verify HMAC-SHA256 signature and decrypt data with AES-CBC
(self, data)
| 2013 | return data + sig |
| 2014 | |
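def decrypt(self, data):
    """
    Verify the HMAC-SHA256 signature and decrypt data with AES-CBC.

    The input is treated as ``IV || ciphertext || signature``: the last
    ``SIG_SIZE`` bytes are the signature, and the MAC is computed over
    everything before it, IV included. The signature is checked before
    any decryption is attempted.

    :param data: the signed, encrypted message
    :return: the decrypted payload with its trailing padding stripped
    :raises AuthenticationError: if the signature does not match
    """
    aes_key, hmac_key = self.keys
    sig = data[-self.SIG_SIZE :]
    data = data[: -self.SIG_SIZE]
    # NOTE(review): only the payload is converted to bytes here; ``sig`` keeps
    # the type of the original input. A ``str`` input therefore reaches the
    # comparison below with a ``str`` signature and raises TypeError rather
    # than authenticating -- confirm callers always pass bytes.
    if not isinstance(data, bytes):
        data = salt.utils.stringutils.to_bytes(data)
    mac_bytes = hmac.new(hmac_key, data, hashlib.sha256).digest()
    # hmac.compare_digest is the standard library's constant-time comparison;
    # it replaces a hand-rolled XOR-accumulate loop. The explicit length test
    # is kept so a truncated signature still fails with AuthenticationError.
    if len(mac_bytes) != len(sig) or not hmac.compare_digest(mac_bytes, sig):
        log.debug("Failed to authenticate message")
        raise AuthenticationError("message authentication failed")
    # Only authenticated input gets this far: the IV and ciphertext are split
    # apart and handed to the cipher after the MAC check has passed, so the
    # CBC and padding code below never runs on a forged message.
    iv_bytes = data[: self.AES_BLOCK_SIZE]
    data = data[self.AES_BLOCK_SIZE :]
    cipher = Cipher(algorithms.AES(aes_key), modes.CBC(iv_bytes))
    decryptor = cipher.decryptor()
    data = decryptor.update(data) + decryptor.finalize()
    # The final plaintext byte is taken as the pad length and that many bytes
    # are dropped; the padding itself is not validated.
    # NOTE(review): a pad byte of 0 yields an empty result and an empty
    # plaintext raises IndexError -- presumably acceptable because the message
    # was authenticated above; confirm the encrypting side always pads.
    return data[: -data[-1]]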
| 2040 | |
| 2041 | def dumps(self, obj, nonce=None): |
| 2042 | """ |