feat: replaced flaky argon2 with better argon2 crate (#37)

* feat: replaced flaky argon2 with better argon2 crate * fix: applied cargo fmt nightly * docs: added comment specifying what the settings for Argon2 mean * fix: made hashing error a bit more descriptive * fix: fixed incorrect value for Kib
2023-12-25 16:28:56 +01:00 · 2023-12-25 16:28:56 +01:00 · fdc3e07be6
commit fdc3e07be6
parent 6a9f8dfa6f
9 changed files with 84 additions and 62 deletions
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -1,4 +1,5 @@
 mod data;
+use argon2::Argon2;
 pub use data::Data;
 use ruma::{
    serde::Base64, OwnedDeviceId, OwnedEventId, OwnedRoomId, OwnedServerName,
@ -51,7 +52,7 @@ type SyncHandle = (
    Receiver<Option<Result<sync_events::v3::Response>>>, // rx
 );

-pub struct Service {
+pub struct Service<'a> {
    pub db: &'static dyn Data,

    pub actual_destination_cache: Arc<RwLock<WellKnownMap>>, // actual_destination, host
@ -77,6 +78,7 @@ pub struct Service {
    pub rotate: RotationHandler,

    pub shutdown: AtomicBool,
+    pub argon: Argon2<'a>,
 }

 /// Handles "rotation" of long-polling requests. "Rotation" in this context is similar to "rotation" of log files and the like.
@ -140,7 +142,7 @@ impl Resolve for Resolver {
    }
 }

-impl Service {
+impl Service<'_> {
    pub fn load(db: &'static dyn Data, config: Config) -> Result<Self> {
        let keypair = db.load_keypair();

@ -188,7 +190,12 @@ impl Service {
            RoomVersionId::V5,
            RoomVersionId::V11,
        ];
-
+        // 19456 Kib blocks, iterations = 2, parallelism = 1 for more info https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
+        let argon = Argon2::new(
+            argon2::Algorithm::Argon2id,
+            argon2::Version::default(),
+            argon2::Params::new(19456, 2, 1, None).expect("valid parameters"),
+        );
        let mut s = Self {
            db,
            config,
@ -219,6 +226,7 @@ impl Service {
            sync_receivers: RwLock::new(HashMap::new()),
            rotate: RotationHandler::new(),
            shutdown: AtomicBool::new(false),
+            argon,
        };

        fs::create_dir_all(s.get_media_folder())?;
--- a/src/service/mod.rs
+++ b/src/service/mod.rs
@ -21,7 +21,7 @@ pub mod transaction_ids;
 pub mod uiaa;
 pub mod users;

-pub struct Services {
+pub struct Services<'a> {
    pub appservice: appservice::Service,
    pub pusher: pusher::Service,
    pub rooms: rooms::Service,
@ -30,13 +30,13 @@ pub struct Services {
    pub users: users::Service,
    pub account_data: account_data::Service,
    pub admin: Arc<admin::Service>,
-    pub globals: globals::Service,
+    pub globals: globals::Service<'a>,
    pub key_backups: key_backups::Service,
    pub media: media::Service,
    pub sending: Arc<sending::Service>,
 }

-impl Services {
+impl Services<'_> {
    pub fn build<
        D: appservice::Data
            + pusher::Data
--- a/src/service/uiaa/mod.rs
+++ b/src/service/uiaa/mod.rs
@ -1,5 +1,6 @@
 mod data;

+use argon2::{PasswordHash, PasswordVerifier};
 pub use data::Data;

 use ruma::{
@ -81,8 +82,14 @@ impl Service {

                // Check if password is correct
                if let Some(hash) = services().users.password_hash(&user_id)? {
-                    let hash_matches =
-                        argon2::verify_encoded(&hash, password.as_bytes()).unwrap_or(false);
+                    let hash_matches = services()
+                        .globals
+                        .argon
+                        .verify_password(
+                            password.as_bytes(),
+                            &PasswordHash::new(&hash).expect("valid hash in database"),
+                        )
+                        .is_ok();

                    if !hash_matches {
                        uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {