Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(general): user password hashing and key derivation helpers #3821

Merged
merged 24 commits into from
Apr 27, 2024
Merged

refactor(general): user password hashing and key derivation helpers #3821

merged 24 commits into from
Apr 27, 2024

Conversation

julio-lopez
Copy link
Collaborator

@julio-lopez julio-lopez commented Apr 26, 2024
edited
Loading

Code movement and simplification, no functional changes.

Objectives:

  • Allow callers specifying the needed key (or hash) size, instead of hard-coding it in the registered PBK derivers. Conceptually, the caller needs to specify the key size, since that is a requirement of the (encryption) algorithm being used in the caller. Now, the code changes here do not result in any functional changes since the key size is always 32 bytes.
  • Remove a global definition for the default PB key deriver to use. Instead, each of the 3 use case sets the default value.

Changes:

  • crypto.DeriveKeyFromPassword now takes a key size.
  • Adds new constants for the key sizes at the callers.
  • Removes the global crypto.MasterKeySize const.
  • Removes the global crypto.DefaultKeyDerivationAlgorithm const.
  • Adds const for the default derivation algorithms for each use case.

Followups to:

The individual commits show the code transformations to simplify the review of the changes.

@codecov Codecov
Copy link

codecov bot commented Apr 26, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 92.85714% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 77.01%. Comparing base (cb455c6) to head (31259db).
Report is 119 commits behind head on master.

Files Patch % Lines
cli/command_repository_connect_server.go 50.00% 1 Missing ⚠️
internal/user/user_profile.go 87.50% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3821      +/-   ##
==========================================
+ Coverage   75.86%   77.01%   +1.15%     
==========================================
  Files         470      476       +6     
  Lines       37301    28682    -8619     
==========================================
- Hits        28299    22090    -6209     
+ Misses       7071     4694    -2377     
+ Partials     1931     1898      -33

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@julio-lopez julio-lopez changed the title refactor(general): minor cleanups for user password hashing and helpers refactor(general): user password hashing and key derivation helpers Apr 26, 2024
@julio-lopez
trivial: reword comment
bf073d1
@julio-lopez
refactor(general): rename const to dummyHashThatNeverMatchesAnyPassword
7c9fdd0 
The variable is used in all the implementations of password hashing, not just V1.

No functional changes.
@julio-lopez
refactor(general): unexport user.{scrypt,pbkdf2}HashAlgorithm consts
a2289cd
@julio-lopez
refactor(general): unexport getPasswordHashAlgorithm
dcae060
@julio-lopez
test(general): ensure constants in the user and crypto packages match
726311d
@julio-lopez
fix(general): add for user.passwordHashSaltLength const
a33a278 
The constant is located in the `internal/user` package, this
de-couples it from the value in the `crypto` package.
This introduces no functional changes.
@julio-lopez
test(general): user.TestSaltLengthIsSupported
7876a5d
@julio-lopez
use user.passwordHashSaltLength const
abbd338 
Objective: remove dependency on `crypto.RecommendedSaltLength()`,
with the intent of removing that function and other helpers in
the crypto package.

No functional change
@julio-lopez
refactor(general): add PasswordHashingAlgorithms helper
cade593 
Adds:
- user.DefaultPasswordHashingAlgorithm constant
- user.PasswordHashingAlgorithms helper

Uses these to set up the CLI for the 'repo server user {add,set}' commands.
@julio-lopez
remove now-unused crypto.RecommendedSaltLength and
3cdfd5c 
Also, removes dependent functions.
No functional change.
@julio-lopez
fix(general): typo in error message
6b5f0d7
@julio-lopez
refactor(general): rename const for scrypt salt
6325749 
No functional changes
@julio-lopez
refactor(general): rename const to pbkdf2Sha256SaltLength
76b3df9 
Also, reorders constant definition order.

No functional changes.
@julio-lopez
refactor(general): unexport password-based key derivers
16be2e9 
No functional change.
@julio-lopez
refactor(general): allow caller to specify requested key size
80a3a61
@julio-lopez
refactor(general): use format.DefaultKeyDerivationAlgorithm in repo c…
6913f37 
…reate flag definition
@julio-lopez
refactor(general): rename DefaultServerRepoCacheKeyDerivationAlgorith…
25e1ab9 
…m const
@julio-lopez
refactor(general): add helper for supported cache key deriver
17a2c07
@julio-lopez
refactor(general): add helper for supported format blob key derivers
381e264
@julio-lopez
refactor(general): unexport and rename AllowedKeyDerivationAlgorithms
1591c37 
No longer used outside the package => unexported
Renamed to supportedPBKeyDerivationAlgorithms

No functional changes
@julio-lopez
remove non-testing crypto.DefaultKeyDerivationAlgorithm
c55e3e9
@julio-lopez
refactor(general): remove testing DefaultKeyDerivationAlgorithm const
3523b77
@julio-lopez
Rename source files for PB key deriver implementations
122b082 
Adds a common prefix `pb_key_deriver_`

No functional changes.
@julio-lopez
Rename file to internal/user/user_profile_pw_hash.go
31259db 
It contains the user password hashing implementation for all
the password hashing schemes currently supported in kopia.
julio-lopez
julio-lopez commented Apr 27, 2024
View reviewed changes
internal/user/password_hashings_test.go
// keys" for the register password-based key derivers in the crypto package.
// This trivial test is a change detector to ensure that the constants defined
// in the user package match those defined in the crypto package.
func TestPasswordHashingConstantMatchCryptoPackage(t *testing.T) {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bathina2 This is what I meant by "adding a test to ensure the constants match".

@julio-lopez
Copy link
Collaborator Author

@bathina2 @miquella FYI

@julio-lopez julio-lopez marked this pull request as ready for review April 27, 2024 06:24
@julio-lopez julio-lopez merged commit ca1962f into kopia:master Apr 27, 2024
28 checks passed
@julio-lopez julio-lopez deleted the test/user-profile-hashing branch April 27, 2024 06:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@redgoat650 redgoat650 Awaiting requested review from redgoat650

@jkowalski jkowalski Awaiting requested review from jkowalski

@Shrekster Shrekster Awaiting requested review from Shrekster

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@julio-lopez