add encryption mode choice

2020-03-05 10:39:00 +01:00 · 2020-03-05 10:39:00 +01:00 · 88d973a625
commit 88d973a625
parent 9fb7353e08
2 changed files with 41 additions and 18 deletions
--- a/index.js
+++ b/index.js
@ -10,7 +10,7 @@
 const crypto = require ('crypto');
 const encoding = require ('@scode/encoding-helper');

-const encryption = {
+const encryption_mode_cbc_256 = {
  algorithm:  'aes-256-cbc',
  nonce_size: 16,
  key_size:   32,
@ -19,6 +19,15 @@ const encryption = {
  iterations: 32767
 };

+const encryption_mode_cbc_128 = {
+  algorithm:  'aes-128-cbc',
+  nonce_size: 16,
+  key_size:   16,
+  hash:       'sha256',
+  salt_size:  16,
+  iterations: 40
+};
+
 /**
 * creates a random string
 *
@ -149,20 +158,21 @@ function checksum (data) {
 *
 * @param {string} text plaintext
 * @param {string} pass password
+ * @param {object} mode encryption mode
 * @returns {string} encrypted
 */
-function encrypt_aes (text, pass) {
-  const salt = crypto.randomBytes (encryption.salt_size);
+function encrypt_aes (text, pass, mode = encryption_mode_cbc_256) {
+  const salt = crypto.randomBytes (mode.salt_size);
  // eslint-disable-next-line no-sync
  const key = crypto.pbkdf2Sync (
    Buffer.from (pass, 'utf-8'),
    salt,
-    encryption.iterations,
-    encryption.key_size,
-    encryption.hash
+    mode.iterations,
+    mode.key_size,
+    mode.hash
  );
-  const nonce = crypto.randomBytes (encryption.nonce_size);
-  const cipher = crypto.createCipheriv (encryption.algorithm, key, nonce);
+  const nonce = crypto.randomBytes (mode.nonce_size);
+  const cipher = crypto.createCipheriv (mode.algorithm, key, nonce);
  return Buffer.concat ([
    salt,
    nonce,
@ -177,25 +187,31 @@ function encrypt_aes (text, pass) {
 *
 * @param {string} ciphertext encrypted text
 * @param {string} pass password
+ * @param {object} mode encryption mode
 * @param {boolean} rethrow rethrow exceptions instead of returning null
 * @returns {string} plaintext
 */
-function decrypt_aes (ciphertext, pass, rethrow = false) {
+function decrypt_aes (
+  ciphertext,
+  pass,
+  mode = encryption_mode_cbc_256,
+  rethrow = false
+) {
  try {
    let buf = Buffer.from (ciphertext, 'base64');
-    const salt = buf.slice (0, encryption.salt_size);
-    buf = buf.slice (encryption.salt_size);
+    const salt = buf.slice (0, mode.salt_size);
+    buf = buf.slice (mode.salt_size);
    // eslint-disable-next-line no-sync
    const key = crypto.pbkdf2Sync (
      Buffer.from (pass, 'utf-8'),
      salt,
-      encryption.iterations,
-      encryption.key_size,
-      encryption.hash
+      mode.iterations,
+      mode.key_size,
+      mode.hash
    );
-    const nonce = buf.slice (0, encryption.nonce_size);
-    buf = buf.slice (encryption.nonce_size);
-    const cipher = crypto.createDecipheriv (encryption.algorithm, key, nonce);
+    const nonce = buf.slice (0, mode.nonce_size);
+    buf = buf.slice (mode.nonce_size);
+    const cipher = crypto.createDecipheriv (mode.algorithm, key, nonce);
    return Buffer.concat ([
      cipher.update (buf),
      cipher.final ()
@ -215,6 +231,8 @@ module.exports = {
  decode_signed,
  decrypt_aes,
  encrypt_aes,
+  encryption_mode_cbc_128,
+  encryption_mode_cbc_256,
  get_signature_info,
  hash_sha512,
  random_hex,
--- a/test/encryption.js
+++ b/test/encryption.js
@ -25,7 +25,12 @@ test ('fail decryption', (t) => {
 test ('rethrow decryption', (t) => {
  const enc = crypto.encrypt_aes ('foo', 'bar');
  t.throws (() => {
-    crypto.decrypt_aes (enc, 'baz', true);
+    crypto.decrypt_aes (
+      enc,
+      'baz',
+      crypto.encryption_mode_cbc_256,
+      true
+    );
  });
 });