rpms / erlang-riak_core

Clone
Source Code
GIT

Files

  1.   c30e26b188f683f59503f35b5e80fdf703eebf58
  2.   erlang-riak_core-0002-Don-t-use-pbkdf2-as-application.patch
Blob Blame History Raw 
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Fri, 22 Apr 2016 16:45:41 +0300
Subject: [PATCH] Don't use pbkdf2 as application

Use pbkdf2 from basho/erlang-pbkdf2@0cabf7cc8c18e820d9149d08cb64ed6cc5aae3b4.

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>

diff --git a/rebar.config b/rebar.config
index 64370762..5a7939bb 100644
--- a/rebar.config
+++ b/rebar.config
@@ -16,7 +16,6 @@
   {riak_sysmon, ".*", {git, "https://github.com/basho/riak_sysmon.git", {tag, "2.1.5"}}},
   {eleveldb, ".*", {git, "git://github.com/basho/eleveldb.git", {tag, "2.0.34"}}},
   {riak_ensemble, ".*", {git, "https://github.com/basho/riak_ensemble", {tag, "2.1.8"}}},
-  {pbkdf2, ".*", {git, "git://github.com/basho/erlang-pbkdf2.git", {tag, "2.0.0"}}},
   {exometer_core, ".*", {git, "git://github.com/basho/exometer_core.git", {tag, "1.0.0-basho9"}}},
   {clique, ".*", {git, "https://github.com/basho/clique.git", {tag, "0.3.9"}}}
 ]}.
diff --git a/src/pbkdf2.erl b/src/pbkdf2.erl
new file mode 100644
index 00000000..dcc66064
--- /dev/null
+++ b/src/pbkdf2.erl
@@ -0,0 +1,198 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+%   http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(pbkdf2).
+
+-export([pbkdf2/4, pbkdf2/5, compare_secure/2, to_hex/1]).
+
+
+%-type(hex_char() :: $0 .. $9 | $a .. $f).
+-type(hex_char() :: 48 .. 57 | 97 .. 102).
+-type(hex_list() :: [hex_char()]).
+
+
+-type digest_func_info() :: md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512.
+
+-type mac_func_info() :: {hmac, digest_func_info()} | digest_func_info().
+
+
+-define(MAX_DERIVED_KEY_LENGTH, (1 bsl 32 - 1)).
+
+%======================================================================================================================
+% Public API
+
+-spec pbkdf2(MacFunc, Password, Salt, Iterations) -> {ok, Key} | {error, derived_key_too_long} when
+	MacFunc :: mac_func_info(),
+	Password :: binary(),
+	Salt :: binary(),
+	Iterations :: integer(),
+	Key :: binary().
+
+pbkdf2(MacFunc, Password, Salt, Iterations) ->
+	MacFunc1 = resolve_mac_func(MacFunc),
+	DerivedLength = byte_size(MacFunc1(<<"test key">>, <<"test data">>)),
+	Bin = pbkdf2(MacFunc1, Password, Salt, Iterations, DerivedLength, 1, []),
+	{ok, Bin}.
+
+%----------------------------------------------------------------------------------------------------------------------
+
+-spec pbkdf2(MacFunc, Password, Salt, Iterations, DerivedLength) -> {ok, Key} | {error, derived_key_too_long} when
+	MacFunc :: mac_func_info(),
+	Password :: binary(),
+	Salt :: binary(),
+	Iterations :: integer(),
+	DerivedLength :: integer(),
+	Key :: binary().
+
+pbkdf2(_MacFunc, _Password, _Salt, _Iterations, DerivedLength) when DerivedLength > ?MAX_DERIVED_KEY_LENGTH ->
+	{error, derived_key_too_long};
+
+pbkdf2(MacFunc, Password, Salt, Iterations, DerivedLength) ->
+	MacFunc1 = resolve_mac_func(MacFunc),
+	Bin = pbkdf2(MacFunc1, Password, Salt, Iterations, DerivedLength, 1, []),
+	{ok, Bin}.
+
+%----------------------------------------------------------------------------------------------------------------------
+
+-spec to_hex(Data) -> HexData when
+	Data :: binary() | list(),
+	HexData :: binary() | hex_list().
+
+to_hex(<<>>) ->
+	<<>>;
+
+to_hex(<<Char:8/integer, Rest/binary>>) ->
+	CharHex1 = to_hex_digit(Char div 16),
+	CharHex2 = to_hex_digit(Char rem 16),
+	RestHex = to_hex(Rest),
+	<<CharHex1, CharHex2, RestHex/binary>>;
+
+to_hex([]) ->
+	[];
+
+to_hex([Char | Rest]) ->
+	[to_hex_digit(Char div 16), to_hex_digit(Char rem 16) | to_hex(Rest)].
+
+%======================================================================================================================
+% Internal Functions
+
+-spec pbkdf2(MacFunc, Password, Salt, Iterations, DerivedLength, BlockIndex, Acc) -> Key when
+	MacFunc :: fun((binary(), binary()) -> binary()),
+	Password :: binary(),
+	Salt :: binary(),
+	Iterations :: integer(),
+	DerivedLength :: integer(),
+	BlockIndex :: integer(),
+	Acc :: iolist(),
+	Key :: binary().
+
+pbkdf2(MacFunc, Password, Salt, Iterations, DerivedLength, BlockIndex, Acc) ->
+	case iolist_size(Acc) > DerivedLength of
+		true ->
+			<<Bin:DerivedLength/binary, _/binary>> = iolist_to_binary(lists:reverse(Acc)),
+			Bin;
+		false ->
+			Block = pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, 1, <<>>, <<>>),
+			pbkdf2(MacFunc, Password, Salt, Iterations, DerivedLength, BlockIndex + 1, [Block | Acc])
+	end.
+
+%----------------------------------------------------------------------------------------------------------------------
+
+-spec pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, Iteration, Prev, Acc) -> Key when
+	MacFunc :: fun((binary(), binary()) -> binary()),
+	Password :: binary(),
+	Salt :: binary(),
+	Iterations :: integer(),
+	BlockIndex :: integer(),
+	Iteration :: integer(),
+	Prev :: binary(),
+	Acc :: binary(),
+	Key :: binary().
+
+pbkdf2(_MacFunc, _Password, _Salt, Iterations, _BlockIndex, Iteration, _Prev, Acc) when Iteration > Iterations ->
+	Acc;
+
+pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, 1, _Prev, _Acc) ->
+	InitialBlock = MacFunc(Password, <<Salt/binary, BlockIndex:32/integer>>),
+	pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, 2, InitialBlock, InitialBlock);
+
+pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, Iteration, Prev, Acc) ->
+	Next = MacFunc(Password, Prev),
+	pbkdf2(MacFunc, Password, Salt, Iterations, BlockIndex, Iteration + 1, Next, crypto:exor(Next, Acc)).
+
+%----------------------------------------------------------------------------------------------------------------------
+
+%-type mac_func_info() :: mac_func() | {hmac, digest_func_info()}
+%	| md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512.
+
+resolve_mac_func({hmac, DigestFunc}) ->
+	fun(Key, Data) ->
+		%crypto:hmac(DigestFunc, Key, Data)
+		HMAC = crypto:hmac_init(DigestFunc, Key),
+		HMAC1 = crypto:hmac_update(HMAC, Data),
+		crypto:hmac_final(HMAC1)
+	end;
+
+resolve_mac_func(MacFunc) when is_function(MacFunc) ->
+	MacFunc;
+
+resolve_mac_func(md4) -> resolve_mac_func({hmac, md4});
+resolve_mac_func(md5) -> resolve_mac_func({hmac, md5});
+resolve_mac_func(ripemd160) -> resolve_mac_func({hmac, ripemd160});
+resolve_mac_func(sha) -> resolve_mac_func({hmac, sha});
+resolve_mac_func(sha224) -> resolve_mac_func({hmac, sha224});
+resolve_mac_func(sha256) -> resolve_mac_func({hmac, sha256});
+resolve_mac_func(sha384) -> resolve_mac_func({hmac, sha384});
+resolve_mac_func(sha512) -> resolve_mac_func({hmac, sha512}).
+
+%----------------------------------------------------------------------------------------------------------------------
+
+%% Compare two strings or binaries for equality without short-circuits to avoid timing attacks.
+
+-spec compare_secure(First, Second) -> boolean() when
+	First :: binary() | string(),
+	Second :: binary() | string().
+
+compare_secure(<<X/binary>>, <<Y/binary>>) ->
+	compare_secure(binary_to_list(X), binary_to_list(Y));
+
+compare_secure(X, Y) when is_list(X) and is_list(Y) ->
+	case length(X) == length(Y) of
+		true ->
+			compare_secure(X, Y, 0);
+		false ->
+			false
+	end;
+
+compare_secure(_X, _Y) -> false.
+
+-spec compare_secure(First, Second, Accum) -> boolean() when
+	First :: string(),
+	Second :: string(),
+	Accum :: integer().
+
+compare_secure([X|RestX], [Y|RestY], Result) ->
+	compare_secure(RestX, RestY, (X bxor Y) bor Result);
+
+compare_secure([], [], Result) ->
+	Result == 0.
+
+%----------------------------------------------------------------------------------------------------------------------
+
+-spec to_hex_digit(Nyble) -> hex_char() when
+	Nyble :: 0 .. 15.
+
+to_hex_digit(N) when N < 10 ->
+	$0 + N;
+
+to_hex_digit(N) ->
+	$a + N - 10.
diff --git a/src/riak_core.app.src b/src/riak_core.app.src
index 4bfb03f3..c5a38371 100644
--- a/src/riak_core.app.src
+++ b/src/riak_core.app.src
@@ -17,7 +17,6 @@
                   os_mon,
                   basho_stats,
                   eleveldb,
-                  pbkdf2,
                   poolboy,
                   exometer_core,
                   clique
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.