From 4000c5b50d75193024bc23b3c5ea812674542323 Mon Sep 17 00:00:00 2001 From: Gustavo Covas Date: Mon, 22 Mar 2021 15:47:50 -0300 Subject: [PATCH] Fix hash-related method signatures to prevent hash functions that do not produce unique values (#530) --- api/auth/authmongo.go | 20 ++++++++++---------- api/auth/authmongo_test.go | 2 +- api/auth/pbkdf2caller.go | 6 ++---- api/auth/types.go | 2 +- api/routes/user.go | 9 ++------- api/token/token_test.go | 2 +- api/user/user.go | 5 +---- deployments/dockerfiles/api.Dockerfile | 2 +- deployments/scripts/generate-local-token.sh | 0 9 files changed, 19 insertions(+), 29 deletions(-) mode change 100644 => 100755 deployments/scripts/generate-local-token.sh diff --git a/api/auth/authmongo.go b/api/auth/authmongo.go index 67ae9165..40ea071e 100644 --- a/api/auth/authmongo.go +++ b/api/auth/authmongo.go @@ -32,34 +32,34 @@ func (cM *ClientPbkdf2) GetPassFromDB(username string) (string, error) { // GetValidHashFunction is an auxiliary function called by GetHashedPass. // It will return a valid hash function and a boolean if the hash was returned // with success. -func GetValidHashFunction(hashStr string) (hash.Hash, bool) { +func GetValidHashFunction(hashStr string) (func() hash.Hash, bool) { hashLower := strings.ToLower(hashStr) - var hashFunction hash.Hash + var hashFunction func() hash.Hash var isValid bool switch hashLower { case "sha256": - hashFunction = sha256.New() + hashFunction = sha256.New isValid = true case "sha224": - hashFunction = sha256.New224() + hashFunction = sha256.New224 isValid = true case "sha384": - hashFunction = sha512.New384() + hashFunction = sha512.New384 isValid = true case "sha512": - hashFunction = sha512.New() + hashFunction = sha512.New isValid = true case "sha3_224": - hashFunction = sha3.New224() + hashFunction = sha3.New224 isValid = true case "sha3_256": - hashFunction = sha3.New256() + hashFunction = sha3.New256 isValid = true case "sha3_384": - hashFunction = sha3.New384() + hashFunction = sha3.New384 isValid = true case "sha3_512": - hashFunction = sha3.New512() + hashFunction = sha3.New512 isValid = true default: isValid = false diff --git a/api/auth/authmongo_test.go b/api/auth/authmongo_test.go index 3b75ca4b..f6f1da42 100644 --- a/api/auth/authmongo_test.go +++ b/api/auth/authmongo_test.go @@ -23,7 +23,7 @@ type FakeGen struct { expectedDecodeSaltError error } -func (fG *FakeGen) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string { +func (fG *FakeGen) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string { return fG.expectedHash } diff --git a/api/auth/pbkdf2caller.go b/api/auth/pbkdf2caller.go index 1c36418a..b2731bf1 100644 --- a/api/auth/pbkdf2caller.go +++ b/api/auth/pbkdf2caller.go @@ -29,10 +29,8 @@ func (pC *Pbkdf2Caller) DecodeSaltValue(salt string) ([]byte, error) { } // GenHashValue returns the hash value given all pbkdf2 parameters. -func (pC *Pbkdf2Caller) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string { - return base64.StdEncoding.EncodeToString(pbkdf2.Key(value, salt, iter, keyLen, func() hash.Hash { - return h - })) +func (pC *Pbkdf2Caller) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string { + return base64.StdEncoding.EncodeToString(pbkdf2.Key(value, salt, iter, keyLen, hashFunc)) } // GenerateSalt returns a random salt and en error. diff --git a/api/auth/types.go b/api/auth/types.go index 7ff35847..a0c43a37 100644 --- a/api/auth/types.go +++ b/api/auth/types.go @@ -20,7 +20,7 @@ type UserCredsHandler interface { type Pbkdf2Generator interface { GetCredsFromDB(username string) (types.User, error) DecodeSaltValue(salt string) ([]byte, error) - GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string + GenHashValue(value, salt []byte, iter, keyLen int, hashFund func() hash.Hash) string GenerateSalt() (string, error) GetHashName() string GetIterations() int diff --git a/api/routes/user.go b/api/routes/user.go index 229be398..0c8a7d23 100644 --- a/api/routes/user.go +++ b/api/routes/user.go @@ -8,7 +8,6 @@ import ( "net/http" "encoding/base64" - "hash" "github.com/globocom/huskyCI/api/auth" apiContext "github.com/globocom/huskyCI/api/context" @@ -68,18 +67,14 @@ func UpdateUser(c echo.Context) error { reply := map[string]interface{}{"success": false, "error": "failed to update user data"} return c.JSON(http.StatusInternalServerError, reply) } - hashedPass := pbkdf2.Key([]byte(attemptUser.Password), salt, user.Iterations, user.KeyLen, func() hash.Hash { - return hashFunction - }) + hashedPass := pbkdf2.Key([]byte(attemptUser.Password), salt, user.Iterations, user.KeyLen, hashFunction) if base64.StdEncoding.EncodeToString(hashedPass) != user.Password { reply := map[string]interface{}{"success": false, "error": "unauthorized"} return c.JSON(http.StatusUnauthorized, reply) } // step 5.1: prepare new user struct to be updated - newHashedPass := pbkdf2.Key([]byte(attemptUser.NewPassword), salt, user.Iterations, user.KeyLen, func() hash.Hash { - return hashFunction - }) + newHashedPass := pbkdf2.Key([]byte(attemptUser.NewPassword), salt, user.Iterations, user.KeyLen, hashFunction) updatedUser := types.User{ Username: attemptUser.Username, diff --git a/api/token/token_test.go b/api/token/token_test.go index 95ba54eb..4b4308fb 100644 --- a/api/token/token_test.go +++ b/api/token/token_test.go @@ -106,7 +106,7 @@ func (fH *FakeHashGen) GetIterations() int { return fH.expectedIterations } -func (fH *FakeHashGen) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string { +func (fH *FakeHashGen) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string { return fH.expectedHashValue } diff --git a/api/user/user.go b/api/user/user.go index 03b184dc..0bf18a50 100644 --- a/api/user/user.go +++ b/api/user/user.go @@ -10,7 +10,6 @@ import ( "crypto/rand" "encoding/base64" "errors" - "hash" "io" "github.com/globocom/huskyCI/api/auth" @@ -55,9 +54,7 @@ func InsertDefaultUser() error { newUser.Iterations = iterations newUser.KeyLen = keyLength newUser.Salt = base64.StdEncoding.EncodeToString(salt) - hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, func() hash.Hash { - return hashFunction - }) + hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, hashFunction) newUser.Password = base64.StdEncoding.EncodeToString(hashedPass) return apiContext.APIConfiguration.DBInstance.InsertDBUser(newUser) } diff --git a/deployments/dockerfiles/api.Dockerfile b/deployments/dockerfiles/api.Dockerfile index d79af12b..4dc7d6e3 100644 --- a/deployments/dockerfiles/api.Dockerfile +++ b/deployments/dockerfiles/api.Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15 +FROM golang:1.16 WORKDIR /go/src/app COPY api/ . RUN go build -o huskyci-api server.go diff --git a/deployments/scripts/generate-local-token.sh b/deployments/scripts/generate-local-token.sh old mode 100644 new mode 100755