git-annex/Crypto.hs

{- git-annex crypto
 -
 - Currently using gpg; could later be modified to support different
 - crypto backends if neccessary.
 -
 - Copyright 2011-2012 Joey Hess <joey@kitenet.net>
 -
 - Licensed under the GNU GPL version 3 or higher.
 -}

module Crypto (
	Cipher,
	KeyIds(..),
	StorableCipher(..),
	genEncryptedCipher,
	genSharedCipher,
	updateEncryptedCipher,
	describeCipher,
	decryptCipher,		
	encryptKey,
	feedFile,
	feedBytes,
	readBytes,
	encrypt,
	decrypt,	

	prop_hmacWithCipher_sane
) where

import qualified Data.ByteString.Lazy as L
import Data.ByteString.Lazy.UTF8 (fromString)
import Data.Digest.Pure.SHA
import Control.Applicative

import Common.Annex
import qualified Utility.Gpg as Gpg
import Types.Key
import Types.Crypto

{- The beginning of a Cipher is used for HMAC; the remainder
 - is used as the GPG symmetric encryption passphrase.
 -
 - HMAC SHA1 needs only 64 bytes. The rest of the HMAC key is for expansion,
 - perhaps to HMAC SHA512, which needs 128 bytes (ideally).
 - It also provides room the Cipher to contain data in a form like base64,
 - which does not pack a full byte of entropy into a byte of data.
 -
 - 256 bytes is enough for gpg's symetric cipher; unlike weaker public key
 - crypto, the key does not need to be too large.
 -}
cipherBeginning :: Int
cipherBeginning = 256

cipherSize :: Int
cipherSize = 512

cipherPassphrase :: Cipher -> String
cipherPassphrase (Cipher c) = drop cipherBeginning c

cipherHmac :: Cipher -> String
cipherHmac (Cipher c) = take cipherBeginning c

{- Creates a new Cipher, encrypted to the specified key id. -}
genEncryptedCipher :: String -> IO StorableCipher
genEncryptedCipher keyid = do
	ks <- Gpg.findPubKeys keyid
	random <- Gpg.genRandom cipherSize
	encryptCipher (Cipher random) ks

{- Creates a new, shared Cipher. -}
genSharedCipher :: IO StorableCipher
genSharedCipher = SharedCipher <$> Gpg.genRandom cipherSize

{- Updates an existing Cipher, re-encrypting it to add a keyid. -}
updateEncryptedCipher :: String -> StorableCipher -> IO StorableCipher
updateEncryptedCipher _ (SharedCipher _) = undefined
updateEncryptedCipher keyid encipher@(EncryptedCipher _ ks) = do
	ks' <- Gpg.findPubKeys keyid
	cipher <- decryptCipher encipher
	encryptCipher cipher (merge ks ks')
  where
	merge (KeyIds a) (KeyIds b) = KeyIds $ a ++ b

describeCipher :: StorableCipher -> String
describeCipher (SharedCipher _) = "shared cipher"
describeCipher (EncryptedCipher _ (KeyIds ks)) =
	"with gpg " ++ keys ks ++ " " ++ unwords ks
  where
	keys [_] = "key"
	keys _ = "keys"

{- Encrypts a Cipher to the specified KeyIds. -}
encryptCipher :: Cipher -> KeyIds -> IO StorableCipher
encryptCipher (Cipher c) (KeyIds ks) = do
	let ks' = nub $ sort ks -- gpg complains about duplicate recipient keyids
	encipher <- Gpg.pipeStrict ([ Params "--encrypt" ] ++ recipients ks') c
	return $ EncryptedCipher encipher (KeyIds ks')
  where
	recipients l = force_recipients :
		concatMap (\k -> [Param "--recipient", Param k]) l
	-- Force gpg to only encrypt to the specified
	-- recipients, not configured defaults.
	force_recipients = Params "--no-encrypt-to --no-default-recipient"

{- Decrypting an EncryptedCipher is expensive; the Cipher should be cached. -}
decryptCipher :: StorableCipher -> IO Cipher
decryptCipher (SharedCipher t) = return $ Cipher t
decryptCipher (EncryptedCipher t _) =
	Cipher <$> Gpg.pipeStrict [ Param "--decrypt" ] t

{- Generates an encrypted form of a Key. The encryption does not need to be
 - reversable, nor does it need to be the same type of encryption used
 - on content. It does need to be repeatable. -}
encryptKey :: Cipher -> Key -> Key
encryptKey c k = Key
	{ keyName = hmacWithCipher c (key2file k)
	, keyBackendName = "GPGHMACSHA1"
	, keySize = Nothing -- size and mtime omitted
	, keyMtime = Nothing -- to avoid leaking data
	}

type Feeder = Handle -> IO ()
type Reader a = Handle -> IO a

feedFile :: FilePath -> Feeder
feedFile f h = L.hPut h =<< L.readFile f

feedBytes :: L.ByteString -> Feeder
feedBytes = flip L.hPut

readBytes :: (L.ByteString -> IO a) -> Reader a
readBytes a h = L.hGetContents h >>= a

{- Runs a Feeder action, that generates content that is encrypted with the
 - Cipher, and read by the Reader action. -}
encrypt :: Cipher -> Feeder -> Reader a -> IO a
encrypt = Gpg.feedRead [Params "--symmetric --force-mdc"] . cipherPassphrase

{- Runs a Feeder action, that generates content that is decrypted with the
 - Cipher, and read by the Reader action. -}
decrypt :: Cipher -> Feeder -> Reader a -> IO a
decrypt = Gpg.feedRead [Param "--decrypt"] . cipherPassphrase

hmacWithCipher :: Cipher -> String -> String
hmacWithCipher c = hmacWithCipher' (cipherHmac c) 
hmacWithCipher' :: String -> String -> String
hmacWithCipher' c s = showDigest $ hmacSha1 (fromString c) (fromString s)

{- Ensure that hmacWithCipher' returns the same thing forevermore. -}
prop_hmacWithCipher_sane :: Bool
prop_hmacWithCipher_sane = known_good == hmacWithCipher' "foo" "bar"
  where
	known_good = "46b4ec586117154dacd49d664e5d63fdc88efb51"
add 2011-04-15 22:18:39 +00:00			`{- git-annex crypto`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`-`
			`- Currently using gpg; could later be modified to support different`
			`- crypto backends if neccessary.`
add 2011-04-15 22:18:39 +00:00			`-`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`- Copyright 2011-2012 Joey Hess <joey@kitenet.net>`
add 2011-04-15 22:18:39 +00:00			`-`
			`- Licensed under the GNU GPL version 3 or higher.`
			`-}`

			`module Crypto (`
full encryption support for directory special remotes 2011-04-16 22:22:52 +00:00			`Cipher,`
refactor 2012-04-29 18:31:34 +00:00			`KeyIds(..),`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`StorableCipher(..),`
			`genEncryptedCipher,`
			`genSharedCipher,`
			`updateEncryptedCipher,`
initremote: show gpg keys 2011-04-17 22:18:27 +00:00			`describeCipher,`
add 2011-04-15 22:18:39 +00:00			`decryptCipher,`
			`encryptKey,`
better streaming while encrypting/decrypting Both the directory and webdav special remotes used to have to buffer the whole file contents before it could be decrypted, as they read from chunks. Now the chunks are streamed through gpg with no buffering. 2012-11-18 19:27:44 +00:00			`feedFile,`
			`feedBytes,`
			`readBytes,`
			`encrypt,`
			`decrypt,`
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00
			`prop_hmacWithCipher_sane`
add 2011-04-15 22:18:39 +00:00			`) where`

avoid ByteString.Char8 where not needed Its truncation behavior is a red flag, so avoid using it in these places where only raw ByteStrings are used, without looking at the data inside. 2012-06-20 17:13:40 +00:00			`import qualified Data.ByteString.Lazy as L`
Revert "Use haskell Crypto library instead of haskell SHA library.a" This reverts commit 892593c5efacbc084d19af4b5d7164ededaea7ff. Conflicts: Crypto.hs debian/control 2011-04-26 15:24:23 +00:00			`import Data.ByteString.Lazy.UTF8 (fromString)`
			`import Data.Digest.Pure.SHA`
code simplification thanks to applicative functors 2011-08-25 04:28:55 +00:00			`import Control.Applicative`
add 2011-04-15 22:18:39 +00:00
rename 2011-10-05 20:02:51 +00:00			`import Common.Annex`
split out Utility.Gpg with the generic gpg interface, from Crypto 2011-12-21 01:47:56 +00:00			`import qualified Utility.Gpg as Gpg`
rename modules for data types into Types/ directory 2011-06-02 01:56:04 +00:00			`import Types.Key`
			`import Types.Crypto`
add 2011-04-15 22:18:39 +00:00
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`{- The beginning of a Cipher is used for HMAC; the remainder`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00			`- is used as the GPG symmetric encryption passphrase.`
			`-`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`- HMAC SHA1 needs only 64 bytes. The rest of the HMAC key is for expansion,`
looked up HMAC block size details 2011-04-17 15:13:54 +00:00			`- perhaps to HMAC SHA512, which needs 128 bytes (ideally).`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`- It also provides room the Cipher to contain data in a form like base64,`
			`- which does not pack a full byte of entropy into a byte of data.`
looked up HMAC block size details 2011-04-17 15:13:54 +00:00			`-`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`- 256 bytes is enough for gpg's symetric cipher; unlike weaker public key`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00			`- crypto, the key does not need to be too large.`
			`-}`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`cipherBeginning :: Int`
			`cipherBeginning = 256`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00
			`cipherSize :: Int`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`cipherSize = 512`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00
			`cipherPassphrase :: Cipher -> String`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`cipherPassphrase (Cipher c) = drop cipherBeginning c`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00
			`cipherHmac :: Cipher -> String`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`cipherHmac (Cipher c) = take cipherBeginning c`
use different parts of cipher for hmac and gpg Per bugs/S3_bucket_uses_the_same_key_for_encryption_and_hashing It may be paranoid to worry about the cipher being recovered from hmac keys, but yes.. let's be paranoid. 2011-04-17 05:34:28 +00:00
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`{- Creates a new Cipher, encrypted to the specified key id. -}`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`genEncryptedCipher :: String -> IO StorableCipher`
			`genEncryptedCipher keyid = do`
			`ks <- Gpg.findPubKeys keyid`
			`random <- Gpg.genRandom cipherSize`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`encryptCipher (Cipher random) ks`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00
			`{- Creates a new, shared Cipher. -}`
			`genSharedCipher :: IO StorableCipher`
			`genSharedCipher = SharedCipher <$> Gpg.genRandom cipherSize`

			`{- Updates an existing Cipher, re-encrypting it to add a keyid. -}`
			`updateEncryptedCipher :: String -> StorableCipher -> IO StorableCipher`
			`updateEncryptedCipher _ (SharedCipher _) = undefined`
			`updateEncryptedCipher keyid encipher@(EncryptedCipher _ ks) = do`
			`ks' <- Gpg.findPubKeys keyid`
			`cipher <- decryptCipher encipher`
factor out common imports no code changes 2011-10-04 02:24:57 +00:00			`encryptCipher cipher (merge ks ks')`
indentation foo, and a new coding style page. no code changes 2012-10-29 01:27:15 +00:00			`where`
			`merge (KeyIds a) (KeyIds b) = KeyIds $ a ++ b`
add 2011-04-15 22:18:39 +00:00
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`describeCipher :: StorableCipher -> String`
			`describeCipher (SharedCipher _) = "shared cipher"`
initremote: show gpg keys 2011-04-17 22:18:27 +00:00			`describeCipher (EncryptedCipher _ (KeyIds ks)) =`
			`"with gpg " ++ keys ks ++ " " ++ unwords ks`
indentation foo, and a new coding style page. no code changes 2012-10-29 01:27:15 +00:00			`where`
			`keys [_] = "key"`
			`keys _ = "keys"`
initremote: show gpg keys 2011-04-17 22:18:27 +00:00
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`{- Encrypts a Cipher to the specified KeyIds. -}`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`encryptCipher :: Cipher -> KeyIds -> IO StorableCipher`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`encryptCipher (Cipher c) (KeyIds ks) = do`
			`let ks' = nub $ sort ks -- gpg complains about duplicate recipient keyids`
better streaming while encrypting/decrypting Both the directory and webdav special remotes used to have to buffer the whole file contents before it could be decrypted, as they read from chunks. Now the chunks are streamed through gpg with no buffering. 2012-11-18 19:27:44 +00:00			`encipher <- Gpg.pipeStrict ([ Params "--encrypt" ] ++ recipients ks') c`
encryption key management working Encrypted remotes don't yet encrypt data, but git annex initremote can be used to generate a cipher and add additional gpg keys that can use it. 2011-04-16 17:25:27 +00:00			`return $ EncryptedCipher encipher (KeyIds ks')`
whitespace fixes 2012-12-13 04:45:27 +00:00			`where`
indentation foo, and a new coding style page. no code changes 2012-10-29 01:27:15 +00:00			`recipients l = force_recipients :`
			`concatMap (\k -> [Param "--recipient", Param k]) l`
			`-- Force gpg to only encrypt to the specified`
			`-- recipients, not configured defaults.`
			`force_recipients = Params "--no-encrypt-to --no-default-recipient"`
add 2011-04-15 22:18:39 +00:00
			`{- Decrypting an EncryptedCipher is expensive; the Cipher should be cached. -}`
Added shared cipher mode to encryptable special remotes. This option avoids gpg key distribution, at the expense of flexability, and with the requirement that all clones of the git repository be equally trusted. 2012-04-29 18:02:18 +00:00			`decryptCipher :: StorableCipher -> IO Cipher`
			`decryptCipher (SharedCipher t) = return $ Cipher t`
improve comments and variable names WRT base64 encoded encryption keys 2013-03-03 23:44:48 +00:00			`decryptCipher (EncryptedCipher t _) =`
			`Cipher <$> Gpg.pipeStrict [ Param "--decrypt" ] t`
add 2011-04-15 22:18:39 +00:00
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`{- Generates an encrypted form of a Key. The encryption does not need to be`
add 2011-04-15 22:18:39 +00:00			`- reversable, nor does it need to be the same type of encryption used`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`- on content. It does need to be repeatable. -}`
minor syntax changes 2011-10-11 18:43:45 +00:00			`encryptKey :: Cipher -> Key -> Key`
			`encryptKey c k = Key`
add routes to pause/start/cancel transfers This commit includes a paydown on technical debt incurred two years ago, when I didn't know that it was bad to make custom Read and Show instances for types. As the routes need Read and Show for Transfer, which includes a Key, and deriving my own Read instance of key was not practical, I had to finally clean that up. So the compact Key read and show functions are now file2key and key2file, and Read and Show are now derived instances. Changed all code that used the old instances, compiler checked. (There were a few places, particularly in Command.Unused, and the test suite where the Show instance continue to be used for legitimate comparisons; ie show key_x == show key_y (though really in a bloom filter)) 2012-08-08 20:06:01 +00:00			`{ keyName = hmacWithCipher c (key2file k)`
minor syntax changes 2011-10-11 18:43:45 +00:00			`, keyBackendName = "GPGHMACSHA1"`
			`, keySize = Nothing -- size and mtime omitted`
			`, keyMtime = Nothing -- to avoid leaking data`
crypto library almost complete Piping data through gpg with symmetric cipher is working. Only Key encryption is not done. 2011-04-16 20:26:47 +00:00			`}`
add 2011-04-15 22:18:39 +00:00
better streaming while encrypting/decrypting Both the directory and webdav special remotes used to have to buffer the whole file contents before it could be decrypted, as they read from chunks. Now the chunks are streamed through gpg with no buffering. 2012-11-18 19:27:44 +00:00			`type Feeder = Handle -> IO ()`
			`type Reader a = Handle -> IO a`

			`feedFile :: FilePath -> Feeder`
			`feedFile f h = L.hPut h =<< L.readFile f`

			`feedBytes :: L.ByteString -> Feeder`
			`feedBytes = flip L.hPut`

			`readBytes :: (L.ByteString -> IO a) -> Reader a`
			`readBytes a h = L.hGetContents h >>= a`

			`{- Runs a Feeder action, that generates content that is encrypted with the`
			`- Cipher, and read by the Reader action. -}`
			`encrypt :: Cipher -> Feeder -> Reader a -> IO a`
			`encrypt = Gpg.feedRead [Params "--symmetric --force-mdc"] . cipherPassphrase`

			`{- Runs a Feeder action, that generates content that is decrypted with the`
			`- Cipher, and read by the Reader action. -}`
			`decrypt :: Cipher -> Feeder -> Reader a -> IO a`
			`decrypt = Gpg.feedRead [Param "--decrypt"] . cipherPassphrase`
add 2011-04-15 22:18:39 +00:00
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00			`hmacWithCipher :: Cipher -> String -> String`
			`hmacWithCipher c = hmacWithCipher' (cipherHmac c)`
			`hmacWithCipher' :: String -> String -> String`
Revert "Use haskell Crypto library instead of haskell SHA library.a" This reverts commit 892593c5efacbc084d19af4b5d7164ededaea7ff. Conflicts: Crypto.hs debian/control 2011-04-26 15:24:23 +00:00			`hmacWithCipher' c s = showDigest $ hmacSha1 (fromString c) (fromString s)`
add test to ensure hmac remains stable 2011-04-21 20:56:24 +00:00
			`{- Ensure that hmacWithCipher' returns the same thing forevermore. -}`
			`prop_hmacWithCipher_sane :: Bool`
			`prop_hmacWithCipher_sane = known_good == hmacWithCipher' "foo" "bar"`
indentation foo, and a new coding style page. no code changes 2012-10-29 01:27:15 +00:00			`where`
			`known_good = "46b4ec586117154dacd49d664e5d63fdc88efb51"`