Verify pbkdf2 hash function implementation #530

Open
GabhenDM opened this issue Mar 22, 2021 · 0 comments · May be fixed by #531
As discussed on #529 and #526, the API Dockerfile would throw the following error upon starting:

```
panic: crypto/hmac: hash generation function does not produce unique values

goroutine 1 [running]:
crypto/hmac.New(0xc0005cdbf0, 0xc0004d88d0, 0xf, 0x10, 0x0, 0x10)
	/usr/local/go/src/crypto/hmac/hmac.go:143 +0x370
golang.org/x/crypto/pbkdf2.Key(0xc0004d88d0, 0xf, 0x10, 0xc0003ee4c0, 0x40, 0x40, 0x186a0, 0x200, 0xc0005cdbf0, 0x0, ...)
	/go/pkg/mod/golang.org/x/[email protected]/pbkdf2/pbkdf2.go:43 +0x67
github.com/globocom/huskyCI/api/user.InsertDefaultUser(0xa28e60, 0xc00019c000)
	/go/src/github.com/globocom/huskyCI/api/user/user.go:58 +0x333
github.com/globocom/huskyCI/api/util/api.(*CheckUtils).checkDefaultUser(0xce2678, 0xc000022380, 0x98a011, 0x8)
	/go/src/github.com/globocom/huskyCI/api/util/api/api.go:139 +0x158
github.com/globocom/huskyCI/api/util/api.HuskyUtils.CheckHuskyRequirements(0xa33258, 0xce2678, 0xc000022380, 0x6, 0xb)
	/go/src/github.com/globocom/huskyCI/api/util/api/api.go:47 +0x22c
main.main()
	/go/src/github.com/globocom/huskyCI/api/server.go:46 +0x1ff
```

As found by @aranhams, that error validation was introduced in Go version 1.16, as stated in the changelog:

> crypto/hmac
>
> New will now panic if separate calls to the hash generation function fail to return new values. Previously, the behavior was undefined and invalid outputs were sometimes generated.

We therefore believe that the implementation of the hash generation function already had an error, and only began to break after the validation was introduced in the crypto library.

As a workaround, we fixed the Golang version used in the API Dockerfile at 1.15, in order to allow normal execution of the project.

This issue is open in order to better investigate this error, and perform all necessary changes in order to be able to execute the API in Go's latest version without errors.

gustavocovas added a commit that referenced this issue Mar 22, 2021
gustavocovas linked a pull request Mar 22, 2021 that will close this issue
rogeriobastos pushed a commit to rogeriobastos/huskyCI that referenced this issue Jul 9, 2021
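
The class of bug the Go 1.16 changelog entry describes can be reproduced with the standard library alone. This is an added example, not code from huskyCI or from this issue: `sharedFactory`, `freshFactory` and `tryHMAC` are hypothetical names, and the key and message are constructed sample values. It needs Go 1.16 or later to show the panic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
)

// sharedFactory (hypothetical) returns the same hash.Hash on every call, so
// HMAC's inner and outer hashes would alias one object.
func sharedFactory() func() hash.Hash {
	h := sha512.New()
	return func() hash.Hash { return h }
}

// freshFactory returns a new, independent hash.Hash on every call.
func freshFactory() func() hash.Hash {
	return sha512.New
}

// tryHMAC tags msg with HMAC and converts a panic from hmac.New into a
// returned message, so both factories can be compared in one run.
func tryHMAC(newHash func() hash.Hash, key, msg []byte) (tag, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			tag, panicMsg = "", fmt.Sprint(r)
		}
	}()
	mac := hmac.New(newHash, key)
	mac.Write(msg)
	return hex.EncodeToString(mac.Sum(nil)), ""
}

func main() {
	// Constructed sample inputs.
	key, msg := []byte("constructed-key"), []byte("constructed-message")
	for name, f := range map[string]func() hash.Hash{
		"shared": sharedFactory(), "fresh": freshFactory(),
	} {
		tag, p := tryHMAC(f, key, msg)
		fmt.Printf("%-6s tag=%.16s panic=%q\n", name, tag, p)
	}
}
```

The same function value is what `pbkdf2.Key` forwards to `hmac.New` in the stack trace above, so a generator that closes over one hash instance fails at that call.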