src/crypto.rs

   1 use openssl::{symm, sha::sha256};
   2 use rand::prelude::*;
   3
   4 #[derive(Debug)]
   5 pub enum KeyError {
   6     UnableToDecodeBase64Key,
   7     WrongKeyLength,
   8 }
   9
  10 #[derive(Debug)]
  11 pub enum EncryptError {
  12     KeyError(KeyError),
  13     UnsupportedVersion(u8),
  14     UnableToEncrypt,
  15 }
  16
  17 #[derive(Debug)]
  18 pub enum DecryptError {
  19     KeyError(KeyError),
  20     UnableToParseVersion,
  21     UnsupportedVersion(u8),
  22     MessageToShort,
  23     UnableToDecodeBase64Message,
  24     UnableToDecrypt,
  25     UnableToDecodeMessageAsUTF8String,
  26     HashMismatch,
  27 }
  28
  29 fn decode_key(key: &str) -> Result<Vec<u8>, KeyError> {
  30     match base64::decode(key) {
  31         Ok(k) => if k.len() != 16 { Err(KeyError::WrongKeyLength) } else { Ok(k) },
  32         Err(_e) => Err(KeyError::UnableToDecodeBase64Key)
  33     }
  34 }
  35
  36 /// Return a random key encoded in base64.
  37 pub fn generate_key() -> String {
  38     let key = rand::thread_rng().gen::<[u8; 16]>();
  39     base64::encode(key)
  40 }
  41
  42 /// Encrypt the given text with the given key (first version). The key length must be 128 bits encoded in base64.
  43 /// Ouput formats:
  44 /// * 'version' = 1: "1" + base_64(<IV> + hash(message) + aes(message))
  45 /// * 'version' = 2: "2" + base_64(<IV> + aes(hash(message) + message))
  46 /// IV: 16 bytes randomized.
  47 /// Mode : CBC.
  48 pub fn encrypt(key: &str, plain_text: &str, version: u8) -> Result<String, EncryptError> {
  49     let key_as_bytes = decode_key(key).map_err(EncryptError::KeyError)?;
  50
  51     let text_as_bytes = plain_text.as_bytes();
  52     let hash_text = sha256(&text_as_bytes);
  53     let iv = rand::thread_rng().gen::<[u8; 16]>();
  54
  55     let cipher_text =
  56         if version == 1 {
  57             symm::encrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(&iv), text_as_bytes)
  58                 .map_err(|_e| EncryptError::UnableToEncrypt)?
  59         } else if version == 2 {
  60             symm::encrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(&iv), &[&hash_text, text_as_bytes].concat())
  61                 .map_err(|_e| EncryptError::UnableToEncrypt)?
  62         } else {
  63             return Err(EncryptError::UnsupportedVersion(version))
  64         };
  65
  66     let mut result: Vec<u8> = Vec::new();
  67     result.extend(&iv);
  68
  69     if version == 1 {
  70         result.extend(&hash_text);
  71     }
  72
  73     result.extend(&cipher_text);
  74
  75     Ok(version.to_string() + &base64::encode(&result))
  76 }
  77
  78 /// Decrypt the given text with the given key. The key length must be 128 bits encoded in base64.
  79 /// Input formats:
  80 /// * version 1: "1" + base_64(<IV> + hash(message) + aes(message))
  81 /// * version 2: "2" + base_64(<IV> + aes(hash(message) + message))
  82 pub fn decrypt(key: &str, cipher_text: &str) -> Result<String, DecryptError> {
  83     let key_as_bytes = decode_key(key).map_err(DecryptError::KeyError)?;
  84
  85     // Can't decrypt a message with the wrong version.
  86     let first_char = &cipher_text[..1];
  87     let version: u8 = first_char.parse().map_err(|_e| DecryptError::UnableToParseVersion)?;
  88
  89     if version != 1 && version != 2 {
  90         return Err(DecryptError::UnsupportedVersion(version))
  91     }
  92
  93     let cipher_text_bytes =
  94         base64::decode(&cipher_text.as_bytes()[1..])
  95             .map_err(|_e| DecryptError::UnableToDecodeBase64Message)?;
  96
  97     if cipher_text_bytes.len() <= 48 { return Err(DecryptError::MessageToShort) }
  98
  99     let iv = &cipher_text_bytes[0..16];
 100
 101     let (plain_message_bytes, hash) =
 102         if version == 1 {
 103             let encrypted_message = &cipher_text_bytes[48..];
 104             (
 105                 symm::decrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(iv), encrypted_message)
 106                     .map_err(|_e| DecryptError::UnableToDecrypt)?,
 107                 cipher_text_bytes[16..48].to_vec()
 108             )
 109         } else {
 110             let encrypted_message = &cipher_text_bytes[16..];
 111             let plain_text =
 112                 symm::decrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(iv), encrypted_message)
 113                     .map_err(|_e| DecryptError::UnableToDecrypt)?;
 114             (
 115                 plain_text[32..].to_vec(),
 116                 plain_text[0..32].to_vec()
 117             )
 118         };
 119
 120     if sha256(&plain_message_bytes) != hash[..] { return Err(DecryptError::HashMismatch) }
 121
 122     let plain_message =
 123         String::from_utf8(plain_message_bytes)
 124             .map_err(|_e| DecryptError::UnableToDecodeMessageAsUTF8String)?;
 125
 126     Ok(plain_message)
 127 }