951 potentially insecure hkdf use (#972)

roman-khimov · web-flow · commit 2ed8aba902e6 · 2024-07-24T15:21:27.000+03:00
Closes #951.
diff --git a/.golangci.yml b/.golangci.yml
@@ -12,7 +12,8 @@ run:
 # output configuration options
 output:
   # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: tab
+  formats:
+    - format: tab
 
 # all available settings of specific linters
 linters-settings:
@@ -21,9 +22,6 @@ linters-settings:
     # 'default' case is present, even if all enum members aren't listed in the
     # switch
     default-signifies-exhaustive: true
-  govet:
-    # report about shadowed variables
-    check-shadowing: false
 
 linters:
   enable:
diff --git a/creds/accessbox/accessbox.go b/creds/accessbox/accessbox.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 
@@ -19,6 +20,14 @@ import (
 	"google.golang.org/protobuf/proto"
 )
 
+const (
+	hkdfSaltLength = 16
+)
+
+var (
+	hkdfInfo = []byte("neofs-s3-gw")
+)
+
 // Box represents friendly AccessBox.
 type Box struct {
 	Gate     *GateData
@@ -257,16 +266,21 @@ func generateShared256(prv *keys.PrivateKey, pub *keys.PublicKey) (sk []byte, er
 	return sk, nil
 }
 
-func deriveKey(secret []byte) ([]byte, error) {
+func deriveKey(secret []byte, hkdfSalt []byte) ([]byte, error) {
 	hash := sha256.New
-	kdf := hkdf.New(hash, secret, nil, nil)
+	kdf := hkdf.New(hash, secret, hkdfSalt, hkdfInfo)
 	key := make([]byte, 32)
 	_, err := io.ReadFull(kdf, key)
 	return key, err
 }
 
 func encrypt(owner *keys.PrivateKey, sender *keys.PublicKey, data []byte) ([]byte, error) {
-	enc, err := getCipher(owner, sender)
+	hkdfSalt := make([]byte, hkdfSaltLength)
+	if _, err := rand.Read(hkdfSalt); err != nil {
+		return nil, fmt.Errorf("generate hkdf salt: %w", err)
+	}
+
+	enc, err := getCipher(owner, sender, hkdfSalt)
 	if err != nil {
 		return nil, fmt.Errorf("get chiper: %w", err)
 	}
@@ -276,14 +290,19 @@ func encrypt(owner *keys.PrivateKey, sender *keys.PublicKey, data []byte) ([]byt
 		return nil, fmt.Errorf("generate random nonce: %w", err)
 	}
 
-	return enc.Seal(nonce, nonce, data, nil), nil
+	return append(hkdfSalt, enc.Seal(nonce, nonce, data, nil)...), nil
 }
 
 func decrypt(owner *keys.PrivateKey, sender *keys.PublicKey, data []byte) ([]byte, error) {
-	dec, err := getCipher(owner, sender)
+	if len(data) < hkdfSaltLength {
+		return nil, errors.New("invalid data length")
+	}
+
+	dec, err := getCipher(owner, sender, data[:hkdfSaltLength])
 	if err != nil {
 		return nil, fmt.Errorf("get chiper: %w", err)
 	}
+	data = data[hkdfSaltLength:]
 
 	if ld, ns := len(data), dec.NonceSize(); ld < ns {
 		return nil, fmt.Errorf("wrong data size (%d), should be greater than %d", ld, ns)
@@ -293,13 +312,13 @@ func decrypt(owner *keys.PrivateKey, sender *keys.PublicKey, data []byte) ([]byt
 	return dec.Open(nil, nonce, cypher, nil)
 }
 
-func getCipher(owner *keys.PrivateKey, sender *keys.PublicKey) (cipher.AEAD, error) {
+func getCipher(owner *keys.PrivateKey, sender *keys.PublicKey, hkdfSalt []byte) (cipher.AEAD, error) {
 	secret, err := generateShared256(owner, sender)
 	if err != nil {
 		return nil, fmt.Errorf("generate shared key: %w", err)
 	}
 
-	key, err := deriveKey(secret)
+	key, err := deriveKey(secret, hkdfSalt)
 	if err != nil {
 		return nil, fmt.Errorf("derive key: %w", err)
 	}
