Fix the design error where IVs were not hmaced
This commit is contained in:
parent
236b0b319a
commit
13c94d9bdf
35
shacrypt.py
35
shacrypt.py
|
@ -117,35 +117,38 @@ def shacrypt_enc(key, plaintext):
|
||||||
del plaintext
|
del plaintext
|
||||||
del cipher_key
|
del cipher_key
|
||||||
|
|
||||||
|
# Contruct the HMACed part of ciphertext
|
||||||
|
hmaced = b''.join((
|
||||||
|
hkdf_salt,
|
||||||
|
cipher_nonce,
|
||||||
|
ciphered
|
||||||
|
))
|
||||||
|
del ciphered
|
||||||
|
|
||||||
# HMAC
|
# HMAC
|
||||||
hmac = hmac_sha256(hmac_key, ciphered)
|
hmac = hmac_sha256(hmac_key, hmaced)
|
||||||
del hmac_key
|
del hmac_key
|
||||||
|
|
||||||
# Construct the full ciphertext
|
# Construct the full ciphertext
|
||||||
return b''.join((
|
return hmaced + hmac
|
||||||
hkdf_salt,
|
|
||||||
cipher_nonce,
|
|
||||||
ciphered,
|
|
||||||
hmac
|
|
||||||
))
|
|
||||||
|
|
||||||
class AuthenticationError(Exception): pass
|
class AuthenticationError(Exception): pass
|
||||||
|
|
||||||
def shacrypt_dec(key, ciphertext):
|
def shacrypt_dec(key, ciphertext):
|
||||||
assert len(key) == 256//8
|
assert len(key) == 256//8
|
||||||
|
|
||||||
# Extract the IVs
|
# Extract the HMACed part of ciphertext
|
||||||
hkdf_salt = ciphertext[0:256//8]
|
hmaced = ciphertext[:-sha256_outputsize]
|
||||||
cipher_nonce = ciphertext[256//8:256//8 + 256//8]
|
|
||||||
|
|
||||||
# Extract the main part of ciphertext
|
|
||||||
ciphered = ciphertext[2 * 256//8:-sha256_outputsize]
|
|
||||||
|
|
||||||
# Extract the expected HMAC
|
# Extract the expected HMAC
|
||||||
expected_hmac = ciphertext[-sha256_outputsize:]
|
expected_hmac = ciphertext[-sha256_outputsize:]
|
||||||
|
|
||||||
del ciphertext
|
del ciphertext
|
||||||
|
|
||||||
|
# Extract the IVs
|
||||||
|
hkdf_salt = hmaced[0:256//8]
|
||||||
|
cipher_nonce = hmaced[256//8:256//8 + 256//8]
|
||||||
|
|
||||||
# Derive keys
|
# Derive keys
|
||||||
keys = hkdf_sha256(hkdf_salt, key, b'', 512//8)
|
keys = hkdf_sha256(hkdf_salt, key, b'', 512//8)
|
||||||
del key
|
del key
|
||||||
|
@ -160,13 +163,17 @@ def shacrypt_dec(key, ciphertext):
|
||||||
del keys
|
del keys
|
||||||
|
|
||||||
# Verify HMAC
|
# Verify HMAC
|
||||||
hmac = hmac_sha256(hmac_key, ciphered)
|
hmac = hmac_sha256(hmac_key, hmaced)
|
||||||
del hmac_key
|
del hmac_key
|
||||||
if not secrets.compare_digest(expected_hmac, hmac):
|
if not secrets.compare_digest(expected_hmac, hmac):
|
||||||
raise AuthenticationError
|
raise AuthenticationError
|
||||||
del expected_hmac
|
del expected_hmac
|
||||||
del hmac
|
del hmac
|
||||||
|
|
||||||
|
# Extract the ciphered part of the ciphertext
|
||||||
|
ciphered = hmaced[2 * 256//8:]
|
||||||
|
del hmaced
|
||||||
|
|
||||||
# Decrypt
|
# Decrypt
|
||||||
plaintext = bytearray()
|
plaintext = bytearray()
|
||||||
for cipheredbyte, keybyte in zip(ciphered, hmac_sha256_ctr_keystream(cipher_nonce, cipher_key)):
|
for cipheredbyte, keybyte in zip(ciphered, hmac_sha256_ctr_keystream(cipher_nonce, cipher_key)):
|
||||||
|
|
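Review bot: `hmaced = ciphertext[:-sha256_outputsize]` in shacrypt_dec has no minimum-length check, so a ciphertext shorter than the two 32-byte IVs plus the 32-byte tag yields a truncated salt, an empty nonce and a short expected_hmac; the comparison should still fail (compare_digest returns False for unequal lengths), but the rejection is accidental rather than deliberate, and the later slices assume the full layout is present. I would validate before slicing: `if len(ciphertext) < 2 * 256//8 + sha256_outputsize: raise AuthenticationError`. The verify-before-decrypt order in the new code is right; the salt and nonce must be read before the HMAC key can be derived, but since both are now covered by the tag any tampering with them is caught before the keystream is used. Minor: the added comment reads "Contruct" and should be "Construct". shacrypt_dec's body continues past the end of the second hunk (the decryption loop), so only the two shown hunks were reviewed.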