forked from TrueCloudLab/restic
87 lines
1.6 KiB
Go
87 lines
1.6 KiB
Go
package crypto
|
|
|
|
import (
|
|
"bytes"
|
|
"errors"
|
|
"io"
|
|
)
|
|
|
|
type decryptReader struct {
|
|
buf []byte
|
|
rd *bytes.Reader
|
|
}
|
|
|
|
func (d *decryptReader) Read(dst []byte) (n int, err error) {
|
|
if d.buf == nil {
|
|
return 0, io.EOF
|
|
}
|
|
|
|
n, err = d.rd.Read(dst)
|
|
if err == io.EOF {
|
|
d.free()
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (d *decryptReader) free() {
|
|
freeBuffer(d.buf)
|
|
d.buf = nil
|
|
}
|
|
|
|
func (d *decryptReader) Close() error {
|
|
if d.buf == nil {
|
|
return nil
|
|
}
|
|
|
|
d.free()
|
|
return nil
|
|
}
|
|
|
|
func (d *decryptReader) ReadByte() (c byte, err error) {
|
|
if d.buf == nil {
|
|
return 0, io.EOF
|
|
}
|
|
|
|
c, err = d.rd.ReadByte()
|
|
if err == io.EOF {
|
|
d.free()
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (d *decryptReader) WriteTo(w io.Writer) (n int64, err error) {
|
|
if d.buf == nil {
|
|
return 0, errors.New("WriteTo() called on drained reader")
|
|
}
|
|
|
|
n, err = d.rd.WriteTo(w)
|
|
d.free()
|
|
|
|
return
|
|
}
|
|
|
|
// DecryptFrom verifies and decrypts the ciphertext read from rd with ks and
|
|
// makes it available on the returned Reader. Ciphertext must be in the form IV
|
|
// || Ciphertext || MAC. In order to correctly verify the ciphertext, rd is
|
|
// drained, locally buffered and made available on the returned Reader
|
|
// afterwards. If a MAC verification failure is observed, it is returned
|
|
// immediately.
|
|
func DecryptFrom(ks *Key, rd io.Reader) (io.ReadCloser, error) {
|
|
buf := bytes.NewBuffer(getBuffer()[:0])
|
|
_, err := buf.ReadFrom(rd)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ciphertext := buf.Bytes()
|
|
|
|
// decrypt
|
|
ciphertext, err = Decrypt(ks, ciphertext, ciphertext)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &decryptReader{buf: ciphertext, rd: bytes.NewReader(ciphertext)}, nil
|
|
}
|