Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: bcrypt key derivation to aead #509

Merged
merged 27 commits into from
Apr 12, 2023
Merged

Conversation

bizk
Copy link

@bizk bizk commented Apr 3, 2023

Description

Closes: #3129

  • Replaced bcrypt key derivation for argon2id, this approach is secure and resolves most of bcrypt common issues. Algorithm implementation uses these parameters
const (
	argon2Time    = 1 // Recommended by library authors: Uses max memory available
	argon2Memory  = 64 * 1024 // Memory usage 
	argon2Threads = 4
	argon2KeyLen  = 32 // Key bytes
)
  • Replaced xsalsa20 symmetric encryption with AEAD ChaCha20Poly
  • Added backward compatibility for old keys.
  • Added respective tests
  • Fixed suggestions and comments by @facundomedica

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

🔗 zboto Link

@bizk bizk self-assigned this Apr 3, 2023
@facundomedica
Copy link

Idk which PR I should review 😅 I thought this one was the one: cosmos#15589

Copy link

@facundomedica facundomedica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bizk bizk merged commit c1d0353 into main Apr 12, 2023
bizk added a commit that referenced this pull request Apr 27, 2023
Co-authored-by: Matt Kocubinski <mkocubinski@gmail.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Co-authored-by: samricotta <37125168+samricotta@users.noreply.github.com>
Co-authored-by: Julien Robert <julien@rbrt.fr>
@bizk bizk deleted the feat/bcrypt-key-derivation-to-aead branch May 22, 2023 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Improper use of bcrypt API
2 participants