nspcc-dev / neofs-s3-gw

NeoFS S3 Protocol Gateway
GNU Affero General Public License v3.0

Potentially insecure hkdf use #951

Closed roman-khimov closed 1 month ago

roman-khimov commented 3 months ago

Current Behavior

kdf := hkdf.New(hash, secret, nil, nil). No salt, no app-specific info.

Expected Behavior

App-specific info and salt used.

Possible Solution

Hardcode info, add some salt. Breaking change, but the gateway is not used in production.

Your Environment
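Added example (not the gateway's code, and not from the issue author): a stdlib-only HKDF per RFC 5869 that shows what `hkdf.New(hash, secret, nil, nil)` actually computes (a nil salt becomes HashLen zero bytes, so it is a fixed, public salt rather than none) beside a derivation with a stored salt and app-specific info. The secret, salt and info strings are constructed samples; `DeriveKey` is a hypothetical helper name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// hkdfExtract is HKDF-Extract (RFC 5869 §2.2): PRK = HMAC(salt, IKM).
// With a nil or empty salt the RFC substitutes HashLen zero bytes, which is
// exactly what x/crypto/hkdf does when it is handed nil.
func hkdfExtract(h func() hash.Hash, secret, salt []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, h().Size())
	}
	mac := hmac.New(h, salt)
	mac.Write(secret)
	return mac.Sum(nil)
}

// hkdfExpand is HKDF-Expand (§2.3): T(i) = HMAC(PRK, T(i-1) || info || i).
func hkdfExpand(h func() hash.Hash, prk, info []byte, length int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ {
		mac := hmac.New(h, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{i})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// DeriveKey (hypothetical helper) runs both steps over SHA-256; this is the
// same computation hkdf.New(sha256.New, secret, salt, info) performs.
func DeriveKey(secret, salt, info []byte, length int) []byte {
	return hkdfExpand(sha256.New, hkdfExtract(sha256.New, secret, salt), info, length)
}

func main() {
	secret := []byte("constructed-secret") // constructed sample input
	weak := DeriveKey(secret, nil, nil, 32) // the call as reported in the issue
	salt := []byte("constructed-random-salt") // in practice random, stored beside the data
	hard := DeriveKey(secret, salt, []byte("neofs-s3-gw v1 object key"), 32)
	fmt.Println("nil salt/info:", hex.EncodeToString(weak))
	fmt.Println("salt+info:    ", hex.EncodeToString(hard))
}
```

The test below also checks the helper against RFC 5869 test case 1 and confirms that the nil-salt key equals the key derived with 32 zero bytes of salt.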

roman-khimov commented 2 months ago

Salt is to be stored somewhere nearby, as usual.

cthulhu-rider commented 2 months ago

Salt is to be stored somewhere

What do you mean - in what storage?