Add per-item encryption/authentication to the cloud log storage.

[bluesky.git] / bluesky / cloudlog.c

diff --git a/bluesky/cloudlog.c b/bluesky/cloudlog.c
index ec168e8..142104f 100644 (file)
--- a/bluesky/cloudlog.c
+++ b/bluesky/cloudlog.c
@@ -463,6 +463,7 @@ void bluesky_cloudlog_flush(BlueSkyFS *fs)
 
     g_print("Serializing %zd bytes of data to cloud\n", state->data->len);
     SerializedRecord *record = g_new0(SerializedRecord, 1);
+    bluesky_cloudlog_encrypt(state->data, fs->keys);
     record->data = bluesky_string_new_from_gstring(state->data);
     record->items = state->writeback_list;
     record->lock = g_mutex_new();
@@ -488,3 +489,51 @@ void bluesky_cloudlog_flush(BlueSkyFS *fs)
     state->location.offset = 0;
     state->data = g_string_new("");
 }
+
+/* Make an encryption pass over a cloud log segment to encrypt private data in
+ * it. */
+void bluesky_cloudlog_encrypt(GString *segment, BlueSkyCryptKeys *keys)
+{
+    char *data = segment->str;
+    size_t remaining_size = segment->len;
+
+    while (remaining_size >= sizeof(struct cloudlog_header)) {
+        struct cloudlog_header *header = (struct cloudlog_header *)data;
+        size_t item_size = sizeof(struct cloudlog_header)
+                           + GUINT32_FROM_LE(header->size1)
+                           + GUINT32_FROM_LE(header->size2)
+                           + GUINT32_FROM_LE(header->size3);
+        if (item_size > remaining_size)
+            break;
+        bluesky_crypt_block_encrypt(data, item_size, keys);
+
+        data += item_size;
+        remaining_size -= item_size;
+    }
+}
+
+/* Make an decryption pass over a cloud log segment to decrypt items which were
+ * encrypted.  TODO: Also computes a list of all offsets which at which valid
+ * cloud log items are found. */
+void bluesky_cloudlog_decrypt(char *segment, size_t len, BlueSkyCryptKeys *keys)
+{
+    char *data = segment;
+    size_t remaining_size = len;
+
+    while (remaining_size >= sizeof(struct cloudlog_header)) {
+        struct cloudlog_header *header = (struct cloudlog_header *)data;
+        size_t item_size = sizeof(struct cloudlog_header)
+                           + GUINT32_FROM_LE(header->size1)
+                           + GUINT32_FROM_LE(header->size2)
+                           + GUINT32_FROM_LE(header->size3);
+        if (item_size > remaining_size)
+            break;
+        if (bluesky_crypt_block_decrypt(data, item_size, keys)) {
+            g_print("Decrypted valid cloud log item at offset %zd\n",
+                    data - segment);
+        }
+
+        data += item_size;
+        remaining_size -= item_size;
+    }
+}