func StretchPassphrase(passphrase string, salt []byte) (tsec *triplesec.Cipher, pps *PassphraseStream, err error) {
if salt == nil {
err = fmt.Errorf("no salt provided to StretchPassphrase")
return
}
var tmp []byte
if tsec, err = triplesec.NewCipher([]byte(passphrase), salt); err != nil {
return
}
if _, tmp, err = tsec.DeriveKey(extraLen); err != nil {
return
}
pps = NewPassphraseStream(tmp)
return
}
func (s *SKB) UnlockSecretKey(lctx LoginContext, passphrase string, tsec *triplesec.Cipher, pps *PassphraseStream, secretStorer SecretStorer, lksPreload *LKSec) (key GenericKey, err error) {
if key = s.decryptedSecret; key != nil {
return
}
var unlocked []byte
switch s.Priv.Encryption {
case 0:
unlocked = s.Priv.Data
case int(triplesec.Version):
if tsec == nil {
tsec, err = triplesec.NewCipher([]byte(passphrase), nil)
if err != nil {
return nil, err
}
}
unlocked, err = s.tsecUnlock(tsec)
case LKSecVersion:
ppsIn := pps
if pps == nil {
tsec, pps, err = s.unverifiedPassphraseStream(lctx, passphrase)
if err != nil {
return nil, fmt.Errorf("UnlockSecretKey: %s", err)
}
}
if unlocked, err = s.lksUnlock(lctx, pps, secretStorer, lksPreload); err == nil && ppsIn == nil {
// the unverified tsec, pps has been verified, so cache it:
if lctx != nil {
lctx.CreateStreamCache(tsec, pps)
} else {
aerr := s.G().LoginState().Account(func(a *Account) {
a.CreateStreamCache(tsec, pps)
}, "skb - UnlockSecretKey - CreateStreamCache")
if aerr != nil {
return nil, aerr
}
}
} else {
s.G().Log.Debug("| not caching passphrase stream: err = %v", err)
}
default:
err = BadKeyError{fmt.Sprintf("Can't unlock secret with protection type %d", int(s.Priv.Encryption))}
}
if err == nil {
key, err = s.parseUnlocked(unlocked)
}
return
}
func NewSecureTriplesec(passphrase []byte, salt []byte) (Triplesec, error) {
return triplesec.NewCipher(passphrase, salt)
}