mirrors/rage
1
0
Fork 0
mirror of https://github.com/str4d/rage.git synced 2025-04-04 11:27:43 +03:00
Code Issues Projects Releases Packages Wiki Activity

age: Add scrypt::Recipient::set_work_factor for overriding default

Browse source 
This can only be configured by using `scrypt::Recipient` directly in a
library context. The helper method `Encryptor::with_user_passphrase`
does not expose this, and `rage` continues to use the default.

Closes str4d/rage#383.
This commit is contained in:
Jack Grigg 2024-08-28 04:59:58 +00:00
parent 84eacb7271
commit e84159365d
2 changed files with 29 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
age/src/protocol.rs
View file

@ -462,8 +462,12 @@ mod tests {
fn scrypt_round_trip() { fn scrypt_round_trip() {
let test_msg = b"This is a test message. For testing."; let test_msg = b"This is a test message. For testing.";
let mut recipient = scrypt::Recipient::new(SecretString::new("passphrase".to_string()));
// Override to something very fast for testing.
recipient.set_work_factor(2);
let mut encrypted = vec![]; let mut encrypted = vec![];
let e = Encryptor::with_user_passphrase(SecretString::new("passphrase".to_string())); let e = Encryptor::with_recipients(vec![Box::new(recipient)]).unwrap();
{ {
let mut w = e.wrap_output(&mut encrypted).unwrap(); let mut w = e.wrap_output(&mut encrypted).unwrap();
w.write_all(test_msg).unwrap(); w.write_all(test_msg).unwrap();

29
age/src/scrypt.rs
View file

@ -104,12 +104,33 @@ fn target_scrypt_work_factor() -> u8 {
/// [`x25519::Identity`]: crate::x25519::Identity /// [`x25519::Identity`]: crate::x25519::Identity
pub struct Recipient { pub struct Recipient {
passphrase: SecretString, passphrase: SecretString,
log_n: u8,
} }
impl Recipient { impl Recipient {
/// Constructs a new `Recipient` with the given passphrase. /// Constructs a new `Recipient` with the given passphrase.
///
/// The scrypt work factor is picked to target about 1 second for encryption or
/// decryption on this device. Override it with [`Self::set_work_factor`].
pub fn new(passphrase: SecretString) -> Self { pub fn new(passphrase: SecretString) -> Self {
Self { passphrase } Self {
passphrase,
log_n: target_scrypt_work_factor(),
}
}
/// Sets the scrypt work factor to `N = 2^log_n`.
///
/// This method must be called before [`Self::wrap_file_key`] to have an effect.
///
/// [`Self::wrap_file_key`]: crate::Recipient::wrap_file_key
///
/// # Panics
///
/// Panics if `log_n == 0` or `log_n >= 64`.
pub fn set_work_factor(&mut self, log_n: u8) {
assert!(0 < log_n && log_n < 64);
self.log_n = log_n;
} }
} }
@ -127,10 +148,8 @@ impl crate::Recipient for Recipient {
inner_salt[..SCRYPT_SALT_LABEL.len()].copy_from_slice(SCRYPT_SALT_LABEL); inner_salt[..SCRYPT_SALT_LABEL.len()].copy_from_slice(SCRYPT_SALT_LABEL);
inner_salt[SCRYPT_SALT_LABEL.len()..].copy_from_slice(&salt); inner_salt[SCRYPT_SALT_LABEL.len()..].copy_from_slice(&salt);
let log_n = target_scrypt_work_factor();
let enc_key = let enc_key =
scrypt(&inner_salt, log_n, self.passphrase.expose_secret()).expect("log_n < 64"); scrypt(&inner_salt, self.log_n, self.passphrase.expose_secret()).expect("log_n < 64");
let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret()); let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret());
let encoded_salt = BASE64_STANDARD_NO_PAD.encode(salt); let encoded_salt = BASE64_STANDARD_NO_PAD.encode(salt);
@ -140,7 +159,7 @@ impl crate::Recipient for Recipient {
Ok(( Ok((
vec![Stanza { vec![Stanza {
tag: SCRYPT_RECIPIENT_TAG.to_owned(), tag: SCRYPT_RECIPIENT_TAG.to_owned(),
args: vec![encoded_salt, format!("{}", log_n)], args: vec![encoded_salt, format!("{}", self.log_n)],
body: encrypted_file_key, body: encrypted_file_key,
}], }],
iter::once(label).collect(), iter::once(label).collect(),