summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorpennae <github@quasiparticle.net>2022-07-17 09:45:23 +0200
committerpennae <github@quasiparticle.net>2022-07-17 17:24:24 +0200
commitc1451924d88d146c7dc00c01d8c5f248978001b2 (patch)
treea9649df4c3e700724fef23fd20a8bb2154aa5472
parentd4ed52e48eb52566dab91080eb25d8979fbb7d3e (diff)
downloadminor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.gz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.xz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.zip
don't use SecretBytes in HawkKey/SecretKey
-rw-r--r--src/api/auth/account.rs24
-rw-r--r--src/api/auth/mod.rs2
-rw-r--r--src/api/auth/oauth.rs10
-rw-r--r--src/api/auth/password.rs19
-rw-r--r--src/types.rs15
5 files changed, 37 insertions, 33 deletions
diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs
index 51dd98e..0f12d49 100644
--- a/src/api/auth/account.rs
+++ b/src/api/auth/account.rs
@@ -103,7 +103,8 @@ pub(crate) async fn create(
ka: ka.clone(),
wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb),
});
- db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+ db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+ .await?;
Some(key_fetch_token)
} else {
None
@@ -112,8 +113,8 @@ pub(crate) async fn create(
.add_user(User {
auth_salt,
email: data.email.to_owned(),
- ka: SecretKey(ka),
- wrapwrap_kb: SecretKey(wrapwrap_kb),
+ ka: SecretKey(ka.0),
+ wrapwrap_kb: SecretKey(wrapwrap_kb.0),
verify_hash: VerifyHash(verify_hash),
display_name: None,
verified: false,
@@ -121,7 +122,7 @@ pub(crate) async fn create(
.await?;
let session_id = SessionID(session.token_id.0);
let auth_at = db
- .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key), false, None)
+ .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None)
.await?;
let verify_code = hex::encode(&SecretBytes::<16>::generate().0);
db.add_verify_code(&uid, &session_id, &verify_code).await?;
@@ -205,10 +206,11 @@ pub(crate) async fn login(
let key_fetch_token = SecretBytes::generate();
let req = KeyFetchReq::from_token(&key_fetch_token);
let wrapped = req.derive_resp().wrap_keys(&KeyBundle {
- ka: user.ka.0.clone(),
- wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+ ka: SecretBytes(user.ka.0),
+ wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
});
- db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+ db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+ .await?;
Some(key_fetch_token)
} else {
None
@@ -220,7 +222,7 @@ pub(crate) async fn login(
.add_session(
session_id.clone(),
&uid,
- HawkKey(session.req_hmac_key),
+ HawkKey(session.req_hmac_key.0),
false,
Some(&verify_code),
)
@@ -312,7 +314,7 @@ impl AuthSource for WithKeyFetch {
async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(SecretBytes<32>, Self::Context)> {
let db = Authenticated::<(), Self>::get_conn(r).await?;
db.always_commit().await?;
- Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (h.0, ks))?)
+ Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (SecretBytes(h.0), ks))?)
}
async fn bearer_token(_: &Request<'_>, _: &OauthToken) -> Result<(KeyFetchID, Self::Context)> {
// key fetch tokens are only valid in hawk requests
@@ -346,7 +348,7 @@ impl AuthSource for WithResetToken {
.await
.success_or_else(|| anyhow!("could not open db connection"))?;
let db = pool.begin().await?;
- let result = db.finish_account_reset(id).await.map(|(h, ctx)| (h.0, ctx))?;
+ let result = db.finish_account_reset(id).await.map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
db.commit().await?;
Ok(result)
}
@@ -390,7 +392,7 @@ pub(crate) async fn reset(
let stretched = data.body.authPW.stretch(auth_salt.as_salt())?;
let verify_hash = stretched.verify_hash();
- db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb), VerifyHash(verify_hash))
+ db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb.0), VerifyHash(verify_hash))
.await?;
defer.spawn_after_success("api::auth/account/reset(post)", {
diff --git a/src/api/auth/mod.rs b/src/api/auth/mod.rs
index 2c6d34d..d50dcc2 100644
--- a/src/api/auth/mod.rs
+++ b/src/api/auth/mod.rs
@@ -146,7 +146,7 @@ impl crate::auth::AuthSource for WithFxaLogin {
) -> anyhow::Result<(SecretBytes<32>, Self::Context)> {
let db = Authenticated::<(), Self>::get_conn(r).await?;
let k = db.use_session(id).await?;
- Ok((k.req_hmac_key.0.clone(), k))
+ Ok((SecretBytes(k.req_hmac_key.0), k))
}
async fn bearer_token(
_: &Request<'_>,
diff --git a/src/api/auth/oauth.rs b/src/api/auth/oauth.rs
index cb53b7c..6d2f700 100644
--- a/src/api/auth/oauth.rs
+++ b/src/api/auth/oauth.rs
@@ -394,8 +394,14 @@ async fn token_impl(
let session_token = SecretBytes::generate();
let session = SessionCredentials::derive(&session_token);
let session_id = SessionID(session.token_id.0);
- db.add_session(session_id.clone(), &user_id, HawkKey(session.req_hmac_key), true, None)
- .await?;
+ db.add_session(
+ session_id.clone(),
+ &user_id,
+ HawkKey(session.req_hmac_key.0),
+ true,
+ None,
+ )
+ .await?;
(Some(session_token.0), Some(SessionID(session.token_id.0)))
} else {
(None, None)
diff --git a/src/api/auth/password.rs b/src/api/auth/password.rs
index 0eeab4f..56ad2a2 100644
--- a/src/api/auth/password.rs
+++ b/src/api/auth/password.rs
@@ -64,15 +64,15 @@ pub(crate) async fn change_start(
let key_fetch_token = SecretBytes::generate();
let key_req = KeyFetchReq::from_token(&key_fetch_token);
let wrapped = key_req.derive_resp().wrap_keys(&KeyBundle {
- ka: user.ka.0.clone(),
- wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+ ka: SecretBytes(user.ka.0),
+ wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
});
- db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key), &wrapped)
+ db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key.0), &wrapped)
.await?;
db.add_password_change(
&uid,
&PasswordChangeID(change_req.token_id.0),
- &HawkKey(change_req.req_hmac_key),
+ &HawkKey(change_req.req_hmac_key.0),
None,
)
.await?;
@@ -99,7 +99,10 @@ impl<const IS_FORGOT: bool> AuthSource for WithChangeToken<IS_FORGOT> {
.await
.success_or_else(|| anyhow!("could not open db connection"))?;
let db = pool.begin().await?;
- let result = db.finish_password_change(id, IS_FORGOT).await.map(|(h, ctx)| (h.0, ctx))?;
+ let result = db
+ .finish_password_change(id, IS_FORGOT)
+ .await
+ .map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
db.commit().await?;
Ok(result)
}
@@ -151,7 +154,7 @@ pub(crate) async fn change_finish(
db.change_user_auth(
&data.context.0,
auth_salt,
- SecretKey(wrapwrap_kb),
+ SecretKey(wrapwrap_kb.0),
VerifyHash(verify_hash),
)
.await?;
@@ -209,7 +212,7 @@ pub(crate) async fn forgot_start(
db.add_password_change(
&uid,
&PasswordChangeID(forgot_req.token_id.0),
- &HawkKey(forgot_req.req_hmac_key),
+ &HawkKey(forgot_req.req_hmac_key.0),
Some(&forgot_code),
)
.await?;
@@ -252,7 +255,7 @@ pub(crate) async fn forgot_finish(
db.add_account_reset(
&data.context.0,
&AccountResetID(reset_req.token_id.0),
- &HawkKey(reset_req.req_hmac_key),
+ &HawkKey(reset_req.req_hmac_key.0),
)
.await?;
diff --git a/src/types.rs b/src/types.rs
index c27b288..aca74cf 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -1,4 +1,3 @@
-use crate::crypto::SecretBytes;
use chrono::{DateTime, Utc};
use password_hash::{rand_core::OsRng, Output, SaltString};
use rand::RngCore;
@@ -163,11 +162,8 @@ macro_rules! bytea_types {
//
bytea_types! {
- #[derive(Clone, Debug, PartialEq, Eq)]
- struct HawkKey(SecretBytes<32>) as hawk_key {
- fn decode(v) -> _ { v.0.0.as_ref() }
- fn encode(v) -> _ { SecretBytes(v) }
- }
+ #[simple_array]
+ struct HawkKey([u8; 32]) as hawk_key;
#[simple_array]
struct SessionID([u8; 32]) as session_id;
@@ -196,11 +192,8 @@ bytea_types! {
#[simple_array]
struct AvatarID([u8; 16]) as avatar_id;
- #[derive(Clone, Debug, PartialEq, Eq)]
- struct SecretKey(SecretBytes<32>) as secret_key {
- fn decode(v) -> _ { v.0.0.as_ref() }
- fn encode(v) -> _ { SecretBytes(v) }
- }
+ #[simple_array]
+ struct SecretKey([u8; 32]) as secret_key;
#[derive(Clone, Debug, PartialEq, Eq)]
struct VerifyHash(Output) as verify_hash {