GString *authenticated,
GString *writable);
+/* Cryptographic operations. */
+#define CRYPTO_BLOCK_SIZE 16 /* 128-bit AES */
+#define CRYPTO_KEY_SIZE 16
+#define CRYPTO_HASH_SIZE 32 /* SHA-256 */
+
+typedef struct BlueSkyCryptKeys {
+ uint8_t encryption_key[CRYPTO_KEY_SIZE];
+ uint8_t authentication_key[CRYPTO_HASH_SIZE];
+} BlueSkyCryptKeys;
+
+void bluesky_crypt_init();
+void bluesky_crypt_hash_key(const char *keystr, uint8_t *out);
+void bluesky_crypt_random_bytes(guchar *buf, gint len);
+void bluesky_crypt_derive_keys(BlueSkyCryptKeys *keys, const gchar *master);
+BlueSkyRCStr *bluesky_crypt_encrypt(BlueSkyRCStr *in, const uint8_t *key);
+BlueSkyRCStr *bluesky_crypt_decrypt(BlueSkyRCStr *in, const uint8_t *key);
+
/* Storage layer. Requests can be performed asynchronously, so these objects
* help keep track of operations in progress. */
typedef enum {
BlueSkyRCStr *bluesky_string_dup(BlueSkyRCStr *string);
void bluesky_string_resize(BlueSkyRCStr *string, gsize len);
-/* Cryptographic operations. */
-#define CRYPTO_BLOCK_SIZE 16 /* 128-bit AES */
-#define CRYPTO_KEY_SIZE 16
-#define CRYPTO_HASH_SIZE 32 /* SHA-256 */
-
-struct BlueSkyCryptKeys {
- uint8_t encryption_key[CRYPTO_KEY_SIZE];
- uint8_t authentication_key[CRYPTO_HASH_SIZE];
-};
-
-void bluesky_crypt_init();
-void bluesky_crypt_hash_key(const char *keystr, uint8_t *out);
-void bluesky_crypt_random_bytes(guchar *buf, gint len);
-BlueSkyRCStr *bluesky_crypt_encrypt(BlueSkyRCStr *in, const uint8_t *key);
-BlueSkyRCStr *bluesky_crypt_decrypt(BlueSkyRCStr *in, const uint8_t *key);
-
/* Storage interface. This presents a key-value store abstraction, and can
* have multiple implementations: in-memory, on-disk, in-cloud. */
struct _BlueSkyStore;
/* Filesystem state. Each filesystem which is exported is represented by a
* single bluesky_fs structure in memory. */
+struct BlueSkyCryptKeys;
+
typedef struct {
GMutex *lock;
BlueSkyLog *log;
BlueSkyCloudLogState *log_state;
+ /* Filesystem crypto keys */
+ char *master_key;
+ struct BlueSkyCryptKeys *keys;
+
/* Accounting for memory used for caches. Space is measured in blocks, not
* bytes. Updates to these variables must be made atomically. */
gint cache_dirty;
BlueSkyRCStr *dirty; /* if DIRTY: raw data in memory */
} BlueSkyBlock;
-BlueSkyFS *bluesky_init_fs(gchar *name, BlueSkyStore *store);
+BlueSkyFS *bluesky_init_fs(gchar *name, BlueSkyStore *store,
+ const gchar *master_key);
gboolean bluesky_inode_is_ready(BlueSkyInode *inode);
memcpy(out, raw_csum, CRYPTO_KEY_SIZE);
}
+/* Compute an HMAC of a given data block with the given key. The key and
+ * output should both as large as the hash output size. */
+#define MD_ALGO GCRY_MD_SHA256
+void bluesky_crypt_hmac(const char *buf, size_t bufsize,
+ const uint8_t key[CRYPTO_HASH_SIZE],
+ uint8_t output[CRYPTO_HASH_SIZE])
+{
+ gcry_error_t status;
+ gcry_md_hd_t handle;
+
+ g_assert(gcry_md_get_algo_dlen(MD_ALGO) == CRYPTO_HASH_SIZE);
+
+ status = gcry_md_open(&handle, MD_ALGO, GCRY_MD_FLAG_HMAC);
+ if (status) {
+ g_error("gcrypt error setting up message digest: %s\n",
+ gcry_strerror(status));
+ g_assert(FALSE);
+ }
+
+ status = gcry_md_setkey(handle, key, CRYPTO_HASH_SIZE);
+ if (status) {
+ g_error("gcrypt error setting HMAC key: %s\n",
+ gcry_strerror(status));
+ g_assert(FALSE);
+ }
+
+ gcry_md_write(handle, buf, bufsize);
+
+ unsigned char *digest = gcry_md_read(handle, MD_ALGO);
+ memcpy(output, digest, CRYPTO_HASH_SIZE);
+
+ gcry_md_close(handle);
+}
+
+void bluesky_crypt_derive_keys(BlueSkyCryptKeys *keys, const gchar *master)
+{
+ uint8_t outbuf[CRYPTO_HASH_SIZE];
+
+ const char *key_type = "ENCRYPT";
+ bluesky_crypt_hmac(key_type, strlen(key_type),
+ (const uint8_t *)master, outbuf);
+ memcpy(keys->encryption_key, outbuf, sizeof(keys->encryption_key));
+
+ key_type = "AUTH";
+ bluesky_crypt_hmac(key_type, strlen(key_type),
+ (const uint8_t *)master, outbuf);
+ memcpy(keys->authentication_key, outbuf, sizeof(keys->authentication_key));
+}
+
+void bluesky_crypt_block_encrypt(gchar *cloud_block, size_t len,
+ BlueSkyCryptKeys *keys)
+{
+ gcry_error_t status;
+ gcry_cipher_hd_t handle;
+
+ status = gcry_cipher_open(&handle, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
+ 0);
+ if (status) {
+ g_error("gcrypt error setting up encryption: %s\n",
+ gcry_strerror(status));
+ }
+
+ struct cloudlog_header *header = (struct cloudlog_header *)cloud_block;
+ g_assert(memcmp(header->magic, CLOUDLOG_MAGIC, sizeof(header->magic)) == 0);
+
+ gcry_cipher_setkey(handle, keys->encryption_key, CRYPTO_KEY_SIZE);
+ if (status) {
+ g_error("gcrypt error setting key: %s\n",
+ gcry_strerror(status));
+ }
+
+ bluesky_crypt_random_bytes(header->crypt_iv, sizeof(header->crypt_iv));
+ status = gcry_cipher_setctr(handle, header->crypt_iv,
+ sizeof(header->crypt_iv));
+ if (status) {
+ g_error("gcrypt error setting IV: %s\n",
+ gcry_strerror(status));
+ }
+
+ status = gcry_cipher_encrypt(handle,
+ cloud_block + sizeof(struct cloudlog_header),
+ GUINT32_FROM_LE(header->size1),
+ NULL, 0);
+ if (status) {
+ g_error("gcrypt error encrypting: %s\n",
+ gcry_strerror(status));
+ }
+
+ bluesky_crypt_hmac((char *)&header->crypt_iv,
+ cloud_block + len - (char *)&header->crypt_iv,
+ keys->authentication_key,
+ header->crypt_auth);
+}
+
+#if 0
/* Encrypt a data block. */
BlueSkyRCStr *bluesky_crypt_encrypt(BlueSkyRCStr *in, const uint8_t *key)
{
return bluesky_string_new(out, in->len - CRYPTO_BLOCK_SIZE);
}
+#endif
projects / bluesky.git / commitdiff