-
Notifications
You must be signed in to change notification settings - Fork 3.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: crypto/xsalsa20symmetric: remove dependency on tendermint core (…
…#11027) The xsalsa20symmetric package is otherwise unused in Tendermint Core. Move the dependency to a subpackage of crypto and update the imports. No functional changes.
- Loading branch information
1 parent
5622115
commit d9033e0
Showing
4 changed files
with
111 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
package xsalsa20symmetric | ||
|
||
import ( | ||
"crypto/rand" | ||
"errors" | ||
"fmt" | ||
|
||
"golang.org/x/crypto/nacl/secretbox" | ||
) | ||
|
||
// TODO, make this into a struct that implements crypto.Symmetric. | ||
|
||
const nonceLen = 24 | ||
const secretLen = 32 | ||
|
||
// secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase)) | ||
// The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext. | ||
func EncryptSymmetric(plaintext []byte, secret []byte) (ciphertext []byte) { | ||
if len(secret) != secretLen { | ||
panic(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret))) | ||
} | ||
nonce := randBytes(nonceLen) | ||
nonceArr := [nonceLen]byte{} | ||
copy(nonceArr[:], nonce) | ||
secretArr := [secretLen]byte{} | ||
copy(secretArr[:], secret) | ||
ciphertext = make([]byte, nonceLen+secretbox.Overhead+len(plaintext)) | ||
copy(ciphertext, nonce) | ||
secretbox.Seal(ciphertext[nonceLen:nonceLen], plaintext, &nonceArr, &secretArr) | ||
return ciphertext | ||
} | ||
|
||
// secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase)) | ||
// The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext. | ||
func DecryptSymmetric(ciphertext []byte, secret []byte) (plaintext []byte, err error) { | ||
if len(secret) != secretLen { | ||
panic(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret))) | ||
} | ||
if len(ciphertext) <= secretbox.Overhead+nonceLen { | ||
return nil, errors.New("ciphertext is too short") | ||
} | ||
nonce := ciphertext[:nonceLen] | ||
nonceArr := [nonceLen]byte{} | ||
copy(nonceArr[:], nonce) | ||
secretArr := [secretLen]byte{} | ||
copy(secretArr[:], secret) | ||
plaintext = make([]byte, len(ciphertext)-nonceLen-secretbox.Overhead) | ||
_, ok := secretbox.Open(plaintext[:0], ciphertext[nonceLen:], &nonceArr, &secretArr) | ||
if !ok { | ||
return nil, errors.New("ciphertext decryption failed") | ||
} | ||
return plaintext, nil | ||
} | ||
|
||
// This only uses the OS's randomness | ||
func randBytes(numBytes int) []byte { | ||
b := make([]byte, numBytes) | ||
_, err := rand.Read(b) | ||
if err != nil { | ||
panic(err) | ||
} | ||
return b | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
package xsalsa20symmetric | ||
|
||
import ( | ||
"crypto/sha256" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
|
||
"golang.org/x/crypto/bcrypt" | ||
) | ||
|
||
func TestSimple(t *testing.T) { | ||
|
||
plaintext := []byte("sometext") | ||
secret := []byte("somesecretoflengththirtytwo===32") | ||
ciphertext := EncryptSymmetric(plaintext, secret) | ||
plaintext2, err := DecryptSymmetric(ciphertext, secret) | ||
|
||
require.NoError(t, err, "%+v", err) | ||
assert.Equal(t, plaintext, plaintext2) | ||
} | ||
|
||
func TestSimpleWithKDF(t *testing.T) { | ||
|
||
plaintext := []byte("sometext") | ||
secretPass := []byte("somesecret") | ||
secret, err := bcrypt.GenerateFromPassword(secretPass, 12) | ||
if err != nil { | ||
t.Error(err) | ||
} | ||
secret = sha256Sum(secret) | ||
|
||
ciphertext := EncryptSymmetric(plaintext, secret) | ||
plaintext2, err := DecryptSymmetric(ciphertext, secret) | ||
|
||
require.NoError(t, err, "%+v", err) | ||
assert.Equal(t, plaintext, plaintext2) | ||
} | ||
|
||
func sha256Sum(bytes []byte) []byte { | ||
hasher := sha256.New() | ||
hasher.Write(bytes) | ||
return hasher.Sum(nil) | ||
} |