From c1451924d88d146c7dc00c01d8c5f248978001b2 Mon Sep 17 00:00:00 2001 From: pennae Date: Sun, 17 Jul 2022 09:45:23 +0200 Subject: don't use SecretBytes in HawkKey/SecretKey --- src/api/auth/account.rs | 24 +++++++++++++----------- src/api/auth/mod.rs | 2 +- src/api/auth/oauth.rs | 10 ++++++++-- src/api/auth/password.rs | 19 +++++++++++-------- src/types.rs | 15 ++++----------- 5 files changed, 37 insertions(+), 33 deletions(-) (limited to 'src') diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs index 51dd98e..0f12d49 100644 --- a/src/api/auth/account.rs +++ b/src/api/auth/account.rs @@ -103,7 +103,8 @@ pub(crate) async fn create( ka: ka.clone(), wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb), }); - db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?; + db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped) + .await?; Some(key_fetch_token) } else { None @@ -112,8 +113,8 @@ pub(crate) async fn create( .add_user(User { auth_salt, email: data.email.to_owned(), - ka: SecretKey(ka), - wrapwrap_kb: SecretKey(wrapwrap_kb), + ka: SecretKey(ka.0), + wrapwrap_kb: SecretKey(wrapwrap_kb.0), verify_hash: VerifyHash(verify_hash), display_name: None, verified: false, @@ -121,7 +122,7 @@ pub(crate) async fn create( .await?; let session_id = SessionID(session.token_id.0); let auth_at = db - .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key), false, None) + .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None) .await?; let verify_code = hex::encode(&SecretBytes::<16>::generate().0); db.add_verify_code(&uid, &session_id, &verify_code).await?; @@ -205,10 +206,11 @@ pub(crate) async fn login( let key_fetch_token = SecretBytes::generate(); let req = KeyFetchReq::from_token(&key_fetch_token); let wrapped = req.derive_resp().wrap_keys(&KeyBundle { - ka: user.ka.0.clone(), - wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0), + ka: SecretBytes(user.ka.0), + wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)), }); - db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?; + db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped) + .await?; Some(key_fetch_token) } else { None @@ -220,7 +222,7 @@ pub(crate) async fn login( .add_session( session_id.clone(), &uid, - HawkKey(session.req_hmac_key), + HawkKey(session.req_hmac_key.0), false, Some(&verify_code), ) @@ -312,7 +314,7 @@ impl AuthSource for WithKeyFetch { async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(SecretBytes<32>, Self::Context)> { let db = Authenticated::<(), Self>::get_conn(r).await?; db.always_commit().await?; - Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (h.0, ks))?) + Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (SecretBytes(h.0), ks))?) } async fn bearer_token(_: &Request<'_>, _: &OauthToken) -> Result<(KeyFetchID, Self::Context)> { // key fetch tokens are only valid in hawk requests @@ -346,7 +348,7 @@ impl AuthSource for WithResetToken { .await .success_or_else(|| anyhow!("could not open db connection"))?; let db = pool.begin().await?; - let result = db.finish_account_reset(id).await.map(|(h, ctx)| (h.0, ctx))?; + let result = db.finish_account_reset(id).await.map(|(h, ctx)| (SecretBytes(h.0), ctx))?; db.commit().await?; Ok(result) } @@ -390,7 +392,7 @@ pub(crate) async fn reset( let stretched = data.body.authPW.stretch(auth_salt.as_salt())?; let verify_hash = stretched.verify_hash(); - db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb), VerifyHash(verify_hash)) + db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb.0), VerifyHash(verify_hash)) .await?; defer.spawn_after_success("api::auth/account/reset(post)", { diff --git a/src/api/auth/mod.rs b/src/api/auth/mod.rs index 2c6d34d..d50dcc2 100644 --- a/src/api/auth/mod.rs +++ b/src/api/auth/mod.rs @@ -146,7 +146,7 @@ impl crate::auth::AuthSource for WithFxaLogin { ) -> anyhow::Result<(SecretBytes<32>, Self::Context)> { let db = Authenticated::<(), Self>::get_conn(r).await?; let k = db.use_session(id).await?; - Ok((k.req_hmac_key.0.clone(), k)) + Ok((SecretBytes(k.req_hmac_key.0), k)) } async fn bearer_token( _: &Request<'_>, diff --git a/src/api/auth/oauth.rs b/src/api/auth/oauth.rs index cb53b7c..6d2f700 100644 --- a/src/api/auth/oauth.rs +++ b/src/api/auth/oauth.rs @@ -394,8 +394,14 @@ async fn token_impl( let session_token = SecretBytes::generate(); let session = SessionCredentials::derive(&session_token); let session_id = SessionID(session.token_id.0); - db.add_session(session_id.clone(), &user_id, HawkKey(session.req_hmac_key), true, None) - .await?; + db.add_session( + session_id.clone(), + &user_id, + HawkKey(session.req_hmac_key.0), + true, + None, + ) + .await?; (Some(session_token.0), Some(SessionID(session.token_id.0))) } else { (None, None) diff --git a/src/api/auth/password.rs b/src/api/auth/password.rs index 0eeab4f..56ad2a2 100644 --- a/src/api/auth/password.rs +++ b/src/api/auth/password.rs @@ -64,15 +64,15 @@ pub(crate) async fn change_start( let key_fetch_token = SecretBytes::generate(); let key_req = KeyFetchReq::from_token(&key_fetch_token); let wrapped = key_req.derive_resp().wrap_keys(&KeyBundle { - ka: user.ka.0.clone(), - wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0), + ka: SecretBytes(user.ka.0), + wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)), }); - db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key), &wrapped) + db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key.0), &wrapped) .await?; db.add_password_change( &uid, &PasswordChangeID(change_req.token_id.0), - &HawkKey(change_req.req_hmac_key), + &HawkKey(change_req.req_hmac_key.0), None, ) .await?; @@ -99,7 +99,10 @@ impl AuthSource for WithChangeToken { .await .success_or_else(|| anyhow!("could not open db connection"))?; let db = pool.begin().await?; - let result = db.finish_password_change(id, IS_FORGOT).await.map(|(h, ctx)| (h.0, ctx))?; + let result = db + .finish_password_change(id, IS_FORGOT) + .await + .map(|(h, ctx)| (SecretBytes(h.0), ctx))?; db.commit().await?; Ok(result) } @@ -151,7 +154,7 @@ pub(crate) async fn change_finish( db.change_user_auth( &data.context.0, auth_salt, - SecretKey(wrapwrap_kb), + SecretKey(wrapwrap_kb.0), VerifyHash(verify_hash), ) .await?; @@ -209,7 +212,7 @@ pub(crate) async fn forgot_start( db.add_password_change( &uid, &PasswordChangeID(forgot_req.token_id.0), - &HawkKey(forgot_req.req_hmac_key), + &HawkKey(forgot_req.req_hmac_key.0), Some(&forgot_code), ) .await?; @@ -252,7 +255,7 @@ pub(crate) async fn forgot_finish( db.add_account_reset( &data.context.0, &AccountResetID(reset_req.token_id.0), - &HawkKey(reset_req.req_hmac_key), + &HawkKey(reset_req.req_hmac_key.0), ) .await?; diff --git a/src/types.rs b/src/types.rs index c27b288..aca74cf 100644 --- a/src/types.rs +++ b/src/types.rs @@ -1,4 +1,3 @@ -use crate::crypto::SecretBytes; use chrono::{DateTime, Utc}; use password_hash::{rand_core::OsRng, Output, SaltString}; use rand::RngCore; @@ -163,11 +162,8 @@ macro_rules! bytea_types { // bytea_types! { - #[derive(Clone, Debug, PartialEq, Eq)] - struct HawkKey(SecretBytes<32>) as hawk_key { - fn decode(v) -> _ { v.0.0.as_ref() } - fn encode(v) -> _ { SecretBytes(v) } - } + #[simple_array] + struct HawkKey([u8; 32]) as hawk_key; #[simple_array] struct SessionID([u8; 32]) as session_id; @@ -196,11 +192,8 @@ bytea_types! { #[simple_array] struct AvatarID([u8; 16]) as avatar_id; - #[derive(Clone, Debug, PartialEq, Eq)] - struct SecretKey(SecretBytes<32>) as secret_key { - fn decode(v) -> _ { v.0.0.as_ref() } - fn encode(v) -> _ { SecretBytes(v) } - } + #[simple_array] + struct SecretKey([u8; 32]) as secret_key; #[derive(Clone, Debug, PartialEq, Eq)] struct VerifyHash(Output) as verify_hash { -- cgit v1.2.3