diff options
| author | Ryan Mehri <[email protected]> | 2020-05-15 17:58:09 -0600 |
|---|---|---|
| committer | Ryan Mehri <[email protected]> | 2020-05-15 17:58:09 -0600 |
| commit | 5d037e8297a192996b7281af0ca761c160aaed30 (patch) | |
| tree | 68a21642cfb9396e734f16e8d636af3efdee49a0 /backend | |
| parent | Merge pull request #24 from jackyzha0/update-readme (diff) | |
| download | ctrl-v-5d037e8297a192996b7281af0ca761c160aaed30.tar.xz ctrl-v-5d037e8297a192996b7281af0ca761c160aaed30.zip | |
Add encryption to content when password is specified
Diffstat (limited to 'backend')
| -rw-r--r-- | backend/cache/cache.go | 18 | ||||
| -rw-r--r-- | backend/db/db.go | 21 | ||||
| -rw-r--r-- | backend/db/schemas.go | 1 | ||||
| -rw-r--r-- | backend/security/encrypt.go | 65 | ||||
| -rw-r--r-- | backend/security/hash.go (renamed from backend/hashing/hash.go) | 2 |
5 files changed, 101 insertions, 6 deletions
diff --git a/backend/cache/cache.go b/backend/cache/cache.go index 71007e5..6d5eb42 100644 --- a/backend/cache/cache.go +++ b/backend/cache/cache.go @@ -2,7 +2,7 @@ package cache import ( "errors" - "github.com/jackyzha0/ctrl-v/hashing" + "github.com/jackyzha0/ctrl-v/security" "sync" "github.com/jackyzha0/ctrl-v/db" @@ -17,6 +17,7 @@ var C *Cache var PasteNotFound = errors.New("could not find a paste with that hash") var UserUnauthorized = errors.New("paste is password protected") +var EncryptionError = errors.New("could not encrypt the given content") func init() { C = &Cache{ @@ -46,9 +47,22 @@ func (c *Cache) Get(hash, userPassword string) (db.Paste, error) { // if there is a password, check the provided one against it if p.Password != "" { // if passwords do not match, the user is unauthorized - if !hashing.PasswordsEqual(p.Password, userPassword) { + if !security.PasswordsEqual(p.Password, userPassword) { return db.Paste{}, UserUnauthorized } + + // if password matches, decrypt content + key, _, err := security.DeriveKey([]byte(userPassword), p.Salt) + if err != nil { + return db.Paste{}, EncryptionError + } + + decryptedBytes, err := security.Decrypt(key, []byte(p.Content)) + if err != nil { + return db.Paste{}, EncryptionError + } + + p.Content = string(decryptedBytes) } return p, nil diff --git a/backend/db/db.go b/backend/db/db.go index 4e58188..b18eddf 100644 --- a/backend/db/db.go +++ b/backend/db/db.go @@ -5,7 +5,7 @@ import ( "os" "time" - "github.com/jackyzha0/ctrl-v/hashing" + "github.com/jackyzha0/ctrl-v/security" "github.com/joho/godotenv" log "github.com/sirupsen/logrus" ) @@ -30,7 +30,7 @@ const ContentLimit = 100000 // creates a new paste with title, content and hash, returns the hash of the created paste func New(ip, content, expiry, title, password string) (string, error) { // generate hash from ip - hash := hashing.GenerateURI(ip) + hash := security.GenerateURI(ip) // check for size of title and content errs := checkLengths(title, content) @@ -45,9 +45,24 @@ func New(ip, content, expiry, title, password string) (string, error) { Title: title, } + // if there is a password, encrypt content and hash the password if password != "" { + // use pass to encrypt content + key, salt, err := security.DeriveKey([]byte(password), nil) + if err != nil { + return "", fmt.Errorf("could not generate key: %s", err.Error()) + } + new.Salt = salt + + encryptedBytes, err := security.Encrypt(key, []byte(new.Content)) + if err != nil { + return "", fmt.Errorf("could not encrypt content: %s", err.Error()) + } + + new.Content = string(encryptedBytes) + // hash given password - hashedPass, err := hashing.HashPassword(password) + hashedPass, err := security.HashPassword(password) if err != nil { return "", fmt.Errorf("could not hash password: %s", err.Error()) } diff --git a/backend/db/schemas.go b/backend/db/schemas.go index 4c73f82..d3551fc 100644 --- a/backend/db/schemas.go +++ b/backend/db/schemas.go @@ -14,4 +14,5 @@ type Paste struct { Expiry time.Time `bson:"expiry"` Title string Password string + Salt []byte } diff --git a/backend/security/encrypt.go b/backend/security/encrypt.go new file mode 100644 index 0000000..fff027c --- /dev/null +++ b/backend/security/encrypt.go @@ -0,0 +1,65 @@ +package security + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/rand" + "golang.org/x/crypto/scrypt" +) + +func Encrypt(key, data []byte) ([]byte, error) { + blockCipher, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + + gcm, err := cipher.NewGCM(blockCipher) + if err != nil { + return nil, err + } + + nonce := make([]byte, gcm.NonceSize()) + if _, err = rand.Read(nonce); err != nil { + return nil, err + } + + cipherText := gcm.Seal(nonce, nonce, data, nil) + + return cipherText, nil +} + +func Decrypt(key, data []byte) ([]byte, error) { + blockCipher, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + + gcm, err := cipher.NewGCM(blockCipher) + if err != nil { + return nil, err + } + + nonce, cipherText := data[:gcm.NonceSize()], data[gcm.NonceSize():] + plaintext, err := gcm.Open(nil, nonce, cipherText, nil) + if err != nil { + return nil, err + } + + return plaintext, nil +} + +func DeriveKey(password, salt []byte) ([]byte, []byte, error) { + if salt == nil { + salt = make([]byte, 16) + if _, err := rand.Read(salt); err != nil { + return nil, nil, err + } + } + + key, err := scrypt.Key(password, salt, 16384, 8, 1, 16) + if err != nil { + return nil, nil, err + } + + return key, salt, nil +} diff --git a/backend/hashing/hash.go b/backend/security/hash.go index e944fbe..b6ce167 100644 --- a/backend/hashing/hash.go +++ b/backend/security/hash.go @@ -1,4 +1,4 @@ -package hashing +package security import ( "crypto/md5" |