2 NNCP -- Node to Node copy, utilities for store-and-forward data exchange
3 Copyright (C) 2016-2017 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 "cypherpunks.ru/balloon"
30 "github.com/davecgh/go-xdr/xdr2"
31 "golang.org/x/crypto/blake2b"
32 "golang.org/x/crypto/hkdf"
33 "golang.org/x/crypto/twofish"
37 DefaultS = 1 << 20 / 32
43 MagicNNCPBv1 [8]byte = [8]byte{'N', 'N', 'C', 'P', 'B', 0, 0, 1}
53 MAC *[blake2b.Size256]byte
56 // Create an encrypted blob. sCost -- memory space requirements, number
57 // of hash-output sized (32 bytes) blocks. tCost -- time requirements,
58 // number of rounds. pCost -- number of parallel jobs.
59 func NewEBlob(sCost, tCost, pCost int, password, data []byte) ([]byte, error) {
62 if _, err = rand.Read(salt[:]); err != nil {
65 key := balloon.H(blake256, password, salt[:], sCost, tCost, pCost)
66 kdf := hkdf.New(blake256, key, nil, MagicNNCPBv1[:])
67 keyEnc := make([]byte, 32)
68 if _, err = io.ReadFull(kdf, keyEnc); err != nil {
71 keyAuth := make([]byte, 64)
72 if _, err = io.ReadFull(kdf, keyAuth); err != nil {
75 ciph, err := twofish.NewCipher(keyEnc)
79 ctr := cipher.NewCTR(ciph, make([]byte, twofish.BlockSize))
80 mac, err := blake2b.New256(keyAuth)
85 mw := io.MultiWriter(&blob, mac)
86 ae := &cipher.StreamWriter{S: ctr, W: mw}
87 if _, err = ae.Write(data); err != nil {
90 macTag := new([blake2b.Size256]byte)
101 var eblobRaw bytes.Buffer
102 if _, err = xdr.Marshal(&eblobRaw, &eblob); err != nil {
105 return eblobRaw.Bytes(), nil
108 func DeEBlob(eblobRaw, password []byte) ([]byte, error) {
111 if _, err = xdr.Unmarshal(bytes.NewReader(eblobRaw), &eblob); err != nil {
114 if eblob.Magic != MagicNNCPBv1 {
125 kdf := hkdf.New(blake256, key, nil, MagicNNCPBv1[:])
126 keyEnc := make([]byte, 32)
127 if _, err = io.ReadFull(kdf, keyEnc); err != nil {
130 keyAuth := make([]byte, 64)
131 if _, err = io.ReadFull(kdf, keyAuth); err != nil {
134 ciph, err := twofish.NewCipher(keyEnc)
138 ctr := cipher.NewCTR(ciph, make([]byte, twofish.BlockSize))
139 mac, err := blake2b.New256(keyAuth)
143 var blob bytes.Buffer
144 tr := io.TeeReader(bytes.NewReader(eblob.Blob), mac)
145 ae := &cipher.StreamReader{S: ctr, R: tr}
146 if _, err = io.Copy(&blob, ae); err != nil {
149 if subtle.ConstantTimeCompare(mac.Sum(nil), eblob.MAC[:]) != 1 {
150 return nil, errors.New("Unauthenticated blob")
152 return blob.Bytes(), nil