From 8c056aebe10c8c56f7c25889780b04e00f9ca00b Mon Sep 17 00:00:00 2001 From: Gustav Simonsson Date: Wed, 4 Feb 2015 17:06:06 +0100 Subject: Set both key generation and ECDSA nonce to use mixed entropy * Move random entropy functions to new package randentropy * Add function to get n bytes entropy where up to first 32 bytes are mixed with OS entropy sources --- crypto/key_store_passphrase.go | 15 ++----- crypto/key_store_test.go | 8 ++-- crypto/randentropy/rand_entropy.go | 82 ++++++++++++++++++++++++++++++++++++++ crypto/secp256k1/secp256.go | 5 ++- 4 files changed, 92 insertions(+), 18 deletions(-) create mode 100644 crypto/randentropy/rand_entropy.go diff --git a/crypto/key_store_passphrase.go b/crypto/key_store_passphrase.go index 0862b7886..74408f874 100644 --- a/crypto/key_store_passphrase.go +++ b/crypto/key_store_passphrase.go @@ -68,10 +68,10 @@ import ( "code.google.com/p/go.crypto/scrypt" "crypto/aes" "crypto/cipher" - crand "crypto/rand" "encoding/hex" "encoding/json" "errors" + "github.com/ethereum/go-ethereum/crypto/randentropy" "io" "os" "path" @@ -116,7 +116,7 @@ func (ks keyStorePassphrase) GetKeyAddresses() (addresses [][]byte, err error) { func (ks keyStorePassphrase) StoreKey(key *Key, auth string) (err error) { authArray := []byte(auth) - salt := GetEntropyCSPRNG(32) + salt := randentropy.GetEntropyMixed(32) derivedKey, err := scrypt.Key(authArray, salt, scryptN, scryptr, scryptp, scryptdkLen) if err != nil { return err @@ -131,7 +131,7 @@ func (ks keyStorePassphrase) StoreKey(key *Key, auth string) (err error) { return err } - iv := GetEntropyCSPRNG(aes.BlockSize) // 16 + iv := randentropy.GetEntropyMixed(aes.BlockSize) // 16 AES256CBCEncrypter := cipher.NewCBCEncrypter(AES256Block, iv) cipherText := make([]byte, len(toEncrypt)) AES256CBCEncrypter.CryptBlocks(cipherText, toEncrypt) @@ -196,12 +196,3 @@ func DecryptKey(ks keyStorePassphrase, keyAddr []byte, auth string) (keyBytes [] } return keyBytes, keyId, err } - -func GetEntropyCSPRNG(n int) []byte { - mainBuff := make([]byte, n) - _, err := io.ReadFull(crand.Reader, mainBuff) - if err != nil { - panic("key generation: reading from crypto/rand failed: " + err.Error()) - } - return mainBuff -} diff --git a/crypto/key_store_test.go b/crypto/key_store_test.go index 0d229ab65..a136ba992 100644 --- a/crypto/key_store_test.go +++ b/crypto/key_store_test.go @@ -1,7 +1,7 @@ package crypto import ( - crand "crypto/rand" + "github.com/ethereum/go-ethereum/crypto/randentropy" "reflect" "testing" ) @@ -9,7 +9,7 @@ import ( func TestKeyStorePlain(t *testing.T) { ks := NewKeyStorePlain(DefaultDataDir()) pass := "" // not used but required by API - k1, err := ks.GenerateNewKey(crand.Reader, pass) + k1, err := ks.GenerateNewKey(new(randentropy.RandEntropy), pass) if err != nil { t.Fatal(err) } @@ -37,7 +37,7 @@ func TestKeyStorePlain(t *testing.T) { func TestKeyStorePassphrase(t *testing.T) { ks := NewKeyStorePassphrase(DefaultDataDir()) pass := "foo" - k1, err := ks.GenerateNewKey(crand.Reader, pass) + k1, err := ks.GenerateNewKey(new(randentropy.RandEntropy), pass) if err != nil { t.Fatal(err) } @@ -63,7 +63,7 @@ func TestKeyStorePassphrase(t *testing.T) { func TestKeyStorePassphraseDecryptionFail(t *testing.T) { ks := NewKeyStorePassphrase(DefaultDataDir()) pass := "foo" - k1, err := ks.GenerateNewKey(crand.Reader, pass) + k1, err := ks.GenerateNewKey(new(randentropy.RandEntropy), pass) if err != nil { t.Fatal(err) } diff --git a/crypto/randentropy/rand_entropy.go b/crypto/randentropy/rand_entropy.go new file mode 100644 index 000000000..28181030c --- /dev/null +++ b/crypto/randentropy/rand_entropy.go @@ -0,0 +1,82 @@ +package randentropy + +import ( + crand "crypto/rand" + "encoding/binary" + "github.com/ethereum/go-ethereum/crypto/sha3" + "io" + "os" + "strings" + "time" +) + +type RandEntropy struct { +} + +func (*RandEntropy) Read(bytes []byte) (n int, err error) { + readBytes := GetEntropyMixed(len(bytes)) + copy(bytes, readBytes) + return len(bytes), nil +} + +// TODO: copied from crypto.go , move to sha3 package? +func Sha3(data []byte) []byte { + d := sha3.NewKeccak256() + d.Write(data) + + return d.Sum(nil) +} + +// TODO: verify. this needs to be audited +// we start with crypt/rand, then XOR in additional entropy from OS +func GetEntropyMixed(n int) []byte { + startTime := time.Now().UnixNano() + // for each source, we take SHA3 of the source and use it as seed to math/rand + // then read bytes from it and XOR them onto the bytes read from crypto/rand + mainBuff := GetEntropyCSPRNG(n) + // 1. OS entropy sources + startTimeBytes := make([]byte, 32) + binary.PutVarint(startTimeBytes, startTime) + startTimeHash := Sha3(startTimeBytes) + mixBytes(mainBuff, startTimeHash) + + pid := os.Getpid() + pidBytes := make([]byte, 32) + binary.PutUvarint(pidBytes, uint64(pid)) + pidHash := Sha3(pidBytes) + mixBytes(mainBuff, pidHash) + + osEnv := os.Environ() + osEnvBytes := []byte(strings.Join(osEnv, "")) + osEnvHash := Sha3(osEnvBytes) + mixBytes(mainBuff, osEnvHash) + + // not all OS have hostname in env variables + osHostName, err := os.Hostname() + if err != nil { + osHostNameBytes := []byte(osHostName) + osHostNameHash := Sha3(osHostNameBytes) + mixBytes(mainBuff, osHostNameHash) + } + return mainBuff +} + +func GetEntropyCSPRNG(n int) []byte { + mainBuff := make([]byte, n) + _, err := io.ReadFull(crand.Reader, mainBuff) + if err != nil { + panic("reading from crypto/rand failed: " + err.Error()) + } + return mainBuff +} + +func mixBytes(buff []byte, mixBuff []byte) []byte { + bytesToMix := len(buff) + if bytesToMix > 32 { + bytesToMix = 32 + } + for i := 0; i < bytesToMix; i++ { + buff[i] ^= mixBuff[i] + } + return buff +} diff --git a/crypto/secp256k1/secp256.go b/crypto/secp256k1/secp256.go index c01598b84..c1e37629e 100644 --- a/crypto/secp256k1/secp256.go +++ b/crypto/secp256k1/secp256.go @@ -15,6 +15,7 @@ import "C" import ( "bytes" "errors" + "github.com/ethereum/go-ethereum/crypto/randentropy" "unsafe" ) @@ -68,7 +69,7 @@ func GenerateKeyPair() ([]byte, []byte) { const seckey_len = 32 var pubkey []byte = make([]byte, pubkey_len) - var seckey []byte = RandByte(seckey_len) + var seckey []byte = randentropy.GetEntropyMixed(seckey_len) var pubkey_ptr *C.uchar = (*C.uchar)(unsafe.Pointer(&pubkey[0])) var seckey_ptr *C.uchar = (*C.uchar)(unsafe.Pointer(&seckey[0])) @@ -124,7 +125,7 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *msg, int msglen, */ func Sign(msg []byte, seckey []byte) ([]byte, error) { - nonce := RandByte(32) + nonce := randentropy.GetEntropyMixed(32) var sig []byte = make([]byte, 65) var recid C.int -- cgit v1.2.3