diff --git a/Cargo.lock b/Cargo.lock index 031cc2f..cd940ab 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -161,9 +161,9 @@ checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] name = "cc" -version = "1.2.61" +version = "1.2.62" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d" +checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98" dependencies = [ "find-msvc-tools", "jobserver", @@ -218,9 +218,9 @@ dependencies = [ [[package]] name = "clap_complete" -version = "4.6.3" +version = "4.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "660c0520455b1013b9bcb0393d5f643d7e4454fb69c915b8d6d2aa0e9a45acc3" +checksum = "e3e962dae2b1e5007fe9e3db363ddc43a8bf25546d279f7a8a4401204690e80c" dependencies = [ "clap", "clap_lex", @@ -324,6 +324,7 @@ dependencies = [ "fastrand", "futures", "futures-util", + "getrandom 0.4.2", "glob", "hex", "human-units", @@ -572,9 +573,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.17.0" +version = "0.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" +checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a" [[package]] name = "heck" @@ -841,7 +842,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9" dependencies = [ "equivalent", - "hashbrown 0.17.0", + "hashbrown 0.17.1", "serde", "serde_core", ] @@ -852,16 +853,6 @@ version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" -[[package]] -name = "iri-string" -version = "0.7.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" -dependencies = [ - "memchr", - "serde", -] - [[package]] name = "is_executable" version = "1.0.5" @@ -919,9 +910,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.97" +version = "0.3.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf" +checksum = "67df7112613f8bfd9150013a0314e196f4800d3201ae742489d999db2f979f08" dependencies = [ "cfg-if", "futures-util", @@ -1014,9 +1005,9 @@ dependencies = [ [[package]] name = "nix" -version = "0.31.2" +version = "0.31.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3" +checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d" dependencies = [ "bitflags", "cfg-if", @@ -1047,15 +1038,14 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe" [[package]] name = "openssl" -version = "0.10.78" +version = "0.10.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222" +checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542" dependencies = [ "bitflags", "cfg-if", "foreign-types", "libc", - "once_cell", "openssl-macros", "openssl-sys", ] @@ -1079,9 +1069,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" [[package]] name = "openssl-sys" -version = "0.9.114" +version = "0.9.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6" +checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781" dependencies = [ "cc", "libc", @@ -1289,9 +1279,9 @@ dependencies = [ [[package]] name = "rpassword" -version = "7.5.1" +version = "7.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2501c67132bd19c3005b0111fba298907ef002c8c1cf68e25634707e38bf66fe" +checksum = "5ac5b223d9738ef56e0b98305410be40fa0941bf6036c56f1506751e43552d64" dependencies = [ "libc", "rtoolbox", @@ -1617,9 +1607,9 @@ dependencies = [ [[package]] name = "tokio" -version = "1.52.1" +version = "1.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6" +checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe" dependencies = [ "bytes", "libc", @@ -1682,20 +1672,20 @@ dependencies = [ [[package]] name = "tower-http" -version = "0.6.8" +version = "0.6.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" +checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51" dependencies = [ "bitflags", "bytes", "futures-util", "http", "http-body", - "iri-string", "pin-project-lite", "tower", "tower-layer", "tower-service", + "url", ] [[package]] @@ -1824,9 +1814,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1" +checksum = "49ace1d07c165b0864824eee619580c4689389afa9dc9ed3a4c75040d82e6790" dependencies = [ "cfg-if", "once_cell", @@ -1837,9 +1827,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.70" +version = "0.4.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af934872acec734c2d80e6617bbb5ff4f12b052dd8e6332b0817bce889516084" +checksum = "96492d0d3ffba25305a7dc88720d250b1401d7edca02cc3bcd50633b424673b8" dependencies = [ "js-sys", "wasm-bindgen", @@ -1847,9 +1837,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103" +checksum = "8e68e6f4afd367a562002c05637acb8578ff2dea1943df76afb9e83d177c8578" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -1857,9 +1847,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41" +checksum = "d95a9ec35c64b2a7cb35d3fead40c4238d0940c86d107136999567a4703259f2" dependencies = [ "bumpalo", "proc-macro2", @@ -1870,9 +1860,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea" +checksum = "c4e0100b01e9f0d03189a92b96772a1fb998639d981193d7dbab487302513441" dependencies = [ "unicode-ident", ] @@ -1926,9 +1916,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.97" +version = "0.3.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602" +checksum = "4b572dff8bcf38bad0fa19729c89bb5748b2b9b1d8be70cf90df697e3a8f32aa" dependencies = [ "js-sys", "wasm-bindgen", diff --git a/Cargo.toml b/Cargo.toml index ec857d2..9099974 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -23,6 +23,7 @@ eyre = "0.6.12" fastrand = "2.3.0" futures = "0.3.31" futures-util = "0.3.31" +getrandom = "0.4.2" glob = "0.3.2" hex = "0.4.3" human-units = "0.5.3" diff --git a/src/bin/dls.rs b/src/bin/dls.rs index abfd8a3..f1c0495 100644 --- a/src/bin/dls.rs +++ b/src/bin/dls.rs @@ -3,6 +3,7 @@ use clap::{CommandFactory, Parser, Subcommand}; use eyre::format_err; use futures_util::Stream; use futures_util::StreamExt; +use std::path::PathBuf; use std::time::{Duration, SystemTime}; use tokio::fs; use tokio::io::{AsyncWrite, AsyncWriteExt}; @@ -40,6 +41,11 @@ enum Command { Hash { salt: String, }, + Store { + store_path: PathBuf, + #[command(subcommand)] + op: StoreOp, + }, } #[derive(Subcommand)] @@ -96,6 +102,12 @@ enum ClusterCommand { }, } +#[derive(Subcommand)] +enum StoreOp { + Get { data_path: PathBuf }, + Set { data_path: PathBuf, value: String }, +} + #[tokio::main(flavor = "current_thread")] async fn main() -> eyre::Result<()> { clap_complete::CompleteEnv::with_factory(Cli::command).complete(); @@ -231,6 +243,18 @@ async fn main() -> eyre::Result<()> { println!("hash (hex): {}", hex::encode(&hash)); println!("hash (base64): {}", dkl::base64_encode(&hash)); } + C::Store { store_path, op } => { + let mut s = dls::store::Store::new(store_path); + s.unlock(&std::env::var("DLS_STORE_PW").unwrap()).await?; + + match op { + StoreOp::Get { data_path } => { + let mut data = std::io::Cursor::new(s.read(data_path).await?); + tokio::io::copy(&mut data, &mut tokio::io::stdout()).await?; + } + StoreOp::Set { data_path, value } => s.write(data_path, value.as_bytes()).await?, + } + } }; Ok(()) diff --git a/src/dls/store.rs b/src/dls/store.rs index ef20709..d06135d 100644 --- a/src/dls/store.rs +++ b/src/dls/store.rs @@ -1,4 +1,13 @@ -pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]> { +use openssl::symm::Mode; +use std::borrow::Cow; +use std::path::{Path, PathBuf}; +use tokio::{fs, io::AsyncWriteExt}; + +pub type Salt = [u8; 16]; +pub type Key = [u8; 32]; +pub type Hash = Vec; + +pub fn hash_password(salt: &[u8], passphrase: &str) -> Result { let hash = argon2::hash_raw( passphrase.as_bytes(), salt, @@ -6,12 +15,191 @@ pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]> variant: argon2::Variant::Argon2id, hash_length: 32, time_cost: 1, - mem_cost: 65536, + mem_cost: 64 << 10, thread_mode: argon2::ThreadMode::Parallel, lanes: 4, ..Default::default() }, - )?; + ) + .map_err(Error::Hash)?; - unsafe { Ok(hash.try_into().unwrap_unchecked()) } + Ok(hash.try_into().unwrap()) +} + +pub struct Store { + path: PathBuf, + key: Option, +} + +impl Store { + pub fn new(path: impl Into) -> Self { + Self { + path: path.into(), + key: None, + } + } + + pub async fn unlock(&mut self, passphrase: &str) -> Result<()> { + let keys = self.read_keys().await?; + + let salt = keys.salt; + + let user_key = hash_password(&salt, passphrase)?; + let user_hash = openssl::sha::sha512(&user_key); + + for nk in keys.keys { + if nk.hash != user_hash { + continue; + } + + // build iv+data from salt + let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len()); + enc_data.extend_from_slice(&salt); + enc_data.extend_from_slice(&nk.enc_key); + + let key = crypt(&enc_data, &user_key, Mode::Decrypt)?; + let key = key.try_into().map_err(|_| Error::InvalidKey)?; + + self.key = Some(key); + return Ok(()); + } + + Err(Error::KeyNotFound) + } + + pub async fn read(&self, path: impl AsRef) -> Result> { + let enc_data = self.read_file(path.as_ref().with_extension("data")).await?; + self.decrypt(&enc_data) + } + pub async fn read_to_string(&self, path: impl AsRef) -> Result { + let path = path.as_ref(); + String::from_utf8(self.read(path).await?).map_err(|_| Error::InvalidUtf8(path.into())) + } + + pub async fn write(&self, path: impl AsRef, data: &[u8]) -> Result<()> { + let enc_data = self.encrypt(data)?; + safe_write(self.path.join(&path).with_extension("data"), &enc_data).await + } + + async fn read_keys(&self) -> Result> { + let keys = self.read_file(".keys").await?; + let Some(keys) = keys.strip_prefix(b"{json}") else { + return Err(Error::InvalidKeys); + }; + + serde_json::from_slice(keys).map_err(Error::KeysParse) + } + + async fn read_file(&self, subpath: impl AsRef) -> Result> { + let path = self.path.join(subpath); + fs::read(&path).await.map_err(|e| Error::Read(path, e)) + } + + fn encrypt(&self, src: &[u8]) -> Result> { + self.crypt(src, Mode::Encrypt) + } + fn decrypt(&self, src: &[u8]) -> Result> { + self.crypt(src, Mode::Decrypt) + } + fn crypt(&self, src: &[u8], mode: Mode) -> Result> { + let key = self.key.as_ref().ok_or(Error::NotUnlocked)?; + crypt(src, key, mode) + } +} + +async fn safe_write(path: impl AsRef, contents: &[u8]) -> Result<()> { + let path = path.as_ref(); + let tmp = path.with_added_extension("new"); + + let tmp_err = |e| Error::Write(tmp.clone(), e); + + let mut file = fs::OpenOptions::new() + .create(true) + .truncate(true) + .write(true) + .open(&tmp) + .await + .map_err(tmp_err)?; + + file.write_all(contents).await.map_err(tmp_err)?; + file.sync_all().await.map_err(tmp_err)?; + file.shutdown().await.map_err(tmp_err)?; + + fs::rename(tmp, &path) + .await + .map_err(|e| Error::Write(path.into(), e)) +} + +fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result> { + use openssl::symm::{Cipher, Crypter}; + + let mut iv = [0u8; 16]; + let mut dst: Vec; + let crypt_dst: &mut [u8]; + + match mode { + Mode::Encrypt => { + getrandom::fill(&mut iv).unwrap(); + dst = vec![0u8; iv.len() + src.len()]; + dst[..iv.len()].copy_from_slice(&iv); + crypt_dst = &mut dst[iv.len()..]; + } + Mode::Decrypt => { + iv = src[..iv.len()] + .try_into() + .map_err(|_| Error::DecryptInputToSmall)?; + src = &src[iv.len()..]; + dst = vec![0u8; src.len()]; + crypt_dst = &mut dst; + } + } + + let cipher = Cipher::aes_256_cfb128(); + Crypter::new(cipher, mode, key, Some(&iv)) + .expect("Failed to init AES") + .update(src, crypt_dst) + .expect("AES CFB encrypt/decrypt failed"); + + Ok(dst) +} + +pub type Result = std::result::Result; + +#[derive(Debug, thiserror::Error)] +pub enum Error { + #[error("hash error: {0}")] + Hash(argon2::Error), + #[error("read {0} failed: {1}")] + Read(PathBuf, std::io::Error), + #[error("write {0} failed: {1}")] + Write(PathBuf, std::io::Error), + #[error("read {0} failed: invalid UTF-8")] + InvalidUtf8(PathBuf), + #[error("invalid keys data")] + InvalidKeys, + #[error("invalid key")] + InvalidKey, + #[error("keys parse error: {0}")] + KeysParse(serde_json::Error), + #[error("key not found")] + KeyNotFound, + #[error("store not unlocked")] + NotUnlocked, + #[error("decrypt input too small")] + DecryptInputToSmall, +} + +#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] +#[serde(rename_all = "PascalCase")] +struct Keys<'t> { + salt: Salt, + keys: Vec>, +} + +#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] +#[serde(rename_all = "PascalCase")] +struct NamedKey<'t> { + name: Cow<'t, str>, + hash: Hash, + enc_key: Key, }