Generate exoharness secret key and nonce from a CSPRNG#37
Open
Alexsun1one wants to merge 1 commit into
Open
Conversation
Alexsun1one
force-pushed
the
secrets-csprng
branch
from
44c8e08 to
367b572
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
random_master_keyandrandom_nonceincrates/exoharness/src/secrets.rsbuilt the AES-256-GCM key and nonce from
Uuid::new_v4()bytes. A v4 UUID hasfixed bits (the version nibble at byte 6 and the variant bits at byte 8), so the
32-byte key was not uniformly random (~244 bits, with fixed bits at known
offsets) and the 12-byte GCM nonce was effectively 90 bits, not 96.
Both now fill the buffer directly from the OS CSPRNG with
getrandom::fill.This is a hygiene fix, not an exploit. The UUID bytes were already CSPRNG-backed
on these targets so nothing was crackable. The reason to change it: key material
should not carry fixed structural bits, and it should not rely on uuid's v4 RNG
being a CSPRNG, which uuid does not promise as an API guarantee.
Notes
EncryptedSecretserialization and thenonce-length check are untouched, the nonce is still stored per ciphertext, and
the master key is still read back as-is from the keychain or key file. Existing
secrets still decrypt.
getrandomis added as an optional dep underbasic-backend. 0.3.4 was alreadyin the lockfile (via keyring/turso/uuid), so the lock gains one edge and no new
crate compiles.
getrandomdirectly instead of aes-gcm'sgenerate_key/Generatehelpers. Those bottom out in the same getrandom crate, and calling it directly
keeps the
[u8; 32]the on-disk format already uses, without coupling the keyprovider to the AEAD type.
Out of scope
Linux). Not changed here.
Fine at this scale, but a separate topic if write volume grows.
Testing
cargo build,cargo clippy -p exoharness --features basic-backend --all-targets -- -D warnings,cargo fmt --check, andcargo test -p exoharness --features basic-backendall pass (15 tests, including the existingsecrets_are_encrypted_at_rest). Added three tests insecrets.rs: keydistinctness, a nonce check that would catch the old UUID derivation, and an
encrypt/decrypt round trip with distinct nonces.