func (c *Client) Reconnect() error {
conn, err := tls.Dial("tcp", c.hostname, c.config)
if err != nil {
return err
}
c.conn = conn
loginByte := []byte{TReconnect}
c.conn.Write(loginByte)
ulen := WriteInt32(int32(len(c.username)))
c.conn.Write(ulen)
c.conn.Write([]byte(c.username))
sc := make([]byte, 32)
c.conn.Read(sc)
//Generate a response
cc := GeneratePepper()
combSalt := make([]byte, len(sc)+len(cc))
copy(combSalt, sc)
copy(combSalt[len(sc):], cc)
//Generate a hash of the password with the challenge and response as salts
hashA, _ := scrypt.Key(c.phash, combSalt, 16384, 8, 1, 32)
//write the hash, and the response
c.conn.Write(hashA)
c.conn.Write(cc)
sr := make([]byte, 32)
//Read the servers response
_, err = c.conn.Read(sr)
if err != nil {
return err
}
srVer, _ := scrypt.Key(c.phash, combSalt, 16384, 4, 3, 32)
//and ensure that it is correct
for i := 0; i < 32; i++ {
if sr[i] != srVer[i] {
return errors.New("Invalid response from server")
}
}
//Send login flags to the server
loginByte[0] = c.lflags
c.conn.Write(loginByte)
return nil
}
func deriveKey(result chan []byte, secret string) {
keySlice, err := scrypt.Key([]byte(secret), nil, 1<<18, 20, 1, 32)
if err != nil {
panic(err)
}
result <- keySlice
}
func HashPassword(username, password string) []byte {
pHash, err := scrypt.Key([]byte(password), []byte(tSalt+username), 16384, 9, 7, 32)
if err != nil {
panic(err)
}
return pHash
}
func (u *User) CheckPassword(password string) bool {
passwordHash, err := scrypt.Key([]byte(password), u.PasswordSalt, 16384, 8, 1, 32)
if err != nil {
panic(err)
}
return subtle.ConstantTimeCompare(passwordHash, u.PasswordHash) == 1
}
func (a *AccountDetail) HashPassword(password string) []byte {
hash, err := scrypt.Key([]byte(password), a.Salt, a.N, a.R, a.P, 32)
if err != nil {
panic(err)
}
return hash
}
func (e *EmailAddr) initLazyKey() {
emailKey := e.Canonical()
keyCache.Lock()
v, ok := keyCache.m[emailKey]
keyCache.Unlock()
if ok {
e.lazyKey = v
return
}
key, err := scrypt.Key([]byte(emailKey), fistSalt, 16384*8, 8, 1, 32)
if err != nil {
panic(err)
}
e.lazyKey = key
keyCache.Lock()
if keyCache.m == nil {
keyCache.m = make(map[string][]byte)
}
keyCache.m[emailKey] = key
// TODO: Prune the cache
keyCache.Unlock()
}
// Handles login functions, returns true (successful) false (unsucessful)
func (h *Client) Login(handle, password string, lflags byte) (bool, string) {
loginByte := make([]byte, 1)
loginByte[0] = TLogin
h.conn.Write(loginByte)
h.phash = HashPassword(handle, password)
//Write the usernames length, followed by the username.
ulen := WriteInt32(int32(len(handle)))
h.conn.Write(ulen)
h.conn.Write([]byte(handle))
h.username = handle
//Read the servers challenge
sc := make([]byte, 32)
h.conn.Read(sc)
//Generate a response
cc := GeneratePepper()
combSalt := make([]byte, len(sc)+len(cc))
copy(combSalt, sc)
copy(combSalt[len(sc):], cc)
//Generate a hash of the password with the challenge and response as salts
hashA, _ := scrypt.Key(h.phash, combSalt, 16384, 8, 1, 32)
//write the hash, and the response
h.conn.Write(hashA)
h.conn.Write(cc)
sr := make([]byte, 32)
//Read the servers response
_, err := h.conn.Read(sr)
if err != nil {
return false, "Auth Failed."
}
srVer, _ := scrypt.Key(h.phash, combSalt, 16384, 4, 3, 32)
//and ensure that it is correct
for i := 0; i < 32; i++ {
if sr[i] != srVer[i] {
return false, "Invalid response from server"
}
}
//Send login flags to the server
loginByte[0] = lflags
h.conn.Write(loginByte)
return true, "Authenticated"
}
func main() {
stateFile := flag.String("state-file", "", "File in which to save persistent state")
pandaScrypt := flag.Bool("panda-scrypt", false, "Run in subprocess mode to process passphrase")
cliFlag := flag.Bool("cli", false, "If true, the CLI will be used, even if the GUI is available")
devFlag := flag.Bool("dev", false, "Is this a development environment?")
flag.Parse()
if *pandaScrypt {
var numBytes uint32
if err := binary.Read(os.Stdin, binary.LittleEndian, &numBytes); err != nil {
panic(err)
}
if numBytes > 1024*1024 {
panic("passphrase too large")
}
passphrase := make([]byte, int(numBytes))
if _, err := os.Stdin.Read(passphrase); err != nil {
panic(err)
}
data, err := scrypt.Key(passphrase, nil, 1<<17, 16, 4, 32*3)
if err != nil {
panic(err)
}
os.Stdout.Write(data)
os.Exit(0)
}
dev := os.Getenv("POND") == "dev" || *devFlag
runtime.GOMAXPROCS(4)
if len(*stateFile) == 0 && dev {
*stateFile = "state"
}
if len(*stateFile) == 0 {
home := os.Getenv("HOME")
if len(home) == 0 {
fmt.Fprintf(os.Stderr, "$HOME not set. Please either export $HOME or use --state-file to set the location of the state file explicitly.\n")
os.Exit(1)
}
configDir := filepath.Join(home, ".config")
os.Mkdir(configDir, 0700)
*stateFile = filepath.Join(configDir, "pond")
}
if !haveGUI || *cliFlag || len(os.Getenv("PONDCLI")) > 0 {
client := NewCLIClient(*stateFile, rand.Reader, false /* testing */, true /* autoFetch */)
client.disableV2Ratchet = true
client.dev = dev
client.Start()
} else {
ui := NewGTKUI()
client := NewGUIClient(*stateFile, ui, rand.Reader, false /* testing */, true /* autoFetch */)
client.disableV2Ratchet = true
client.dev = dev
client.Start()
ui.Run()
}
}
func (user *User) Authenticate(password string) bool {
// Scrypt the password.
scryptPassword, err := scrypt.Key([]byte(password), user.Salt, 16384, 8, 1, 32)
if err != nil {
panic(err)
}
return bytes.Equal(scryptPassword, user.Scrypt)
}
func BenchmarkR32768r8p4k32(b *testing.B) {
for i := 0; i < b.N; i++ {
_, err := scrypt.Key(password, salt, 32768, 8, 4, 32)
if err != nil {
b.Fatalf("%v", err)
}
}
}
func BenchmarkR16384r8p1k32(b *testing.B) {
for i := 0; i < b.N; i++ {
_, err := scrypt.Key(password, salt, 16384, 8, 1, 32)
if err != nil {
b.Fatalf("%v", err)
}
}
}
func (p *adminPlugin) scryptHash(cmd *mup.Command, password, salt string) (hash string, ok bool) {
key, err := scrypt.Key([]byte(password), []byte(salt), 16384, 8, 1, 32)
if err != nil {
p.plugger.Logf("scrypt.Key failed: %v", err)
p.plugger.Sendf(cmd, "Internal error hashing password. Sorry.")
}
return hex.EncodeToString(key), err == nil
}
func deriveScrypt(in [32]byte) (psk [32]byte, err error) {
out, err := scrypt.Key(in[:], in[:], 1<<16, 8, 1, 32)
if err != nil {
return
}
copy(psk[:], out)
return
}
func recoverKey(password, salt []byte) (key []byte, ok bool) {
key, err := scrypt.Key(password, salt, scryN, scryP, scryR, pwKeyLength)
if err != nil {
key = nil
salt = nil
return
}
ok = true
return
}
// deriveKey applies Scrypt with very strong parameters to generate an
// encryption key from a passphrase and salt.
func deriveKey(passphrase []byte, salt []byte) *[keySize]byte {
rawKey, err := scrypt.Key(passphrase, salt, 32768, 8, 4, keySize)
if err != nil {
return nil
}
var key [keySize]byte
copy(key[:], rawKey)
zero(rawKey)
return &key
}
func main() {
var pass, salt string
fmt.Printf("pass:"******"%v", &pass)
fmt.Printf("salt:")
fmt.Scanf("%v", &salt)
key, err := scrypt.Key([]byte(pass), []byte(salt), 16384, 8, 1, 32)
check(err)
err = ioutil.WriteFile("blobstash.key", key, 0644)
check(err)
}
func calculateHash(pass string, salt []byte) ([]byte, error) {
const (
N = 16384
r = 8
p = 1
keyLen = 32
)
bpass := []byte(pass)
return scrypt.Key(bpass, salt, N, r, p, keyLen)
}
func DeriveKey(password, salt []byte, N, r, p, n int) (key *Key, err error) {
// Derive key using password and salt.
k, err := scrypt.Key(password, salt, N, r, p, n)
if err != nil {
return
}
subtle.ConstantTimeCopy(1, key[:], k)
return
}
func validateMeshID(id *MeshID) bool {
now := time.Now().Unix()
if id.T > now || (now-id.T) > nidMaxAge {
return false
}
stampSha := sha512.New()
stampSha.Write([]byte(strconv.FormatInt(id.T, 10)))
stampSha.Write(id.S)
stampHash := stampSha.Sum(nil)
aHash, err := scrypt.Key(stampHash[:], []byte(strconv.FormatUint(uint64(id.A), 10)),
nidScrN, nidScrR, nidScrP, 32)
if err != nil {
panic(err)
}
bHash, err := scrypt.Key(stampHash[:], []byte(strconv.FormatUint(uint64(id.B), 10)),
nidScrN, nidScrR, nidScrP, 32)
if err != nil {
panic(err)
}
if bitPrefix(aHash, nidPreBits) != bitPrefix(bHash, nidPreBits) {
return false
}
text := fmt.Sprintf("%d%d", id.A, id.B)
codeSha := sha512.New()
codeSha.Write(id.S)
codeSha.Write([]byte(text))
code := codeSha.Sum(nil)[32:64]
if hex.EncodeToString(id.ID) != hex.EncodeToString(code) {
return false
}
return true
}
func (sf *StateFile) deriveKey(pw string) error {
if len(pw) == 0 && sf.header.Scrypt != nil {
return BadPasswordError
}
params := sf.header.Scrypt
key, err := scrypt.Key([]byte(pw), sf.header.KdfSalt, int(params.GetN()), int(params.GetR()), int(params.GetP()), kdfKeyLen)
if err != nil {
return err
}
copy(sf.key[:], key)
return nil
}
func (a *AuthChallengeProvider) DeriveKey(password string, salt []byte) []byte {
if password == "" {
return nil
}
key, err := scrypt.Key([]byte(password), salt, 16384, 8, 1, 32)
if err != nil {
panic(err)
}
return key
}
func (store *FilesystemPasteStore) EncryptionKeyForPasteWithPassword(p *Paste, password string) []byte {
if password == "" {
return nil
}
key, err := scrypt.Key([]byte(password), []byte(p.encryptionSalt), 16384, 8, 1, 32)
if err != nil {
panic(err)
}
return key
}
func genKey(conn *userConn, pass, salt []byte) (key string, err error) {
// Generate their salted, hashed password.
keyBytes, err := scrypt.Key(pass, salt, 16384, 8, 1, 32)
if err != nil {
// If you can get here, it's probably
// because of a bad password.
sendAuthFail(conn, "Invalid Password")
return "", err
}
return string(keyBytes), nil
}
// NewScrypt returns a new key derivation function that uses scrypt to do
// the derivation. The returned key will be 32 bytes in size.
// If N, r, or p are invalid nil and an error are returned.
// See code.google.com/p/go.crypto/scrypt#Key for details on proper values for
// N, r, and p.
func NewScrypt(N, r, p int) (func(salt, password []byte) []byte, error) {
// The following two checks where copied directly from the scrypt implementation.
if N <= 1 || N&(N-1) != 0 {
return nil, errors.New("scrypt: N must be > 1 and a power of 2")
}
if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
return nil, errors.New("scrypt: parameters are too large")
}
return func(salt, password []byte) []byte {
key, _ := scrypt.Key(password, salt, N, r, p, 32)
return key
}, nil
}
func (u *User) SetPassword(password string) {
var err error
u.PasswordSalt = make([]byte, 16)
_, err = rand.Read(u.PasswordSalt)
if err != nil {
panic(err)
}
u.PasswordHash, err = scrypt.Key([]byte(password), u.PasswordSalt, 16384, 8, 1, 32)
if err != nil {
panic(err)
}
}
func (kx *KeyExchange) derivePassword() error {
serialised, err := proto.Marshal(kx.sharedSecret.toProto())
if err != nil {
return err
}
if kx.Testing {
h := sha256.New()
h.Write([]byte{0})
h.Write(serialised)
h.Sum(kx.key[:0])
h.Reset()
h.Write([]byte{1})
h.Write(serialised)
h.Sum(kx.meeting1[:0])
h.Reset()
h.Write([]byte{2})
h.Write(serialised)
h.Sum(kx.meeting2[:0])
} else {
data, err := scrypt.Key(serialised, nil, 1<<17, 16, 4, 32*3)
if err != nil {
return err
}
copy(kx.key[:], data)
copy(kx.meeting1[:], data[32:])
copy(kx.meeting2[:], data[64:])
}
var encryptedDHPublic [32]byte
rijndael.NewCipher(&kx.key).Encrypt(&encryptedDHPublic, &kx.dhPublic)
l := len(encryptedDHPublic)
if padding := kx.meetingPlace.Padding(); l > padding {
return errors.New("panda: initial message too large for meeting place")
} else if l < padding {
l = padding
}
kx.message1 = make([]byte, l)
copy(kx.message1, encryptedDHPublic[:])
if _, err := io.ReadFull(kx.rand, kx.message1[len(encryptedDHPublic):]); err != nil {
return err
}
return nil
}
// runtime is roughly proportional to r * p which must be less than 1 << 30
// this is intended to be SLOW, to foil brute force password attacks.
func main() {
password := []byte("this is my key")
salt := mdr.UdevRandomBlock(8)
N := 16384
r := 8
p := 1
keyLen := 32
newKey, err := scrypt.Key(password, salt, N, r, p, keyLen)
if err != nil {
mdr.FatalError(err)
}
fmt.Printf("newKey : %x\n", newKey)
fmt.Printf("r * p (%d) < (%d) \n", r*p, 1<<30)
fmt.Printf("done\n")
}
func NewSecret(password []byte) (secret *Secret, err error) {
secret = new(Secret)
secret.Salt, err = Random(16)
if err != nil {
return
}
key, err := scrypt.Key(password, secret.Salt, 16384, 8, 1, 32)
if err != nil {
return
}
copy(secret.Key[:], key)
return
}
func deriveKey(salt []byte) *[keyvault.KeyLen]byte {
password, err := readpass.PasswordPromptBytes("Vault password: "******"Failed to read password: %v\n", err)
os.Exit(1)
}
key, err := scrypt.Key(password, salt, 16384, 8, 1, keyvault.KeyLen)
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to derive key: %v\n", err)
os.Exit(1)
}
var vaultKey [keyvault.KeyLen]byte
copy(vaultKey[:], key)
return &vaultKey
}
// encrypt uses scrypt
// https://code.google.com/p/go/source/browse/?repo=crypto#hg%2Fscrypt
// to derive a secure key
func encrypt(salt string, clearstr string) (crypt string, err error) {
saltBytes, err := hex.DecodeString(salt)
if err != nil {
glog.Errorf("Undecodable pw_salt (%s)", salt)
return
}
combined := make([]byte, 64+32)
_ = copy(combined[0:64], Conf.ServerKey)
_ = copy(combined[64:], saltBytes)
cryptBytes, err := scrypt.Key([]byte(clearstr), combined, 16384, 8, 1, 64)
if err != nil {
glog.Errorf("Failure in execution of scrypt: %s", err)
}
crypt = hex.EncodeToString(cryptBytes)
return crypt, err
}