Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: cover 100% of crypto with tests #1892

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: cover 100% of crypto with tests #1892

wants to merge 2 commits into from

Conversation

hf
Copy link
Contributor

@hf hf commented Dec 24, 2024

Covers a 100% of the crypto package with tests.

@hf hf requested a review from a team as a code owner December 24, 2024 17:49
hf
hf commented Dec 24, 2024
View reviewed changes
internal/api/hooks.go
@@ -382,3 +380,26 @@ func (a *API) runHook(r *http.Request, conn *storage.Connection, hookConfig conf

return response, nil
}

func generateSignatures(secrets []string, msgID uuid.UUID, currentTime time.Time, inputPayload []byte) ([]string, error) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved this here since it seemed off in crypto.

@coveralls
Copy link

coveralls commented Dec 24, 2024
edited
Loading

Pull Request Test Coverage Report for Build 12485140393

Details

  • 83 of 97 (85.57%) changed or added relevant lines in 8 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.7%) to 65.436%
Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/api/hooks.go 7 21 33.33%
Totals Coverage Status
Change from base Build 12482434145: 0.7%
Covered Lines: 9820
Relevant Lines: 15007
💛 - Coveralls

@hf hf force-pushed the hf/cover-crypto-100 branch 2 times, most recently from b667a3d to 14b0ec5 Compare December 24, 2024 18:24
@hf hf force-pushed the hf/cover-crypto-100 branch from 14b0ec5 to b1a9f64 Compare December 24, 2024 18:37
J0
J0 reviewed Dec 30, 2024
View reviewed changes
internal/crypto/password.go
var argon2HashRegexp = regexp.MustCompile("^[$](?P<alg>argon2(d|i|id))[$]v=(?P<v>(16|19))[$]m=(?P<m>[0-9]+),t=(?P<t>[0-9]+),p=(?P<p>[0-9]+)(,keyid=(?P<keyid>[^,$]+))?(,data=(?P<data>[^$]+))?[$](?P<salt>[^$]+)[$](?P<hash>.+)$")
var scryptHashRegexp = regexp.MustCompile(`^\$(?P<alg>fbscrypt)\$v=(?P<v>[0-9]+),n=(?P<n>[0-9]+),r=(?P<r>[0-9]+),p=(?P<p>[0-9]+)(?:,ss=(?P<ss>[^,]+))?(?:,sk=(?P<sk>[^$]+))?\$(?P<salt>[^$]+)\$(?P<hash>.+)$`)
var argon2HashRegexp = regexp.MustCompile("^[$](?P<alg>argon2(d|i|id))[$]v=(?P<v>(16|19))[$]m=(?P<m>[0-9]+),t=(?P<t>[0-9]+),p=(?P<p>[0-9]+)(,keyid=(?P<keyid>[^,$]+))?(,data=(?P<data>[^$]+))?[$](?P<salt>[^$]*)[$](?P<hash>.*)$")
var scryptHashRegexp = regexp.MustCompile(`^\$fbscrypt\$v=(?P<v>[0-9]+),n=(?P<n>[0-9]+),r=(?P<r>[0-9]+),p=(?P<p>[0-9]+)(?:,ss=(?P<ss>[^,]+))?(?:,sk=(?P<sk>[^$]+))?\$(?P<salt>[^$]+)\$(?P<hash>.+)$`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, we can have scrypt as a separate HashInput

/nit I guess perhaps a more appropriate name might be fbscryptHashRegexp? Though I guess that can be addressed if we do add scrypt support.

J0
J0 reviewed Dec 30, 2024
View reviewed changes
internal/crypto/password.go
rounds, err := strconv.ParseUint(r, 10, 64)
if err != nil {
return nil, fmt.Errorf("crypto: Firebase scrypt hash has invalid r parameter %q: %w", r, err)
}
if rounds == 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All for the additional safeguards, and defensive programming given this is a critical section for the auth system.

However, in case we ever end up digging into this section, here's were some of the initial considerations when going through the code

the current version of the library should panic if rounds == 0 or threads=0

https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.31.0:scrypt/scrypt.go;l=133

on this line since
in[(2*r-1)*16:] would equate to in[-16]

For threads=0 it should also return a division by 0 error :

if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
		return nil, errors.New("scrypt: parameters are too large")
	}

J0
J0 approved these changes Dec 30, 2024
View reviewed changes
Copy link
Contributor

@J0 J0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@hf hf mentioned this pull request Jan 5, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@J0 J0 J0 approved these changes

@cstockton cstockton cstockton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hf @coveralls @cstockton @J0