geforkt von mirrored/vaultwarden
Merge pull request #2910 from samueltardieu/const-crypto
Use constant size generic parameter for random bytes generation
Dieser Commit ist enthalten in:
Commit
dfe1e30d1b
8 geänderte Dateien mit 21 neuen und 19 gelöschten Zeilen
|
@ -34,7 +34,7 @@ async fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers
|
||||||
|
|
||||||
let (enabled, key) = match twofactor {
|
let (enabled, key) = match twofactor {
|
||||||
Some(tf) => (true, tf.data),
|
Some(tf) => (true, tf.data),
|
||||||
_ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))),
|
_ => (false, crypto::encode_random_bytes::<20>(BASE32)),
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(Json(json!({
|
Ok(Json(json!({
|
||||||
|
|
|
@ -105,7 +105,7 @@ async fn recover(data: JsonUpcase<RecoverTwoFactor>, mut conn: DbConn) -> JsonRe
|
||||||
|
|
||||||
async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) {
|
async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) {
|
||||||
if user.totp_recover.is_none() {
|
if user.totp_recover.is_none() {
|
||||||
let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
|
let totp_recover = crypto::encode_random_bytes::<20>(BASE32);
|
||||||
user.totp_recover = Some(totp_recover);
|
user.totp_recover = Some(totp_recover);
|
||||||
user.save(conn).await.ok();
|
user.save(conn).await.ok();
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,7 +56,7 @@ fn negotiate(_headers: Headers) -> Json<JsonValue> {
|
||||||
use crate::crypto;
|
use crate::crypto;
|
||||||
use data_encoding::BASE64URL;
|
use data_encoding::BASE64URL;
|
||||||
|
|
||||||
let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16]));
|
let conn_id = crypto::encode_random_bytes::<16>(BASE64URL);
|
||||||
let mut available_transports: Vec<JsonValue> = Vec::new();
|
let mut available_transports: Vec<JsonValue> = Vec::new();
|
||||||
|
|
||||||
if CONFIG.websocket_enabled() {
|
if CONFIG.websocket_enabled() {
|
||||||
|
|
|
@ -981,8 +981,7 @@ impl Config {
|
||||||
if let Some(akey) = self._duo_akey() {
|
if let Some(akey) = self._duo_akey() {
|
||||||
akey
|
akey
|
||||||
} else {
|
} else {
|
||||||
let akey = crate::crypto::get_random_64();
|
let akey_s = crate::crypto::encode_random_bytes::<64>(data_encoding::BASE64);
|
||||||
let akey_s = data_encoding::BASE64.encode(&akey);
|
|
||||||
|
|
||||||
// Save the new value
|
// Save the new value
|
||||||
let builder = ConfigBuilder {
|
let builder = ConfigBuilder {
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
//
|
//
|
||||||
use std::num::NonZeroU32;
|
use std::num::NonZeroU32;
|
||||||
|
|
||||||
use data_encoding::HEXLOWER;
|
use data_encoding::{Encoding, HEXLOWER};
|
||||||
use ring::{digest, hmac, pbkdf2};
|
use ring::{digest, hmac, pbkdf2};
|
||||||
|
|
||||||
static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
|
static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
|
||||||
|
@ -37,18 +37,21 @@ pub fn hmac_sign(key: &str, data: &str) -> String {
|
||||||
// Random values
|
// Random values
|
||||||
//
|
//
|
||||||
|
|
||||||
pub fn get_random_64() -> Vec<u8> {
|
/// Return an array holding `N` random bytes.
|
||||||
get_random(vec![0u8; 64])
|
pub fn get_random_bytes<const N: usize>() -> [u8; N] {
|
||||||
}
|
|
||||||
|
|
||||||
pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
|
|
||||||
use ring::rand::{SecureRandom, SystemRandom};
|
use ring::rand::{SecureRandom, SystemRandom};
|
||||||
|
|
||||||
|
let mut array = [0; N];
|
||||||
SystemRandom::new().fill(&mut array).expect("Error generating random values");
|
SystemRandom::new().fill(&mut array).expect("Error generating random values");
|
||||||
|
|
||||||
array
|
array
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Encode random bytes using the provided function.
|
||||||
|
pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String {
|
||||||
|
e.encode(&get_random_bytes::<N>())
|
||||||
|
}
|
||||||
|
|
||||||
/// Generates a random string over a specified alphabet.
|
/// Generates a random string over a specified alphabet.
|
||||||
pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
|
pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
|
||||||
// Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
|
// Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
|
||||||
|
@ -77,18 +80,18 @@ pub fn get_random_string_alphanum(num_chars: usize) -> String {
|
||||||
get_random_string(ALPHABET, num_chars)
|
get_random_string(ALPHABET, num_chars)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn generate_id(num_bytes: usize) -> String {
|
pub fn generate_id<const N: usize>() -> String {
|
||||||
HEXLOWER.encode(&get_random(vec![0; num_bytes]))
|
encode_random_bytes::<N>(HEXLOWER)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn generate_send_id() -> String {
|
pub fn generate_send_id() -> String {
|
||||||
// Send IDs are globally scoped, so make them longer to avoid collisions.
|
// Send IDs are globally scoped, so make them longer to avoid collisions.
|
||||||
generate_id(32) // 256 bits
|
generate_id::<32>() // 256 bits
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn generate_attachment_id() -> String {
|
pub fn generate_attachment_id() -> String {
|
||||||
// Attachment IDs are scoped to a cipher, so they can be smaller.
|
// Attachment IDs are scoped to a cipher, so they can be smaller.
|
||||||
generate_id(10) // 80 bits
|
generate_id::<10>() // 80 bits
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generates a numeric token for email-based verifications.
|
/// Generates a numeric token for email-based verifications.
|
||||||
|
|
|
@ -48,7 +48,7 @@ impl Device {
|
||||||
use crate::crypto;
|
use crate::crypto;
|
||||||
use data_encoding::BASE64;
|
use data_encoding::BASE64;
|
||||||
|
|
||||||
let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180]));
|
let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64);
|
||||||
self.twofactor_remember = Some(twofactor_remember.clone());
|
self.twofactor_remember = Some(twofactor_remember.clone());
|
||||||
|
|
||||||
twofactor_remember
|
twofactor_remember
|
||||||
|
@ -69,7 +69,7 @@ impl Device {
|
||||||
use crate::crypto;
|
use crate::crypto;
|
||||||
use data_encoding::BASE64URL;
|
use data_encoding::BASE64URL;
|
||||||
|
|
||||||
self.refresh_token = BASE64URL.encode(&crypto::get_random_64());
|
self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update the expiration of the device and the last update date
|
// Update the expiration of the device and the last update date
|
||||||
|
|
|
@ -81,7 +81,7 @@ impl Send {
|
||||||
|
|
||||||
if let Some(password) = password {
|
if let Some(password) = password {
|
||||||
self.password_iter = Some(PASSWORD_ITER);
|
self.password_iter = Some(PASSWORD_ITER);
|
||||||
let salt = crate::crypto::get_random_64();
|
let salt = crate::crypto::get_random_bytes::<64>().to_vec();
|
||||||
let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32);
|
let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32);
|
||||||
self.password_salt = Some(salt);
|
self.password_salt = Some(salt);
|
||||||
self.password_hash = Some(hash);
|
self.password_hash = Some(hash);
|
||||||
|
|
|
@ -93,7 +93,7 @@ impl User {
|
||||||
email_new_token: None,
|
email_new_token: None,
|
||||||
|
|
||||||
password_hash: Vec::new(),
|
password_hash: Vec::new(),
|
||||||
salt: crypto::get_random_64(),
|
salt: crypto::get_random_bytes::<64>().to_vec(),
|
||||||
password_iterations: CONFIG.password_iterations(),
|
password_iterations: CONFIG.password_iterations(),
|
||||||
|
|
||||||
security_stamp: crate::util::get_uuid(),
|
security_stamp: crate::util::get_uuid(),
|
||||||
|
|
Laden …
In neuem Issue referenzieren