-
Notifications
You must be signed in to change notification settings - Fork 0
/
security.go
210 lines (178 loc) · 4.97 KB
/
security.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
package memberlist
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"fmt"
"io"
)
/*
Encrypted messages are prefixed with an EncryptionVersion byte
that is used for us to be able to properly Encode/Decode. We
currently support the following versions:
0 - AES-GCM 128, using PKCS7 padding
1 - AES-GCM 128, no padding. Padding not needed, caused bloat.
*/
type EncryptionVersion uint8
const (
minEncryptionVersion EncryptionVersion = 0
MaxEncryptionVersion EncryptionVersion = 1
)
const (
versionSize = 1
nonceSize = 12
tagSize = 16
maxPadOverhead = 16
blockSize = aes.BlockSize
)
// Pkcs7encode is used to pad a byte buffer to a specific block size using
// the PKCS7 algorithm. "Ignores" some bytes to compensate for IV
func Pkcs7encode(buf *bytes.Buffer, ignore, blockSize int) {
n := buf.Len() - ignore
more := blockSize - (n % blockSize)
for i := 0; i < more; i++ {
buf.WriteByte(byte(more))
}
}
// Pkcs7decode is used to Decode a buffer that has been padded
func Pkcs7decode(buf []byte, blockSize int) []byte {
if len(buf) == 0 {
panic("Cannot Decode a PKCS7 buffer of zero length")
}
n := len(buf)
last := buf[n-1]
n -= int(last)
return buf[:n]
}
// encryptOverhead 返回按版本加密的最大可能开销。
func encryptOverhead(vsn EncryptionVersion) int { // 1
switch vsn {
case 0:
return 45 // Version: 1, IV: 12, Padding: 16, Tag: 16
case 1:
return 29 // Version: 1, IV: 12, Tag: 16
default:
panic("unsupported version")
}
}
// EncryptedLength // 计算缓冲区大小 加密版本、消息体长度
func EncryptedLength(vsn EncryptionVersion, inp int) int {
// 当前是2
if vsn >= 1 {
return versionSize + nonceSize + inp + tagSize
}
padding := blockSize - (inp % blockSize)
// Sum the extra parts to get total size
return versionSize + nonceSize + inp + padding + tagSize
}
// EncryptPayload 是用来用一个给定的密钥对信息进行加密的。我们在GCM模式下使用AES-128。新的字节缓冲区是版本、nonce、密码文本和标签
func EncryptPayload(vsn EncryptionVersion, key []byte, msg []byte, data []byte, dst *bytes.Buffer) error {
// Get the AES block cipher
aesBlock, err := aes.NewCipher(key)
if err != nil {
return err
}
// Get the GCM cipher mode
gcm, err := cipher.NewGCM(aesBlock)
if err != nil {
return err
}
// Grow the buffer to make room for everything
offset := dst.Len()
dst.Grow(EncryptedLength(vsn, len(msg)))
// Write the encryption version
dst.WriteByte(byte(vsn))
// Add a random nonce
_, err = io.CopyN(dst, rand.Reader, nonceSize)
if err != nil {
return err
}
afterNonce := dst.Len()
// Ensure we are correctly padded (only version 0)
if vsn == 0 {
io.Copy(dst, bytes.NewReader(msg))
Pkcs7encode(dst, offset+versionSize+nonceSize, aes.BlockSize)
}
// Encrypt message using GCM
slice := dst.Bytes()[offset:]
nonce := slice[versionSize : versionSize+nonceSize]
// Message source depends on the encryption version.
// Version 0 uses padding, version 1 does not
var src []byte
if vsn == 0 {
src = slice[versionSize+nonceSize:]
} else {
src = msg
}
out := gcm.Seal(nil, nonce, src, data)
// Truncate the plaintext, and write the cipher text
dst.Truncate(afterNonce)
dst.Write(out)
return nil
}
// decryptMessage performs the actual decryption of ciphertext. This is in its
// own function to allow it to be called on all keys easily.
func decryptMessage(key, msg []byte, data []byte) ([]byte, error) {
// Get the AES block cipher
aesBlock, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
// Get the GCM cipher mode
gcm, err := cipher.NewGCM(aesBlock)
if err != nil {
return nil, err
}
// Decrypt the message
nonce := msg[versionSize : versionSize+nonceSize]
ciphertext := msg[versionSize+nonceSize:]
plain, err := gcm.Open(nil, nonce, ciphertext, data)
if err != nil {
return nil, err
}
// Success!
return plain, nil
}
// DecryptPayload OK
func DecryptPayload(keys [][]byte, msg []byte, data []byte) ([]byte, error) {
if len(msg) == 0 {
return nil, fmt.Errorf("无法解密空的有效载荷")
}
vsn := EncryptionVersion(msg[0])
if vsn > MaxEncryptionVersion {
return nil, fmt.Errorf("不支持的加密版本 %d", msg[0])
}
if len(msg) < EncryptedLength(vsn, 0) {
return nil, fmt.Errorf("有效载荷太小,无法解密: %d", len(msg))
}
for _, key := range keys {
plain, err := decryptMessage(key, msg, data)
if err == nil {
// Remove the PKCS7 padding for vsn 0
if vsn == 0 {
return Pkcs7decode(plain, aes.BlockSize), nil
} else {
return plain, nil
}
}
}
return nil, fmt.Errorf("没有安装的密钥可以解密信息")
}
func appendBytes(first []byte, second []byte) []byte {
hasFirst := len(first) > 0
hasSecond := len(second) > 0
switch {
case hasFirst && hasSecond:
out := make([]byte, 0, len(first)+len(second))
out = append(out, first...)
out = append(out, second...)
return out
case hasFirst:
return first
case hasSecond:
return second
default:
return nil
}
}