[couchdb] branch prototype/fdb-encryption updated: Switch to old crypto API for now

Fri, 06 Mar 2020 07:28:45 -0800 

This is an automated email from the ASF dual-hosted git repository.

eiri pushed a commit to branch prototype/fdb-encryption
in repository https://gitbox.apache.org/repos/asf/couchdb.git


The following commit(s) were added to refs/heads/prototype/fdb-encryption by 
this push:
     new 68aa755  Switch to old crypto API for now
68aa755 is described below

commit 68aa7552d5d68fa07423f12ee3430e020ec589fe
Author: Eric Avdey <[email protected]>
AuthorDate: Fri Mar 6 11:27:55 2020 -0400

    Switch to old crypto API for now
---
 src/fabric/src/fabric2_encryption.erl | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/fabric/src/fabric2_encryption.erl 
b/src/fabric/src/fabric2_encryption.erl
index d9791f8..43813d9 100644
--- a/src/fabric/src/fabric2_encryption.erl
+++ b/src/fabric/src/fabric2_encryption.erl
@@ -168,8 +168,10 @@ do_encode(KEK, InstanceId, DbName, DocId, DocRev, DocBody) 
->
     try
         {ok, AAD} = get_aad(InstanceId, DbName),
         {ok, DEK} = get_dek(KEK, DocId, DocRev),
-        {CipherText, CipherTag} = crypto:crypto_one_time_aead(
-            aes_256_gcm, DEK, <<0:96>>, DocBody, AAD, 16, true),
+        {CipherText, CipherTag} = crypto:block_encrypt(
+            aes_gcm, DEK, <<0:96>>, {AAD, DocBody, 16}),
+        % {CipherText, CipherTag} = crypto:crypto_one_time_aead(
+        %     aes_256_gcm, DEK, <<0:96>>, DocBody, AAD, 16, true),
         <<CipherTag/binary, CipherText/binary>>
     of
         Resp ->
@@ -185,8 +187,10 @@ do_decode(KEK, InstanceId, DbName, DocId, DocRev, Encoded) 
->
         <<CipherTag:16/binary, CipherText/binary>> = Encoded,
         {ok, AAD} = get_aad(InstanceId, DbName),
         {ok, DEK} = get_dek(KEK, DocId, DocRev),
-        crypto:crypto_one_time_aead(
-            aes_256_gcm, DEK, <<0:96>>, CipherText, AAD, CipherTag, false)
+        crypto:block_decrypt(
+            aes_gcm, DEK, <<0:96>>, {AAD, CipherText, CipherTag})
+        % crypto:crypto_one_time_aead(
+        %     aes_256_gcm, DEK, <<0:96>>, CipherText, AAD, CipherTag, false)
     of
         Resp ->
             exit({ok, Resp})
@@ -221,11 +225,13 @@ unwrap_kek(Cache, WrappedKEK) ->
 %% this mocks a call to an expernal system to aquire KEK
 get_kek() ->
     KEK = crypto:strong_rand_bytes(32),
-    WrappedKEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, KEK, true),
+    % WrappedKEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, KEK, true),
+    WrappedKEK = crypto:block_encrypt(aes_256_ctr, ?MEK, ?IV, KEK),
     {ok, KEK, WrappedKEK}.
 
 
 %% this mocks a call to an expernal system to unwrap KEK
 unwrap_kek(WrappedKEK) ->
-    KEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, WrappedKEK, true),
+    % KEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, WrappedKEK, true),
+    KEK = crypto:block_decrypt(aes_256_ctr, ?MEK, ?IV, WrappedKEK),
     {ok, KEK, WrappedKEK}.

Reply via email to