Change all key generation to use PBKDF2;

change all internal encryption back to cbc mode; add hidden command to convert from gcm to cbc internally
2025-12-14 21:27:22 +00:00 · 2019-07-08 20:45:01 -04:00 · 2019-07-08 20:45:01 -04:00 · 347fbe7268
commit 347fbe7268
parent da95f9a5f0
12 changed files with 288 additions and 53 deletions
--- a/crypto/cbc.go
+++ b/crypto/cbc.go
@ -7,7 +7,7 @@ import (
 	"fmt"
 	"io"

-	"github.com/cloudflare/redoctober/padding"
+	"github.com/ncw/rclone/backend/crypt/pkcs7"
 )

 func CBCEncrypt(key []byte, plaintext []byte) ([]byte, error) {
@ -15,7 +15,7 @@ func CBCEncrypt(key []byte, plaintext []byte) ([]byte, error) {
 		return nil, fmt.Errorf("key is not 32 bytes")
 	}

-	plaintext = padding.AddPadding(plaintext)
+	plaintext = pkcs7.Pad(aes.BlockSize, plaintext)

 	if len(plaintext)%aes.BlockSize != 0 {
 		return nil, fmt.Errorf("plaintext is not a multiple of the block size")
@ -64,5 +64,5 @@ func CBCDecrypt(key []byte, ciphertext []byte) ([]byte, error) {
 	mode := cipher.NewCBCDecrypter(block, iv)
 	mode.CryptBlocks(ciphertext, ciphertext)

-	return padding.RemovePadding(ciphertext)
+	return pkcs7.Unpad(aes.BlockSize, ciphertext)
 }
--- a/crypto/pbkdf2.go
+++ b/crypto/pbkdf2.go
@ -0,0 +1,16 @@
+package crypto
+
+import (
+	"crypto/sha256"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	PBKDF2Rounds = 4096
+	KeyLength    = 32
+)
+
+func GeneratePBKDF2Key(password, salt []byte) []byte {
+	return pbkdf2.Key([]byte(password), []byte(salt), PBKDF2Rounds, KeyLength, sha256.New)
+}