This is an automated email from the ASF dual-hosted git repository. eiri pushed a commit to branch prototype/fdb-encryption in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 41c9691130fba474b0dcd5cdf53ca5c48b62bda0 Author: Eric Avdey <[email protected]> AuthorDate: Fri Mar 6 11:27:55 2020 -0400 Switch to old crypto API for now --- src/fabric/src/fabric2_encryption.erl | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/fabric/src/fabric2_encryption.erl b/src/fabric/src/fabric2_encryption.erl index d47ef55..6a9e82e 100644 --- a/src/fabric/src/fabric2_encryption.erl +++ b/src/fabric/src/fabric2_encryption.erl @@ -168,8 +168,8 @@ do_encode(KEK, InstanceId, DbName, DocId, DocRev, DocBody) -> try {ok, AAD} = get_aad(InstanceId, DbName), {ok, DEK} = get_dek(KEK, DocId, DocRev), - {CipherText, CipherTag} = crypto:crypto_one_time_aead( - aes_256_gcm, DEK, <<0:96>>, DocBody, AAD, 16, true), + {CipherText, CipherTag} = crypto:block_encrypt( + aes_gcm, DEK, <<0:96>>, {AAD, DocBody, 16}), <<CipherTag/binary, CipherText/binary>> of Resp -> @@ -185,8 +185,8 @@ do_decode(KEK, InstanceId, DbName, DocId, DocRev, Encoded) -> <<CipherTag:16/binary, CipherText/binary>> = Encoded, {ok, AAD} = get_aad(InstanceId, DbName), {ok, DEK} = get_dek(KEK, DocId, DocRev), - crypto:crypto_one_time_aead( - aes_256_gcm, DEK, <<0:96>>, CipherText, AAD, CipherTag, false) + crypto:block_decrypt( + aes_gcm, DEK, <<0:96>>, {AAD, CipherText, CipherTag}) of Resp -> exit({ok, Resp}) @@ -203,7 +203,7 @@ get_aad(InstanceId, DbName) when is_binary(InstanceId), is_binary(DbName) -> get_dek(KEK, DocId, DocRev) when bit_size(KEK) == 256 -> Context = <<DocId/binary, 0:8, DocRev/binary>>, PlainText = <<1:16, ?LABEL, 0:8, Context/binary, 256:16>>, - <<_:256>> = DEK = crypto:mac(hmac, sha256, KEK, PlainText), + <<_:256>> = DEK = crypto:hmac(sha256, KEK, PlainText), {ok, DEK}. @@ -221,13 +221,15 @@ unwrap_kek(Cache, WrappedKEK) -> %% this mocks a call to an expernal system to aquire KEK get_kek() -> KEK = crypto:strong_rand_bytes(32), - WrappedKEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, KEK, true), + Enc = crypto:stream_init(aes_ctr, ?MEK, ?IV), + {_, WrappedKEK} = crypto:stream_encrypt(Enc, KEK), {ok, KEK, WrappedKEK}. %% this mocks a call to an expernal system to unwrap KEK unwrap_kek(WrappedKEK) -> - KEK = crypto:crypto_one_time(aes_256_ctr, ?MEK, ?IV, WrappedKEK, true), + Enc = crypto:stream_init(aes_ctr, ?MEK, ?IV), + {_, KEK} = crypto:stream_decrypt(Enc, WrappedKEK), {ok, KEK, WrappedKEK}.
