This repository was archived by the owner on Feb 15, 2019. It is now read-only.
In https://github.com/warner/magic-wormhole.rs/issues/32 I discovered a bug in which SPAKE2::start_symmetric() was called with the password and id_s arguments swapped. This compiles and even self-interoperates, because both values had the same slice type (&[u8]). However it introduces a serious security bug: it makes the protocol vulnerable to an online man-in-the-middle attack (since the SPAKE2 blinding factors become constant). The attacker merely has to test one hash per possible password and use the application's Key Confirmation Message as an oracle. For magic-wormhole this would have taken less than a millisecond.
I discovered this bug while introducing "newtypes" into magic-wormhole: structs which wrap a single value, used just for typechecking arguments.
We should introduce a Password and Identity pair of newtypes into the spake2.rs API and use them for these arguments. I think that would make this sort of mistake harder to make for other applications in the future.
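As an added illustration of the proposal above (this is example code, not the spake2 crate's or magic-wormhole's own code), the block below contrasts a raw-slice signature with a newtype signature. `start_symmetric_raw`, `start_symmetric` and `toy_blind` are hypothetical stand-ins: the real SPAKE2 derivation of the secret scalar from the password is replaced by a plain hash, which is enough to show why swapping `password` and `id_s` removes the password's influence on the secret part, and why the newtype version turns the same swap into a compile error rather than a silent interoperating bug.

```rust
// Added example (not the spake2 crate's own code): raw-slice API vs newtype API.
// `start_symmetric_raw`, `start_symmetric` and `toy_blind` are hypothetical
// stand-ins; the hash below is a toy replacement for the real SPAKE2 scalar
// derivation and must not be read as a description of it.

use std::collections::hash_map::DefaultHasher;
use std::fmt;
use std::hash::{Hash, Hasher};

/// Password newtype: wraps the secret bytes so the type system can tell them
/// apart from an identity. Debug is implemented by hand so the secret is never
/// printed by accident.
#[derive(Clone, PartialEq, Eq)]
pub struct Password(Vec<u8>);

impl Password {
    pub fn new(bytes: &[u8]) -> Self {
        Password(bytes.to_vec())
    }
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for Password {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Password(<redacted>)")
    }
}

/// Identity newtype: the public side identifier.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Identity(Vec<u8>);

impl Identity {
    pub fn new(bytes: &[u8]) -> Self {
        Identity(bytes.to_vec())
    }
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

/// Toy stand-in (assumption) for "the secret value derived from the password".
fn toy_blind(secret: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    secret.hash(&mut h);
    h.finish()
}

/// Old-style signature: both arguments are `&[u8]`, so a caller can swap them
/// and the compiler cannot object.
pub fn start_symmetric_raw(password: &[u8], id_s: &[u8]) -> (u64, Vec<u8>) {
    (toy_blind(password), id_s.to_vec())
}

/// Newtype signature: the same call with the arguments swapped is a type error.
pub fn start_symmetric(password: &Password, id_s: &Identity) -> (u64, Vec<u8>) {
    (toy_blind(password.as_bytes()), id_s.as_bytes().to_vec())
}

/// With the raw API and swapped arguments, the "secret" part is derived from
/// the public identity, so it is identical for every password.
pub fn raw_api_swap_gives_constant_secret() -> bool {
    let id: &[u8] = b"magic-wormhole";
    let (s1, _) = start_symmetric_raw(id, b"password-one"); // arguments swapped
    let (s2, _) = start_symmetric_raw(id, b"password-two"); // arguments swapped
    s1 == s2
}

/// With the newtype API the secret part varies with the password, and
/// `start_symmetric(&id, &Password::new(..))` does not compile at all.
pub fn newtype_api_secret_depends_on_password() -> bool {
    let id = Identity::new(b"magic-wormhole");
    let (s1, _) = start_symmetric(&Password::new(b"password-one"), &id);
    let (s2, _) = start_symmetric(&Password::new(b"password-two"), &id);
    s1 != s2
}

/// The redacting Debug impl keeps the password out of logs and panics.
pub fn password_debug_is_redacted() -> bool {
    format!("{:?}", Password::new(b"hunter2")) == "Password(<redacted>)"
}

fn main() {
    println!("raw API, swapped args, secret constant: {}", raw_api_swap_gives_constant_secret());
    println!("newtype API, secret varies: {}", newtype_api_secret_depends_on_password());
    println!("Password debug redacted: {}", password_debug_is_redacted());
}
```

The value of the newtypes is entirely at the call site: once the parameters have distinct types, the swapped call from the bug report fails to type-check instead of producing a peer that interoperates with itself while deriving its secret from public data.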