AAD for token encryption/decryption (#4)

* adding aad for token encryption/decryption * switch definition order of types
grisp · Sep 18, 2024 · 77f3a1e · 77f3a1e
1 parent e8ed0c2
commit 77f3a1e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 11 deletions.
diff --git a/src/rebar3_grisp_io_config.erl b/src/rebar3_grisp_io_config.erl
@@ -15,15 +15,20 @@
 %--- Macros --------------------------------------------------------------------
 
 -define(CONFIG_FILE, "grisp-io.config").
--define(AES, aes_256_ecb).
+-define(AES, aes_256_gcm).
 -define(AES_KEY_SIZE, 256).
+-define(AAD, <<"LetItCrash">>).
 
 %--- Types ---------------------------------------------------------------------
 
+-type encrypted_token() :: #{iv => binary(),
+                             tag => binary(),
+                             encrypted_token => binary()}.
+
 -type config() :: #{username := binary(),
-                    encrypted_token := binary()}.
--type clear_token() :: <<_:_*128>>. % AES => data blocks of 16 bytes (128 bits).
+                    encrypted_token := encrypted_token()}.
 
+-type clear_token() :: <<_:_*128>>. % AES => data blocks of 16 bytes (128 bits).
 %--- API -----------------------------------------------------------------------
 
 %% @doc Write the new configuration stored
@@ -51,16 +56,21 @@ read_config(State) ->
 
 %% @doc encrypt the token provided in the args
 %% Warning: the token must have a bytes size that is a multiple of 16
--spec encrypt_token(binary(), clear_token()) -> binary().
+-spec encrypt_token(binary(), clear_token()) -> encrypted_token().
 encrypt_token(LocalPassword, Token) ->
-    PaddedPassword = password_padding(LocalPassword),
-    crypto:crypto_one_time(?AES, PaddedPassword, Token, true).
+    PaddedPswd = password_padding(LocalPassword),
+    IV = crypto:strong_rand_bytes(16),
+    {EncrToken, Tag} = crypto:crypto_one_time_aead(?AES, PaddedPswd, IV,
+                                                   Token, ?AAD, true),
+    #{iv => IV, tag => Tag, encrypted_token => EncrToken}.
 
 %% @doc Decrypt the token present in Encrypted token
--spec decrypt_token(binary(), binary()) -> clear_token().
-decrypt_token(LocalPassword, EncryptedToken) ->
-    PaddedPassword = password_padding(LocalPassword),
-    crypto:crypto_one_time(?AES, PaddedPassword, EncryptedToken, false).
+-spec decrypt_token(binary(), encrypted_token()) -> clear_token() | error.
+decrypt_token(LocalPassword, TokenMap) ->
+    PaddedPswd = password_padding(LocalPassword),
+    #{iv := IV, tag := Tag, encrypted_token := EncrToken} = TokenMap,
+    crypto:crypto_one_time_aead(?AES, PaddedPswd, IV,
+                                EncrToken, ?AAD, Tag, false).
 
 %--- Internals -----------------------------------------------------------------
 auth_config_file(State) ->

diff --git a/test/rebar3_grisp_io_config_SUITE.erl b/test/rebar3_grisp_io_config_SUITE.erl
@@ -55,7 +55,9 @@ read_write_config_test(Config) ->
 encrypt_decrypt_token(Config) ->
     Token = ?config(token, Config),
     Password = ?config(local_password, Config),
+    BadPassword = <<"aaaaaaaaaaaaaaaa">>,
     EncryptedToken = rebar3_grisp_io_config:encrypt_token(Password, Token),
     ?assertNotEqual(<<>>, EncryptedToken),
     ?assertNotEqual(Token, EncryptedToken),
-    ?assertEqual(Token, rebar3_grisp_io_config:decrypt_token(Password, EncryptedToken)).
+    ?assertEqual(Token, rebar3_grisp_io_config:decrypt_token(Password, EncryptedToken)),
+    ?assertEqual(error, rebar3_grisp_io_config:decrypt_token(BadPassword, EncryptedToken)).