From 8fa181a2e6fdafeed97bbc7ecdd3f58f8f569500 Mon Sep 17 00:00:00 2001
From: 0x0fbc <10455804+0x0fbc@users.noreply.github.com>
Date: Tue, 11 Jun 2024 12:49:32 -0400
Subject: [PATCH] Reduce twofactor_duo_ctx state/nonce column size in postgres and maria

---
 .../mysql/2024-06-05-131359_add_2fa_duo_store/up.sql | 11 ++++-------
 .../2024-06-05-131359_add_2fa_duo_store/up.sql | 4 ++--
 src/api/core/two_factor/duo_oidc.rs | 2 ++
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql b/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
index 9a619f65..29091791 100644
--- a/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
+++ b/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
@@ -1,11 +1,8 @@
 CREATE TABLE twofactor_duo_ctx (
- -- For mysql, the character set on state is overridden to ascii because the utf8mb4 database charset recommended in
- -- the Vaultwarden docs causes 1 character to consume 4 bytes, exceeding innodb's 3072 max key size if we want to
- -- accommodate the largest supported state size. This isn't a problem for nonce since it's not a key for the table.
- state VARCHAR(1024) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL,
- user_email VARCHAR(255) NOT NULL,
- nonce VARCHAR(1024) NOT NULL,
- exp BIGINT NOT NULL,
+ state VARCHAR(64) NOT NULL,
+ user_email VARCHAR(255) NOT NULL,
+ nonce VARCHAR(64) NOT NULL,
+ exp BIGINT NOT NULL,
 
 PRIMARY KEY (state)
 );
\ No newline at end of file
diff --git a/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql b/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
index 6cd1cdc5..ebc8be1b 100644
--- a/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
+++ b/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
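Review bot: The new `state` definition drops the explicit character set and collation, so the primary key now takes the table's default collation; the removed comment says the recommended database charset is utf8mb4, whose default collations (like the old `ascii_general_ci`) are case-insensitive, which makes lookups on a random token treat `abc` and `ABC` as the same value. Now that the column is 64 characters and nowhere near the 3072-byte InnoDB key limit the removed comment was working around, a binary collation is affordable and makes equality exact: `state VARCHAR(64) CHARACTER SET ascii COLLATE ascii_bin NOT NULL,` (and the same for `nonce` if it is compared in queries); whether the generating code emits mixed-case strings is not visible in this hunk. A one-line comment above `state` noting that 64 mirrors `STATE_LENGTH` in `src/api/core/two_factor/duo_oidc.rs` would also keep the coupling visible from the SQL side, since the Rust comment added in this patch only points one way.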
@@ -1,7 +1,7 @@
 CREATE TABLE twofactor_duo_ctx (
- state VARCHAR(1024) NOT NULL,
+ state VARCHAR(64) NOT NULL,
 user_email VARCHAR(255) NOT NULL,
- nonce VARCHAR(1024) NOT NULL,
+ nonce VARCHAR(64) NOT NULL,
 exp BIGINT NOT NULL,
 
 PRIMARY KEY (state)
diff --git a/src/api/core/two_factor/duo_oidc.rs b/src/api/core/two_factor/duo_oidc.rs
index b1aa6ee4..c62939b8 100644
--- a/src/api/core/two_factor/duo_oidc.rs
+++ b/src/api/core/two_factor/duo_oidc.rs
@@ -63,6 +63,8 @@ const DUO_RESP_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
 const JWT_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
 
 // Size of random strings for state and nonce. Must be at least 16 characters and at most 1024 characters.
+// If increasing this above 64, also increase the size of the twofactor_duo_ctx.state and
+// twofactor_duo_ctx.nonce database columns for postgres and mariadb.
 const STATE_LENGTH: usize = 64;
 
 // client_assertion payload for health checks and obtaining MFA results.
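Review bot: The narrowed widths are now a hard cap on values generated elsewhere, but the migration itself carries nothing tying 64 to `STATE_LENGTH` in `src/api/core/two_factor/duo_oidc.rs`; a line such as `-- 64 matches STATE_LENGTH in duo_oidc.rs; change both together` above `state` would keep the dependency greppable from the SQL side. The `CREATE TABLE` statement continues past the end of this hunk. Because the commit edits an existing `up.sql` in place rather than adding a new migration, any database that already applied the earlier version will keep `VARCHAR(1024)` columns — harmless for inserts, but the schema then differs between installs; whether that earlier version was ever shipped is not visible here.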
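Review bot: The unchanged comment line directly above still says the value may be "at most 1024 characters", while the two added lines say the database columns cap it at 64, so the block now gives two different upper bounds; reword the first to something like `// Size of random strings for state and nonce. Must be at least 16 characters and no longer than the twofactor_duo_ctx.state/nonce columns (64); 1024 is the absolute maximum.` The coupling can also be checked by the compiler instead of relying on prose: `const DUO_CTX_COLUMN_LEN: usize = 64;` and `const _: () = assert!(STATE_LENGTH >= 16 && STATE_LENGTH <= DUO_CTX_COLUMN_LEN);` fail the build rather than failing at insert time. The new comment names "postgres and mariadb", but the migration edited in this patch lives under `migrations/mysql/`, so naming the directory (`mysql/mariadb`) would make the pointer easier to follow.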