diff options
-rw-r--r-- | client/src/leap/soledad/client/_crypto.py | 18 | ||||
-rw-r--r-- | client/src/leap/soledad/client/api.py | 5 | ||||
-rw-r--r-- | client/src/leap/soledad/client/examples/soledad_sync.py | 2 | ||||
-rw-r--r-- | client/src/leap/soledad/client/http_target/fetch.py | 8 | ||||
-rw-r--r-- | client/src/leap/soledad/client/sqlcipher.py | 12 | ||||
-rw-r--r-- | scripts/db_access/client_side_db.py | 3 | ||||
-rw-r--r-- | scripts/docker/files/bin/client_side_db.py | 3 | ||||
-rw-r--r-- | scripts/profiling/mail/soledad_client.py | 3 | ||||
-rwxr-xr-x | scripts/profiling/sync/profile-sync.py | 1 | ||||
-rw-r--r-- | testing/test_soledad/util.py | 2 | ||||
-rw-r--r-- | testing/tests/server/test_server.py | 11 | ||||
-rw-r--r-- | testing/tests/sync/test_sqlcipher_sync.py | 4 | ||||
-rw-r--r-- | testing/tests/sync/test_sync_target.py | 4 |
13 files changed, 24 insertions, 52 deletions
diff --git a/client/src/leap/soledad/client/_crypto.py b/client/src/leap/soledad/client/_crypto.py index cee4f0f4..1492c1ab 100644 --- a/client/src/leap/soledad/client/_crypto.py +++ b/client/src/leap/soledad/client/_crypto.py @@ -28,7 +28,6 @@ import struct import time from io import BytesIO -from cStringIO import StringIO from collections import namedtuple import six @@ -36,8 +35,6 @@ import six from twisted.internet import defer from twisted.internet import interfaces from twisted.logger import Logger -from twisted.persisted import dirdbm -from twisted.web import client from twisted.web.client import FileBodyProducer from cryptography.exceptions import InvalidSignature @@ -50,8 +47,6 @@ from cryptography.hazmat.backends.openssl.backend \ from zope.interface import implements -from leap.common.config import get_path_prefix - log = Logger() @@ -241,7 +236,6 @@ class BlobDecryptor(object): raise InvalidBlob self.ciphertext.close() - current_time = int(time.time()) if not data or six.indexbytes(data, 0) != 0x80: raise InvalidBlob try: @@ -259,7 +253,6 @@ class BlobDecryptor(object): iv = data[11:27] docidlen = len(self.doc_id) ciph_idx = 26 + docidlen - doc_id = data[26:ciph_idx] revlen = len(self.rev) rev_idx = ciph_idx + 1 + revlen rev = data[ciph_idx + 1:rev_idx] @@ -313,7 +306,7 @@ class AESEncryptor(object): def end(self): if not self.done: - final = self.encryptor.finalize() + self.fd.write(self.encryptor.finalize()) self.done = True @@ -354,7 +347,7 @@ class AESDecryptor(object): if iv is None: iv = os.urandom(16) if len(key) != 32: - raise EncryptionhDecryptionError('key is not 256 bits') + raise EncryptionDecryptionError('key is not 256 bits') if len(iv) != 16: raise EncryptionDecryptionError('iv is not 128 bits') @@ -380,9 +373,12 @@ class AESDecryptor(object): def is_symmetrically_encrypted(payload): - header = base64.urlsafe_b64decode(enc[:15] + '===') + if not payload or len(payload) < 24 \ + or not payload.startswith('{"raw": "'): + return False + header = base64.urlsafe_b64decode(payload[9:24] + '==') ts, sch, meth = struct.unpack('Qbb', header[1:11]) - return sch == ENC_SCHEME.symkey + return sch == ENC_SCHEME.symkey and meth == ENC_METHOD.aes_256_ctr # utils diff --git a/client/src/leap/soledad/client/api.py b/client/src/leap/soledad/client/api.py index 8ce77d24..1f151e7d 100644 --- a/client/src/leap/soledad/client/api.py +++ b/client/src/leap/soledad/client/api.py @@ -60,7 +60,6 @@ from leap.soledad.client import sqlcipher from leap.soledad.client.secrets import SoledadSecrets from leap.soledad.client.shared_db import SoledadSharedDatabase from leap.soledad.client._crypto import SoledadCrypto -from leap.soledad.client._crypto import BlobEncryptor logger = getLogger(__name__) @@ -183,7 +182,6 @@ class Soledad(object): self._passphrase = passphrase self._local_db_path = local_db_path self._server_url = server_url - self._defer_encryption = defer_encryption self._secrets_path = None self._dbsyncer = None @@ -285,8 +283,7 @@ class Soledad(object): opts = sqlcipher.SQLCipherOptions( self._local_db_path, key, - is_raw_key=True, create=True, - defer_encryption=self._defer_encryption) + is_raw_key=True, create=True) self._sqlcipher_opts = opts self._dbpool = adbapi.getConnectionPool(opts) diff --git a/client/src/leap/soledad/client/examples/soledad_sync.py b/client/src/leap/soledad/client/examples/soledad_sync.py index 63077ee3..3aed10eb 100644 --- a/client/src/leap/soledad/client/examples/soledad_sync.py +++ b/client/src/leap/soledad/client/examples/soledad_sync.py @@ -40,7 +40,7 @@ def init_soledad(_): global soledad soledad = Soledad(uuid, _pass, secrets_path, local_db_path, server_url, cert_file, - auth_token=token, defer_encryption=False) + auth_token=token) def getall(_): d = soledad.get_all_docs() diff --git a/client/src/leap/soledad/client/http_target/fetch.py b/client/src/leap/soledad/client/http_target/fetch.py index a0c35063..5356f872 100644 --- a/client/src/leap/soledad/client/http_target/fetch.py +++ b/client/src/leap/soledad/client/http_target/fetch.py @@ -106,10 +106,10 @@ class HTTPDocFetcher(object): doc = SoledadDocument(doc_info['id'], doc_info['rev'], content) - payload = doc.content['raw'] - if is_symmetrically_encrypted(payload): - decrypted = yield self._crypto.decrypt_doc(doc) - doc.set_json(decrypted) + if is_symmetrically_encrypted(content): + content = yield self._crypto.decrypt_doc(doc) + + doc.set_json(content) # TODO insert blobs here on the blob backend self._insert_doc_cb(doc, doc_info['gen'], doc_info['trans_id']) diff --git a/client/src/leap/soledad/client/sqlcipher.py b/client/src/leap/soledad/client/sqlcipher.py index 618b17b9..bd7d2cc1 100644 --- a/client/src/leap/soledad/client/sqlcipher.py +++ b/client/src/leap/soledad/client/sqlcipher.py @@ -117,7 +117,7 @@ class SQLCipherOptions(object): @classmethod def copy(cls, source, path=None, key=None, create=None, is_raw_key=None, cipher=None, kdf_iter=None, - cipher_page_size=None, defer_encryption=None, sync_db_key=None): + cipher_page_size=None, sync_db_key=None): """ Return a copy of C{source} with parameters different than None replaced by new values. @@ -134,7 +134,7 @@ class SQLCipherOptions(object): args.append(getattr(source, name)) for name in ["create", "is_raw_key", "cipher", "kdf_iter", - "cipher_page_size", "defer_encryption", "sync_db_key"]: + "cipher_page_size", "sync_db_key"]: val = local_vars[name] if val is not None: kwargs[name] = val @@ -145,7 +145,7 @@ class SQLCipherOptions(object): def __init__(self, path, key, create=True, is_raw_key=False, cipher='aes-256-cbc', kdf_iter=4000, cipher_page_size=1024, - defer_encryption=False, sync_db_key=None): + sync_db_key=None): """ :param path: The filesystem path for the database to open. :type path: str @@ -163,10 +163,6 @@ class SQLCipherOptions(object): :type kdf_iter: int :param cipher_page_size: The page size. :type cipher_page_size: int - :param defer_encryption: - Whether to defer encryption of documents, or do it - inline while syncing. - :type defer_encryption: bool """ self.path = path self.key = key @@ -175,7 +171,6 @@ class SQLCipherOptions(object): self.cipher = cipher self.kdf_iter = kdf_iter self.cipher_page_size = cipher_page_size - self.defer_encryption = defer_encryption self.sync_db_key = sync_db_key def __str__(self): @@ -201,7 +196,6 @@ class SQLCipherDatabase(sqlite_backend.SQLitePartialExpandDatabase): """ A U1DB implementation that uses SQLCipher as its persistence layer. """ - defer_encryption = False # The attribute _index_storage_value will be used as the lookup key for the # implementation of the SQLCipher storage backend. diff --git a/scripts/db_access/client_side_db.py b/scripts/db_access/client_side_db.py index 11d72791..2acee2b5 100644 --- a/scripts/db_access/client_side_db.py +++ b/scripts/db_access/client_side_db.py @@ -133,8 +133,7 @@ def _get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file, local_db_path=local_db_path, server_url=server_url, cert_file=cert_file, - auth_token=token, - defer_encryption=True) + auth_token=token) def _get_keymanager_instance(username, provider, soledad, token, diff --git a/scripts/docker/files/bin/client_side_db.py b/scripts/docker/files/bin/client_side_db.py index 4be33d13..80da7392 100644 --- a/scripts/docker/files/bin/client_side_db.py +++ b/scripts/docker/files/bin/client_side_db.py @@ -136,8 +136,7 @@ def _get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file, local_db_path=local_db_path, server_url=server_url, cert_file=cert_file, - auth_token=token, - defer_encryption=True) + auth_token=token) def _get_keymanager_instance(username, provider, soledad, token, diff --git a/scripts/profiling/mail/soledad_client.py b/scripts/profiling/mail/soledad_client.py index 5ac8ce39..dcd605aa 100644 --- a/scripts/profiling/mail/soledad_client.py +++ b/scripts/profiling/mail/soledad_client.py @@ -30,8 +30,7 @@ class SoledadClient(object): server_url=self._server_url, cert_file=None, auth_token=self._auth_token, - secret_id=None, - defer_encryption=True) + secret_id=None) def close(self): if self._soledad is not None: diff --git a/scripts/profiling/sync/profile-sync.py b/scripts/profiling/sync/profile-sync.py index 34e66f03..1d59217a 100755 --- a/scripts/profiling/sync/profile-sync.py +++ b/scripts/profiling/sync/profile-sync.py @@ -91,7 +91,6 @@ def _get_soledad_instance_from_uuid(uuid, passphrase, basedir, server_url, server_url=server_url, cert_file=cert_file, auth_token=token, - defer_encryption=True, syncable=True) diff --git a/testing/test_soledad/util.py b/testing/test_soledad/util.py index b1965aa6..f44ce166 100644 --- a/testing/test_soledad/util.py +++ b/testing/test_soledad/util.py @@ -216,7 +216,6 @@ class BaseSoledadTest(BaseLeapTest, MockedSharedDBTest): """ Instantiates Soledad for usage in tests. """ - defer_sync_encryption = False @pytest.mark.usefixtures("method_tmpdir") def setUp(self): @@ -300,7 +299,6 @@ class BaseSoledadTest(BaseLeapTest, MockedSharedDBTest): self.tempdir, prefix, local_db_path), server_url=server_url, # Soledad will fail if not given an url cert_file=cert_file, - defer_encryption=self.defer_sync_encryption, shared_db=MockSharedDB(), auth_token=auth_token) self.addCleanup(soledad.close) diff --git a/testing/tests/server/test_server.py b/testing/tests/server/test_server.py index 6bbcf002..a7cc97d4 100644 --- a/testing/tests/server/test_server.py +++ b/testing/tests/server/test_server.py @@ -41,7 +41,7 @@ from test_soledad.util import ( BaseSoledadTest, ) -from leap.soledad.common import crypto +from leap.soledad.client import _crypto from leap.soledad.client import Soledad from leap.soledad.server.config import load_configuration from leap.soledad.server.config import CONFIG_DEFAULTS @@ -412,13 +412,8 @@ class EncryptedSyncTestCase( self.assertEqual(soldoc.doc_id, couchdoc.doc_id) self.assertEqual(soldoc.rev, couchdoc.rev) couch_content = couchdoc.content.keys() - self.assertEqual(6, len(couch_content)) - self.assertTrue(crypto.ENC_JSON_KEY in couch_content) - self.assertTrue(crypto.ENC_SCHEME_KEY in couch_content) - self.assertTrue(crypto.ENC_METHOD_KEY in couch_content) - self.assertTrue(crypto.ENC_IV_KEY in couch_content) - self.assertTrue(crypto.MAC_KEY in couch_content) - self.assertTrue(crypto.MAC_METHOD_KEY in couch_content) + self.assertEqual(['raw'], couch_content) + self.assertTrue(_crypto.is_symmetrically_encrypted(couchdoc.get_json())) d = sol1.get_all_docs() d.addCallback(_db1AssertEmptyDocList) diff --git a/testing/tests/sync/test_sqlcipher_sync.py b/testing/tests/sync/test_sqlcipher_sync.py index c3cd8444..029164eb 100644 --- a/testing/tests/sync/test_sqlcipher_sync.py +++ b/testing/tests/sync/test_sqlcipher_sync.py @@ -544,10 +544,6 @@ class SQLCipherDatabaseSyncTests( self.sync(self.db2, db3) doc3 = db3.get_doc('the-doc') - _crypto = self._soledad._crypto - decrypted = _crypto.decrypt_doc(doc3) - doc3.set_json(decrypted) - self.assertEqual(doc4.get_json(), doc3.get_json()) self.assertFalse(doc3.has_conflicts) self.db1.close() diff --git a/testing/tests/sync/test_sync_target.py b/testing/tests/sync/test_sync_target.py index 7c93cd7c..ef034142 100644 --- a/testing/tests/sync/test_sync_target.py +++ b/testing/tests/sync/test_sync_target.py @@ -71,7 +71,7 @@ class TestSoledadParseReceivedDocResponse(unittest.TestCase): doc = SoledadDocument('i', rev='r') doc.content = {'a': 'b'} - encrypted_docstr = _crypto.SoledadCrypto('').encrypt_doc(doc) + encrypted_docstr = _crypto.SoledadCrypto('safe').encrypt_doc(doc) with self.assertRaises(l2db.errors.BrokenSyncStream): self.parse("[\r\n{},\r\n]") @@ -589,9 +589,9 @@ class SoledadDatabaseSyncTargetTests( [], 'other-replica', last_known_generation=0, last_known_trans_id=None, insert_doc_cb=self.receive_doc) self.assertTransactionLog([doc.doc_id, doc.doc_id], self.db) + self.assertEqual(2, new_gen) self.assertEqual( (doc.doc_id, doc.rev, None, 2), self.other_changes[0][:-1]) - self.assertEqual(2, new_gen) if self.whitebox: self.assertEqual(self.db._last_exchange_log['return'], {'last_gen': 2, 'docs': [(doc.doc_id, doc.rev)]}) |