author | metamuffin <metamuffin@disroot.org> | 2023-10-29 16:52:30 +0100 |
---|---|---|
committer | metamuffin <metamuffin@disroot.org> | 2023-10-29 16:52:30 +0100 |
commit | e28eedd42b9d289238d87b0858a6cfa879fc772e (patch) | |
tree | d46cc40f63331fae926b3821b5b5ba1934708a3d | |
parent | 695e497e86d47b14622299d5f2d47d14e0118d4f (diff) | |
use pbkdf2 for room hash roo0.2.3
-rw-r--r-- | Cargo.lock | 24 | ||||
-rw-r--r-- | client-native-lib/Cargo.toml | 3 | ||||
-rw-r--r-- | client-native-lib/src/crypto.rs | 18 | ||||
-rw-r--r-- | client-web/source/index.ts | 2 | ||||
-rw-r--r-- | client-web/source/protocol/crypto.ts | 26 | ||||
-rw-r--r-- | server/Cargo.toml | 2 |
6 files changed, 42 insertions, 33 deletions
@@ -783,12 +783,13 @@ dependencies = [ "bytes", "fastpbkdf2", "futures-util", + "hex", "log", "rand", "rand_chacha", "serde", "serde_json", - "sha256", + "sha2", "tokio", "tokio-tungstenite 0.15.0", "url", @@ -2187,7 +2188,7 @@ dependencies = [ [[package]] name = "keks-meet-server" -version = "0.1.1" +version = "0.1.2" dependencies = [ "env_logger", "futures-util", @@ -2326,7 +2327,7 @@ version = "0.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62bb907fe88d54d8d9ce32a3cceab4218ed2f6b7d35617cafe9adf84e43919cb" dependencies = [ - "libc 0.1.12", + "libc 0.2.149", ] [[package]] @@ -3483,9 +3484,9 @@ dependencies = [ [[package]] name = "sha2" -version = "0.10.7" +version = "0.10.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8" +checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" dependencies = [ "cfg-if", "cpufeatures", @@ -3493,19 +3494,6 @@ dependencies = [ ] [[package]] -name = "sha256" -version = "1.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7895c8ae88588ccead14ff438b939b0c569cd619116f14b4d13fdff7b8333386" -dependencies = [ - "async-trait", - "bytes", - "hex", - "sha2", - "tokio", -] - -[[package]] name = "signal-hook-registry" version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" diff --git a/client-native-lib/Cargo.toml b/client-native-lib/Cargo.toml index ecfa0aa..d0a0d44 100644 --- a/client-native-lib/Cargo.toml +++ b/client-native-lib/Cargo.toml @@ -18,7 +18,8 @@ log = "0.4" fastpbkdf2 = "0.1.0" aes-gcm = "0.10.3" -sha256 = "1.4.0" +hex = "0.4.3" +sha2 = "0.10.8" rand = "0.8.5" rand_chacha = "0.3.1" base64 = "0.21.5" diff --git a/client-native-lib/src/crypto.rs b/client-native-lib/src/crypto.rs index b477859..ad36e02 100644 --- a/client-native-lib/src/crypto.rs +++ b/client-native-lib/src/crypto.rs 
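Review bot: `sha2 = "0.10.8"` becomes a direct dependency in client-native-lib/Cargo.toml, but the crypto.rs changes in this commit call only `fastpbkdf2` and `hex`. If no other source file in client-native-lib imports `sha2`, the line can be dropped so the crate does not carry a direct dependency it never uses. The rest of the manifest and the other source files are outside this hunk, so this needs checking against them before removal.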
@@ -12,16 +12,19 @@ use log::info;
 pub struct Key(Aes256Gcm);
+const CRYPTO_SALT: &'static str = "keksmeet/cryptosaltAAA==";
+const HASH_SALT: &'static str = "keksmeet/roomhashsaltA==";
+
 impl Key {
 pub fn derive(secret: &str) -> Self {
 info!("running key generation...");
 let salt = base64::engine::general_purpose::STANDARD
- .decode("thisisagoodsaltAAAAAAA==")
+ .decode(CRYPTO_SALT)
 .unwrap();
- let mut key = [0u8; 32];
- fastpbkdf2::pbkdf2_hmac_sha256(secret.as_bytes(), salt.as_slice(), 250000, &mut key);
+ let mut key = [0u8; 64];
+ fastpbkdf2::pbkdf2_hmac_sha512(secret.as_bytes(), salt.as_slice(), 250000, &mut key);
- let key = Aes256Gcm::new_from_slice(key.as_slice()).unwrap();
+ let key = Aes256Gcm::new_from_slice(&key[0..32]).unwrap();
 info!("done");
 Self(key)
@@ -43,5 +46,10 @@ impl Key {
 }
 pub fn hash(secret: &str) -> String {
- sha256::digest(format!("also-a-very-good-salt{}", secret))
+ let salt = base64::engine::general_purpose::STANDARD
+ .decode(HASH_SALT)
+ .unwrap();
+ let mut key = [0u8; 64];
+ fastpbkdf2::pbkdf2_hmac_sha512(secret.as_bytes(), salt.as_slice(), 250000, &mut key);
+ hex::encode(&key[0..32])
 }
diff --git a/client-web/source/index.ts b/client-web/source/index.ts
index 594fabb..65b734c 100644
--- a/client-web/source/index.ts
+++ b/client-web/source/index.ts
@@ -14,7 +14,7 @@ import { SignalingConnection } from "./protocol/mod.ts";
 import { Room } from "./room.ts"
 import { control_bar, info_br } from "./menu.ts";
-export const VERSION = "0.2.2"
+export const VERSION = "0.2.3"
 export interface ClientConfig {
 appearance?: {
diff --git a/client-web/source/protocol/crypto.ts b/client-web/source/protocol/crypto.ts
index c541188..784bd49 100644
--- a/client-web/source/protocol/crypto.ts
+++ b/client-web/source/protocol/crypto.ts
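Review bot: `CRYPTO_SALT` and `HASH_SALT` in crypto.rs are now the only thing separating the AES key from the room hash, and nothing on the constants says so. `Key::derive` and `hash` (second hunk of this file) run the same `pbkdf2_hmac_sha512` over the same secret with the same iteration count and both keep bytes `0..32`, so if the two salts were ever made equal, the hash, which presumably leaves the client as the room identifier, would be the key itself. I would add a doc comment above the constants, for example `/// Domain-separation salts: must differ from each other and must match the web client byte for byte.` The same comment belongs on the `CRYPTO_SALT`/`HASH_SALT` constants added in client-web/source/protocol/crypto.ts. The `impl Key` block continues outside the hunk.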
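Review bot: The new body of `hash` in crypto.rs repeats the salt decode, the 64-byte buffer and the literal `250000` from `Key::derive`, so the two derivations can drift apart from each other and from the web client without any compile-time signal. A shared `const PBKDF2_ITERATIONS: u32 = 250_000;` used in both calls, plus a small private helper that takes the salt and returns the 64 derived bytes, would keep them in lockstep. In `derive` the intermediate `key` buffer holds the AES key bytes and is not cleared before the function returns; overwriting it once `Aes256Gcm::new_from_slice` has consumed it is worth considering.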
@@ -9,8 +9,11 @@ import { log } from "../logger.ts";
 const IV_LENGTH = 12
+const CRYPTO_SALT = base64_to_buf("keksmeet/cryptosaltAAA==")
+const HASH_SALT = base64_to_buf("keksmeet/roomhashsaltA==")
+
 export async function crypto_seeded_key(seed: string): Promise<CryptoKey> {
- log("crypto", "importing seed…")
+ log("crypto", "deriving crytographic key...")
 const seed_key = await window.crypto.subtle.importKey(
 "raw",
 new TextEncoder().encode(seed),
@@ -18,10 +21,8 @@ export async function crypto_seeded_key(seed: string): Promise<CryptoKey> {
 false,
 ["deriveKey"]
 )
- const salt = base64_to_buf("thisisagoodsaltAAAAAAA==") // valid "unique" 16-byte base-64 string
- log("crypto", "deriving key…")
 const key = await window.crypto.subtle.deriveKey(
- { name: "PBKDF2", salt, iterations: 250000, hash: "SHA-256" },
+ { name: "PBKDF2", salt: CRYPTO_SALT, iterations: 250000, hash: "SHA-512" },
 seed_key,
 { name: "AES-GCM", length: 256 },
 false,
@@ -32,9 +33,20 @@ export async function crypto_seeded_key(seed: string): Promise<CryptoKey> {
 }
 export async function crypto_hash(input: string): Promise<string> {
- const buf = new TextEncoder().encode("also-a-very-good-salt" + input)
- const h = await window.crypto.subtle.digest({ name: "SHA-512" }, buf)
- const hex = buf_to_hex(new Uint8Array(h))
+ log("crypto", "deriving room hash...")
+ const seed_key = await window.crypto.subtle.importKey(
+ "raw",
+ new TextEncoder().encode(input),
+ "PBKDF2",
+ false,
+ ["deriveBits"]
+ )
+ const key = await window.crypto.subtle.deriveBits(
+ { name: "PBKDF2", salt: HASH_SALT, iterations: 250000, hash: "SHA-512" },
+ seed_key,
+ 512
+ )
+ const hex = buf_to_hex(new Uint8Array(key.slice(0, 256 / 8)))
 return hex
 }
diff --git a/server/Cargo.toml b/server/Cargo.toml
index 7869d7a..661fa66 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "keks-meet-server"
-version = "0.1.1"
+version = "0.1.2"
 edition = "2021"
 [dependencies] |
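Review bot: The new log string at the top of `crypto_seeded_key` misspells a word: `"deriving crytographic key..."` should be `log("crypto", "deriving cryptographic key...")`. The message is what an operator greps for when a join stalls in key derivation, so the spelling is worth fixing before it is copied elsewhere. The function body continues outside this hunk.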
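Review bot: `crypto_hash` asks `deriveBits` for 512 bits and then keeps only the first 256, which can be requested directly. PBKDF2 output is truncated from the front, so passing `256` as the length and calling `buf_to_hex(new Uint8Array(key))` yields the same hex string without materialising the unused half. The local named `key` holds the room hash rather than a key; a name such as `hash_bits` would avoid confusion with the AES key derived in `crypto_seeded_key`. The literal `250000` here and in the `deriveKey` call of the second hunk has to stay equal to the value in client-native-lib/src/crypto.rs, so a shared named constant in this file would help.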