diff options
| -rw-r--r-- | crypto/pbkdf2.go | 56 | ||||
| -rw-r--r-- | crypto/pbkdf2_test.go | 83 | ||||
| -rw-r--r-- | docs/content/functions/crypto.md | 99 | ||||
| -rw-r--r-- | funcs.go | 1 | ||||
| -rw-r--r-- | funcs/crypto.go | 109 | ||||
| -rw-r--r-- | funcs/crypto_test.go | 46 |
6 files changed, 394 insertions, 0 deletions
diff --git a/crypto/pbkdf2.go b/crypto/pbkdf2.go new file mode 100644 index 00000000..e22d5fee --- /dev/null +++ b/crypto/pbkdf2.go @@ -0,0 +1,56 @@ +package crypto + +import ( + "crypto" + "crypto/sha1" + "crypto/sha256" + "crypto/sha512" + "fmt" + "hash" + + "golang.org/x/crypto/pbkdf2" +) + +var hashFuncs map[crypto.Hash]func() hash.Hash + +func init() { + hashFuncs = make(map[crypto.Hash]func() hash.Hash) + hashFuncs[crypto.SHA1] = sha1.New + hashFuncs[crypto.SHA224] = sha256.New224 + hashFuncs[crypto.SHA256] = sha256.New + hashFuncs[crypto.SHA384] = sha512.New384 + hashFuncs[crypto.SHA512] = sha512.New + hashFuncs[crypto.SHA512_224] = sha512.New512_224 + hashFuncs[crypto.SHA512_256] = sha512.New512_256 +} + +// StrToHash - find a hash given a certain string +func StrToHash(hash string) (crypto.Hash, error) { + switch hash { + case "SHA1", "SHA-1": + return crypto.SHA1, nil + case "SHA224", "SHA-224": + return crypto.SHA224, nil + case "SHA256", "SHA-256": + return crypto.SHA256, nil + case "SHA384", "SHA-384": + return crypto.SHA384, nil + case "SHA512", "SHA-512": + return crypto.SHA512, nil + case "SHA512_224", "SHA512/224", "SHA-512_224", "SHA-512/224": + return crypto.SHA512_224, nil + case "SHA512_256", "SHA512/256", "SHA-512_256", "SHA-512/256": + return crypto.SHA512_256, nil + } + return 0, fmt.Errorf("no such hash %s", hash) +} + +// PBKDF2 - Run the Password-Based Key Derivation Function #2 as defined in +// RFC 8018 (PKCS #5 v2.1) +func PBKDF2(password, salt []byte, iter, keylen int, hashFunc crypto.Hash) ([]byte, error) { + h, ok := hashFuncs[hashFunc] + if !ok { + return nil, fmt.Errorf("hashFunc not supported: %v", hashFunc) + } + return pbkdf2.Key(password, salt, iter, keylen, h), nil +} diff --git a/crypto/pbkdf2_test.go b/crypto/pbkdf2_test.go new file mode 100644 index 00000000..7d46159f --- /dev/null +++ b/crypto/pbkdf2_test.go @@ -0,0 +1,83 @@ +package crypto + +import ( + "crypto" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestPBKDF2(t *testing.T) { + dk, err := PBKDF2([]byte{}, []byte{}, 0, 0, 0) + assert.Nil(t, dk) + assert.Error(t, err) + + // IEEE 802.11i-2004 test vectors + dk, err = PBKDF2([]byte("password"), []byte("IEEE"), 4096, 32, crypto.SHA1) + assert.EqualValues(t, []byte{ + 0xf4, 0x2c, 0x6f, 0xc5, 0x2d, 0xf0, 0xeb, 0xef, + 0x9e, 0xbb, 0x4b, 0x90, 0xb3, 0x8a, 0x5f, 0x90, + 0x2e, 0x83, 0xfe, 0x1b, 0x13, 0x5a, 0x70, 0xe2, + 0x3a, 0xed, 0x76, 0x2e, 0x97, 0x10, 0xa1, 0x2e, + }, dk) + assert.NoError(t, err) + + dk, err = PBKDF2([]byte("ThisIsAPassword"), []byte("ThisIsASSID"), 4096, 32, crypto.SHA1) + assert.EqualValues(t, []byte{ + 0x0d, 0xc0, 0xd6, 0xeb, 0x90, 0x55, 0x5e, 0xd6, + 0x41, 0x97, 0x56, 0xb9, 0xa1, 0x5e, 0xc3, 0xe3, + 0x20, 0x9b, 0x63, 0xdf, 0x70, 0x7d, 0xd5, 0x08, + 0xd1, 0x45, 0x81, 0xf8, 0x98, 0x27, 0x21, 0xaf, + }, dk) + assert.NoError(t, err) + + dk, err = PBKDF2([]byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"), 4096, 32, crypto.SHA1) + assert.EqualValues(t, []byte{ + 0xbe, 0xcb, 0x93, 0x86, 0x6b, 0xb8, 0xc3, 0x83, + 0x2c, 0xb7, 0x77, 0xc2, 0xf5, 0x59, 0x80, 0x7c, + 0x8c, 0x59, 0xaf, 0xcb, 0x6e, 0xae, 0x73, 0x48, + 0x85, 0x00, 0x13, 0x00, 0xa9, 0x81, 0xcc, 0x62, + }, dk) + assert.NoError(t, err) + + // some longer hash functions + dk, err = PBKDF2([]byte("password"), []byte("IEEE"), 4096, 64, crypto.SHA512) + assert.EqualValues(t, []byte{ + 0xc1, 0x6f, 0x4c, 0xb6, 0xd0, 0x3e, 0x23, 0x61, + 0x43, 0x99, 0xde, 0xe5, 0xe7, 0xf6, 0x76, 0xfb, + 0x1d, 0xa0, 0xeb, 0x94, 0x71, 0xb6, 0xa7, 0x4a, + 0x6c, 0x5b, 0xc9, 0x34, 0xc6, 0xec, 0x7d, 0x2a, + 0xb7, 0x02, 0x8f, 0xbb, 0x10, 0x00, 0xb1, 0xbe, + 0xb9, 0x7f, 0x17, 0x64, 0x60, 0x45, 0xd8, 0x14, + 0x47, 0x92, 0x35, 0x2f, 0x66, 0x76, 0xd1, 0x3b, + 0x20, 0xa4, 0xc0, 0x37, 0x54, 0x90, 0x3d, 0x7e, + }, dk) + assert.NoError(t, err) +} + +func TestStrToHash(t *testing.T) { + h, err := StrToHash("foo") + assert.Zero(t, h) + assert.Error(t, err) + h, err = StrToHash("SHA-1") + assert.Equal(t, crypto.SHA1, h) + assert.NoError(t, err) + h, err = StrToHash("SHA224") + assert.Equal(t, crypto.SHA224, h) + assert.NoError(t, err) + h, err = StrToHash("SHA-256") + assert.Equal(t, crypto.SHA256, h) + assert.NoError(t, err) + h, err = StrToHash("SHA384") + assert.Equal(t, crypto.SHA384, h) + assert.NoError(t, err) + h, err = StrToHash("SHA-512") + assert.Equal(t, crypto.SHA512, h) + assert.NoError(t, err) + h, err = StrToHash("SHA-512/224") + assert.Equal(t, crypto.SHA512_224, h) + assert.NoError(t, err) + h, err = StrToHash("SHA512/256") + assert.Equal(t, crypto.SHA512_256, h) + assert.NoError(t, err) +} diff --git a/docs/content/functions/crypto.md b/docs/content/functions/crypto.md new file mode 100644 index 00000000..f5faa20e --- /dev/null +++ b/docs/content/functions/crypto.md @@ -0,0 +1,99 @@ +--- +title: crypto functions +menu: + main: + parent: functions +--- + +A set of crypto-related functions to be able to perform hashing and (simple!) encryption operations with `gomplate`. + +_Note: These functions are mostly wrappers of existing functions in the Go standard library. The authors of gomplate are not cryptographic experts, however, and so can not guarantee correctness of implementation. Do not use gomplate for critical security infrastructure!_ + +## `crypto.PBKDF2` + +Run the Password-Based Key Derivation Function #2 as defined in +[RFC 8018 (PKCS #5 v2.1)](https://tools.ietf.org/html/rfc8018#section-5.2). + +This function outputs the binary result as a hexidecimal string. + +### Usage +``` +crypto.PBKDF2 password salt iter keylen [hashfunc] +``` + +### Arguments + +| name | description | +|--------|-------| +| `password` | _(required)_ the password to use to derive the key | +| `salt` | _(required)_ the salt | +| `iter` | _(required)_ iteration count | +| `keylen` | _(required)_ desired length of derived key | +| `hashfunc` | _(optional)_ the hash function to use - must be one of the allowed functions (either in the SHA-1 or SHA-2 sets). Defaults to `SHA-1` | + +### Example + +```console +$ gomplate -i '{{ crypto.PBKDF2 "foo" "bar" 1024 8 }}' +32c4907c3c80792b +``` + +## `crypto.SHA1`, `crypto.SHA224`, `crypto.SHA256`, `crypto.SHA384`, `crypto.SHA512`, `crypto.SHA512_224`, `crypto.SHA512_256` + +Compute a checksum with a SHA-1 or SHA-2 algorithm as defined in [RFC 3174](https://tools.ietf.org/html/rfc3174) (SHA-1) and [FIPS 180-4](http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf) (SHA-2). + +These function outputs the binary result as a hexidecimal string. + +_Note: SHA-1 is cryptographically broken and should not be used for secure applications._ + +### Usage +``` +crypto.SHA1 input +crypto.SHA224 input +crypto.SHA256 input +crypto.SHA384 input +crypto.SHA512 input +crypto.SHA512_224 input +crypto.SHA512_256 input +``` + +### Arguments + +| name | description | +|--------|-------| +| `input` | _(required)_ the data to hash - can be binary data or text | + +### Example + +```console +$ gomplate -i '{{ crypto.SHA1 "foo" }}' +f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 +$ gomplate -i '{{ crypto.SHA512 "bar" }}' +cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063 +``` + +## `crypto.WPAPSK` + +This is really an alias to [`crypto.PBKDF2`](#crypto.PBKDF2) with the +values necessary to convert ASCII passphrases to the WPA pre-shared keys for use with WiFi networks. + +This can be used, for example, to help generate a configuration for [wpa_supplicant](http://w1.fi/wpa_supplicant/). + +### Usage +```go +crypto.WPAPSK ssid password +``` + +### Arguments + +| name | description | +|--------|-------| +| `ssid` | _(required)_ the WiFi SSID (network name) - must be less than 32 characters | +| `password` | _(required)_ the password - must be between 8 and 63 characters | + +### Examples + +```console +$ PW=abcd1234 gomplate -i '{{ crypto.WPAPSK "mynet" (getenv "PW") }}' +2c201d66f01237d17d4a7788051191f31706844ac3ffe7547a66c902f2900d34 +``` @@ -20,5 +20,6 @@ func initFuncs(d *data.Data) template.FuncMap { funcs.AddConvFuncs(f) funcs.AddTimeFuncs(f) funcs.AddMathFuncs(f) + funcs.AddCryptoFuncs(f) return f } diff --git a/funcs/crypto.go b/funcs/crypto.go new file mode 100644 index 00000000..ef54ee21 --- /dev/null +++ b/funcs/crypto.go @@ -0,0 +1,109 @@ +package funcs + +import ( + gcrypto "crypto" + "crypto/sha1" + "crypto/sha256" + "crypto/sha512" + "fmt" + "sync" + + "github.com/hairyhenderson/gomplate/conv" + + "github.com/hairyhenderson/gomplate/crypto" +) + +var ( + cryptoNS *CryptoFuncs + cryptoNSInit sync.Once +) + +// CryptoNS - the crypto namespace +func CryptoNS() *CryptoFuncs { + cryptoNSInit.Do(func() { cryptoNS = &CryptoFuncs{} }) + return cryptoNS +} + +// AddCryptoFuncs - +func AddCryptoFuncs(f map[string]interface{}) { + f["crypto"] = CryptoNS +} + +// CryptoFuncs - +type CryptoFuncs struct{} + +// PBKDF2 - Run the Password-Based Key Derivation Function #2 as defined in +// RFC 2898 (PKCS #5 v2.0). This function outputs the binary result in hex +// format. +func (f *CryptoFuncs) PBKDF2(password, salt, iter, keylen interface{}, hashFunc ...string) (k string, err error) { + var h gcrypto.Hash + if len(hashFunc) == 0 { + h = gcrypto.SHA1 + } else { + h, err = crypto.StrToHash(hashFunc[0]) + if err != nil { + return "", err + } + } + pw := toBytes(password) + s := toBytes(salt) + i := conv.ToInt(iter) + kl := conv.ToInt(keylen) + + dk, err := crypto.PBKDF2(pw, s, i, kl, h) + return fmt.Sprintf("%02x", dk), err +} + +// WPAPSK - Convert an ASCII passphrase to WPA PSK for a given SSID +func (f *CryptoFuncs) WPAPSK(ssid, password interface{}) (string, error) { + return f.PBKDF2(password, ssid, 4096, 32) +} + +// SHA1 - +func (f *CryptoFuncs) SHA1(input interface{}) string { + in := toBytes(input) + out := sha1.Sum(in) + return fmt.Sprintf("%02x", out) +} + +// SHA224 - +func (f *CryptoFuncs) SHA224(input interface{}) string { + in := toBytes(input) + out := sha256.Sum224(in) + return fmt.Sprintf("%02x", out) +} + +// SHA256 - +func (f *CryptoFuncs) SHA256(input interface{}) string { + in := toBytes(input) + out := sha256.Sum256(in) + return fmt.Sprintf("%02x", out) +} + +// SHA384 - +func (f *CryptoFuncs) SHA384(input interface{}) string { + in := toBytes(input) + out := sha512.Sum384(in) + return fmt.Sprintf("%02x", out) +} + +// SHA512 - +func (f *CryptoFuncs) SHA512(input interface{}) string { + in := toBytes(input) + out := sha512.Sum512(in) + return fmt.Sprintf("%02x", out) +} + +// SHA512_224 - +func (f *CryptoFuncs) SHA512_224(input interface{}) string { + in := toBytes(input) + out := sha512.Sum512_224(in) + return fmt.Sprintf("%02x", out) +} + +// SHA512_256 - +func (f *CryptoFuncs) SHA512_256(input interface{}) string { + in := toBytes(input) + out := sha512.Sum512_256(in) + return fmt.Sprintf("%02x", out) +} diff --git a/funcs/crypto_test.go b/funcs/crypto_test.go new file mode 100644 index 00000000..55945533 --- /dev/null +++ b/funcs/crypto_test.go @@ -0,0 +1,46 @@ +package funcs + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestPBKDF2(t *testing.T) { + c := CryptoNS() + dk, err := cryptoNS.PBKDF2("password", []byte("IEEE"), "4096", 32) + assert.Equal(t, "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e", dk) + assert.NoError(t, err) + + dk, err = c.PBKDF2([]byte("password"), "IEEE", 4096, "64", "SHA-512") + assert.Equal(t, "c16f4cb6d03e23614399dee5e7f676fb1da0eb9471b6a74a6c5bc934c6ec7d2ab7028fbb1000b1beb97f17646045d8144792352f6676d13b20a4c03754903d7e", dk) + assert.NoError(t, err) + + _, err = c.PBKDF2(nil, nil, nil, nil, "bogus") + assert.Error(t, err) +} + +func TestWPAPSK(t *testing.T) { + dk, err := cryptoNS.WPAPSK("password", "MySSID") + assert.Equal(t, "3a98def84b11644a17ebcc9b17955d2360ce8b8a85b8a78413fc551d722a84e7", dk) + assert.NoError(t, err) +} + +func TestSHA(t *testing.T) { + in := "abc" + sha1 := "a9993e364706816aba3e25717850c26c9cd0d89d" + sha224 := "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" + sha256 := "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" + sha384 := "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7" + sha512 := "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" + sha512_224 := "4634270f707b6a54daae7530460842e20e37ed265ceee9a43e8924aa" + sha512_256 := "53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23" + c := CryptoNS() + assert.Equal(t, sha1, c.SHA1(in)) + assert.Equal(t, sha224, c.SHA224(in)) + assert.Equal(t, sha256, c.SHA256(in)) + assert.Equal(t, sha384, c.SHA384(in)) + assert.Equal(t, sha512, c.SHA512(in)) + assert.Equal(t, sha512_224, c.SHA512_224(in)) + assert.Equal(t, sha512_256, c.SHA512_256(in)) +} |