vaultwarden-test/src/crypto.rs

//
// PBKDF2 derivation
//
use std::num::NonZeroU32;

use data_encoding::{Encoding, HEXLOWER};
use ring::{digest, hmac, pbkdf2};

static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;

pub fn hash_password(secret: &[u8], salt: &[u8], iterations: u32) -> Vec<u8> {
    let mut out = vec![0u8; OUTPUT_LEN]; // Initialize array with zeros

    let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");
    pbkdf2::derive(DIGEST_ALG, iterations, salt, secret, &mut out);

    out
}

pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterations: u32) -> bool {
    let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");
    pbkdf2::verify(DIGEST_ALG, iterations, salt, secret, previous).is_ok()
}

//
// HMAC
//
pub fn hmac_sign(key: &str, data: &str) -> String {
    let key = hmac::Key::new(hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY, key.as_bytes());
    let signature = hmac::sign(&key, data.as_bytes());

    HEXLOWER.encode(signature.as_ref())
}

//
// Random values
//

/// Return an array holding `N` random bytes.
pub fn get_random_bytes<const N: usize>() -> [u8; N] {
    use ring::rand::{SecureRandom, SystemRandom};

    let mut array = [0; N];
    SystemRandom::new().fill(&mut array).expect("Error generating random values");

    array
}

/// Encode random bytes using the provided function.
pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String {
    e.encode(&get_random_bytes::<N>())
}

/// Generates a random string over a specified alphabet.
pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
    // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
    use rand::Rng;
    let mut rng = rand::thread_rng();

    (0..num_chars)
        .map(|_| {
            let i = rng.gen_range(0..alphabet.len());
            alphabet[i] as char
        })
        .collect()
}

/// Generates a random numeric string.
pub fn get_random_string_numeric(num_chars: usize) -> String {
    const ALPHABET: &[u8] = b"0123456789";
    get_random_string(ALPHABET, num_chars)
}

/// Generates a random alphanumeric string.
pub fn get_random_string_alphanum(num_chars: usize) -> String {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\
                              abcdefghijklmnopqrstuvwxyz\
                              0123456789";
    get_random_string(ALPHABET, num_chars)
}

pub fn generate_id<const N: usize>() -> String {
    encode_random_bytes::<N>(HEXLOWER)
}

pub fn generate_send_id() -> String {
    // Send IDs are globally scoped, so make them longer to avoid collisions.
    generate_id::<32>() // 256 bits
}

pub fn generate_attachment_id() -> String {
    // Attachment IDs are scoped to a cipher, so they can be smaller.
    generate_id::<10>() // 80 bits
}

/// Generates a numeric token for email-based verifications.
pub fn generate_email_token(token_size: u8) -> String {
    get_random_string_numeric(token_size as usize)
}

/// Generates a personal API key.
/// Upstream uses 30 chars, which is ~178 bits of entropy.
pub fn generate_api_key() -> String {
    get_random_string_alphanum(30)
}

//
// Constant time compare
//
pub fn ct_eq<T: AsRef<[u8]>, U: AsRef<[u8]>>(a: T, b: U) -> bool {
    use ring::constant_time::verify_slices_are_equal;

    verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()
}
Start using rustfmt and some style changes to make some lines shorter 2018-12-30 23:34:31 +01:00			`//`
			`// PBKDF2 derivation`
			`//`
Removed try_trait and some formatting, particularly around imports 2020-07-14 18:00:09 +02:00			`use std::num::NonZeroU32;`
First working version 2018-02-10 01:00:55 +01:00
Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`use data_encoding::{Encoding, HEXLOWER};`
Formatting 2019-04-26 22:08:26 +02:00			`use ring::{digest, hmac, pbkdf2};`
Removed try_trait and some formatting, particularly around imports 2020-07-14 18:00:09 +02:00
Updated ring Some small changes to match the updated ring package. 2020-03-16 16:39:20 +01:00			`static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;`
First working version 2018-02-10 01:00:55 +01:00			`const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;`

			`pub fn hash_password(secret: &[u8], salt: &[u8], iterations: u32) -> Vec<u8> {`
			`let mut out = vec![0u8; OUTPUT_LEN]; // Initialize array with zeros`

Update ring to 0.14, jwt to 6.0, and u2f 2019-03-09 14:42:16 +01:00			`let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");`
First working version 2018-02-10 01:00:55 +01:00			`pbkdf2::derive(DIGEST_ALG, iterations, salt, secret, &mut out);`

			`out`
			`}`

			`pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterations: u32) -> bool {`
Update ring to 0.14, jwt to 6.0, and u2f 2019-03-09 14:42:16 +01:00			`let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");`
First working version 2018-02-10 01:00:55 +01:00			`pbkdf2::verify(DIGEST_ALG, iterations, salt, secret, previous).is_ok()`
			`}`

Implement user duo, initial version TODO: - At the moment each user needs to configure a DUO application and input the API keys, we need to check if multiple users can register with the same keys correctly and if so we could implement a global setting. - Sometimes the Duo frame doesn't load correctly, but canceling, reloading the page and logging in again seems to fix it for me. 2019-04-05 22:09:53 +02:00			`//`
			`// HMAC`
			`//`
Formatting 2019-04-26 22:08:26 +02:00			`pub fn hmac_sign(key: &str, data: &str) -> String {`
Updated ring Some small changes to match the updated ring package. 2020-03-16 16:39:20 +01:00			`let key = hmac::Key::new(hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY, key.as_bytes());`
Implement user duo, initial version TODO: - At the moment each user needs to configure a DUO application and input the API keys, we need to check if multiple users can register with the same keys correctly and if so we could implement a global setting. - Sometimes the Duo frame doesn't load correctly, but canceling, reloading the page and logging in again seems to fix it for me. 2019-04-05 22:09:53 +02:00			`let signature = hmac::sign(&key, data.as_bytes());`

			`HEXLOWER.encode(signature.as_ref())`
			`}`

Start using rustfmt and some style changes to make some lines shorter 2018-12-30 23:34:31 +01:00			`//`
			`// Random values`
			`//`
First working version 2018-02-10 01:00:55 +01:00
Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			/// Return an array holding `N` random bytes.
			`pub fn get_random_bytes<const N: usize>() -> [u8; N] {`
First working version 2018-02-10 01:00:55 +01:00			`use ring::rand::{SecureRandom, SystemRandom};`

Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`let mut array = [0; N];`
Modify rustfmt file 2021-04-06 22:54:42 +02:00			`SystemRandom::new().fill(&mut array).expect("Error generating random values");`
First working version 2018-02-10 01:00:55 +01:00
			`array`
			`}`
Implement constant time equal check for admin, 2fa recover and 2fa remember tokens 2019-02-11 23:45:55 +01:00
Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`/// Encode random bytes using the provided function.`
			`pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String {`
			`e.encode(&get_random_bytes::<N>())`
			`}`

Add support for API keys This is mainly useful for CLI-based login automation. 2022-01-19 11:51:26 +01:00			`/// Generates a random string over a specified alphabet.`
			`pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {`
			`// Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html`
			`use rand::Rng;`
			`let mut rng = rand::thread_rng();`

			`(0..num_chars)`
			`.map(\|_\| {`
			`let i = rng.gen_range(0..alphabet.len());`
			`alphabet[i] as char`
			`})`
			`.collect()`
			`}`

Increase length limit for email token generation The current limit of 19 is an artifact of the implementation, which can be easily rewritten in terms of a more general string generation function. The new limit is 255 (max value of a `u8`); using a larger type would probably be overkill. 2022-01-24 10:17:00 +01:00			`/// Generates a random numeric string.`
			`pub fn get_random_string_numeric(num_chars: usize) -> String {`
			`const ALPHABET: &[u8] = b"0123456789";`
			`get_random_string(ALPHABET, num_chars)`
			`}`

Add support for API keys This is mainly useful for CLI-based login automation. 2022-01-19 11:51:26 +01:00			`/// Generates a random alphanumeric string.`
			`pub fn get_random_string_alphanum(num_chars: usize) -> String {`
			`const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\`
			`abcdefghijklmnopqrstuvwxyz\`
			`0123456789";`
			`get_random_string(ALPHABET, num_chars)`
			`}`

Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`pub fn generate_id<const N: usize>() -> String {`
			`encode_random_bytes::<N>(HEXLOWER)`
Rework file ID generation 2021-05-26 08:15:24 +02:00			`}`

			`pub fn generate_send_id() -> String {`
			`// Send IDs are globally scoped, so make them longer to avoid collisions.`
Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`generate_id::<32>() // 256 bits`
Rework file ID generation 2021-05-26 08:15:24 +02:00			`}`

			`pub fn generate_attachment_id() -> String {`
			`// Attachment IDs are scoped to a cipher, so they can be smaller.`
Use constant size generic parameter for random bytes generation All uses of `get_random()` were in the form of: `&get_random(vec![0u8; SIZE])` with `SIZE` being a constant. Building a `Vec` is unnecessary for two reasons. First, it uses a very short-lived dynamic memory allocation. Second, a `Vec` is a resizable object, which is useless in those context when random data have a fixed size and will only be read. `get_random_bytes()` takes a constant as a generic parameter and returns an array with the requested number of random bytes. Stack safety analysis: the random bytes will be allocated on the caller stack for a very short time (until the encoding function has been called on the data). In some cases, the random bytes take less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit computer). The maximum used size is 180 bytes, which makes it for 0.008% of the default stack size for a Rust thread (2MiB), so this is a non-issue. Also, most of the uses of those random bytes are to encode them using an `Encoding`. The function `crypto::encode_random_bytes()` generates random bytes and encode them with the provided `Encoding`, leading to code deduplication. `generate_id()` has also been converted to use a constant generic parameter as well since the length of the requested String is always a constant. 2022-11-11 10:55:04 +01:00			`generate_id::<10>() // 80 bits`
Add support for v2 attachment upload APIs Upstream PR: https://github.com/bitwarden/server/pull/1229 2021-05-25 12:48:57 +02:00			`}`

Increase length limit for email token generation The current limit of 19 is an artifact of the implementation, which can be easily rewritten in terms of a more general string generation function. The new limit is 255 (max value of a `u8`); using a larger type would probably be overkill. 2022-01-24 10:17:00 +01:00			`/// Generates a numeric token for email-based verifications.`
			`pub fn generate_email_token(token_size: u8) -> String {`
			`get_random_string_numeric(token_size as usize)`
Implement change-email, email-verification, account-recovery, and welcome notifications 2019-11-25 06:28:49 +01:00			`}`

Add support for API keys This is mainly useful for CLI-based login automation. 2022-01-19 11:51:26 +01:00			`/// Generates a personal API key.`
			`/// Upstream uses 30 chars, which is ~178 bits of entropy.`
			`pub fn generate_api_key() -> String {`
			`get_random_string_alphanum(30)`
			`}`

Implement constant time equal check for admin, 2fa recover and 2fa remember tokens 2019-02-11 23:45:55 +01:00			`//`
			`// Constant time compare`
			`//`
			`pub fn ct_eq<T: AsRef<[u8]>, U: AsRef<[u8]>>(a: T, b: U) -> bool {`
			`use ring::constant_time::verify_slices_are_equal;`

			`verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()`
			`}`