diff options
| author | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 11:35:07 -0500 |
|---|---|---|
| committer | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 11:45:18 -0500 |
| commit | ac5b030f71434123bea60f9b1d918a59f19fed6a (patch) | |
| tree | 4472e5c976692c20e68218eb9fe6a56cee201d1c /internal/goaes.go | |
| parent | b1f9ade1154df9353f19141d3ca719a8bb7936e8 (diff) | |
Switch to argon2
Diffstat (limited to 'internal/goaes.go')
| -rw-r--r-- | internal/goaes.go | 40 |
1 files changed, 22 insertions, 18 deletions
diff --git a/internal/goaes.go b/internal/goaes.go index 1923b8e..7d4f476 100644 --- a/internal/goaes.go +++ b/internal/goaes.go @@ -4,59 +4,63 @@ import ( "crypto/aes" "crypto/cipher" "crypto/rand" - "crypto/sha256" "encoding/base64" "errors" "fmt" "io" "os" - "golang.org/x/crypto/pbkdf2" + "golang.org/x/crypto/argon2" ) const ( - keyIterations = 600_000 - keyLength = 32 + time = 3 + memory = 256 * 1024 + threads = 4 + keyLen = 32 ) -func NewKEKFromEnvB64(passphraseEnvVar, saltEnvVar string) (KEK, error) { +func NewKEKFromEnvB64(passphraseEnvVar string) (KEK, Salt, error) { b64Passphrase := os.Getenv(passphraseEnvVar) if b64Passphrase == "" { - return nil, fmt.Errorf("%s is not set", passphraseEnvVar) - } - - b64Salt := os.Getenv(saltEnvVar) - if b64Salt == "" { - return nil, fmt.Errorf("%s is not set", saltEnvVar) + return nil, nil, fmt.Errorf("%s is not set", passphraseEnvVar) } passphrase, err := base64.StdEncoding.DecodeString(b64Passphrase) if err != nil { - return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err) + return nil, nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err) } - salt, err := base64.StdEncoding.DecodeString(b64Salt) + salt, err := NewSalt() if err != nil { - return nil, fmt.Errorf("decode %s base64: %w", saltEnvVar, err) + return nil, nil, fmt.Errorf("failed to create salt %w", err) } - raw := pbkdf2.Key(passphrase, salt, keyIterations, keyLength, sha256.New) + raw := argon2.IDKey(passphrase, salt, time, memory, threads, keyLen) if !validAESKeyLen(len(raw)) { - return nil, errBadKeyLn + return nil, nil, errBadKeyLn } - return KEK(raw), nil + return KEK(raw), Salt(salt), nil } func NewDEK() (DEK, error) { - key := make([]byte, 32) // AES-256 + key := make([]byte, 32) if _, err := io.ReadFull(rand.Reader, key); err != nil { return nil, fmt.Errorf("random DEK gen: %w", err) } return DEK(key), nil } +func NewSalt() (Salt, error) { + key := make([]byte, 32) + if _, err := io.ReadFull(rand.Reader, key); err != nil { + return nil, fmt.Errorf("random salt gen: %w", err) + } + return Salt(key), nil +} + func WrapDEK(dek DEK, kek KEK) (WrappedDEK, error) { edek, err := encryptAEAD([]byte(dek), []byte(kek), aadWrapDEK) return WrappedDEK(edek), err |