From 0f822e6b75e842bbc086cbcbdd096316533ca7ca Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Tue, 21 May 2013 16:45:32 -0300
Subject: Change symmetric encryption scheme to use AES256.

---
 src/leap/soledad/crypto.py            | 64 +++++++++++++++--------------------
 src/leap/soledad/tests/test_crypto.py | 48 +++-----------------------
 2 files changed, 31 insertions(+), 81 deletions(-)

diff --git a/src/leap/soledad/crypto.py b/src/leap/soledad/crypto.py
index d0e2c720..0a459293 100644
--- a/src/leap/soledad/crypto.py
+++ b/src/leap/soledad/crypto.py
@@ -25,7 +25,7 @@ import hmac
 import hashlib
 
 
-from leap.common.keymanager import openpgp
+from leap.common import crypto
 
 
 class NoSymmetricSecret(Exception):
@@ -49,56 +49,46 @@ class SoledadCrypto(object):
         @type soledad: leap.soledad.Soledad
         """
         self._soledad = soledad
-        self._pgp = openpgp.OpenPGPScheme(self._soledad)
 
-    def encrypt_sym(self, data, passphrase):
+    def encrypt_sym(self, data, key,
+                    method=crypto.EncryptionMethods.AES_256_CTR):
         """
         Encrypt C{data} using a {password}.
 
-        @param data: the data to be encrypted
+        Currently, the only  encryption method supported is AES-256 CTR mode.
+
+        @param data: The data to be encrypted.
         @type data: str
-        @param passphrase: the passphrase to use for encryption
-        @type passphrase: str
+        @param key: The key used to encrypt C{data} (must be 256 bits long).
+        @type key: str
+        @param method: The encryption method to use.
+        @type method: str
 
-        @return: the encrypted data
-        @rtype: str
+        @return: A tuple with the initial value and the encrypted data.
+        @rtype: (long, str)
         """
-        return openpgp.encrypt_sym(data, passphrase)
+        return crypto.encrypt_sym(data, key, method)
 
-    def decrypt_sym(self, data, passphrase):
+    def decrypt_sym(self, data, key,
+                    method=crypto.EncryptionMethods.AES_256_CTR, **kwargs):
         """
         Decrypt data using symmetric secret.
 
-        @param data: the data to be decrypted
-        @type data: str
-        @param passphrase: the passphrase to use for decryption
-        @type passphrase: str
-
-        @return: the decrypted data
-        @rtype: str
-        """
-        return openpgp.decrypt_sym(data, passphrase)
-
-    def is_encrypted(self, data):
-        """
-        Test whether some chunk of data is a cyphertext.
+        Currently, the only encryption method supported is AES-256 CTR mode.
 
-        @param data: the data to be tested
+        @param data: The data to be decrypted.
         @type data: str
-
-        @return: whether the data is a cyphertext
-        @rtype: bool
-        """
-        return openpgp.is_encrypted(data)
-
-    def is_encrypted_sym(self, data):
-        """
-        Test whether some chunk of data was encrypted with a symmetric key.
-
-        @return: whether data is encrypted to a symmetric key
-        @rtype: bool
+        @param key: The key used to decrypt C{data} (must be 256 bits long).
+        @type key: str
+        @param method: The encryption method to use.
+        @type method: str
+        @param kwargs: Other parameters specific to each encryption method.
+        @type kwargs: dict
+
+        @return: The decrypted data.
+        @rtype: str
         """
-        return openpgp.is_encrypted_sym(data)
+        return crypto.decrypt_sym(data, key, method, **kwargs)
 
     def doc_passphrase(self, doc_id):
         """
diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py
index 9a219bd0..4c57e023 100644
--- a/src/leap/soledad/tests/test_crypto.py
+++ b/src/leap/soledad/tests/test_crypto.py
@@ -85,19 +85,6 @@ class EncryptedSyncTestCase(BaseSoledadTest):
         self.assertEqual(
             simpledoc, doc1.content, 'incorrect document encryption')
 
-    def test_encrypt_sym(self):
-        """
-        Test for successful symmetric encryption.
-        """
-        doc1 = LeapDocument()
-        doc1.content = {'key': 'val'}
-        enc_json = json.loads(
-            encrypt_doc(self._soledad._crypto, doc1))[ENC_JSON_KEY]
-        self.assertEqual(
-            True,
-            self._soledad._crypto.is_encrypted_sym(enc_json),
-            "could not encrypt with passphrase.")
-
 
 #from leap.soledad.server import SoledadApp, SoledadAuthMiddleware
 #
@@ -192,7 +179,7 @@ class EncryptedSyncTestCase(BaseSoledadTest):
 class RecoveryDocumentTestCase(BaseSoledadTest):
 
     def test_export_recovery_document_raw(self):
-        rd = json.loads(self._soledad.export_recovery_document(None))
+        rd = json.loads(self._soledad.export_recovery_document())
         secret_id = rd[self._soledad.STORAGE_SECRETS_KEY].items()[0][0]
         secret = rd[self._soledad.STORAGE_SECRETS_KEY][secret_id]
         self.assertEqual(secret_id, self._soledad._secret_id)
@@ -202,27 +189,10 @@ class RecoveryDocumentTestCase(BaseSoledadTest):
         self.assertTrue(self._soledad.LENGTH_KEY in secret)
         self.assertTrue(self._soledad.SECRET_KEY in secret)
 
-    def test_export_recovery_document_crypt(self):
-        rd = self._soledad.export_recovery_document('123456')
-        self.assertEqual(True,
-                         self._soledad._crypto.is_encrypted_sym(rd))
-        data = {
-            self._soledad.UUID_KEY: self._soledad._uuid,
-            self._soledad.STORAGE_SECRETS_KEY: self._soledad._secrets,
-        }
-        raw_data = json.loads(self._soledad._crypto.decrypt_sym(
-            rd,
-            passphrase='123456'))
-        self.assertEqual(
-            raw_data,
-            data,
-            "Could not export raw recovery document."
-        )
-
-    def test_import_recovery_document_raw(self):
+    def test_import_recovery_document(self):
         rd = self._soledad.export_recovery_document(None)
         s = self._soledad_instance(user='anotheruser@leap.se', prefix='/2')
-        s.import_recovery_document(rd, None)
+        s.import_recovery_document(rd)
         s._set_secret_id(self._soledad._secret_id)
         self.assertEqual(self._soledad._uuid,
                          s._uuid, 'Failed setting user uuid.')
@@ -230,16 +200,6 @@ class RecoveryDocumentTestCase(BaseSoledadTest):
                          s._get_storage_secret(),
                          'Failed settinng secret for symmetric encryption.')
 
-    def test_import_recovery_document_crypt(self):
-        rd = self._soledad.export_recovery_document('123456')
-        s = self._soledad_instance(user='anotheruser@leap.se', prefix='3')
-        s.import_recovery_document(rd, '123456')
-        self.assertEqual(self._soledad._uuid,
-                         s._uuid, 'Failed setting user uuid.')
-        self.assertEqual(self._soledad._get_storage_secret(),
-                         s._get_storage_secret(),
-                         'Failed settinng secret for symmetric encryption.')
-
 
 class CryptoMethodsTestCase(BaseSoledadTest):
 
@@ -263,7 +223,7 @@ class MacAuthTestCase(BaseSoledadTest):
         self.assertTrue(MAC_KEY in doc.content)
         self.assertTrue(MAC_METHOD_KEY in doc.content)
         # mess with MAC
-        doc.content[MAC_KEY] = 'wrongmac'
+        doc.content[MAC_KEY] = '1234567890ABCDEF'
         # try to decrypt doc
         self.assertRaises(
             WrongMac,
-- 
cgit v1.2.3