Swapped AES-CBC for GCM for all symmetric encryption; bolstered TLS configs

2025-12-13 21:07:22 +00:00 · 2019-06-07 02:03:15 -07:00 · 2019-06-07 02:03:15 -07:00 · f90c19d0f4
commit f90c19d0f4
parent cde1d118fc
11 changed files with 192 additions and 30 deletions
--- a/credentials/commands/cbc_to_gcm.go
+++ b/credentials/commands/cbc_to_gcm.go
@ -0,0 +1,94 @@
+package commands
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	clitypes "github.com/mitchell/selfpass/cli/types"
+	"github.com/mitchell/selfpass/credentials/types"
+	"github.com/mitchell/selfpass/crypto"
+)
+
+func MakeCBCtoGCM(repo clitypes.ConfigRepo, initClient CredentialClientInit) *cobra.Command {
+	cbcToGCM := &cobra.Command{
+		Use:    "cbc-to-gcm",
+		Hidden: true,
+		Run: func(cmd *cobra.Command, args []string) {
+			masterpass, cfg, err := repo.OpenConfig()
+			check(err)
+
+			key, err := hex.DecodeString(cfg.GetString(clitypes.KeyPrivateKey))
+			check(err)
+
+			keypass, err := crypto.CombinePasswordAndKey([]byte(masterpass), key)
+			check(err)
+
+			ctx, cancel := context.WithTimeout(context.Background(), time.Second*60)
+			defer cancel()
+
+			client := initClient(ctx)
+
+			mdch, errch := client.GetAllMetadata(ctx, "")
+
+			for {
+				select {
+				case err := <-errch:
+					check(err)
+				case md, ok := <-mdch:
+					if !ok {
+						fmt.Println("All done.")
+						return
+					}
+
+					cred, err := client.Get(ctx, md.ID)
+					check(err)
+
+					passbytes, err := base64.StdEncoding.DecodeString(cred.Password)
+					check(err)
+
+					plainpass, err := crypto.CBCDecrypt(keypass, passbytes)
+					check(err)
+
+					passbytes, err = crypto.GCMEncrypt(keypass, plainpass)
+					check(err)
+
+					cred.Password = base64.StdEncoding.EncodeToString(passbytes)
+
+					if cred.OTPSecret != "" {
+						passbytes, err := base64.StdEncoding.DecodeString(cred.OTPSecret)
+						check(err)
+
+						plainpass, err := crypto.CBCDecrypt(keypass, passbytes)
+						check(err)
+
+						passbytes, err = crypto.GCMEncrypt(keypass, plainpass)
+						check(err)
+
+						cred.OTPSecret = base64.StdEncoding.EncodeToString(passbytes)
+					}
+
+					_, err = client.Update(ctx, cred.ID, types.CredentialInput{
+						MetadataInput: types.MetadataInput{
+							Tag:        cred.Tag,
+							SourceHost: cred.SourceHost,
+							LoginURL:   cred.LoginURL,
+							Primary:    cred.Primary,
+						},
+						OTPSecret: cred.OTPSecret,
+						Password:  cred.Password,
+						Email:     cred.Email,
+						Username:  cred.Username,
+					})
+					check(err)
+				}
+			}
+		},
+	}
+
+	return cbcToGCM
+}
--- a/credentials/commands/create.go
+++ b/credentials/commands/create.go
@ -99,7 +99,7 @@ password.`,
 				}
 			}

-			cipherpass, err := crypto.CBCEncrypt(keypass, []byte(ci.Password))
+			cipherpass, err := crypto.GCMEncrypt(keypass, []byte(ci.Password))
 			check(err)

 			ci.Password = base64.StdEncoding.EncodeToString(cipherpass)
@ -113,7 +113,7 @@ password.`,
 				prompt := &survey.Password{Message: "OTP secret:"}
 				check(survey.AskOne(prompt, &secret, nil))

-				ciphersecret, err := crypto.CBCEncrypt(keypass, []byte(secret))
+				ciphersecret, err := crypto.GCMEncrypt(keypass, []byte(secret))
 				check(err)

 				ci.OTPSecret = base64.StdEncoding.EncodeToString(ciphersecret)
--- a/credentials/commands/get.go
+++ b/credentials/commands/get.go
@ -121,7 +121,7 @@ decrypting password.`,
 				passbytes, err := base64.StdEncoding.DecodeString(cred.Password)
 				check(err)

-				plainpass, err := crypto.CBCDecrypt(passkey, passbytes)
+				plainpass, err := crypto.GCMDecrypt(passkey, passbytes)

 				check(clipboard.WriteAll(string(plainpass)))

@ -137,7 +137,7 @@ decrypting password.`,
 					secretbytes, err := base64.StdEncoding.DecodeString(cred.OTPSecret)
 					check(err)

-					plainsecret, err := crypto.CBCDecrypt(passkey, secretbytes)
+					plainsecret, err := crypto.GCMDecrypt(passkey, secretbytes)

 					otp, err := totp.GenerateCode(string(plainsecret), time.Now())
 					check(err)
--- a/credentials/repositories/grpc_client.go
+++ b/credentials/repositories/grpc_client.go
@ -28,6 +28,10 @@ func NewCredentialServiceClient(ctx context.Context, target, ca, cert, key strin
 	creds := credentials.NewTLS(&tls.Config{
 		RootCAs:      capool,
 		Certificates: []tls.Certificate{keypair},
+		MinVersion:   tls.VersionTLS12,
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+		},
 	})

 	conn, err := grpc.DialContext(ctx, target, grpc.WithTransportCredentials(creds), grpc.WithBlock())