mirror of
https://github.com/status-im/status-go.git
synced 2025-01-09 14:16:21 +00:00
e8c4b7647f
* chore(upgradeSQLCipher): Upgrading SQLCipher to version 5.4.5 Changes: ### github.com/mutecomm/go-sqlcipher 1. The improved crypto argorighms from go-sqlcipher v3 are merged in v4 Tags: v4.4.2-status.1 - merge `burn_stack` improvement v4.4.2-status.2 - merge `SHA1` improvement v4.4.2-status.4- merge 'AES' improvement 2. Fixed `go-sqlcipher` to support v3 database in compatibility mode (`sqlcipher` already supports this) (Tag: v4.4.2-status.3) 3. Upgrade `sqlcipher` to v5.4.5 (Tag: v4.5.4-status.1) ### github.com/status-im/migrate/v4 1. Upgrade `go-sqlcipher` version in `github.com/status-im/migrate/v4` ### status-go 1. Upgrade `go-sqlcipher` and `migrate` modules in status-go 2. Configure the DB connections to open the DB in v3 compatibility mode * chore(upgradeSQLCipher): Use sqlcipher v3 configuration to encrypt a plain text database * chore(upgradeSQLCipher): Scanning NULL BLOB value should return nil Fixing failing tests: TestSyncDeviceSuite/TestPairingSyncDeviceClientAsReceiver; TestSyncDeviceSuite/TestPairingSyncDeviceClientAsSender Considering the following configuration: 1. Table with BLOB column has 1 NULL value 2. Query the value 3. Rows.Scan(&dest sql.NullString) Expected: dest.Valid == false; dest.String == nil Actual: dest.Valid == true; dest.String == "" * chore: Bump go-sqlcipher version to include NULL BLOB fix
121 lines
4.0 KiB
Go
121 lines
4.0 KiB
Go
// Copyright (C) 2018 G.J.R. Timmer <gjr.timmer@gmail.com>.
|
|
//
|
|
// Use of this source code is governed by an MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package sqlite3
|
|
|
|
import (
|
|
"crypto/sha1"
|
|
"crypto/sha256"
|
|
"crypto/sha512"
|
|
)
|
|
|
|
// This file provides several different implementations for the
|
|
// default embedded sqlite_crypt function.
|
|
// This function is uses a caesar-cypher by default
|
|
// and is used within the UserAuthentication module to encode
|
|
// the password.
|
|
//
|
|
// The provided functions can be used as an overload to the sqlite_crypt
|
|
// function through the use of the RegisterFunc on the connection.
|
|
//
|
|
// Because the functions can serv a purpose to an end-user
|
|
// without using the UserAuthentication module
|
|
// the functions are default compiled in.
|
|
//
|
|
// From SQLITE3 - user-auth.txt
|
|
// The sqlite_user.pw field is encoded by a built-in SQL function
|
|
// "sqlite_crypt(X,Y)". The two arguments are both BLOBs. The first argument
|
|
// is the plaintext password supplied to the sqlite3_user_authenticate()
|
|
// interface. The second argument is the sqlite_user.pw value and is supplied
|
|
// so that the function can extract the "salt" used by the password encoder.
|
|
// The result of sqlite_crypt(X,Y) is another blob which is the value that
|
|
// ends up being stored in sqlite_user.pw. To verify credentials X supplied
|
|
// by the sqlite3_user_authenticate() routine, SQLite runs:
|
|
//
|
|
// sqlite_user.pw == sqlite_crypt(X, sqlite_user.pw)
|
|
//
|
|
// To compute an appropriate sqlite_user.pw value from a new or modified
|
|
// password X, sqlite_crypt(X,NULL) is run. A new random salt is selected
|
|
// when the second argument is NULL.
|
|
//
|
|
// The built-in version of of sqlite_crypt() uses a simple Caesar-cypher
|
|
// which prevents passwords from being revealed by searching the raw database
|
|
// for ASCII text, but is otherwise trivally broken. For better password
|
|
// security, the database should be encrypted using the SQLite Encryption
|
|
// Extension or similar technology. Or, the application can use the
|
|
// sqlite3_create_function() interface to provide an alternative
|
|
// implementation of sqlite_crypt() that computes a stronger password hash,
|
|
// perhaps using a cryptographic hash function like SHA1.
|
|
|
|
// CryptEncoderSHA1 encodes a password with SHA1
|
|
func CryptEncoderSHA1(pass []byte, hash interface{}) []byte {
|
|
h := sha1.Sum(pass)
|
|
return h[:]
|
|
}
|
|
|
|
// CryptEncoderSSHA1 encodes a password with SHA1 with the
|
|
// configured salt.
|
|
func CryptEncoderSSHA1(salt string) func(pass []byte, hash interface{}) []byte {
|
|
return func(pass []byte, hash interface{}) []byte {
|
|
s := []byte(salt)
|
|
p := append(pass, s...)
|
|
h := sha1.Sum(p)
|
|
return h[:]
|
|
}
|
|
}
|
|
|
|
// CryptEncoderSHA256 encodes a password with SHA256
|
|
func CryptEncoderSHA256(pass []byte, hash interface{}) []byte {
|
|
h := sha256.Sum256(pass)
|
|
return h[:]
|
|
}
|
|
|
|
// CryptEncoderSSHA256 encodes a password with SHA256
|
|
// with the configured salt
|
|
func CryptEncoderSSHA256(salt string) func(pass []byte, hash interface{}) []byte {
|
|
return func(pass []byte, hash interface{}) []byte {
|
|
s := []byte(salt)
|
|
p := append(pass, s...)
|
|
h := sha256.Sum256(p)
|
|
return h[:]
|
|
}
|
|
}
|
|
|
|
// CryptEncoderSHA384 encodes a password with SHA384
|
|
func CryptEncoderSHA384(pass []byte, hash interface{}) []byte {
|
|
h := sha512.Sum384(pass)
|
|
return h[:]
|
|
}
|
|
|
|
// CryptEncoderSSHA384 encodes a password with SHA384
|
|
// with the configured salt
|
|
func CryptEncoderSSHA384(salt string) func(pass []byte, hash interface{}) []byte {
|
|
return func(pass []byte, hash interface{}) []byte {
|
|
s := []byte(salt)
|
|
p := append(pass, s...)
|
|
h := sha512.Sum384(p)
|
|
return h[:]
|
|
}
|
|
}
|
|
|
|
// CryptEncoderSHA512 encodes a password with SHA512
|
|
func CryptEncoderSHA512(pass []byte, hash interface{}) []byte {
|
|
h := sha512.Sum512(pass)
|
|
return h[:]
|
|
}
|
|
|
|
// CryptEncoderSSHA512 encodes a password with SHA512
|
|
// with the configured salt
|
|
func CryptEncoderSSHA512(salt string) func(pass []byte, hash interface{}) []byte {
|
|
return func(pass []byte, hash interface{}) []byte {
|
|
s := []byte(salt)
|
|
p := append(pass, s...)
|
|
h := sha512.Sum512(p)
|
|
return h[:]
|
|
}
|
|
}
|
|
|
|
// EOF
|