From 0f822e6b75e842bbc086cbcbdd096316533ca7ca Mon Sep 17 00:00:00 2001 From: drebs Date: Tue, 21 May 2013 16:45:32 -0300 Subject: Change symmetric encryption scheme to use AES256. --- src/leap/soledad/crypto.py | 64 +++++++++++++++-------------------- src/leap/soledad/tests/test_crypto.py | 48 +++----------------------- 2 files changed, 31 insertions(+), 81 deletions(-) (limited to 'src') diff --git a/src/leap/soledad/crypto.py b/src/leap/soledad/crypto.py index d0e2c720..0a459293 100644 --- a/src/leap/soledad/crypto.py +++ b/src/leap/soledad/crypto.py @@ -25,7 +25,7 @@ import hmac import hashlib -from leap.common.keymanager import openpgp +from leap.common import crypto class NoSymmetricSecret(Exception): @@ -49,56 +49,46 @@ class SoledadCrypto(object): @type soledad: leap.soledad.Soledad """ self._soledad = soledad - self._pgp = openpgp.OpenPGPScheme(self._soledad) - def encrypt_sym(self, data, passphrase): + def encrypt_sym(self, data, key, + method=crypto.EncryptionMethods.AES_256_CTR): """ Encrypt C{data} using a {password}. - @param data: the data to be encrypted + Currently, the only encryption method supported is AES-256 CTR mode. + + @param data: The data to be encrypted. @type data: str - @param passphrase: the passphrase to use for encryption - @type passphrase: str + @param key: The key used to encrypt C{data} (must be 256 bits long). + @type key: str + @param method: The encryption method to use. + @type method: str - @return: the encrypted data - @rtype: str + @return: A tuple with the initial value and the encrypted data. + @rtype: (long, str) """ - return openpgp.encrypt_sym(data, passphrase) + return crypto.encrypt_sym(data, key, method) - def decrypt_sym(self, data, passphrase): + def decrypt_sym(self, data, key, + method=crypto.EncryptionMethods.AES_256_CTR, **kwargs): """ Decrypt data using symmetric secret. - @param data: the data to be decrypted - @type data: str - @param passphrase: the passphrase to use for decryption - @type passphrase: str - - @return: the decrypted data - @rtype: str - """ - return openpgp.decrypt_sym(data, passphrase) - - def is_encrypted(self, data): - """ - Test whether some chunk of data is a cyphertext. + Currently, the only encryption method supported is AES-256 CTR mode. - @param data: the data to be tested + @param data: The data to be decrypted. @type data: str - - @return: whether the data is a cyphertext - @rtype: bool - """ - return openpgp.is_encrypted(data) - - def is_encrypted_sym(self, data): - """ - Test whether some chunk of data was encrypted with a symmetric key. - - @return: whether data is encrypted to a symmetric key - @rtype: bool + @param key: The key used to decrypt C{data} (must be 256 bits long). + @type key: str + @param method: The encryption method to use. + @type method: str + @param kwargs: Other parameters specific to each encryption method. + @type kwargs: dict + + @return: The decrypted data. + @rtype: str """ - return openpgp.is_encrypted_sym(data) + return crypto.decrypt_sym(data, key, method, **kwargs) def doc_passphrase(self, doc_id): """ diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py index 9a219bd0..4c57e023 100644 --- a/src/leap/soledad/tests/test_crypto.py +++ b/src/leap/soledad/tests/test_crypto.py @@ -85,19 +85,6 @@ class EncryptedSyncTestCase(BaseSoledadTest): self.assertEqual( simpledoc, doc1.content, 'incorrect document encryption') - def test_encrypt_sym(self): - """ - Test for successful symmetric encryption. - """ - doc1 = LeapDocument() - doc1.content = {'key': 'val'} - enc_json = json.loads( - encrypt_doc(self._soledad._crypto, doc1))[ENC_JSON_KEY] - self.assertEqual( - True, - self._soledad._crypto.is_encrypted_sym(enc_json), - "could not encrypt with passphrase.") - #from leap.soledad.server import SoledadApp, SoledadAuthMiddleware # @@ -192,7 +179,7 @@ class EncryptedSyncTestCase(BaseSoledadTest): class RecoveryDocumentTestCase(BaseSoledadTest): def test_export_recovery_document_raw(self): - rd = json.loads(self._soledad.export_recovery_document(None)) + rd = json.loads(self._soledad.export_recovery_document()) secret_id = rd[self._soledad.STORAGE_SECRETS_KEY].items()[0][0] secret = rd[self._soledad.STORAGE_SECRETS_KEY][secret_id] self.assertEqual(secret_id, self._soledad._secret_id) @@ -202,27 +189,10 @@ class RecoveryDocumentTestCase(BaseSoledadTest): self.assertTrue(self._soledad.LENGTH_KEY in secret) self.assertTrue(self._soledad.SECRET_KEY in secret) - def test_export_recovery_document_crypt(self): - rd = self._soledad.export_recovery_document('123456') - self.assertEqual(True, - self._soledad._crypto.is_encrypted_sym(rd)) - data = { - self._soledad.UUID_KEY: self._soledad._uuid, - self._soledad.STORAGE_SECRETS_KEY: self._soledad._secrets, - } - raw_data = json.loads(self._soledad._crypto.decrypt_sym( - rd, - passphrase='123456')) - self.assertEqual( - raw_data, - data, - "Could not export raw recovery document." - ) - - def test_import_recovery_document_raw(self): + def test_import_recovery_document(self): rd = self._soledad.export_recovery_document(None) s = self._soledad_instance(user='anotheruser@leap.se', prefix='/2') - s.import_recovery_document(rd, None) + s.import_recovery_document(rd) s._set_secret_id(self._soledad._secret_id) self.assertEqual(self._soledad._uuid, s._uuid, 'Failed setting user uuid.') @@ -230,16 +200,6 @@ class RecoveryDocumentTestCase(BaseSoledadTest): s._get_storage_secret(), 'Failed settinng secret for symmetric encryption.') - def test_import_recovery_document_crypt(self): - rd = self._soledad.export_recovery_document('123456') - s = self._soledad_instance(user='anotheruser@leap.se', prefix='3') - s.import_recovery_document(rd, '123456') - self.assertEqual(self._soledad._uuid, - s._uuid, 'Failed setting user uuid.') - self.assertEqual(self._soledad._get_storage_secret(), - s._get_storage_secret(), - 'Failed settinng secret for symmetric encryption.') - class CryptoMethodsTestCase(BaseSoledadTest): @@ -263,7 +223,7 @@ class MacAuthTestCase(BaseSoledadTest): self.assertTrue(MAC_KEY in doc.content) self.assertTrue(MAC_METHOD_KEY in doc.content) # mess with MAC - doc.content[MAC_KEY] = 'wrongmac' + doc.content[MAC_KEY] = '1234567890ABCDEF' # try to decrypt doc self.assertRaises( WrongMac, -- cgit v1.2.3