package crypto
|
|
|
|
import (
|
|
"crypto/cipher"
|
|
crand "crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"io"
|
|
"sync"
|
|
|
|
"golang.org/x/crypto/chacha20poly1305"
|
|
|
|
. "github.com/tendermint/tendermint/libs/common"
|
|
)
|
|
|
|
// The randomness here is derived from xoring a chacha20 keystream with
|
|
// output from crypto/rand's OS Entropy Reader. (Due to fears of the OS'
|
|
// entropy being backdoored)
|
|
//
|
|
// For forward secrecy of produced randomness, the internal chacha key is hashed
|
|
// and thereby rotated after each call.
|
|
var gRandInfo *randInfo
|
|
|
|
func init() {
|
|
gRandInfo = &randInfo{}
|
|
gRandInfo.MixEntropy(randBytes(32)) // Init
|
|
}
|
|
|
|
// Mix additional bytes of randomness, e.g. from hardware, user-input, etc.
|
|
// It is OK to call it multiple times. It does not diminish security.
|
|
func MixEntropy(seedBytes []byte) {
|
|
gRandInfo.MixEntropy(seedBytes)
|
|
}
|
|
|
|
// This only uses the OS's randomness
|
|
func randBytes(numBytes int) []byte {
|
|
b := make([]byte, numBytes)
|
|
_, err := crand.Read(b)
|
|
if err != nil {
|
|
PanicCrisis(err)
|
|
}
|
|
return b
|
|
}
|
|
|
|
// This uses the OS and the Seed(s).
|
|
func CRandBytes(numBytes int) []byte {
|
|
b := make([]byte, numBytes)
|
|
_, err := gRandInfo.Read(b)
|
|
if err != nil {
|
|
PanicCrisis(err)
|
|
}
|
|
return b
|
|
}
|
|
|
|
// CRandHex returns a hex encoded string that's floor(numDigits/2) * 2 long.
|
|
//
|
|
// Note: CRandHex(24) gives 96 bits of randomness that
|
|
// are usually strong enough for most purposes.
|
|
func CRandHex(numDigits int) string {
|
|
return hex.EncodeToString(CRandBytes(numDigits / 2))
|
|
}
|
|
|
|
// Returns a crand.Reader mixed with user-supplied entropy
|
|
func CReader() io.Reader {
|
|
return gRandInfo
|
|
}
|
|
|
|
//--------------------------------------------------------------------------------
|
|
|
|
type randInfo struct {
|
|
mtx sync.Mutex
|
|
seedBytes [chacha20poly1305.KeySize]byte
|
|
chacha cipher.AEAD
|
|
reader io.Reader
|
|
}
|
|
|
|
// You can call this as many times as you'd like.
|
|
// XXX TODO review
|
|
func (ri *randInfo) MixEntropy(seedBytes []byte) {
|
|
ri.mtx.Lock()
|
|
defer ri.mtx.Unlock()
|
|
// Make new ri.seedBytes using passed seedBytes and current ri.seedBytes:
|
|
// ri.seedBytes = sha256( seedBytes || ri.seedBytes )
|
|
h := sha256.New()
|
|
h.Write(seedBytes)
|
|
h.Write(ri.seedBytes[:])
|
|
hashBytes := h.Sum(nil)
|
|
copy(ri.seedBytes[:], hashBytes)
|
|
chacha, err := chacha20poly1305.New(ri.seedBytes[:])
|
|
if err != nil {
|
|
panic("Initializing chacha20 failed")
|
|
}
|
|
ri.chacha = chacha
|
|
// Create new reader
|
|
ri.reader = &cipher.StreamReader{S: ri, R: crand.Reader}
|
|
}
|
|
|
|
func (ri *randInfo) XORKeyStream(dst, src []byte) {
|
|
// nonce being 0 is safe due to never re-using a key.
|
|
emptyNonce := make([]byte, 12)
|
|
tmpDst := ri.chacha.Seal([]byte{}, emptyNonce, src, []byte{0})
|
|
// this removes the poly1305 tag as well, since chacha is a stream cipher
|
|
// and we truncate at input length.
|
|
copy(dst, tmpDst[:len(src)])
|
|
// hash seedBytes for forward secrecy, and initialize new chacha instance
|
|
newSeed := sha256.Sum256(ri.seedBytes[:])
|
|
chacha, err := chacha20poly1305.New(newSeed[:])
|
|
if err != nil {
|
|
panic("Initializing chacha20 failed")
|
|
}
|
|
ri.chacha = chacha
|
|
}
|
|
|
|
func (ri *randInfo) Read(b []byte) (n int, err error) {
|
|
ri.mtx.Lock()
|
|
n, err = ri.reader.Read(b)
|
|
ri.mtx.Unlock()
|
|
return
|
|
}
|