Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potentially insecure hkdf use #951

Open
roman-khimov opened this issue May 14, 2024 · 1 comment
Open

Potentially insecure hkdf use #951

roman-khimov opened this issue May 14, 2024 · 1 comment
Labels
bug Something isn't working I4 No visible changes S2 Regular significance security Affects security U2 Seriously planned
Milestone
v0.31.0

Comments

@roman-khimov
Copy link
Member

Current Behavior

kdf := hkdf.New(hash, secret, nil, nil). No salt, no app-specific info.

Expected Behavior

App-specific info and salt used.

Possible Solution

Hardcode info, add some salt. Breaking change, but the gateway is not used in production.

Your Environment

  • Version of the product used: 0.30.0
@roman-khimov roman-khimov added bug Something isn't working U2 Seriously planned S2 Regular significance I4 No visible changes labels May 14, 2024
@roman-khimov roman-khimov added this to the v0.31.0 milestone May 14, 2024
@roman-khimov roman-khimov added the security Affects security label May 15, 2024
@roman-khimov
Copy link
Member Author

Salt is to be stored somewhere nearby, as usual.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working I4 No visible changes S2 Regular significance security Affects security U2 Seriously planned
Projects
None yet
Milestone
v0.31.0
Development

No branches or pull requests
1 participant
@roman-khimov