topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #2910 from samueltardieu/const-crypto 

Use constant size generic parameter for random bytes generation
pull/2868/head
Daniel García 2 years ago
committed by GitHub
parent
7a7673103f 7445ee40f8
commit
dfe1e30d1b
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 21 additions and 19 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      src/api/core/two_factor/authenticator.rs
  2. 2
      src/api/core/two_factor/mod.rs
  3. 2
      src/api/notifications.rs
  4. 3
      src/config.rs
  5. 23
      src/crypto.rs
  6. 4
      src/db/models/device.rs
  7. 2
      src/db/models/send.rs
  8. 2
      src/db/models/user.rs

2
src/api/core/two_factor/authenticator.rs
View File

@ -34,7 +34,7 @@ async fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers
let (enabled, key) = match twofactor { let (enabled, key) = match twofactor {
Some(tf) => (true, tf.data), Some(tf) => (true, tf.data),
_ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))), _ => (false, crypto::encode_random_bytes::<20>(BASE32)),
}; };
Ok(Json(json!({ Ok(Json(json!({

2
src/api/core/two_factor/mod.rs
View File

@ -105,7 +105,7 @@ async fn recover(data: JsonUpcase<RecoverTwoFactor>, mut conn: DbConn) -> JsonRe
async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) { async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) {
if user.totp_recover.is_none() { if user.totp_recover.is_none() {
let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20])); let totp_recover = crypto::encode_random_bytes::<20>(BASE32);
user.totp_recover = Some(totp_recover); user.totp_recover = Some(totp_recover);
user.save(conn).await.ok(); user.save(conn).await.ok();
} }

2
src/api/notifications.rs
View File

@ -56,7 +56,7 @@ fn negotiate(_headers: Headers) -> Json<JsonValue> {
use crate::crypto; use crate::crypto;
use data_encoding::BASE64URL; use data_encoding::BASE64URL;
let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16])); let conn_id = crypto::encode_random_bytes::<16>(BASE64URL);
let mut available_transports: Vec<JsonValue> = Vec::new(); let mut available_transports: Vec<JsonValue> = Vec::new();
if CONFIG.websocket_enabled() { if CONFIG.websocket_enabled() {

3
src/config.rs
View File

@ -981,8 +981,7 @@ impl Config {
if let Some(akey) = self._duo_akey() { if let Some(akey) = self._duo_akey() {
akey akey
} else { } else {
let akey = crate::crypto::get_random_64(); let akey_s = crate::crypto::encode_random_bytes::<64>(data_encoding::BASE64);
let akey_s = data_encoding::BASE64.encode(&akey);
// Save the new value // Save the new value
let builder = ConfigBuilder { let builder = ConfigBuilder {

23
src/crypto.rs
View File

@ -3,7 +3,7 @@
// //
use std::num::NonZeroU32; use std::num::NonZeroU32;
use data_encoding::HEXLOWER; use data_encoding::{Encoding, HEXLOWER};
use ring::{digest, hmac, pbkdf2}; use ring::{digest, hmac, pbkdf2};
static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256; static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
@ -37,18 +37,21 @@ pub fn hmac_sign(key: &str, data: &str) -> String {
// Random values // Random values
// //
pub fn get_random_64() -> Vec<u8> { /// Return an array holding `N` random bytes.
get_random(vec![0u8; 64]) pub fn get_random_bytes<const N: usize>() -> [u8; N] {
}
pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
use ring::rand::{SecureRandom, SystemRandom}; use ring::rand::{SecureRandom, SystemRandom};
let mut array = [0; N];
SystemRandom::new().fill(&mut array).expect("Error generating random values"); SystemRandom::new().fill(&mut array).expect("Error generating random values");
array array
} }
/// Encode random bytes using the provided function.
pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String {
e.encode(&get_random_bytes::<N>())
}
/// Generates a random string over a specified alphabet. /// Generates a random string over a specified alphabet.
pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String { pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
// Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
@ -77,18 +80,18 @@ pub fn get_random_string_alphanum(num_chars: usize) -> String {
get_random_string(ALPHABET, num_chars) get_random_string(ALPHABET, num_chars)
} }
pub fn generate_id(num_bytes: usize) -> String { pub fn generate_id<const N: usize>() -> String {
HEXLOWER.encode(&get_random(vec![0; num_bytes])) encode_random_bytes::<N>(HEXLOWER)
} }
pub fn generate_send_id() -> String { pub fn generate_send_id() -> String {
// Send IDs are globally scoped, so make them longer to avoid collisions. // Send IDs are globally scoped, so make them longer to avoid collisions.
generate_id(32) // 256 bits generate_id::<32>() // 256 bits
} }
pub fn generate_attachment_id() -> String { pub fn generate_attachment_id() -> String {
// Attachment IDs are scoped to a cipher, so they can be smaller. // Attachment IDs are scoped to a cipher, so they can be smaller.
generate_id(10) // 80 bits generate_id::<10>() // 80 bits
} }
/// Generates a numeric token for email-based verifications. /// Generates a numeric token for email-based verifications.

4
src/db/models/device.rs
View File

@ -48,7 +48,7 @@ impl Device {
use crate::crypto; use crate::crypto;
use data_encoding::BASE64; use data_encoding::BASE64;
let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180])); let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64);
self.twofactor_remember = Some(twofactor_remember.clone()); self.twofactor_remember = Some(twofactor_remember.clone());
twofactor_remember twofactor_remember
@ -69,7 +69,7 @@ impl Device {
use crate::crypto; use crate::crypto;
use data_encoding::BASE64URL; use data_encoding::BASE64URL;
self.refresh_token = BASE64URL.encode(&crypto::get_random_64()); self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL);
} }
// Update the expiration of the device and the last update date // Update the expiration of the device and the last update date

2
src/db/models/send.rs
View File

@ -81,7 +81,7 @@ impl Send {
if let Some(password) = password { if let Some(password) = password {
self.password_iter = Some(PASSWORD_ITER); self.password_iter = Some(PASSWORD_ITER);
let salt = crate::crypto::get_random_64(); let salt = crate::crypto::get_random_bytes::<64>().to_vec();
let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32); let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32);
self.password_salt = Some(salt); self.password_salt = Some(salt);
self.password_hash = Some(hash); self.password_hash = Some(hash);

2
src/db/models/user.rs
View File

@ -93,7 +93,7 @@ impl User {
email_new_token: None, email_new_token: None,
password_hash: Vec::new(), password_hash: Vec::new(),
salt: crypto::get_random_64(), salt: crypto::get_random_bytes::<64>().to_vec(),
password_iterations: CONFIG.password_iterations(), password_iterations: CONFIG.password_iterations(),
security_stamp: crate::util::get_uuid(), security_stamp: crate::util::get_uuid(),

Write Preview
Loading…
Cancel
Save