X-Git-Url: http://git.euphorik.ch/index.cgi?a=blobdiff_plain;f=src%2Fcrypto.rs;h=16fbaa0c6b8094fc26a9c2e7537391ee11562b7e;hb=295ca1daf01ff83964812c50fe1374dd679a0559;hp=cc8bf848ef326a615dadf4023f278b47cc86fb3d;hpb=b1f2c5b803a7e85a3b0c8d999cf9a13d28c6c6c2;p=rup.git

diff --git a/src/crypto.rs b/src/crypto.rs
index cc8bf84..16fbaa0 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -1,38 +1,127 @@
 use openssl::{symm, sha::sha256};
 use rand::prelude::*;
 
-/// Encrypt the given text with the given key. The key length must be 128 bits encoded in base64.
-/// Ouput format:
-/// Format "1" + base_64(<IV> + <hash(message)> + <aes(message)>)
+#[derive(Debug)]
+pub enum KeyError {
+    UnableToDecodeBase64Key,
+    WrongKeyLength,
+}
+
+#[derive(Debug)]
+pub enum EncryptError {
+    KeyError(KeyError),
+    UnsupportedVersion(u8),
+    UnableToEncrypt,
+}
+
+#[derive(Debug)]
+pub enum DecryptError {
+    KeyError(KeyError),
+    UnableToParseVersion,
+    UnsupportedVersion(u8),
+    MessageToShort,
+    UnableToDecodeBase64Message,
+    UnableToDecrypt,
+    UnableToDecodeMessageAsUTF8String,
+    HashMismatch,
+}
+
+fn decode_key(key: &str) -> Result<Vec<u8>, KeyError> {
+    match base64::decode(key) {
+        Ok(k) => if k.len() != 16 { Err(KeyError::WrongKeyLength) } else { Ok(k) },
+        Err(_e) => Err(KeyError::UnableToDecodeBase64Key)
+    }
+}
+
+/// Return a random key encoded in base64.
+pub fn generate_key() -> String {
+    let key = rand::thread_rng().gen::<[u8; 16]>();
+    base64::encode(key)
+}
+
+/// Encrypt the given text with the given key (first version). The key length must be 128 bits encoded in base64.
+/// Ouput formats:
+/// * 'version' = 1: "1" + base_64(<IV> + hash(message) + aes(message))
+/// * 'version' = 2: "2" + base_64(<IV> + aes(hash(message) + message))
 /// IV: 16 bytes randomized.
 /// Mode : CBC.
-pub fn encrypt(key: &str, plain_text: &str) -> String {
-    let key_as_bytes = base64::decode(key).expect("Unable to decode base64 encoded key");
-    assert!(key_as_bytes.len() == 16);
+pub fn encrypt(key: &str, plain_text: &str, version: u8) -> Result<String, EncryptError> {
+    let key_as_bytes = decode_key(key).map_err(EncryptError::KeyError)?;
 
     let text_as_bytes = plain_text.as_bytes();
-
+    let hash_text = sha256(&text_as_bytes);
     let iv = rand::thread_rng().gen::<[u8; 16]>();
 
     let cipher_text =
-        symm::encrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(&iv), text_as_bytes)
-            .expect("Unable to encrypt message");
-
-    let hash_text = sha256(&text_as_bytes);
+        if version == 1 {
+            symm::encrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(&iv), text_as_bytes)
+                .map_err(|_e| EncryptError::UnableToEncrypt)?
+        } else if version == 2 {
+            symm::encrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(&iv), &[&hash_text, text_as_bytes].concat())
+                .map_err(|_e| EncryptError::UnableToEncrypt)?
+        } else {
+            return Err(EncryptError::UnsupportedVersion(version))
+        };
 
     let mut result: Vec<u8> = Vec::new();
     result.extend(&iv);
-    result.extend(&hash_text);
+
+    if version == 1 {
+        result.extend(&hash_text);
+    }
+
     result.extend(&cipher_text);
 
-    String::from("1") + &base64::encode(&result)
+    Ok(version.to_string() + &base64::encode(&result))
 }
 
-pub fn decrypt(key: &str, cipher_text: &str) -> Option<String> {
-    if cipher_text.chars() != '1' {
-        return None;
+/// Decrypt the given text with the given key. The key length must be 128 bits encoded in base64.
+/// Input formats:
+/// * version 1: "1" + base_64(<IV> + hash(message) + aes(message))
+/// * version 2: "2" + base_64(<IV> + aes(hash(message) + message))
+pub fn decrypt(key: &str, cipher_text: &str) -> Result<String, DecryptError> {
+    let key_as_bytes = decode_key(key).map_err(DecryptError::KeyError)?;
+
+    // Can't decrypt a message with the wrong version.
+    let first_char = &cipher_text[..1];
+    let version: u8 = first_char.parse().map_err(|_e| DecryptError::UnableToParseVersion)?;
+
+    if version != 1 && version != 2 {
+        return Err(DecryptError::UnsupportedVersion(version))
     }
 
-    println!("cypher: {}", cipher_text);
-    Some(String::new())
+    let cipher_text_bytes =
+        base64::decode(&cipher_text.as_bytes()[1..])
+            .map_err(|_e| DecryptError::UnableToDecodeBase64Message)?;
+
+    if cipher_text_bytes.len() <= 48 { return Err(DecryptError::MessageToShort) }
+
+    let iv = &cipher_text_bytes[0..16];
+
+    let (plain_message_bytes, hash) =
+        if version == 1 {
+            let encrypted_message = &cipher_text_bytes[48..];
+            (
+                symm::decrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(iv), encrypted_message)
+                    .map_err(|_e| DecryptError::UnableToDecrypt)?,
+                cipher_text_bytes[16..48].to_vec()
+            )
+        } else {
+            let encrypted_message = &cipher_text_bytes[16..];
+            let plain_text =
+                symm::decrypt(symm::Cipher::aes_128_cbc(), &key_as_bytes, Some(iv), encrypted_message)
+                    .map_err(|_e| DecryptError::UnableToDecrypt)?;
+            (
+                plain_text[32..].to_vec(),
+                plain_text[0..32].to_vec()
+            )
+        };
+
+    if sha256(&plain_message_bytes) != hash[..] { return Err(DecryptError::HashMismatch) }
+
+    let plain_message =
+        String::from_utf8(plain_message_bytes)
+            .map_err(|_e| DecryptError::UnableToDecodeMessageAsUTF8String)?;
+
+    Ok(plain_message)
 }