summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordrebs <drebs@leap.se>2013-05-21 16:45:32 -0300
committerdrebs <drebs@leap.se>2013-05-21 17:43:20 -0300
commit0f822e6b75e842bbc086cbcbdd096316533ca7ca (patch)
treec9cbb510acc357804eb99401064ded73fe93be79
parente9c65f1aab207ea663561946d2733d9741ca4733 (diff)
Change symmetric encryption scheme to use AES256.
-rw-r--r--src/leap/soledad/crypto.py64
-rw-r--r--src/leap/soledad/tests/test_crypto.py48
2 files changed, 31 insertions, 81 deletions
diff --git a/src/leap/soledad/crypto.py b/src/leap/soledad/crypto.py
index d0e2c720..0a459293 100644
--- a/src/leap/soledad/crypto.py
+++ b/src/leap/soledad/crypto.py
@@ -25,7 +25,7 @@ import hmac
import hashlib
-from leap.common.keymanager import openpgp
+from leap.common import crypto
class NoSymmetricSecret(Exception):
@@ -49,56 +49,46 @@ class SoledadCrypto(object):
@type soledad: leap.soledad.Soledad
"""
self._soledad = soledad
- self._pgp = openpgp.OpenPGPScheme(self._soledad)
- def encrypt_sym(self, data, passphrase):
+ def encrypt_sym(self, data, key,
+ method=crypto.EncryptionMethods.AES_256_CTR):
"""
Encrypt C{data} using a {password}.
- @param data: the data to be encrypted
+ Currently, the only encryption method supported is AES-256 CTR mode.
+
+ @param data: The data to be encrypted.
@type data: str
- @param passphrase: the passphrase to use for encryption
- @type passphrase: str
+ @param key: The key used to encrypt C{data} (must be 256 bits long).
+ @type key: str
+ @param method: The encryption method to use.
+ @type method: str
- @return: the encrypted data
- @rtype: str
+ @return: A tuple with the initial value and the encrypted data.
+ @rtype: (long, str)
"""
- return openpgp.encrypt_sym(data, passphrase)
+ return crypto.encrypt_sym(data, key, method)
- def decrypt_sym(self, data, passphrase):
+ def decrypt_sym(self, data, key,
+ method=crypto.EncryptionMethods.AES_256_CTR, **kwargs):
"""
Decrypt data using symmetric secret.
- @param data: the data to be decrypted
- @type data: str
- @param passphrase: the passphrase to use for decryption
- @type passphrase: str
-
- @return: the decrypted data
- @rtype: str
- """
- return openpgp.decrypt_sym(data, passphrase)
-
- def is_encrypted(self, data):
- """
- Test whether some chunk of data is a cyphertext.
+ Currently, the only encryption method supported is AES-256 CTR mode.
- @param data: the data to be tested
+ @param data: The data to be decrypted.
@type data: str
-
- @return: whether the data is a cyphertext
- @rtype: bool
- """
- return openpgp.is_encrypted(data)
-
- def is_encrypted_sym(self, data):
- """
- Test whether some chunk of data was encrypted with a symmetric key.
-
- @return: whether data is encrypted to a symmetric key
- @rtype: bool
+ @param key: The key used to decrypt C{data} (must be 256 bits long).
+ @type key: str
+ @param method: The encryption method to use.
+ @type method: str
+ @param kwargs: Other parameters specific to each encryption method.
+ @type kwargs: dict
+
+ @return: The decrypted data.
+ @rtype: str
"""
- return openpgp.is_encrypted_sym(data)
+ return crypto.decrypt_sym(data, key, method, **kwargs)
def doc_passphrase(self, doc_id):
"""
diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py
index 9a219bd0..4c57e023 100644
--- a/src/leap/soledad/tests/test_crypto.py
+++ b/src/leap/soledad/tests/test_crypto.py
@@ -85,19 +85,6 @@ class EncryptedSyncTestCase(BaseSoledadTest):
self.assertEqual(
simpledoc, doc1.content, 'incorrect document encryption')
- def test_encrypt_sym(self):
- """
- Test for successful symmetric encryption.
- """
- doc1 = LeapDocument()
- doc1.content = {'key': 'val'}
- enc_json = json.loads(
- encrypt_doc(self._soledad._crypto, doc1))[ENC_JSON_KEY]
- self.assertEqual(
- True,
- self._soledad._crypto.is_encrypted_sym(enc_json),
- "could not encrypt with passphrase.")
-
#from leap.soledad.server import SoledadApp, SoledadAuthMiddleware
#
@@ -192,7 +179,7 @@ class EncryptedSyncTestCase(BaseSoledadTest):
class RecoveryDocumentTestCase(BaseSoledadTest):
def test_export_recovery_document_raw(self):
- rd = json.loads(self._soledad.export_recovery_document(None))
+ rd = json.loads(self._soledad.export_recovery_document())
secret_id = rd[self._soledad.STORAGE_SECRETS_KEY].items()[0][0]
secret = rd[self._soledad.STORAGE_SECRETS_KEY][secret_id]
self.assertEqual(secret_id, self._soledad._secret_id)
@@ -202,27 +189,10 @@ class RecoveryDocumentTestCase(BaseSoledadTest):
self.assertTrue(self._soledad.LENGTH_KEY in secret)
self.assertTrue(self._soledad.SECRET_KEY in secret)
- def test_export_recovery_document_crypt(self):
- rd = self._soledad.export_recovery_document('123456')
- self.assertEqual(True,
- self._soledad._crypto.is_encrypted_sym(rd))
- data = {
- self._soledad.UUID_KEY: self._soledad._uuid,
- self._soledad.STORAGE_SECRETS_KEY: self._soledad._secrets,
- }
- raw_data = json.loads(self._soledad._crypto.decrypt_sym(
- rd,
- passphrase='123456'))
- self.assertEqual(
- raw_data,
- data,
- "Could not export raw recovery document."
- )
-
- def test_import_recovery_document_raw(self):
+ def test_import_recovery_document(self):
rd = self._soledad.export_recovery_document(None)
s = self._soledad_instance(user='anotheruser@leap.se', prefix='/2')
- s.import_recovery_document(rd, None)
+ s.import_recovery_document(rd)
s._set_secret_id(self._soledad._secret_id)
self.assertEqual(self._soledad._uuid,
s._uuid, 'Failed setting user uuid.')
@@ -230,16 +200,6 @@ class RecoveryDocumentTestCase(BaseSoledadTest):
s._get_storage_secret(),
'Failed settinng secret for symmetric encryption.')
- def test_import_recovery_document_crypt(self):
- rd = self._soledad.export_recovery_document('123456')
- s = self._soledad_instance(user='anotheruser@leap.se', prefix='3')
- s.import_recovery_document(rd, '123456')
- self.assertEqual(self._soledad._uuid,
- s._uuid, 'Failed setting user uuid.')
- self.assertEqual(self._soledad._get_storage_secret(),
- s._get_storage_secret(),
- 'Failed settinng secret for symmetric encryption.')
-
class CryptoMethodsTestCase(BaseSoledadTest):
@@ -263,7 +223,7 @@ class MacAuthTestCase(BaseSoledadTest):
self.assertTrue(MAC_KEY in doc.content)
self.assertTrue(MAC_METHOD_KEY in doc.content)
# mess with MAC
- doc.content[MAC_KEY] = 'wrongmac'
+ doc.content[MAC_KEY] = '1234567890ABCDEF'
# try to decrypt doc
self.assertRaises(
WrongMac,