Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: move away from nocrypto #563

Merged
merged 2 commits into from
Nov 20, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@
/_opam/
.merlin
.devcontainer/data
*.install
2 changes: 1 addition & 1 deletion default.nix
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
with import <nixpkgs> { };

mkShell {
buildInputs = [ yarn zlib.dev zlib.out zlib zlib.all gmp gmp.dev pkgconfig openssl libev libevdev mariadb-client mariadb-connector-c postgresql ];
buildInputs = [ yarn zlib.dev zlib.out zlib zlib.all gmp gmp.dev pkg-config openssl libev libevdev mariadb-client mariadb-connector-c postgresql ];
LD_LIBRARY_PATH = "${mariadb-connector-c}/lib/mariadb";
shellHook = "eval $(opam env)";
}
6 changes: 4 additions & 2 deletions dune-project
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,10 @@
(>= v0.13.0))
(ppx_sexp_conv
(>= v0.13.0))
(nocrypto
(>= 0.5.4-2))
(mirage-crypto
(>= 0.11.2))
(mirage-crypto-rng
(>= 0.11.2))
(cstruct
(>= 6.0.1))
(opium
Expand Down
3 changes: 2 additions & 1 deletion sihl.opam
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ depends: [
"uuidm" {>= "0.9.7"}
"ppx_fields_conv" {>= "v0.13.0"}
"ppx_sexp_conv" {>= "v0.13.0"}
"nocrypto" {>= "0.5.4-2"}
"mirage-crypto" {>= "0.11.2"}
"mirage-crypto-rng" {>= "0.11.2"}
"cstruct" {>= "6.0.1"}
"opium" {>= "0.20.0"}
"cohttp-lwt-unix" {>= "2.5.4" & with-test}
Expand Down
2 changes: 1 addition & 1 deletion sihl/src/dune
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
(libraries sexplib fmt fmt.tty logs logs.fmt lwt lwt.unix tsort conformist
base64 yojson ppx_deriving_yojson.runtime safepass ptime ptime.clock.os
jwto uuidm opium caqti-lwt caqti-lwt.unix str dune-build-info bos
containers nocrypto nocrypto.unix cstruct)
containers mirage-crypto mirage-crypto-rng cstruct)
(preprocess
(pps ppx_fields_conv ppx_deriving_yojson ppx_deriving.eq ppx_deriving.show
ppx_deriving.make ppx_sexp_conv lwt_ppx)))
Expand Down
18 changes: 10 additions & 8 deletions sihl/src/web_csrf.ml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ let set token req =
*)

module Crypto = struct
let () = Nocrypto_entropy_unix.initialize ()
let block_size = 16

(** [token_length] is the amount of bytes used in the unencrypted CSRF tokens. *)
Expand All @@ -52,7 +51,10 @@ module Crypto = struct
end = struct
type t = Cstruct.t

let make secret = secret |> Cstruct.of_string |> Nocrypto.Hash.SHA256.digest
let make secret =
secret |> Cstruct.of_string |> Mirage_crypto.Hash.SHA256.digest
;;

let to_raw = CCFun.id
end

Expand Down Expand Up @@ -105,15 +107,15 @@ module Crypto = struct
let to_struct = CCFun.id

let from_struct ~with_secret value =
let open Nocrypto.Cipher_block.AES.ECB in
let open Mirage_crypto.Cipher_block.AES.ECB in
let key = with_secret |> Secret.to_raw |> of_secret in
encrypt ~key value
;;

let from_struct_random ~with_secret value =
let open Nocrypto.Cipher_block.AES.CBC in
let open Mirage_crypto.Cipher_block.AES.CBC in
let key = with_secret |> Secret.to_raw |> of_secret in
let iv = Nocrypto.Rng.generate block_size in
let iv = Mirage_crypto_rng.generate block_size in
Cstruct.append iv @@ encrypt ~key ~iv value
;;
end
Expand Down Expand Up @@ -157,13 +159,13 @@ module Crypto = struct
let equal_struct = equal

let from_encrypted ~with_secret value =
let open Nocrypto.Cipher_block.AES.ECB in
let open Mirage_crypto.Cipher_block.AES.ECB in
let key = with_secret |> Secret.to_raw |> of_secret in
decrypt ~key (Encrypted_token.to_struct value)
;;

let from_encrypted_random ~with_secret value =
let open Nocrypto.Cipher_block.AES.CBC in
let open Mirage_crypto.Cipher_block.AES.CBC in
let key = with_secret |> Secret.to_raw |> of_secret in
let iv, value =
value
Expand Down Expand Up @@ -229,7 +231,7 @@ let middleware
~with_secret:block_secret
tkn )
| None ->
let value = Nocrypto.Rng.generate token_length in
let value = Mirage_crypto_rng.generate token_length in
( Encrypted_token.from_struct ~with_secret:block_secret value
, Encrypted_token.from_struct_random ~with_secret:block_secret value )
in
Expand Down
10 changes: 5 additions & 5 deletions sihl/test/web_csrf.ml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ open Sihl.Web
let can_parse_uri_safe _ () =
let open Csrf.Crypto in
let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
let value = Nocrypto.Rng.generate token_length in
let value = Mirage_crypto_rng.generate token_length in
let enc = Encrypted_token.from_struct ~with_secret value in
let parsed =
enc
Expand All @@ -21,7 +21,7 @@ let can_parse_uri_safe _ () =
let crypto_undo_helper encrypt decrypt =
let open Csrf.Crypto in
let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
let value = Nocrypto.Rng.generate token_length in
let value = Mirage_crypto_rng.generate token_length in
let dec = encrypt ~with_secret value |> decrypt ~with_secret in
let open Alcotest in
check bool "Same decrypted CSRF tokens" true
Expand All @@ -45,7 +45,7 @@ let csrf_simulation _ () =
let open Csrf.Crypto in
let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
(* GET request generates value *)
let value = Nocrypto.Rng.generate token_length in
let value = Mirage_crypto_rng.generate token_length in
(* Encrypt value for cookie token *)
let enc = Encrypted_token.from_struct ~with_secret value in
(* Encrypt value with randomness for body token (take already encrypted cookie
Expand Down Expand Up @@ -331,7 +331,7 @@ let post_request_with_nonmatching_token_fails _ () =
let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
(* Generate a random encrypted token *)
let tkn =
Nocrypto.Rng.generate token_length
Mirage_crypto_rng.generate token_length
|> Encrypted_token.from_struct_random ~with_secret
|> Encrypted_token.to_uri_safe_string
in
Expand Down Expand Up @@ -361,7 +361,7 @@ let post_request_with_nonmatching_cookie_fails _ () =
(* Generate a random encrypted token *)
let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
let tkn =
Nocrypto.Rng.generate token_length
Mirage_crypto_rng.generate token_length
|> Encrypted_token.from_struct ~with_secret
|> Encrypted_token.to_uri_safe_string
in
Expand Down
Loading