Fix the design error where IVs were not hmaced
This commit is contained in:
parent
236b0b319a
commit
13c94d9bdf
35
shacrypt.py
35
shacrypt.py
|
@ -117,35 +117,38 @@ def shacrypt_enc(key, plaintext):
|
|||
del plaintext
|
||||
del cipher_key
|
||||
|
||||
# Contruct the HMACed part of ciphertext
|
||||
hmaced = b''.join((
|
||||
hkdf_salt,
|
||||
cipher_nonce,
|
||||
ciphered
|
||||
))
|
||||
del ciphered
|
||||
|
||||
# HMAC
|
||||
hmac = hmac_sha256(hmac_key, ciphered)
|
||||
hmac = hmac_sha256(hmac_key, hmaced)
|
||||
del hmac_key
|
||||
|
||||
# Construct the full ciphertext
|
||||
return b''.join((
|
||||
hkdf_salt,
|
||||
cipher_nonce,
|
||||
ciphered,
|
||||
hmac
|
||||
))
|
||||
return hmaced + hmac
|
||||
|
||||
class AuthenticationError(Exception): pass
|
||||
|
||||
def shacrypt_dec(key, ciphertext):
|
||||
assert len(key) == 256//8
|
||||
|
||||
# Extract the IVs
|
||||
hkdf_salt = ciphertext[0:256//8]
|
||||
cipher_nonce = ciphertext[256//8:256//8 + 256//8]
|
||||
|
||||
# Extract the main part of ciphertext
|
||||
ciphered = ciphertext[2 * 256//8:-sha256_outputsize]
|
||||
# Extract the HMACed part of ciphertext
|
||||
hmaced = ciphertext[:-sha256_outputsize]
|
||||
|
||||
# Extract the expected HMAC
|
||||
expected_hmac = ciphertext[-sha256_outputsize:]
|
||||
|
||||
del ciphertext
|
||||
|
||||
# Extract the IVs
|
||||
hkdf_salt = hmaced[0:256//8]
|
||||
cipher_nonce = hmaced[256//8:256//8 + 256//8]
|
||||
|
||||
# Derive keys
|
||||
keys = hkdf_sha256(hkdf_salt, key, b'', 512//8)
|
||||
del key
|
||||
|
@ -160,13 +163,17 @@ def shacrypt_dec(key, ciphertext):
|
|||
del keys
|
||||
|
||||
# Verify HMAC
|
||||
hmac = hmac_sha256(hmac_key, ciphered)
|
||||
hmac = hmac_sha256(hmac_key, hmaced)
|
||||
del hmac_key
|
||||
if not secrets.compare_digest(expected_hmac, hmac):
|
||||
raise AuthenticationError
|
||||
del expected_hmac
|
||||
del hmac
|
||||
|
||||
# Extract the ciphered part of the ciphertext
|
||||
ciphered = hmaced[2 * 256//8:]
|
||||
del hmaced
|
||||
|
||||
# Decrypt
|
||||
plaintext = bytearray()
|
||||
for cipheredbyte, keybyte in zip(ciphered, hmac_sha256_ctr_keystream(cipher_nonce, cipher_key)):
|
||||
|
|
Loading…
Reference in New Issue