Commit b022d9c8 authored by johan's avatar johan

Code style

parent 183c5c5a
......@@ -210,7 +210,7 @@ BCTBX_PUBLIC off_t bctbx_file_seek(bctbx_vfs_file_t *pFile, off_t offset, int wh
* @param pFile File handle pointer.
* @return true if the file is encrypted
*/
BCTBX_PUBLIC bool_t bctbx_file_isEncrypted(bctbx_vfs_file_t *pFile);
BCTBX_PUBLIC bool_t bctbx_file_is_encrypted(bctbx_vfs_file_t *pFile);
/**
* Set default VFS pointer pDefault to my_vfs.
......
......@@ -99,22 +99,22 @@ class VfsEncryption {
/* Object properties and methods */
private:
uint16_t m_versionNumber; /**< version number of the encryption vfs */
size_t m_chunkSize; /**< size of the file chunks payload in bytes : default is 4kB */
uint16_t mVersionNumber; /**< version number of the encryption vfs */
size_t mChunkSize; /**< size of the file chunks payload in bytes : default is 4kB */
size_t rawChunkSizeGet() const noexcept; /** return the size of a chunk including its encryption header, as stored in the raw file */
std::shared_ptr<VfsEncryptionModule> m_module; /**< one of the available encryption module : if nullptr, assume we deal with regular plain file */
size_t m_headerExtensionSize; /**< header extension size */
const std::string m_filename; /**< the filename as given to the open function */
uint64_t m_fileSize; /**< size of the plaintext file */
size_t mHeaderExtensionSize; /**< header extension size */
const std::string mFilename; /**< the filename as given to the open function */
uint64_t mFileSize; /**< size of the plaintext file */
uint64_t rawFileSizeGet() const noexcept; /**< return the size of the raw file */
uint32_t getChunkIndex(uint64_t offset) const noexcept; /**< return the chunk index where to find the given offset */
size_t getChunkOffset(uint32_t index) const noexcept; /**< return the offset in the actual file of the begining of the chunk */
std::vector<uint8_t> r_header; /**< a cache of the header - without the encryption module data */
/** flags use to communicate during differents functions involved at file opening **/
bool m_encryptExistingPlainFile; /**< when opening a plain file, if the callback set an encryption suite and key material : migrate the file */
bool m_integrityFullCheck; /**< if the file size given in the header metadata is incorrect, full check the file integrity and revrite header */
int m_accessMode; /**< the flags used to open the file, filtered on the access mode */
bool mEncryptExistingPlainFile; /**< when opening a plain file, if the callback set an encryption suite and key material : migrate the file */
bool mIntegrityFullCheck; /**< if the file size given in the header metadata is incorrect, full check the file integrity and revrite header */
int mAccessMode; /**< the flags used to open the file, filtered on the access mode */
/**
* Parse the header of an encrypted file, check everything seems correct
......
......@@ -287,7 +287,7 @@ int bctbx_file_get_nxtline(bctbx_vfs_file_t *pFile, char *s, int maxlen) {
return BCTBX_VFS_ERROR;
}
bool_t bctbx_file_isEncrypted(bctbx_vfs_file_t *pFile) {
bool_t bctbx_file_is_encrypted(bctbx_vfs_file_t *pFile) {
if (pFile && pFile->pMethods && pFile->pMethods->pFuncIsEncrypted){
return pFile->pMethods->pFuncIsEncrypted(pFile);
}
......
This diff is collapsed.
......@@ -49,40 +49,40 @@ static constexpr size_t masterKeySize=32;
/** constructor called at file creation */
VfsEM_AES256GCM_SHA256::VfsEM_AES256GCM_SHA256() :
m_RNG(std::make_shared<bctoolbox::RNG>()), // start the local RNG
m_fileSalt(m_RNG->randomize(fileSaltSize)) // generate a random file Salt
mRNG(std::make_shared<bctoolbox::RNG>()), // start the local RNG
mFileSalt(mRNG->randomize(fileSaltSize)) // generate a random file Salt
{
}
/** constructor called when opening an existing file */
VfsEM_AES256GCM_SHA256::VfsEM_AES256GCM_SHA256(const std::vector<uint8_t> &fileHeader) :
m_RNG(std::make_shared<bctoolbox::RNG>()), // start the local RNG
m_fileSalt(std::vector<uint8_t>(fileSaltSize))
mRNG(std::make_shared<bctoolbox::RNG>()), // start the local RNG
mFileSalt(std::vector<uint8_t>(fileSaltSize))
{
if (fileHeader.size() != fileHeaderSize) {
throw EVFS_EXCEPTION<<"The AES256GCM128-SHA256 encryption module expect a fileHeader of size "<<fileHeaderSize<<" bytes but "<<fileHeader.size()<<" are provided";
}
// File header Data is 32 bytes of integrity data, 16 bytes of global salt
std::copy(fileHeader.cbegin(), fileHeader.cbegin()+fileAuthTagSize, m_fileHeaderIntegrity.begin());
std::copy(fileHeader.cbegin()+fileAuthTagSize, fileHeader.cend(), m_fileSalt.begin());
std::copy(fileHeader.cbegin(), fileHeader.cbegin()+fileAuthTagSize, mFileHeaderIntegrity.begin());
std::copy(fileHeader.cbegin()+fileAuthTagSize, fileHeader.cend(), mFileSalt.begin());
}
/** destructor ensure proper cleaning of any key material **/
VfsEM_AES256GCM_SHA256::~VfsEM_AES256GCM_SHA256() {
bctbx_clean(s_masterKey.data(), s_masterKey.size());
bctbx_clean(s_fileHeaderHMACKey.data(), s_fileHeaderHMACKey.size());
bctbx_clean(sMasterKey.data(), sMasterKey.size());
bctbx_clean(sFileHeaderHMACKey.data(), sFileHeaderHMACKey.size());
}
const std::vector<uint8_t> VfsEM_AES256GCM_SHA256::getModuleFileHeader(const VfsEncryption &fileContext) const {
if (s_fileHeaderHMACKey.empty()) {
if (sFileHeaderHMACKey.empty()) {
throw EVFS_EXCEPTION<<"The AES256GCM128-SHA256 encryption module cannot generate its file header without master key";
}
// Only the actual file header is to authenticate, the module file header holds the global salt used to derive the key feed to HMAC authenticating the file header
// so it is useless to authenticate it
auto tag = HMAC<SHA256>(s_fileHeaderHMACKey, fileContext.rawHeaderGet());
auto tag = HMAC<SHA256>(sFileHeaderHMACKey, fileContext.rawHeaderGet());
// Append the actual file salt value to the tag
auto ret = m_fileSalt;
auto ret = mFileSalt;
ret.insert(ret.begin(), tag.cbegin(), tag.cend());
return ret;
}
......@@ -91,10 +91,10 @@ void VfsEM_AES256GCM_SHA256::setModuleSecretMaterial(const std::vector<uint8_t>
if (secret.size() != masterKeySize) {
throw EVFS_EXCEPTION<<"The AES256GCM128 SHA256 encryption module expect a secret material of size "<<masterKeySize<<" bytes but "<<secret.size()<<" are provided";
}
s_masterKey = secret;
sMasterKey = secret;
// Now that we have a master key, we can derive the header authentication one
s_fileHeaderHMACKey = bctoolbox::HKDF<SHA256>(m_fileSalt, s_masterKey, "EVFS file Header", masterKeySize);
sFileHeaderHMACKey = bctoolbox::HKDF<SHA256>(mFileSalt, sMasterKey, "EVFS file Header", masterKeySize);
}
/**
......@@ -106,16 +106,16 @@ void VfsEM_AES256GCM_SHA256::setModuleSecretMaterial(const std::vector<uint8_t>
* @return the AES256-GCM128 key
*/
std::vector<uint8_t> VfsEM_AES256GCM_SHA256::deriveChunkKey(uint32_t chunkIndex) {
std::vector<uint8_t> chunkSalt{m_fileSalt};
std::vector<uint8_t> chunkSalt{mFileSalt};
chunkSalt.push_back((chunkIndex>>24)&0xFF);
chunkSalt.push_back((chunkIndex>>16)&0xFF);
chunkSalt.push_back((chunkIndex>>8)&0xFF);
chunkSalt.push_back(chunkIndex&0xFF);
return bctoolbox::HKDF<SHA256>(chunkSalt, s_masterKey, "EVFS chunk", AES256GCM128::keySize());
return bctoolbox::HKDF<SHA256>(chunkSalt, sMasterKey, "EVFS chunk", AES256GCM128::keySize());
}
std::vector<uint8_t> VfsEM_AES256GCM_SHA256::decryptChunk(const uint32_t chunkIndex, const std::vector<uint8_t> &rawChunk) {
if (s_masterKey.empty()) {
if (sMasterKey.empty()) {
throw EVFS_EXCEPTION<<"No encryption Master key set, cannot decrypt";
}
......@@ -151,11 +151,11 @@ void VfsEM_AES256GCM_SHA256::encryptChunk(const uint32_t chunkIndex, std::vector
}
std::vector<uint8_t> VfsEM_AES256GCM_SHA256::encryptChunk(const uint32_t chunkIndex, const std::vector<uint8_t> &plainData) {
if (s_masterKey.empty()) {
if (sMasterKey.empty()) {
throw EVFS_EXCEPTION<<"No encryption Master key set, cannot encrypt";
}
// generate a random IV
auto IV = m_RNG->randomize(chunkIVSize);
auto IV = mRNG->randomize(chunkIVSize);
// derive the key : HKDF (fileHeaderSalt || Chunk Index, Master key, "EVFS chunk")
std::vector<uint8_t> key{deriveChunkKey(chunkIndex)};
......@@ -178,19 +178,19 @@ std::vector<uint8_t> VfsEM_AES256GCM_SHA256::encryptChunk(const uint32_t chunkIn
/**
* When this function is called, m_fileHeader holds the integrity tag read from file
* and s_fileHeaderHMACKey holds the derived key for header authentication
* and sFileHeaderHMACKey holds the derived key for header authentication
* Compute the HMAC on the whole rawfileHeader + the module header
* Check it match what we have in the m_fileHeader
*/
bool VfsEM_AES256GCM_SHA256::checkIntegrity(const VfsEncryption &fileContext) {
if (s_fileHeaderHMACKey.empty()) {
if (sFileHeaderHMACKey.empty()) {
throw EVFS_EXCEPTION<<"The AES256GCM128-SHA256 encryption module cannot generate its file header without master key";
}
// Only the actual file header is to authenticate, the module file header holds the global salt used to derive the key feed to HMAC authenticating the file header
// so it is useless to authenticate it
auto tag = HMAC<SHA256>(s_fileHeaderHMACKey, fileContext.rawHeaderGet());
auto tag = HMAC<SHA256>(sFileHeaderHMACKey, fileContext.rawHeaderGet());
return (std::equal(tag.cbegin(), tag.cend(), m_fileHeaderIntegrity.cbegin()));
return (std::equal(tag.cbegin(), tag.cend(), mFileHeaderIntegrity.cbegin()));
}
/**
* This function exists as static and non static
......
......@@ -44,18 +44,18 @@ class VfsEM_AES256GCM_SHA256 : public VfsEncryptionModule {
/**
* The local RNG
*/
std::shared_ptr<bctoolbox::RNG> m_RNG; // list it first so it is available in the constructor's init list
std::shared_ptr<bctoolbox::RNG> mRNG; // list it first so it is available in the constructor's init list
/**
* File header
*/
std::vector<uint8_t> m_fileSalt;
std::array<uint8_t, SHA256::ssize()> m_fileHeaderIntegrity;
std::vector<uint8_t> mFileSalt;
std::array<uint8_t, SHA256::ssize()> mFileHeaderIntegrity;
/** keys
*/
std::vector<uint8_t> s_masterKey; // used to derive all keys
std::vector<uint8_t> s_fileHeaderHMACKey; // used to feed HMAC integrity check on file header
std::vector<uint8_t> sMasterKey; // used to derive all keys
std::vector<uint8_t> sFileHeaderHMACKey; // used to feed HMAC integrity check on file header
/**
* Derive the key from master key for the given chunkIndex:
......
......@@ -80,28 +80,28 @@ uint32_t VfsEncryptionModuleDummy::getChunkIndex(const std::vector<uint8_t> &chu
* Get global IV. Part of IV common to all chunks
*/
std::vector<uint8_t> VfsEncryptionModuleDummy::globalIV() const {
return m_fileHeader;
return mFileHeader;
}
VfsEncryptionModuleDummy::VfsEncryptionModuleDummy() {
// this is a constant for the dummy suite to help debug, real module would do otherwise
// the fileHeader also holds a integrity part computed on the whole fileHeader in the get function
m_fileHeader = std::vector<uint8_t>{0xaa, 0x55, 0xbb, 0x44, 0xcc, 0x33, 0xdd, 0x22};
m_fileHeaderIntegrity.resize(8);
m_secret = std::vector<uint8_t>{};
mFileHeader = std::vector<uint8_t>{0xaa, 0x55, 0xbb, 0x44, 0xcc, 0x33, 0xdd, 0x22};
mFileHeaderIntegrity.resize(8);
mSecret = std::vector<uint8_t>{};
}
VfsEncryptionModuleDummy::VfsEncryptionModuleDummy(const std::vector<uint8_t> &fileHeader) {
m_secret = std::vector<uint8_t>{};
m_fileHeader.resize(8);
m_fileHeaderIntegrity.resize(8);
mSecret = std::vector<uint8_t>{};
mFileHeader.resize(8);
mFileHeaderIntegrity.resize(8);
if (fileHeader.size() != fileHeaderSize) {
throw EVFS_EXCEPTION<<"The dummy encryption module expect a fileHeader of size "<<fileHeaderSize<<" bytes but "<<fileHeader.size()<<" are provided";
}
// File header Data is 8 bytes of integrity data, 8 bytes of actual header (a global IV)
std::copy(fileHeader.cbegin(), fileHeader.cbegin()+8, m_fileHeaderIntegrity.begin());
std::copy(fileHeader.cbegin()+8, fileHeader.cend(), m_fileHeader.begin());
std::copy(fileHeader.cbegin(), fileHeader.cbegin()+8, mFileHeaderIntegrity.begin());
std::copy(fileHeader.cbegin()+8, fileHeader.cend(), mFileHeader.begin());
}
const std::vector<uint8_t> VfsEncryptionModuleDummy::getModuleFileHeader(const VfsEncryption &fileContext) const {
......@@ -112,15 +112,15 @@ const std::vector<uint8_t> VfsEncryptionModuleDummy::getModuleFileHeader(const V
header.insert(header.end(), moduleAuthentifiedPart.cbegin(), moduleAuthentifiedPart.cend());
std::vector<uint8_t> tag(8);
// Compute HMAC keyed with global key
bctbx_hmacSha256(m_secret.data(), secretMaterialSize,
bctbx_hmacSha256(mSecret.data(), secretMaterialSize,
header.data(),
header.size(),
8, // get 8 bytes out of the HMAC
tag.data());
// Append the actual file header value to the tag
tag.insert(tag.end(), m_fileHeader.cbegin(), m_fileHeader.cend());
BCTBX_SLOGD<<"get Module file header returns "<<getHex(tag)<<std::endl<<" Key "<<getHex(m_secret)<<std::endl<<" Header "<<getHex(header);
tag.insert(tag.end(), mFileHeader.cbegin(), mFileHeader.cend());
BCTBX_SLOGD<<"get Module file header returns "<<getHex(tag)<<std::endl<<" Key "<<getHex(mSecret)<<std::endl<<" Header "<<getHex(header);
return tag;
}
......@@ -128,7 +128,7 @@ void VfsEncryptionModuleDummy::setModuleSecretMaterial(const std::vector<uint8_t
if (secret.size() != secretMaterialSize) {
throw EVFS_EXCEPTION<<"The dummy encryption module expect a secret material of size "<<secretMaterialSize<<" bytes but "<<secret.size()<<" are provided";
}
m_secret = secret;
mSecret = secret;
}
std::vector<uint8_t> VfsEncryptionModuleDummy::decryptChunk(const uint32_t chunkIndex, const std::vector<uint8_t> &rawChunk) {
......@@ -148,7 +148,7 @@ std::vector<uint8_t> VfsEncryptionModuleDummy::decryptChunk(const uint32_t chunk
// The 16 bytes result is then xor with the secret material
std::vector<uint8_t> XORkey(globalIV()); // Xor key is file header material
XORkey.insert(XORkey.end(), rawChunk.cbegin()+8, rawChunk.cbegin()+chunkHeaderSize); // and chunkHeaderMaterial
std::transform(XORkey.begin(), XORkey.end(), m_secret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
std::transform(XORkey.begin(), XORkey.end(), mSecret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
BCTBX_SLOGD<<"decryptChunk :"<<std::endl<<" chunk is "<<getHex(plainData)<<std::endl<<" key is "<<getHex(XORkey);
// Xor it all, 16 bytes at a time
......@@ -190,7 +190,7 @@ void VfsEncryptionModuleDummy::encryptChunk(const uint32_t chunkIndex, std::vect
// The 16 bytes result is then xor with the secret material
std::vector<uint8_t> XORkey(globalIV()); // Xor key is file header material
XORkey.insert(XORkey.end(), rawChunk.cbegin()+8, rawChunk.cbegin()+chunkHeaderSize); // and chunkHeaderMaterial
std::transform(XORkey.begin(), XORkey.end(), m_secret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
std::transform(XORkey.begin(), XORkey.end(), mSecret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
// Xor it all, 16 bytes at a time
for (size_t i=0; i<plainData.size(); i+=16) {
......@@ -220,7 +220,7 @@ std::vector<uint8_t> VfsEncryptionModuleDummy::encryptChunk(const uint32_t chunk
// The 16 bytes result is then xor with the secret material
std::vector<uint8_t> XORkey(globalIV()); // Xor key is file header material
XORkey.insert(XORkey.end(), rawChunk.cbegin()+8, rawChunk.cbegin()+chunkHeaderSize); // and chunkHeaderMaterial
std::transform(XORkey.begin(), XORkey.end(), m_secret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
std::transform(XORkey.begin(), XORkey.end(), mSecret.cbegin(), XORkey.begin(), std::bit_xor<uint8_t>());
// Xor it all, 16 bytes at a time
for (size_t i=0; i<plainData.size(); i+=16) {
......@@ -237,9 +237,9 @@ std::vector<uint8_t> VfsEncryptionModuleDummy::encryptChunk(const uint32_t chunk
}
/**
* When this function is called, m_fileHeader holds the integrity tag in its 8 first bytes
* When this function is called, mFileHeader holds the integrity tag in its 8 first bytes
* Compute the HMAC on the whole rawfileHeader + the module header
* Check it match what we have in the m_fileHeader
* Check it match what we have in the mFileHeader
*/
bool VfsEncryptionModuleDummy::checkIntegrity(const VfsEncryption &fileContext) {
// Integrity is performed on the header only - each chunk take care of its own
......@@ -249,19 +249,19 @@ bool VfsEncryptionModuleDummy::checkIntegrity(const VfsEncryption &fileContext)
header.insert(header.end(), moduleAuthentifiedPart.cbegin(), moduleAuthentifiedPart.cend());
std::vector<uint8_t> tag(8);
// Compute HMAC keyed with global key
bctbx_hmacSha256(m_secret.data(), secretMaterialSize,
bctbx_hmacSha256(mSecret.data(), secretMaterialSize,
header.data(),
header.size(),
8, // get 8 bytes out of the HMAC
tag.data());
BCTBX_SLOGD<<"check integrity compute "<<getHex(tag)<<std::endl<<" Key "<<getHex(m_secret)<<std::endl<<" Header "<<getHex(header);
BCTBX_SLOGD<<"check integrity compute "<<getHex(tag)<<std::endl<<" Key "<<getHex(mSecret)<<std::endl<<" Header "<<getHex(header);
return (std::equal(tag.cbegin(), tag.cend(), m_fileHeaderIntegrity.cbegin()));
return (std::equal(tag.cbegin(), tag.cend(), mFileHeaderIntegrity.cbegin()));
}
std::vector<uint8_t> VfsEncryptionModuleDummy::chunkIntegrityTag(const std::vector<uint8_t> &chunk) const {
std::vector<uint8_t> tag(8);
bctbx_hmacSha256(m_secret.data(), secretMaterialSize,
bctbx_hmacSha256(mSecret.data(), secretMaterialSize,
chunk.data()+8, // compute integrity on the whole block (header included) but skip the integrity tag (8 first bytes)
chunk.size()-8,
8, // get 8 bytes out of the HMAC
......
......@@ -28,9 +28,9 @@ class VfsEncryptionModuleDummy : public VfsEncryptionModule {
/**
* Store the file header and secret
*/
std::vector<uint8_t> m_fileHeader;
std::vector<uint8_t> m_fileHeaderIntegrity;
std::vector<uint8_t> m_secret;
std::vector<uint8_t> mFileHeader;
std::vector<uint8_t> mFileHeaderIntegrity;
std::vector<uint8_t> mSecret;
/**
* Compute the integrity tag in the given chunk
......
......@@ -350,7 +350,7 @@ void migration_test(bctoolbox::EncryptionSuite suite) {
memset(readBuffer, 0, sizeof(readBuffer));
// file shall not be encrypted
BC_ASSERT_FALSE(bctbx_file_isEncrypted(fp));
BC_ASSERT_FALSE(bctbx_file_is_encrypted(fp));
// close file
bctbx_file_close(fp);
......@@ -362,7 +362,7 @@ void migration_test(bctoolbox::EncryptionSuite suite) {
BC_ASSERT_EQUAL(bctbx_file_read(fp, readBuffer, 42, 0), 42, ssize_t, "%ld");
BC_ASSERT_TRUE(memcmp(readBuffer, message, 42)==0);
// now it shall still be plain
BC_ASSERT_FALSE(bctbx_file_isEncrypted(fp));
BC_ASSERT_FALSE(bctbx_file_is_encrypted(fp));
bctbx_file_close(fp);
......@@ -375,7 +375,7 @@ void migration_test(bctoolbox::EncryptionSuite suite) {
BC_ASSERT_TRUE(memcmp(readBuffer, message, 42)==0);
// now it shall be encrypted
BC_ASSERT_TRUE(bctbx_file_isEncrypted(fp));
BC_ASSERT_TRUE(bctbx_file_is_encrypted(fp));
bctbx_file_close(fp);
// cleaning
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment