proxy: replace use of bcrypt with sha256
Unfortunately bcrypt only hashes the first 72 bytes of a given input which meant that using it on ssh keys which are longer than 72 bytes was incorrect. This swaps over to using sha256 which should be adequate for the purpose of protecting in memory passwords where the unencrypted password is likely in memory too.
This commit is contained in:
Nick Craig-Wood
parent
f2a789ea98
commit
b88dec51e5
2 changed files with 16 additions and 17 deletions
|
|
@ -3,6 +3,7 @@ package proxy
|
|||
import (
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"log"
|
||||
"strings"
|
||||
|
|
@ -13,7 +14,6 @@ import (
|
|||
"github.com/rclone/rclone/fs/config/obscure"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
|
|
@ -85,8 +85,7 @@ func TestRun(t *testing.T) {
|
|||
require.True(t, ok)
|
||||
|
||||
// check hash is correct in entry
|
||||
err = bcrypt.CompareHashAndPassword(entry.pwHash, passwordBytes)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, entry.pwHash, sha256.Sum256(passwordBytes))
|
||||
require.NotNil(t, entry.vfs)
|
||||
f := entry.vfs.Fs()
|
||||
require.NotNil(t, f)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue