1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103

package util

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"hash/fnv"
	"io"
	"strings"

	"github.com/pkg/errors"
)

var _encryptKey string

func EncryptMessage(key []byte, message string, logger Logger) (string, error) {
	block, err := newCipher(key, logger)
	if err != nil {
		return "", errors.Wrap(err, "could not create new cipher")
	}

	byteMsg := []byte(message)
	if len(byteMsg) > 1024*1024*64 {
		return "", errors.New("message is too large")
	}
	cipherText := make([]byte, aes.BlockSize+len(byteMsg))
	iv := cipherText[:aes.BlockSize]
	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
		return "", errors.Wrap(err, "could not encrypt")
	}

	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(cipherText[aes.BlockSize:], byteMsg)

	return base64.StdEncoding.EncodeToString(cipherText), nil
}

func DecryptMessage(key []byte, message string, logger Logger) (string, error) {
	block, err := newCipher(key, logger)
	if err != nil {
		return "", errors.Wrap(err, "could not create new cipher")
	}

	cipherText, err := base64.StdEncoding.DecodeString(message)
	if err != nil {
		return "", errors.Wrap(err, "could not base64 decode")
	}
	if len(cipherText) < aes.BlockSize {
		return "", errors.New("invalid ciphertext block size")
	}

	iv := cipherText[:aes.BlockSize]
	cipherText = cipherText[aes.BlockSize:]

	stream := cipher.NewCFBDecrypter(block, iv)
	stream.XORKeyStream(cipherText, cipherText)

	return string(cipherText), nil
}

func newCipher(key []byte, logger Logger) (cipher.Block, error) {
	if key == nil {
		key = getKey(logger)
	}
	for i := len(key); i < 16; i++ {
		key = append(key, ' ')
	}
	key = key[:16]
	return aes.NewCipher(key)
}

func HashFNV32(s string) uint32 {
	h := fnv.New32a()
	_, _ = h.Write([]byte(s))
	return h.Sum32()
}

// HashSHA256 returns a Base64-encoded string representing the SHA-256 hash of the argument.
func HashSHA256(s string) string {
	h := sha256.New()
	ret := h.Sum([]byte(s))
	return base64.URLEncoding.EncodeToString(ret)
}

func getKey(logger Logger) []byte {
	if _encryptKey == "" {
		env := strings.ReplaceAll(AppKey, "-", "_") + "_encryption_key"
		_encryptKey = GetEnv(env)
		if _encryptKey == "" {
			if logger != nil {
				logger.Warnf("using default encryption key; set environment variable [%s] to save sessions between restarts", env)
			}
			_encryptKey = AppKey + "_secret"
		}
		for i := len(_encryptKey); i < 16; i++ {
			_encryptKey += " "
		}
		_encryptKey = _encryptKey[:16]
	}
	return []byte(_encryptKey)
}