2017-01-12 15:47:46 +01:00
|
|
|
// Copyright (c) 2014-2017 The btcsuite developers
|
2015-12-01 19:44:58 +01:00
|
|
|
// Use of this source code is governed by an ISC
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
2014-08-08 22:43:50 +02:00
|
|
|
package snacl
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/rand"
|
2017-01-12 15:47:46 +01:00
|
|
|
"crypto/sha256"
|
2014-08-08 22:43:50 +02:00
|
|
|
"crypto/subtle"
|
|
|
|
"encoding/binary"
|
|
|
|
"errors"
|
|
|
|
"io"
|
2014-10-29 07:43:29 +01:00
|
|
|
"runtime/debug"
|
2014-08-08 22:43:50 +02:00
|
|
|
|
2018-05-15 07:11:11 +02:00
|
|
|
"github.com/btcsuite/btcwallet/internal/zero"
|
2015-03-04 04:13:05 +01:00
|
|
|
"github.com/btcsuite/golangcrypto/nacl/secretbox"
|
|
|
|
"github.com/btcsuite/golangcrypto/scrypt"
|
2014-08-08 22:43:50 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
prng = rand.Reader
|
|
|
|
)
|
|
|
|
|
2016-03-25 20:11:25 +01:00
|
|
|
// Error types and messages.
|
2014-08-08 22:43:50 +02:00
|
|
|
var (
|
|
|
|
ErrInvalidPassword = errors.New("invalid password")
|
|
|
|
ErrMalformed = errors.New("malformed data")
|
|
|
|
ErrDecryptFailed = errors.New("unable to decrypt")
|
|
|
|
)
|
|
|
|
|
2016-03-25 20:11:25 +01:00
|
|
|
// Various constants needed for encryption scheme.
|
2014-08-08 22:43:50 +02:00
|
|
|
const (
|
2014-06-13 19:14:44 +02:00
|
|
|
// Expose secretbox's Overhead const here for convenience.
|
|
|
|
Overhead = secretbox.Overhead
|
2014-08-08 22:43:50 +02:00
|
|
|
KeySize = 32
|
|
|
|
NonceSize = 24
|
|
|
|
DefaultN = 16384 // 2^14
|
|
|
|
DefaultR = 8
|
|
|
|
DefaultP = 1
|
|
|
|
)
|
|
|
|
|
|
|
|
// CryptoKey represents a secret key which can be used to encrypt and decrypt
|
|
|
|
// data.
|
|
|
|
type CryptoKey [KeySize]byte
|
|
|
|
|
|
|
|
// Encrypt encrypts the passed data.
|
|
|
|
func (ck *CryptoKey) Encrypt(in []byte) ([]byte, error) {
|
|
|
|
var nonce [NonceSize]byte
|
|
|
|
_, err := io.ReadFull(prng, nonce[:])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
blob := secretbox.Seal(nil, in, &nonce, (*[KeySize]byte)(ck))
|
|
|
|
return append(nonce[:], blob...), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt decrypts the passed data. The must be the output of the Encrypt
|
|
|
|
// function.
|
|
|
|
func (ck *CryptoKey) Decrypt(in []byte) ([]byte, error) {
|
|
|
|
if len(in) < NonceSize {
|
|
|
|
return nil, ErrMalformed
|
|
|
|
}
|
|
|
|
|
|
|
|
var nonce [NonceSize]byte
|
|
|
|
copy(nonce[:], in[:NonceSize])
|
|
|
|
blob := in[NonceSize:]
|
|
|
|
|
|
|
|
opened, ok := secretbox.Open(nil, blob, &nonce, (*[KeySize]byte)(ck))
|
|
|
|
if !ok {
|
|
|
|
return nil, ErrDecryptFailed
|
|
|
|
}
|
|
|
|
|
|
|
|
return opened, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Zero clears the key by manually zeroing all memory. This is for security
|
|
|
|
// conscience application which wish to zero the memory after they've used it
|
|
|
|
// rather than waiting until it's reclaimed by the garbage collector. The
|
|
|
|
// key is no longer usable after this call.
|
|
|
|
func (ck *CryptoKey) Zero() {
|
2015-02-04 02:42:40 +01:00
|
|
|
zero.Bytea32((*[KeySize]byte)(ck))
|
2014-08-08 22:43:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// GenerateCryptoKey generates a new crypotgraphically random key.
|
|
|
|
func GenerateCryptoKey() (*CryptoKey, error) {
|
|
|
|
var key CryptoKey
|
|
|
|
_, err := io.ReadFull(prng, key[:])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return &key, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parameters are not secret and can be stored in plain text.
|
|
|
|
type Parameters struct {
|
|
|
|
Salt [KeySize]byte
|
2017-01-12 15:47:46 +01:00
|
|
|
Digest [sha256.Size]byte
|
2014-08-08 22:43:50 +02:00
|
|
|
N int
|
|
|
|
R int
|
|
|
|
P int
|
|
|
|
}
|
|
|
|
|
|
|
|
// SecretKey houses a crypto key and the parameters needed to derive it from a
|
|
|
|
// passphrase. It should only be used in memory.
|
|
|
|
type SecretKey struct {
|
|
|
|
Key *CryptoKey
|
|
|
|
Parameters Parameters
|
|
|
|
}
|
|
|
|
|
|
|
|
// deriveKey fills out the Key field.
|
|
|
|
func (sk *SecretKey) deriveKey(password *[]byte) error {
|
|
|
|
key, err := scrypt.Key(*password, sk.Parameters.Salt[:],
|
|
|
|
sk.Parameters.N,
|
|
|
|
sk.Parameters.R,
|
|
|
|
sk.Parameters.P,
|
|
|
|
len(sk.Key))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
copy(sk.Key[:], key)
|
2015-02-04 02:42:40 +01:00
|
|
|
zero.Bytes(key)
|
2014-08-08 22:43:50 +02:00
|
|
|
|
2014-10-29 07:43:29 +01:00
|
|
|
// I'm not a fan of forced garbage collections, but scrypt allocates a
|
|
|
|
// ton of memory and calling it back to back without a GC cycle in
|
|
|
|
// between means you end up needing twice the amount of memory. For
|
|
|
|
// example, if your scrypt parameters are such that you require 1GB and
|
|
|
|
// you call it twice in a row, without this you end up allocating 2GB
|
|
|
|
// since the first GB probably hasn't been released yet.
|
|
|
|
debug.FreeOSMemory()
|
|
|
|
|
2014-08-08 22:43:50 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Marshal returns the Parameters field marshalled into a format suitable for
|
|
|
|
// storage. This result of this can be stored in clear text.
|
|
|
|
func (sk *SecretKey) Marshal() []byte {
|
|
|
|
params := &sk.Parameters
|
|
|
|
|
|
|
|
// The marshalled format for the the params is as follows:
|
|
|
|
// <salt><digest><N><R><P>
|
|
|
|
//
|
2017-01-12 15:47:46 +01:00
|
|
|
// KeySize + sha256.Size + N (8 bytes) + R (8 bytes) + P (8 bytes)
|
|
|
|
marshalled := make([]byte, KeySize+sha256.Size+24)
|
2014-08-08 22:43:50 +02:00
|
|
|
|
|
|
|
b := marshalled
|
|
|
|
copy(b[:KeySize], params.Salt[:])
|
|
|
|
b = b[KeySize:]
|
2017-01-12 15:47:46 +01:00
|
|
|
copy(b[:sha256.Size], params.Digest[:])
|
|
|
|
b = b[sha256.Size:]
|
2014-08-08 22:43:50 +02:00
|
|
|
binary.LittleEndian.PutUint64(b[:8], uint64(params.N))
|
|
|
|
b = b[8:]
|
|
|
|
binary.LittleEndian.PutUint64(b[:8], uint64(params.R))
|
|
|
|
b = b[8:]
|
|
|
|
binary.LittleEndian.PutUint64(b[:8], uint64(params.P))
|
|
|
|
|
|
|
|
return marshalled
|
|
|
|
}
|
|
|
|
|
|
|
|
// Unmarshal unmarshalls the parameters needed to derive the secret key from a
|
|
|
|
// passphrase into sk.
|
|
|
|
func (sk *SecretKey) Unmarshal(marshalled []byte) error {
|
|
|
|
if sk.Key == nil {
|
|
|
|
sk.Key = (*CryptoKey)(&[KeySize]byte{})
|
|
|
|
}
|
|
|
|
|
|
|
|
// The marshalled format for the the params is as follows:
|
|
|
|
// <salt><digest><N><R><P>
|
|
|
|
//
|
2017-01-12 15:47:46 +01:00
|
|
|
// KeySize + sha256.Size + N (8 bytes) + R (8 bytes) + P (8 bytes)
|
|
|
|
if len(marshalled) != KeySize+sha256.Size+24 {
|
2014-08-08 22:43:50 +02:00
|
|
|
return ErrMalformed
|
|
|
|
}
|
|
|
|
|
|
|
|
params := &sk.Parameters
|
|
|
|
copy(params.Salt[:], marshalled[:KeySize])
|
|
|
|
marshalled = marshalled[KeySize:]
|
2017-01-12 15:47:46 +01:00
|
|
|
copy(params.Digest[:], marshalled[:sha256.Size])
|
|
|
|
marshalled = marshalled[sha256.Size:]
|
2014-08-08 22:43:50 +02:00
|
|
|
params.N = int(binary.LittleEndian.Uint64(marshalled[:8]))
|
|
|
|
marshalled = marshalled[8:]
|
|
|
|
params.R = int(binary.LittleEndian.Uint64(marshalled[:8]))
|
|
|
|
marshalled = marshalled[8:]
|
|
|
|
params.P = int(binary.LittleEndian.Uint64(marshalled[:8]))
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Zero zeroes the underlying secret key while leaving the parameters intact.
|
|
|
|
// This effectively makes the key unusable until it is derived again via the
|
|
|
|
// DeriveKey function.
|
|
|
|
func (sk *SecretKey) Zero() {
|
|
|
|
sk.Key.Zero()
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeriveKey derives the underlying secret key and ensures it matches the
|
|
|
|
// expected digest. This should only be called after previously calling the
|
|
|
|
// Zero function or on an initial Unmarshal.
|
|
|
|
func (sk *SecretKey) DeriveKey(password *[]byte) error {
|
|
|
|
if err := sk.deriveKey(password); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// verify password
|
2017-01-12 15:47:46 +01:00
|
|
|
digest := sha256.Sum256(sk.Key[:])
|
2014-08-08 22:43:50 +02:00
|
|
|
if subtle.ConstantTimeCompare(digest[:], sk.Parameters.Digest[:]) != 1 {
|
|
|
|
return ErrInvalidPassword
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Encrypt encrypts in bytes and returns a JSON blob.
|
|
|
|
func (sk *SecretKey) Encrypt(in []byte) ([]byte, error) {
|
|
|
|
return sk.Key.Encrypt(in)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt takes in a JSON blob and returns it's decrypted form.
|
|
|
|
func (sk *SecretKey) Decrypt(in []byte) ([]byte, error) {
|
|
|
|
return sk.Key.Decrypt(in)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewSecretKey returns a SecretKey structure based on the passed parameters.
|
|
|
|
func NewSecretKey(password *[]byte, N, r, p int) (*SecretKey, error) {
|
|
|
|
sk := SecretKey{
|
|
|
|
Key: (*CryptoKey)(&[KeySize]byte{}),
|
|
|
|
}
|
|
|
|
// setup parameters
|
|
|
|
sk.Parameters.N = N
|
|
|
|
sk.Parameters.R = r
|
|
|
|
sk.Parameters.P = p
|
|
|
|
_, err := io.ReadFull(prng, sk.Parameters.Salt[:])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// derive key
|
|
|
|
err = sk.deriveKey(password)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// store digest
|
2017-01-12 15:47:46 +01:00
|
|
|
sk.Parameters.Digest = sha256.Sum256(sk.Key[:])
|
2014-08-08 22:43:50 +02:00
|
|
|
|
|
|
|
return &sk, nil
|
|
|
|
}
|