Potentially insecure hkdf use #444

New issue

Closed

opened 2025-12-28 17:37:25 +00:00 by sami · 2 comments

sami commented 2025-12-28 17:37:25 +00:00

Owner

Copy link

Originally created by @roman-khimov on GitHub (May 14, 2024).

Originally assigned to: @smallhive on GitHub.

Current Behavior

kdf := hkdf.New(hash, secret, nil, nil). No salt, no app-specific info.

Expected Behavior

App-specific info and salt used.

Possible Solution

Hardcode info, add some salt. Breaking change, but the gateway is not used in production.

Your Environment

• Version of the product used: 0.30.0

Originally created by @roman-khimov on GitHub (May 14, 2024). Originally assigned to: @smallhive on GitHub. ## Current Behavior `kdf := hkdf.New(hash, secret, nil, nil)`. No salt, no app-specific info. ## Expected Behavior App-specific info and salt used. ## Possible Solution Hardcode info, add some salt. Breaking change, but the gateway is not used in production. ## Your Environment * Version of the product used: 0.30.0

sami 2025-12-28 17:37:25 +00:00

• closed this issue
• added the
  bug
  S2
  I4
  U2
  security
  labels

sami commented 2025-12-28 17:37:25 +00:00

Author

Owner

Copy link

@roman-khimov commented on GitHub (Jun 28, 2024):

Salt is to be stored somewhere nearby, as usual.

@roman-khimov commented on GitHub (Jun 28, 2024): Salt is to be stored somewhere nearby, as usual.

sami commented 2025-12-28 17:37:25 +00:00

Author

Owner

Copy link

@cthulhu-rider commented on GitHub (Jul 3, 2024):

Salt is to be stored somewhere

what do u mean - in what storage?

@cthulhu-rider commented on GitHub (Jul 3, 2024): > Salt is to be stored somewhere what do u mean - in what storage?

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

1255-session-token-v2

new-get

logger

experimental/unsigned-responses

experimental/get-perf

debugprint

ezayats/bump-s3-tests

955-after-a-parallel-deletion-of-versioned-objects-list-objects-returns-info-about-them

v0.42.0

v0.41.5

v0.41.4

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.1

v0.36.0

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.1

v0.30.0

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.1

v0.26.0

v0.25.1

v0.25.0

v0.24.0

v0.23.0

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.17.0-rc.1

v0.16.0

v0.15.1-pre

v0.15.0

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0-rc.3

v0.12.0-rc.2

v0.12.0-rc.1

Labels

Clear labels   

I2

  

I2

  

I3

  

I4

  

S2

  

S3

  

S4

  

S4

  

U0

  

U1

  

U2

  

U2

  

U3

  

U4

  

U4

  

auth-mate

  

blocked

  

bug

  

config

  

dependencies

  

discussion

  

documentation

  

enhancement

  

epic

  

feature

  

go

  

good first issue

  

help wanted

  

performance

  

question

  

security

  

test

  

tree-service

  

tree-service

No labels

I2

I2

I3

I4

S2

S3

S4

S4

U0

U1

U2

U2

U3

U4

U4

auth-mate

blocked

bug

config

dependencies

discussion

documentation

enhancement

epic

feature

go

good first issue

help wanted

performance

question

security

test

tree-service

tree-service

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

nspcc-dev/neofs-s3-gw#444

No description provided.