edward/omegaupload
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Use stronger argon2id params

Browse source
This commit is contained in:
Edward Shen 2021-10-31 15:42:15 -07:00
parent 3e2f608e27
commit 5bb3ad2d0d
Signed by: edward
GPG key ID: 19182661E818369F
1 changed files with 24 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
common/src/crypto.rs
View file

@ -20,7 +20,7 @@
use std::ops::{Deref, DerefMut}; use std::ops::{Deref, DerefMut};
use argon2::Argon2; use argon2::{Argon2, ParamsBuilder};
use chacha20poly1305::aead::generic_array::sequence::GenericSequence; use chacha20poly1305::aead::generic_array::sequence::GenericSequence;
use chacha20poly1305::aead::generic_array::GenericArray; use chacha20poly1305::aead::generic_array::GenericArray;
use chacha20poly1305::aead::{AeadInPlace, NewAead}; use chacha20poly1305::aead::{AeadInPlace, NewAead};
@ -152,7 +152,7 @@ pub fn open_in_place(
) -> Result<(), Error> { ) -> Result<(), Error> {
let pw_key = if let Some(password) = password { let pw_key = if let Some(password) = password {
let salt_buf = data.split_off(data.len() - Salt::SIZE); let salt_buf = data.split_off(data.len() - Salt::SIZE);
let argon = Argon2::default(); let argon = get_argon2();
let mut pw_key = Key::default(); let mut pw_key = Key::default();
argon argon
.hash_password_into(password.expose_secret(), &salt_buf, &mut pw_key) .hash_password_into(password.expose_secret(), &salt_buf, &mut pw_key)
@ -255,13 +255,34 @@ impl AsRef<[u8]> for Salt {
/// Hashes an input to output a usable key. /// Hashes an input to output a usable key.
fn kdf(password: &SecretVec<u8>) -> Result<(Secret<Key>, Salt), argon2::Error> { fn kdf(password: &SecretVec<u8>) -> Result<(Secret<Key>, Salt), argon2::Error> {
let salt = Salt::random(); let salt = Salt::random();
let hasher = Argon2::default(); let hasher = get_argon2();
let mut key = Key::default(); let mut key = Key::default();
hasher.hash_password_into(password.expose_secret().as_ref(), salt.as_ref(), &mut key)?; hasher.hash_password_into(password.expose_secret().as_ref(), salt.as_ref(), &mut key)?;
Ok((Secret::new(key), salt)) Ok((Secret::new(key), salt))
} }
/// Returns Argon2id configured as follows:
/// - 15MiB of memory (`m`),
/// - an iteration count of 2 (`t`),
/// - and 2 degrees of parallelism (`p`).
///
/// This follows the [minimum recommended parameters suggested by OWASP][rec].
///
/// [rec]: https://link.eddie.sh/vaQ6a.
fn get_argon2() -> Argon2<'static> {
let mut params = ParamsBuilder::new();
params
.m_cost(15 * 1024) // 15 MiB
.expect("Hard coded params to work")
.t_cost(2)
.expect("Hard coded params to work")
.p_cost(2)
.expect("Hard coded params to work");
let params = params.params().expect("Hard coded params to work");
Argon2::new(argon2::Algorithm::Argon2id, argon2::Version::V0x13, params)
}
/// Fetches a cryptographically secure random number generator. This indirection /// Fetches a cryptographically secure random number generator. This indirection
/// is used for better auditing the quality of rng. Notably, this function /// is used for better auditing the quality of rng. Notably, this function
/// returns a `Rng` with the `CryptoRng` marker trait, preventing /// returns a `Rng` with the `CryptoRng` marker trait, preventing