improve (crypto): derivate secret_key for each usage to reduce attack surface in the worst case scenario

2025-11-02 03:54:59 +08:00 · 2019-01-18 13:48:04 +11:00
parent 7af12753ca
commit ec6eb0e8fa
10 changed files with 53 additions and 26 deletions
--- a/server/common/crypto.go
+++ b/server/common/crypto.go
@ -6,8 +6,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"crypto/sha1"
-	"encoding/base32"
+	"crypto/sha256"
 	"encoding/base64"
 	"io"
 	"io/ioutil"
@ -45,10 +44,19 @@ func DecryptString(secret string, data string) (string, error){
 	return string(d), nil
 }

-func Hash(str string) string {
-	hasher := sha1.New()
+func Hash(str string, n int) string {
+	hasher := sha256.New()
 	hasher.Write([]byte(str))
-	return "sha1::" + base32.HexEncoding.EncodeToString(hasher.Sum(nil))
+	d := hasher.Sum(nil)
+	size := len(Letters)
+	h := ""
+	for i:=0; i<len(d); i++ {
+		if n > 0 && i >= n {
+			break
+		}
+		h += string(Letters[int(d[i]) % size])
+	}
+	return h
 }

 func RandomString(n int) string {
@ -140,8 +148,8 @@ func verify(something []byte) ([]byte, error) {

 // Create a unique ID that can be use to identify different session
 func GenerateID(ctx *App) string {
+	p := ""
 	params := ctx.Session
-	p := "salt => " + SECRET_KEY
 	if params["type"] != "" {
 		p += "type =>" + params["type"]
 	}
@ -172,8 +180,10 @@ func GenerateID(ctx *App) string {
 	if params["token"] != "" {
 		p += "token =>" + params["token"]
 	}
-	if p == "salt => " + SECRET_KEY {
-		return ""
+
+	if p == "" {
+		return Hash("N/A", 20)
 	}
-	return Hash(p)
+	p += "salt => " + SECRET_KEY
+	return Hash(p, 20)
 }