From bce89dacb0aa0c16ae7c1f212839adabb095c5b6 Mon Sep 17 00:00:00 2001 From: Sudhi Herle Date: Sun, 20 Mar 2022 20:15:15 -0700 Subject: [PATCH] Updated to go1.18; minor code cleanups; updated dependencies --- build | 1 + go.mod | 11 +++++++---- go.sum | 13 +++++++++---- sign/encrypt.go | 45 +++++++++++++++++++++++---------------------- 4 files changed, 40 insertions(+), 30 deletions(-) diff --git a/build b/build index 5f571fa..8889ecd 100755 --- a/build +++ b/build @@ -113,6 +113,7 @@ Options: -v, --verbose Build verbosely (adds "-v" to go tooling) [False] --vet Run "go vet" on modules named on the command line [False] -x Run in debug/trace mode [False] + --print-arch Print the target architecture and exit EOF exit 0 diff --git a/go.mod b/go.mod index 42d512f..61ec962 100644 --- a/go.mod +++ b/go.mod @@ -1,14 +1,17 @@ module github.com/opencoff/sigtool -go 1.17 +go 1.18 require ( github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a github.com/gogo/protobuf v1.3.2 github.com/opencoff/go-utils v0.4.1 github.com/opencoff/pflag v0.5.0 - golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 - gopkg.in/yaml.v2 v2.2.7 + golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd + gopkg.in/yaml.v2 v2.4.0 ) -require golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect +require ( + golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect +) diff --git a/go.sum b/go.sum index a84bff6..eec97f1 100644 --- a/go.sum +++ b/go.sum 
@@ -13,8 +13,9 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -26,8 +27,12 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -40,5 +45,5 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo= -gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= diff --git a/sign/encrypt.go b/sign/encrypt.go index bb9e4d1..d8e6a71 100644 --- a/sign/encrypt.go +++ b/sign/encrypt.go @@ -129,22 +129,7 @@ func NewEncryptor(sk *PrivateKey, blksize uint64) (*Encryptor, error) { randRead(key) randRead(salt) - // if sender has provided their identity to authenticate, we sign the data-enc key - // and encrypt the signature. At no point will we send the sender's identity. - var senderSig []byte - if sk != nil { - sig, err := sk.SignMessage(key, "") - if err != nil { - return nil, fmt.Errorf("encrypt: can't sign: %w", err) - } - - senderSig = sig.Sig - } else { - var zero [ed25519.SignatureSize]byte - senderSig = zero[:] - } - - wSig, err := wrapSenderSig(senderSig, key, salt) + wSig, err := wrapSenderSig(sk, key, salt) if err != nil { return nil, fmt.Errorf("encrypt: %w", err) } 
@@ -543,7 +528,25 @@ func (d *Decryptor) decrypt(i uint32) ([]byte, bool, error) { } // Wrap sender's signature of the encryption key -func wrapSenderSig(sig []byte, key, salt []byte) ([]byte, error) { +// if sender has provided their identity to authenticate, we sign the data-enc key +// and encrypt the signature. At no point will we send the sender's identity. +func wrapSenderSig(sk *PrivateKey, key, salt []byte) ([]byte, error) { + var zero [ed25519.SignatureSize]byte + var sig []byte + + switch { + case sk == nil: + sig = zero[:] + + default: + xsig, err := sk.SignMessage(key, "") + if err != nil { + return nil, fmt.Errorf("wrap: can't sign: %w", err) + } + + sig = xsig.Sig + } + aes, err := aes.NewCipher(key) if err != nil { return nil, fmt.Errorf("wrap: %w", err) @@ -588,6 +591,7 @@ func (d *Decryptor) verifySender(key []byte, sk *PrivateKey, senderPK *PublicKey // Did the sender actually sign anything? if subtle.ConstantTimeCompare(zero[:], sig) == 0 { + // we set this to indicate that the sender authenticated themselves; d.auth = true if senderPK != nil { @@ -595,8 +599,7 @@ func (d *Decryptor) verifySender(key []byte, sk *PrivateKey, senderPK *PublicKey Sig: sig, } - ok := senderPK.VerifyMessage(key, ss) - if !ok { + if ok := senderPK.VerifyMessage(key, ss); !ok { return fmt.Errorf("unwrap: sender verification failed") } } @@ -605,9 +608,7 @@ func (d *Decryptor) verifySender(key []byte, sk *PrivateKey, senderPK *PublicKey } // Wrap data encryption key 'k' with the sender's PK and our ephemeral curve SK -// basically, we do two scalarmults: -// a) Ephemeral encryption/decryption SK x receiver PK -// b) Sender's SK x receiver PK +// basically, we do a scalarmult: Ephemeral encryption/decryption SK x receiver PK func (e *Encryptor) wrapKey(pk *PublicKey) (*pb.WrappedKey, error) { rxPK := pk.toCurve25519PK() dkek, err := curve25519.X25519(e.encSK, rxPK)
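Review bot: The doc comment on `wrapSenderSig` does not say what happens for an anonymous sender, which is the security-relevant part of the new signature. With `sk == nil` the function wraps an all-zero `ed25519.SignatureSize` placeholder, and `verifySender` later compares against zero to decide whether a sender signed at all. I would reword it Go-style, e.g. `// wrapSenderSig signs the data-encryption key with sk and encrypts that signature under key; a nil sk yields an all-zero placeholder meaning "no sender identity".` The two-arm `switch` with a `default` would also read more plainly as `sig := zero[:]` followed by `if sk != nil { … }`. The rest of the function body lies outside this hunk, so how the wrapped signature is integrity-protected cannot be judged from here.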
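Review bot: `d.auth = true` is set as soon as the unwrapped signature is non-zero, before `senderPK.VerifyMessage` runs in the following hunk and also when `senderPK` is nil. The added comment "the sender authenticated themselves" therefore claims more than the code has established at that point. If callers read `d.auth` as "sender verified" (its uses are outside this diff), a non-zero signature that was never checked would be reported as authenticated. Consider setting the flag only after a successful check, or wording the comment to match: `// sender supplied a signature; it is only verified below when senderPK is given`. verifySender starts and ends outside both of its hunks.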
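Review bot: The first comment line above `wrapKey` still says the key is wrapped "with the sender's PK", but the visible code derives `rxPK` from the `pk` argument and the rewritten second line calls it the receiver PK, so the two lines now contradict each other. Suggest `// wrapKey wraps data encryption key 'k' for the receiver: one scalarmult of our ephemeral Curve25519 SK with the receiver's PK.` The removed text was the only mention of the sender's SK entering the key exchange. It would help to state here that sender authentication now rests solely on the wrapped signature, which is presumably the case, though the rest of wrapKey is outside the hunk.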