Merge pull request #1 from replydev/argon2id

Use Argon2id for key derivation

Author: replydev

README.md

@@ -1,5 +1,6 @@
 
 # cotp - command line totp authenticator
+[![Actions Status](https://github.com/replydev/cotp/workflows/Rust/badge.svg)]("https://github.com/replydev/cotp/actions")
 
 I believe that security is of paramount importance, especially in this digital world. I created cotp because I needed a minimalist, secure, desktop accessible software to manage my two-factor authentication codes.
 
@@ -79,7 +80,7 @@ You will find the compiled binary in **target/release** folder
 ## Planned features
 
  - [x] Reduce binary size and improve compilation speed by removing useless dependencies.
- - [ ] Use argon2id13 for key derivation
+ - [x] Use argon2id13 for key derivation
  - [ ] Backup compatibility with:
 	 - [x] Aegis
 	 - [x] andOTP

src/argument_functions.rs

@@ -7,7 +7,7 @@ pub fn help(){
     println!("-a,--add <secret> <issuer> <label>       | Add a new OTP code");
     println!("-r,--remove <secret> <issuer> <label>    | Remove an OTP code");
     println!("-e,--edit <id> <secret> <issuer> <label> | Edit an OTP code");
-    println!("-i,--import aegis,andotp <filename>      | Import a backup from a given application");
+    println!("-i,--import <appname> <path>             | Import a backup from a given application");
     println!("-ex,--export                             | Export the entire database in a plaintext json format");
     println!("-j,--json                                | Print results in json format");
     println!("-h,--help                                | Print this help");
@@ -19,7 +19,7 @@ pub fn import(args: Vec<String>){
         let elements: Vec<database_loader::OTPElement>;
 
         match &args[2][..]{
-            "andotp" => result = importers::and_otp::import(&args[3]),
+            "cotp" | "andotp" => result = importers::and_otp::import(&args[3]),
             "aegis" => result = importers::aegis::import(&args[3]),
             _=> {
                 println!("Invalid argument: {}", &args[2]);
@@ -38,7 +38,11 @@ pub fn import(args: Vec<String>){
         println!("Successfully imported database");
     }
     else{
-        println!("Invalid arguments, type cotp --import <backup_format> <path>");
+        println!("Invalid arguments, type cotp --import <appname> <path>");
+        println!("cotp can import backup from:");
+        println!("\"cotp\"");
+        println!("\"aegis\"");
+        println!("\"andotp\"");
     }
 }
 

src/cryptograpy.rs

@@ -23,19 +23,26 @@ impl fmt::Display for CoreError {
 
 impl error::Error for CoreError {}
 
-pub fn encrypt_string(plaintext: &mut String,password: &str) -> String {
+fn argon_derive_key(key: &mut[u8;32],password_bytes: &[u8],salt: &pwhash::argon2id13::Salt) -> Result<Key,String>{
+    let result = pwhash::argon2id13::derive_key(key, password_bytes, salt,
+        pwhash::argon2id13::OPSLIMIT_INTERACTIVE,
+        pwhash::argon2id13::MEMLIMIT_INTERACTIVE);
+    match result{
+        Ok(&[u8]) => Ok(Key(*key)),
+        Ok(&[]) => Ok(Key(*key)),
+        Ok(&[_,_,..]) =>Ok(Key(*key)),
+        Err(()) => Err(String::from("Failed to derive encryption key"))
+    }
+}
+
+pub fn encrypt_string(plaintext: String,password: &str) -> String {
     let mut encrypted = String::new();
     encrypted.push_str(&base64::encode(SIGNATURE));
     encrypted.push('|');
-    let salt = pwhash::gen_salt();
+    let salt = pwhash::argon2id13::gen_salt();
     encrypted.push_str(&base64::encode(salt.0));
     encrypted.push('|');
-    let mut key = [0u8; KEYBYTES];
-    pwhash::derive_key(&mut key, password.as_bytes(), &salt,
-        pwhash::OPSLIMIT_INTERACTIVE,
-        pwhash::MEMLIMIT_INTERACTIVE).unwrap();
-    let key = Key(key);
-
+    let key = argon_derive_key(&mut [0u8; KEYBYTES],password.as_bytes(),&salt).unwrap();
     let (mut enc_stream, header) = Stream::init_push(&key).unwrap();
 
     encrypted.push_str(&base64::encode(header.0));
@@ -47,19 +54,19 @@ pub fn encrypt_string(plaintext: &mut String,password: &str) -> String {
     encrypted
 }
 
-pub fn decrypt_string(encrypted_text: &mut str,password: &str) -> Result<String, String> {
+pub fn decrypt_string(encrypted_text: &str,password: &str) -> Result<String, String> {
     let split = encrypted_text.split('|');
     let vec: Vec<&str> = split.collect();
     let byte_salt = base64::decode(vec[1]).unwrap();
-    let salt = pwhash::Salt(byte_vec_to_byte_array(byte_salt));
+    let salt = pwhash::argon2id13::Salt(byte_vec_to_byte_array(byte_salt));
     let byte_header = base64::decode(vec[2]).unwrap();
     let header = Header(header_vec_to_header_array(byte_header));
     let cipher = base64::decode(vec[3]).unwrap();
 
     let mut key = [0u8; KEYBYTES];
-    pwhash::derive_key(&mut key, password.as_bytes(), &salt,
-        pwhash::OPSLIMIT_INTERACTIVE,
-        pwhash::MEMLIMIT_INTERACTIVE)
+    pwhash::argon2id13::derive_key(&mut key, password.as_bytes(), &salt,
+        pwhash::argon2id13::OPSLIMIT_INTERACTIVE,
+        pwhash::argon2id13::MEMLIMIT_INTERACTIVE)
         .map_err(|_| CoreError::new("Deriving key failed")).unwrap();
     let key = Key(key);
 
@@ -74,9 +81,9 @@ pub fn decrypt_string(encrypted_text: &mut str,password: &str) -> Result<String,
     Ok(String::from_utf8(decrypted).unwrap())
 }
 
-fn byte_vec_to_byte_array(byte_vec: Vec<u8>) -> [u8;32]{
+fn byte_vec_to_byte_array(byte_vec: Vec<u8>) -> [u8;16]{
     byte_vec.try_into()
-        .unwrap_or_else(|v: Vec<u8>| panic!("Expected a Vec of length {} but it was {}", 32, v.len()))
+        .unwrap_or_else(|v: Vec<u8>| panic!("Expected a Vec of length {} but it was {}", 16, v.len()))
 }
 
 fn header_vec_to_header_array(byte_vec: Vec<u8>) -> [u8;24]{
@@ -93,4 +100,20 @@ pub fn prompt_for_passwords(message: &str) -> String{
         }
     }
     password
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::{encrypt_string,decrypt_string};
+    #[test]
+    fn test_encryption() {
+        assert_eq!(
+            String::from("Secret data@#[]ò"), 
+            decrypt_string(
+                &mut encrypt_string(String::from("Secret data@#[]ò"),"pa$$w0rd"),
+                "pa$$w0rd"
+            ).unwrap()
+        );
+    }
 }

src/database_loader.rs

@@ -67,9 +67,9 @@ impl OTPElement {
 }
 
 pub fn read_from_file() -> Result<Vec<OTPElement>,String>{
-    let mut encrypted_contents = read_to_string(&get_db_path()).unwrap();
+    let encrypted_contents = read_to_string(&get_db_path()).unwrap();
     //rust close files at the end of the function
-    let contents = cryptograpy::decrypt_string(&mut encrypted_contents, &cryptograpy::prompt_for_passwords("Password: "));
+    let contents = cryptograpy::decrypt_string(&encrypted_contents, &cryptograpy::prompt_for_passwords("Password: "));
     match contents {
         Ok(contents) => {
             let vector: Vec<OTPElement> = serde_json::from_str(&contents).unwrap();
@@ -172,8 +172,8 @@ pub fn export_database() -> Result<String, String> {
     let mut exported_path = utils::get_home_folder().to_str().unwrap().to_string();
     exported_path.push_str("/exported.cotp");
     let mut file = File::create(&exported_path).expect("Cannot create file");
-    let mut encrypted_contents = read_to_string(&get_db_path()).unwrap();
-    let contents = cryptograpy::decrypt_string(&mut encrypted_contents, &cryptograpy::prompt_for_passwords("Password: "));
+    let encrypted_contents = read_to_string(&get_db_path()).unwrap();
+    let contents = cryptograpy::decrypt_string(&encrypted_contents, &cryptograpy::prompt_for_passwords("Password: "));
     match contents {
         Ok(contents) => {
             file.write_all(contents.as_bytes()).expect("Failed to write contents");
@@ -191,7 +191,7 @@ pub fn overwrite_database(elements: Vec<OTPElement>){
 }
 
 pub fn overwrite_database_json(json: &str){
-    let encrypted = cryptograpy::encrypt_string(&mut json.to_string(), &cryptograpy::prompt_for_passwords("Insert password for database encryption: "));
+    let encrypted = cryptograpy::encrypt_string(json.to_string(), &cryptograpy::prompt_for_passwords("Insert password for database encryption: "));
     utils::write_to_file(&encrypted, &mut File::create(utils::get_db_path()).expect("Failed to open file"));
 }