feat: move away from nocrypto

oxidizing · Nov 16, 2023 · ecb35fd · ecb35fd
1 parent 33c9e5b
commit ecb35fd
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 /_opam/
 .merlin
 .devcontainer/data
+*.install
diff --git a/default.nix b/default.nix
@@ -1,7 +1,7 @@
 with import <nixpkgs> { };
 
 mkShell {
-  buildInputs = [ yarn zlib.dev zlib.out zlib zlib.all gmp gmp.dev pkgconfig openssl libev libevdev mariadb-client mariadb-connector-c postgresql ];
+  buildInputs = [ yarn zlib.dev zlib.out zlib zlib.all gmp gmp.dev pkg-config openssl libev libevdev mariadb-client mariadb-connector-c postgresql ];
   LD_LIBRARY_PATH = "${mariadb-connector-c}/lib/mariadb";
   shellHook = "eval $(opam env)";
 }
diff --git a/dune-project b/dune-project
@@ -72,8 +72,10 @@
    (>= v0.13.0))
   (ppx_sexp_conv
    (>= v0.13.0))
-  (nocrypto
-   (>= 0.5.4-2))
+  (mirage-crypto
+    (>= 0.11.2))
+  (mirage-crypto-rng
+    (>= 0.11.2))
   (cstruct
    (>= 6.0.1))
   (opium

diff --git a/sihl.opam b/sihl.opam
@@ -36,7 +36,8 @@ depends: [
   "uuidm" {>= "0.9.7"}
   "ppx_fields_conv" {>= "v0.13.0"}
   "ppx_sexp_conv" {>= "v0.13.0"}
-  "nocrypto" {>= "0.5.4-2"}
+  "mirage-crypto" {>= "0.11.2"}
+  "mirage-crypto-rng" {>= "0.11.2"}
   "cstruct" {>= "6.0.1"}
   "opium" {>= "0.20.0"}
   "cohttp-lwt-unix" {>= "2.5.4" & with-test}

diff --git a/sihl/src/dune b/sihl/src/dune
@@ -4,7 +4,7 @@
  (libraries sexplib fmt fmt.tty logs logs.fmt lwt lwt.unix tsort conformist
    base64 yojson ppx_deriving_yojson.runtime safepass ptime ptime.clock.os
    jwto uuidm opium caqti-lwt caqti-lwt.unix str dune-build-info bos
-   containers nocrypto nocrypto.unix cstruct)
+   containers mirage-crypto mirage-crypto-rng cstruct)
  (preprocess
   (pps ppx_fields_conv ppx_deriving_yojson ppx_deriving.eq ppx_deriving.show
     ppx_deriving.make ppx_sexp_conv lwt_ppx)))

diff --git a/sihl/src/web_csrf.ml b/sihl/src/web_csrf.ml
@@ -33,7 +33,6 @@ let set token req =
  *)
 
 module Crypto = struct
-  let () = Nocrypto_entropy_unix.initialize ()
   let block_size = 16
 
   (** [token_length] is the amount of bytes used in the unencrypted CSRF tokens. *)
@@ -52,7 +51,10 @@ module Crypto = struct
   end = struct
     type t = Cstruct.t
 
-    let make secret = secret |> Cstruct.of_string |> Nocrypto.Hash.SHA256.digest
+    let make secret =
+      secret |> Cstruct.of_string |> Mirage_crypto.Hash.SHA256.digest
+    ;;
+
     let to_raw = CCFun.id
   end
 
@@ -105,15 +107,15 @@ module Crypto = struct
     let to_struct = CCFun.id
 
     let from_struct ~with_secret value =
-      let open Nocrypto.Cipher_block.AES.ECB in
+      let open Mirage_crypto.Cipher_block.AES.ECB in
       let key = with_secret |> Secret.to_raw |> of_secret in
       encrypt ~key value
     ;;
 
     let from_struct_random ~with_secret value =
-      let open Nocrypto.Cipher_block.AES.CBC in
+      let open Mirage_crypto.Cipher_block.AES.CBC in
       let key = with_secret |> Secret.to_raw |> of_secret in
-      let iv = Nocrypto.Rng.generate block_size in
+      let iv = Mirage_crypto_rng.generate block_size in
       Cstruct.append iv @@ encrypt ~key ~iv value
     ;;
   end
@@ -157,13 +159,13 @@ module Crypto = struct
     let equal_struct = equal
 
     let from_encrypted ~with_secret value =
-      let open Nocrypto.Cipher_block.AES.ECB in
+      let open Mirage_crypto.Cipher_block.AES.ECB in
       let key = with_secret |> Secret.to_raw |> of_secret in
       decrypt ~key (Encrypted_token.to_struct value)
     ;;
 
     let from_encrypted_random ~with_secret value =
-      let open Nocrypto.Cipher_block.AES.CBC in
+      let open Mirage_crypto.Cipher_block.AES.CBC in
       let key = with_secret |> Secret.to_raw |> of_secret in
       let iv, value =
         value
@@ -229,7 +231,7 @@ let middleware
               ~with_secret:block_secret
               tkn )
         | None ->
-          let value = Nocrypto.Rng.generate token_length in
+          let value = Mirage_crypto_rng.generate token_length in
           ( Encrypted_token.from_struct ~with_secret:block_secret value
           , Encrypted_token.from_struct_random ~with_secret:block_secret value )
       in

diff --git a/sihl/test/web_csrf.ml b/sihl/test/web_csrf.ml
@@ -4,7 +4,7 @@ open Sihl.Web
 let can_parse_uri_safe _ () =
   let open Csrf.Crypto in
   let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
-  let value = Nocrypto.Rng.generate token_length in
+  let value = Mirage_crypto_rng.generate token_length in
   let enc = Encrypted_token.from_struct ~with_secret value in
   let parsed =
     enc
@@ -21,7 +21,7 @@ let can_parse_uri_safe _ () =
 let crypto_undo_helper encrypt decrypt =
   let open Csrf.Crypto in
   let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
-  let value = Nocrypto.Rng.generate token_length in
+  let value = Mirage_crypto_rng.generate token_length in
   let dec = encrypt ~with_secret value |> decrypt ~with_secret in
   let open Alcotest in
   check bool "Same decrypted CSRF tokens" true
@@ -45,7 +45,7 @@ let csrf_simulation _ () =
   let open Csrf.Crypto in
   let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
   (* GET request generates value *)
-  let value = Nocrypto.Rng.generate token_length in
+  let value = Mirage_crypto_rng.generate token_length in
   (* Encrypt value for cookie token *)
   let enc = Encrypted_token.from_struct ~with_secret value in
   (* Encrypt value with randomness for body token (take already encrypted cookie
@@ -331,7 +331,7 @@ let post_request_with_nonmatching_token_fails _ () =
   let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
   (* Generate a random encrypted token *)
   let tkn =
-    Nocrypto.Rng.generate token_length
+    Mirage_crypto_rng.generate token_length
     |> Encrypted_token.from_struct_random ~with_secret
     |> Encrypted_token.to_uri_safe_string
   in
@@ -361,7 +361,7 @@ let post_request_with_nonmatching_cookie_fails _ () =
   (* Generate a random encrypted token *)
   let with_secret = Sihl.Configuration.read_secret () |> Secret.make in
   let tkn =
-    Nocrypto.Rng.generate token_length
+    Mirage_crypto_rng.generate token_length
     |> Encrypted_token.from_struct ~with_secret
     |> Encrypted_token.to_uri_safe_string
   in