Merge pull request #314 from RobinzZH/dev

fix(encryption): update iterations to 1024 for pbkdf2
Tencent · Apr 1, 2019 · 6f4b8a5 · 6f4b8a5
2 parents 3a60a5c + 0805d72
commit 6f4b8a5
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 10 deletions.
diff --git a/bin/tsw/util/auto-report/encryption.js b/bin/tsw/util/auto-report/encryption.js
@@ -17,9 +17,11 @@ const ALGORITHM_TAG_SIZE = 16;
 const ALGORITHM_KEY_SIZE = 16;
 const PBKDF2_NAME = 'sha256';
 const PBKDF2_SALT_SIZE = 16;
-const PBKDF2_ITERATIONS = 32767;
+const PBKDF2_ITERATIONS = 1024;
+const LASTPBKDF2_ITERATIONS = 32767;
 const CHARSET_NAME = 'UTF-8';
-const CURRENT_VERSION = 'v1:';
+const LASTAES_VERSION = 'v1:';
+const CURRENT_VERSION = 'v2:';
 
 const EVP_BytesToKey = password => {
     const pwd = Buffer.from(password, 'binary');
@@ -75,6 +77,23 @@ function decrypt(ciphertextAndNonce, key) {
     return Buffer.concat([cipher.update(ciphertext), cipher.final()]);
 }
 
+const matchAES = function(content) {
+    if (content.indexOf(CURRENT_VERSION) === 0) {
+        return {
+            iterations: PBKDF2_ITERATIONS,
+            ciphertext: Buffer.from(content.slice(CURRENT_VERSION.length), 'base64')
+        };
+    } else if (content.indexOf(LASTAES_VERSION) === 0) {
+        return {
+            iterations: LASTPBKDF2_ITERATIONS,
+            ciphertext: Buffer.from(content.slice(LASTAES_VERSION.length), 'base64')
+        };
+    }
+    return {
+        ciphertext: content
+    };
+};
+
 // 加密
 module.exports.encode = function (appid, appkey, data) {
     const buff = zlib.deflateSync(Buffer.from(JSON.stringify(data), CHARSET_NAME));
@@ -89,14 +108,13 @@ module.exports.encode = function (appid, appkey, data) {
 // 解密
 module.exports.decode = function (appid, appkey, body) {
     const password = appid + appkey;
-    const content = body || '';
+    const content = matchAES(body || '');
     let decodeResult;
     let data;
-    if (content.indexOf(CURRENT_VERSION) === 0) {
-        const ciphertextAndNonceAndSalt = Buffer.from(content.slice(CURRENT_VERSION.length), 'base64');
-        const salt = ciphertextAndNonceAndSalt.slice(0, PBKDF2_SALT_SIZE);
-        const ciphertextAndNonce = ciphertextAndNonceAndSalt.slice(PBKDF2_SALT_SIZE);
-        const key = crypto.pbkdf2Sync(Buffer.from(password, CHARSET_NAME), salt, PBKDF2_ITERATIONS, ALGORITHM_KEY_SIZE, PBKDF2_NAME);
+    if (content.iterations) {
+        const salt = content.ciphertext.slice(0, PBKDF2_SALT_SIZE);
+        const ciphertextAndNonce = content.ciphertext.slice(PBKDF2_SALT_SIZE);
+        const key = crypto.pbkdf2Sync(Buffer.from(password, CHARSET_NAME), salt, content.iterations, ALGORITHM_KEY_SIZE, PBKDF2_NAME);
         try {
             decodeResult = decrypt(ciphertextAndNonce, key);
         } catch (e) {
@@ -127,6 +145,5 @@ module.exports.decode = function (appid, appkey, body) {
         return null;
     }
 
-
     return data;
 };
diff --git a/test/bin/tsw/util/auto-report/encryption.js b/test/bin/tsw/util/auto-report/encryption.js
@@ -53,7 +53,17 @@ describe('test tsw/util/auto-report/encryption', () => {
             expect(decodeResult.hello).to.be.equal(data.hello);
         });
 
-        it('#decode aes', () => {
+        it('#decode aes for v2', () => {
+            const data = {
+                hello: 'world'
+            };
+            const aesResult = 'v2:YrCZaJTDTENaSdF7QYdHWXzMscc5T2c8J1WupQuBdU7jXX8MdyTTQQQ1IcA51P4EuwIbmeanCPRks55gb/BtWofeu/2s';
+            const decodeResult = encryption.decode(appid, appkey, aesResult);
+            expect(decodeResult).to.not.be.null; // eslint-disable-line
+            expect(decodeResult.hello).to.be.equal(data.hello);
+        });
+
+        it('#decode aes for v1', () => {
             const data = {
                 hello: 'world'
             };