don't use SecretBytes in HawkKey/SecretKey

author: pennae <github@quasiparticle.net> 2022-07-17 09:45:23 +0200
committer: pennae <github@quasiparticle.net> 2022-07-17 17:24:24 +0200
commit: c1451924d88d146c7dc00c01d8c5f248978001b2 (patch)
tree: a9649df4c3e700724fef23fd20a8bb2154aa5472
parent: d4ed52e48eb52566dab91080eb25d8979fbb7d3e (diff)
download: minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.gz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.xz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.zip
5 files changed, 37 insertions, 33 deletions
diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs
index 51dd98e..0f12d49 100644
--- a/src/api/auth/account.rs
+++ b/src/api/auth/account.rs
@@ -103,7 +103,8 @@ pub(crate) async fn create(
             ka: ka.clone(),
             wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb),
         });
-        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+            .await?;
         Some(key_fetch_token)
     } else {
         None
@@ -112,8 +113,8 @@ pub(crate) async fn create(
         .add_user(User {
             auth_salt,
             email: data.email.to_owned(),
-            ka: SecretKey(ka),
-            wrapwrap_kb: SecretKey(wrapwrap_kb),
+            ka: SecretKey(ka.0),
+            wrapwrap_kb: SecretKey(wrapwrap_kb.0),
             verify_hash: VerifyHash(verify_hash),
             display_name: None,
             verified: false,
@@ -121,7 +122,7 @@ pub(crate) async fn create(
         .await?;
     let session_id = SessionID(session.token_id.0);
     let auth_at = db
-        .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key), false, None)
+        .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None)
         .await?;
     let verify_code = hex::encode(&SecretBytes::<16>::generate().0);
     db.add_verify_code(&uid, &session_id, &verify_code).await?;
@@ -205,10 +206,11 @@ pub(crate) async fn login(
         let key_fetch_token = SecretBytes::generate();
         let req = KeyFetchReq::from_token(&key_fetch_token);
         let wrapped = req.derive_resp().wrap_keys(&KeyBundle {
-            ka: user.ka.0.clone(),
-            wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+            ka: SecretBytes(user.ka.0),
+            wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
         });
-        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+            .await?;
         Some(key_fetch_token)
     } else {
         None
@@ -220,7 +222,7 @@ pub(crate) async fn login(
         .add_session(
             session_id.clone(),
             &uid,
-            HawkKey(session.req_hmac_key),
+            HawkKey(session.req_hmac_key.0),
             false,
             Some(&verify_code),
         )
@@ -312,7 +314,7 @@ impl AuthSource for WithKeyFetch {
     async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(SecretBytes<32>, Self::Context)> {
         let db = Authenticated::<(), Self>::get_conn(r).await?;
         db.always_commit().await?;
-        Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (h.0, ks))?)
+        Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (SecretBytes(h.0), ks))?)
     }
     async fn bearer_token(_: &Request<'_>, _: &OauthToken) -> Result<(KeyFetchID, Self::Context)> {
         // key fetch tokens are only valid in hawk requests
@@ -346,7 +348,7 @@ impl AuthSource for WithResetToken {
             .await
             .success_or_else(|| anyhow!("could not open db connection"))?;
         let db = pool.begin().await?;
-        let result = db.finish_account_reset(id).await.map(|(h, ctx)| (h.0, ctx))?;
+        let result = db.finish_account_reset(id).await.map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
         db.commit().await?;
         Ok(result)
     }
@@ -390,7 +392,7 @@ pub(crate) async fn reset(
     let stretched = data.body.authPW.stretch(auth_salt.as_salt())?;
     let verify_hash = stretched.verify_hash();
 
-    db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb), VerifyHash(verify_hash))
+    db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb.0), VerifyHash(verify_hash))
         .await?;
 
     defer.spawn_after_success("api::auth/account/reset(post)", {
diff --git a/src/api/auth/mod.rs b/src/api/auth/mod.rs
index 2c6d34d..d50dcc2 100644
--- a/src/api/auth/mod.rs
+++ b/src/api/auth/mod.rs
@@ -146,7 +146,7 @@ impl crate::auth::AuthSource for WithFxaLogin {
     ) -> anyhow::Result<(SecretBytes<32>, Self::Context)> {
         let db = Authenticated::<(), Self>::get_conn(r).await?;
         let k = db.use_session(id).await?;
-        Ok((k.req_hmac_key.0.clone(), k))
+        Ok((SecretBytes(k.req_hmac_key.0), k))
     }
     async fn bearer_token(
         _: &Request<'_>,
diff --git a/src/api/auth/oauth.rs b/src/api/auth/oauth.rs
index cb53b7c..6d2f700 100644
--- a/src/api/auth/oauth.rs
+++ b/src/api/auth/oauth.rs
@@ -394,8 +394,14 @@ async fn token_impl(
             let session_token = SecretBytes::generate();
             let session = SessionCredentials::derive(&session_token);
             let session_id = SessionID(session.token_id.0);
-            db.add_session(session_id.clone(), &user_id, HawkKey(session.req_hmac_key), true, None)
-                .await?;
+            db.add_session(
+                session_id.clone(),
+                &user_id,
+                HawkKey(session.req_hmac_key.0),
+                true,
+                None,
+            )
+            .await?;
             (Some(session_token.0), Some(SessionID(session.token_id.0)))
         } else {
             (None, None)
diff --git a/src/api/auth/password.rs b/src/api/auth/password.rs
index 0eeab4f..56ad2a2 100644
--- a/src/api/auth/password.rs
+++ b/src/api/auth/password.rs
@@ -64,15 +64,15 @@ pub(crate) async fn change_start(
     let key_fetch_token = SecretBytes::generate();
     let key_req = KeyFetchReq::from_token(&key_fetch_token);
     let wrapped = key_req.derive_resp().wrap_keys(&KeyBundle {
-        ka: user.ka.0.clone(),
-        wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+        ka: SecretBytes(user.ka.0),
+        wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
     });
-    db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key), &wrapped)
+    db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key.0), &wrapped)
         .await?;
     db.add_password_change(
         &uid,
         &PasswordChangeID(change_req.token_id.0),
-        &HawkKey(change_req.req_hmac_key),
+        &HawkKey(change_req.req_hmac_key.0),
         None,
     )
     .await?;
@@ -99,7 +99,10 @@ impl<const IS_FORGOT: bool> AuthSource for WithChangeToken<IS_FORGOT> {
             .await
             .success_or_else(|| anyhow!("could not open db connection"))?;
         let db = pool.begin().await?;
-        let result = db.finish_password_change(id, IS_FORGOT).await.map(|(h, ctx)| (h.0, ctx))?;
+        let result = db
+            .finish_password_change(id, IS_FORGOT)
+            .await
+            .map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
         db.commit().await?;
         Ok(result)
     }
@@ -151,7 +154,7 @@ pub(crate) async fn change_finish(
     db.change_user_auth(
         &data.context.0,
         auth_salt,
-        SecretKey(wrapwrap_kb),
+        SecretKey(wrapwrap_kb.0),
         VerifyHash(verify_hash),
     )
     .await?;
@@ -209,7 +212,7 @@ pub(crate) async fn forgot_start(
     db.add_password_change(
         &uid,
         &PasswordChangeID(forgot_req.token_id.0),
-        &HawkKey(forgot_req.req_hmac_key),
+        &HawkKey(forgot_req.req_hmac_key.0),
         Some(&forgot_code),
     )
     .await?;
@@ -252,7 +255,7 @@ pub(crate) async fn forgot_finish(
     db.add_account_reset(
         &data.context.0,
         &AccountResetID(reset_req.token_id.0),
-        &HawkKey(reset_req.req_hmac_key),
+        &HawkKey(reset_req.req_hmac_key.0),
     )
     .await?;
 
diff --git a/src/types.rs b/src/types.rs
index c27b288..aca74cf 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -1,4 +1,3 @@
-use crate::crypto::SecretBytes;
 use chrono::{DateTime, Utc};
 use password_hash::{rand_core::OsRng, Output, SaltString};
 use rand::RngCore;
@@ -163,11 +162,8 @@ macro_rules! bytea_types {
 //
 
 bytea_types! {
-    #[derive(Clone, Debug, PartialEq, Eq)]
-    struct HawkKey(SecretBytes<32>) as hawk_key {
-        fn decode(v) -> _ { v.0.0.as_ref() }
-        fn encode(v) -> _ { SecretBytes(v) }
-    }
+    #[simple_array]
+    struct HawkKey([u8; 32]) as hawk_key;
 
     #[simple_array]
     struct SessionID([u8; 32]) as session_id;
@@ -196,11 +192,8 @@ bytea_types! {
     #[simple_array]
     struct AvatarID([u8; 16]) as avatar_id;
 
-    #[derive(Clone, Debug, PartialEq, Eq)]
-    struct SecretKey(SecretBytes<32>) as secret_key {
-        fn decode(v) -> _ { v.0.0.as_ref() }
-        fn encode(v) -> _ { SecretBytes(v) }
-    }
+    #[simple_array]
+    struct SecretKey([u8; 32]) as secret_key;
 
     #[derive(Clone, Debug, PartialEq, Eq)]
     struct VerifyHash(Output) as verify_hash {
author	pennae <github@quasiparticle.net>	2022-07-17 09:45:23 +0200
committer	pennae <github@quasiparticle.net>	2022-07-17 17:24:24 +0200
commit	c1451924d88d146c7dc00c01d8c5f248978001b2 (patch)
tree	a9649df4c3e700724fef23fd20a8bb2154aa5472
parent	d4ed52e48eb52566dab91080eb25d8979fbb7d3e (diff)
download	minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.gz minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.xz minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.zip