Increase the bcrypt cost to 12

Author: astonbitecode

build.rs

@@ -0,0 +1,54 @@
+use std::{env, error::Error, fmt, path::Path};
+
+fn main() -> Result<(), RklBuildError> {
+    let out_dir = env::var("OUT_DIR")?;
+    generate_version(&out_dir)?;
+    Ok(())
+}
+
+fn generate_version(out_dir: &str) -> Result<(), RklBuildError> {
+    let dest_path = Path::new(&out_dir).join("rkl_version.rs");
+    let version = env!("CARGO_PKG_VERSION");
+    let contents = format!(
+        "
+pub(crate) fn rkl_version() -> &'static str {{
+    \"{version}\"
+}}
+"
+    );
+    std::fs::write(dest_path, contents)?;
+    Ok(())
+}
+
+#[derive(Debug)]
+struct RklBuildError {
+    description: String,
+}
+
+impl fmt::Display for RklBuildError {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "{}", self.description)
+    }
+}
+
+impl Error for RklBuildError {
+    fn description(&self) -> &str {
+        self.description.as_str()
+    }
+}
+
+impl From<std::env::VarError> for RklBuildError {
+    fn from(err: std::env::VarError) -> RklBuildError {
+        RklBuildError {
+            description: format!("{:?}", err),
+        }
+    }
+}
+
+impl From<std::io::Error> for RklBuildError {
+    fn from(err: std::io::Error) -> RklBuildError {
+        RklBuildError {
+            description: format!("{:?}", err),
+        }
+    }
+}

src/api/mod.rs

@@ -467,13 +467,16 @@ pub struct Props {
     idle_timeout_seconds: isize,
     /// The count of the words that comprise the generated passphraases
     generated_passphrases_words_count: isize,
+    /// The current version
+    version: String,
 }
 
 impl Default for Props {
     fn default() -> Self {
         Props {
             idle_timeout_seconds: 1800,
             generated_passphrases_words_count: 5,
+            version: "".to_string(),
         }
     }
 }
@@ -482,10 +485,13 @@ impl Props {
     pub(crate) fn new(
         idle_timeout_seconds: isize,
         generated_passphrases_words_count: isize,
+        version: &str,
     ) -> Props {
+        let version = version.to_string();
         Props {
             idle_timeout_seconds,
             generated_passphrases_words_count,
+            version,
         }
     }
 
@@ -498,10 +504,15 @@ impl Props {
             .get("generated_passphrases_words_count")
             .and_then(|value| value.as_integer().and_then(|v| Some(v as isize)))
             .unwrap_or_else(|| Props::default().generated_passphrases_words_count());
+        let version = table
+            .get("version")
+            .and_then(|value| value.as_str().and_then(|v| Some(v.to_string())))
+            .unwrap_or_else(|| Props::default().version().to_string());
 
         Ok(Self::new(
             idle_timeout_seconds,
             generated_passphrases_words_count,
+            &version,
         ))
     }
 
@@ -516,6 +527,10 @@ impl Props {
             "generated_passphrases_words_count".to_string(),
             toml::Value::Integer(self.generated_passphrases_words_count as i64),
         );
+        table.insert(
+            "version".to_string(),
+            toml::Value::String(self.version().to_string()),
+        );
 
         table
     }
@@ -527,6 +542,25 @@ impl Props {
     pub fn generated_passphrases_words_count(&self) -> isize {
         self.generated_passphrases_words_count
     }
+
+    pub fn version(&self) -> &str {
+        &self.version
+    }
+
+    #[allow(dead_code)]
+    pub fn set_idle_timeout_seconds(&mut self, new_timeout: isize) {
+        self.idle_timeout_seconds = new_timeout
+    }
+
+    #[allow(dead_code)]
+    pub fn set_generated_passphrases_words_count(&mut self, new_generated_passphrases_words_count: isize) {
+        self.generated_passphrases_words_count = new_generated_passphrases_words_count;
+    }
+
+    pub fn set_version(&mut self, new_version: &str) {
+        self.version = new_version.to_string();
+    }
+
 }
 
 /// Enumeration of the several different Menus that an `Editor` implementation should handle.
@@ -1064,6 +1098,7 @@ mod api_unit_tests {
         let toml = r#"
         idle_timeout_seconds = 33
         generated_passphrases_words_count = 5
+        version = "0.0.0"
         "#;
 
         let value = toml.parse::<toml::value::Value>().unwrap();
@@ -1073,6 +1108,7 @@ mod api_unit_tests {
         let props = props_opt.unwrap();
         assert!(props.idle_timeout_seconds() == 33);
         assert!(props.generated_passphrases_words_count() == 5);
+        assert!(props.version() == "0.0.0");
     }
 
     #[test]
@@ -1098,6 +1134,18 @@ mod api_unit_tests {
         let props2 = props_opt2.unwrap();
         assert!(props2.idle_timeout_seconds() == 1800);
         assert!(props2.generated_passphrases_words_count() == 5);
+
+        let toml3 = r#"
+        version = "0.0.0"
+        "#;
+        let value3 = toml3.parse::<toml::value::Value>().unwrap();
+        let table3 = value3.as_table().unwrap();
+        let props_opt3 = super::Props::from_table(&table3);
+        assert!(props_opt3.is_ok());
+        let props3 = props_opt3.unwrap();
+        assert!(props3.idle_timeout_seconds() == 1800);
+        assert!(props3.generated_passphrases_words_count() == 5);
+        assert!(props3.version() == "0.0.0");
     }
 
     #[test]
@@ -1125,6 +1173,7 @@ mod api_unit_tests {
         let toml = r#"
         idle_timeout_seconds = 33
         generated_passphrases_words_count = 5
+        version = "0.0.0"
         "#;
 
         let value = toml.parse::<toml::value::Value>().unwrap();
@@ -1136,6 +1185,29 @@ mod api_unit_tests {
         assert!(table == &new_table);
     }
 
+    #[test]
+    fn props_mutate() {
+        let toml = r#"
+        idle_timeout_seconds = 3
+        generated_passphrases_words_count = 3
+        version = "0.0.0"
+        "#;
+
+        let value = toml.parse::<toml::value::Value>().unwrap();
+        let table = value.as_table().unwrap();
+        let props_opt = super::Props::from_table(&table);
+        assert!(props_opt.is_ok());
+        let mut props = props_opt.unwrap();
+
+        props.set_idle_timeout_seconds(33);
+        props.set_generated_passphrases_words_count(33);
+        props.set_version("0.0.1");
+
+        assert!(props.idle_timeout_seconds() == 33);
+        assert!(props.generated_passphrases_words_count() == 33);
+        assert!(props.version() == "0.0.1");
+    }
+
     #[test]
     fn user_option_constructors() {
         let opt1 = super::UserOption::cancel();

src/datacrypt.rs

@@ -18,9 +18,6 @@
 use std::cmp::PartialEq;
 use std::fmt::Debug;
 use std::iter::repeat;
-use std::thread;
-use std::thread::JoinHandle;
-
 use aes::Aes256;
 use base64::{Engine as _, engine::general_purpose};
 use bcrypt::bcrypt;
@@ -34,9 +31,7 @@ use zeroize::Zeroize;
 use super::errors::{self, RustKeylockError};
 use super::protected::RklSecret;
 
-const NUMBER_OF_SALT_KEY_PAIRS: usize = 10;
 type AesCtr = ctr::Ctr64BE<Aes256>;
-pub(crate) const BCRYPT_COST: u32 = 7;
 
 pub trait Cryptor {
     /// Decrypts a given array of bytes
@@ -58,11 +53,8 @@ pub struct BcryptAes {
     iv: Vec<u8>,
     /// The position of the salt inside the file
     salt_position: usize,
-    /// A list of pairs of salt - bcrypt key.
-    ///
-    /// Each encryption process includes the creation of a new pseudo-random iv and the usage of one of the provided salt-key pairs.
-    /// With these, the data is encrypted and the encrypted bytes are returned.
-    salt_key_pairs: Vec<(Vec<u8>, RklSecret)>,
+    /// The salt
+    salt: Vec<u8>,
     /// A Hasher to be used to guarantee data integrity
     hasher: Sha3Keccak512,
     /// The hash that is retrieved by parsing the passwords file, during the application startup.
@@ -95,53 +87,31 @@ impl BcryptAes {
     /// * The position of the salt
     /// * hash for Sha3Keccak512 hashing
     pub fn new(mut password: String,
-               mut salt: Vec<u8>,
+               salt: Vec<u8>,
                iv: Vec<u8>,
                mut salt_position: usize,
-               hash_bytes: Vec<u8>, )
-               -> BcryptAes {
-        let mut salt_key_pairs = Vec::new();
-        let handles: Vec<JoinHandle<(Vec<u8>, RklSecret)>> = (0..NUMBER_OF_SALT_KEY_PAIRS + 1)
-            .map(|i| {
-                let cp = password.clone();
-                let cs = salt.clone();
-                let child = thread::spawn(move || {
-                    if i == 0 {
-                        // Create bcrypt password for the current encrypted data
-                        // Ask for 64 bytes bcrypt key. Use 32 bytes for data encryption and 32 bytes for hash encryption.
-                        let key = BcryptAes::create_key(cp.as_bytes(), &cs, BCRYPT_COST, 64);
-                        (cs, RklSecret::new(key))
-                    } else {
-                        // Create some new salt-key pairs to use them for encryption
-                        // Ask for 64 bytes bcrypt key. Use 32 bytes for data encryption and 32 bytes for hash encryption.
-                        let s = create_random(16);
-                        let k = BcryptAes::create_key(cp.as_bytes(), &s, BCRYPT_COST, 64);
-                        (s, RklSecret::new(k))
-                    }
-                });
-                child
-            })
-            .collect();
-        for handle in handles {
-            salt_key_pairs.push(handle.join().unwrap());
-        }
+               hash_bytes: Vec<u8>,
+               bcrypt_cost: u32,
+            ) -> BcryptAes {
 
         // Create the SHA3 hasher
         let hasher = Sha3Keccak512::new();
 
+        // Create bcrypt password for the current encrypted data
+        // Ask for 64 bytes bcrypt key. Use 32 bytes for data encryption and 32 bytes for hash encryption.
+        let key = BcryptAes::create_key(password.as_bytes(), &salt, bcrypt_cost, 64);
 
         let to_ret = BcryptAes {
-            key: salt_key_pairs.remove(0).1.clone(),
+            key: RklSecret::new(key),
             iv,
             salt_position,
-            salt_key_pairs,
+            salt,
             hasher,
             hash: RklSecret::new(hash_bytes),
         };
 
         // Zeroize what's not moved
         password.zeroize();
-        salt.zeroize();
         salt_position.zeroize();
 
         to_ret
@@ -172,19 +142,7 @@ impl Cryptor for BcryptAes {
     fn decrypt(&self, input: &[u8]) -> Result<Vec<u8>, RustKeylockError> {
         let bytes_to_decrypt = extract_bytes_to_decrypt(input, self.salt_position);
 
-        // The key should be 64 bytes long (including 2 32-byte keys). If it is bigger than that, there is the legacy key in the start.
-        let legacy_handling = self.key.borrow().len() > 64;
-
-        let (final_result, integrity_check_ok) = if legacy_handling {
-            let key: Vec<u8> = self.key.borrow().iter()
-                .take(32)
-                .cloned()
-                .collect();
-            let integrity_check_ok = self.hasher.validate_hash(&bytes_to_decrypt, self.hash.borrow());
-            let final_result = self.decrypt_bytes(&bytes_to_decrypt, &key)?;
-
-            (final_result, integrity_check_ok)
-        } else {
+        let (final_result, integrity_check_ok) = {
             // The first 32 bytes of the key is for hash decryption.
             let hash_decryption_key: Vec<u8> = self.key.borrow().iter()
                 .take(32)
@@ -216,20 +174,14 @@ impl Cryptor for BcryptAes {
     fn encrypt(&self, input: &[u8]) -> Result<Vec<u8>, RustKeylockError> {
         // Create a new iv
         let iv = create_random(16);
-        let mut rng = thread_rng();
-        // Choose randomly one of the salt-key pairs
-        let idx = {
-            rng.gen_range(0.. NUMBER_OF_SALT_KEY_PAIRS)
-        };
-        let salt_key_pair = &self.salt_key_pairs[idx];
 
         // The first 32 bytes is the key for hash encryption.
-        let hash_encryption_key: Vec<u8> = salt_key_pair.1.borrow().iter()
+        let hash_encryption_key: Vec<u8> = self.key.borrow().iter()
             .take(32)
             .cloned()
             .collect();
         // The second 32 bytes is the key for data encryption.
-        let data_encryption_key: Vec<u8> = salt_key_pair.1.borrow().iter()
+        let data_encryption_key: Vec<u8> = self.key.borrow().iter()
             .skip(32)
             .take(32)
             .cloned()
@@ -242,7 +194,7 @@ impl Cryptor for BcryptAes {
         let encrypted_hash_bytes = self.encrypt_bytes(&hash_bytes, &hash_encryption_key, &iv)?;
 
         // Compose the encrypted bytes with the iv and salt
-        Ok(compose_bytes_to_save(&encrypted_data_bytes, self.salt_position, &salt_key_pair.0, &iv, &encrypted_hash_bytes))
+        Ok(compose_bytes_to_save(&encrypted_data_bytes, self.salt_position, &self.salt, &iv, &encrypted_hash_bytes))
     }
 }
 
@@ -480,6 +432,7 @@ fn compose_bytes_to_save(data: &[u8], salt_position: usize, salt: &[u8], iv: &[u
 #[cfg(test)]
 mod test_crypt {
     use super::{Cryptor, Hasher};
+    const BCRYPT_COST: u32 = 1;
 
     #[test]
     fn create_random() {
@@ -916,7 +869,7 @@ mod test_crypt {
         bytes.append(&mut tmp);
 
         // Create the cryptor
-        let cryptor = super::BcryptAes::new("password".to_string(), salt, iv, 1, hash);
+        let cryptor = super::BcryptAes::new("password".to_string(), salt, iv, 1, hash, BCRYPT_COST);
         let result = cryptor.decrypt(&bytes);
         assert!(result.is_err());
         match result.err() {
@@ -925,19 +878,6 @@ mod test_crypt {
         }
     }
 
-    #[test]
-    fn new_bcryptor_checks() {
-        let iv = super::create_random(16);
-        let salt = super::create_random(16);
-        let hash = super::create_random(64);
-        let cryptor = super::BcryptAes::new("password".to_string(), salt.clone(), iv, 1, hash);
-        assert!(cryptor.salt_key_pairs.len() == super::NUMBER_OF_SALT_KEY_PAIRS);
-        for skp in cryptor.salt_key_pairs {
-            assert!(&skp.0 != &salt);
-            assert!(&skp.1 != &cryptor.key);
-        }
-    }
-
     #[test]
     fn bcrypt_key_creation() {
         let small_key = super::BcryptAes::create_key("123".as_bytes(), "saltsaltsaltsalt".as_bytes(), 3, 12);