Merge branch 'feat/encrypt_padding' into 'master'

Feat/encrypt padding

See merge request TankerHQ/sdk-python!239

Author: JMounier

cffi_defs.h

@@ -353,6 +353,7 @@ struct tanker_encrypt_options
   char const* const* share_with_groups;
   uint32_t nb_groups;
   bool share_with_self;
+  uint32_t padding_step;
 };
 
 struct tanker_sharing_options
@@ -420,7 +421,7 @@ tanker_future_t* tanker_set_verification_method(
 
 tanker_future_t* tanker_get_verification_methods(tanker_t* session);
 
-uint64_t tanker_encrypted_size(uint64_t clear_size);
+uint64_t tanker_encrypted_size(uint64_t clear_size, uint32_t padding_step);
 
 tanker_expected_t* tanker_decrypted_size(uint8_t const* encrypted_data,
                                          uint64_t encrypted_size);
@@ -516,7 +517,8 @@ tanker_future_t* tanker_encryption_session_open(
 tanker_future_t* tanker_encryption_session_close(
     tanker_encryption_session_t* session);
 
-uint64_t tanker_encryption_session_encrypted_size(uint64_t clear_size);
+uint64_t tanker_encryption_session_encrypted_size(
+    tanker_encryption_session_t* session, uint64_t clear_size);
 
 tanker_expected_t* tanker_encryption_session_get_resource_id(
     tanker_encryption_session_t* session);

run-ci.py

@@ -116,7 +116,10 @@ def deploy() -> None:
     env["TWINE_USERNAME"] = env["GITLAB_USERNAME"]
 
     wheels_path = Path.cwd() / "dist"
-    for wheel in wheels_path.glob("tankersdk-*.whl"):
+    wheels = list(wheels_path.glob("tankersdk-*.whl"))
+    if len(wheels) == 0:
+        raise Exception("no wheel found")
+    for wheel in wheels:
         # fmt: off
         tankerci.run(
             "poetry", "run",

tankersdk/__init__.py

@@ -18,6 +18,7 @@
     EncryptionOptions,
     OidcIdTokenVerification,
     OidcIdTokenVerificationMethod,
+    Padding,
     PassphraseVerification,
     PassphraseVerificationMethod,
     PhoneNumberVerification,

tankersdk/tanker.py

@@ -2,14 +2,15 @@
 import os
 import warnings
 import weakref
-from enum import Enum
-from typing import Any, List, Optional, cast
+from enum import Enum, IntEnum
+from typing import Any, List, Optional, Union, cast
 
 import typing_extensions
 from _tanker import ffi
 from _tanker import lib as tankerlib
 
 from .error import Error as TankerError
+from .error import InvalidArgument
 from .ffi_helpers import CCharList, CData, FFIHelpers, OptionalStrList
 from .version import __version__
 
@@ -44,6 +45,13 @@ class Status(Enum):
     IDENTITY_VERIFICATION_NEEDED = 3
 
 
+class Padding(IntEnum):
+    """Special constants for the padding_step encryption option"""
+
+    AUTO = 0
+    OFF = 1
+
+
 class VerificationMethodType(Enum):
     """Types of available methods for identity verification"""
 
@@ -240,11 +248,24 @@ def __init__(
         share_with_users: Optional[List[str]] = None,
         share_with_groups: Optional[List[str]] = None,
         share_with_self: bool = True,
+        padding_step: Optional[Union[int, Padding]] = None,
     ):
         self.share_with_users = share_with_users
         self.share_with_groups = share_with_groups
         self.share_with_self = share_with_self
 
+        if not (
+            padding_step is None
+            or type(padding_step) is Padding  # noqa: W503
+            or (padding_step >= 2 and type(padding_step) is int)  # noqa: W503
+        ):
+            raise InvalidArgument(
+                f"Invalid padding step. Got: `{padding_step}`, use "
+                + "Padding.{OFF|AUTO} or an integer >= 2 instead."  # noqa: W503
+            )
+
+        self.padding_step = padding_step
+
 
 class CEncryptionOptions:
     """Wraps the tanker_encrypt_options_t C type"""
@@ -255,19 +276,22 @@ def __init__(
         share_with_users: OptionalStrList = None,
         share_with_groups: OptionalStrList = None,
         share_with_self: bool = True,
+        padding_step: Optional[int] = None,
     ) -> None:
         self.user_list = CCharList(share_with_users, ffi, tankerlib)
         self.group_list = CCharList(share_with_groups, ffi, tankerlib)
+        self.padding_step = ffi.cast("uint32_t", padding_step or Padding.AUTO)
 
         self._c_data = ffi.new(
             "tanker_encrypt_options_t *",
             {
-                "version": 3,
+                "version": 4,
                 "share_with_users": self.user_list.data,
                 "nb_users": self.user_list.size,
                 "share_with_groups": self.group_list.data,
                 "nb_groups": self.group_list.size,
                 "share_with_self": share_with_self,
+                "padding_step": self.padding_step,
             },
         )
 
@@ -554,7 +578,9 @@ async def encrypt(self, clear_data: bytes) -> bytes:
         """Encrypt `clear_data` with the session"""
         c_clear_buffer = ffihelpers.bytes_to_c_buffer(clear_data)  # type: CData
         clear_size = len(c_clear_buffer)
-        size = tankerlib.tanker_encryption_session_encrypted_size(clear_size)
+        size = tankerlib.tanker_encryption_session_encrypted_size(
+            self.c_session, clear_size
+        )
         c_encrypted_buffer = ffi.new("uint8_t[%i]" % size)
         c_future = tankerlib.tanker_encryption_session_encrypt(
             self.c_session, c_encrypted_buffer, c_clear_buffer, clear_size
@@ -785,12 +811,15 @@ async def encrypt(
                 share_with_users=options.share_with_users,
                 share_with_groups=options.share_with_groups,
                 share_with_self=options.share_with_self,
+                padding_step=options.padding_step,
             )
         else:
             c_encrypt_options = CEncryptionOptions()
         c_clear_buffer = ffihelpers.bytes_to_c_buffer(clear_data)  # type: CData
         clear_size = len(c_clear_buffer)
-        size = tankerlib.tanker_encrypted_size(clear_size)
+        size = tankerlib.tanker_encrypted_size(
+            clear_size, c_encrypt_options.padding_step
+        )
         c_encrypted_buffer = ffi.new("uint8_t[%i]" % size)
         c_future = tankerlib.tanker_encrypt(
             self.c_tanker,
@@ -835,6 +864,7 @@ async def encrypt_stream(
                 share_with_users=options.share_with_users,
                 share_with_groups=options.share_with_groups,
                 share_with_self=options.share_with_self,
+                padding_step=options.padding_step,
             )
         else:
             c_encrypt_options = CEncryptionOptions()
@@ -1085,6 +1115,7 @@ async def create_encryption_session(
                 share_with_users=options.share_with_users,
                 share_with_groups=options.share_with_groups,
                 share_with_self=options.share_with_self,
+                padding_step=options.padding_step,
             )
         else:
             c_encrypt_options = CEncryptionOptions()

test/test_tanker.py

@@ -21,6 +21,7 @@
     EmailVerificationMethod,
     EncryptionOptions,
     OidcIdTokenVerification,
+    Padding,
     PassphraseVerification,
     PhoneNumberVerification,
     PhoneNumberVerificationMethod,
@@ -405,6 +406,23 @@ async def test_empty_message(self, tmp_path: Path, app: Dict[str, str]) -> None:
             assert len(result) == 0
         await alice.session.stop()
 
+    @pytest.mark.asyncio
+    async def test_encrypt_with_padding(
+        self, tmp_path: Path, app: Dict[str, str]
+    ) -> None:
+        alice = await create_user_session(tmp_path, app)
+        chunk_size = 1024**2
+        message = bytearray(
+            3 * chunk_size + 2
+        )  # three big chunks plus a little something
+        input_stream = InMemoryAsyncStream(message)
+        async with await alice.session.encrypt_stream(
+            input_stream, EncryptionOptions(padding_step=500)
+        ) as encrypted_stream:
+            encrypted_message = await encrypted_stream.read()
+        assert len(encrypted_message) == 3146248
+        await alice.session.stop()
+
 
 @pytest.mark.asyncio
 async def test_encrypt_decrypt(tmp_path: Path, app: Dict[str, str]) -> None:
@@ -426,6 +444,79 @@ async def test_encrypt_decrypt_empty(tmp_path: Path, app: Dict[str, str]) -> Non
     await alice.session.stop()
 
 
+SIMPLE_ENCRYPTION_OVERHEAD = 17
+
+
+SIMPLE_PADDED_ENCRYPTION_OVERHEAD = SIMPLE_ENCRYPTION_OVERHEAD + 1
+
+
+@pytest.mark.asyncio
+async def test_auto_padding_is_default(tmp_path: Path, app: Dict[str, str]) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"my clear data is clear!"
+    length_with_padme = 24
+    encrypted_data = await alice.session.encrypt(message)
+    assert len(encrypted_data) - SIMPLE_PADDED_ENCRYPTION_OVERHEAD == length_with_padme
+    clear_data = await alice.session.decrypt(encrypted_data)
+    assert clear_data == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_padding_opt_auto(tmp_path: Path, app: Dict[str, str]) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"my clear data is clear!"
+    length_with_padme = 24
+    encrypted_data = await alice.session.encrypt(
+        message, EncryptionOptions(padding_step=Padding.AUTO)
+    )
+    assert len(encrypted_data) - SIMPLE_PADDED_ENCRYPTION_OVERHEAD == length_with_padme
+    clear_data = await alice.session.decrypt(encrypted_data)
+    assert clear_data == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_padding_opt_disable(tmp_path: Path, app: Dict[str, str]) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"I love you"
+    encrypted_data = await alice.session.encrypt(
+        message, EncryptionOptions(padding_step=Padding.OFF)
+    )
+    assert len(encrypted_data) == len(message) + SIMPLE_ENCRYPTION_OVERHEAD
+    clear_data = await alice.session.decrypt(encrypted_data)
+    assert clear_data == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_padding_opt_enable(tmp_path: Path, app: Dict[str, str]) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"I love you"
+    step = 13
+    encrypted_data = await alice.session.encrypt(
+        message, EncryptionOptions(padding_step=step)
+    )
+    assert (len(encrypted_data) - SIMPLE_PADDED_ENCRYPTION_OVERHEAD) % step == 0
+    clear_data = await alice.session.decrypt(encrypted_data)
+    assert clear_data == message
+    await alice.session.stop()
+
+
+def test_padding_opt_error(tmp_path: Path, app: Dict[str, str]) -> None:
+    with pytest.raises(error.InvalidArgument):
+        EncryptionOptions(padding_step=0)
+
+    with pytest.raises(error.InvalidArgument):
+        EncryptionOptions(padding_step=1)
+
+    with pytest.raises(error.InvalidArgument):
+        EncryptionOptions(padding_step=-1)
+
+    with pytest.raises(error.InvalidArgument):
+        EncryptionOptions(padding_step=2.42)  # type: ignore
+
+
 @pytest.mark.asyncio
 async def test_share_during_encrypt(tmp_path: Path, app: Dict[str, str]) -> None:
     alice = await create_user_session(tmp_path, app)
@@ -593,6 +684,81 @@ async def test_share_with_encryption_session_without_self(
     await bob.session.stop()
 
 
+ENCRYPTION_SESSION_OVERHEAD = 57
+
+
+ENCRYPTION_SESSION_PADDED_OVERHEAD = ENCRYPTION_SESSION_OVERHEAD + 1
+
+
+@pytest.mark.asyncio
+async def test_encryption_session_auto_padding_by_default(
+    tmp_path: Path, app: Dict[str, str]
+) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"my clear data is clear!"
+    length_with_padme = 24
+    enc_session = await alice.session.create_encryption_session()
+    encrypted = await enc_session.encrypt(message)
+    assert len(encrypted) - ENCRYPTION_SESSION_PADDED_OVERHEAD == length_with_padme
+
+    decrypted = await alice.session.decrypt(encrypted)
+    assert decrypted == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_encryption_session_auto_padding(
+    tmp_path: Path, app: Dict[str, str]
+) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"my clear data is clear!"
+    length_with_padme = 24
+    enc_session = await alice.session.create_encryption_session(
+        EncryptionOptions(padding_step=Padding.AUTO)
+    )
+    encrypted = await enc_session.encrypt(message)
+    assert len(encrypted) - ENCRYPTION_SESSION_PADDED_OVERHEAD == length_with_padme
+
+    decrypted = await alice.session.decrypt(encrypted)
+    assert decrypted == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_encryption_session_no_padding(
+    tmp_path: Path, app: Dict[str, str]
+) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"Ceci n'est pas un test"
+    enc_session = await alice.session.create_encryption_session(
+        EncryptionOptions(padding_step=Padding.OFF)
+    )
+    encrypted = await enc_session.encrypt(message)
+    assert len(encrypted) - ENCRYPTION_SESSION_OVERHEAD == len(message)
+
+    decrypted = await alice.session.decrypt(encrypted)
+    assert decrypted == message
+    await alice.session.stop()
+
+
+@pytest.mark.asyncio
+async def test_encryption_session_padding_step(
+    tmp_path: Path, app: Dict[str, str]
+) -> None:
+    alice = await create_user_session(tmp_path, app)
+    message = b"Ceci n'est pas un test"
+    step = 13
+    enc_session = await alice.session.create_encryption_session(
+        EncryptionOptions(padding_step=step)
+    )
+    encrypted = await enc_session.encrypt(message)
+    assert (len(encrypted) - ENCRYPTION_SESSION_PADDED_OVERHEAD) % step == 0
+
+    decrypted = await alice.session.decrypt(encrypted)
+    assert decrypted == message
+    await alice.session.stop()
+
+
 @pytest.mark.asyncio
 async def test_encryption_session_streams(tmp_path: Path, app: Dict[str, str]) -> None:
     alice = await create_user_session(tmp_path, app)