7e69063a29
This works well, and it interoperates with gpg in my testing (although some SOP commands might choose to use a profile that does not so caveat emptor). Note that for creating the Cipher, gpg --gen-random is still used. SOP does not have an eqivilant, and as long as the user has gpg around, which seems likely, it doesn't matter that it uses gpg here, it's not being used for encryption. That seemed better than implementing a second way to get high quality entropy, at least for now. The need for the sop command to run in an empty directory has each call to encrypt and decrypt creating a new temporary directory. That is some unncessary overhead, though probably swamped by the overhead of running the sop command. This could be improved in the future by passing an already empty directory to them, or a sufficiently empty directory (.git/annex/tmp would probably suffice). Sponsored-by: Brett Eisenberg on Patreon
77 lines
1.8 KiB
Haskell
77 lines
1.8 KiB
Haskell
{- git-annex crypto types
|
|
-
|
|
- Copyright 2011-2020 Joey Hess <id@joeyh.name>
|
|
-
|
|
- Licensed under the GNU AGPL version 3 or higher.
|
|
-}
|
|
|
|
module Types.Crypto (
|
|
EncryptionMethod(..),
|
|
Cipher(..),
|
|
StorableCipher(..),
|
|
EncryptedCipherVariant(..),
|
|
KeyIds(..),
|
|
cipherKeyIds,
|
|
Mac(..),
|
|
readMac,
|
|
showMac,
|
|
macMap,
|
|
defaultMac,
|
|
calcMac,
|
|
) where
|
|
|
|
import Utility.Hash
|
|
import Utility.Gpg (KeyIds(..))
|
|
|
|
import Data.Typeable
|
|
import qualified Data.Map as M
|
|
import Data.ByteString (ByteString)
|
|
|
|
data EncryptionMethod
|
|
= NoneEncryption
|
|
| SharedEncryption
|
|
| PubKeyEncryption
|
|
| SharedPubKeyEncryption
|
|
| HybridEncryption
|
|
deriving (Typeable, Eq)
|
|
|
|
-- A base-64 encoded random value used for encryption.
|
|
-- XXX ideally, this would be a locked memory region
|
|
data Cipher = Cipher ByteString | MacOnlyCipher ByteString
|
|
|
|
data StorableCipher
|
|
= EncryptedCipher ByteString EncryptedCipherVariant KeyIds
|
|
| SharedCipher ByteString
|
|
| SharedPubKeyCipher ByteString KeyIds
|
|
deriving (Ord, Eq)
|
|
data EncryptedCipherVariant = Hybrid | PubKey
|
|
deriving (Ord, Eq)
|
|
|
|
cipherKeyIds :: StorableCipher -> Maybe KeyIds
|
|
cipherKeyIds (EncryptedCipher _ _ ks) = Just ks
|
|
cipherKeyIds (SharedPubKeyCipher _ ks) = Just ks
|
|
cipherKeyIds (SharedCipher _) = Nothing
|
|
|
|
defaultMac :: Mac
|
|
defaultMac = HmacSha1
|
|
|
|
-- MAC algorithms are shown as follows in the file names.
|
|
showMac :: Mac -> String
|
|
showMac HmacSha1 = "HMACSHA1"
|
|
showMac HmacSha224 = "HMACSHA224"
|
|
showMac HmacSha256 = "HMACSHA256"
|
|
showMac HmacSha384 = "HMACSHA384"
|
|
showMac HmacSha512 = "HMACSHA512"
|
|
|
|
-- Read the MAC algorithm from the remote config.
|
|
readMac :: String -> Maybe Mac
|
|
readMac n = M.lookup n macMap
|
|
|
|
macMap :: M.Map String Mac
|
|
macMap = M.fromList
|
|
[ ("HMACSHA1", HmacSha1)
|
|
, ("HMACSHA224", HmacSha224)
|
|
, ("HMACSHA256", HmacSha256)
|
|
, ("HMACSHA384", HmacSha384)
|
|
, ("HMACSHA512", HmacSha512)
|
|
]
|