remove bcrypt code from code-base (#4844) #4845
Conversation
what is a
Codecov Report
@@            Coverage Diff             @@
##           master    #4845      +/-   ##
==========================================
- Coverage   63.02%   63.02%   -0.01%
==========================================
  Files         191      191
  Lines       27452    27440      -12
==========================================
- Hits        17302    17294       -8
+ Misses       8975     8972       -3
+ Partials     1175     1174       -1
Continue to review full report at Codecov.
Ahm, yes xD - I fix it!
LGTM for removing the code.
One question: does subtle.ConstantTimeCompare() prevent timing attacks?
Yes, that's exactly the function used in bcrypt for comparing the computed hash values. It compares two byte slices in constant time. This prevents timing attacks.
Closed until we decide what to do...
This PR should fulfill the requirements - reopened
cmd/credential.go (outdated)
return (cred.AccessKey == ccred.AccessKey && | ||
bcrypt.CompareHashAndPassword(cred.secretKeyHash, []byte(ccred.SecretKey)) == nil) | ||
return subtle.ConstantTimeCompare([]byte(cred.SecretKey), []byte(ccred.SecretKey)) == 1 |
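Review bot: the new return drops the access-key check that the removed line still had (`cred.AccessKey == ccred.AccessKey`), so two credentials with different access keys but the same secret key now compare equal; keep the access-key comparison, and if both fields are meant to be compared in constant time, combine the two `subtle.ConstantTimeCompare` results with a bitwise AND rather than `&&` so the secret-key comparison always runs. Note also that `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so a length mismatch remains observable; that is harmless only if generated secret keys always have the same length.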
How about doing the following?
return (cred.AccessKey == ccred.AccessKey && subtle.ConstantTimeCompare([]byte(cred.SecretKey), []byte(ccred.SecretKey)) == 1)
The access key is public information, so this is fine. However, for me it looks a little bit weird when credentials are compared and some parts are constant time and some aren't. It's just easier to miss something in the future - but the decision is up to you...
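To make the point of the question above and this comment concrete, here is an added example (not minio's code and not part of this PR) of a credential comparison in Go that checks both fields with crypto/subtle.ConstantTimeCompare and combines the results with a bitwise AND, so the secret-key comparison always runs regardless of the access-key result; the Credentials struct and the sample values are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Credentials is a hypothetical struct mirroring the two fields discussed in
// the review; it is not minio's own type.
type Credentials struct {
	AccessKey string
	SecretKey string
}

// Equal compares both fields with ConstantTimeCompare and combines the two
// results with a bitwise AND instead of &&, so no comparison is skipped and the
// time taken does not depend on whether the access key matched.
// ConstantTimeCompare returns 0 immediately when the lengths differ, so only a
// length mismatch is observable, never which bytes differ.
func (c Credentials) Equal(o Credentials) bool {
	ak := subtle.ConstantTimeCompare([]byte(c.AccessKey), []byte(o.AccessKey))
	sk := subtle.ConstantTimeCompare([]byte(c.SecretKey), []byte(o.SecretKey))
	return ak&sk == 1
}

// EqualShortCircuit is the variant proposed in review: == on the access key
// stops at the first differing byte, and && skips the secret-key comparison
// entirely when the access key differs.
func EqualShortCircuit(c, o Credentials) bool {
	return c.AccessKey == o.AccessKey &&
		subtle.ConstantTimeCompare([]byte(c.SecretKey), []byte(o.SecretKey)) == 1
}

func main() {
	// Constructed sample credentials, not real keys.
	stored := Credentials{AccessKey: "AKIAEXAMPLE", SecretKey: "constructed-secret-0123"}
	fmt.Println(stored.Equal(stored))                                          // true
	fmt.Println(stored.Equal(Credentials{AccessKey: "AKIAEXAMPLE", SecretKey: "wrong"})) // false
}
```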
I think you can do the change.
done
cmd/credential.go (outdated)
_, err = rand.Read(keyBytes) | ||
if err != nil { | ||
return cred, err | ||
// Generate access key - the access key consits only of alpha-numeric digits. |
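Review bot: the comment on the last line misspells "consists" ("consits"), and the `if err != nil {` block is shown without its closing brace in this context, so make sure the full function still compiles as submitted; also confirm that `rand.Read` here comes from crypto/rand rather than math/rand, since keyBytes becomes the access key.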
I think you can keep the function unchanged to minimize this PR.
This PR also cleans up the code a bit - like unnecessary if-else, and so on.
Yep. It's better to send a different PR doing the cleanup.
done
Can you squash your commits? @aead
Squashed
Bcrypt is not necessary and not used properly. This change replaces the whole bcrypt hash computation with a constant-time compare and removes bcrypt from the code base.
Fixes #4844
How Has This Been Tested?
Manually