mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Merge pull request #2910 from samueltardieu/const-crypto
Use constant size generic parameter for random bytes generation
This commit is contained in:
		| @@ -34,7 +34,7 @@ async fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers | |||||||
|  |  | ||||||
|     let (enabled, key) = match twofactor { |     let (enabled, key) = match twofactor { | ||||||
|         Some(tf) => (true, tf.data), |         Some(tf) => (true, tf.data), | ||||||
|         _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))), |         _ => (false, crypto::encode_random_bytes::<20>(BASE32)), | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
|     Ok(Json(json!({ |     Ok(Json(json!({ | ||||||
|   | |||||||
| @@ -105,7 +105,7 @@ async fn recover(data: JsonUpcase<RecoverTwoFactor>, mut conn: DbConn) -> JsonRe | |||||||
|  |  | ||||||
| async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) { | async fn _generate_recover_code(user: &mut User, conn: &mut DbConn) { | ||||||
|     if user.totp_recover.is_none() { |     if user.totp_recover.is_none() { | ||||||
|         let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20])); |         let totp_recover = crypto::encode_random_bytes::<20>(BASE32); | ||||||
|         user.totp_recover = Some(totp_recover); |         user.totp_recover = Some(totp_recover); | ||||||
|         user.save(conn).await.ok(); |         user.save(conn).await.ok(); | ||||||
|     } |     } | ||||||
|   | |||||||
| @@ -56,7 +56,7 @@ fn negotiate(_headers: Headers) -> Json<JsonValue> { | |||||||
|     use crate::crypto; |     use crate::crypto; | ||||||
|     use data_encoding::BASE64URL; |     use data_encoding::BASE64URL; | ||||||
|  |  | ||||||
|     let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16])); |     let conn_id = crypto::encode_random_bytes::<16>(BASE64URL); | ||||||
|     let mut available_transports: Vec<JsonValue> = Vec::new(); |     let mut available_transports: Vec<JsonValue> = Vec::new(); | ||||||
|  |  | ||||||
|     if CONFIG.websocket_enabled() { |     if CONFIG.websocket_enabled() { | ||||||
|   | |||||||
| @@ -981,8 +981,7 @@ impl Config { | |||||||
|         if let Some(akey) = self._duo_akey() { |         if let Some(akey) = self._duo_akey() { | ||||||
|             akey |             akey | ||||||
|         } else { |         } else { | ||||||
|             let akey = crate::crypto::get_random_64(); |             let akey_s = crate::crypto::encode_random_bytes::<64>(data_encoding::BASE64); | ||||||
|             let akey_s = data_encoding::BASE64.encode(&akey); |  | ||||||
|  |  | ||||||
|             // Save the new value |             // Save the new value | ||||||
|             let builder = ConfigBuilder { |             let builder = ConfigBuilder { | ||||||
|   | |||||||
| @@ -3,7 +3,7 @@ | |||||||
| // | // | ||||||
| use std::num::NonZeroU32; | use std::num::NonZeroU32; | ||||||
|  |  | ||||||
| use data_encoding::HEXLOWER; | use data_encoding::{Encoding, HEXLOWER}; | ||||||
| use ring::{digest, hmac, pbkdf2}; | use ring::{digest, hmac, pbkdf2}; | ||||||
|  |  | ||||||
| static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256; | static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256; | ||||||
| @@ -37,18 +37,21 @@ pub fn hmac_sign(key: &str, data: &str) -> String { | |||||||
| // Random values | // Random values | ||||||
| // | // | ||||||
|  |  | ||||||
| pub fn get_random_64() -> Vec<u8> { | /// Return an array holding `N` random bytes. | ||||||
|     get_random(vec![0u8; 64]) | pub fn get_random_bytes<const N: usize>() -> [u8; N] { | ||||||
| } |  | ||||||
|  |  | ||||||
| pub fn get_random(mut array: Vec<u8>) -> Vec<u8> { |  | ||||||
|     use ring::rand::{SecureRandom, SystemRandom}; |     use ring::rand::{SecureRandom, SystemRandom}; | ||||||
|  |  | ||||||
|  |     let mut array = [0; N]; | ||||||
|     SystemRandom::new().fill(&mut array).expect("Error generating random values"); |     SystemRandom::new().fill(&mut array).expect("Error generating random values"); | ||||||
|  |  | ||||||
|     array |     array | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /// Encode random bytes using the provided function. | ||||||
|  | pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String { | ||||||
|  |     e.encode(&get_random_bytes::<N>()) | ||||||
|  | } | ||||||
|  |  | ||||||
| /// Generates a random string over a specified alphabet. | /// Generates a random string over a specified alphabet. | ||||||
| pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String { | pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String { | ||||||
|     // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html |     // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html | ||||||
| @@ -77,18 +80,18 @@ pub fn get_random_string_alphanum(num_chars: usize) -> String { | |||||||
|     get_random_string(ALPHABET, num_chars) |     get_random_string(ALPHABET, num_chars) | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn generate_id(num_bytes: usize) -> String { | pub fn generate_id<const N: usize>() -> String { | ||||||
|     HEXLOWER.encode(&get_random(vec![0; num_bytes])) |     encode_random_bytes::<N>(HEXLOWER) | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn generate_send_id() -> String { | pub fn generate_send_id() -> String { | ||||||
|     // Send IDs are globally scoped, so make them longer to avoid collisions. |     // Send IDs are globally scoped, so make them longer to avoid collisions. | ||||||
|     generate_id(32) // 256 bits |     generate_id::<32>() // 256 bits | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn generate_attachment_id() -> String { | pub fn generate_attachment_id() -> String { | ||||||
|     // Attachment IDs are scoped to a cipher, so they can be smaller. |     // Attachment IDs are scoped to a cipher, so they can be smaller. | ||||||
|     generate_id(10) // 80 bits |     generate_id::<10>() // 80 bits | ||||||
| } | } | ||||||
|  |  | ||||||
| /// Generates a numeric token for email-based verifications. | /// Generates a numeric token for email-based verifications. | ||||||
|   | |||||||
| @@ -48,7 +48,7 @@ impl Device { | |||||||
|         use crate::crypto; |         use crate::crypto; | ||||||
|         use data_encoding::BASE64; |         use data_encoding::BASE64; | ||||||
|  |  | ||||||
|         let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180])); |         let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64); | ||||||
|         self.twofactor_remember = Some(twofactor_remember.clone()); |         self.twofactor_remember = Some(twofactor_remember.clone()); | ||||||
|  |  | ||||||
|         twofactor_remember |         twofactor_remember | ||||||
| @@ -69,7 +69,7 @@ impl Device { | |||||||
|             use crate::crypto; |             use crate::crypto; | ||||||
|             use data_encoding::BASE64URL; |             use data_encoding::BASE64URL; | ||||||
|  |  | ||||||
|             self.refresh_token = BASE64URL.encode(&crypto::get_random_64()); |             self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL); | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         // Update the expiration of the device and the last update date |         // Update the expiration of the device and the last update date | ||||||
|   | |||||||
| @@ -81,7 +81,7 @@ impl Send { | |||||||
|  |  | ||||||
|         if let Some(password) = password { |         if let Some(password) = password { | ||||||
|             self.password_iter = Some(PASSWORD_ITER); |             self.password_iter = Some(PASSWORD_ITER); | ||||||
|             let salt = crate::crypto::get_random_64(); |             let salt = crate::crypto::get_random_bytes::<64>().to_vec(); | ||||||
|             let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32); |             let hash = crate::crypto::hash_password(password.as_bytes(), &salt, PASSWORD_ITER as u32); | ||||||
|             self.password_salt = Some(salt); |             self.password_salt = Some(salt); | ||||||
|             self.password_hash = Some(hash); |             self.password_hash = Some(hash); | ||||||
|   | |||||||
| @@ -93,7 +93,7 @@ impl User { | |||||||
|             email_new_token: None, |             email_new_token: None, | ||||||
|  |  | ||||||
|             password_hash: Vec::new(), |             password_hash: Vec::new(), | ||||||
|             salt: crypto::get_random_64(), |             salt: crypto::get_random_bytes::<64>().to_vec(), | ||||||
|             password_iterations: CONFIG.password_iterations(), |             password_iterations: CONFIG.password_iterations(), | ||||||
|  |  | ||||||
|             security_stamp: crate::util::get_uuid(), |             security_stamp: crate::util::get_uuid(), | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user