Remove deprecated Nettle API calls #36
Conversation
npavlinek
force-pushed
the
fix-deprecated-nettle-api
branch
2 times, most recently
from
6c3a0a1 to
106c2f0
Compare
rdup-tr.c
Outdated
| struct aes_ctx *aes_ctx = NULL; | ||
| guint opt_decrypt_key_length = 0; | ||
| /* | ||
| * TODO: I don't like having 3 AES contexts, when only 1 is actually used (16 |
There was a problem hiding this comment.
Is it a stretch to just allow only one key-size?
There was a problem hiding this comment.
Actually that would remove pretty much all of the key size checking and make this change much simpler and shorter.
We could just pick, say AES-256, and pad the keys to 32 bytes. There's two ways we could do that:
- Pad with some pattern
- Use something like PBKDF2 (preferable since it's more secure)
There was a problem hiding this comment.
agreed, let's do that. So to recap:
- 1 keysze
- pad with pbkdf2
npavlinek
force-pushed
the
fix-deprecated-nettle-api
branch
from
106c2f0 to
a720bae
Compare
|
Ok, this is the first draft. There's a couple of problems:
None of these issues are really that big, since with |
|
[ Quoting <[email protected]> in "Re: [miekg/rdup] Remove deprecated ..." ]
Ok, this is the first draft. There's a couple of problems:
1. Number of iterations probably shouldn't be hard-coded.
2. The use of a static salt means all users that decide to use encryption, could be attacked by the same rainbow table. (The salt needs to stay the same between encryption and decryption).
None of these issues are really that big, since with `rdup` you could use some external tool to do crypto.
Are these problems that pop up now with the rework you're doing, or were already present?
|
|
"Problems" with the rework. PBKDF2 requires a number of iterations and salt. I had a look at I also had a look at Nettle code and they don't seem to pad keys either, which is weird because when I tried passing a key without padding it, it worked. It could be that it (Nettle) was reading memory that it shouldn't have and just happened to not be a problem. I don't have time right now, but I'll give this a better look later today and come up with something. |
|
I've thought about this and I think the best course of action is to just use a static salt (i.e. hard-code a salt) and a set number of iterations. The rationale is that even if the attacker has access to the salt, they don't have access to the password or it's hash, since If you agree, I'll proceed with the above plan and we can be done with this. |
|
[ Quoting <[email protected]> in "Re: [miekg/rdup] Remove deprecated ..." ]
I've thought about this and I think the best course of action is to just use a static salt (i.e. hard-code a salt) and a set number of iterations. The rationale is that even if the attacker has access to the salt, they don't have access to the password or it's hash, since `rdup` doesn't store them anywhere (it's given by the user). Therefore us storing the salt instead of generating it for each password is not at all a problem.
If you agree, I'll proceed with the above plan and we can be done with this.
A static salt means a rainbow table would work for all backups made, which is a
lot of work and may be a problem. Should we expose an salt option, but default
to a salt (for backwards compat reason)? And explain this in the readme and
help?
|
|
This is going to be a long one. Bear with me... After spending a few hours hacking
Since the old implementation chose the correct function to call depending on key size, keys were never padded (if a user passed a key of a size other than 16-bytes, 24-bytes or 32-bytes, we rejected it and printed an error). Because of this any backups that are encrypted with the old implementation and use key sizes other than 32-bytes, cannot be decrypted since padding changes the key. If we use our own "padding", which doesn't really pad, but instead uses the original key as an input into a hash function, which then generates a hash of appropriate size (in our case, 32-bytes), and uses a salt to make sure that hashes of the same key differ, keys are always different from the original implementation. It seems that the only way to ensure backwards compatibility (with the old implementation) is to use the initial implementation of this PR (separate context for each key size), otherwise we would have to provide some sort of a script to "re-encrypt" all backups that were encrypted using the old implementation, with the new one. If you remember, the problem with the initial implementation was that we had a context for each key size while only using one at a time. And it required additional key size checks in a few places (which is actually what the old code did, but instead of that logic being in I tried being as clear as I could, but it's possible that I missed something. If something is unclear, I'd be happy to clear it up. |
|
We should care about backwards compatibility:
If this is what you propose. I think I'm OK with that. |
npavlinek
force-pushed
the
fix-deprecated-nettle-api
branch
from
a720bae to
7f2e35d
Compare
|
Using a union to ensure that all three AES contexts occupy the same memory location. I also manually verified that a backup encrypted with the old implementation can be decrypted with the new one. |
|
[ Quoting <[email protected]> in "Re: [miekg/rdup] Remove deprecated ..." ]
Using a union to ensure that all three AES contexts occupy the same memory location. I also manually verified that a backup encrypted with the old implementation can be decrypted with the new one.
Ok, I'll take another look.
Thanks!
|
This should fix issue #35