
feat: fix argon2 parsing and comparison #1887

Merged
merged 1 commit into from
Dec 24, 2024

Conversation

hf
Contributor

@hf hf commented Dec 24, 2024

Argon2 parsing and comparison is broken in multiple ways:

  1. Incorrect comparison being done using ConstantTimeCompare. This Go API is awful as it returns 1 on equality (unlike all other comparison APIs that return 0) so it was missed.
  2. All Argon2 comparisons were producing incorrect derived keys due to the multiplication by 1024. The argon2.Key and IDKey accept KiB as arguments (not bytes!) which caused all hashes to always be incorrect.

Tests didn't catch this as they only tested for the positive case (which passed with flying colors).
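The following Go program is an added example, not code from this PR or from the project, showing the two points in the description: the parsed `m=` value is handed to the key-derivation function unchanged because argon2.Key and argon2.IDKey take memory in KiB, and a match is `subtle.ConstantTimeCompare(...) == 1`. The derivation function is injected through a `KDF` type with argon2.IDKey's signature; `StandInKDF` is a constructed HMAC stand-in so the block runs on the standard library alone, and `VerifyBroken` reproduces the defective path to show why a positive-only test passed. The `HashPassword` helper, its parameter values and the sample strings are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Argon2Params holds a parsed "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>".
// MemoryKiB keeps m= exactly as written: argon2.Key and argon2.IDKey take KiB, not bytes.
type Argon2Params struct {
	Variant         string
	MemoryKiB, Time uint32
	Threads         uint8
	Salt, Hash      []byte
}

// KDF has the signature of argon2.IDKey, so the real function can be passed in.
type KDF func(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte

// StandInKDF is NOT argon2: a constructed HMAC stand-in so the example runs on the
// standard library alone. Every parameter is folded in, so a wrong memory value changes the key.
func StandInKDF(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
	mac := hmac.New(sha256.New, salt)
	fmt.Fprintf(mac, "%s|t=%d|m=%d|p=%d", password, time, memory, threads)
	sum := mac.Sum(nil)
	if int(keyLen) < len(sum) {
		sum = sum[:keyLen]
	}
	return sum
}

// ParseArgon2 decodes the PHC string (unpadded base64); only version 19 (argon2.Version) is accepted.
func ParseArgon2(encoded string) (*Argon2Params, error) {
	parts := strings.Split(encoded, "$")
	if len(parts) != 6 || parts[0] != "" || parts[2] != "v=19" || (parts[1] != "argon2i" && parts[1] != "argon2id") {
		return nil, errors.New("argon2: malformed hash string, unsupported variant or version")
	}
	p := &Argon2Params{Variant: parts[1]}
	for _, kv := range strings.Split(parts[3], ",") {
		key, val, ok := strings.Cut(kv, "=")
		n, err := strconv.ParseUint(val, 10, 32)
		if !ok || err != nil || (key == "p" && n > 255) {
			return nil, fmt.Errorf("argon2: bad parameter %q", kv)
		}
		switch key {
		case "m":
			p.MemoryKiB = uint32(n) // already KiB: pass through unchanged
		case "t":
			p.Time = uint32(n)
		case "p":
			p.Threads = uint8(n)
		default:
			return nil, fmt.Errorf("argon2: unknown parameter %q", key)
		}
	}
	var saltErr, hashErr error
	p.Salt, saltErr = base64.RawStdEncoding.DecodeString(parts[4])
	p.Hash, hashErr = base64.RawStdEncoding.DecodeString(parts[5])
	// An empty stored hash would compare equal to an empty derived key, so it is rejected too.
	if saltErr != nil || hashErr != nil || p.MemoryKiB == 0 || p.Time == 0 || p.Threads == 0 || len(p.Salt) == 0 || len(p.Hash) == 0 {
		return nil, errors.New("argon2: bad salt/hash encoding or missing parameter")
	}
	return p, nil
}

// HashPassword formats a PHC string with parameters assumed for this example; the caller supplies a fresh random salt.
func HashPassword(password string, salt []byte, derive KDF) string {
	hash := derive([]byte(password), salt, 3, 65536, 4, 32)
	return fmt.Sprintf("$argon2id$v=19$m=65536,t=3,p=4$%s$%s",
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(hash))
}

// Verify re-derives the key and compares in constant time; subtle.ConstantTimeCompare returns 1 on equality, hence "== 1".
func Verify(encoded, password string, derive KDF) (bool, error) {
	p, err := ParseArgon2(encoded)
	if err != nil {
		return false, err
	}
	got := derive([]byte(password), p.Salt, p.Time, p.MemoryKiB, p.Threads, uint32(len(p.Hash)))
	return subtle.ConstantTimeCompare(got, p.Hash) == 1, nil
}

// VerifyBroken reproduces both defects from the PR description: memory scaled by 1024 and equality read
// as 0. The mis-scaled key never matches, so the inverted check is true for every password.
func VerifyBroken(encoded, password string, derive KDF) bool {
	p, err := ParseArgon2(encoded)
	if err != nil {
		return false
	}
	got := derive([]byte(password), p.Salt, p.Time, p.MemoryKiB*1024, p.Threads, uint32(len(p.Hash)))
	return subtle.ConstantTimeCompare(got, p.Hash) == 0
}
```

To use it with real Argon2, pass `argon2.IDKey` from golang.org/x/crypto/argon2 as the `derive` argument and draw the salt from crypto/rand. The negative case, a wrong password that must be rejected, is exactly the test the description says was missing: `VerifyBroken` returns true for both the right and the wrong password, so a positive-only test cannot tell the fixed and broken paths apart.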

@hf hf requested a review from a team as a code owner December 24, 2024 10:57
@coveralls

Pull Request Test Coverage Report for Build 12480774856

Details

  • 16 of 20 (80.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.03%) to 57.387%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| internal/crypto/password.go | 16 | 20 | 80.0% |

| Totals | Coverage Status |
| --- | --- |
| Change from base Build 12466189660: | 0.03% |
| Covered Lines: | 9742 |
| Relevant Lines: | 16976 |

💛 - Coveralls

@hf hf merged commit 9dbe6ef into master Dec 24, 2024
3 checks passed
@hf hf deleted the hf/fix-argon2 branch December 24, 2024 11:08
hf pushed a commit that referenced this pull request Dec 24, 2024
🤖 I have created a release *beep* *boop*
---

## [2.167.0](v2.166.0...v2.167.0) (2024-12-24)

### Features

* fix argon2 parsing and comparison ([#1887](#1887)) ([9dbe6ef](9dbe6ef))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@jtag05

jtag05 commented Dec 24, 2024

Super grateful for the quick turnaround on getting this through! Not to sound the slightest bit ungrateful, but is there guidance on how long to expect the problem to persist on my cloud hosted project?

@hf
Contributor Author

hf commented Dec 24, 2024

> Super grateful for the quick turnaround on getting this through! Not to sound the slightest bit ungrateful, but is there guidance on how long to expect the problem to persist on my cloud hosted project?

Rollout is underway.

@jtag05

jtag05 commented Dec 24, 2024

@hf thanks so much 🙏
