author | Joey Hess <joeyh@joeyh.name> | 2016-08-19 16:50:27 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2016-08-19 16:50:27 -0400 |
commit | f37b78acc2ba8272d8181f636eac6eb123c59013 (patch) | |
tree | fa70245d3dcdfe232dce79bfe75633cf28361a4c /Encryption.hs | |
parent | d25d55c9c68263100ea21e66eda74067cc8c1393 (diff) | |
download | keysafe-f37b78acc2ba8272d8181f636eac6eb123c59013.tar.gz |
reorg
Diffstat (limited to 'Encryption.hs')
-rw-r--r-- | Encryption.hs | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/Encryption.hs b/Encryption.hs
index fbeb1c6..5e91ef5 100644
--- a/Encryption.hs
+++ b/Encryption.hs
@@ -43,21 +43,9 @@ encrypt tunables kek (SecretKey secret) =
 data DecryptResult
 	= DecryptSuccess SecretKey
 	| DecryptIncomplete KeyEncryptionKey
+	-- ^ Returned when the EncryptedSecretKey is truncated.
 	| DecryptFailed
 
--- | Tries each candidate key in turn until one unlocks the encrypted data.
---
--- When the EncryptedSecretKey is truncated, returns IncompleteDecrypt.
--- This avoids needing to try the candidate keys again after retrieving
--- more chunks.
-tryDecrypt :: Candidates KeyEncryptionKey -> EncryptedSecretKey -> DecryptResult
-tryDecrypt (Candidates l _ _) esk = go l
-  where
-	go [] = DecryptFailed
-	go (kek:rest) = case decrypt kek esk of
-		DecryptFailed -> go rest
-		r -> r
-
 decrypt :: KeyEncryptionKey -> EncryptedSecretKey -> DecryptResult
 decrypt kek (EncryptedSecretKey cs _) = case decodeEncryptableBytes pbs of
 	Nothing -> DecryptFailed
@@ -68,6 +56,15 @@ decrypt kek (EncryptedSecretKey cs _) = case decodeEncryptableBytes pbs of
 		Raaz.unsafeDecrypt cipher (keyEncryptionKey kek, keyEncryptionIV kek) b
 	b = B.concat cs
 
+-- | Tries each candidate key in turn until one unlocks the encrypted data.
+tryDecrypt :: Candidates KeyEncryptionKey -> EncryptedSecretKey -> DecryptResult
+tryDecrypt (Candidates l _ _) esk = go l
+  where
+	go [] = DecryptFailed
+	go (kek:rest) = case decrypt kek esk of
+		DecryptFailed -> go rest
+		r -> r
+
 -- | An AES key, which is used to encrypt the secret key that is stored
 -- in keysafe.
 data KeyEncryptionKey = KeyEncryptionKey |
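Review bot: The relocated Haddock on tryDecrypt in the second hunk drops the reason the loop stops at the first non-DecryptFailed result: the removed text explained that returning DecryptIncomplete immediately avoids re-trying every candidate key after more chunks have been retrieved, and neither the new `-- |` on tryDecrypt nor the new `-- ^` on DecryptIncomplete in the first hunk says so. As written, the `r -> r` arm reads as if it only short-circuits on DecryptSuccess, and a later edit could "fix" it to keep trying keys on DecryptIncomplete. Suggest a why-comment on that arm, `-- A DecryptIncomplete from one key is returned at once, carrying that key, so the caller need not retry the other candidates after fetching more chunks.` Whether the caller actually reuses the returned KeyEncryptionKey is not visible in this diff.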