diff --git a/.repo-runner.yaml b/.repo-runner.yaml new file mode 100644 index 0000000..0d44ae1 --- /dev/null +++ b/.repo-runner.yaml @@ -0,0 +1,11 @@ +--- + +image: "reporunner/golang-alpine" +checkout_dir: /go/src/github.com/Luzifer/wasm-openssl + +commands: + - make publish + +environment: + ARCHS: js/wasm + CGO_ENABLED: 0 diff --git a/Gopkg.lock b/Gopkg.lock new file mode 100644 index 0000000..600be6b --- /dev/null +++ b/Gopkg.lock @@ -0,0 +1,17 @@ +# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. + + +[[projects]] + digest = "1:f892acc8308967384ea31cbd1c17d42745bd45001add0eacada483d0d13d8fac" + name = "github.com/Luzifer/go-openssl" + packages = ["."] + pruneopts = "NUT" + revision = "5d2bdfffeecf20ba6dec4feb04e31872c8720255" + version = "v2.0.2" + +[solve-meta] + analyzer-name = "dep" + analyzer-version = 1 + input-imports = ["github.com/Luzifer/go-openssl"] + solver-name = "gps-cdcl" + solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml new file mode 100644 index 0000000..bb0748d --- /dev/null +++ b/Gopkg.toml @@ -0,0 +1,35 @@ +# Gopkg.toml example +# +# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html +# for detailed Gopkg.toml documentation. +# +# required = ["github.com/user/thing/cmd/thing"] +# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] +# +# [[constraint]] +# name = "github.com/user/project" +# version = "1.0.0" +# +# [[constraint]] +# name = "github.com/user/project2" +# branch = "dev" +# source = "github.com/myfork/project2" +# +# [[override]] +# name = "github.com/x/y" +# version = "2.4.0" +# +# [prune] +# non-go = false +# go-tests = true +# unused-packages = true + + +[[constraint]] + name = "github.com/Luzifer/go-openssl" + version = "2.0.2" + +[prune] + non-go = true + go-tests = true + unused-packages = true diff --git a/Makefile b/Makefile index 35fce71..4588d21 100644 --- a/Makefile +++ b/Makefile @@ -6,3 +6,6 @@ build: wasm_exec.js: curl -sSfLo wasm_exec.js "https://raw.githubusercontent.com/golang/go/go1.11/misc/wasm/wasm_exec.js" + +publish: + bash golang.sh diff --git a/go.mod b/go.mod deleted file mode 100644 index 153587f..0000000 --- a/go.mod +++ /dev/null @@ -1,3 +0,0 @@ -module test - -require github.com/Luzifer/go-openssl/v2 v2.0.2+incompatible diff --git a/go.sum b/go.sum deleted file mode 100644 index 79698f1..0000000 --- a/go.sum +++ /dev/null @@ -1,2 +0,0 @@ -github.com/Luzifer/go-openssl/v2 v2.0.2+incompatible h1:To0xXBgE5HjzhAvxzVo2W3dDUl/StsOBHzSPyRfcF/w= -github.com/Luzifer/go-openssl/v2 v2.0.2+incompatible/go.mod h1:QPR7HJhwod/yIQRM+iN/qMS1CRoMAm8GJ6ojONUGTw0= diff --git a/golang.sh b/golang.sh new file mode 100644 index 0000000..3948e83 --- /dev/null +++ b/golang.sh @@ -0,0 +1,86 @@ +#!/bin/bash +set -euo pipefail + +(which zip 2>&1 1>/dev/null) || { + (which apk 2>&1 1>/dev/null) && apk add --update zip + (which apt-get 2>&1 1>/dev/null) && apt-get update && apt-get install -y zip +} + +function step() { + echo "===> $@..." +} + +VERSION=$(git describe --tags --exact-match || echo "ghpublish__notags") +PWD=$(pwd) +godir=${PWD/${GOPATH}\/src\//} +REPO=${REPO:-$(echo ${godir} | cut -d '/' -f 3)} +GHUSER=${GHUSER:-$(echo ${godir} | cut -d '/' -f 2)} +DEPLOYMENT_TAG=${DEPLOYMENT_TAG:-${VERSION}} +PACKAGES=${PACKAGES:-$(echo ${godir} | cut -d '/' -f 1-3)} +BUILD_DIR=${BUILD_DIR:-.build} +DRAFT=${DRAFT:-true} + +go version + +step "Retrieve dependencies" +go get github.com/aktau/github-release + +step "Cleanup build directory if present" +rm -rf ${BUILD_DIR} + +step "Compile program" +mkdir ${BUILD_DIR} +GOOS=js GOARCH=wasm go build -ldflags="-X main.version=${VERSION}" \ + -o "${BUILD_DIR}/openssl.wasm" \ + ${PACKAGES} + +step "Generate binary SHASUMs" +cd ${BUILD_DIR} +sha256sum * >SHA256SUMS + +step "Packing archives" +for file in *; do + if [ "${file}" = "SHA256SUMS" ]; then + continue + fi + + tar -czf "${file%%.*}.tar.gz" "${file}" + + rm "${file}" +done + +step "Generate archive SHASUMs" +sha256sum * >>SHA256SUMS +grep -v 'SHA256SUMS' SHA256SUMS >SHA256SUMS.tmp +mv SHA256SUMS.tmp SHA256SUMS + +step "Publish builds to Github" + +if (test "${VERSION}" == "ghpublish__notags"); then + echo "No tag present, stopping build now." + exit 0 +fi + +if [ -z "${GITHUB_TOKEN}" ]; then + echo "Please set \$GITHUB_TOKEN environment variable" + exit 1 +fi + +if [[ "${DRAFT}" == "true" ]]; then + step "Create a drafted release" + github-release release --user ${GHUSER} --repo ${REPO} --tag ${DEPLOYMENT_TAG} --name ${DEPLOYMENT_TAG} --draft || true +else + step "Create a published release" + github-release release --user ${GHUSER} --repo ${REPO} --tag ${DEPLOYMENT_TAG} --name ${DEPLOYMENT_TAG} || true +fi + +step "Upload build assets" +for file in *; do + echo "- ${file}" + github-release upload --user ${GHUSER} --repo ${REPO} --tag ${DEPLOYMENT_TAG} --name ${file} --file ${file} +done + +echo -e "\n\n=== Recorded checksums ===" +cat SHA256SUMS + +cd - diff --git a/main.go b/main.go index 25c1a87..67a9a92 100644 --- a/main.go +++ b/main.go @@ -4,7 +4,7 @@ import ( "fmt" "syscall/js" - openssl "github.com/Luzifer/go-openssl/v2" + openssl "github.com/Luzifer/go-openssl" ) func main() { diff --git a/vendor/github.com/Luzifer/go-openssl/LICENSE b/vendor/github.com/Luzifer/go-openssl/LICENSE new file mode 100644 index 0000000..9d74c44 --- /dev/null +++ b/vendor/github.com/Luzifer/go-openssl/LICENSE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2015- Knut Ahlers + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/vendor/github.com/Luzifer/go-openssl/openssl.go b/vendor/github.com/Luzifer/go-openssl/openssl.go new file mode 100644 index 0000000..e99e747 --- /dev/null +++ b/vendor/github.com/Luzifer/go-openssl/openssl.go @@ -0,0 +1,298 @@ +package openssl + +import ( + "bytes" + "crypto/aes" + "crypto/cipher" + "crypto/md5" + "crypto/rand" + "crypto/sha1" + "crypto/sha256" + "encoding/base64" + "errors" + "fmt" + "io" +) + +// ErrInvalidSalt is returned when a salt with a length of != 8 byte is passed +var ErrInvalidSalt = errors.New("Salt needs to have exactly 8 byte") + +// OpenSSL is a helper to generate OpenSSL compatible encryption +// with autmatic IV derivation and storage. As long as the key is known all +// data can also get decrypted using OpenSSL CLI. +// Code from http://dequeue.blogspot.de/2014/11/decrypting-something-encrypted-with.html +type OpenSSL struct { + openSSLSaltHeader string +} + +type openSSLCreds struct { + key []byte + iv []byte +} + +// New instanciates and initializes a new OpenSSL encrypter +func New() *OpenSSL { + return &OpenSSL{ + openSSLSaltHeader: "Salted__", // OpenSSL salt is always this string + 8 bytes of actual salt + } +} + +// DecryptString decrypts a string that was encrypted using OpenSSL and AES-256-CBC +func (o OpenSSL) DecryptString(passphrase, encryptedBase64String string) ([]byte, error) { + return o.DecryptBytes(passphrase, []byte(encryptedBase64String)) +} + +var hashFuncList = []DigestFunc{DigestSHA256Sum, DigestMD5Sum, DigestSHA1Sum} + +func (o OpenSSL) decodeWithPassphrase(passphrase string, data []byte, salt []byte, hashFunc DigestFunc) ([]byte, error) { + creds, err := o.extractOpenSSLCreds([]byte(passphrase), salt, hashFunc) + if err != nil { + return nil, err + } + return o.decrypt(creds.key, creds.iv, data) +} + +// DecryptBytes takes a slice of bytes with base64 encoded, encrypted data to decrypt +func (o OpenSSL) DecryptBytes(passphrase string, encryptedBase64Data []byte) ([]byte, error) { + data := make([]byte, base64.StdEncoding.DecodedLen(len(encryptedBase64Data))) + n, err := base64.StdEncoding.Decode(data, encryptedBase64Data) + if err != nil { + return nil, fmt.Errorf("Could not decode data: %s", err) + } + + // Truncate to real message length + data = data[0:n] + + if len(data) < aes.BlockSize { + return nil, fmt.Errorf("Data is too short") + } + saltHeader := data[:aes.BlockSize] + if string(saltHeader[:8]) != o.openSSLSaltHeader { + return nil, fmt.Errorf("Does not appear to have been encrypted with OpenSSL, salt header missing") + } + salt := saltHeader[8:] + + tmp := make([]byte, len(data)) + for _, f := range hashFuncList { + copy(tmp, data) + result, err := o.decodeWithPassphrase(passphrase, tmp, salt, f) + if err == nil { + return result, nil + } + } + return nil, err +} + +func (o OpenSSL) decrypt(key, iv, data []byte) ([]byte, error) { + if len(data) == 0 || len(data)%aes.BlockSize != 0 { + return nil, fmt.Errorf("bad blocksize(%v), aes.BlockSize = %v", len(data), aes.BlockSize) + } + c, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + cbc := cipher.NewCBCDecrypter(c, iv) + cbc.CryptBlocks(data[aes.BlockSize:], data[aes.BlockSize:]) + out, err := o.pkcs7Unpad(data[aes.BlockSize:], aes.BlockSize) + if out == nil { + return nil, err + } + return out, nil +} + +// EncryptBytes encrypts a slice of bytes in a manner compatible to OpenSSL encryption +// functions using AES-256-CBC as encryption algorithm. This function generates +// a random salt on every execution. +func (o OpenSSL) EncryptBytes(passphrase string, plainData []byte) ([]byte, error) { + salt, err := o.GenerateSalt() + if err != nil { + return nil, err + } + + return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, plainData, DigestSHA256Sum) +} + +// EncryptString encrypts a string in a manner compatible to OpenSSL encryption +// functions using AES-256-CBC as encryption algorithm. This function generates +// a random salt on every execution. +func (o OpenSSL) EncryptString(passphrase, plaintextString string) ([]byte, error) { + salt, err := o.GenerateSalt() + if err != nil { + return nil, err + } + + return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintextString), DigestSHA256Sum) +} + +// EncryptStringWithSalt encrypts a string in a manner compatible to OpenSSL +// encryption functions using AES-256-CBC as encryption algorithm. The salt +// needs to be passed in here which ensures the same result on every execution +// on cost of a much weaker encryption as with EncryptString. +// +// The salt passed into this function needs to have exactly 8 byte. +// +// If you don't have a good reason to use this, please don't! For more information +// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes +// +// Deprecated: Use EncryptBytesWithSaltAndDigestFunc instead. +func (o OpenSSL) EncryptStringWithSalt(passphrase string, salt []byte, plaintextString string) ([]byte, error) { + return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintextString), DigestSHA256Sum) +} + +// EncryptBytesWithSalt encrypts a slice of bytes in a manner compatible to OpenSSL +// encryption functions using AES-256-CBC as encryption algorithm. The salt +// needs to be passed in here which ensures the same result on every execution +// on cost of a much weaker encryption as with EncryptString. +// +// The salt passed into this function needs to have exactly 8 byte. +// +// If you don't have a good reason to use this, please don't! For more information +// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes +// +// Deprecated: Use EncryptBytesWithSaltAndDigestFunc instead. +func (o OpenSSL) EncryptBytesWithSalt(passphrase string, salt, plainData []byte) ([]byte, error) { + return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, plainData, DigestSHA256Sum) +} + +// EncryptBytesWithSaltAndDigestFunc encrypts a slice of bytes in a manner compatible to OpenSSL +// encryption functions using AES-256-CBC as encryption algorithm. The salt +// needs to be passed in here which ensures the same result on every execution +// on cost of a much weaker encryption as with EncryptString. +// +// The salt passed into this function needs to have exactly 8 byte. +// +// The hash function corresponds to the `-md` parameter of OpenSSL. For OpenSSL pre-1.1.0c +// DigestMD5Sum was the default, since then it is DigestSHA256Sum. +// +// If you don't have a good reason to use this, please don't! For more information +// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes +func (o OpenSSL) EncryptBytesWithSaltAndDigestFunc(passphrase string, salt, plainData []byte, hashFunc DigestFunc) ([]byte, error) { + if len(salt) != 8 { + return nil, ErrInvalidSalt + } + + data := make([]byte, len(plainData)+aes.BlockSize) + copy(data[0:], o.openSSLSaltHeader) + copy(data[8:], salt) + copy(data[aes.BlockSize:], plainData) + + creds, err := o.extractOpenSSLCreds([]byte(passphrase), salt, hashFunc) + if err != nil { + return nil, err + } + + enc, err := o.encrypt(creds.key, creds.iv, data) + if err != nil { + return nil, err + } + + return []byte(base64.StdEncoding.EncodeToString(enc)), nil +} + +// GenerateSalt generates a random 8 byte salt +func (o OpenSSL) GenerateSalt() ([]byte, error) { + salt := make([]byte, 8) // Generate an 8 byte salt + _, err := io.ReadFull(rand.Reader, salt) + if err != nil { + return nil, err + } + + return salt, nil +} + +func (o OpenSSL) encrypt(key, iv, data []byte) ([]byte, error) { + padded, err := o.pkcs7Pad(data, aes.BlockSize) + if err != nil { + return nil, err + } + + c, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + cbc := cipher.NewCBCEncrypter(c, iv) + cbc.CryptBlocks(padded[aes.BlockSize:], padded[aes.BlockSize:]) + + return padded, nil +} + +// openSSLEvpBytesToKey follows the OpenSSL (undocumented?) convention for extracting the key and IV from passphrase. +// It uses the EVP_BytesToKey() method which is basically: +// D_i = HASH^count(D_(i-1) || password || salt) where || denotes concatentaion, until there are sufficient bytes available +// 48 bytes since we're expecting to handle AES-256, 32bytes for a key and 16bytes for the IV +func (o OpenSSL) extractOpenSSLCreds(password, salt []byte, hashFunc DigestFunc) (openSSLCreds, error) { + var m []byte + prev := []byte{} + for len(m) < 48 { + prev = o.hash(prev, password, salt, hashFunc) + m = append(m, prev...) + } + return openSSLCreds{key: m[:32], iv: m[32:48]}, nil +} + +func (o OpenSSL) hash(prev, password, salt []byte, hashFunc DigestFunc) []byte { + a := make([]byte, len(prev)+len(password)+len(salt)) + copy(a, prev) + copy(a[len(prev):], password) + copy(a[len(prev)+len(password):], salt) + return hashFunc(a) +} + +// DigestFunc are functions to create a key from the passphrase +type DigestFunc func([]byte) []byte + +// DigestMD5Sum uses the (deprecated) pre-OpenSSL 1.1.0c MD5 digest to create the key +func DigestMD5Sum(data []byte) []byte { + h := md5.New() + h.Write(data) + return h.Sum(nil) +} + +// DigestSHA1Sum uses SHA1 digest to create the key +func DigestSHA1Sum(data []byte) []byte { + h := sha1.New() + h.Write(data) + return h.Sum(nil) +} + +// DigestSHA256Sum uses SHA256 digest to create the key which is the default behaviour since OpenSSL 1.1.0c +func DigestSHA256Sum(data []byte) []byte { + h := sha256.New() + h.Write(data) + return h.Sum(nil) +} + +// pkcs7Pad appends padding. +func (o OpenSSL) pkcs7Pad(data []byte, blocklen int) ([]byte, error) { + if blocklen <= 0 { + return nil, fmt.Errorf("invalid blocklen %d", blocklen) + } + padlen := 1 + for ((len(data) + padlen) % blocklen) != 0 { + padlen = padlen + 1 + } + + pad := bytes.Repeat([]byte{byte(padlen)}, padlen) + return append(data, pad...), nil +} + +// pkcs7Unpad returns slice of the original data without padding. +func (o OpenSSL) pkcs7Unpad(data []byte, blocklen int) ([]byte, error) { + if blocklen <= 0 { + return nil, fmt.Errorf("invalid blocklen %d", blocklen) + } + if len(data)%blocklen != 0 || len(data) == 0 { + return nil, fmt.Errorf("invalid data len %d", len(data)) + } + padlen := int(data[len(data)-1]) + if padlen > blocklen || padlen == 0 { + return nil, fmt.Errorf("invalid padding") + } + pad := data[len(data)-padlen:] + for i := 0; i < padlen; i++ { + if pad[i] != byte(padlen) { + return nil, fmt.Errorf("invalid padding") + } + } + return data[:len(data)-padlen], nil +}