def encrypt_handler(infile=None,
outfile=None,
recipient=None,
self=None,
basedir=None):
# provides a high level function to do encryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# recipient specifies the name of the recipient for using public key crypto
# self specifies the sender for signing the message using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if both self and recipient is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile or
(infile + '.pbp' if infile not in [None, '-'] else '-'))
if recipient and self:
# let's do public key encryption
key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES)
me = publickey.Identity(self, basedir=basedir)
size = struct.pack('>H', len(recipient))
# write out encrypted message key (nonce, c(key+recplen)) for each recipient
for r in recipient:
r = publickey.Identity(r, basedir=basedir, publicOnly=True)
nonce = nacl.randombytes(nacl.crypto_box_NONCEBYTES)
outfd.write(nonce)
outfd.write(nacl.crypto_box(key + size, nonce, r.cp, me.cs))
me.clear()
else:
# let's do symmetric crypto
key = getkey(nacl.crypto_secretbox_KEYBYTES)
buf = fd.read(BLOCK_SIZE)
if buf:
nonce, cipher = encrypt(buf, k=key)
outfd.write(nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
while buf:
nonce = inc_nonce(nonce)
nonce, cipher = encrypt(buf, k=key, nonce=nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
clearmem(key)
key = None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and isinstance(outfd, file): outfd.close()
def rng(size, outfile=None):
outfd = outputfd(outfile or '-')
reset()
read = 0
res = ''
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_RNG)
while(read<size):
res=eps[USB_CRYPTO_EP_DATA_OUT].read(32768 if size - read > 32768 else size -read)
outfd.write(''.join([chr(x) for x in res]))
read += len(res)
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_STOP)
read_ctrl()
reset()
def verify_handler(infile=None, outfile=None, basedir=None):
# provides a high level function to verify signed files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file,
# basedir provides a root for the keystores
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
sender = publickey.buffered_verify(fd, outfd, basedir)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return sender
def chaining_decrypt_handler(infile=None,
outfile=None,
recipient=None,
self=None,
basedir=None):
# provides highlevel forward secure deccryption receive primitive for files
# for details see doc/chaining-dh.txt
# infile specifies the input file,
# outfile the filename of the output,
# self the sending parties name
# recipient the receiving peers name
# basedir the root directory used for key storage
fd = inputfd(infile)
outfd = outputfd(outfile or infile + '.pbp')
ctx = chaining.ChainingContext(self, recipient, basedir)
ctx.buffered_decrypt(fd, outfd)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def sign(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile)
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_SIGN+peer, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)])
if(keyid.startswith('err: ')):
return
if len(keyid)<EKID_SIZE:
return
pkt = fd.read(32768)
tmp = read_ctrl(timeout=0)
if(tmp and tmp!="go"):
raise ValueError(tmp)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
pkt = fd.read(32768)
if outfile: outfd.write(pkt)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(nacl.crypto_generichash_BYTES, timeout=0)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return ''.join([chr(x) for x in res]), keyid
def encrypt(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_ENCRYPT+peer, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)])
if(keyid.startswith('err: ')):
raise ValueError(keyid)
if len(keyid)<EKID_SIZE:
print len(keyid),EKID_SIZE
print repr(keyid)
raise ValueError
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if (wrote<32768 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote+40, timeout=0)]))
pkt = fd.read(32768)
if(len(pkt)==32768):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return keyid
def verify(sign, keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
sign=b85decode(sign)
if(len(keyid)!=EKID_SIZE or len(sign)!= nacl.crypto_generichash_BYTES):
print len(keyid), EKID_SIZE, repr(keyid)
print len(sign), 32, repr(sign)
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile) if outfile else None
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write("%s%s%s" % (USB_CRYPTO_CMD_VERIFY,sign,keyid), timeout=0)
tmp=read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
return
tmp = read_ctrl(timeout=0)
if(tmp and tmp!="go"):
raise ValueError(tmp)
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if outfd: outfd.write(pkt)
pkt = fd.read(32768)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(1, timeout=0)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd and outfd != sys.stdout: outfd.close()
return res[0]
def decrypt(keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
if(len(keyid)!=EKID_SIZE):
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_DECRYPT+keyid, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
tmp = read_ctrl(timeout=0)
pkt = fd.read(32808)
if(tmp and tmp!="go"):
raise ValueError(tmp)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if (wrote<32808 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
tmp = read_ctrl(timeout=50)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote-40, timeout=0)]))
pkt = fd.read(32808)
if(len(pkt)==32808):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def decrypt_handler(infile=None,
outfile=None,
self=None,
peer=None,
max_recipients=20,
basedir=None):
# provides a high level function to do decryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# self specifies the recipient of the message for using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if self is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
key = None
# asym
if self:
me = publickey.Identity(self, basedir=basedir)
if peer:
peer = publickey.Identity(peer, basedir=basedir, publicOnly=True)
sender = None
size = None
i = 0
while i < (max_recipients if not size else size):
i += 1
rnonce = fd.read(nacl.crypto_box_NONCEBYTES)
ct = fd.read(nacl.crypto_secretbox_KEYBYTES + 2 +
nacl.crypto_secretbox_MACBYTES)
if sender: continue
for keys in ([peer] if peer else publickey.get_public_keys(
basedir=basedir)):
try:
tmp = nacl.crypto_box_open(ct, rnonce, keys.cp, me.cs)
except ValueError:
continue
key = tmp[:nacl.crypto_secretbox_KEYBYTES]
size = struct.unpack('>H',
tmp[nacl.crypto_secretbox_KEYBYTES:])[0]
sender = keys.name
break
me.clear()
if not sender:
raise ValueError('decryption failed')
# sym
else:
pwd = getpass.getpass('Passphrase for decrypting: ')
key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES]
sender = None
clearmem(pwd)
pwd = None
if key:
nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
while buf:
outfd.write(decrypt((nonce, buf), k=key))
nonce = inc_nonce(nonce)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
clearmem(key)
key = None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and type(outfd) == file: outfd.close()
return sender