summaryrefslogtreecommitdiff
path: root/src/leap/soledad/__init__.py
diff options
context:
space:
mode:
authordrebs <drebs@leap.se>2013-05-21 17:02:54 -0300
committerdrebs <drebs@leap.se>2013-05-21 17:43:22 -0300
commitb86442d9ae23b91e81bcfa2d82ed90638f849578 (patch)
tree05811108f78caf96c1ed52b15c10b429452f7ef5 /src/leap/soledad/__init__.py
parente048f0e7e6a56e289188b02e1205fbb025cb38a6 (diff)
Increase storage secret size and use half of it to get the local storage passphrase.
Diffstat (limited to 'src/leap/soledad/__init__.py')
-rw-r--r--src/leap/soledad/__init__.py30
1 files changed, 24 insertions, 6 deletions
diff --git a/src/leap/soledad/__init__.py b/src/leap/soledad/__init__.py
index 9824c5f6..ab8c03b4 100644
--- a/src/leap/soledad/__init__.py
+++ b/src/leap/soledad/__init__.py
@@ -136,9 +136,23 @@ class Soledad(object):
The name of the file where the storage secrets will be stored.
"""
- STORAGE_SECRET_LENGTH = 512
+ GENERATED_SECRET_LENGTH = 1024
"""
- The length of the secret used for symmetric encryption.
+ The length of the generated secret used to derive keys for symmetric
+ encryption for local and remote storage.
+ """
+
+ LOCAL_STORAGE_SECRET_LENGTH = 512
+ """
+ The length of the secret used to derive a passphrase for the SQLCipher
+ database.
+ """
+
+ REMOTE_STORAGE_SECRET_LENGTH = \
+ GENERATED_SECRET_LENGTH - LOCAL_STORAGE_SECRET_LENGTH
+ """
+ The length of the secret used to derive an encryption key and a MAC auth
+ key for remote storage.
"""
SALT_LENGTH = 64
@@ -302,11 +316,15 @@ class Soledad(object):
def _init_db(self):
"""
Initialize the U1DB SQLCipher database for local storage.
+
+ The local storage passphrase is hexlified version of the last
+ C{LOCAL_STORAGE_SECRET_LENGTH} bytes of the storage secret.
"""
self._db = sqlcipher.open(
self._local_db_path,
# storage secret is binary but sqlcipher passphrase must be string
- binascii.b2a_hex(self._get_storage_secret()),
+ binascii.b2a_hex(
+ self._get_storage_secret()[self.LOCAL_STORAGE_SECRET_LENGTH:]),
create=True,
document_factory=LeapDocument,
crypto=self._crypto)
@@ -350,7 +368,7 @@ class Soledad(object):
)
# recover the initial value and ciphertext
iv, ciphertext = self._secrets[self._secret_id][self.SECRET_KEY].split(
- self.IV_SEPARATOR, 1)
+ self.IV_SEPARATOR, 1)
iv = int(iv)
ciphertext = binascii.a2b_base64(ciphertext)
return self._crypto.decrypt_sym(ciphertext, key, iv=iv)
@@ -445,7 +463,7 @@ class Soledad(object):
"""
events.signal(events.events_pb2.SOLEDAD_CREATING_KEYS, self._uuid)
# generate random secret
- secret = os.urandom(self.STORAGE_SECRET_LENGTH)
+ secret = os.urandom(self.GENERATED_SECRET_LENGTH)
secret_id = sha256(secret).hexdigest()
# generate random salt
salt = os.urandom(self.SALT_LENGTH)
@@ -481,7 +499,7 @@ class Soledad(object):
'kdf_salt': '<salt>'
'kdf_length': <len>
'cipher': 'aes256',
- 'length': 512,
+ 'length': 1024,
'secret': '<encrypted storage_secret 1>',
}
}