Shore up uri checksum

bitwarden · Apr 23, 2024 · 0d40054 · 0d40054
1 parent 456f54f
commit 0d40054
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 15 deletions.
diff --git a/crates/bitwarden-crypto/src/sensitive/sensitive.rs b/crates/bitwarden-crypto/src/sensitive/sensitive.rs
@@ -3,6 +3,7 @@ use std::{
     fmt::{self, Formatter},
 };
 
+use generic_array::{ArrayLength, GenericArray};
 use schemars::JsonSchema;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use zeroize::{Zeroize, ZeroizeOnDrop};
@@ -93,6 +94,12 @@ impl From<SensitiveString> for SensitiveVec {
     }
 }
 
+impl<N: ArrayLength<u8>> From<Sensitive<GenericArray<u8, N>>> for SensitiveVec {
+    fn from(val: Sensitive<GenericArray<u8, N>>) -> Self {
+        SensitiveVec::new(Box::new(val.value.to_vec()))
+    }
+}
+
 impl SensitiveString {
     pub fn decode_base64<T: base64::Engine>(self, engine: T) -> Result<SensitiveVec, CryptoError> {
         // Prevent accidental copies by allocating the full size

diff --git a/crates/bitwarden/src/vault/cipher/login.rs b/crates/bitwarden/src/vault/cipher/login.rs
@@ -1,13 +1,15 @@
-use base64::{engine::general_purpose::STANDARD, Engine};
+use base64::engine::general_purpose::STANDARD;
 use bitwarden_api_api::models::{CipherLoginModel, CipherLoginUriModel};
 use bitwarden_crypto::{
-    CryptoError, DecryptedString, EncString, KeyDecryptable, KeyEncryptable, SensitiveString,
-    SymmetricCryptoKey,
+    CryptoError, DecryptedString, EncString, KeyDecryptable, KeyEncryptable, Sensitive,
+    SensitiveVec, SymmetricCryptoKey,
 };
 use chrono::{DateTime, Utc};
+use hmac::digest::generic_array::GenericArray;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_repr::{Deserialize_repr, Serialize_repr};
+use sha2::Digest;
 
 use crate::error::{require, Error, Result};
 
@@ -50,26 +52,28 @@ impl LoginUriView {
         let Some(cs) = &self.uri_checksum else {
             return false;
         };
-        let Ok(cs) = STANDARD.decode(cs.expose()) else {
+        let Ok(cs) = cs.clone().decode_base64(STANDARD) else {
             return false;
         };
 
-        use sha2::Digest;
-        let uri_hash = sha2::Sha256::new()
-            .chain_update(uri.expose().as_bytes())
-            .finalize();
+        let uri_hash: Sensitive<GenericArray<u8, _>> = Sensitive::new(Box::new(
+            sha2::Sha256::new()
+                .chain_update(uri.expose().as_bytes())
+                .finalize(),
+        ));
 
-        uri_hash.as_slice() == cs
+        uri_hash.expose().as_slice() == cs.expose()
     }
 
     pub(crate) fn generate_checksum(&mut self) {
         if let Some(uri) = &self.uri {
-            use sha2::Digest;
-            let uri_hash = sha2::Sha256::new()
-                .chain_update(uri.expose().as_bytes())
-                .finalize();
-            let uri_hash = STANDARD.encode(uri_hash.as_slice());
-            self.uri_checksum = Some(SensitiveString::new(Box::new(uri_hash)));
+            let uri_hash: SensitiveVec = Sensitive::new(Box::new(
+                sha2::Sha256::new()
+                    .chain_update(uri.expose().as_bytes())
+                    .finalize(),
+            ))
+            .into();
+            self.uri_checksum = Some(uri_hash.encode_base64(STANDARD))
         }
     }
 }