diff options
| author | Conrad Ludgate <conradludgate@gmail.com> | 2023-04-17 21:12:02 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-04-17 21:12:02 +0100 |
| commit | c7d89c1703c6dc580b2ef2cbb66b0df0b1e72b50 (patch) | |
| tree | b9d7a653f3460a9f9d3a96106c273b9cbd382710 /atuin-server | |
| parent | 678323b54393777eac7e84ff3f6b1f8921083f56 (diff) | |
chore: uuhhhhhh crypto lol (#805)
* chore: uuhhhhhh crypto lol
* remove dead code
* fix key decoding
* use inplace encryption
Diffstat (limited to 'atuin-server')
| -rw-r--r-- | atuin-server/Cargo.toml | 1 | ||||
| -rw-r--r-- | atuin-server/src/handlers/user.rs | 39 |
2 files changed, 15 insertions, 25 deletions
diff --git a/atuin-server/Cargo.toml b/atuin-server/Cargo.toml index a60bc253e..773f3eb3a 100644 --- a/atuin-server/Cargo.toml +++ b/atuin-server/Cargo.toml @@ -33,3 +33,4 @@ chronoutil = "0.2.3" tower = "0.4" tower-http = { version = "0.3", features = ["trace"] } reqwest = { workspace = true } +argon2 = "0.5.0" diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs index 61af989c0..89aa0601c 100644 --- a/atuin-server/src/handlers/user.rs +++ b/atuin-server/src/handlers/user.rs @@ -2,12 +2,16 @@ use std::borrow::Borrow; use std::collections::HashMap; use std::time::Duration; +use argon2::{ + password_hash::SaltString, Algorithm, Argon2, Params, PasswordHash, PasswordHasher, + PasswordVerifier, Version, +}; use axum::{ extract::{Path, State}, Json, }; use http::StatusCode; -use sodiumoxide::crypto::pwhash::argon2id13; +use rand::rngs::OsRng; use tracing::{debug, error, info, instrument}; use uuid::Uuid; @@ -22,18 +26,10 @@ use reqwest::header::CONTENT_TYPE; use atuin_common::api::*; -pub fn verify_str(secret: &str, verify: &str) -> bool { - sodiumoxide::init().unwrap(); - - let mut padded = [0_u8; 128]; - secret.as_bytes().iter().enumerate().for_each(|(i, val)| { - padded[i] = *val; - }); - - match argon2id13::HashedPassword::from_slice(&padded) { - Some(hp) => argon2id13::pwhash_verify(&hp, verify.as_bytes()), - None => false, - } +pub fn verify_str(hash: &str, password: &str) -> bool { + let arg2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, Params::default()); + let Ok(hash) = PasswordHash::new(hash) else { return false }; + arg2.verify_password(password.as_bytes(), &hash).is_ok() } // Try to send a Discord webhook once - if it fails, we don't retry. "At most once", and best effort. @@ -185,16 +181,9 @@ pub async fn login<DB: Database>( })) } -fn hash_secret(secret: &str) -> String { - sodiumoxide::init().unwrap(); - let hash = argon2id13::pwhash( - secret.as_bytes(), - argon2id13::OPSLIMIT_INTERACTIVE, - argon2id13::MEMLIMIT_INTERACTIVE, - ) - .unwrap(); - let texthash = std::str::from_utf8(&hash.0).unwrap().to_string(); - - // postgres hates null chars. don't do that to postgres - texthash.trim_end_matches('\u{0}').to_string() +fn hash_secret(password: &str) -> String { + let arg2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, Params::default()); + let salt = SaltString::generate(&mut OsRng); + let hash = arg2.hash_password(password.as_bytes(), &salt).unwrap(); + hash.to_string() } |