Remove dead code (encryption functions in crypto.py, all of binary.py)

Author: prandla

cms/server/admin/authentication.py

@@ -25,7 +25,6 @@
 from werkzeug.wrappers import Request, Response
 
 from cms import config
-from cmscommon.binary import hex_to_bin
 from cmscommon.datetime import make_timestamp
 
 
@@ -130,7 +129,7 @@ def wsgi_app(self, environ: dict, start_response: Callable):
         self._local.request = Request(environ)
         self._local.cookie = JSONSecureCookie.load_cookie(
             self._request, AWSAuthMiddleware.COOKIE,
-            hex_to_bin(config.web_server.secret_key))
+            bytes.fromhex(config.web_server.secret_key))
         self._verify_cookie()
 
         def my_start_response(status, headers, exc_info=None):

cms/server/admin/server.py

@@ -34,7 +34,6 @@
 from cms.db import SessionGen, Dataset, Submission, SubmissionResult, Task
 from cms.io import WebService, rpc_method
 from cms.service import EvaluationService
-from cmscommon.binary import hex_to_bin
 from .authentication import AWSAuthMiddleware
 from .handlers import HANDLERS
 from .jinja2_toolbox import AWS_ENVIRONMENT
@@ -52,7 +51,7 @@ def __init__(self, shard: int):
         parameters = {
             "static_files": [("cms.server", "static"),
                              ("cms.server.admin", "static")],
-            "cookie_secret": hex_to_bin(config.web_server.secret_key),
+            "cookie_secret": bytes.fromhex(config.web_server.secret_key),
             "debug": config.web_server.tornado_debug,
             "num_proxies_used": config.admin_web_server.num_proxies_used,
             "auth_middleware": AWSAuthMiddleware,

cms/server/contest/server.py

@@ -46,7 +46,6 @@
 from cms.io import WebService
 from cms.locale import get_translations
 from cms.server.contest.jinja2_toolbox import CWS_ENVIRONMENT
-from cmscommon.binary import hex_to_bin
 from .handlers import HANDLERS
 from .handlers.base import ContestListHandler
 from .handlers.main import MainHandler
@@ -66,7 +65,7 @@ def __init__(self, shard: int, contest_id: int | None = None):
         parameters = {
             "static_files": [("cms.server", "static"),
                              ("cms.server.contest", "static")],
-            "cookie_secret": hex_to_bin(config.web_server.secret_key),
+            "cookie_secret": bytes.fromhex(config.web_server.secret_key),
             "debug": config.web_server.tornado_debug,
             "is_proxy_used": None,
             "num_proxies_used": config.contest_web_server.num_proxies_used,

cmscommon/binary.py

@@ -22,33 +22,23 @@
 
 """Utilities dealing with encryption and randomness."""
 
-import binascii
 import hmac
-import random
+import secrets
 from string import ascii_lowercase
 
 import bcrypt
-from Cryptodome import Random
-from Cryptodome.Cipher import AES
-
-from cmscommon.binary import bin_to_hex, hex_to_bin, bin_to_b64, b64_to_bin
 
 
 __all__ = [
     "get_random_key", "get_hex_random_key",
 
-    "encrypt_binary", "decrypt_binary",
-    "encrypt_number", "decrypt_number",
-
     "generate_random_password",
 
     "validate_password", "build_password", "hash_password",
     "parse_authentication",
     ]
 
 
-_RANDOM = Random.new()
-
 # bcrypt difficulty parameter. This is here so that it can be set to a lower
 # value when running unit tests. It seems that the lowest accepted value is 4.
 BCRYPT_ROUNDS = 12
@@ -57,96 +47,15 @@ def get_random_key() -> bytes:
     """Generate 16 random bytes, safe to be used as AES key.
 
     """
-    return _RANDOM.read(16)
+    return secrets.token_bytes(16)
 
 
 def get_hex_random_key() -> str:
     """Generate 16 random bytes, safe to be used as AES key.
     Return it encoded in hexadecimal.
 
     """
-    return bin_to_hex(get_random_key())
-
-
-def encrypt_binary(pt: bytes, key_hex: str) -> str:
-    """Encrypt the plaintext with the 16-bytes key.
-
-    A random salt is added to avoid having the same input being
-    encrypted to the same output.
-
-    pt: the "plaintext" to encode.
-    key_hex: a 16-bytes key in hex (a string of 32 hex chars).
-
-    return: pt encrypted using the key, in a format URL-safe
-        (more precisely, base64-encoded with alphabet "a-zA-Z0-9.-_").
-
-    """
-    key = hex_to_bin(key_hex)
-    # Pad the plaintext to make its length become a multiple of the block size
-    # (that is, for AES, 16 bytes), using a byte 0x01 followed by as many bytes
-    # 0x00 as needed. If the length of the message is already a multiple of 16
-    # bytes, add a new block.
-    pt_pad = pt + b'\01' + b'\00' * (16 - (len(pt) + 1) % 16)
-    # The IV is a random block used to differentiate messages encrypted with
-    # the same key. An IV should never be used more than once in the lifetime
-    # of the key. In this way encrypting the same plaintext twice will produce
-    # different ciphertexts.
-    iv = get_random_key()
-    # Initialize the AES cipher with the given key and IV.
-    aes = AES.new(key, AES.MODE_CBC, iv)
-    ct = aes.encrypt(pt_pad)
-    # Convert the ciphertext in a URL-safe base64 encoding
-    ct_b64 = bin_to_b64(iv + ct)\
-        .replace('+', '-').replace('/', '_').replace('=', '.')
-    return ct_b64
-
-
-def decrypt_binary(ct_b64: str, key_hex: str) -> bytes:
-    """Decrypt a ciphertext generated by encrypt_binary.
-
-    ct_b64: the ciphertext as produced by encrypt_binary.
-    key_hex: the 16-bytes key in hex format used to encrypt.
-
-    return: the plaintext.
-
-    raise (ValueError): if the ciphertext is invalid.
-
-    """
-    key = hex_to_bin(key_hex)
-    try:
-        # Convert the ciphertext from a URL-safe base64 encoding to a
-        # bytestring, which contains both the IV (the first 16 bytes) as well
-        # as the encrypted padded plaintext.
-        iv_ct = b64_to_bin(
-            ct_b64.replace('-', '+').replace('_', '/').replace('.', '='))
-        aes = AES.new(key, AES.MODE_CBC, iv_ct[:16])
-        # Get the padded plaintext.
-        pt_pad = aes.decrypt(iv_ct[16:])
-        # Remove the padding.
-        # TODO check that the padding is correct, i.e. that it contains at most
-        # 15 bytes 0x00 preceded by a byte 0x01.
-        pt = pt_pad.rstrip(b'\x00')[:-1]
-        return pt
-    except (TypeError, binascii.Error):
-        raise ValueError('Could not decode from base64.')
-    except ValueError:
-        raise ValueError('Wrong AES cryptogram length.')
-
-
-def encrypt_number(num: int, key_hex: str) -> str:
-    """Encrypt an integer number, with the same properties as
-    encrypt_binary().
-
-    """
-    hexnum = b"%x" % num
-    return encrypt_binary(hexnum, key_hex)
-
-
-def decrypt_number(enc: str, key_hex: str) -> int:
-    """Decrypt an integer number encrypted with encrypt_number().
-
-    """
-    return int(decrypt_binary(enc, key_hex), 16)
+    return get_random_key().hex()
 
 
 def generate_random_password() -> str:
@@ -155,7 +64,7 @@ def generate_random_password() -> str:
     return: a random string.
 
     """
-    return "".join((random.choice(ascii_lowercase) for _ in range(6)))
+    return "".join((secrets.choice(ascii_lowercase) for _ in range(6)))
 
 
 def parse_authentication(authentication: str) -> tuple[str, str]:

cmscommon/crypto.py

@@ -19,8 +19,6 @@
 import hashlib
 import io
 
-from cmscommon.binary import bin_to_hex
-
 
 __all__ = [
     "Digester", "bytes_digest", "path_digest"
@@ -39,7 +37,7 @@ def update(self, b: bytes):
 
     def digest(self) -> str:
         """Return the digest as an hex string."""
-        return bin_to_hex(self._hasher.digest())
+        return self._hasher.digest().hex()
 
 
 def bytes_digest(b: bytes) -> str: