|
package xsalsa20symmetric
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
|
|
"golang.org/x/crypto/nacl/secretbox" // forked to github.com/tendermint/crypto
|
|
|
|
"github.com/tendermint/tendermint/crypto"
|
|
cmn "github.com/tendermint/tendermint/libs/common"
|
|
)
|
|
|
|
// TODO, make this into a struct that implements crypto.Symmetric.
|
|
|
|
const nonceLen = 24
|
|
const secretLen = 32
|
|
|
|
// secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
|
|
// The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
|
|
// NOTE: call crypto.MixEntropy() first.
|
|
func EncryptSymmetric(plaintext []byte, secret []byte) (ciphertext []byte) {
|
|
if len(secret) != secretLen {
|
|
cmn.PanicSanity(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret)))
|
|
}
|
|
nonce := crypto.CRandBytes(nonceLen)
|
|
nonceArr := [nonceLen]byte{}
|
|
copy(nonceArr[:], nonce)
|
|
secretArr := [secretLen]byte{}
|
|
copy(secretArr[:], secret)
|
|
ciphertext = make([]byte, nonceLen+secretbox.Overhead+len(plaintext))
|
|
copy(ciphertext, nonce)
|
|
secretbox.Seal(ciphertext[nonceLen:nonceLen], plaintext, &nonceArr, &secretArr)
|
|
return ciphertext
|
|
}
|
|
|
|
// secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
|
|
// The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
|
|
func DecryptSymmetric(ciphertext []byte, secret []byte) (plaintext []byte, err error) {
|
|
if len(secret) != secretLen {
|
|
cmn.PanicSanity(fmt.Sprintf("Secret must be 32 bytes long, got len %v", len(secret)))
|
|
}
|
|
if len(ciphertext) <= secretbox.Overhead+nonceLen {
|
|
return nil, errors.New("Ciphertext is too short")
|
|
}
|
|
nonce := ciphertext[:nonceLen]
|
|
nonceArr := [nonceLen]byte{}
|
|
copy(nonceArr[:], nonce)
|
|
secretArr := [secretLen]byte{}
|
|
copy(secretArr[:], secret)
|
|
plaintext = make([]byte, len(ciphertext)-nonceLen-secretbox.Overhead)
|
|
_, ok := secretbox.Open(plaintext[:0], ciphertext[nonceLen:], &nonceArr, &secretArr)
|
|
if !ok {
|
|
return nil, errors.New("Ciphertext decryption failed")
|
|
}
|
|
return plaintext, nil
|
|
}
|