Commit 38d25f92 authored by Sietse Ringers's avatar Sietse Ringers

docs: replace 'packet' with 'user secrets' in comments

parent 5149f71f
...@@ -83,14 +83,14 @@ func GenerateDecryptionKey() (AESKey, error) { ...@@ -83,14 +83,14 @@ func GenerateDecryptionKey() (AESKey, error) {
} }
// DangerousAddDecryptionKey adds an AES key for decryption, with identifier keyID. // DangerousAddDecryptionKey adds an AES key for decryption, with identifier keyID.
// Calling this will cause all keyshare packets generated with the key to be trusted. // Calling this will cause all keyshare secrets generated with the key to be trusted.
func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey) { func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey) {
c.decryptionKeys[keyID] = key c.decryptionKeys[keyID] = key
} }
// Set the aes key for encrypting new/changed keyshare data // Set the aes key for encrypting new/changed keyshare data
// with identifier keyid // with identifier keyid
// Calling this will also cause all keyshare packets generated with the key to be trusted // Calling this will also cause all keyshare user secrets generated with the key to be trusted
func (c *Core) setDecryptionKey(keyID uint32, key AESKey) { func (c *Core) setDecryptionKey(keyID uint32, key AESKey) {
c.decryptionKeys[keyID] = key c.decryptionKeys[keyID] = key
c.decryptionKey = key c.decryptionKey = key
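Review bot: The reworded comments on the two key-setting functions disagree on the term: DangerousAddDecryptionKey now says `keyshare secrets` while setDecryptionKey says `keyshare user secrets`; using `user secrets` in both would match the UserSecrets type named in the other hunks. As the comment on DangerousAddDecryptionKey is the warning a caller reads, it could also state what `c.decryptionKeys[keyID] = key` does when the identifier is already registered, for example `// An existing key with the same keyID is replaced.` The comment on setDecryptionKey does not start with the function name; `// setDecryptionKey sets the AES key, with identifier keyID, used for encrypting new/changed keyshare data.` would follow Go doc convention. The body of setDecryptionKey continues outside the hunk.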
......
...@@ -43,7 +43,7 @@ func (c *Core) NewUserSecrets(pinRaw string) (UserSecrets, error) { ...@@ -43,7 +43,7 @@ func (c *Core) NewUserSecrets(pinRaw string) (UserSecrets, error) {
return UserSecrets{}, err return UserSecrets{}, err
} }
// Build unencrypted packet // Build unencrypted secrets
var s unencryptedUserSecrets var s unencryptedUserSecrets
s.setPin(pin) s.setPin(pin)
err = s.setKeyshareSecret(secret) err = s.setKeyshareSecret(secret)
...@@ -78,13 +78,13 @@ func (c *Core) ValidatePin(secrets UserSecrets, pin string) (string, error) { ...@@ -78,13 +78,13 @@ func (c *Core) ValidatePin(secrets UserSecrets, pin string) (string, error) {
} }
// ValidateJWT checks whether the given JWT is currently valid as an access token for operations // ValidateJWT checks whether the given JWT is currently valid as an access token for operations
// on the provided encrypted keyshare packet. // on the provided encrypted keyshare user secrets.
func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error { func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error {
_, err := c.verifyAccess(secrets, jwt) _, err := c.verifyAccess(secrets, jwt)
return err return err
} }
// ChangePin changes the pin in an encrypted keyshare packet to a new value, after validating that // ChangePin changes the pin in an encrypted keyshare user secret to a new value, after validating that
// the old value is known by the caller. // the old value is known by the caller.
func (c *Core) ChangePin(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error) { func (c *Core) ChangePin(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error) {
s, err := c.decryptUserSecretsIfPinOK(secrets, oldpinRaw) s, err := c.decryptUserSecretsIfPinOK(secrets, oldpinRaw)
...@@ -108,7 +108,7 @@ func (c *Core) ChangePin(secrets UserSecrets, oldpinRaw, newpinRaw string) (User ...@@ -108,7 +108,7 @@ func (c *Core) ChangePin(secrets UserSecrets, oldpinRaw, newpinRaw string) (User
return c.encryptUserSecrets(s) return c.encryptUserSecrets(s)
} }
// verifyAccess checks that a given access jwt is valid, and if so, return decrypted keyshare packet. // verifyAccess checks that a given access jwt is valid, and if so, return decrypted keyshare user secrets.
// Note: Although this is an internal function, it is tested directly // Note: Although this is an internal function, it is tested directly
func (c *Core) verifyAccess(secrets UserSecrets, jwtToken string) (unencryptedUserSecrets, error) { func (c *Core) verifyAccess(secrets UserSecrets, jwtToken string) (unencryptedUserSecrets, error) {
// Verify token validity // Verify token validity
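Review bot: The new ChangePin comment says `an encrypted keyshare user secret` (singular), whereas the neighbouring comments and the parameter type UserSecrets use the plural; `// ChangePin changes the pin in encrypted keyshare user secrets to a new value, after validating that` keeps the term uniform. In the verifyAccess comment, `return decrypted keyshare user secrets` would read better as `returns the decrypted keyshare user secrets`. The bodies of ChangePin and verifyAccess extend beyond the visible hunks.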
......
...@@ -14,8 +14,8 @@ import ( ...@@ -14,8 +14,8 @@ import (
type ( type (
// Contains pin (bytes 0-63), secret (bytes 64-127), and identifier (bytes 128-159) // Contains pin (bytes 0-63), secret (bytes 64-127), and identifier (bytes 128-159)
// The binary structure of this packet can have security implications through its interaction with the // The binary structure of this data structure can have security implications through its interaction
// encryption layer applied before storing it. As such, we keep it here more explicit than // with the encryption layer applied before storing it. As such, we keep it here more explicit than
// is standard in go. When modifying this structure, analyse whether such changes can have a // is standard in go. When modifying this structure, analyse whether such changes can have a
// security impact through error side channels. // security impact through error side channels.
unencryptedUserSecrets [64 + 64 + 32]byte unencryptedUserSecrets [64 + 64 + 32]byte
...@@ -86,7 +86,7 @@ func (c *Core) encryptUserSecrets(secrets unencryptedUserSecrets) (UserSecrets, ...@@ -86,7 +86,7 @@ func (c *Core) encryptUserSecrets(secrets unencryptedUserSecrets) (UserSecrets,
return UserSecrets{}, err return UserSecrets{}, err
} }
// Encrypt packet // Encrypt secrets
gcm, err := newGCM(c.decryptionKey) gcm, err := newGCM(c.decryptionKey)
if err != nil { if err != nil {
return UserSecrets{}, err return UserSecrets{}, err
...@@ -106,7 +106,7 @@ func (c *Core) decryptUserSecrets(secrets UserSecrets) (unencryptedUserSecrets, ...@@ -106,7 +106,7 @@ func (c *Core) decryptUserSecrets(secrets UserSecrets) (unencryptedUserSecrets,
return unencryptedUserSecrets{}, ErrNoSuchKey return unencryptedUserSecrets{}, ErrNoSuchKey
} }
// try and decrypt packet // try and decrypt secrets
gcm, err := newGCM(key) gcm, err := newGCM(key)
if err != nil { if err != nil {
return unencryptedUserSecrets{}, err return unencryptedUserSecrets{}, err
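Review bot: The replacement text on unencryptedUserSecrets now reads `The binary structure of this data structure`, which repeats itself; `// The binary layout of this type can have security implications through its interaction` says the same thing without the repetition. The type comment also does not begin with the type name; `// unencryptedUserSecrets contains pin (bytes 0-63), secret (bytes 64-127), and identifier (bytes 128-159).` would follow Go doc convention. In encryptUserSecrets, `// Encrypt secrets` sits directly above `newGCM(c.decryptionKey)`, so a short remark that the field named decryptionKey is also the key used for encryption (presumably because the cipher is symmetric) would help readers; that function's body continues outside the hunk.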
......
...@@ -43,7 +43,7 @@ type Configuration struct { ...@@ -43,7 +43,7 @@ type Configuration struct {
JwtPinExpiry int `json:"jwt_pin_expiry" mapstructure:"jwt_pin_expiry"` JwtPinExpiry int `json:"jwt_pin_expiry" mapstructure:"jwt_pin_expiry"`
JwtPrivateKey string `json:"jwt_privkey" mapstructure:"jwt_privkey"` JwtPrivateKey string `json:"jwt_privkey" mapstructure:"jwt_privkey"`
JwtPrivateKeyFile string `json:"jwt_privkey_file" mapstructure:"jwt_privkey_file"` JwtPrivateKeyFile string `json:"jwt_privkey_file" mapstructure:"jwt_privkey_file"`
// Decryption keys used for keyshare packets // Decryption keys used for user secrets
StorageFallbackKeyFiles []string `json:"storage_fallback_key_files" mapstructure:"storage_fallback_key_files"` StorageFallbackKeyFiles []string `json:"storage_fallback_key_files" mapstructure:"storage_fallback_key_files"`
StoragePrimaryKeyFile string `json:"storage_primary_key_file" mapstructure:"storage_primary_key_file"` StoragePrimaryKeyFile string `json:"storage_primary_key_file" mapstructure:"storage_primary_key_file"`
......