steamguard-cli/src/encryption.rs

use aes::cipher::InvalidLength;

use rand::Rng;

use serde::{Deserialize, Serialize};
use thiserror::Error;

mod argon2id_aes;
#[cfg(feature = "keyring")]
mod keyring;
mod legacy;

pub use argon2id_aes::*;
pub use legacy::*;

#[cfg(feature = "keyring")]
pub use crate::encryption::keyring::*;

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "scheme")]
pub enum EncryptionScheme {
	Argon2idAes256(Argon2idAes256),
	LegacySdaCompatible(LegacySdaCompatible),
}

pub trait EntryEncryptor {
	fn generate() -> Self;
	fn encrypt(
		&self,
		passkey: &str,
		plaintext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
	fn decrypt(
		&self,
		passkey: &str,
		ciphertext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
}

impl EntryEncryptor for EncryptionScheme {
	fn generate() -> Self {
		EncryptionScheme::Argon2idAes256(Argon2idAes256::generate())
	}

	fn encrypt(
		&self,
		passkey: &str,
		plaintext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
		match self {
			EncryptionScheme::Argon2idAes256(scheme) => scheme.encrypt(passkey, plaintext),
			EncryptionScheme::LegacySdaCompatible(scheme) => scheme.encrypt(passkey, plaintext),
		}
	}

	fn decrypt(
		&self,
		passkey: &str,
		ciphertext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
		match self {
			EncryptionScheme::Argon2idAes256(scheme) => scheme.decrypt(passkey, ciphertext),
			EncryptionScheme::LegacySdaCompatible(scheme) => scheme.decrypt(passkey, ciphertext),
		}
	}
}

#[derive(Debug, Error)]
pub enum EntryEncryptionError {
	#[error("Invalid ciphertext length. The ciphertext must be a multiple of 16 bytes.")]
	InvalidCipherTextLength,
	#[error(transparent)]
	Unknown(#[from] anyhow::Error),
}

/// For some reason, these errors do not get converted to `ManifestAccountLoadError`s, even though they get converted into `anyhow::Error` just fine. I am too lazy to figure out why right now.
impl From<InvalidLength> for EntryEncryptionError {
	fn from(error: InvalidLength) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::NotEqualError> for EntryEncryptionError {
	fn from(error: inout::NotEqualError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::PadError> for EntryEncryptionError {
	fn from(error: inout::PadError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::block_padding::UnpadError> for EntryEncryptionError {
	fn from(error: inout::block_padding::UnpadError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<base64::DecodeError> for EntryEncryptionError {
	fn from(error: base64::DecodeError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}
impl From<std::io::Error> for EntryEncryptionError {
	fn from(error: std::io::Error) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

pub fn generate_keyring_id() -> String {
	let rng = rand::thread_rng();
	rng.sample_iter(rand::distributions::Alphanumeric)
		.take(32)
		.map(char::from)
		.collect()
}
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`use aes::cipher::InvalidLength;`

Add support for storing encryption passkey in system keyring (#265) - add keyring package - add keyring id field to manifest - automatically attempt to load encryption passkey from keyring - have decrypt delete the passkey on decrypt - have encrypt command ask if it should store the passkey in the keyring - fix lints closes #117 2023-07-02 16:44:18 +02:00			`use rand::Rng;`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`use serde::{Deserialize, Serialize};`
			`use thiserror::Error;`

add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`mod argon2id_aes;`
Add support for storing encryption passkey in system keyring (#265) - add keyring package - add keyring id field to manifest - automatically attempt to load encryption passkey from keyring - have decrypt delete the passkey on decrypt - have encrypt command ask if it should store the passkey in the keyring - fix lints closes #117 2023-07-02 16:44:18 +02:00			`#[cfg(feature = "keyring")]`
			`mod keyring;`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`mod legacy;`

			`pub use argon2id_aes::*;`
			`pub use legacy::*;`
Add support for storing encryption passkey in system keyring (#265) - add keyring package - add keyring id field to manifest - automatically attempt to load encryption passkey from keyring - have decrypt delete the passkey on decrypt - have encrypt command ask if it should store the passkey in the keyring - fix lints closes #117 2023-07-02 16:44:18 +02:00
			`#[cfg(feature = "keyring")]`
			`pub use crate::encryption::keyring::*;`

move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`#[derive(Debug, Clone, Serialize, Deserialize)]`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`#[serde(tag = "scheme")]`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`pub enum EncryptionScheme {`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`Argon2idAes256(Argon2idAes256),`
			`LegacySdaCompatible(LegacySdaCompatible),`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`

			`pub trait EntryEncryptor {`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`fn generate() -> Self;`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`fn encrypt(`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`&self,`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`plaintext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;`
			`fn decrypt(`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`&self,`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`ciphertext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;`
			`}`

add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`impl EntryEncryptor for EncryptionScheme {`
			`fn generate() -> Self {`
			`EncryptionScheme::Argon2idAes256(Argon2idAes256::generate())`
move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`}`

move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`fn encrypt(`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`&self,`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`plaintext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`match self {`
			`EncryptionScheme::Argon2idAes256(scheme) => scheme.encrypt(passkey, plaintext),`
			`EncryptionScheme::LegacySdaCompatible(scheme) => scheme.encrypt(passkey, plaintext),`
			`}`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`

			`fn decrypt(`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`&self,`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`ciphertext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {`
add a new, faster encryption scheme (`Argon2idAes256`) and make it the default (#270) - move legacy scheme to new module - add argon2 crate - mvoe test - add argon2id aes encryption scheme - refactor encryption to be less shit - fix all the errors - fix lints 2023-07-03 16:23:56 +02:00			`match self {`
			`EncryptionScheme::Argon2idAes256(scheme) => scheme.decrypt(passkey, ciphertext),`
			`EncryptionScheme::LegacySdaCompatible(scheme) => scheme.decrypt(passkey, ciphertext),`
			`}`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`

			`#[derive(Debug, Error)]`
			`pub enum EntryEncryptionError {`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`#[error("Invalid ciphertext length. The ciphertext must be a multiple of 16 bytes.")]`
			`InvalidCipherTextLength,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`#[error(transparent)]`
			`Unknown(#[from] anyhow::Error),`
			`}`

			/// For some reason, these errors do not get converted to `ManifestAccountLoadError`s, even though they get converted into `anyhow::Error` just fine. I am too lazy to figure out why right now.
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`impl From<InvalidLength> for EntryEncryptionError {`
			`fn from(error: InvalidLength) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::NotEqualError> for EntryEncryptionError {`
			`fn from(error: inout::NotEqualError) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::PadError> for EntryEncryptionError {`
			`fn from(error: inout::PadError) -> Self {`
			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::block_padding::UnpadError> for EntryEncryptionError {`
			`fn from(error: inout::block_padding::UnpadError) -> Self {`
			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`impl From<base64::DecodeError> for EntryEncryptionError {`
			`fn from(error: base64::DecodeError) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
			`impl From<std::io::Error> for EntryEncryptionError {`
			`fn from(error: std::io::Error) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`

Add support for storing encryption passkey in system keyring (#265) - add keyring package - add keyring id field to manifest - automatically attempt to load encryption passkey from keyring - have decrypt delete the passkey on decrypt - have encrypt command ask if it should store the passkey in the keyring - fix lints closes #117 2023-07-02 16:44:18 +02:00			`pub fn generate_keyring_id() -> String {`
			`let rng = rand::thread_rng();`
			`rng.sample_iter(rand::distributions::Alphanumeric)`
			`.take(32)`
			`.map(char::from)`
			`.collect()`
			`}`