From c7d89c1703c6dc580b2ef2cbb66b0df0b1e72b50 Mon Sep 17 00:00:00 2001 From: Conrad Ludgate Date: Mon, 17 Apr 2023 21:12:02 +0100 Subject: chore: uuhhhhhh crypto lol (#805) * chore: uuhhhhhh crypto lol * remove dead code * fix key decoding * use inplace encryption --- atuin-server/Cargo.toml | 1 + atuin-server/src/handlers/user.rs | 39 ++++++++++++++------------------------- 2 files changed, 15 insertions(+), 25 deletions(-) (limited to 'atuin-server') diff --git a/atuin-server/Cargo.toml b/atuin-server/Cargo.toml index a60bc253e..773f3eb3a 100644 --- a/atuin-server/Cargo.toml +++ b/atuin-server/Cargo.toml @@ -33,3 +33,4 @@ chronoutil = "0.2.3" tower = "0.4" tower-http = { version = "0.3", features = ["trace"] } reqwest = { workspace = true } +argon2 = "0.5.0" diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs index 61af989c0..89aa0601c 100644 --- a/atuin-server/src/handlers/user.rs +++ b/atuin-server/src/handlers/user.rs @@ -2,12 +2,16 @@ use std::borrow::Borrow; use std::collections::HashMap; use std::time::Duration; +use argon2::{ + password_hash::SaltString, Algorithm, Argon2, Params, PasswordHash, PasswordHasher, + PasswordVerifier, Version, +}; use axum::{ extract::{Path, State}, Json, }; use http::StatusCode; -use sodiumoxide::crypto::pwhash::argon2id13; +use rand::rngs::OsRng; use tracing::{debug, error, info, instrument}; use uuid::Uuid; @@ -22,18 +26,10 @@ use reqwest::header::CONTENT_TYPE; use atuin_common::api::*; -pub fn verify_str(secret: &str, verify: &str) -> bool { - sodiumoxide::init().unwrap(); - - let mut padded = [0_u8; 128]; - secret.as_bytes().iter().enumerate().for_each(|(i, val)| { - padded[i] = *val; - }); - - match argon2id13::HashedPassword::from_slice(&padded) { - Some(hp) => argon2id13::pwhash_verify(&hp, verify.as_bytes()), - None => false, - } +pub fn verify_str(hash: &str, password: &str) -> bool { + let arg2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, Params::default()); + let Ok(hash) = PasswordHash::new(hash) else { return false }; + arg2.verify_password(password.as_bytes(), &hash).is_ok() } // Try to send a Discord webhook once - if it fails, we don't retry. "At most once", and best effort. @@ -185,16 +181,9 @@ pub async fn login( })) } -fn hash_secret(secret: &str) -> String { - sodiumoxide::init().unwrap(); - let hash = argon2id13::pwhash( - secret.as_bytes(), - argon2id13::OPSLIMIT_INTERACTIVE, - argon2id13::MEMLIMIT_INTERACTIVE, - ) - .unwrap(); - let texthash = std::str::from_utf8(&hash.0).unwrap().to_string(); - - // postgres hates null chars. don't do that to postgres - texthash.trim_end_matches('\u{0}').to_string() +fn hash_secret(password: &str) -> String { + let arg2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, Params::default()); + let salt = SaltString::generate(&mut OsRng); + let hash = arg2.hash_password(password.as_bytes(), &salt).unwrap(); + hash.to_string() } -- cgit v1.2.3