Skip to content

Commit

Permalink
Close enough to 100%.
Browse files Browse the repository at this point in the history
  • Loading branch information
@paragonie-security
paragonie-security committed Jan 26, 2018
1 parent 3728ff4 commit bc1ae5f
Show file tree
Hide file tree
Showing 5 changed files with 50 additions and 25 deletions.
26 changes: 14 additions & 12 deletions src/Asymmetric/Crypto.php
View file
Expand Up @@ -104,15 +104,16 @@ public static function encryptWithAd(
string $additionalData = '',
$encoding = Halite::ENCODE_BASE64URLSAFE
): string {
/** @var HiddenString $ss */
$ss = self::getSharedSecret(
$ourPrivateKey,
$theirPublicKey
);
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
if (!($ss instanceof HiddenString)) {
throw new \TypeError();
}
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
$sharedSecretKey = new EncryptionKey($ss);
$ciphertext = SymmetricCrypto::encryptWithAd(
$plaintext,
Expand Down Expand Up @@ -182,15 +183,16 @@ public static function decryptWithAd(
string $additionalData = '',
$encoding = Halite::ENCODE_BASE64URLSAFE
): HiddenString {
/** @var HiddenString $ss */
$ss = self::getSharedSecret(
$ourPrivateKey,
$theirPublicKey
);
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
if (!($ss instanceof HiddenString)) {
throw new \TypeError();
}
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
$sharedSecretKey = new EncryptionKey($ss);
$plaintext = SymmetricCrypto::decryptWithAd(
$ciphertext,
Expand Down Expand Up @@ -320,9 +322,9 @@ public static function signAndEncrypt(
} elseif ($recipientPublicKey instanceof EncryptionPublicKey) {
$publicKey = $recipientPublicKey;
} else {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidKey('An invalid key type was provided');
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}
$signature = self::sign($message->getString(), $secretKey, true);
$plaintext = new HiddenString($signature . $message->getString());
Expand Down Expand Up @@ -384,11 +386,11 @@ public static function unseal(
// Always memzero after retrieving a value
\sodium_memzero($key_pair);
if ($message === false) {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidKey(
'Incorrect secret key for this sealed message'
);
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}

// We have our encrypted message here
Expand Down Expand Up @@ -421,11 +423,11 @@ public static function verify(
$signature = $decoder($signature);
}
if (Binary::safeStrlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidSignature(
'Signature is not the correct length; is it encoded?'
);
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}

return (bool) \sodium_crypto_sign_verify_detached(
Expand Down Expand Up @@ -463,9 +465,9 @@ public static function verifyAndDecrypt(
} elseif ($givenSecretKey instanceof EncryptionSecretKey) {
$secretKey = $givenSecretKey;
} else {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidKey('An invalid key type was provided');
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}
$senderEncKey = $senderPublicKey->getEncryptionPublicKey();
$decrypted = self::decrypt($ciphertext, $secretKey, $senderEncKey, $encoding);
Expand Down
4 changes: 4 additions & 0 deletions src/Password.php
View file
Expand Up @@ -165,16 +165,20 @@ protected static function getConfig(string $stored): SymmetricConfig
/** @var string $decoded */
$decoded = Base64UrlSafe::decode($stored);
if (!\is_string($decoded)) {
// @codeCoverageIgnoreStart
\sodium_memzero($stored);
throw new InvalidMessage('Invalid encoding');
// @codeCoverageIgnoreEnd
}
return SymmetricConfig::getConfig(
$decoded,
'encrypt'
);
}
// @codeCoverageIgnoreStart
$v = Hex::decode(Binary::safeSubstr($stored, 0, 8));
return SymmetricConfig::getConfig($v, 'encrypt');
// @codeCoverageIgnoreEnd
}

/**
Expand Down
24 changes: 12 additions & 12 deletions src/Symmetric/Crypto.php
View file
Expand Up @@ -134,7 +134,7 @@ public static function decryptWithAd(
$decoder = Halite::chooseEncoder($encoding, true);
if (\is_callable($decoder)) {
// We were given encoded data:
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
try {
/** @var string $ciphertext */
$ciphertext = $decoder($ciphertext);
Expand All @@ -143,7 +143,7 @@ public static function decryptWithAd(
'Invalid character encoding'
);
}
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}
/** @var array $pieces */
$pieces = self::unpackMessageForDecryption($ciphertext);
Expand All @@ -160,13 +160,13 @@ public static function decryptWithAd(
/** @var string $auth */
$auth = $pieces[5];

// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
if (!($config instanceof Config)) {
throw new CannotPerformOperation(
'Config is not an instance of Config. This should not happen.'
);
}
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd

/* Split our key into two keys: One for encryption, the other for
authentication. By using separate keys, we can reasonably dismiss
Expand Down Expand Up @@ -209,11 +209,11 @@ public static function decryptWithAd(
(string) $encKey
);
if (!\is_string($plaintext)) {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidMessage(
'Invalid message'
);
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}
\sodium_memzero($encrypted);
\sodium_memzero($nonce);
Expand Down Expand Up @@ -273,14 +273,14 @@ public static function encryptWithAd(
$config = SymmetricConfig::getConfig(Halite::HALITE_VERSION, 'encrypt');

// Generate a nonce and HKDF salt:
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
try {
$nonce = \random_bytes(\SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$salt = \random_bytes((int) $config->HKDF_SALT_LEN);
} catch (\Throwable $ex) {
throw new CannotPerformOperation($ex->getMessage());
}
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd

/* Split our key into two keys: One for encryption, the other for
authentication. By using separate keys, we can reasonably dismiss
Expand Down Expand Up @@ -508,11 +508,11 @@ protected static function calculateMAC(
(int) $config->MAC_SIZE
);
}
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidMessage(
'Invalid Halite version'
);
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}

/**
Expand All @@ -535,11 +535,11 @@ protected static function verifyMAC(
SymmetricConfig $config
): bool {
if (Binary::safeStrlen($mac) !== $config->MAC_SIZE) {
// @codeCoverageIgnoreStart
// @codeCoverageIgnoreStart
throw new InvalidSignature(
'Argument 1: Message Authentication Code is not the correct length; is it encoded?'
);
// @codeCoverageIgnoreEnd
// @codeCoverageIgnoreEnd
}
if ($config->MAC_ALGO === 'BLAKE2b') {
$calc = \sodium_crypto_generichash(
Expand Down
2 changes: 2 additions & 0 deletions src/Util.php
View file
Expand Up @@ -138,11 +138,13 @@ public static function hkdfBlake2b(

// HKDF-Expand:
// This check is useless, but it serves as a reminder to the spec.
// @codeCoverageIgnoreStart
if (Binary::safeStrlen($prk) < \SODIUM_CRYPTO_GENERICHASH_KEYBYTES) {
throw new CannotPerformOperation(
'An unknown error has occurred'
);
}
// @codeCoverageIgnoreEnd
// T(0) = ''
$t = '';
$last_block = '';
Expand Down
19 changes: 18 additions & 1 deletion test/unit/KeyPairTest.php
View file
Expand Up @@ -173,10 +173,17 @@ public function testEncryptionKeyPair()
$this->fail('Two public keys was erroneously accepted');
} catch (\ParagonIE\Halite\Alerts\InvalidKey $ex) {
}
try {
new EncryptionKeyPair(
KeyFactory::generateEncryptionKey()
);
$this->fail('Symmetric key was erroneously accepted');
} catch (\ParagonIE\Halite\Alerts\InvalidKey $ex) {
}
try {
new EncryptionKeyPair(
$boxSecret,
KeyFactory::generateAuthenticationKey()
KeyFactory::generateEncryptionKey()
);
$this->fail('Symmetric key was erroneously accepted');
} catch (\ParagonIE\Halite\Alerts\InvalidKey $ex) {
Expand Down Expand Up @@ -312,6 +319,13 @@ public function testSignatureKeyPair()
$this->fail('Two public keys was erroneously accepted');
} catch (\ParagonIE\Halite\Alerts\InvalidKey $ex) {
}
try {
new SignatureKeyPair(
KeyFactory::generateAuthenticationKey()
);
$this->fail('Symmetric key was erroneously accepted');
} catch (\ParagonIE\Halite\Alerts\InvalidKey $ex) {
}
try {
new SignatureKeyPair(
$signSecret,
Expand Down Expand Up @@ -342,6 +356,9 @@ public function testSignatureKeyPair()

/**
* @throws TypeError
* @throws \ParagonIE\Halite\Alerts\CannotPerformOperation
* @throws \ParagonIE\Halite\Alerts\InvalidKey
* @throws \ParagonIE\Halite\Alerts\InvalidType
*/
public function testPublicDerivation()
{
Expand Down

0 comments on commit bc1ae5f

Please sign in to comment.