git-annex/Crypto.hs

{- git-annex crypto
 -
 - Currently using gpg; could later be modified to support different
 - crypto backends if neccessary.
 -
 - Copyright 2011-2012 Joey Hess <joey@kitenet.net>
 -
 - Licensed under the GNU GPL version 3 or higher.
 -}

module Crypto (
	Cipher,
	KeyIds(..),
	StorableCipher(..),
	genEncryptedCipher,
	genSharedCipher,
	updateEncryptedCipher,
	describeCipher,
	decryptCipher,		
	encryptKey,
	withEncryptedHandle,
	withDecryptedHandle,
	withEncryptedContent,
	withDecryptedContent,

	prop_hmacWithCipher_sane
) where

import qualified Data.ByteString.Lazy.Char8 as L
import Data.ByteString.Lazy.UTF8 (fromString)
import Data.Digest.Pure.SHA
import Control.Applicative

import Common.Annex
import qualified Utility.Gpg as Gpg
import Types.Key
import Types.Crypto

{- The first half of a Cipher is used for HMAC; the remainder
 - is used as the GPG symmetric encryption passphrase.
 -
 - HMAC SHA1 needs only 64 bytes. The remainder is for expansion,
 - perhaps to HMAC SHA512, which needs 128 bytes (ideally).
 -
 - 256 is enough for gpg's symetric cipher; unlike weaker public key
 - crypto, the key does not need to be too large.
 -}
cipherHalf :: Int
cipherHalf = 256

cipherSize :: Int
cipherSize = cipherHalf * 2

cipherPassphrase :: Cipher -> String
cipherPassphrase (Cipher c) = drop cipherHalf c

cipherHmac :: Cipher -> String
cipherHmac (Cipher c) = take cipherHalf c

{- Creates a new Cipher, encrypted to the specificed key id. -}
genEncryptedCipher :: String -> IO StorableCipher
genEncryptedCipher keyid = do
	ks <- Gpg.findPubKeys keyid
	random <- Gpg.genRandom cipherSize
	encryptCipher (Cipher random) ks

{- Creates a new, shared Cipher. -}
genSharedCipher :: IO StorableCipher
genSharedCipher = SharedCipher <$> Gpg.genRandom cipherSize

{- Updates an existing Cipher, re-encrypting it to add a keyid. -}
updateEncryptedCipher :: String -> StorableCipher -> IO StorableCipher
updateEncryptedCipher _ (SharedCipher _) = undefined
updateEncryptedCipher keyid encipher@(EncryptedCipher _ ks) = do
	ks' <- Gpg.findPubKeys keyid
	cipher <- decryptCipher encipher
	encryptCipher cipher (merge ks ks')
	where
		merge (KeyIds a) (KeyIds b) = KeyIds $ a ++ b

describeCipher :: StorableCipher -> String
describeCipher (SharedCipher _) = "shared cipher"
describeCipher (EncryptedCipher _ (KeyIds ks)) =
	"with gpg " ++ keys ks ++ " " ++ unwords ks
	where
		keys [_] = "key"
		keys _ = "keys"

{- Encrypts a Cipher to the specified KeyIds. -}
encryptCipher :: Cipher -> KeyIds -> IO StorableCipher
encryptCipher (Cipher c) (KeyIds ks) = do
	let ks' = nub $ sort ks -- gpg complains about duplicate recipient keyids
	encipher <- Gpg.pipeStrict (encrypt++recipients ks') c
	return $ EncryptedCipher encipher (KeyIds ks')
	where
		encrypt = [ Params "--encrypt" ]
		recipients l = force_recipients :
			concatMap (\k -> [Param "--recipient", Param k]) l
		-- Force gpg to only encrypt to the specified
		-- recipients, not configured defaults.
		force_recipients = Params "--no-encrypt-to --no-default-recipient"

{- Decrypting an EncryptedCipher is expensive; the Cipher should be cached. -}
decryptCipher :: StorableCipher -> IO Cipher
decryptCipher (SharedCipher t) = return $ Cipher t
decryptCipher (EncryptedCipher t _) = Cipher <$> Gpg.pipeStrict decrypt t
	where
		decrypt = [ Param "--decrypt" ]

{- Generates an encrypted form of a Key. The encryption does not need to be
 - reversable, nor does it need to be the same type of encryption used
 - on content. It does need to be repeatable. -}
encryptKey :: Cipher -> Key -> Key
encryptKey c k = Key
	{ keyName = hmacWithCipher c (show k)
	, keyBackendName = "GPGHMACSHA1"
	, keySize = Nothing -- size and mtime omitted
	, keyMtime = Nothing -- to avoid leaking data
	}

{- Runs an action, passing it a handle from which it can 
 - stream encrypted content. -}
withEncryptedHandle :: Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a
withEncryptedHandle = Gpg.passphraseHandle [Params "--symmetric --force-mdc"] . cipherPassphrase

{- Runs an action, passing it a handle from which it can
 - stream decrypted content. -}
withDecryptedHandle :: Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a
withDecryptedHandle = Gpg.passphraseHandle [Param "--decrypt"] . cipherPassphrase

{- Streams encrypted content to an action. -}
withEncryptedContent :: Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a
withEncryptedContent = pass withEncryptedHandle

{- Streams decrypted content to an action. -}
withDecryptedContent :: Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a
withDecryptedContent = pass withDecryptedHandle

pass :: (Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a) 
      -> Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a
pass to n s a = to n s $ \h -> a =<< L.hGetContents h

hmacWithCipher :: Cipher -> String -> String
hmacWithCipher c = hmacWithCipher' (cipherHmac c) 
hmacWithCipher' :: String -> String -> String
hmacWithCipher' c s = showDigest $ hmacSha1 (fromString c) (fromString s)

{- Ensure that hmacWithCipher' returns the same thing forevermore. -}
prop_hmacWithCipher_sane :: Bool
prop_hmacWithCipher_sane = known_good == hmacWithCipher' "foo" "bar"
	where
		known_good = "46b4ec586117154dacd49d664e5d63fdc88efb51"
add 2011-04-15 22:18:39 +00:00			`{- git-annex crypto`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`-`
			`- Currently using gpg; could later be modified to support different`
			`- crypto backends if neccessary.`
add 2011-04-15 22:18:39 +00:00			`-`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`- Copyright 2011-2012 Joey Hess <joey@kitenet.net>`
add 2011-04-15 22:18:39 +00:00			`-`
			`- Licensed under the GNU GPL version 3 or higher.`
			`-}`

			`module Crypto (`
full encryption support for directory special remotes 2011-04-16 22:22:52 +00:00			`Cipher,`
refactor 2012-04-29 18:31:34 +00:00			`KeyIds(..),`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`StorableCipher(..),`
			`genEncryptedCipher,`
			`genSharedCipher,`
			`updateEncryptedCipher,`
initremote: show gpg keys 2011-04-17 22:18:27 +00:00			`describeCipher,`
add 2011-04-15 22:18:39 +00:00			`decryptCipher,`
			`encryptKey,`
cleanup 2011-04-17 17:11:38 +00:00			`withEncryptedHandle,`
			`withDecryptedHandle,`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`withEncryptedContent,`
			`withDecryptedContent,`
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00
			`prop_hmacWithCipher_sane`
add 2011-04-15 22:18:39 +00:00			`) where`

			`import qualified Data.ByteString.Lazy.Char8 as L`
Revert "Use haskell Crypto library instead of haskell SHA library.a" This reverts commit 892593c5efacbc084d19af4b5d7164ededaea7ff. Conflicts: Crypto.hs debian/control 2011-04-26 15:24:23 +00:00			`import Data.ByteString.Lazy.UTF8 (fromString)`
			`import Data.Digest.Pure.SHA`
code simplification thanks to applicative functors 2011-08-25 04:28:55 +00:00			`import Control.Applicative`
add 2011-04-15 22:18:39 +00:00
rename 2011-10-05 20:02:51 +00:00			`import Common.Annex`
split out Utility.Gpg with the generic gpg interface, from Crypto 2011-12-21 01:47:56 +00:00			`import qualified Utility.Gpg as Gpg`
rename modules for data types into Types/ directory 2011-06-02 01:56:04 +00:00			`import Types.Key`
			`import Types.Crypto`
add 2011-04-15 22:18:39 +00:00
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00			`{- The first half of a Cipher is used for HMAC; the remainder`
			`- is used as the GPG symmetric encryption passphrase.`
			`-`
looked up HMAC block size details 2011-04-17 15:13:54 +00:00			`- HMAC SHA1 needs only 64 bytes. The remainder is for expansion,`
			`- perhaps to HMAC SHA512, which needs 128 bytes (ideally).`
			`-`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00			`- 256 is enough for gpg's symetric cipher; unlike weaker public key`
			`- crypto, the key does not need to be too large.`
			`-}`
			`cipherHalf :: Int`
			`cipherHalf = 256`

			`cipherSize :: Int`
			`cipherSize = cipherHalf * 2`

			`cipherPassphrase :: Cipher -> String`
			`cipherPassphrase (Cipher c) = drop cipherHalf c`

			`cipherHmac :: Cipher -> String`
			`cipherHmac (Cipher c) = take cipherHalf c`

Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`{- Creates a new Cipher, encrypted to the specificed key id. -}`
			`genEncryptedCipher :: String -> IO StorableCipher`
			`genEncryptedCipher keyid = do`
			`ks <- Gpg.findPubKeys keyid`
			`random <- Gpg.genRandom cipherSize`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`encryptCipher (Cipher random) ks`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00
			`{- Creates a new, shared Cipher. -}`
			`genSharedCipher :: IO StorableCipher`
			`genSharedCipher = SharedCipher <$> Gpg.genRandom cipherSize`

			`{- Updates an existing Cipher, re-encrypting it to add a keyid. -}`
			`updateEncryptedCipher :: String -> StorableCipher -> IO StorableCipher`
			`updateEncryptedCipher _ (SharedCipher _) = undefined`
			`updateEncryptedCipher keyid encipher@(EncryptedCipher _ ks) = do`
			`ks' <- Gpg.findPubKeys keyid`
			`cipher <- decryptCipher encipher`
factor out common imports no code changes 2011-10-04 02:24:57 +00:00			`encryptCipher cipher (merge ks ks')`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`where`
factor out common imports no code changes 2011-10-04 02:24:57 +00:00			`merge (KeyIds a) (KeyIds b) = KeyIds $ a ++ b`
add 2011-04-15 22:18:39 +00:00
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`describeCipher :: StorableCipher -> String`
			`describeCipher (SharedCipher _) = "shared cipher"`
initremote: show gpg keys 2011-04-17 22:18:27 +00:00			`describeCipher (EncryptedCipher _ (KeyIds ks)) =`
			`"with gpg " ++ keys ks ++ " " ++ unwords ks`
			`where`
			`keys [_] = "key"`
			`keys _ = "keys"`

encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`{- Encrypts a Cipher to the specified KeyIds. -}`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`encryptCipher :: Cipher -> KeyIds -> IO StorableCipher`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`encryptCipher (Cipher c) (KeyIds ks) = do`
			`let ks' = nub $ sort ks -- gpg complains about duplicate recipient keyids`
split out Utility.Gpg with the generic gpg interface, from Crypto 2011-12-21 01:47:56 +00:00			`encipher <- Gpg.pipeStrict (encrypt++recipients ks') c`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`return $ EncryptedCipher encipher (KeyIds ks')`
			`where`
			`encrypt = [ Params "--encrypt" ]`
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`recipients l = force_recipients :`
			`concatMap (\k -> [Param "--recipient", Param k]) l`
			`-- Force gpg to only encrypt to the specified`
			`-- recipients, not configured defaults.`
			`force_recipients = Params "--no-encrypt-to --no-default-recipient"`
add 2011-04-15 22:18:39 +00:00
			`{- Decrypting an EncryptedCipher is expensive; the Cipher should be cached. -}`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`decryptCipher :: StorableCipher -> IO Cipher`
			`decryptCipher (SharedCipher t) = return $ Cipher t`
			`decryptCipher (EncryptedCipher t _) = Cipher <$> Gpg.pipeStrict decrypt t`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`where`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`decrypt = [ Param "--decrypt" ]`
add 2011-04-15 22:18:39 +00:00
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`{- Generates an encrypted form of a Key. The encryption does not need to be`
add 2011-04-15 22:18:39 +00:00			`- reversable, nor does it need to be the same type of encryption used`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`- on content. It does need to be repeatable. -}`
minor syntax changes 2011-10-11 18:43:45 +00:00			`encryptKey :: Cipher -> Key -> Key`
			`encryptKey c k = Key`
			`{ keyName = hmacWithCipher c (show k)`
			`, keyBackendName = "GPGHMACSHA1"`
			`, keySize = Nothing -- size and mtime omitted`
			`, keyMtime = Nothing -- to avoid leaking data`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`}`
add 2011-04-15 22:18:39 +00:00
cleanup 2011-04-17 17:11:38 +00:00			`{- Runs an action, passing it a handle from which it can`
fix stall while storing encrypted data in bup Forking a new process rather than relying on a thread to feed gpg. The feeder thread was stalling, probably when the main thread got to the point it was wait()ing on the gpg to exit. 2011-04-17 04:34:38 +00:00			`- stream encrypted content. -}`
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`withEncryptedHandle :: Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a`
split out Utility.Gpg with the generic gpg interface, from Crypto 2011-12-21 01:47:56 +00:00			`withEncryptedHandle = Gpg.passphraseHandle [Params "--symmetric --force-mdc"] . cipherPassphrase`
cleanup 2011-04-17 17:11:38 +00:00
			`{- Runs an action, passing it a handle from which it can`
			`- stream decrypted content. -}`
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`withDecryptedHandle :: Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a`
split out Utility.Gpg with the generic gpg interface, from Crypto 2011-12-21 01:47:56 +00:00			`withDecryptedHandle = Gpg.passphraseHandle [Param "--decrypt"] . cipherPassphrase`
fix stall while storing encrypted data in bup Forking a new process rather than relying on a thread to feed gpg. The feeder thread was stalling, probably when the main thread got to the point it was wait()ing on the gpg to exit. 2011-04-17 04:34:38 +00:00
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`{- Streams encrypted content to an action. -}`
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`withEncryptedContent :: Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a`
cleanup 2011-04-17 17:11:38 +00:00			`withEncryptedContent = pass withEncryptedHandle`
add 2011-04-15 22:18:39 +00:00
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`{- Streams decrypted content to an action. -}`
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`withDecryptedContent :: Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a`
cleanup 2011-04-17 17:11:38 +00:00			`withDecryptedContent = pass withDecryptedHandle`
add 2011-04-15 22:18:39 +00:00
hlint tweaks Did all sources except Remotes/* and Command/* 2011-07-15 07:12:05 +00:00			`pass :: (Cipher -> IO L.ByteString -> (Handle -> IO a) -> IO a)`
			`-> Cipher -> IO L.ByteString -> (L.ByteString -> IO a) -> IO a`
refactor 2012-04-29 18:31:34 +00:00			`pass to n s a = to n s $ \h -> a =<< L.hGetContents h`
add 2011-04-15 22:18:39 +00:00
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00			`hmacWithCipher :: Cipher -> String -> String`
			`hmacWithCipher c = hmacWithCipher' (cipherHmac c)`
			`hmacWithCipher' :: String -> String -> String`
Revert "Use haskell Crypto library instead of haskell SHA library.a" This reverts commit 892593c5efacbc084d19af4b5d7164ededaea7ff. Conflicts: Crypto.hs debian/control 2011-04-26 15:24:23 +00:00			`hmacWithCipher' c s = showDigest $ hmacSha1 (fromString c) (fromString s)`
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00
			`{- Ensure that hmacWithCipher' returns the same thing forevermore. -}`
			`prop_hmacWithCipher_sane :: Bool`
			`prop_hmacWithCipher_sane = known_good == hmacWithCipher' "foo" "bar"`
			`where`
			`known_good = "46b4ec586117154dacd49d664e5d63fdc88efb51"`