Please openssl with aes and cbc

mihai-dinculescu · Oct 18, 2024 · 607b416 · 607b416
1 parent 5a70742
commit 607b416
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 27 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/tapo/Cargo.toml b/tapo/Cargo.toml
@@ -34,8 +34,10 @@ tokio = { workspace = true, default-features = false, features = ["sync"] }
 uuid = { version = "1.10", features = ["serde", "v4"] }
 
 # security
+aes = "0.8"
 base16ct = { version = "0.2", features = ["alloc"] }
 base64 = "0.22"
+cbc = { version = "0.1", features = ["alloc"] }
 openssl = "0.10"
 openssl-src = "=300.2.3"
 rand = "0.8"

diff --git a/tapo/src/api/protocol/klap_cipher.rs b/tapo/src/api/protocol/klap_cipher.rs
@@ -1,6 +1,8 @@
 use std::sync::atomic::{AtomicI32, Ordering};
 
-use openssl::symm::{decrypt, encrypt, Cipher};
+use aes::cipher::{block_padding, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::Aes128;
+use cbc::{Decryptor, Encryptor};
 
 #[derive(Debug)]
 pub(super) struct KlapCipher {
@@ -29,14 +31,12 @@ impl KlapCipher {
     }
 
     pub fn encrypt(&self, data: String) -> anyhow::Result<(Vec<u8>, i32)> {
-        let seq = self.seq.fetch_add(1, Ordering::Relaxed) + 1;
+        self.seq.fetch_add(1, Ordering::Relaxed);
+        let seq = self.seq.load(Ordering::Relaxed);
+        let encryptor = Encryptor::<Aes128>::new_from_slices(&self.key, &self.iv_seq(seq))?;
 
-        let cipher_bytes = encrypt(
-            Cipher::aes_128_cbc(),
-            &self.key,
-            Some(&self.iv_seq(seq)),
-            data.as_bytes(),
-        )?;
+        let cipher_bytes =
+            encryptor.encrypt_padded_vec_mut::<block_padding::Pkcs7>(data.as_bytes());
 
         let signature = Self::sha256(
             &[
@@ -53,12 +53,11 @@ impl KlapCipher {
     }
 
     pub fn decrypt(&self, seq: i32, cipher_bytes: Vec<u8>) -> anyhow::Result<String> {
-        let decrypted_bytes = decrypt(
-            Cipher::aes_128_cbc(),
-            &self.key,
-            Some(&self.iv_seq(seq)),
-            &cipher_bytes[32..],
-        )?;
+        let decryptor = Decryptor::<Aes128>::new_from_slices(&self.key, &self.iv_seq(seq))?;
+
+        let decrypted_bytes = decryptor
+            .decrypt_padded_vec_mut::<block_padding::Pkcs7>(&cipher_bytes[32..])
+            .map_err(|e| anyhow::anyhow!("Decryption error: {:?}", e))?;
         let decrypted = std::str::from_utf8(&decrypted_bytes)?.to_string();
 
         Ok(decrypted)

diff --git a/tapo/src/api/protocol/passthrough_cipher.rs b/tapo/src/api/protocol/passthrough_cipher.rs
@@ -1,6 +1,8 @@
+use aes::cipher::{block_padding, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::Aes128;
 use base64::{engine::general_purpose, Engine as _};
+use cbc::{Decryptor, Encryptor};
 use log::debug;
-use openssl::symm::{decrypt, encrypt, Cipher};
 use rsa::pkcs8::{EncodePublicKey, LineEnding};
 use rsa::rand_core::CryptoRngCore;
 use rsa::{Pkcs1v15Encrypt, RsaPrivateKey};
@@ -54,25 +56,23 @@ impl PassthroughCipher {
     }
 
     pub fn encrypt(&self, data: &str) -> anyhow::Result<String> {
-        let cipher_bytes = encrypt(
-            Cipher::aes_128_cbc(),
-            &self.key,
-            Some(&self.iv),
-            data.as_bytes(),
-        )?;
+        let encryptor = Encryptor::<Aes128>::new_from_slices(&self.key, &self.iv)?;
+
+        let cipher_bytes =
+            encryptor.encrypt_padded_vec_mut::<block_padding::Pkcs7>(data.as_bytes());
         let cipher_base64 = general_purpose::STANDARD.encode(cipher_bytes);
 
         Ok(cipher_base64)
     }
 
     pub fn decrypt(&self, cipher_base64: &str) -> anyhow::Result<String> {
+        let decryptor = Decryptor::<Aes128>::new_from_slices(&self.key, &self.iv)?;
+
         let cipher_bytes = general_purpose::STANDARD.decode(cipher_base64)?;
-        let decrypted_bytes = decrypt(
-            Cipher::aes_128_cbc(),
-            &self.key,
-            Some(&self.iv),
-            &cipher_bytes,
-        )?;
+        let decrypted_bytes = decryptor
+            .decrypt_padded_vec_mut::<block_padding::Pkcs7>(&cipher_bytes)
+            .map_err(|e| anyhow::anyhow!("Decryption error: {:?}", e))?;
+
         let decrypted = std::str::from_utf8(&decrypted_bytes)?.to_string();
 
         Ok(decrypted)