use KDF instead of sha256 for secret

2019-04-02 16:06:42 +02:00 · 2019-04-02 16:06:42 +02:00 · 1430a4accb
parent 98abc6cc44
commit 1430a4accb
2 changed files with 6 additions and 5 deletions
--- a/src/sealed_state.rs
+++ b/src/sealed_state.rs
@ -1,6 +1,7 @@
 use ring::aead::{seal_in_place, open_in_place, Algorithm, AES_256_GCM};
 use ring::aead::{OpeningKey, SealingKey};
 use ring::rand::{SecureRandom, SystemRandom};
+use ring::hmac;
 use ring::digest;

 // Keep these in sync, and keep the key len synced with the `private` docs as
@ -15,9 +16,9 @@ pub struct SealedState {

 impl SealedState  {
    pub fn new(secret: &str) -> Self {
-        // TODO use KDF
-        let salted_secret = "hagrid".to_owned() + secret;
-        let key = digest::digest(&digest::SHA256, salted_secret.as_bytes());
+        let salt = hmac::SigningKey::new(&digest::SHA256, b"hagrid");
+        let mut key = vec![0; 32];
+        ring::hkdf::extract_and_expand(&salt, secret.as_bytes(), b"", &mut key);

        let sealing_key = SealingKey::new(ALGO, key.as_ref()).expect("sealing key creation");
        let opening_key = OpeningKey::new(ALGO, key.as_ref()).expect("sealing key creation");
--- a/src/tokens.rs
+++ b/src/tokens.rs
@ -85,7 +85,7 @@ mod tests {
    fn test_ok() {
        // {"f":"D4AB192964F76A7F8F8A9B357BD18320DEADFA11","c":12345658,"r":1}
        let fpr = "D4AB192964F76A7F8F8A9B357BD18320DEADFA11".parse().unwrap();
-        let token = "Gpi5wq4ALZSAQ7KaKmCzpgbWP2a7BImNC6H49ztqAD1Tl7qwJdbTIlyFWMEhkMcU-FIbvPkWUkBAP2EB6pP7-pWsIPmUT6sD_NNChwYaiDEMqMIFpcnb0xEPYKBpqZc";
+        let token = "KkhDt1quo1I1l3OPazSXKAmuNL6LLluhnRR6eQPsLruJ4URo-AKp4YGMsVlkDvj3NLvALt6Omp7vLzMbdv_DCus6oL3X-CSyQs9AFO6f5QMaseyAPtafKMDtDW2c1_Q";
        let mt = Service::init("secret", 60);

        let check_result = mt.check(token);
@ -96,7 +96,7 @@ mod tests {
    #[test]
    fn test_expired() {
        // {"f":"D4AB192964F76A7F8F8A9B357BD18320DEADFA11","c":12345078,"r":1}
-        let token = "KfbQMVE-U3thjmwrfAo1sdel9ixwd05fALaPfJ-6p_6AhN2_U0DaLUwAEFwLah-R6zTsQ_LNjMf8cu1z-pJnyB1DoSRYdy380HFT8sx6BnEFFXFyaU02bNM0wlv3Uzk";
+        let token = "tqDOpM5mdNSTCDzyyy6El_Chpj1k-ozzw4AHy-3KJhxkXs8A17GJYVq7CHbgsYMc7n5irdzOJ-IvForV_HiVSnZYpnS_BiORWN6FISVmnwlMxDBIGUqa1XDiBLD7UW8";
        let mt = Service::init("secret", 60);

        let check_result = mt.check(token);