+}
+
+gboolean bluesky_crypt_block_decrypt(gchar *cloud_block, size_t len,
+ BlueSkyCryptKeys *keys,
+ gboolean allow_unauth)
+{
+ gcry_error_t status;
+ uint8_t hmac_check[CRYPTO_HASH_SIZE];
+
+ gboolean encrypted = TRUE;
+
+ struct cloudlog_header *header = (struct cloudlog_header *)cloud_block;
+ if (memcmp(header->magic, CLOUDLOG_MAGIC,
+ sizeof(header->magic)) == 0)
+ encrypted = FALSE;
+ else
+ g_assert(memcmp(header->magic, CLOUDLOG_MAGIC_ENCRYPTED,
+ sizeof(header->magic)) == 0);
+
+ if (bluesky_options.disable_crypto) {
+ g_assert(encrypted == FALSE);
+ return TRUE;
+ }
+
+ if (encrypted != bluesky_crypt_block_needs_encryption(header->type)) {
+ g_warning("Encrypted status of item does not match expected!\n");
+ }
+
+ bluesky_crypt_hmac((char *)&header->crypt_iv,
+ cloud_block + len - (char *)&header->crypt_iv - GUINT32_FROM_LE(header->size3),
+ keys->authentication_key,
+ hmac_check);
+ if (memcmp(hmac_check, header->crypt_auth, CRYPTO_HASH_SIZE) != 0) {
+ g_warning("Cloud block HMAC does not match!");
+ if (allow_unauth
+ && (header->type == LOGTYPE_INODE_MAP + '0'
+ || header->type == LOGTYPE_CHECKPOINT + '0'))
+ {
+ g_warning("Allowing unauthenticated data from cleaner");
+ } else {
+ return FALSE;
+ }
+ }
+
+ if (encrypted) {
+ gcry_cipher_hd_t handle;
+ status = gcry_cipher_open(&handle, GCRY_CIPHER_AES,
+ GCRY_CIPHER_MODE_CTR, 0);
+ if (status) {
+ g_error("gcrypt error setting up encryption: %s\n",
+ gcry_strerror(status));
+ }
+
+ gcry_cipher_setkey(handle, keys->encryption_key, CRYPTO_KEY_SIZE);
+ if (status) {
+ g_error("gcrypt error setting key: %s\n",
+ gcry_strerror(status));
+ }
+
+ status = gcry_cipher_setctr(handle, header->crypt_iv,
+ sizeof(header->crypt_iv));
+ if (status) {
+ g_error("gcrypt error setting IV: %s\n",
+ gcry_strerror(status));
+ }
+
+ status = gcry_cipher_decrypt(handle,
+ cloud_block + sizeof(struct cloudlog_header),
+ GUINT32_FROM_LE(header->size1),
+ NULL, 0);
+ if (status) {
+ g_error("gcrypt error decrypting: %s\n",
+ gcry_strerror(status));
+ }
+ header->magic[3] ^= 0x10;
+ memset(header->crypt_iv, 0, sizeof(header->crypt_iv));
+
+ gcry_cipher_close(handle);
+ }