diff options
-rw-r--r-- | CHANGELOG.rst | 24 | ||||
-rw-r--r-- | docs/changelog-next.rst | 27 | ||||
-rw-r--r-- | docs/changelog.rst | 1 | ||||
-rw-r--r-- | docs/index.rst | 1 | ||||
-rw-r--r-- | src/leap/soledad/client/_scrypt.py | 33 | ||||
-rw-r--r-- | src/leap/soledad/client/_secrets/__init__.py | 7 | ||||
-rw-r--r-- | src/leap/soledad/client/_secrets/crypto.py | 4 | ||||
-rw-r--r-- | testing/requirements-testing.pip | 3 | ||||
-rw-r--r-- | testing/tests/client/test_crypto.py | 12 | ||||
-rw-r--r-- | testing/tox.ini | 7 |
10 files changed, 81 insertions, 38 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5c1171d5..7df072f9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,3 +1,24 @@ +Changelog +========= + +0.10.0 - `master`_ ++++++++++++++++++++++++++++++++ + +.. note:: This version is not yet released and is under active development. + +Client +~~~~~~ + +- `#8472 <https://0xacab.org/leap/soledad/issues/8472>`_: Use OpenSSL backend for scrypt if OpenSSL >= 1.1 + +Misc +~~~~ + +- Unification of Client, Server and Common in a Single python package. + + + + 0.9.6 - 31 May, 2017 +++++++++++++++++++++++++++++++ @@ -235,3 +256,6 @@ Features Bugfixes ~~~~~~~~ - `#7626 <https://leap.se/code/issues/7626>`_: Subclass a leaky leap.common.couch exception to avoid depending on couch. + + +.. _`master`: https://0xacab.org/leap/soledad diff --git a/docs/changelog-next.rst b/docs/changelog-next.rst deleted file mode 100644 index f7a90692..00000000 --- a/docs/changelog-next.rst +++ /dev/null @@ -1,27 +0,0 @@ -0.9.7 - -+++++++++++++++++++++++++++++++ - -Please add lines to this file, they will be moved to the CHANGELOG.rst during -the next release. - -There are two template lines for each category, use them as reference. - -I've added a new category `Misc` so we can track doc/style/packaging stuff. - -Features -~~~~~~~~ -- `#1234 <https://leap.se/code/issues/1234>`_: Description of the new feature corresponding with issue #1234. -- New feature without related issue number. - -Bugfixes -~~~~~~~~ -- `#1235 <https://leap.se/code/issues/1235>`_: Description for the fixed stuff corresponding with issue #1235. -- Bugfix without related issue number. - -Other -~~~~~ -- `#1236 <https://leap.se/code/issues/1236>`_: Description of the new feature corresponding with issue #1236. -- Some change without issue number. - -Known Issues -~~~~~~~~~~~~ diff --git a/docs/changelog.rst b/docs/changelog.rst new file mode 100644 index 00000000..565b0521 --- /dev/null +++ b/docs/changelog.rst @@ -0,0 +1 @@ +.. include:: ../CHANGELOG.rst diff --git a/docs/index.rst b/docs/index.rst index 0ebe1a7f..42a82a7a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -20,6 +20,7 @@ all user's devices that access a LEAP provider. incoming_box deprecation benchmarks + changelog Indices and tables ================== diff --git a/src/leap/soledad/client/_scrypt.py b/src/leap/soledad/client/_scrypt.py new file mode 100644 index 00000000..2de3ab5e --- /dev/null +++ b/src/leap/soledad/client/_scrypt.py @@ -0,0 +1,33 @@ +# -*- coding: utf-8 -*- +# _scrypt.py +# Copyright (C) 2017 LEAP Encryption Access Project +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from cryptography.hazmat.backends.interfaces import ScryptBackend +from cryptography.hazmat.backends import default_backend + +backend = default_backend() +OPENSSL_HAS_SCRYPT = isinstance(backend, ScryptBackend) + +if OPENSSL_HAS_SCRYPT: + from cryptography.hazmat.primitives.kdf.scrypt import Scrypt + + def hash(secret, salt, buflen=32): + return Scrypt(salt, buflen, 16384, 8, 1, backend).derive(secret) +else: + import scrypt + + def hash(secret, salt, buflen=32): + return scrypt.hash(secret, salt, buflen=buflen) diff --git a/src/leap/soledad/client/_secrets/__init__.py b/src/leap/soledad/client/_secrets/__init__.py index b6c81cda..c92b9905 100644 --- a/src/leap/soledad/client/_secrets/__init__.py +++ b/src/leap/soledad/client/_secrets/__init__.py @@ -16,13 +16,13 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import scrypt from leap.soledad.common.log import getLogger from leap.soledad.client._secrets.storage import SecretsStorage from leap.soledad.client._secrets.crypto import SecretsCrypto from leap.soledad.client._secrets.util import emit, UserDataMixin +from leap.soledad.client import _scrypt logger = getLogger(__name__) @@ -121,9 +121,8 @@ class Secrets(UserDataMixin): def local_key(self): # local storage key is scrypt-derived from `local_secret` and # `local_salt` above - secret = scrypt.hash( - password=self.local_secret, + return _scrypt.hash( + self.local_secret, salt=self.local_salt, buflen=32, # we need a key with 256 bits (32 bytes) ) - return secret diff --git a/src/leap/soledad/client/_secrets/crypto.py b/src/leap/soledad/client/_secrets/crypto.py index 8148151d..975b790b 100644 --- a/src/leap/soledad/client/_secrets/crypto.py +++ b/src/leap/soledad/client/_secrets/crypto.py @@ -18,13 +18,13 @@ import binascii import json import os -import scrypt from leap.soledad.common import soledad_assert from leap.soledad.common.log import getLogger from leap.soledad.client._crypto import encrypt_sym, decrypt_sym, ENC_METHOD from leap.soledad.client._secrets.util import SecretsError +from leap.soledad.client import _scrypt logger = getLogger(__name__) @@ -39,7 +39,7 @@ class SecretsCrypto(object): def _get_key(self, salt): passphrase = self._soledad.passphrase.encode('utf8') - key = scrypt.hash(passphrase, salt, buflen=32) + key = _scrypt.hash(passphrase, salt, buflen=32) return key # diff --git a/testing/requirements-testing.pip b/testing/requirements-testing.pip index a33c65ab..a80b1b34 100644 --- a/testing/requirements-testing.pip +++ b/testing/requirements-testing.pip @@ -1,2 +1,3 @@ pip -tox
\ No newline at end of file +tox +pytest-twisted diff --git a/testing/tests/client/test_crypto.py b/testing/tests/client/test_crypto.py index 11384ad7..10cccbb2 100644 --- a/testing/tests/client/test_crypto.py +++ b/testing/tests/client/test_crypto.py @@ -33,6 +33,7 @@ from cryptography.exceptions import InvalidTag from leap.soledad.common.document import SoledadDocument from test_soledad.util import BaseSoledadTest from leap.soledad.client import _crypto +from leap.soledad.client import _scrypt from twisted.trial import unittest from twisted.internet import defer @@ -46,6 +47,17 @@ snowden1 = ( "they will.") +class ScryptTest(unittest.TestCase): + + def test_scrypt(self): + secret = 'supersikret' + salt = 'randomsalt' + key = _scrypt.hash(secret, salt, buflen=32) + expected = ('47996b569ea58d51ccbcc318d710' + 'a537acd28bb7a94615ab8d061d4b2a920f01') + assert binascii.b2a_hex(key) == expected + + class AESTest(unittest.TestCase): def test_chunked_encryption(self): diff --git a/testing/tox.ini b/testing/tox.ini index bb8f0913..6a6275f3 100644 --- a/testing/tox.ini +++ b/testing/tox.ini @@ -5,8 +5,7 @@ skipsdist=True [testenv] basepython = python2.7 commands = - pip uninstall -y pysqlcipher - pip install --install-option="--bundled" pysqlcipher + pip install -I --install-option="--bundled" pysqlcipher py.test -x --ignore=tests/benchmarks \ --cov-report=html \ --cov-report=term \ @@ -25,6 +24,7 @@ deps = couchdb requests service_identity + leap.common # install soledad from current tree -e../ -e../[client] @@ -75,8 +75,7 @@ deps = commands = # use a bundled version of pysqlcipher to ensure HAVE_USLEEP is set and we # don't have problems with concurrent db access. - pip uninstall -y pysqlcipher - pip install --install-option="--bundled" pysqlcipher + pip install -I --install-option="--bundled" pysqlcipher ./check-pysqlcipher.py # and only then run benchmark py.test --benchmark-only -m 'not synchronous' {posargs} |