diff options
author | drebs <drebs@leap.se> | 2017-01-20 19:43:25 -0200 |
---|---|---|
committer | Kali Kaneko <kali@leap.se> | 2017-02-09 17:41:29 +0100 |
commit | 1aa4fa6861626bd9ece719513698ef494cc23610 (patch) | |
tree | df0065759c85b4d9a6d1d174faced33b22822b74 | |
parent | 728697634428f6a357c491cfed8860f4896f8911 (diff) |
[bug] several fixes for secrets refactor
- store ENC_METHOD value instead of string in secrets file
- allow for migration of not-activated secrets
- allow migration of 'aes256' and ENC_METHOD secrets cipher
-rw-r--r-- | client/src/leap/soledad/client/_secrets/crypto.py | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/client/src/leap/soledad/client/_secrets/crypto.py b/client/src/leap/soledad/client/_secrets/crypto.py index 88f32507..dc80cf0b 100644 --- a/client/src/leap/soledad/client/_secrets/crypto.py +++ b/client/src/leap/soledad/client/_secrets/crypto.py @@ -59,7 +59,7 @@ class SecretsCrypto(object): 'kdf': 'scrypt', 'kdf_salt': binascii.b2a_base64(salt), 'kdf_length': len(key), - 'cipher': 'aes_256_gcm', + 'cipher': ENC_METHOD.aes_256_gcm, 'length': len(plaintext), 'iv': str(iv), 'secrets': binascii.b2a_base64(ciphertext), @@ -80,17 +80,26 @@ class SecretsCrypto(object): raise SecretsError(e) def _decrypt_v1(self, data): - secret_id = data['active_secret'] + # get encrypted secret from dictionary + secret_id = data['storage_secrets'].keys().pop() encrypted = data['storage_secrets'][secret_id] - soledad_assert(encrypted['cipher'] == 'aes256') + # assert that we know how to decrypt the secret + soledad_assert('cipher' in encrypted) + cipher = encrypted['cipher'] + if cipher == 'aes256': + cipher = ENC_METHOD.aes_256_ctr + soledad_assert(cipher in ENC_METHOD) + + # decrypt salt = binascii.a2b_base64(encrypted['kdf_salt']) key = self._get_key(salt) separator = ':' iv, ciphertext = encrypted['secret'].split(separator, 1) ciphertext = binascii.a2b_base64(ciphertext) - plaintext = self._decrypt( - key, iv, ciphertext, encrypted, ENC_METHOD.aes_256_ctr) + plaintext = self._decrypt(key, iv, ciphertext, encrypted, cipher) + + # create secrets dictionary secrets = { 'remote_secret': plaintext[0:512], 'local_salt': plaintext[512:576], @@ -99,14 +108,15 @@ class SecretsCrypto(object): return secrets def _decrypt_v2(self, encrypted): - soledad_assert(encrypted['cipher'] == 'aes_256_gcm') + cipher = encrypted['cipher'] + soledad_assert(cipher in ENC_METHOD) salt = binascii.a2b_base64(encrypted['kdf_salt']) key = self._get_key(salt) iv = encrypted['iv'] ciphertext = binascii.a2b_base64(encrypted['secrets']) plaintext = self._decrypt( - key, iv, ciphertext, encrypted, ENC_METHOD.aes_256_gcm) + key, iv, ciphertext, encrypted, cipher) encoded = json.loads(plaintext) secrets = {} for name, value in encoded.iteritems(): |