Changed PBKDF2 hash from SHA512 to SHA256 (according to Crypt4GH specification)

kjetilkl · kjetilkl · commit 6d7085f32a55 · 2024-12-20T12:03:13.000+01:00
diff --git a/kdf/kdf.go b/kdf/kdf.go
@@ -2,7 +2,7 @@
 package kdf
 
 import (
-	"crypto/sha512"
+	"crypto/sha256"
 
 	// package is old but corresponds to "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
 	"github.com/dchest/bcrypt_pbkdf"
@@ -15,7 +15,7 @@ import (
 var KDFS = map[string]KDF{
 	"scrypt":             sCrypt{},
 	"bcrypt":             bCrypt{},
-	"pbkdf2_hmac_sha256": pbkdf2sha512{},
+	"pbkdf2_hmac_sha256": pbkdf2sha256{},
 }
 
 // KDF interface holding "Derive" method.
@@ -37,9 +37,9 @@ func (bCrypt) Derive(rounds int, password, salt []byte) (derivedKey []byte, err
 	return bcrypt_pbkdf.Key(password, salt, rounds, chacha20poly1305.KeySize)
 }
 
-type pbkdf2sha512 struct {
+type pbkdf2sha256 struct {
 }
 
-func (pbkdf2sha512) Derive(rounds int, password, salt []byte) (derivedKey []byte, err error) {
-	return pbkdf2.Key(password, salt, rounds, chacha20poly1305.KeySize, sha512.New), nil
+func (pbkdf2sha256) Derive(rounds int, password, salt []byte) (derivedKey []byte, err error) {
+	return pbkdf2.Key(password, salt, rounds, chacha20poly1305.KeySize, sha256.New), nil
 }
diff --git a/kdf/kdf_test.go b/kdf/kdf_test.go
@@ -20,7 +20,7 @@ func TestKDF(t *testing.T) {
 		},
 		{
 			name: "pbkdf2_hmac_sha256",
-			hash: "72bf7d2b4d1f18c97a333e3a89e7f22dc9771b968ddcbc1a494fbbf507059b13",
+			hash: "dd3352defb9aa734875f7a32b60e4bcf9e3671216d6e0c39f135f0297bf8e121",
 		},
 	}
 	for _, test := range tests {

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`package kdf`
`3`	`3`
`4`	`4`	`import (`
`5`		`- "crypto/sha512"`
	`5`	`+ "crypto/sha256"`
`6`	`6`
`7`	`7`	`// package is old but corresponds to "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"`
`8`	`8`	`"github.com/dchest/bcrypt_pbkdf"`
`@@ -15,7 +15,7 @@ import (`
`15`	`15`	`var KDFS = map[string]KDF{`
`16`	`16`	`"scrypt": sCrypt{},`
`17`	`17`	`"bcrypt": bCrypt{},`
`18`		`- "pbkdf2_hmac_sha256": pbkdf2sha512{},`
	`18`	`+ "pbkdf2_hmac_sha256": pbkdf2sha256{},`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`// KDF interface holding "Derive" method.`
`@@ -37,9 +37,9 @@ func (bCrypt) Derive(rounds int, password, salt []byte) (derivedKey []byte, err`
`37`	`37`	`return bcrypt_pbkdf.Key(password, salt, rounds, chacha20poly1305.KeySize)`
`38`	`38`	`}`
`39`	`39`
`40`		`-type pbkdf2sha512 struct {`
	`40`	`+type pbkdf2sha256 struct {`
`41`	`41`	`}`
`42`	`42`
`43`		`-func (pbkdf2sha512) Derive(rounds int, password, salt []byte) (derivedKey []byte, err error) {`
`44`		`- return pbkdf2.Key(password, salt, rounds, chacha20poly1305.KeySize, sha512.New), nil`
	`43`	`+func (pbkdf2sha256) Derive(rounds int, password, salt []byte) (derivedKey []byte, err error) {`
	`44`	`+ return pbkdf2.Key(password, salt, rounds, chacha20poly1305.KeySize, sha256.New), nil`
`45`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func TestKDF(t *testing.T) {`
`20`	`20`	`},`
`21`	`21`	`{`
`22`	`22`	`name: "pbkdf2_hmac_sha256",`
`23`		`- hash: "72bf7d2b4d1f18c97a333e3a89e7f22dc9771b968ddcbc1a494fbbf507059b13",`
	`23`	`+ hash: "dd3352defb9aa734875f7a32b60e4bcf9e3671216d6e0c39f135f0297bf8e121",`
`24`	`24`	`},`
`25`	`25`	`}`
`26`	`26`	`for _, test := range tests {`