|
|
- package crypto
-
- import (
- "crypto/cipher"
- crand "crypto/rand"
- "crypto/sha256"
- "encoding/hex"
- "io"
- "sync"
-
- "golang.org/x/crypto/chacha20poly1305"
-
- . "github.com/tendermint/tendermint/libs/common"
- )
-
- // The randomness here is derived from xoring a chacha20 keystream with
- // output from crypto/rand's OS Entropy Reader. (Due to fears of the OS'
- // entropy being backdoored)
- //
- // For forward secrecy of produced randomness, the internal chacha key is hashed
- // and thereby rotated after each call.
- var gRandInfo *randInfo
-
- func init() {
- gRandInfo = &randInfo{}
- gRandInfo.MixEntropy(randBytes(32)) // Init
- }
-
- // Mix additional bytes of randomness, e.g. from hardware, user-input, etc.
- // It is OK to call it multiple times. It does not diminish security.
- func MixEntropy(seedBytes []byte) {
- gRandInfo.MixEntropy(seedBytes)
- }
-
- // This only uses the OS's randomness
- func randBytes(numBytes int) []byte {
- b := make([]byte, numBytes)
- _, err := crand.Read(b)
- if err != nil {
- PanicCrisis(err)
- }
- return b
- }
-
- // This uses the OS and the Seed(s).
- func CRandBytes(numBytes int) []byte {
- b := make([]byte, numBytes)
- _, err := gRandInfo.Read(b)
- if err != nil {
- PanicCrisis(err)
- }
- return b
- }
-
- // CRandHex returns a hex encoded string that's floor(numDigits/2) * 2 long.
- //
- // Note: CRandHex(24) gives 96 bits of randomness that
- // are usually strong enough for most purposes.
- func CRandHex(numDigits int) string {
- return hex.EncodeToString(CRandBytes(numDigits / 2))
- }
-
- // Returns a crand.Reader mixed with user-supplied entropy
- func CReader() io.Reader {
- return gRandInfo
- }
-
- //--------------------------------------------------------------------------------
-
- type randInfo struct {
- mtx sync.Mutex
- seedBytes [chacha20poly1305.KeySize]byte
- chacha cipher.AEAD
- reader io.Reader
- }
-
- // You can call this as many times as you'd like.
- // XXX TODO review
- func (ri *randInfo) MixEntropy(seedBytes []byte) {
- ri.mtx.Lock()
- defer ri.mtx.Unlock()
- // Make new ri.seedBytes using passed seedBytes and current ri.seedBytes:
- // ri.seedBytes = sha256( seedBytes || ri.seedBytes )
- h := sha256.New()
- h.Write(seedBytes)
- h.Write(ri.seedBytes[:])
- hashBytes := h.Sum(nil)
- copy(ri.seedBytes[:], hashBytes)
- chacha, err := chacha20poly1305.New(ri.seedBytes[:])
- if err != nil {
- panic("Initializing chacha20 failed")
- }
- ri.chacha = chacha
- // Create new reader
- ri.reader = &cipher.StreamReader{S: ri, R: crand.Reader}
- }
-
- func (ri *randInfo) XORKeyStream(dst, src []byte) {
- // nonce being 0 is safe due to never re-using a key.
- emptyNonce := make([]byte, 12)
- tmpDst := ri.chacha.Seal([]byte{}, emptyNonce, src, []byte{0})
- // this removes the poly1305 tag as well, since chacha is a stream cipher
- // and we truncate at input length.
- copy(dst, tmpDst[:len(src)])
- // hash seedBytes for forward secrecy, and initialize new chacha instance
- newSeed := sha256.Sum256(ri.seedBytes[:])
- chacha, err := chacha20poly1305.New(newSeed[:])
- if err != nil {
- panic("Initializing chacha20 failed")
- }
- ri.chacha = chacha
- }
-
- func (ri *randInfo) Read(b []byte) (n int, err error) {
- ri.mtx.Lock()
- n, err = ri.reader.Read(b)
- ri.mtx.Unlock()
- return
- }
|
