// commonArgs must be called inside a LoginState().Account(...)
// closure
func (c *PassphraseChange) commonArgs(a *libkb.Account, oldClientHalf []byte, pgpKeys []libkb.GenericKey, existingGen libkb.PassphraseGeneration) (libkb.JSONPayload, error) {
	// ensure that the login session is loaded
	if err := a.LoadLoginSession(c.me.GetName()); err != nil {
		return nil, err
	}
	salt, err := a.LoginSession().Salt()
	if err != nil {
		return nil, err
	}

	tsec, newPPStream, err := libkb.StretchPassphrase(c.arg.Passphrase, salt)
	if err != nil {
		return nil, err
	}
	newPWH := newPPStream.PWHash()
	newClientHalf := newPPStream.LksClientHalf()

	mask := make([]byte, len(oldClientHalf))
	libkb.XORBytes(mask, oldClientHalf, newClientHalf)

	lksch := make(map[keybase1.KID]string)
	devices := c.me.GetComputedKeyFamily().GetAllDevices()
	for _, dev := range devices {
		if !dev.IsActive() {
			continue
		}
		key, err := c.me.GetComputedKeyFamily().GetEncryptionSubkeyForDevice(dev.ID)
		if err != nil {
			return nil, err
		}
		ctext, err := key.EncryptToString(newClientHalf, nil)
		if err != nil {
			return nil, err
		}
		lksch[key.GetKID()] = ctext
	}

	payload := make(libkb.JSONPayload)
	payload["pwh"] = libkb.HexArg(newPWH).String()
	payload["pwh_version"] = triplesec.Version
	payload["lks_mask"] = libkb.HexArg(mask).String()
	payload["lks_client_halves"] = lksch

	var encodedKeys []string
	for _, key := range pgpKeys {
		encoded, err := c.encodePrivatePGPKey(key, tsec, existingGen+1)
		if err != nil {
			return nil, err
		}
		encodedKeys = append(encodedKeys, encoded)
	}
	payload["private_keys"] = encodedKeys

	return payload, nil
}
Beispiel #2
0
func (s *SignupEngine) genPassphraseStream(a libkb.LoginContext, passphrase string) error {
	salt, err := libkb.RandBytes(triplesec.SaltLen)
	if err != nil {
		return err
	}
	s.pwsalt = salt
	s.tsec, s.ppStream, err = libkb.StretchPassphrase(passphrase, salt)
	if err != nil {
		return err
	}
	return nil
}
Beispiel #3
0
func Fuzz(data []byte) int {
	split := len(data) / 2
	pp := string(data[0:split])
	salt := data[split:]
	tsec, pps, err := libkb.StretchPassphrase(pp, salt)
	if err != nil {
		if tsec != nil {
			panic("tsec not nil on error")
		}
		if pps != nil {
			panic("pps not nil on error")
		}
		return 0
	}
	return 1
}
Beispiel #4
0
// makeDeviceWrapArgs creates a base set of args for DeviceWrap.
func (e *PGPProvision) makeDeviceWrapArgs(ctx *Context) (*DeviceWrapArgs, error) {
	// generate lks
	salt, err := ctx.LoginContext.LoginSession().Salt()
	if err != nil {
		return nil, err
	}
	_, pps, err := libkb.StretchPassphrase(e.G(), e.passphrase, salt)
	if err != nil {
		return nil, err
	}
	// since this is just for testing, ok to set this explicitly
	pps.SetGeneration(1)
	lks := libkb.NewLKSec(pps, e.user.GetUID(), e.G())

	return &DeviceWrapArgs{
		Me:         e.user,
		DeviceName: e.deviceName,
		DeviceType: libkb.DeviceTypeDesktop,
		Lks:        lks,
	}, nil
}