1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
use error::Error;
use list::List;
use ring::pbkdf2;
use ring::rand::{SecureRandom, SystemRandom};
use std::collections::HashMap;
use vault::{Vault, NONCE_LEN};
static PRF: &'static pbkdf2::PRF = &pbkdf2::HMAC_SHA256;
const ITERATIONS: u32 = 100000;
const SALT_LEN: usize = 16;
const KEY_LEN: usize = 32;
const DERIVED_KEY_LEN: usize = 32;
#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))]
pub struct Data {
pub salt: [u8; SALT_LEN],
pub key: Vault,
pub entries: HashMap<String, Vault>,
}
pub struct Unlocked<'a> {
key: [u8; KEY_LEN],
data: &'a mut Data,
}
impl Data {
pub fn new(pwd: String) -> Result<Data, Error> {
let mut salt = [0; SALT_LEN];
let mut key = vec![0; KEY_LEN];
randomize(&mut salt)?;
randomize(&mut key[..])?;
Ok(Data {
salt: salt,
key: Vault::new(
&derive_key(&pwd, &salt),
random_nonce()?,
key
)?,
entries: HashMap::new(),
})
}
pub fn change_password(
&mut self,
old: &str,
new: &str
) -> Result<(), Error> {
let mut salt = [0; SALT_LEN];
let mut nonce = [0; NONCE_LEN];
randomize(&mut salt)?;
randomize(&mut nonce)?;
let old_pbk = derive_key(old, &self.salt);
let new_pbk = derive_key(new, &salt);
let mut unlocked = self.key.unlock(&old_pbk)?;
unlocked.rekey(&new_pbk, nonce);
self.salt = salt;
Ok(())
}
pub fn unlock<'a>(
&'a mut self,
pwd: &str
) -> Result<Unlocked<'a>, Error> {
let key = {
let pbk = derive_key(pwd, &self.salt);
let unlocked = self.key.unlock(&pbk)?;
if unlocked.len() != KEY_LEN {
return Err(Error::BadEncryptionKey);
}
let mut key = [0; KEY_LEN];
key.copy_from_slice(&unlocked);
key
};
Ok(Unlocked {
key: key,
data: self,
})
}
pub fn list(&self) -> List {
List(self.entries.keys())
}
pub fn delete(&mut self, key: &str) -> bool {
self.entries.remove(key).is_some()
}
}
impl<'a> Unlocked<'a> {
pub fn get(
&mut self,
name: &str
) -> Result<Option<String>, Error> {
let bytes = match self.data.entries.get_mut(name) {
Some(vault) => vault.unlock(&self.key)?.to_vec(),
None => return Ok(None),
};
match String::from_utf8(bytes) {
Ok(k) => Ok(Some(k)),
Err(_) => Err(Error::DecodeString),
}
}
pub fn set(
&mut self,
name: String,
pwd: String
) -> Result<bool, Error> {
let vault = Vault::new(
&self.key,
random_nonce()?,
pwd.into_bytes()
)?;
Ok(self.data.entries.insert(name, vault).is_some())
}
}
fn derive_key(pwd: &str, salt: &[u8]) -> [u8; DERIVED_KEY_LEN] {
let mut pbk = [0; DERIVED_KEY_LEN];
pbkdf2::derive(
PRF,
ITERATIONS,
salt,
pwd.as_bytes(),
&mut pbk
);
pbk
}
fn random_nonce() -> Result<[u8; NONCE_LEN], Error> {
let mut nonce = [0; NONCE_LEN];
randomize(&mut nonce)?;
Ok(nonce)
}
fn randomize(buf: &mut [u8]) -> Result<(), Error> {
match SystemRandom.fill(buf) {
Ok(_) => Ok(()),
Err(_) => Err(Error::RngError),
}
}