go/sqlite3
1
0
Fork 0
mirror of https://github.com/ncruces/go-sqlite3.git synced 2026-01-12 05:59:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use crypto/pbkdf2.

Browse Source
This commit is contained in:
Nuno Cruces
2025-09-18 18:40:56 +01:00
parent 11e064574c
commit c3ebb04045
5 changed files with 15 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tests/blob_test.go
View File

@@ -45,10 +45,7 @@ func TestBlob(t *testing.T) {
} }
var data [1280]byte var data [1280]byte
_, err = rand.Read(data[:]) rand.Read(data[:])
if err != nil {
t.Fatal(err)
}
_, err = blob.Write(data[:size/2]) _, err = blob.Write(data[:size/2])
if err != nil { if err != nil {

4
vfs/adiantum/adiantum.go
View File

@@ -25,8 +25,8 @@ func (adiantumCreator) HBSH(key []byte) *hbsh.HBSH {
func (adiantumCreator) KDF(text string) []byte { func (adiantumCreator) KDF(text string) []byte {
if text == "" { if text == "" {
key := make([]byte, 32) key := make([]byte, 32)
n, _ := rand.Read(key) rand.Read(key)
return key[:n] return key
} }
return argon2.IDKey([]byte(text), []byte(pepper), 3, 64*1024, 4, 32) return argon2.IDKey([]byte(text), []byte(pepper), 3, 64*1024, 4, 32)
} }

4
vfs/adiantum/example_test.go
View File

@@ -45,8 +45,8 @@ func (hpolycCreator) KDF(secret string) []byte {
if secret == "" { if secret == "" {
// No secret is given, generate a random key. // No secret is given, generate a random key.
key := make([]byte, 32) key := make([]byte, 32)
n, _ := rand.Read(key) rand.Read(key)
return key[:n] return key
} }
// Hash the secret with a KDF. // Hash the secret with a KDF.
return argon2.IDKey([]byte(secret), []byte("hpolyc"), 3, 64*1024, 4, 32) return argon2.IDKey([]byte(secret), []byte("hpolyc"), 3, 64*1024, 4, 32)

4
vfs/xts/README.md
View File

@@ -9,12 +9,12 @@ In general, any XTS construction can be used to wrap any VFS.
The default AES-XTS construction uses AES-128, AES-192, or AES-256 The default AES-XTS construction uses AES-128, AES-192, or AES-256
for its block cipher. for its block cipher.
Additionally, we use [PBKDF2-HMAC-SHA512](https://pkg.go.dev/golang.org/x/crypto/pbkdf2) Additionally, we use [PBKDF2-HMAC-SHA512](https://pkg.go.dev/crypto/pbkdf2)
to derive AES-128 keys from plain text where needed. to derive AES-128 keys from plain text where needed.
File contents are encrypted in 512 byte sectors, matching the File contents are encrypted in 512 byte sectors, matching the
[minimum](https://sqlite.org/fileformat.html#pages) SQLite page size. [minimum](https://sqlite.org/fileformat.html#pages) SQLite page size.
This VFS uses _only_ NIST and FIPS 140-2 approved cryptographic primitives, This VFS uses _only_ NIST and FIPS 140-3 approved cryptographic primitives,
which _may_ help you become FIPS compliant. which _may_ help you become FIPS compliant.
The VFS encrypts all files _except_ The VFS encrypts all files _except_

12
vfs/xts/aes.go
View File

@@ -2,10 +2,10 @@ package xts
import ( import (
"crypto/aes" "crypto/aes"
"crypto/pbkdf2"
"crypto/rand" "crypto/rand"
"crypto/sha512" "crypto/sha512"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/crypto/xts" "golang.org/x/crypto/xts"
) )
@@ -27,8 +27,12 @@ func (aesCreator) XTS(key []byte) *xts.Cipher {
func (aesCreator) KDF(text string) []byte { func (aesCreator) KDF(text string) []byte {
if text == "" { if text == "" {
key := make([]byte, 32) key := make([]byte, 32)
n, _ := rand.Read(key) rand.Read(key)
return key[:n] return key
} }
return pbkdf2.Key([]byte(text), []byte(pepper), 10_000, 32, sha512.New) key, err := pbkdf2.Key(sha512.New, text, []byte(pepper), 10_000, 32)
if err != nil {
panic(err)
}
return key
} }