diff --git a/src/rebar3_grisp_io_config.erl b/src/rebar3_grisp_io_config.erl index 9d09f41..2905e20 100644 --- a/src/rebar3_grisp_io_config.erl +++ b/src/rebar3_grisp_io_config.erl @@ -15,15 +15,20 @@ %--- Macros -------------------------------------------------------------------- -define(CONFIG_FILE, "grisp-io.config"). --define(AES, aes_256_ecb). +-define(AES, aes_256_gcm). -define(AES_KEY_SIZE, 256). +-define(AAD, <<"LetItCrash">>). %--- Types --------------------------------------------------------------------- +-type encrypted_token() :: #{iv => binary(), + tag => binary(), + encrypted_token => binary()}. + -type config() :: #{username := binary(), - encrypted_token := binary()}. --type clear_token() :: <<_:_*128>>. % AES => data blocks of 16 bytes (128 bits). + encrypted_token := encrypted_token()}. +-type clear_token() :: <<_:_*128>>. % AES => data blocks of 16 bytes (128 bits). %--- API ----------------------------------------------------------------------- %% @doc Write the new configuration stored @@ -51,16 +56,21 @@ read_config(State) -> %% @doc encrypt the token provided in the args %% Warning: the token must have a bytes size that is a multiple of 16 --spec encrypt_token(binary(), clear_token()) -> binary(). +-spec encrypt_token(binary(), clear_token()) -> encrypted_token(). encrypt_token(LocalPassword, Token) -> - PaddedPassword = password_padding(LocalPassword), - crypto:crypto_one_time(?AES, PaddedPassword, Token, true). + PaddedPswd = password_padding(LocalPassword), + IV = crypto:strong_rand_bytes(16), + {EncrToken, Tag} = crypto:crypto_one_time_aead(?AES, PaddedPswd, IV, + Token, ?AAD, true), + #{iv => IV, tag => Tag, encrypted_token => EncrToken}. %% @doc Decrypt the token present in Encrypted token --spec decrypt_token(binary(), binary()) -> clear_token(). -decrypt_token(LocalPassword, EncryptedToken) -> - PaddedPassword = password_padding(LocalPassword), - crypto:crypto_one_time(?AES, PaddedPassword, EncryptedToken, false). +-spec decrypt_token(binary(), encrypted_token()) -> clear_token() | error. +decrypt_token(LocalPassword, TokenMap) -> + PaddedPswd = password_padding(LocalPassword), + #{iv := IV, tag := Tag, encrypted_token := EncrToken} = TokenMap, + crypto:crypto_one_time_aead(?AES, PaddedPswd, IV, + EncrToken, ?AAD, Tag, false). %--- Internals ----------------------------------------------------------------- auth_config_file(State) -> diff --git a/test/rebar3_grisp_io_config_SUITE.erl b/test/rebar3_grisp_io_config_SUITE.erl index bd20449..1d375f6 100644 --- a/test/rebar3_grisp_io_config_SUITE.erl +++ b/test/rebar3_grisp_io_config_SUITE.erl @@ -55,7 +55,9 @@ read_write_config_test(Config) -> encrypt_decrypt_token(Config) -> Token = ?config(token, Config), Password = ?config(local_password, Config), + BadPassword = <<"aaaaaaaaaaaaaaaa">>, EncryptedToken = rebar3_grisp_io_config:encrypt_token(Password, Token), ?assertNotEqual(<<>>, EncryptedToken), ?assertNotEqual(Token, EncryptedToken), - ?assertEqual(Token, rebar3_grisp_io_config:decrypt_token(Password, EncryptedToken)). + ?assertEqual(Token, rebar3_grisp_io_config:decrypt_token(Password, EncryptedToken)), + ?assertEqual(error, rebar3_grisp_io_config:decrypt_token(BadPassword, EncryptedToken)).