steamguard-cli/src/encryption.rs

use aes::cipher::block_padding::Pkcs7;
use aes::cipher::{BlockDecryptMut, BlockEncryptMut, InvalidLength, KeyIvInit};
use aes::Aes256;
use ring::pbkdf2;
use ring::rand::SecureRandom;
use serde::{Deserialize, Serialize};
use thiserror::Error;

const SALT_LENGTH: usize = 8;
const IV_LENGTH: usize = 16;

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EntryEncryptionParams {
	pub iv: String,
	pub salt: String,
	pub scheme: EncryptionScheme,
}

impl EntryEncryptionParams {
	pub fn generate() -> EntryEncryptionParams {
		let rng = ring::rand::SystemRandom::new();
		let mut salt = [0u8; SALT_LENGTH];
		let mut iv = [0u8; IV_LENGTH];
		rng.fill(&mut salt).expect("Unable to generate salt.");
		rng.fill(&mut iv).expect("Unable to generate IV.");
		EntryEncryptionParams {
			salt: base64::encode(salt),
			iv: base64::encode(iv),
			scheme: Default::default(),
		}
	}
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum EncryptionScheme {
	/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
	LegacySdaCompatible = -1,
}

impl Default for EncryptionScheme {
	fn default() -> Self {
		Self::LegacySdaCompatible
	}
}

pub trait EntryEncryptor {
	fn encrypt(
		passkey: &str,
		params: &EntryEncryptionParams,
		plaintext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
	fn decrypt(
		passkey: &str,
		params: &EntryEncryptionParams,
		ciphertext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
}

/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
pub struct LegacySdaCompatible;

impl LegacySdaCompatible {
	const PBKDF2_ITERATIONS: u32 = 50000; // This is necessary to maintain compatibility with SteamDesktopAuthenticator.
	const KEY_SIZE_BYTES: usize = 32;

	fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
		let password_bytes = passkey.as_bytes();
		let salt_bytes = base64::decode(salt)?;
		let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
		pbkdf2::derive(
			pbkdf2::PBKDF2_HMAC_SHA1,
			std::num::NonZeroU32::new(Self::PBKDF2_ITERATIONS).unwrap(),
			&salt_bytes,
			password_bytes,
			&mut full_key,
		);
		Ok(full_key)
	}
}

impl EntryEncryptor for LegacySdaCompatible {
	fn encrypt(
		passkey: &str,
		params: &EntryEncryptionParams,
		plaintext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
		let key = Self::get_encryption_key(passkey, &params.salt)?;
		let mut iv = [0u8; IV_LENGTH];
		base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;

		let cipher = cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv)?;

		let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);

		let encoded = base64::encode(ciphertext);
		Ok(encoded.as_bytes().to_vec())
	}

	fn decrypt(
		passkey: &str,
		params: &EntryEncryptionParams,
		ciphertext: Vec<u8>,
	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
		let key = Self::get_encryption_key(passkey, &params.salt)?;
		let mut iv = [0u8; IV_LENGTH];
		base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;
		let cipher = cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv)?;
		let decoded = base64::decode(ciphertext)?;
		let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
		let mut buffer = vec![0xffu8; 16 * size];
		buffer[..decoded.len()].copy_from_slice(&decoded);
		let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
		Ok(decrypted.to_vec())
	}
}

#[derive(Debug, Error)]
pub enum EntryEncryptionError {
	#[error("Invalid ciphertext length. The ciphertext must be a multiple of 16 bytes.")]
	InvalidCipherTextLength,
	#[error(transparent)]
	Unknown(#[from] anyhow::Error),
}

/// For some reason, these errors do not get converted to `ManifestAccountLoadError`s, even though they get converted into `anyhow::Error` just fine. I am too lazy to figure out why right now.
impl From<InvalidLength> for EntryEncryptionError {
	fn from(error: InvalidLength) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::NotEqualError> for EntryEncryptionError {
	fn from(error: inout::NotEqualError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::PadError> for EntryEncryptionError {
	fn from(error: inout::PadError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<inout::block_padding::UnpadError> for EntryEncryptionError {
	fn from(error: inout::block_padding::UnpadError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

impl From<base64::DecodeError> for EntryEncryptionError {
	fn from(error: base64::DecodeError) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}
impl From<std::io::Error> for EntryEncryptionError {
	fn from(error: std::io::Error) -> Self {
		Self::Unknown(anyhow::Error::from(error))
	}
}

#[cfg(test)]
mod tests {
	use super::*;
	use proptest::prelude::*;

	/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli
	#[test]
	fn test_encryption_key() {
		assert_eq!(
			LegacySdaCompatible::get_encryption_key("password", "GMhL0N2hqXg=")
				.unwrap()
				.as_slice(),
			base64::decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")
				.unwrap()
				.as_slice()
		);

		assert_eq!(
			LegacySdaCompatible::get_encryption_key("password", "wTzTE9A6aN8=")
				.unwrap()
				.as_slice(),
			base64::decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")
				.unwrap()
				.as_slice()
		);
	}

	#[test]
	fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
		let cases = [
			"foo",
			"tactical glizzy",
			"glizzy gladiator",
			"shadow wizard money gang",
			"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
		];
		let passkey = "password";
		let params = EntryEncryptionParams::generate();
		for case in cases {
			eprintln!("testing case: {} (len {})", case, case.len());
			let orig = case.as_bytes().to_vec();
			let encrypted = LegacySdaCompatible::encrypt(passkey, &params, orig.clone()).unwrap();
			let result = LegacySdaCompatible::decrypt(passkey, &params, encrypted).unwrap();
			assert_eq!(orig, result.to_vec());
		}
		Ok(())
	}

	prop_compose! {
		/// An insecure but reproducible strategy for generating encryption params.
		fn encryption_params()(salt in any::<[u8; SALT_LENGTH]>(), iv in any::<[u8; IV_LENGTH]>()) -> EntryEncryptionParams {
			EntryEncryptionParams {
				salt: base64::encode(salt),
				iv: base64::encode(iv),
				scheme: EncryptionScheme::LegacySdaCompatible,
			}
		}
	}

	// proptest! {
	// 	#[test]
	// 	fn ensure_encryption_symmetric(
	// 		passkey in ".{1,}",
	// 		params in encryption_params(),
	// 		data in any::<Vec<u8>>(),
	// 	) {
	// 		prop_assume!(data.len() >= 2);
	// 		let mut orig = data;
	// 		orig[0] = '{' as u8;
	// 		let n = orig.len() - 1;
	// 		orig[n] = '}' as u8;
	// 		let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
	// 		let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
	// 		prop_assert_eq!(orig, result.to_vec());
	// 	}
	// }
}
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`use aes::cipher::block_padding::Pkcs7;`
			`use aes::cipher::{BlockDecryptMut, BlockEncryptMut, InvalidLength, KeyIvInit};`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`use aes::Aes256;`
			`use ring::pbkdf2;`
			`use ring::rand::SecureRandom;`
			`use serde::{Deserialize, Serialize};`
			`use thiserror::Error;`

			`const SALT_LENGTH: usize = 8;`
			`const IV_LENGTH: usize = 16;`

			`#[derive(Debug, Clone, Serialize, Deserialize)]`
			`pub struct EntryEncryptionParams {`
			`pub iv: String,`
			`pub salt: String,`
			`pub scheme: EncryptionScheme,`
			`}`

			`impl EntryEncryptionParams {`
			`pub fn generate() -> EntryEncryptionParams {`
			`let rng = ring::rand::SystemRandom::new();`
			`let mut salt = [0u8; SALT_LENGTH];`
			`let mut iv = [0u8; IV_LENGTH];`
			`rng.fill(&mut salt).expect("Unable to generate salt.");`
			`rng.fill(&mut iv).expect("Unable to generate IV.");`
			`EntryEncryptionParams {`
			`salt: base64::encode(salt),`
			`iv: base64::encode(iv),`
			`scheme: Default::default(),`
			`}`
			`}`
			`}`

			`#[derive(Debug, Clone, Serialize, Deserialize)]`
			`pub enum EncryptionScheme {`
			`/// Encryption scheme that is compatible with SteamDesktopAuthenticator.`
move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`LegacySdaCompatible = -1,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`

			`impl Default for EncryptionScheme {`
			`fn default() -> Self {`
			`Self::LegacySdaCompatible`
			`}`
			`}`

			`pub trait EntryEncryptor {`
			`fn encrypt(`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`params: &EntryEncryptionParams,`
			`plaintext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;`
			`fn decrypt(`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`params: &EntryEncryptionParams,`
			`ciphertext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;`
			`}`

			`/// Encryption scheme that is compatible with SteamDesktopAuthenticator.`
			`pub struct LegacySdaCompatible;`

move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`impl LegacySdaCompatible {`
add some unit tests (#234) - add unit test for migrating single accounts - add manifest v1 loading tests - disable a test - update comment - update vscode runners - add a unit test to make sure migrated maFiles can still be read 2023-06-26 18:44:14 +02:00			`const PBKDF2_ITERATIONS: u32 = 50000; // This is necessary to maintain compatibility with SteamDesktopAuthenticator.`
move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`const KEY_SIZE_BYTES: usize = 32;`

Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {`
move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`let password_bytes = passkey.as_bytes();`
			`let salt_bytes = base64::decode(salt)?;`
			`let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];`
			`pbkdf2::derive(`
			`pbkdf2::PBKDF2_HMAC_SHA1,`
			`std::num::NonZeroU32::new(Self::PBKDF2_ITERATIONS).unwrap(),`
			`&salt_bytes,`
			`password_bytes,`
			`&mut full_key,`
			`);`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Ok(full_key)`
move encryption key maker into LegacySdaCompatible impl 2021-08-19 23:15:10 +02:00			`}`
			`}`

move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`impl EntryEncryptor for LegacySdaCompatible {`
			`fn encrypt(`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`params: &EntryEncryptionParams,`
			`plaintext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`let key = Self::get_encryption_key(passkey, &params.salt)?;`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`let mut iv = [0u8; IV_LENGTH];`
			`base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;`

			`let cipher = cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv)?;`

			`let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);`

			`let encoded = base64::encode(ciphertext);`
			`Ok(encoded.as_bytes().to_vec())`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`

			`fn decrypt(`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`passkey: &str,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`params: &EntryEncryptionParams,`
			`ciphertext: Vec<u8>,`
			`) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {`
Dead code cleanup, subcommand refactor (#206) - clean up dead code - fix lints - move Session type to legacy module - refactor service names into constants - refactor build_url to be less restrictive for service names - refactor most commands into their own modules 2023-06-23 19:36:23 +02:00			`let key = Self::get_encryption_key(passkey, &params.salt)?;`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`let mut iv = [0u8; IV_LENGTH];`
			`base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;`
			`let cipher = cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv)?;`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`let decoded = base64::decode(ciphertext)?;`
			`let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });`
			`let mut buffer = vec![0xffu8; 16 * size];`
			`buffer[..decoded.len()].copy_from_slice(&decoded);`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;`
			`Ok(decrypted.to_vec())`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`

			`#[derive(Debug, Error)]`
			`pub enum EntryEncryptionError {`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`#[error("Invalid ciphertext length. The ciphertext must be a multiple of 16 bytes.")]`
			`InvalidCipherTextLength,`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`#[error(transparent)]`
			`Unknown(#[from] anyhow::Error),`
			`}`

			/// For some reason, these errors do not get converted to `ManifestAccountLoadError`s, even though they get converted into `anyhow::Error` just fine. I am too lazy to figure out why right now.
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`impl From<InvalidLength> for EntryEncryptionError {`
			`fn from(error: InvalidLength) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::NotEqualError> for EntryEncryptionError {`
			`fn from(error: inout::NotEqualError) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::PadError> for EntryEncryptionError {`
			`fn from(error: inout::PadError) -> Self {`
			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
			`impl From<inout::block_padding::UnpadError> for EntryEncryptionError {`
			`fn from(error: inout::block_padding::UnpadError) -> Self {`
			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`impl From<base64::DecodeError> for EntryEncryptionError {`
			`fn from(error: base64::DecodeError) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`
			`impl From<std::io::Error> for EntryEncryptionError {`
			`fn from(error: std::io::Error) -> Self {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Self::Unknown(anyhow::Error::from(error))`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`
			`}`

			`#[cfg(test)]`
			`mod tests {`
			`use super::*;`
add a unit test for encryption 2021-08-20 15:37:55 +02:00			`use proptest::prelude::*;`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00
			`/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli`
			`#[test]`
			`fn test_encryption_key() {`
			`assert_eq!(`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`LegacySdaCompatible::get_encryption_key("password", "GMhL0N2hqXg=")`
			`.unwrap()`
			`.as_slice(),`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`base64::decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")`
			`.unwrap()`
			`.as_slice()`
			`);`

			`assert_eq!(`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`LegacySdaCompatible::get_encryption_key("password", "wTzTE9A6aN8=")`
			`.unwrap()`
			`.as_slice(),`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`base64::decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")`
			`.unwrap()`
			`.as_slice()`
			`);`
			`}`
add a unit test for encryption 2021-08-20 15:37:55 +02:00
			`#[test]`
			`fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`let cases = [`
			`"foo",`
			`"tactical glizzy",`
			`"glizzy gladiator",`
			`"shadow wizard money gang",`
			"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
			`];`
add a unit test for encryption 2021-08-20 15:37:55 +02:00			`let passkey = "password";`
			`let params = EntryEncryptionParams::generate();`
fix SDA encryption compatibility (#236) fixes #233 2023-06-27 01:02:48 +02:00			`for case in cases {`
			`eprintln!("testing case: {} (len {})", case, case.len());`
			`let orig = case.as_bytes().to_vec();`
			`let encrypted = LegacySdaCompatible::encrypt(passkey, &params, orig.clone()).unwrap();`
			`let result = LegacySdaCompatible::decrypt(passkey, &params, encrypted).unwrap();`
			`assert_eq!(orig, result.to_vec());`
			`}`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`Ok(())`
add a unit test for encryption 2021-08-20 15:37:55 +02:00			`}`

			`prop_compose! {`
			`/// An insecure but reproducible strategy for generating encryption params.`
			`fn encryption_params()(salt in any::<[u8; SALT_LENGTH]>(), iv in any::<[u8; IV_LENGTH]>()) -> EntryEncryptionParams {`
			`EntryEncryptionParams {`
Use IAuthenticationService for login, account migrations, other major refactors (#194) fixes #193 fixes #192 fixes #107 - [x] Implement the new login process - [x] Tested - [x] Update the authenticator setup process - [x] Tested - [x] Update the authenticator remove process - [x] Tested - [x] Manifest format migrator - [x] Tested - [x] Make it possible to import SDA accounts - [x] Make sure confirmations still work - [x] Fetching - [x] Responding - [x] Make it so that the login process doesn't prompt for which method to use - [x] Make it so that device confirmation and email confirmation auth session guards work 2023-06-22 22:20:15 +02:00			`salt: base64::encode(salt),`
			`iv: base64::encode(iv),`
add a unit test for encryption 2021-08-20 15:37:55 +02:00			`scheme: EncryptionScheme::LegacySdaCompatible,`
			`}`
			`}`
			`}`

			`// proptest! {`
			`// #[test]`
			`// fn ensure_encryption_symmetric(`
			`// passkey in ".{1,}",`
			`// params in encryption_params(),`
			`// data in any::<Vec<u8>>(),`
			`// ) {`
			`// prop_assume!(data.len() >= 2);`
			`// let mut orig = data;`
			`// orig[0] = '{' as u8;`
			`// let n = orig.len() - 1;`
			`// orig[n] = '}' as u8;`
			`// let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();`
			`// let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();`
			`// prop_assert_eq!(orig, result.to_vec());`
			`// }`
			`// }`
move encryption stuff into new module 2021-08-19 22:54:18 +02:00			`}`