diff options
| author | Ryan Mehri <[email protected]> | 2020-05-15 19:00:21 -0600 |
|---|---|---|
| committer | Ryan Mehri <[email protected]> | 2020-05-15 19:00:21 -0600 |
| commit | 4e03758e92887fe4251a73ce8125b93e8624b6a2 (patch) | |
| tree | 7afe72a155fd9f6afd1bdded4a214b6fbba77fa0 /backend/security | |
| parent | Add encryption to content when password is specified (diff) | |
| download | ctrl-v-4e03758e92887fe4251a73ce8125b93e8624b6a2.tar.xz ctrl-v-4e03758e92887fe4251a73ce8125b93e8624b6a2.zip | |
Add comments and clean up encryption
Diffstat (limited to 'backend/security')
| -rw-r--r-- | backend/security/encrypt.go | 56 |
1 files changed, 36 insertions, 20 deletions
diff --git a/backend/security/encrypt.go b/backend/security/encrypt.go index fff027c..4af5e3c 100644 --- a/backend/security/encrypt.go +++ b/backend/security/encrypt.go @@ -4,62 +4,78 @@ import ( "crypto/aes" "crypto/cipher" "crypto/rand" + "errors" "golang.org/x/crypto/scrypt" ) -func Encrypt(key, data []byte) ([]byte, error) { - blockCipher, err := aes.NewCipher(key) +var EncryptionError = errors.New("could not encrypt the given content") + +func Encrypt(key, data string) (string, error) { + // initialize aes block cipher with given key + blockCipher, err := aes.NewCipher([]byte(key)) if err != nil { - return nil, err + return "", err } + // wrap block cipher with Galois Counter Mode and standard nonce length gcm, err := cipher.NewGCM(blockCipher) if err != nil { - return nil, err + return "", err } + // generate nonce (number once used) unique to the given key nonce := make([]byte, gcm.NonceSize()) if _, err = rand.Read(nonce); err != nil { - return nil, err + return "", err } - cipherText := gcm.Seal(nonce, nonce, data, nil) + // seal nonce with data to use during decryption + cipherText := gcm.Seal(nonce, nonce, []byte(data), nil) - return cipherText, nil + return string(cipherText), nil } -func Decrypt(key, data []byte) ([]byte, error) { - blockCipher, err := aes.NewCipher(key) +func Decrypt(key, data string) (string, error) { + // similar to encrypt, create cipher and wrap with GCM + blockCipher, err := aes.NewCipher([]byte(key)) if err != nil { - return nil, err + return "", err } gcm, err := cipher.NewGCM(blockCipher) if err != nil { - return nil, err + return "", err } + // extract the nonce from the data nonce, cipherText := data[:gcm.NonceSize()], data[gcm.NonceSize():] - plaintext, err := gcm.Open(nil, nonce, cipherText, nil) + + // use nonce to decrypt the data + plaintext, err := gcm.Open(nil, []byte(nonce), []byte(cipherText), nil) if err != nil { - return nil, err + return "", err } - return plaintext, nil + return string(plaintext), nil } -func DeriveKey(password, salt []byte) ([]byte, []byte, error) { +const keyBytes = 16 +const iterations = 16384 +const relativeMemoryCost = 8 +const relativeCPUCost = 1 + +func DeriveKey(password string, salt []byte) (string, []byte, error) { if salt == nil { - salt = make([]byte, 16) + salt = make([]byte, keyBytes) if _, err := rand.Read(salt); err != nil { - return nil, nil, err + return "", nil, err } } - key, err := scrypt.Key(password, salt, 16384, 8, 1, 16) + key, err := scrypt.Key([]byte(password), salt, iterations, relativeMemoryCost, relativeCPUCost, keyBytes) if err != nil { - return nil, nil, err + return "", nil, err } - return key, salt, nil + return string(key), salt, nil } |