aboutsummaryrefslogtreecommitdiff
path: root/src/zenhttp/auth/authmgr.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/zenhttp/auth/authmgr.cpp')
-rw-r--r--src/zenhttp/auth/authmgr.cpp242
1 files changed, 217 insertions, 25 deletions
diff --git a/src/zenhttp/auth/authmgr.cpp b/src/zenhttp/auth/authmgr.cpp
index 2fa22f2c2..9d10b1ba6 100644
--- a/src/zenhttp/auth/authmgr.cpp
+++ b/src/zenhttp/auth/authmgr.cpp
@@ -12,6 +12,11 @@
#include <zencore/trace.h>
#include <zenhttp/auth/oidc.h>
+#if ZEN_WITH_TESTS
+# include <zencore/testing.h>
+# include <zencore/testutils.h>
+#endif
+
#include <condition_variable>
#include <memory>
#include <shared_mutex>
@@ -25,13 +30,37 @@ namespace zen {
using namespace std::literals;
namespace details {
+ // On-disk format for the GCM-encrypted authstate:
+ //
+ // [ 4 bytes: magic "ZEN1" ]
+ // [12 bytes: GCM nonce ] — fresh random value per write
+ // [ N bytes: ciphertext ] — same length as the plaintext
+ // [16 bytes: GCM tag ]
+ //
+ // The magic is bound into the authentication by passing it as AAD to
+ // AesGcm; that ties the tag to the exact header bytes, so an attacker
+ // cannot strip the format indicator or swap to a different format without
+ // failing authentication.
+ //
+ // The magic also doubles as the format version. If the framing ever
+ // needs to change (e.g. adding a key-identifier for rotation), bump to
+ // "ZEN2" and teach the reader to accept both.
+ constexpr std::string_view kAuthStateMagic = "ZEN1";
+ constexpr size_t kAuthStateHeaderSz = 4 + AesGcm::NonceSize;
+
IoBuffer ReadEncryptedFile(std::filesystem::path Path,
const AesKey256Bit& Key,
- const AesIV128Bit& IV,
- std::optional<std::string>& Reason)
+ const AesIV128Bit& LegacyIV,
+ std::optional<std::string>& Reason,
+ bool* OutWasLegacy = nullptr)
{
ZEN_TRACE_CPU("AuthMgr::ReadEncryptedFile");
+ if (OutWasLegacy)
+ {
+ *OutWasLegacy = false;
+ }
+
FileContents Result = ReadFile(Path);
if (Result.ErrorCode)
@@ -46,24 +75,52 @@ namespace details {
return IoBuffer();
}
+ // Current format: magic-prefixed AES-256-GCM
+ if (EncryptedBuffer.GetSize() >= kAuthStateHeaderSz + AesGcm::TagSize &&
+ memcmp(EncryptedBuffer.GetData(), kAuthStateMagic.data(), kAuthStateMagic.size()) == 0)
+ {
+ const uint8_t* Bytes = static_cast<const uint8_t*>(EncryptedBuffer.GetData());
+ const size_t Total = EncryptedBuffer.GetSize();
+ const size_t CipherSize = Total - kAuthStateHeaderSz - AesGcm::TagSize;
+
+ MemoryView Magic(Bytes, kAuthStateMagic.size());
+ MemoryView Nonce(Bytes + kAuthStateMagic.size(), AesGcm::NonceSize);
+ MemoryView Cipher(Bytes + kAuthStateHeaderSz, CipherSize);
+ MemoryView Tag(Bytes + kAuthStateHeaderSz + CipherSize, AesGcm::TagSize);
+
+ std::vector<uint8_t> PlainBuffer(CipherSize);
+ MemoryView PlainView = AesGcm::Decrypt(Key, Nonce, /*Aad=*/Magic, Cipher, Tag, MakeMutableMemoryView(PlainBuffer), Reason);
+
+ if (PlainView.IsEmpty())
+ {
+ return IoBuffer();
+ }
+
+ return IoBufferBuilder::MakeCloneFromMemory(PlainView);
+ }
+
+ // Legacy format: raw AES-256-CBC with the caller-configured IV.
+ // Decrypt it once so we don't lose the user's cached state across
+ // the upgrade; the next SaveState will rewrite in the GCM format.
std::vector<uint8_t> DecryptionBuffer;
DecryptionBuffer.resize(EncryptedBuffer.GetSize() + Aes::BlockSize);
- MemoryView DecryptedView = Aes::Decrypt(Key, IV, EncryptedBuffer, MakeMutableMemoryView(DecryptionBuffer), Reason);
+ MemoryView DecryptedView = Aes::Decrypt(Key, LegacyIV, EncryptedBuffer, MakeMutableMemoryView(DecryptionBuffer), Reason);
if (DecryptedView.IsEmpty())
{
return IoBuffer();
}
+ if (OutWasLegacy)
+ {
+ *OutWasLegacy = true;
+ }
+
return IoBufferBuilder::MakeCloneFromMemory(DecryptedView);
}
- void WriteEncryptedFile(std::filesystem::path Path,
- IoBuffer FileData,
- const AesKey256Bit& Key,
- const AesIV128Bit& IV,
- std::optional<std::string>& Reason)
+ void WriteEncryptedFile(std::filesystem::path Path, IoBuffer FileData, const AesKey256Bit& Key, std::optional<std::string>& Reason)
{
ZEN_TRACE_CPU("AuthMgr::WriteEncryptedFile");
@@ -72,17 +129,44 @@ namespace details {
return;
}
- std::vector<uint8_t> EncryptionBuffer;
- EncryptionBuffer.resize(FileData.GetSize() + Aes::BlockSize);
+ if (!Key.IsValid())
+ {
+ Reason = "invalid key";
+ return;
+ }
+
+ // Fresh nonce per write. Never reuse a (Key, Nonce) pair — GCM is
+ // catastrophically broken under nonce reuse.
+ uint8_t Nonce[AesGcm::NonceSize];
+ if (!CryptoRandom::Fill(MakeMutableMemoryView(Nonce), &Reason))
+ {
+ return;
+ }
+
+ std::vector<uint8_t> FileBuffer;
+ FileBuffer.resize(kAuthStateHeaderSz + FileData.GetSize() + AesGcm::TagSize);
+
+ // [magic][nonce][cipher][tag]
+ memcpy(FileBuffer.data(), kAuthStateMagic.data(), kAuthStateMagic.size());
+ memcpy(FileBuffer.data() + kAuthStateMagic.size(), Nonce, AesGcm::NonceSize);
- MemoryView EncryptedView = Aes::Encrypt(Key, IV, FileData, MakeMutableMemoryView(EncryptionBuffer), Reason);
+ MutableMemoryView CipherOut(FileBuffer.data() + kAuthStateHeaderSz, FileData.GetSize());
+ MutableMemoryView TagOut(FileBuffer.data() + kAuthStateHeaderSz + FileData.GetSize(), AesGcm::TagSize);
- if (EncryptedView.IsEmpty())
+ MemoryView CipherView = AesGcm::Encrypt(Key,
+ MakeMemoryView(Nonce),
+ /*Aad=*/MakeMemoryView(kAuthStateMagic),
+ FileData.GetView(),
+ CipherOut,
+ TagOut,
+ Reason);
+
+ if (CipherView.IsEmpty())
{
return;
}
- TemporaryFile::SafeWriteFile(Path, EncryptedView);
+ TemporaryFile::SafeWriteFile(Path, MakeMemoryView(FileBuffer));
}
} // namespace details
@@ -191,10 +275,9 @@ public:
bool IsNew = false;
{
- auto Token = OpenIdToken{.IdentityToken = RefreshResult.IdentityToken,
- .RefreshToken = RefreshResult.RefreshToken,
- .AccessToken = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
- .ExpireTime = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
+ auto Token = OpenIdToken{.RefreshToken = RefreshResult.RefreshToken,
+ .AccessToken = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
+ .ExpireTime = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
std::unique_lock _(m_TokenMutex);
@@ -240,7 +323,6 @@ private:
struct OpenIdToken
{
- std::string IdentityToken;
std::string RefreshToken;
std::string AccessToken;
TimePoint ExpireTime{};
@@ -283,9 +365,18 @@ private:
try
{
std::optional<std::string> Reason;
+ bool WasLegacy = false;
+
+ IoBuffer Buffer = details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv,
+ m_Config.EncryptionKey,
+ m_Config.EncryptionIV,
+ Reason,
+ &WasLegacy);
- IoBuffer Buffer =
- details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv, m_Config.EncryptionKey, m_Config.EncryptionIV, Reason);
+ if (Buffer && WasLegacy)
+ {
+ ZEN_INFO("authstate read via legacy AES-CBC fallback; next save will migrate to AES-GCM");
+ }
if (!Buffer)
{
@@ -399,7 +490,6 @@ private:
details::WriteEncryptedFile(m_Config.RootDirectory / "authstate"sv,
AuthState.Save().GetBuffer().AsIoBuffer(),
m_Config.EncryptionKey,
- m_Config.EncryptionIV,
Reason);
if (Reason)
@@ -466,10 +556,9 @@ private:
{
ZEN_DEBUG("refresh access token from provider '{}' Ok", Kv.first);
- auto Token = OpenIdToken{.IdentityToken = RefreshResult.IdentityToken,
- .RefreshToken = RefreshResult.RefreshToken,
- .AccessToken = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
- .ExpireTime = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
+ auto Token = OpenIdToken{.RefreshToken = RefreshResult.RefreshToken,
+ .AccessToken = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
+ .ExpireTime = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
{
std::unique_lock _(m_TokenMutex);
@@ -534,4 +623,107 @@ AuthMgr::Create(const AuthConfig& Config)
return std::make_unique<AuthMgrImpl>(Config);
}
+#if ZEN_WITH_TESTS
+
+TEST_SUITE_BEGIN("http.authmgr");
+
+TEST_CASE("authmgr.authstate_gcm_roundtrip")
+{
+ ScopedTemporaryDirectory TmpDir;
+ std::filesystem::path Path = TmpDir.Path() / "authstate";
+
+ const AesKey256Bit Key = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+ const AesIV128Bit UnusedIv; // ignored on write, unused on GCM read
+
+ const std::string_view Plain = "sensitive compact-binary payload representing cached auth state"sv;
+ IoBuffer InBuf = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(Plain));
+
+ std::optional<std::string> WriteReason;
+ details::WriteEncryptedFile(Path, InBuf, Key, WriteReason);
+ REQUIRE_FALSE(WriteReason.has_value());
+
+ std::optional<std::string> ReadReason;
+ bool WasLegacy = true;
+ IoBuffer Out = details::ReadEncryptedFile(Path, Key, UnusedIv, ReadReason, &WasLegacy);
+ REQUIRE_FALSE(ReadReason.has_value());
+ REQUIRE(Out.GetSize() == Plain.size());
+ CHECK(memcmp(Out.GetData(), Plain.data(), Plain.size()) == 0);
+ CHECK_FALSE(WasLegacy);
+}
+
+TEST_CASE("authmgr.authstate_legacy_cbc_fallback")
+{
+ // Hand-craft a legacy-format authstate file (raw AES-CBC, no magic) and
+ // verify the reader falls back, returns the plaintext, and flags the file
+ // as legacy so the caller can rewrite it in the new format.
+ ScopedTemporaryDirectory TmpDir;
+ std::filesystem::path Path = TmpDir.Path() / "authstate";
+
+ const AesKey256Bit Key = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+ const uint8_t IvBytes[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
+ const AesIV128Bit LegacyIv = AesIV128Bit::FromMemoryView(MakeMemoryView(IvBytes));
+
+ const std::string_view Plain = "legacy authstate payload"sv;
+
+ std::vector<uint8_t> CbcBuf(Plain.size() + Aes::BlockSize);
+ std::optional<std::string> CbcReason;
+ MemoryView CbcView = Aes::Encrypt(Key, LegacyIv, MakeMemoryView(Plain), MakeMutableMemoryView(CbcBuf), CbcReason);
+ REQUIRE_FALSE(CbcReason.has_value());
+
+ TemporaryFile::SafeWriteFile(Path, CbcView);
+
+ std::optional<std::string> ReadReason;
+ bool WasLegacy = false;
+ IoBuffer Out = details::ReadEncryptedFile(Path, Key, LegacyIv, ReadReason, &WasLegacy);
+ REQUIRE_FALSE(ReadReason.has_value());
+ REQUIRE(Out.GetSize() == Plain.size());
+ CHECK(memcmp(Out.GetData(), Plain.data(), Plain.size()) == 0);
+ CHECK(WasLegacy);
+}
+
+TEST_CASE("authmgr.authstate_gcm_tamper_detection")
+{
+ ScopedTemporaryDirectory TmpDir;
+ std::filesystem::path Path = TmpDir.Path() / "authstate";
+
+ const AesKey256Bit Key = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+ const AesIV128Bit UnusedIv;
+
+ const std::string_view Plain = "payload that should not decrypt after tampering"sv;
+ IoBuffer InBuf = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(Plain));
+
+ std::optional<std::string> WriteReason;
+ details::WriteEncryptedFile(Path, InBuf, Key, WriteReason);
+ REQUIRE_FALSE(WriteReason.has_value());
+
+ // Flip a single byte in the middle of the ciphertext region (past magic +
+ // nonce) and verify the GCM tag check rejects the tampered file. Copy
+ // the bytes out first and drop the FileContents / IoBuffer handles before
+ // rewriting so the underlying file isn't still open when we overwrite it.
+ std::vector<uint8_t> Mutated;
+ {
+ FileContents FC = ReadFile(Path);
+ IoBuffer Whole = FC.Flatten();
+ REQUIRE(Whole.GetSize() > 4 + AesGcm::NonceSize);
+ Mutated.assign(static_cast<const uint8_t*>(Whole.GetData()), static_cast<const uint8_t*>(Whole.GetData()) + Whole.GetSize());
+ }
+ Mutated[4 + AesGcm::NonceSize] ^= 0x40;
+ TemporaryFile::SafeWriteFile(Path, MakeMemoryView(Mutated));
+
+ std::optional<std::string> ReadReason;
+ bool WasLegacy = false;
+ IoBuffer Out = details::ReadEncryptedFile(Path, Key, UnusedIv, ReadReason, &WasLegacy);
+ CHECK(ReadReason.has_value());
+ CHECK(Out.GetSize() == 0);
+}
+
+TEST_SUITE_END();
+
+void
+authmgr_forcelink()
+{
+}
+
+#endif // ZEN_WITH_TESTS
+
} // namespace zen
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-06 21:29:54 +0000