Networks/Reticulum-Go
2
1
Fork 0
Code Issues 4 Pull Requests 1 Actions Packages Projects 1 Releases 1 Wiki Activity

cleanup/sort

Browse Source
This commit is contained in:
Sudo-Ivan
2025-01-04 18:17:33 -06:00
parent c870406244
commit a5b905bbaf
1 changed files with 40 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

240
pkg/identity/identity.go
View File

@@ -7,19 +7,18 @@ import (
"crypto/hmac" "crypto/hmac"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"encoding/hex"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io" "io"
"log"
"os" "os"
"sync" "sync"
"time" "time"
"encoding/hex"
"log"
"github.com/Sudo-Ivan/reticulum-go/pkg/common" "github.com/Sudo-Ivan/reticulum-go/pkg/common"
"github.com/Sudo-Ivan/reticulum-go/pkg/cryptography"
"golang.org/x/crypto/curve25519" "golang.org/x/crypto/curve25519"
"golang.org/x/crypto/hkdf" "golang.org/x/crypto/hkdf"
) )
@@ -62,61 +61,6 @@ var (
ratchetPersistLock sync.Mutex ratchetPersistLock sync.Mutex
) )
func encryptAESCBC(key, plaintext []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
// Generate IV
iv := make([]byte, aes.BlockSize)
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
}
// Add PKCS7 padding
padding := aes.BlockSize - len(plaintext)%aes.BlockSize
padtext := make([]byte, len(plaintext)+padding)
copy(padtext, plaintext)
for i := len(plaintext); i < len(padtext); i++ {
padtext[i] = byte(padding)
}
// Encrypt
mode := cipher.NewCBCEncrypter(block, iv)
ciphertext := make([]byte, len(padtext))
mode.CryptBlocks(ciphertext, padtext)
// Prepend IV to ciphertext
return append(iv, ciphertext...), nil
}
func decryptAESCBC(key, ciphertext []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
if len(ciphertext) < aes.BlockSize {
return nil, errors.New("ciphertext too short")
}
iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
if len(ciphertext)%aes.BlockSize != 0 {
return nil, errors.New("ciphertext is not a multiple of block size")
}
mode := cipher.NewCBCDecrypter(block, iv)
plaintext := make([]byte, len(ciphertext))
mode.CryptBlocks(plaintext, ciphertext)
// Remove PKCS7 padding
padding := int(plaintext[len(plaintext)-1])
return plaintext[:len(plaintext)-padding], nil
}
func New() (*Identity, error) { func New() (*Identity, error) {
i := &Identity{ i := &Identity{
ratchets: make(map[string][]byte), ratchets: make(map[string][]byte),
@@ -124,30 +68,22 @@ func New() (*Identity, error) {
mutex: &sync.RWMutex{}, mutex: &sync.RWMutex{},
} }
// Generate X25519 key pair // Generate keypairs using cryptography package
i.privateKey = make([]byte, curve25519.ScalarSize) privKey, pubKey, err := cryptography.GenerateKeyPair()
if _, err := io.ReadFull(rand.Reader, i.privateKey); err != nil {
log.Printf("[DEBUG-1] Failed to generate X25519 private key: %v", err)
return nil, err
}
var err error
i.publicKey, err = curve25519.X25519(i.privateKey, curve25519.Basepoint)
if err != nil { if err != nil {
log.Printf("[DEBUG-1] Failed to generate X25519 public key: %v", err) return nil, fmt.Errorf("failed to generate X25519 keypair: %v", err)
return nil, err
} }
i.privateKey = privKey
i.publicKey = pubKey
// Generate Ed25519 signing keypair // Generate Ed25519 signing keypair
pubKey, privKey, err := ed25519.GenerateKey(rand.Reader) verificationKey, signingKey, err := cryptography.GenerateSigningKeyPair()
if err != nil { if err != nil {
log.Printf("[DEBUG-1] Failed to generate Ed25519 keypair: %v", err) return nil, fmt.Errorf("failed to generate Ed25519 keypair: %v", err)
return nil, err
} }
i.signingKey = privKey i.signingKey = signingKey
i.verificationKey = pubKey i.verificationKey = verificationKey
log.Printf("[DEBUG-7] Created new identity with hash: %x", i.Hash())
return i, nil return i, nil
} }
@@ -164,31 +100,16 @@ func (i *Identity) GetPrivateKey() []byte {
} }
func (i *Identity) Sign(data []byte) []byte { func (i *Identity) Sign(data []byte) []byte {
return ed25519.Sign(i.signingKey, data) return cryptography.Sign(i.signingKey, data)
} }
func (i *Identity) Verify(data []byte, signature []byte) bool { func (i *Identity) Verify(data []byte, signature []byte) bool {
return ed25519.Verify(i.verificationKey, data, signature) return cryptography.Verify(i.verificationKey, data, signature)
} }
func (i *Identity) Encrypt(plaintext []byte, ratchet []byte) ([]byte, error) { func (i *Identity) Encrypt(plaintext []byte, ratchet []byte) ([]byte, error) {
if i.publicKey == nil {
log.Printf("[DEBUG-1] Encryption failed: identity has no public key")
return nil, errors.New("encryption failed: identity does not hold a public key")
}
log.Printf("[DEBUG-7] Starting encryption for identity %s", i.GetHexHash())
if ratchet != nil {
log.Printf("[DEBUG-7] Using ratchet for encryption")
}
// Generate ephemeral keypair // Generate ephemeral keypair
ephemeralPrivKey := make([]byte, curve25519.ScalarSize) ephemeralPrivKey, ephemeralPubKey, err := cryptography.GenerateKeyPair()
if _, err := io.ReadFull(rand.Reader, ephemeralPrivKey); err != nil {
return nil, err
}
ephemeralPubKey, err := curve25519.X25519(ephemeralPrivKey, curve25519.Basepoint)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -200,64 +121,38 @@ func (i *Identity) Encrypt(plaintext []byte, ratchet []byte) ([]byte, error) {
} }
// Generate shared secret // Generate shared secret
sharedSecret, err := curve25519.X25519(ephemeralPrivKey, targetKey) sharedSecret, err := cryptography.DeriveSharedSecret(ephemeralPrivKey, targetKey)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Derive encryption key using HKDF // Derive encryption key
kdf := hkdf.New(sha256.New, sharedSecret, i.GetSalt(), i.GetContext()) key, err := cryptography.DeriveKey(sharedSecret, i.GetSalt(), i.GetContext(), 32)
key := make([]byte, 32)
if _, err := io.ReadFull(kdf, key); err != nil {
return nil, err
}
// Encrypt using AES-128-CBC with PKCS7 padding
block, err := aes.NewCipher(key[:16]) // Use AES-128
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Add PKCS7 padding // Encrypt data
padding := aes.BlockSize - len(plaintext)%aes.BlockSize ciphertext, err := cryptography.EncryptAESCBC(key[:16], plaintext)
padtext := make([]byte, len(plaintext)+padding) if err != nil {
copy(padtext, plaintext)
for i := len(plaintext); i < len(padtext); i++ {
padtext[i] = byte(padding)
}
// Generate IV
iv := make([]byte, aes.BlockSize)
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err return nil, err
} }
// Encrypt
mode := cipher.NewCBCEncrypter(block, iv)
ciphertext := make([]byte, len(padtext))
mode.CryptBlocks(ciphertext, padtext)
// Calculate HMAC // Calculate HMAC
h := hmac.New(sha256.New, key) mac := cryptography.ComputeHMAC(key, append(ephemeralPubKey, ciphertext...))
h.Write(append(ephemeralPubKey, append(iv, ciphertext...)...))
mac := h.Sum(nil)
// Combine all components into final token // Combine components
token := make([]byte, 0, len(ephemeralPubKey)+len(iv)+len(ciphertext)+len(mac)) token := make([]byte, 0, len(ephemeralPubKey)+len(ciphertext)+len(mac))
token = append(token, ephemeralPubKey...) token = append(token, ephemeralPubKey...)
token = append(token, iv...)
token = append(token, ciphertext...) token = append(token, ciphertext...)
token = append(token, mac...) token = append(token, mac...)
log.Printf("[DEBUG-7] Encryption completed successfully")
return token, nil return token, nil
} }
func (i *Identity) Hash() []byte { func (i *Identity) Hash() []byte {
h := sha256.New() hash := cryptography.Hash(i.GetPublicKey())
h.Write(i.GetPublicKey()) return hash[:TRUNCATED_HASHLENGTH/8]
fullHash := h.Sum(nil)
return fullHash[:TRUNCATED_HASHLENGTH/8]
} }
func TruncatedHash(data []byte) []byte { func TruncatedHash(data []byte) []byte {
@@ -483,110 +378,55 @@ func (i *Identity) tryRatchetDecryption(peerPubBytes, ciphertext, ratchet []byte
ratchetPriv := ratchet ratchetPriv := ratchet
// Get ratchet ID // Get ratchet ID
ratchetPubBytes, err := curve25519.X25519(ratchetPriv, curve25519.Basepoint) ratchetPubBytes, err := curve25519.X25519(ratchetPriv, cryptography.GetBasepoint())
if err != nil { if err != nil {
log.Printf("[DEBUG-7] Failed to generate ratchet public key: %v", err) log.Printf("[DEBUG-7] Failed to generate ratchet public key: %v", err)
return nil, nil, err return nil, nil, err
} }
ratchetID := i.GetRatchetID(ratchetPubBytes) ratchetID := i.GetRatchetID(ratchetPubBytes)
log.Printf("[DEBUG-7] Decrypting with ratchet ID: %x", ratchetID) sharedSecret, err := cryptography.DeriveSharedSecret(ratchet, peerPubBytes)
// Generate shared key
sharedKey, err := curve25519.X25519(ratchetPriv, peerPubBytes)
if err != nil { if err != nil {
log.Printf("[DEBUG-7] Failed to generate shared key: %v", err)
return nil, nil, err return nil, nil, err
} }
// Derive key using HKDF key, err := cryptography.DeriveKey(sharedSecret, i.GetSalt(), i.GetContext(), 32)
hkdfReader := hkdf.New(sha256.New, sharedKey, i.GetSalt(), i.GetContext())
derivedKey := make([]byte, 32)
if _, err := io.ReadFull(hkdfReader, derivedKey); err != nil {
log.Printf("[DEBUG-7] Failed to derive key: %v", err)
return nil, nil, err
}
// Create AES cipher
block, err := aes.NewCipher(derivedKey)
if err != nil { if err != nil {
log.Printf("[DEBUG-7] Failed to create cipher: %v", err)
return nil, nil, err return nil, nil, err
} }
// Extract IV and decrypt plaintext, err := cryptography.DecryptAESCBC(key, ciphertext)
if len(ciphertext) < aes.BlockSize { if err != nil {
log.Printf("[DEBUG-7] Ciphertext too short") return nil, nil, err
return nil, nil, errors.New("ciphertext too short")
} }
iv := ciphertext[:aes.BlockSize] return plaintext, ratchetID, nil
actualCiphertext := ciphertext[aes.BlockSize:]
if len(actualCiphertext)%aes.BlockSize != 0 {
log.Printf("[DEBUG-7] Ciphertext is not a multiple of block size")
return nil, nil, errors.New("ciphertext is not a multiple of block size")
}
// Decrypt
mode := cipher.NewCBCDecrypter(block, iv)
plaintext := make([]byte, len(actualCiphertext))
mode.CryptBlocks(plaintext, actualCiphertext)
// Remove padding
padding := int(plaintext[len(plaintext)-1])
if padding > aes.BlockSize || padding == 0 {
log.Printf("[DEBUG-7] Invalid padding")
return nil, nil, errors.New("invalid padding")
}
for i := len(plaintext) - padding; i < len(plaintext); i++ {
if plaintext[i] != byte(padding) {
log.Printf("[DEBUG-7] Invalid padding")
return nil, nil, errors.New("invalid padding")
}
}
log.Printf("[DEBUG-7] Decrypted successfully")
return plaintext[:len(plaintext)-padding], ratchetID, nil
} }
func (i *Identity) EncryptWithHMAC(plaintext []byte, key []byte) ([]byte, error) { func (i *Identity) EncryptWithHMAC(plaintext []byte, key []byte) ([]byte, error) {
// Encrypt with AES-CBC ciphertext, err := cryptography.EncryptAESCBC(key, plaintext)
ciphertext, err := encryptAESCBC(key, plaintext)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Generate HMAC mac := cryptography.ComputeHMAC(key, ciphertext)
h := hmac.New(sha256.New, key)
h.Write(ciphertext)
mac := h.Sum(nil)
// Combine ciphertext and HMAC
return append(ciphertext, mac...), nil return append(ciphertext, mac...), nil
} }
func (i *Identity) DecryptWithHMAC(data []byte, key []byte) ([]byte, error) { func (i *Identity) DecryptWithHMAC(data []byte, key []byte) ([]byte, error) {
if len(data) < sha256.Size { if len(data) < cryptography.SHA256Size {
return nil, errors.New("data too short") return nil, errors.New("data too short")
} }
// Split HMAC and ciphertext macStart := len(data) - cryptography.SHA256Size
macStart := len(data) - sha256.Size
ciphertext := data[:macStart] ciphertext := data[:macStart]
messageMAC := data[macStart:] messageMAC := data[macStart:]
// Verify HMAC if !cryptography.ValidateHMAC(key, ciphertext, messageMAC) {
h := hmac.New(sha256.New, key)
h.Write(ciphertext)
expectedMAC := h.Sum(nil)
if !hmac.Equal(messageMAC, expectedMAC) {
return nil, errors.New("invalid HMAC") return nil, errors.New("invalid HMAC")
} }
// Decrypt return cryptography.DecryptAESCBC(key, ciphertext)
return decryptAESCBC(key, ciphertext)
} }
func (i *Identity) ToFile(path string) error { func (i *Identity) ToFile(path string) error {
@@ -664,7 +504,7 @@ func (i *Identity) GetContext() []byte {
} }
func (i *Identity) GetRatchetID(ratchetPubBytes []byte) []byte { func (i *Identity) GetRatchetID(ratchetPubBytes []byte) []byte {
hash := sha256.Sum256(ratchetPubBytes) hash := cryptography.Hash(ratchetPubBytes)
return hash[:NAME_HASH_LENGTH/8] return hash[:NAME_HASH_LENGTH/8]
} }