Avoid unnecessary path copies
robin-nitrokey committed Oct 13, 2024
1 parent 947ffe6 commit 2ae26ba
Showing 2 changed files with 21 additions and 25 deletions.
25 changes: 12 additions & 13 deletions src/backend.rs
@@ -134,19 +134,19 @@ impl AuthBackend {
global_fs: &mut impl Filestore,
rng: &mut R,
) -> Result<Salt, Error> {
let path = PathBuf::from("salt");
let path = path!("salt");
global_fs
.read(&path, self.location)
.read(path, self.location)
.or_else(|_| {
if global_fs.exists(&path, self.location) {
if global_fs.exists(path, self.location) {
return Err(Error::ReadFailed);
}

let mut salt = Bytes::<SALT_LEN>::default();
salt.resize_to_capacity();
rng.fill_bytes(&mut salt);
global_fs
.write(&path, self.location, &salt)
.write(path, self.location, &salt)
.or(Err(Error::WriteFailed))
.and(Ok(salt))
})
@@ -170,7 +170,7 @@ impl AuthBackend {
}
}

fn expand(kdf: &Hkdf<Sha256>, client_id: &PathBuf) -> Key {
fn expand(kdf: &Hkdf<Sha256>, client_id: &Path) -> Key {
let mut out = Key::default();
#[allow(clippy::expect_used)]
kdf.expand(client_id.as_ref().as_bytes(), &mut *out)
@@ -180,27 +180,27 @@ impl AuthBackend {

fn generate_app_key<R: CryptoRng + RngCore>(
&mut self,
client_id: PathBuf,
client_id: &Path,
global_fs: &mut impl Filestore,
rng: &mut R,
) -> Result<Key, Error> {
Ok(match &self.hw_key {
HardwareKey::Extracted(okm) => Self::expand(okm, &client_id),
HardwareKey::Extracted(okm) => Self::expand(okm, client_id),
HardwareKey::Missing => return Err(Error::MissingHwKey),
HardwareKey::Raw(hw_k) => {
let kdf = self.extract(global_fs, Some(hw_k.clone()), rng)?;
Self::expand(kdf, &client_id)
Self::expand(kdf, client_id)
}
HardwareKey::None => {
let kdf = self.extract(global_fs, None, rng)?;
Self::expand(kdf, &client_id)
Self::expand(kdf, client_id)
}
})
}

fn get_app_key<R: CryptoRng + RngCore>(
&mut self,
client_id: PathBuf,
client_id: &Path,
global_fs: &mut impl Filestore,
ctx: &mut AuthContext,
rng: &mut R,
@@ -277,7 +277,7 @@ impl ExtensionImpl<AuthExtension> for AuthBackend {
let global_fs = &mut global_fs;

let rng = &mut resources.rng()?;
let client_id = core_ctx.path.clone();
let client_id = &core_ctx.path.clone();
let keystore = &mut resources.keystore(core_ctx.path.clone())?;
match request {
AuthRequest::HasPin(request) => {
@@ -297,8 +297,7 @@ impl ExtensionImpl<AuthExtension> for AuthBackend {
Ok(reply::CheckPin { success }.into())
}
AuthRequest::GetPinKey(request) => {
let application_key =
self.get_app_key(core_ctx.path.clone(), global_fs, ctx, rng)?;
let application_key = self.get_app_key(client_id, global_fs, ctx, rng)?;
let verification = PinData::load(fs, self.location, request.id)?.write(
fs,
self.location,
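Review bot: In `expand`, the HKDF `info` input is still `client_id.as_ref().as_bytes()`, but the receiver changes from `&PathBuf` to `&Path`, and nothing in this change pins that both yield the same bytes. The `AsRef` impls are not visible here, so this needs checking: if the two conversions differed (for example in how a terminator is handled), every derived application key would change and previously stored PIN data could presumably no longer be unwrapped. I would add a test that derives a key for a fixed hardware key, salt and client path and compares it with a value recorded before this commit, plus a comment on the call such as `// HKDF info = raw client path bytes; changing this encoding changes every derived key`. Separately, in the `ExtensionImpl` hunk `let client_id = &core_ctx.path.clone();` still copies the path; `let client_id = &core_ctx.path;` would avoid that if the later borrows of `core_ctx` (outside the hunk) allow it.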
21 changes: 9 additions & 12 deletions src/backend/data.rs
@@ -5,20 +5,23 @@ use core::ops::Deref;

use chacha20poly1305::ChaCha8Poly1305;
use hmac::{Hmac, Mac};
use littlefs2::path;
use serde::{Deserialize, Serialize};
use serde_byte_array::ByteArray;
use sha2::{Digest as _, Sha256};
use subtle::ConstantTimeEq as _;
use trussed::{
platform::{CryptoRng, RngCore},
store::filestore::Filestore,
types::{Location, PathBuf},
types::{Location, Path},
Bytes,
};

use super::Error;
use crate::{Pin, PinId, MAX_PIN_LENGTH};

const APP_SALT_PATH: &Path = path!("application_salt");

pub(crate) const SIZE: usize = 256;
pub(crate) const CHACHA_TAG_LEN: usize = 16;
pub(crate) const SALT_LEN: usize = 16;
@@ -502,18 +505,12 @@ fn pin_len(pin: &Pin) -> u8 {
pin.len() as u8
}

fn app_salt_path() -> PathBuf {
const SALT_PATH: &str = "application_salt";

PathBuf::from(SALT_PATH)
}

pub(crate) fn get_app_salt<S: Filestore, R: CryptoRng + RngCore>(
fs: &mut S,
rng: &mut R,
location: Location,
) -> Result<Salt, Error> {
if !fs.exists(&app_salt_path(), location) {
if !fs.exists(APP_SALT_PATH, location) {
create_app_salt(fs, rng, location)
} else {
load_app_salt(fs, location)
@@ -524,8 +521,8 @@ pub(crate) fn delete_app_salt<S: Filestore>(
fs: &mut S,
location: Location,
) -> Result<(), trussed::Error> {
if fs.exists(&app_salt_path(), location) {
fs.remove_file(&app_salt_path(), location)
if fs.exists(APP_SALT_PATH, location) {
fs.remove_file(APP_SALT_PATH, location)
} else {
Ok(())
}
@@ -538,13 +535,13 @@ fn create_app_salt<S: Filestore, R: CryptoRng + RngCore>(
) -> Result<Salt, Error> {
let mut salt = Salt::default();
rng.fill_bytes(&mut *salt);
fs.write(&app_salt_path(), location, &*salt)
fs.write(APP_SALT_PATH, location, &*salt)
.map_err(|_| Error::WriteFailed)?;
Ok(salt)
}

fn load_app_salt<S: Filestore>(fs: &mut S, location: Location) -> Result<Salt, Error> {
fs.read(&app_salt_path(), location)
fs.read(APP_SALT_PATH, location)
.map_err(|_| Error::ReadFailed)
.and_then(|b: Bytes<SALT_LEN>| (**b).try_into().map_err(|_| Error::ReadFailed))
}
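Review bot: `APP_SALT_PATH` is introduced without a doc comment, although its value is effectively part of the stored-data format. `get_app_salt` creates a fresh salt whenever `fs.exists(APP_SALT_PATH, location)` is false, so renaming the file later would silently produce a new salt instead of an error. A comment such as `/// File holding the application salt; the name is part of the on-device layout and must not change.` would record that. For consistency, the inline `path!("salt")` in `src/backend.rs` could become a named constant in the same way.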
