Use crypto/pbkdf2.

Nuno Cruces
2025-09-18 18:40:56 +01:00
parent 11e064574c
commit c3ebb04045
5 changed files with 15 additions and 14 deletions


@@ -45,10 +45,7 @@ func TestBlob(t *testing.T) {
}
var data [1280]byte
_, err = rand.Read(data[:])
if err != nil {
t.Fatal(err)
}
rand.Read(data[:])
_, err = blob.Write(data[:size/2])
if err != nil {


@@ -25,8 +25,8 @@ func (adiantumCreator) HBSH(key []byte) *hbsh.HBSH {
func (adiantumCreator) KDF(text string) []byte {
if text == "" {
key := make([]byte, 32)
n, _ := rand.Read(key)
return key[:n]
rand.Read(key)
return key
}
return argon2.IDKey([]byte(text), []byte(pepper), 3, 64*1024, 4, 32)
}
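Review bot: The bare `rand.Read(key)` in the empty-text branch of `adiantumCreator.KDF` is only safe if `rand` is crypto/rand on Go 1.24 or later, where Read is documented never to return an error and crashes the program instead; the import block is outside this hunk, so that is inferred. A one-line comment would keep a later reader from treating the dropped result as an oversight, e.g. `// crypto/rand.Read never fails (Go 1.24+): it crashes the program rather than return a short key.` The same applies to the identical change in `hpolycCreator.KDF` and `aesCreator.KDF` further down. It is also worth confirming that the go directive in go.mod is 1.24 or later, because without that guarantee a failed read would now hand back an unfilled 32-byte key silently.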


@@ -45,8 +45,8 @@ func (hpolycCreator) KDF(secret string) []byte {
if secret == "" {
// No secret is given, generate a random key.
key := make([]byte, 32)
n, _ := rand.Read(key)
return key[:n]
rand.Read(key)
return key
}
// Hash the secret with a KDF.
return argon2.IDKey([]byte(secret), []byte("hpolyc"), 3, 64*1024, 4, 32)


@@ -9,12 +9,12 @@ In general, any XTS construction can be used to wrap any VFS.
The default AES-XTS construction uses AES-128, AES-192, or AES-256
for its block cipher.
Additionally, we use [PBKDF2-HMAC-SHA512](https://pkg.go.dev/golang.org/x/crypto/pbkdf2)
Additionally, we use [PBKDF2-HMAC-SHA512](https://pkg.go.dev/crypto/pbkdf2)
to derive AES-128 keys from plain text where needed.
File contents are encrypted in 512 byte sectors, matching the
[minimum](https://sqlite.org/fileformat.html#pages) SQLite page size.
This VFS uses _only_ NIST and FIPS 140-2 approved cryptographic primitives,
This VFS uses _only_ NIST and FIPS 140-3 approved cryptographic primitives,
which _may_ help you become FIPS compliant.
The VFS encrypts all files _except_


@@ -2,10 +2,10 @@ package xts
import (
"crypto/aes"
"crypto/pbkdf2"
"crypto/rand"
"crypto/sha512"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/crypto/xts"
)
@@ -27,8 +27,12 @@ func (aesCreator) XTS(key []byte) *xts.Cipher {
func (aesCreator) KDF(text string) []byte {
if text == "" {
key := make([]byte, 32)
n, _ := rand.Read(key)
return key[:n]
rand.Read(key)
return key
}
return pbkdf2.Key([]byte(text), []byte(pepper), 10_000, 32, sha512.New)
key, err := pbkdf2.Key(sha512.New, text, []byte(pepper), 10_000, 32)
if err != nil {
panic(err)
}
return key
}
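Review bot: The new `panic(err)` in `aesCreator.KDF` turns a parameter rejection by `pbkdf2.Key` into a process crash, and nothing in the hunk says when that can happen. As I read crypto/pbkdf2, Key returns an error only in FIPS 140-only mode, when the salt is under 128 bits, the key length is under 112 bits, or the hash is not approved; `pepper` is defined outside this hunk, so whether it is at least 16 bytes cannot be checked here, and the README in this same commit advertises FIPS 140-3. I would document the condition on the call, e.g. `// pbkdf2.Key fails only in FIPS 140-only mode; pepper must be >= 16 bytes there.`, and add a test asserting `len(pepper) >= 16`. Separately, 10_000 iterations is well below current guidance for PBKDF2-HMAC-SHA512, though raising it changes the derived key for existing databases and would need a migration path.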