-rw-r--r--client/src/leap/soledad/client/_crypto.py18
-rw-r--r--client/src/leap/soledad/client/api.py5
-rw-r--r--client/src/leap/soledad/client/examples/soledad_sync.py2
-rw-r--r--client/src/leap/soledad/client/http_target/fetch.py8
-rw-r--r--client/src/leap/soledad/client/sqlcipher.py12
-rw-r--r--scripts/db_access/client_side_db.py3
-rw-r--r--scripts/docker/files/bin/client_side_db.py3
-rw-r--r--scripts/profiling/mail/soledad_client.py3
-rwxr-xr-xscripts/profiling/sync/profile-sync.py1
-rw-r--r--testing/test_soledad/util.py2
-rw-r--r--testing/tests/server/test_server.py11
-rw-r--r--testing/tests/sync/test_sqlcipher_sync.py4
-rw-r--r--testing/tests/sync/test_sync_target.py4
13 files changed, 24 insertions, 52 deletions
diff --git a/client/src/leap/soledad/client/_crypto.py b/client/src/leap/soledad/client/_crypto.py
index cee4f0f4..1492c1ab 100644
--- a/client/src/leap/soledad/client/_crypto.py
+++ b/client/src/leap/soledad/client/_crypto.py
@@ -28,7 +28,6 @@ import struct
import time
from io import BytesIO
-from cStringIO import StringIO
from collections import namedtuple
import six
@@ -36,8 +35,6 @@ import six
from twisted.internet import defer
from twisted.internet import interfaces
from twisted.logger import Logger
-from twisted.persisted import dirdbm
-from twisted.web import client
from twisted.web.client import FileBodyProducer
from cryptography.exceptions import InvalidSignature
@@ -50,8 +47,6 @@ from cryptography.hazmat.backends.openssl.backend \
from zope.interface import implements
-from leap.common.config import get_path_prefix
-
log = Logger()
@@ -241,7 +236,6 @@ class BlobDecryptor(object):
raise InvalidBlob
self.ciphertext.close()
- current_time = int(time.time())
if not data or six.indexbytes(data, 0) != 0x80:
raise InvalidBlob
try:
@@ -259,7 +253,6 @@ class BlobDecryptor(object):
iv = data[11:27]
docidlen = len(self.doc_id)
ciph_idx = 26 + docidlen
- doc_id = data[26:ciph_idx]
revlen = len(self.rev)
rev_idx = ciph_idx + 1 + revlen
rev = data[ciph_idx + 1:rev_idx]
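Review bot: The embedded document id is now skipped rather than verified: after this change the `docidlen` bytes between the IV and the revision only serve to compute `ciph_idx`, and nothing in the hunk compares them with `self.doc_id`. If the rest of the method (which continues outside the hunk) does not do that comparison, a blob that belongs to a different document id would be accepted unless that field is also covered by the authentication check. The removed slice also looks off by one relative to `iv = data[11:27]` and `rev = data[ciph_idx + 1:rev_idx]`, which suggests the id occupies `data[27:ciph_idx + 1]`; confirm the layout before adding `if data[27:ciph_idx + 1] != self.doc_id: raise InvalidBlob`.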
@@ -313,7 +306,7 @@ class AESEncryptor(object):
def end(self):
if not self.done:
- final = self.encryptor.finalize()
+ self.fd.write(self.encryptor.finalize())
self.done = True
@@ -354,7 +347,7 @@ class AESDecryptor(object):
if iv is None:
iv = os.urandom(16)
if len(key) != 32:
- raise EncryptionhDecryptionError('key is not 256 bits')
+ raise EncryptionDecryptionError('key is not 256 bits')
if len(iv) != 16:
raise EncryptionDecryptionError('iv is not 128 bits')
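Review bot: Besides the exception-name fix, the line just above the hunk falls back to `os.urandom(16)` when `iv is None`; if this constructor belongs to `AESDecryptor` as the hunk header indicates, a random IV cannot reproduce the keystream, so decryption would yield garbage instead of failing. For a decryptor that case should be rejected, e.g. `raise EncryptionDecryptionError('iv is required for decryption')`. The constructor's signature is outside the hunk, so this may be code shared with the encryptor; worth confirming before changing it.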
@@ -380,9 +373,12 @@ class AESDecryptor(object):
def is_symmetrically_encrypted(payload):
- header = base64.urlsafe_b64decode(enc[:15] + '===')
+ if not payload or len(payload) < 24 \
+ or not payload.startswith('{"raw": "'):
+ return False
+ header = base64.urlsafe_b64decode(payload[9:24] + '==')
ts, sch, meth = struct.unpack('Qbb', header[1:11])
- return sch == ENC_SCHEME.symkey
+ return sch == ENC_SCHEME.symkey and meth == ENC_METHOD.aes_256_ctr
# utils
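Review bot: `is_symmetrically_encrypted` now sniffs content received from the sync target, but a payload that passes the prefix/length guard and then fails to decode or unpack raises `TypeError`/`ValueError` from `urlsafe_b64decode` or `struct.error` from `struct.unpack` instead of returning False, turning a malformed document into an unhandled exception in the caller. Catch those and return False; `ts` is unpacked but never used. The `'{"raw": "'` prefix also ties detection to the serializer's exact spacing, which deserves a comment such as `# relies on json.dumps default separators producing '{"raw": "' — keep in sync with the encoder`.
```python
def is_symmetrically_encrypted(payload):
    # … unchanged: prefix/length guard …
    try:
        header = base64.urlsafe_b64decode(payload[9:24] + '==')
        _ts, sch, meth = struct.unpack('Qbb', header[1:11])
    except (TypeError, ValueError, struct.error):
        # truncated or non-base64 content is not one of our blobs
        return False
    return sch == ENC_SCHEME.symkey and meth == ENC_METHOD.aes_256_ctr
```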
diff --git a/client/src/leap/soledad/client/api.py b/client/src/leap/soledad/client/api.py
index 8ce77d24..1f151e7d 100644
--- a/client/src/leap/soledad/client/api.py
+++ b/client/src/leap/soledad/client/api.py
@@ -60,7 +60,6 @@ from leap.soledad.client import sqlcipher
from leap.soledad.client.secrets import SoledadSecrets
from leap.soledad.client.shared_db import SoledadSharedDatabase
from leap.soledad.client._crypto import SoledadCrypto
-from leap.soledad.client._crypto import BlobEncryptor
logger = getLogger(__name__)
@@ -183,7 +182,6 @@ class Soledad(object):
self._passphrase = passphrase
self._local_db_path = local_db_path
self._server_url = server_url
- self._defer_encryption = defer_encryption
self._secrets_path = None
self._dbsyncer = None
@@ -285,8 +283,7 @@ class Soledad(object):
opts = sqlcipher.SQLCipherOptions(
self._local_db_path, key,
- is_raw_key=True, create=True,
- defer_encryption=self._defer_encryption)
+ is_raw_key=True, create=True)
self._sqlcipher_opts = opts
self._dbpool = adbapi.getConnectionPool(opts)
diff --git a/client/src/leap/soledad/client/examples/soledad_sync.py b/client/src/leap/soledad/client/examples/soledad_sync.py
index 63077ee3..3aed10eb 100644
--- a/client/src/leap/soledad/client/examples/soledad_sync.py
+++ b/client/src/leap/soledad/client/examples/soledad_sync.py
@@ -40,7 +40,7 @@ def init_soledad(_):
global soledad
soledad = Soledad(uuid, _pass, secrets_path, local_db_path,
server_url, cert_file,
- auth_token=token, defer_encryption=False)
+ auth_token=token)
def getall(_):
d = soledad.get_all_docs()
diff --git a/client/src/leap/soledad/client/http_target/fetch.py b/client/src/leap/soledad/client/http_target/fetch.py
index a0c35063..5356f872 100644
--- a/client/src/leap/soledad/client/http_target/fetch.py
+++ b/client/src/leap/soledad/client/http_target/fetch.py
@@ -106,10 +106,10 @@ class HTTPDocFetcher(object):
doc = SoledadDocument(doc_info['id'], doc_info['rev'], content)
- payload = doc.content['raw']
- if is_symmetrically_encrypted(payload):
- decrypted = yield self._crypto.decrypt_doc(doc)
- doc.set_json(decrypted)
+ if is_symmetrically_encrypted(content):
+ content = yield self._crypto.decrypt_doc(doc)
+
+ doc.set_json(content)
# TODO insert blobs here on the blob backend
self._insert_doc_cb(doc, doc_info['gen'], doc_info['trans_id'])
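Review bot: When `is_symmetrically_encrypted(content)` is false, the received payload is inserted verbatim through `doc.set_json(content)` with no log or policy check, so a document that arrives unencrypted, or whose header the sniffer no longer recognises, is silently accepted as plaintext. If every document coming back from the server is expected to be encrypted, that branch should raise or at least warn via the module's logger before `self._insert_doc_cb(...)`. On the unencrypted path `doc.set_json(content)` also appears to re-set the same JSON the document was built from one line earlier; it could move inside the `if`. The enclosing generator starts and ends outside the hunk.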
diff --git a/client/src/leap/soledad/client/sqlcipher.py b/client/src/leap/soledad/client/sqlcipher.py
index 618b17b9..bd7d2cc1 100644
--- a/client/src/leap/soledad/client/sqlcipher.py
+++ b/client/src/leap/soledad/client/sqlcipher.py
@@ -117,7 +117,7 @@ class SQLCipherOptions(object):
@classmethod
def copy(cls, source, path=None, key=None, create=None,
is_raw_key=None, cipher=None, kdf_iter=None,
- cipher_page_size=None, defer_encryption=None, sync_db_key=None):
+ cipher_page_size=None, sync_db_key=None):
"""
Return a copy of C{source} with parameters different than None
replaced by new values.
@@ -134,7 +134,7 @@ class SQLCipherOptions(object):
args.append(getattr(source, name))
for name in ["create", "is_raw_key", "cipher", "kdf_iter",
- "cipher_page_size", "defer_encryption", "sync_db_key"]:
+ "cipher_page_size", "sync_db_key"]:
val = local_vars[name]
if val is not None:
kwargs[name] = val
@@ -145,7 +145,7 @@ class SQLCipherOptions(object):
def __init__(self, path, key, create=True, is_raw_key=False,
cipher='aes-256-cbc', kdf_iter=4000, cipher_page_size=1024,
- defer_encryption=False, sync_db_key=None):
+ sync_db_key=None):
"""
:param path: The filesystem path for the database to open.
:type path: str
@@ -163,10 +163,6 @@ class SQLCipherOptions(object):
:type kdf_iter: int
:param cipher_page_size: The page size.
:type cipher_page_size: int
- :param defer_encryption:
- Whether to defer encryption of documents, or do it
- inline while syncing.
- :type defer_encryption: bool
"""
self.path = path
self.key = key
@@ -175,7 +171,6 @@ class SQLCipherOptions(object):
self.cipher = cipher
self.kdf_iter = kdf_iter
self.cipher_page_size = cipher_page_size
- self.defer_encryption = defer_encryption
self.sync_db_key = sync_db_key
def __str__(self):
@@ -201,7 +196,6 @@ class SQLCipherDatabase(sqlite_backend.SQLitePartialExpandDatabase):
"""
A U1DB implementation that uses SQLCipher as its persistence layer.
"""
- defer_encryption = False
# The attribute _index_storage_value will be used as the lookup key for the
# implementation of the SQLCipher storage backend.
diff --git a/scripts/db_access/client_side_db.py b/scripts/db_access/client_side_db.py
index 11d72791..2acee2b5 100644
--- a/scripts/db_access/client_side_db.py
+++ b/scripts/db_access/client_side_db.py
@@ -133,8 +133,7 @@ def _get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file,
local_db_path=local_db_path,
server_url=server_url,
cert_file=cert_file,
- auth_token=token,
- defer_encryption=True)
+ auth_token=token)
def _get_keymanager_instance(username, provider, soledad, token,
diff --git a/scripts/docker/files/bin/client_side_db.py b/scripts/docker/files/bin/client_side_db.py
index 4be33d13..80da7392 100644
--- a/scripts/docker/files/bin/client_side_db.py
+++ b/scripts/docker/files/bin/client_side_db.py
@@ -136,8 +136,7 @@ def _get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file,
local_db_path=local_db_path,
server_url=server_url,
cert_file=cert_file,
- auth_token=token,
- defer_encryption=True)
+ auth_token=token)
def _get_keymanager_instance(username, provider, soledad, token,
diff --git a/scripts/profiling/mail/soledad_client.py b/scripts/profiling/mail/soledad_client.py
index 5ac8ce39..dcd605aa 100644
--- a/scripts/profiling/mail/soledad_client.py
+++ b/scripts/profiling/mail/soledad_client.py
@@ -30,8 +30,7 @@ class SoledadClient(object):
server_url=self._server_url,
cert_file=None,
auth_token=self._auth_token,
- secret_id=None,
- defer_encryption=True)
+ secret_id=None)
def close(self):
if self._soledad is not None:
diff --git a/scripts/profiling/sync/profile-sync.py b/scripts/profiling/sync/profile-sync.py
index 34e66f03..1d59217a 100755
--- a/scripts/profiling/sync/profile-sync.py
+++ b/scripts/profiling/sync/profile-sync.py
@@ -91,7 +91,6 @@ def _get_soledad_instance_from_uuid(uuid, passphrase, basedir, server_url,
server_url=server_url,
cert_file=cert_file,
auth_token=token,
- defer_encryption=True,
syncable=True)
diff --git a/testing/test_soledad/util.py b/testing/test_soledad/util.py
index b1965aa6..f44ce166 100644
--- a/testing/test_soledad/util.py
+++ b/testing/test_soledad/util.py
@@ -216,7 +216,6 @@ class BaseSoledadTest(BaseLeapTest, MockedSharedDBTest):
"""
Instantiates Soledad for usage in tests.
"""
- defer_sync_encryption = False
@pytest.mark.usefixtures("method_tmpdir")
def setUp(self):
@@ -300,7 +299,6 @@ class BaseSoledadTest(BaseLeapTest, MockedSharedDBTest):
self.tempdir, prefix, local_db_path),
server_url=server_url, # Soledad will fail if not given an url
cert_file=cert_file,
- defer_encryption=self.defer_sync_encryption,
shared_db=MockSharedDB(),
auth_token=auth_token)
self.addCleanup(soledad.close)
diff --git a/testing/tests/server/test_server.py b/testing/tests/server/test_server.py
index 6bbcf002..a7cc97d4 100644
--- a/testing/tests/server/test_server.py
+++ b/testing/tests/server/test_server.py
@@ -41,7 +41,7 @@ from test_soledad.util import (
BaseSoledadTest,
)
-from leap.soledad.common import crypto
+from leap.soledad.client import _crypto
from leap.soledad.client import Soledad
from leap.soledad.server.config import load_configuration
from leap.soledad.server.config import CONFIG_DEFAULTS
@@ -412,13 +412,8 @@ class EncryptedSyncTestCase(
self.assertEqual(soldoc.doc_id, couchdoc.doc_id)
self.assertEqual(soldoc.rev, couchdoc.rev)
couch_content = couchdoc.content.keys()
- self.assertEqual(6, len(couch_content))
- self.assertTrue(crypto.ENC_JSON_KEY in couch_content)
- self.assertTrue(crypto.ENC_SCHEME_KEY in couch_content)
- self.assertTrue(crypto.ENC_METHOD_KEY in couch_content)
- self.assertTrue(crypto.ENC_IV_KEY in couch_content)
- self.assertTrue(crypto.MAC_KEY in couch_content)
- self.assertTrue(crypto.MAC_METHOD_KEY in couch_content)
+ self.assertEqual(['raw'], couch_content)
+ self.assertTrue(_crypto.is_symmetrically_encrypted(couchdoc.get_json()))
d = sol1.get_all_docs()
d.addCallback(_db1AssertEmptyDocList)
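Review bot: `self.assertEqual(['raw'], couch_content)` compares a list with whatever `couchdoc.content.keys()` returns, which is a list on Python 2 but a `dict_keys` view on Python 3, where the assertion would fail regardless of content; since the client code imports `six`, write `self.assertEqual(['raw'], list(couch_content))`. The added `is_symmetrically_encrypted(couchdoc.get_json())` check is a good replacement for the removed key-presence assertions.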
diff --git a/testing/tests/sync/test_sqlcipher_sync.py b/testing/tests/sync/test_sqlcipher_sync.py
index c3cd8444..029164eb 100644
--- a/testing/tests/sync/test_sqlcipher_sync.py
+++ b/testing/tests/sync/test_sqlcipher_sync.py
@@ -544,10 +544,6 @@ class SQLCipherDatabaseSyncTests(
self.sync(self.db2, db3)
doc3 = db3.get_doc('the-doc')
- _crypto = self._soledad._crypto
- decrypted = _crypto.decrypt_doc(doc3)
- doc3.set_json(decrypted)
-
self.assertEqual(doc4.get_json(), doc3.get_json())
self.assertFalse(doc3.has_conflicts)
self.db1.close()
diff --git a/testing/tests/sync/test_sync_target.py b/testing/tests/sync/test_sync_target.py
index 7c93cd7c..ef034142 100644
--- a/testing/tests/sync/test_sync_target.py
+++ b/testing/tests/sync/test_sync_target.py
@@ -71,7 +71,7 @@ class TestSoledadParseReceivedDocResponse(unittest.TestCase):
doc = SoledadDocument('i', rev='r')
doc.content = {'a': 'b'}
- encrypted_docstr = _crypto.SoledadCrypto('').encrypt_doc(doc)
+ encrypted_docstr = _crypto.SoledadCrypto('safe').encrypt_doc(doc)
with self.assertRaises(l2db.errors.BrokenSyncStream):
self.parse("[\r\n{},\r\n]")
@@ -589,9 +589,9 @@ class SoledadDatabaseSyncTargetTests(
[], 'other-replica', last_known_generation=0,
last_known_trans_id=None, insert_doc_cb=self.receive_doc)
self.assertTransactionLog([doc.doc_id, doc.doc_id], self.db)
+ self.assertEqual(2, new_gen)
self.assertEqual(
(doc.doc_id, doc.rev, None, 2), self.other_changes[0][:-1])
- self.assertEqual(2, new_gen)
if self.whitebox:
self.assertEqual(self.db._last_exchange_log['return'],
{'last_gen': 2, 'docs': [(doc.doc_id, doc.rev)]})