github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(fips): use standard lib pbkdf2 [be-12164] (#1038)

pull/12567/merge
Malcolm Lockyer 2025-08-15 11:44:35 +12:00 committed by GitHub
parent 10b129a02e
commit a760426b87
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.golangci.yaml
View File

@ -37,6 +37,8 @@ linters:
desc: use github.com/portainer/portainer/pkg/libcrypto desc: use github.com/portainer/portainer/pkg/libcrypto
- pkg: github.com/portainer/libhttp - pkg: github.com/portainer/libhttp
desc: use github.com/portainer/portainer/pkg/libhttp desc: use github.com/portainer/portainer/pkg/libhttp
- pkg: golang.org/x/crypto/pbkdf2
desc: use standard crypto/pbkdf2 instead - important for FIPS mode
forbidigo: forbidigo:
forbid: forbid:
- pattern: ^tls\.Config$ - pattern: ^tls\.Config$

12
api/crypto/aes.go
View File

@ -5,6 +5,7 @@ import (
"bytes" "bytes"
"crypto/aes" "crypto/aes"
"crypto/cipher" "crypto/cipher"
"crypto/pbkdf2"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"errors" "errors"
@ -15,7 +16,6 @@ import (
"github.com/portainer/portainer/pkg/fips" "github.com/portainer/portainer/pkg/fips"
"golang.org/x/crypto/argon2" "golang.org/x/crypto/argon2"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/crypto/scrypt" "golang.org/x/crypto/scrypt"
) )
@ -248,7 +248,10 @@ func aesEncryptGCMFIPS(input io.Reader, output io.Writer, passphrase []byte) err
return err return err
} }
key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New) key, err := pbkdf2.Key(sha256.New, string(passphrase), salt, pbkdf2Iterations, 32)
if err != nil {
return fmt.Errorf("error deriving key: %w", err)
}
block, err := aes.NewCipher(key) block, err := aes.NewCipher(key)
if err != nil { if err != nil {
@ -315,7 +318,10 @@ func aesDecryptGCMFIPS(input io.Reader, passphrase []byte) (io.Reader, error) {
return nil, err return nil, err
} }
key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New) key, err := pbkdf2.Key(sha256.New, string(passphrase), salt, pbkdf2Iterations, 32)
if err != nil {
return nil, fmt.Errorf("error deriving key: %w", err)
}
// Initialize AES cipher block // Initialize AES cipher block
block, err := aes.NewCipher(key) block, err := aes.NewCipher(key)