switch crypto implementation and add spinner

src-tauri/src/credentials.rs

@@ -1,7 +1,25 @@
 use std::fmt::{self, Formatter};
 use std::time::{SystemTime, UNIX_EPOCH};
 
-use aws_smithy_types::date_time::{DateTime, Format};
+ use aws_smithy_types::date_time::{DateTime, Format};
+use argon2::{
+    Argon2,
+    Algorithm,
+    Version,
+    ParamsBuilder,
+    password_hash::rand_core::{RngCore, OsRng},
+};
+use chacha20poly1305::{
+    XChaCha20Poly1305,
+    XNonce,
+    aead::{
+        Aead,
+        AeadCore,
+        KeyInit,
+        Error as AeadError,
+        generic_array::GenericArray,
+    },
+};
 use serde::{
     Serialize,
     Deserialize,
@@ -10,12 +28,7 @@ use serde::{
 };
 use serde::de::{self, Visitor};
 use sqlx::SqlitePool;
-use sodiumoxide::crypto::{
-        pwhash,
-        pwhash::Salt, 
-        secretbox, 
-        secretbox::{Nonce, Key}
-};
+
 
 use crate::errors::*;
 
@@ -40,18 +53,17 @@ impl Session {
             None => {return Ok(Session::Empty);}
         };
 
-        let salt_buf: [u8; 32] = row.salt
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-        let nonce_buf: [u8; 24] = row.nonce
+        let salt: [u8; 32] = row.salt
             .try_into()
             .map_err(|_e| SetupError::InvalidRecord)?;
+        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
+            .ok_or(SetupError::InvalidRecord)?;
 
         let creds = LockedCredentials {
             access_key_id: row.access_key_id,
             secret_key_enc: row.secret_key_enc,
-            salt: Salt(salt_buf),
-            nonce: Nonce(nonce_buf),
+            salt,
+            nonce,
         };
         Ok(Session::Locked(creds))
     }
@@ -76,8 +88,8 @@ impl Session {
 pub struct LockedCredentials {
     pub access_key_id: String,
     pub secret_key_enc: Vec<u8>,
-    pub salt: Salt,
-    pub nonce: Nonce,
+    pub salt: [u8; 32],
+    pub nonce: XNonce,
 }
 
 impl LockedCredentials {
@@ -88,8 +100,8 @@ impl LockedCredentials {
         )
             .bind(&self.access_key_id)
             .bind(&self.secret_key_enc)
-            .bind(&self.salt.0[0..])
-            .bind(&self.nonce.0[0..])
+            .bind(&self.salt[..])
+            .bind(&self.nonce[..])
             .execute(pool)
             .await?;
 
@@ -97,11 +109,10 @@ impl LockedCredentials {
     }
 
     pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
-        let mut key_buf = [0; secretbox::KEYBYTES];
-        // pretty sure this only fails if we're out of memory
-        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &self.salt).unwrap();
-        let decrypted = secretbox::open(&self.secret_key_enc, &self.nonce, &Key(key_buf))
-            .map_err(|_| UnlockError::BadPassphrase)?;
+        let crypto = Crypto::new(passphrase, &self.salt)
+            .map_err(|e| CryptoError::Argon2(e))?;
+        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
+            .map_err(|e| CryptoError::Aead(e))?;
         let secret_access_key = String::from_utf8(decrypted)
             .map_err(|_| UnlockError::InvalidUtf8)?;
 
@@ -122,21 +133,18 @@ pub struct BaseCredentials {
 }
 
 impl BaseCredentials {
-    pub fn encrypt(&self, passphrase: &str) -> LockedCredentials {
-        let salt = pwhash::gen_salt();
-        let mut key_buf = [0; secretbox::KEYBYTES];
-        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();
-        let key = Key(key_buf);
-        let nonce = secretbox::gen_nonce();
+    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
+        let salt = Crypto::salt();
+        let crypto = Crypto::new(passphrase, &salt)?;
+        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
 
-        let secret_key_enc = secretbox::seal(self.secret_access_key.as_bytes(), &nonce, &key);
-
-        LockedCredentials {
+        let locked = LockedCredentials {
             access_key_id: self.access_key_id.clone(),
             secret_key_enc,
             salt,
             nonce,
-        }
+        };
+        Ok(locked)
     }
 }
 
@@ -241,4 +249,73 @@ fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
 where D: Deserializer<'de>
 {
     deserializer.deserialize_str(DateTimeVisitor)
-}
+}
+
+
+struct Crypto {
+    cipher: XChaCha20Poly1305,
+}
+
+impl Crypto {
+    /// Argon2 params rationale:
+    ///
+    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
+    /// This should roughly double the memory usage of the application
+    /// while deriving the key.
+    ///
+    /// p_cost is irrelevant since (at present) there isn't any parallelism
+    /// implemented, so we leave it at 1.
+    ///
+    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
+    /// a key on my (somewhat older) CPU. This is probably overkill, but
+    /// given that it should only have to happen ~once a day for most 
+    /// usage, it should be acceptable.
+    #[cfg(not(debug_assertions))]
+    const MEM_COST: u32 = 128 * 1024;
+    #[cfg(not(debug_assertions))]
+    const TIME_COST: u32 = 8;
+
+    /// But since this takes a million years in an unoptimized build,
+    /// we turn it way down in debug builds.
+    #[cfg(debug_assertions)]
+    const MEM_COST: u32 = 48 * 1024;
+    #[cfg(debug_assertions)]
+    const TIME_COST: u32 = 1;
+    
+
+    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
+        let params = ParamsBuilder::new()
+            .m_cost(Self::MEM_COST)
+            .p_cost(1)
+            .t_cost(Self::TIME_COST)
+            .build()
+            .unwrap(); // only errors if the given params are invalid
+
+        let hasher = Argon2::new(
+            Algorithm::Argon2id,
+            Version::V0x13,
+            params,
+        );
+
+        let mut key = [0; 32];
+        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
+        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
+        Ok(Crypto { cipher })
+    }
+
+    fn salt() -> [u8; 32] {
+        let mut salt = [0; 32];
+        OsRng.fill_bytes(&mut salt);
+        salt
+    }
+
+    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
+        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
+        let ciphertext = self.cipher.encrypt(&nonce, data)?;
+        Ok((nonce, ciphertext))
+    }
+
+    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
+        self.cipher.decrypt(nonce, data)
+    }
+}

src-tauri/src/errors.rs

@@ -164,8 +164,8 @@ pub enum UnlockError {
     NotLocked,
     #[error("No saved credentials were found")]
     NoCredentials,
-    #[error("Invalid passphrase")]
-    BadPassphrase,
+    #[error(transparent)]
+    Crypto(#[from] CryptoError),
     #[error("Data was found to be corrupt after decryption")]
     InvalidUtf8, // Somehow we got invalid utf-8 even though decryption succeeded
     #[error("Database error: {0}")]
@@ -175,6 +175,15 @@ pub enum UnlockError {
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum CryptoError {
+    #[error(transparent)]
+    Argon2(#[from] argon2::Error),
+    #[error("Invalid passphrase")] // I think this is the only way decryption fails
+    Aead(#[from] chacha20poly1305::aead::Error),
+}
+
+
 // Errors encountered while trying to figure out who's on the other end of a request
 #[derive(Debug, ThisError, AsRefStr)]
 pub enum ClientInfoError {

src-tauri/src/state.rs

@@ -48,7 +48,7 @@ impl AppState {
     }
 
     pub async fn new_creds(&self, base_creds: BaseCredentials, passphrase: &str) -> Result<(), UnlockError> {
-        let locked = base_creds.encrypt(passphrase);
+        let locked = base_creds.encrypt(passphrase)?;
         // do this first so that if it fails we don't save bad credentials
         self.new_session(base_creds).await?;
         locked.save(&self.pool).await?;