gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-05 20:40:02 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(deps): Change base64 to base64ct crate (#295)

Browse Source
This commit is contained in:
Prabhpreet Dua
2024-05-06 21:14:10 +05:30
committed by GitHub
parent 761d5730af
commit 4bb3153761
13 changed files with 546 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
secret-memory/Cargo.toml
View File

@@ -21,3 +21,5 @@ log = { workspace = true }
[dev-dependencies]
allocator-api2-tests = { workspace = true }
tempfile = {workspace = true}
base64ct = {workspace = true}

169
secret-memory/src/public.rs
View File

@@ -1,10 +1,16 @@
use crate::debug::debug_crypto_array;
use anyhow::Context;
use rand::{Fill as Randomize, Rng};
use rosenpass_to::{ops::copy_slice, To};
use rosenpass_util::file::{fopen_r, LoadValue, ReadExactToEnd, StoreValue};
use rosenpass_util::b64::{b64_decode, b64_encode};
use rosenpass_util::file::{
fopen_r, fopen_w, LoadValue, LoadValueB64, ReadExactToEnd, ReadSliceToEnd, StoreValue,
StoreValueB64, StoreValueB64Writer, Visibility,
};
use rosenpass_util::functional::mutating;
use std::borrow::{Borrow, BorrowMut};
use std::fmt;
use std::io::Write;
use std::ops::{Deref, DerefMut};
use std::path::Path;
@@ -110,3 +116,164 @@ impl<const N: usize> StoreValue for Public<N> {
Ok(())
}
}
impl<const N: usize> LoadValueB64 for Public<N> {
type Error = anyhow::Error;
fn load_b64<const F: usize, P: AsRef<Path>>(path: P) -> Result<Self, Self::Error>
where
Self: Sized,
{
let mut f = [0u8; F];
let mut v = Public::zero();
let p = path.as_ref();
let len = fopen_r(p)?
.read_slice_to_end(&mut f)
.with_context(|| format!("Could not load file {p:?}"))?;
b64_decode(&f[0..len], &mut v.value)
.with_context(|| format!("Could not decode base64 file {p:?}"))?;
Ok(v)
}
}
impl<const N: usize> StoreValueB64 for Public<N> {
type Error = anyhow::Error;
fn store_b64<const F: usize, P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
let p = path.as_ref();
let mut f = [0u8; F];
let encoded_str = b64_encode(&self.value, &mut f)
.with_context(|| format!("Could not encode base64 file {p:?}"))?;
fopen_w(p, Visibility::Public)?
.write_all(encoded_str.as_bytes())
.with_context(|| format!("Could not write file {p:?}"))?;
Ok(())
}
}
impl<const N: usize> StoreValueB64Writer for Public<N> {
type Error = anyhow::Error;
fn store_b64_writer<const F: usize, W: std::io::Write>(
&self,
mut writer: W,
) -> Result<(), Self::Error> {
let mut f = [0u8; F];
let encoded_str = b64_encode(&self.value, &mut f)
.with_context(|| format!("Could not encode secret to base64"))?;
writer
.write_all(encoded_str.as_bytes())
.with_context(|| format!("Could not write base64 to writer"))?;
Ok(())
}
}
#[cfg(test)]
mod tests {
#[cfg(test)]
mod tests {
use crate::Public;
use rosenpass_util::{
b64::b64_encode,
file::{
fopen_w, LoadValue, LoadValueB64, StoreValue, StoreValueB64, StoreValueB64Writer,
Visibility,
},
};
use std::{fs, os::unix::fs::PermissionsExt};
use tempfile::tempdir;
/// test loading a public from an example file, and then storing it again in a different file
#[test]
fn test_public_load_store() {
const N: usize = 100;
// Generate original random bytes
let original_bytes: [u8; N] = [rand::random(); N];
// Create a temporary directory
let temp_dir = tempdir().unwrap();
// Store the original public to an example file in the temporary directory
let example_file = temp_dir.path().join("example_file");
std::fs::write(example_file.clone(), &original_bytes).unwrap();
// Load the public from the example file
let loaded_public = Public::load(&example_file).unwrap();
// Check that the loaded public matches the original bytes
assert_eq!(&loaded_public.value, &original_bytes);
// Store the loaded public to a different file in the temporary directory
let new_file = temp_dir.path().join("new_file");
loaded_public.store(&new_file).unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
}
/// test loading a base64 encoded public from an example file, and then storing it again in a different file
#[test]
fn test_public_load_store_base64() {
const N: usize = 100;
// Generate original random bytes
let original_bytes: [u8; N] = [rand::random(); N];
// Create a temporary directory
let temp_dir = tempdir().unwrap();
let example_file = temp_dir.path().join("example_file");
let mut encoded_public = [0u8; N * 2];
let encoded_public = b64_encode(&original_bytes, &mut encoded_public).unwrap();
std::fs::write(&example_file, encoded_public).unwrap();
// Load the public from the example file
let loaded_public = Public::load_b64::<{ N * 2 }, _>(&example_file).unwrap();
// Check that the loaded public matches the original bytes
assert_eq!(&loaded_public.value, &original_bytes);
// Store the loaded public to a different file in the temporary directory
let new_file = temp_dir.path().join("new_file");
loaded_public.store_b64::<{ N * 2 }, _>(&new_file).unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
//Check new file permissions are public
let metadata = fs::metadata(&new_file).unwrap();
assert_eq!(metadata.permissions().mode() & 0o000777, 0o644);
// Store the loaded public to a different file in the temporary directory for a second time
let new_file = temp_dir.path().join("new_file_writer");
let new_file_writer = fopen_w(new_file.clone(), Visibility::Public).unwrap();
loaded_public
.store_b64_writer::<{ N * 2 }, _>(&new_file_writer)
.unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
//Check new file permissions are public
let metadata = fs::metadata(&new_file).unwrap();
assert_eq!(metadata.permissions().mode() & 0o000777, 0o644);
}
}
}

159
secret-memory/src/secret.rs
View File

@@ -9,8 +9,11 @@ use anyhow::Context;
use rand::{Fill as Randomize, Rng};
use zeroize::{Zeroize, ZeroizeOnDrop};
use rosenpass_util::b64::b64_reader;
use rosenpass_util::file::{fopen_r, LoadValue, LoadValueB64, ReadExactToEnd};
use rosenpass_util::b64::{b64_decode, b64_encode};
use rosenpass_util::file::{
fopen_r, LoadValue, LoadValueB64, ReadExactToEnd, ReadSliceToEnd, StoreValueB64,
StoreValueB64Writer,
};
use rosenpass_util::functional::mutating;
use crate::alloc::{secret_box, SecretBox, SecretVec};
@@ -251,25 +254,57 @@ impl<const N: usize> LoadValue for Secret<N> {
impl<const N: usize> LoadValueB64 for Secret<N> {
type Error = anyhow::Error;
fn load_b64<P: AsRef<Path>>(path: P) -> anyhow::Result<Self> {
use std::io::Read;
fn load_b64<const F: usize, P: AsRef<Path>>(path: P) -> anyhow::Result<Self> {
let mut f: Secret<F> = Secret::random();
let mut v = Self::random();
let p = path.as_ref();
// This might leave some fragments of the secret on the stack;
// in practice this is likely not a problem because the stack likely
// will be overwritten by something else soon but this is not exactly
// guaranteed. It would be possible to remedy this, but since the secret
// data will linger in the Linux page cache anyways with the current
// implementation, going to great length to erase the secret here is
// not worth it right now.
b64_reader(&mut fopen_r(p)?)
.read_exact(v.secret_mut())
.with_context(|| format!("Could not load base64 file {p:?}"))?;
let len = fopen_r(p)?
.read_slice_to_end(f.secret_mut())
.with_context(|| format!("Could not load file {p:?}"))?;
b64_decode(&f.secret()[0..len], v.secret_mut())
.with_context(|| format!("Could not decode base64 file {p:?}"))?;
Ok(v)
}
}
impl<const N: usize> StoreValueB64 for Secret<N> {
type Error = anyhow::Error;
fn store_b64<const F: usize, P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
let p = path.as_ref();
let mut f: Secret<F> = Secret::random();
let encoded_str = b64_encode(self.secret(), f.secret_mut())
.with_context(|| format!("Could not encode base64 file {p:?}"))?;
fopen_w(p, Visibility::Secret)?
.write_all(encoded_str.as_bytes())
.with_context(|| format!("Could not write file {p:?}"))?;
f.zeroize();
Ok(())
}
}
impl<const N: usize> StoreValueB64Writer for Secret<N> {
type Error = anyhow::Error;
fn store_b64_writer<const F: usize, W: Write>(&self, mut writer: W) -> anyhow::Result<()> {
let mut f: Secret<F> = Secret::random();
let encoded_str = b64_encode(self.secret(), f.secret_mut())
.with_context(|| format!("Could not encode secret to base64"))?;
writer
.write_all(encoded_str.as_bytes())
.with_context(|| format!("Could not write base64 to writer"))?;
f.zeroize();
Ok(())
}
}
impl<const N: usize> StoreSecret for Secret<N> {
type Error = anyhow::Error;
@@ -287,6 +322,8 @@ impl<const N: usize> StoreSecret for Secret<N> {
#[cfg(test)]
mod test {
use super::*;
use std::{fs, os::unix::fs::PermissionsExt};
use tempfile::tempdir;
/// check that we can alloc using the magic pool
#[test]
@@ -297,7 +334,7 @@ mod test {
assert_eq!(secret.as_ref(), &[0; N]);
}
/// check that a secrete lives, even if its [SecretMemoryPool] is deleted
/// check that a secret lives, even if its [SecretMemoryPool] is deleted
#[test]
fn secret_memory_pool_drop() {
const N: usize = 0x100;
@@ -307,7 +344,7 @@ mod test {
assert_eq!(secret.as_ref(), &[0; N]);
}
/// check that a secrete can be reborn, freshly initialized with zero
/// check that a secret can be reborn, freshly initialized with zero
#[test]
fn secret_memory_pool_release() {
const N: usize = 1;
@@ -325,4 +362,92 @@ mod test {
// and that the secret was zeroized
assert_eq!(new_secret.as_ref(), &[0; N]);
}
/// test loading a secret from an example file, and then storing it again in a different file
#[test]
fn test_secret_load_store() {
const N: usize = 100;
// Generate original random bytes
let original_bytes: [u8; N] = [rand::random(); N];
// Create a temporary directory
let temp_dir = tempdir().unwrap();
// Store the original secret to an example file in the temporary directory
let example_file = temp_dir.path().join("example_file");
std::fs::write(example_file.clone(), &original_bytes).unwrap();
// Load the secret from the example file
let loaded_secret = Secret::load(&example_file).unwrap();
// Check that the loaded secret matches the original bytes
assert_eq!(loaded_secret.secret(), &original_bytes);
// Store the loaded secret to a different file in the temporary directory
let new_file = temp_dir.path().join("new_file");
loaded_secret.store(&new_file).unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
}
/// test loading a base64 encoded secret from an example file, and then storing it again in a different file
#[test]
fn test_secret_load_store_base64() {
const N: usize = 100;
// Generate original random bytes
let original_bytes: [u8; N] = [rand::random(); N];
// Create a temporary directory
let temp_dir = tempdir().unwrap();
let example_file = temp_dir.path().join("example_file");
let mut encoded_secret = [0u8; N * 2];
let encoded_secret = b64_encode(&original_bytes, &mut encoded_secret).unwrap();
std::fs::write(&example_file, encoded_secret).unwrap();
// Load the secret from the example file
let loaded_secret = Secret::load_b64::<{ N * 2 }, _>(&example_file).unwrap();
// Check that the loaded secret matches the original bytes
assert_eq!(loaded_secret.secret(), &original_bytes);
// Store the loaded secret to a different file in the temporary directory
let new_file = temp_dir.path().join("new_file");
loaded_secret.store_b64::<{ N * 2 }, _>(&new_file).unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
//Check new file permissions are secret
let metadata = fs::metadata(&new_file).unwrap();
assert_eq!(metadata.permissions().mode() & 0o000777, 0o600);
// Store the loaded secret to a different file in the temporary directory for a second time
let new_file = temp_dir.path().join("new_file_writer");
let new_file_writer = fopen_w(new_file.clone(), Visibility::Secret).unwrap();
loaded_secret
.store_b64_writer::<{ N * 2 }, _>(&new_file_writer)
.unwrap();
// Read the contents of the new file
let new_file_contents = fs::read(&new_file).unwrap();
// Read the contents of the original file
let original_file_contents = fs::read(&example_file).unwrap();
// Check that the contents of the new file match the original file
assert_eq!(new_file_contents, original_file_contents);
//Check new file permissions are secret
let metadata = fs::metadata(&new_file).unwrap();
assert_eq!(metadata.permissions().mode() & 0o000777, 0o600);
}
}