crypto primitives

Author: schiele

.gitignore

@@ -1,5 +1,6 @@
 .*.swp
 *~
+incrypt-plugin.so
 /man1
 /crypt
 /tst

Makefile

@@ -13,7 +13,7 @@ REPO := incrypt::$(CURDIR)/crypt
 
 .PHONY: all man test clean
 
-all: man
+all: incrypt-plugin.so man
 
 ifndef NODOC
 man: man1/git-incrypt.1
@@ -24,6 +24,15 @@ man:
 testman:
 endif
 
+incrypt-plugin.so: git/incrypt-plugin.so
+	cp $< $@
+
+git/incrypt-plugin.so: git/incrypt-plugin.c git/config.mak
+	$(MAKE) -C $(@D) DEVELOPER:=1 $(@F)
+
+git/%.c: %.c
+	cp $< $@
+
 man1/%.1: git/Documentation/%.1
 	mkdir -p man1
 	cp $< $@
@@ -37,7 +46,7 @@ git/Documentation/%.adoc: %.adoc
 git/config.mak: config.mak
 	cp $< $@
 
-test: testman
+test: incrypt-plugin.so testman
 	rm -rf crypt tst
 	mkdir crypt
 	git -C crypt init --bare -b _
@@ -72,5 +81,5 @@ install: man
 
 clean:
 	$(MAKE) -C git clean
-	rm -rf man1 crypt tst \
+	rm -rf incrypt-plugin.so man1 crypt tst \
 		git/config.mak git/*incrypt* git/Documentation/*incrypt*

config.mak

@@ -1 +1,8 @@
+CFLAGS += -fPIC
+
+OBJECTS += incrypt-plugin.o
+
 MAN1_TXT += git-incrypt.adoc
+
+incrypt-plugin.so: incrypt-plugin.o GIT-LDFLAGS $(GITLIBS)
+	$(QUIET_LINK)$(CC) $(ALL_CFLAGS) -o $@ $(ALL_LDFLAGS) -shared $(filter %.o,$^) $(LIBS) $(LIB_4_CRYPTO)

git-incrypt

@@ -30,10 +30,17 @@ import hashlib
 import base64
 import argparse
 import enum
+import ctypes
 import pygit2
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.hazmat.primitives import padding
-from cryptography.hazmat.backends import default_backend
+
+plugin = ctypes.cdll.LoadLibrary(os.path.join(os.path.dirname(__file__),
+                                              'incrypt-plugin.so'))
+plugin.encryptdata.argtypes = [
+    ctypes.c_void_p, ctypes.c_size_t,
+    ctypes.c_void_p, ctypes.POINTER(ctypes.c_size_t), ctypes.c_void_p]
+plugin.decryptdata.argtypes = [
+    ctypes.c_void_p, ctypes.c_size_t,
+    ctypes.c_void_p, ctypes.POINTER(ctypes.c_size_t), ctypes.c_void_p]
 
 if not hasattr(pygit2.enums, 'FileMode'):
     class FileMode(enum.IntFlag):
@@ -65,29 +72,24 @@ decrypt the repository using
 '''
 
 
-def cipher(key):
-    'return cipher to be used'
-    return Cipher(algorithms.AES(key[0:32]), modes.CBC(key[32:48]),
-                  backend=default_backend())
-
-
-def pad():
-    'return patting to be used'
-    return padding.PKCS7(algorithms.AES.block_size)
-
-
 def encryptdata(data: bytes, key: bytes) -> (bytes, bytes):
     'encrypt raw data'
-    e = cipher(key).encryptor()
-    p = pad().padder()
-    return e.update(p.update(data) + p.finalize()) + e.finalize()
+    output = ctypes.create_string_buffer(len(data) + 16)
+    poutput = ctypes.c_void_p(ctypes.addressof(output))
+    outlen = ctypes.c_size_t(0)
+    poutlen = ctypes.pointer(outlen)
+    plugin.encryptdata(data, len(data), poutput, poutlen, key)
+    return output.raw[:poutlen.contents.value]
 
 
 def decryptdata(ciphertext: bytes, key: bytes) -> bytes:
     'decrypt raw data'
-    d = cipher(key).decryptor()
-    u = pad().unpadder()
-    return u.update(d.update(ciphertext) + d.finalize()) + u.finalize()
+    output = ctypes.create_string_buffer(len(ciphertext) + 16)
+    poutput = ctypes.c_void_p(ctypes.addressof(output))
+    outlen = ctypes.c_size_t(0)
+    poutlen = ctypes.pointer(outlen)
+    plugin.decryptdata(ciphertext, len(ciphertext), poutput, poutlen, key)
+    return output.raw[:poutlen.contents.value]
 
 
 def encryptrefname(ref, key):

incrypt-plugin.c

@@ -0,0 +1,84 @@
+/* -*- indent-tabs-mode: t; tab-width: 8; c-basic-offset: 8 -*- */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+int encryptdata(const unsigned char* input, size_t inputlen,
+		unsigned char* output, size_t* outputlen,
+		const unsigned char* key);
+int decryptdata(const unsigned char* input, size_t inputlen,
+		unsigned char* output, size_t* outputlen,
+		const unsigned char* key);
+void cmd_main(void);
+
+static void handle_openssl_error(const char *message) {
+    fprintf(stderr, "%s\n", message);
+    ERR_print_errors_fp(stderr);
+}
+
+int encryptdata(const unsigned char* input, size_t inputlen,
+		unsigned char* output, size_t* outputlen,
+		const unsigned char* key) {
+	const EVP_CIPHER *cipher_type = EVP_aes_256_cbc();
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+	int outlen;
+	if (ctx == NULL) {
+		handle_openssl_error("EVP_CIPHER_CTX_new failed");
+		return -1;
+	}
+	if (EVP_EncryptInit_ex(ctx, cipher_type, NULL, key, key+32) != 1) {
+		handle_openssl_error("EVP_EncryptInit_ex failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	if (EVP_EncryptUpdate(ctx, output, &outlen, input, inputlen) != 1) {
+		handle_openssl_error("EVP_EncryptUpdate failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	*outputlen = outlen;
+	if (EVP_EncryptFinal_ex(ctx, output + *outputlen, &outlen) != 1) {
+		handle_openssl_error("EVP_EncryptFinal_ex failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	*outputlen += outlen;
+	EVP_CIPHER_CTX_free(ctx);
+	return 0;
+}
+
+int decryptdata(const unsigned char* input, size_t inputlen,
+		unsigned char* output, size_t* outputlen,
+		const unsigned char* key) {
+	const EVP_CIPHER *cipher_type = EVP_aes_256_cbc();
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+	int outlen;
+	if (ctx == NULL) {
+		handle_openssl_error("EVP_CIPHER_CTX_new failed");
+		return -1;
+	}
+	if (EVP_DecryptInit_ex(ctx, cipher_type, NULL, key, key+32) != 1) {
+		handle_openssl_error("EVP_DecryptInit_ex failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	if (EVP_DecryptUpdate(ctx, output, &outlen, input, inputlen) != 1) {
+		handle_openssl_error("EVP_DecryptUpdate failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	*outputlen = outlen;
+	if (EVP_DecryptFinal_ex(ctx, output + *outputlen, &outlen) != 1) {
+		handle_openssl_error("EVP_DecryptFinal_ex failed");
+		EVP_CIPHER_CTX_free(ctx);
+		return -1;
+	}
+	*outputlen += outlen;
+	EVP_CIPHER_CTX_free(ctx);
+	return 0;
+}
+
+void cmd_main(void) {
+}