You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

56 lines
1.9 KiB

  1. package xsalsa20symmetric
  2. import (
  3. "errors"
  4. "fmt"
  5. "golang.org/x/crypto/nacl/secretbox"
  6. "github.com/tendermint/tendermint/crypto"
  7. cmn "github.com/tendermint/tendermint/libs/common"
  8. )
  9. // TODO, make this into a struct that implements crypto.Symmetric.
  10. const nonceLen = 24
  11. const secretLen = 32
  12. // secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
  13. // The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
  14. // NOTE: call crypto.MixEntropy() first.
  15. func EncryptSymmetric(plaintext []byte, secret []byte) (ciphertext []byte) {
  16. if len(secret) != secretLen {
  17. cmn.PanicSanity(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret)))
  18. }
  19. nonce := crypto.CRandBytes(nonceLen)
  20. nonceArr := [nonceLen]byte{}
  21. copy(nonceArr[:], nonce)
  22. secretArr := [secretLen]byte{}
  23. copy(secretArr[:], secret)
  24. ciphertext = make([]byte, nonceLen+secretbox.Overhead+len(plaintext))
  25. copy(ciphertext, nonce)
  26. secretbox.Seal(ciphertext[nonceLen:nonceLen], plaintext, &nonceArr, &secretArr)
  27. return ciphertext
  28. }
  29. // secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
  30. // The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
  31. func DecryptSymmetric(ciphertext []byte, secret []byte) (plaintext []byte, err error) {
  32. if len(secret) != secretLen {
  33. cmn.PanicSanity(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret)))
  34. }
  35. if len(ciphertext) <= secretbox.Overhead+nonceLen {
  36. return nil, errors.New("Ciphertext is too short")
  37. }
  38. nonce := ciphertext[:nonceLen]
  39. nonceArr := [nonceLen]byte{}
  40. copy(nonceArr[:], nonce)
  41. secretArr := [secretLen]byte{}
  42. copy(secretArr[:], secret)
  43. plaintext = make([]byte, len(ciphertext)-nonceLen-secretbox.Overhead)
  44. _, ok := secretbox.Open(plaintext[:0], ciphertext[nonceLen:], &nonceArr, &secretArr)
  45. if !ok {
  46. return nil, errors.New("Ciphertext decryption failed")
  47. }
  48. return plaintext, nil
  49. }