Implement secure key via KDF for transparent data encryption/decryption #60

2025-08-31 12:08:04 -05:00
parent 5a4e1302f1
commit e542aa64ad
16 changed files with 808 additions and 552 deletions
--- a/support/src/utils/encrypting_reader.cpp
+++ b/support/src/utils/encrypting_reader.cpp
@@ -285,6 +285,27 @@ encrypting_reader::encrypting_reader(
  create_encrypted_paths(file_name, relative_parent_path);
 }

+encrypting_reader::encrypting_reader(
+    std::string_view file_name, std::string_view source_path,
+    stop_type_callback stop_requested_cb,
+    const utils::hash::hash_256_t &master_key,
+    const std::pair<kdf_config, kdf_config> &configs,
+    std::optional<std::string> relative_parent_path, std::size_t error_return)
+    : stop_requested_cb_(std::move(stop_requested_cb)),
+      error_return_(error_return),
+      source_file_(utils::file::file::open_or_create_file(source_path, true)) {
+  keys_.first = configs.first.recreate_subkey(
+      utils::encryption::kdf_context::data, master_key);
+  keys_.second = configs.second.recreate_subkey(
+      utils::encryption::kdf_context::path, master_key);
+  kdf_headers_ = {
+      configs.first.to_header(),
+      configs.second.to_header(),
+  };
+  common_initialize(true);
+  create_encrypted_paths(file_name, relative_parent_path);
+}
+
 encrypting_reader::encrypting_reader(stop_type_callback stop_requested_cb,
                                     std::string_view encrypted_file_path,
                                     std::string_view source_path,
@@ -322,6 +343,32 @@ encrypting_reader::encrypting_reader(
  common_initialize(false);
 }

+encrypting_reader::encrypting_reader(
+    stop_type_callback stop_requested_cb, std::string_view encrypted_file_path,
+    std::string_view source_path, const utils::hash::hash_256_t &master_key,
+    const std::pair<kdf_config, kdf_config> &configs,
+    std::vector<
+        std::array<unsigned char, crypto_aead_xchacha20poly1305_IETF_NPUBBYTES>>
+        iv_list,
+    std::size_t error_return)
+    : stop_requested_cb_(std::move(stop_requested_cb)),
+      error_return_(error_return),
+      source_file_(utils::file::file::open_or_create_file(source_path, true)),
+      encrypted_file_name_(
+          utils::path::strip_to_file_name(std::string{encrypted_file_path})),
+      encrypted_file_path_(encrypted_file_path),
+      iv_list_(std::move(iv_list)) {
+  keys_.first = configs.first.recreate_subkey(
+      utils::encryption::kdf_context::data, master_key);
+  keys_.second = configs.second.recreate_subkey(
+      utils::encryption::kdf_context::path, master_key);
+  kdf_headers_ = {
+      configs.first.to_header(),
+      configs.second.to_header(),
+  };
+  common_initialize(false);
+}
+
 encrypting_reader::encrypting_reader(const encrypting_reader &reader)
    : keys_(reader.keys_),
      stop_requested_cb_(reader.stop_requested_cb_),
--- a/support/src/utils/encryption.cpp
+++ b/support/src/utils/encryption.cpp
@@ -63,7 +63,8 @@ auto kdf_config::generate_checksum() const -> std::uint64_t {
  return *reinterpret_cast<std::uint64_t *>(hash.data());
 }

-auto kdf_config::from_header(data_cspan data, kdf_config &cfg) -> bool {
+auto kdf_config::from_header(data_cspan data, kdf_config &cfg,
+                             bool ignore_checksum) -> bool {
  if (data.size() < kdf_config::size()) {
    return false;
  }
@@ -77,7 +78,7 @@ auto kdf_config::from_header(data_cspan data, kdf_config &cfg) -> bool {
         cfg.memlimit <= memlimit_level::level4 &&
         cfg.opslimit >= opslimit_level::level1 &&
         cfg.opslimit <= opslimit_level::level3 &&
-         cfg.checksum == cfg.generate_checksum();
+         (ignore_checksum || cfg.checksum == cfg.generate_checksum());
 }

 void kdf_config::seal() {