-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
dhutil.go
161 lines (129 loc) · 4.15 KB
/
dhutil.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
package dhutil
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"errors"
"fmt"
"io"
"golang.org/x/crypto/hkdf"
"golang.org/x/crypto/curve25519"
)
type PublicKeyInfo struct {
Curve25519PublicKey []byte `json:"curve25519_public_key"`
}
type Envelope struct {
Curve25519PublicKey []byte `json:"curve25519_public_key"`
Nonce []byte `json:"nonce"`
EncryptedPayload []byte `json:"encrypted_payload"`
}
// generatePublicPrivateKey uses curve25519 to generate a public and private key
// pair.
func GeneratePublicPrivateKey() ([]byte, []byte, error) {
var scalar, public [32]byte
if _, err := io.ReadFull(rand.Reader, scalar[:]); err != nil {
return nil, nil, err
}
curve25519.ScalarBaseMult(&public, &scalar)
return public[:], scalar[:], nil
}
// GenerateSharedSecret uses the private key and the other party's public key to
// generate the shared secret.
func GenerateSharedSecret(ourPrivate, theirPublic []byte) ([]byte, error) {
if len(ourPrivate) != 32 {
return nil, fmt.Errorf("invalid private key length: %d", len(ourPrivate))
}
if len(theirPublic) != 32 {
return nil, fmt.Errorf("invalid public key length: %d", len(theirPublic))
}
return curve25519.X25519(ourPrivate, theirPublic)
}
// DeriveSharedKey uses HKDF to derive a key from a shared secret and public keys
func DeriveSharedKey(secret, ourPublic, theirPublic []byte) ([]byte, error) {
// Derive the final key from the HKDF of the secret and public keys.
/*
Internally, HKDF hashes the secret and two public keys. If Alice and Bob are doing DH key exchange, Alice calculates:
HKDF(secret, A, B) since ourPublic is A.
Bob calculates HKDF(secret, B, A), since Bob's ours is B. That produces a different value. Now we only care
that both public keys participate in the derivation, so simply sorting them so they are in a consistent
numerical order (either one would do) arrives at an agreed value.
*/
var pub1 []byte
var pub2 []byte
switch bytes.Compare(ourPublic, theirPublic) {
case 0:
return nil, errors.New("same public key supplied for both participants")
case -1:
pub1 = ourPublic
pub2 = theirPublic
case 1:
pub1 = theirPublic
pub2 = ourPublic
}
kio := hkdf.New(sha256.New, secret, pub1, pub2)
var key [32]byte
n, err := io.ReadFull(kio, key[:])
if err != nil {
// Don't return the key along with the error to prevent misuse
return nil, err
}
if n != 32 {
return nil, errors.New("short read from hkdf")
}
return key[:], nil
}
// Use AES256-GCM to encrypt some plaintext with a provided key. The returned values are
// the ciphertext, the nonce, and error respectively.
func EncryptAES(key, plaintext, aad []byte) ([]byte, []byte, error) {
// We enforce AES-256, so check explicitly for 32 bytes on the key
if len(key) != 32 {
return nil, nil, fmt.Errorf("invalid key length: %d", len(key))
}
if len(plaintext) == 0 {
return nil, nil, errors.New("empty plaintext provided")
}
block, err := aes.NewCipher(key)
if err != nil {
return nil, nil, err
}
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
nonce := make([]byte, 12)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return nil, nil, err
}
aesgcm, err := cipher.NewGCM(block)
if err != nil {
return nil, nil, err
}
ciphertext := aesgcm.Seal(nil, nonce, plaintext, aad)
return ciphertext, nonce, nil
}
// Use AES256-GCM to decrypt some ciphertext with a provided key and nonce. The
// returned values are the plaintext and error respectively.
func DecryptAES(key, ciphertext, nonce, aad []byte) ([]byte, error) {
// We enforce AES-256, so check explicitly for 32 bytes on the key
if len(key) != 32 {
return nil, fmt.Errorf("invalid key length: %d", len(key))
}
if len(ciphertext) == 0 {
return nil, errors.New("empty ciphertext provided")
}
if len(nonce) == 0 {
return nil, errors.New("empty nonce provided")
}
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
aesgcm, err := cipher.NewGCM(block)
if err != nil {
return nil, err
}
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, aad)
if err != nil {
return nil, err
}
return plaintext, nil
}