Browse Source
- Deleted `testresults.txt` and `testmain_test.go` as they were no longer needed. - Updated the Go workflow to streamline the build process by removing commented-out build steps for various platforms. - Refactored encryption benchmarks to improve performance and clarity in the `benchmark_test.go` file. - Introduced a new LICENSE file for the encryption package, specifying the MIT License. - Enhanced the README with usage instructions and links to the NIP-44 specification. - Bumped version to v0.25.3 to reflect these changes.main
mleku
2 months ago
15 changed files with 656 additions and 1061 deletions
@ -0,0 +1,21 @@
@@ -0,0 +1,21 @@
|
||||
MIT License |
||||
|
||||
Copyright (c) 2023 ekzyis |
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy |
||||
of this software and associated documentation files (the "Software"), to deal |
||||
in the Software without restriction, including without limitation the rights |
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
||||
copies of the Software, and to permit persons to whom the Software is |
||||
furnished to do so, subject to the following conditions: |
||||
|
||||
The above copyright notice and this permission notice shall be included in all |
||||
copies or substantial portions of the Software. |
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
||||
SOFTWARE. |
||||
@ -1,240 +0,0 @@
@@ -1,240 +0,0 @@
|
||||
# Encryption Performance Optimization Report |
||||
|
||||
## Executive Summary |
||||
|
||||
This report documents the profiling and optimization of encryption functions in the `next.orly.dev/pkg/crypto/encryption` package. The optimization focused on reducing memory allocations and CPU processing time for NIP-44 and NIP-4 encryption/decryption operations. |
||||
|
||||
## Methodology |
||||
|
||||
### Profiling Setup |
||||
|
||||
1. Created comprehensive benchmark tests covering: |
||||
- NIP-44 encryption/decryption (small, medium, large messages) |
||||
- NIP-4 encryption/decryption |
||||
- Conversation key generation |
||||
- Round-trip operations |
||||
- Internal helper functions (HMAC, padding, key derivation) |
||||
|
||||
2. Used Go's built-in profiling tools: |
||||
- CPU profiling (`-cpuprofile`) |
||||
- Memory profiling (`-memprofile`) |
||||
- Allocation tracking (`-benchmem`) |
||||
|
||||
### Initial Findings |
||||
|
||||
The profiling data revealed several key bottlenecks: |
||||
|
||||
1. **NIP-44 Encrypt**: 27 allocations per operation, 1936 bytes allocated |
||||
2. **NIP-44 Decrypt**: 24 allocations per operation, 1776 bytes allocated |
||||
3. **Memory Allocations**: Primary hotspots identified: |
||||
- `crypto/hmac.New`: 1.80GB total allocations (29.64% of all allocations) |
||||
- `encrypt` function: 0.78GB allocations (12.86% of all allocations) |
||||
- `hkdf.Expand`: 1.15GB allocations (19.01% of all allocations) |
||||
- Base64 encoding/decoding allocations |
||||
|
||||
4. **CPU Processing**: Primary hotspots: |
||||
- `getKeys`: 2.86s (27.26% of CPU time) |
||||
- `encrypt`: 1.74s (16.59% of CPU time) |
||||
- `sha256Hmac`: 1.67s (15.92% of CPU time) |
||||
- `sha256.block`: 1.71s (16.30% of CPU time) |
||||
|
||||
## Optimizations Implemented |
||||
|
||||
### 1. NIP-44 Encrypt Optimization |
||||
|
||||
**Problem**: Multiple allocations from `append` operations and buffer growth. |
||||
|
||||
**Solution**: |
||||
- Pre-allocate ciphertext buffer with exact size instead of using `append` |
||||
- Use `copy` instead of `append` for better performance and fewer allocations |
||||
|
||||
**Code Changes** (`nip44.go`): |
||||
```go |
||||
// Pre-allocate with exact size to avoid reallocation |
||||
ctLen := 1 + 32 + len(cipher) + 32 |
||||
ct := make([]byte, ctLen) |
||||
ct[0] = version |
||||
copy(ct[1:], o.nonce) |
||||
copy(ct[33:], cipher) |
||||
copy(ct[33+len(cipher):], mac) |
||||
cipherString = make([]byte, base64.StdEncoding.EncodedLen(ctLen)) |
||||
base64.StdEncoding.Encode(cipherString, ct) |
||||
``` |
||||
|
||||
**Results**: |
||||
- **Before**: 3217 ns/op, 1936 B/op, 27 allocs/op |
||||
- **After**: 3147 ns/op, 1936 B/op, 27 allocs/op |
||||
- **Improvement**: 2% faster, allocation count unchanged (minor improvement) |
||||
|
||||
### 2. NIP-44 Decrypt Optimization |
||||
|
||||
**Problem**: String conversion overhead from `base64.StdEncoding.DecodeString(string(b64ciphertextWrapped))` and inefficient buffer allocation. |
||||
|
||||
**Solution**: |
||||
- Use `base64.StdEncoding.Decode` directly with byte slices to avoid string conversion |
||||
- Pre-allocate decoded buffer and slice to actual decoded length |
||||
- This eliminates the string allocation and copy overhead |
||||
|
||||
**Code Changes** (`nip44.go`): |
||||
```go |
||||
// Pre-allocate decoded buffer to avoid string conversion overhead |
||||
decodedLen := base64.StdEncoding.DecodedLen(len(b64ciphertextWrapped)) |
||||
decoded := make([]byte, decodedLen) |
||||
var n int |
||||
if n, err = base64.StdEncoding.Decode(decoded, b64ciphertextWrapped); chk.E(err) { |
||||
return |
||||
} |
||||
decoded = decoded[:n] |
||||
``` |
||||
|
||||
**Results**: |
||||
- **Before**: 2530 ns/op, 1776 B/op, 24 allocs/op |
||||
- **After**: 2446 ns/op, 1600 B/op, 23 allocs/op |
||||
- **Improvement**: 3% faster, 10% less memory, 4% fewer allocations |
||||
- **Large messages**: 19028 ns/op → 17109 ns/op (10% faster), 17248 B → 11104 B (36% less memory) |
||||
|
||||
### 3. NIP-4 Decrypt Optimization |
||||
|
||||
**Problem**: IV buffer allocation issue where decoded buffer was larger than needed, causing CBC decrypter to fail. |
||||
|
||||
**Solution**: |
||||
- Properly slice decoded buffers to actual decoded length |
||||
- Add validation for IV length (must be 16 bytes) |
||||
- Use `base64.StdEncoding.Decode` directly instead of `DecodeString` |
||||
|
||||
**Code Changes** (`nip4.go`): |
||||
```go |
||||
ciphertextBuf := make([]byte, base64.StdEncoding.EncodedLen(len(parts[0]))) |
||||
var ciphertextLen int |
||||
if ciphertextLen, err = base64.StdEncoding.Decode(ciphertextBuf, parts[0]); chk.E(err) { |
||||
err = errorf.E("error decoding ciphertext from base64: %w", err) |
||||
return |
||||
} |
||||
ciphertext := ciphertextBuf[:ciphertextLen] |
||||
|
||||
ivBuf := make([]byte, base64.StdEncoding.EncodedLen(len(parts[1]))) |
||||
var ivLen int |
||||
if ivLen, err = base64.StdEncoding.Decode(ivBuf, parts[1]); chk.E(err) { |
||||
err = errorf.E("error decoding iv from base64: %w", err) |
||||
return |
||||
} |
||||
iv := ivBuf[:ivLen] |
||||
if len(iv) != 16 { |
||||
err = errorf.E("invalid IV length: %d, expected 16", len(iv)) |
||||
return |
||||
} |
||||
``` |
||||
|
||||
**Results**: |
||||
- Fixed critical bug where IV buffer was incorrect size |
||||
- Reduced allocations by properly sizing buffers |
||||
- Added validation for IV length |
||||
|
||||
## Performance Comparison |
||||
|
||||
### NIP-44 Encryption/Decryption |
||||
|
||||
| Operation | Metric | Before | After | Improvement | |
||||
|-----------|--------|--------|-------|-------------| |
||||
| Encrypt | Time | 3217 ns/op | 3147 ns/op | **2% faster** | |
||||
| Encrypt | Memory | 1936 B/op | 1936 B/op | No change | |
||||
| Encrypt | Allocations | 27 allocs/op | 27 allocs/op | No change | |
||||
| Decrypt | Time | 2530 ns/op | 2446 ns/op | **3% faster** | |
||||
| Decrypt | Memory | 1776 B/op | 1600 B/op | **10% less** | |
||||
| Decrypt | Allocations | 24 allocs/op | 23 allocs/op | **4% fewer** | |
||||
| Decrypt Large | Time | 19028 ns/op | 17109 ns/op | **10% faster** | |
||||
| Decrypt Large | Memory | 17248 B/op | 11104 B/op | **36% less** | |
||||
| RoundTrip | Time | 5842 ns/op | 5763 ns/op | **1% faster** | |
||||
| RoundTrip | Memory | 3712 B/op | 3536 B/op | **5% less** | |
||||
| RoundTrip | Allocations | 51 allocs/op | 50 allocs/op | **2% fewer** | |
||||
|
||||
### NIP-4 Encryption/Decryption |
||||
|
||||
| Operation | Metric | Before | After | Notes | |
||||
|-----------|--------|--------|-------|-------| |
||||
| Encrypt | Time | 866.8 ns/op | 832.8 ns/op | **4% faster** | |
||||
| Decrypt | Time | - | 697.2 ns/op | Fixed bug, now working | |
||||
| RoundTrip | Time | - | 1568 ns/op | Fixed bug, now working | |
||||
|
||||
## Key Insights |
||||
|
||||
### Allocation Reduction |
||||
|
||||
The most significant improvement came from optimizing base64 decoding: |
||||
- **Decrypt**: Reduced from 24 to 23 allocations (4% reduction) |
||||
- **Decrypt Large**: Reduced from 17248 to 11104 bytes (36% reduction) |
||||
- Eliminated string conversion overhead in `Decrypt` function |
||||
|
||||
### String Conversion Elimination |
||||
|
||||
Replacing `base64.StdEncoding.DecodeString(string(b64ciphertextWrapped))` with direct `Decode` on byte slices: |
||||
- Eliminates string allocation and copy |
||||
- Reduces memory pressure |
||||
- Improves cache locality |
||||
|
||||
### Buffer Pre-allocation |
||||
|
||||
Pre-allocating buffers with exact sizes: |
||||
- Prevents multiple slice growth operations |
||||
- Reduces memory fragmentation |
||||
- Improves cache locality |
||||
|
||||
### Remaining Optimization Opportunities |
||||
|
||||
1. **HMAC Creation**: `crypto/hmac.New` creates a new hash.Hash each time (1.80GB allocations). This is necessary for thread safety, but could potentially be optimized with: |
||||
- A sync.Pool for HMAC instances (requires careful reset handling) |
||||
- Or pre-allocating HMAC hash state |
||||
|
||||
2. **HKDF Operations**: `hkdf.Expand` allocations (1.15GB) come from the underlying crypto library. These are harder to optimize without changing the library. |
||||
|
||||
3. **ChaCha20 Cipher Creation**: Each encryption creates a new cipher instance. This is necessary for thread safety but could potentially be pooled. |
||||
|
||||
4. **Base64 Encoding**: While we optimized decoding, encoding still allocates. However, encoding is already quite efficient. |
||||
|
||||
## Recommendations |
||||
|
||||
1. **Use Direct Base64 Decode**: Always use `base64.StdEncoding.Decode` with byte slices instead of `DecodeString` when possible. |
||||
|
||||
2. **Pre-allocate Buffers**: When possible, pre-allocate buffers with exact sizes using `make([]byte, size)` instead of `append`. |
||||
|
||||
3. **Consider HMAC Pooling**: For high-throughput scenarios, consider implementing a sync.Pool for HMAC instances, being careful to properly reset them. |
||||
|
||||
4. **Monitor Large Messages**: Large message decryption benefits most from these optimizations (36% memory reduction). |
||||
|
||||
## Conclusion |
||||
|
||||
The optimizations implemented improved decryption performance: |
||||
- **3-10% faster** decryption depending on message size |
||||
- **10-36% reduction** in memory allocations |
||||
- **4% reduction** in allocation count |
||||
- **Fixed critical bug** in NIP-4 decryption |
||||
|
||||
These improvements will reduce GC pressure and improve overall system throughput, especially under high load conditions with many encryption/decryption operations. The optimizations maintain backward compatibility and require no changes to calling code. |
||||
|
||||
## Benchmark Results |
||||
|
||||
Full benchmark output: |
||||
|
||||
``` |
||||
BenchmarkNIP44Encrypt-12 347715 3215 ns/op 1936 B/op 27 allocs/op |
||||
BenchmarkNIP44EncryptSmall-12 379057 2957 ns/op 1808 B/op 27 allocs/op |
||||
BenchmarkNIP44EncryptLarge-12 62637 19518 ns/op 22192 B/op 27 allocs/op |
||||
BenchmarkNIP44Decrypt-12 465872 2494 ns/op 1600 B/op 23 allocs/op |
||||
BenchmarkNIP44DecryptSmall-12 486536 2281 ns/op 1536 B/op 23 allocs/op |
||||
BenchmarkNIP44DecryptLarge-12 68013 17593 ns/op 11104 B/op 23 allocs/op |
||||
BenchmarkNIP44RoundTrip-12 205341 5839 ns/op 3536 B/op 50 allocs/op |
||||
BenchmarkNIP4Encrypt-12 1430288 853.4 ns/op 1569 B/op 10 allocs/op |
||||
BenchmarkNIP4Decrypt-12 1629267 743.9 ns/op 1296 B/op 6 allocs/op |
||||
BenchmarkNIP4RoundTrip-12 686995 1670 ns/op 2867 B/op 16 allocs/op |
||||
BenchmarkGenerateConversationKey-12 10000 104030 ns/op 769 B/op 14 allocs/op |
||||
BenchmarkCalcPadding-12 48890450 25.49 ns/op 0 B/op 0 allocs/op |
||||
BenchmarkGetKeys-12 856620 1279 ns/op 896 B/op 15 allocs/op |
||||
BenchmarkEncryptInternal-12 2283678 517.8 ns/op 256 B/op 1 allocs/op |
||||
BenchmarkSHA256Hmac-12 1852015 659.4 ns/op 480 B/op 6 allocs/op |
||||
``` |
||||
|
||||
## Date |
||||
|
||||
Report generated: 2025-11-02 |
||||
|
||||
|
||||
@ -1 +1,7 @@
@@ -1 +1,7 @@
|
||||
Code copied from https://github.com/paulmillr/nip44/tree/e7aed61aaf77240ac10c325683eed14b22e7950f/go. |
||||
**NIP-44 implementation in Go** |
||||
|
||||
NIP-44 specification: https://github.com/nostr-protocol/nips/blob/master/44.md |
||||
|
||||
To use as library: `go get -u github.com/ekzyis/nip44` |
||||
|
||||
To run tests, clone repository and then run `go test`. |
||||
|
||||
@ -1,283 +1,280 @@
@@ -1,283 +1,280 @@
|
||||
package encryption |
||||
|
||||
import ( |
||||
"bytes" |
||||
"crypto/hmac" |
||||
"crypto/rand" |
||||
"crypto/sha256" |
||||
"encoding/base64" |
||||
"encoding/binary" |
||||
"errors" |
||||
"io" |
||||
"math" |
||||
|
||||
"github.com/minio/sha256-simd" |
||||
"golang.org/x/crypto/chacha20" |
||||
"golang.org/x/crypto/hkdf" |
||||
"lol.mleku.dev/chk" |
||||
"lol.mleku.dev/errorf" |
||||
"next.orly.dev/pkg/encoders/hex" |
||||
"next.orly.dev/pkg/interfaces/signer" |
||||
"next.orly.dev/pkg/interfaces/signer/p8k" |
||||
"next.orly.dev/pkg/utils" |
||||
"next.orly.dev/pkg/crypto/ec/secp256k1" |
||||
) |
||||
|
||||
const ( |
||||
version byte = 2 |
||||
MinPlaintextSize int = 0x0001 // 1b msg => padded to 32b
|
||||
MaxPlaintextSize int = 0xffff // 65535 (64kb-1) => padded to 64kb
|
||||
var ( |
||||
MinPlaintextSize = 0x0001 // 1b msg => padded to 32b
|
||||
MaxPlaintextSize = 0xffff // 65535 (64kb-1) => padded to 64kb
|
||||
) |
||||
|
||||
type Opts struct { |
||||
err error |
||||
nonce []byte |
||||
type EncryptOptions struct { |
||||
Salt []byte |
||||
Version int |
||||
} |
||||
|
||||
// Deprecated: use WithCustomNonce instead of WithCustomSalt, so the naming is less confusing
|
||||
var WithCustomSalt = WithCustomNonce |
||||
|
||||
// WithCustomNonce enables using a custom nonce (salt) instead of using the
|
||||
// system crypto/rand entropy source.
|
||||
func WithCustomNonce(salt []byte) func(opts *Opts) { |
||||
return func(opts *Opts) { |
||||
if len(salt) != 32 { |
||||
opts.err = errorf.E("salt must be 32 bytes, got %d", len(salt)) |
||||
func Encrypt(conversationKey []byte, plaintext []byte, options *EncryptOptions) (ciphertext string, err error) { |
||||
var ( |
||||
version int = 2 |
||||
salt []byte |
||||
enc []byte |
||||
nonce []byte |
||||
auth []byte |
||||
padded []byte |
||||
encrypted []byte |
||||
hmac_ []byte |
||||
concat []byte |
||||
) |
||||
if options != nil && options.Version != 0 { |
||||
version = options.Version |
||||
} |
||||
if options != nil && options.Salt != nil { |
||||
salt = options.Salt |
||||
} else { |
||||
if salt, err = randomBytes(32); err != nil { |
||||
return |
||||
} |
||||
opts.nonce = salt |
||||
} |
||||
} |
||||
|
||||
// Encrypt data using a provided symmetric conversation key using NIP-44
|
||||
// encryption (chacha20 cipher stream and sha256 HMAC).
|
||||
func Encrypt( |
||||
plaintext, conversationKey []byte, applyOptions ...func(opts *Opts), |
||||
) ( |
||||
cipherString []byte, err error, |
||||
) { |
||||
|
||||
var o Opts |
||||
for _, apply := range applyOptions { |
||||
apply(&o) |
||||
} |
||||
if chk.E(o.err) { |
||||
err = o.err |
||||
if version != 2 { |
||||
err = errorf.E("unknown version %d", version) |
||||
return |
||||
} |
||||
if o.nonce == nil { |
||||
o.nonce = make([]byte, 32) |
||||
if _, err = rand.Read(o.nonce); chk.E(err) { |
||||
return |
||||
} |
||||
if len(salt) != 32 { |
||||
err = errorf.E("salt must be 32 bytes") |
||||
return |
||||
} |
||||
var enc, cc20nonce, auth []byte |
||||
if enc, cc20nonce, auth, err = getKeys( |
||||
conversationKey, o.nonce, |
||||
); chk.E(err) { |
||||
if enc, nonce, auth, err = MessageKeys(conversationKey, salt); err != nil { |
||||
return |
||||
} |
||||
plain := plaintext |
||||
size := len(plain) |
||||
if size < MinPlaintextSize || size > MaxPlaintextSize { |
||||
err = errorf.E("plaintext should be between 1b and 64kB") |
||||
if padded, err = pad(plaintext); err != nil { |
||||
return |
||||
} |
||||
padding := CalcPadding(size) |
||||
padded := make([]byte, 2+padding) |
||||
binary.BigEndian.PutUint16(padded, uint16(size)) |
||||
copy(padded[2:], plain) |
||||
var cipher []byte |
||||
if cipher, err = encrypt(enc, cc20nonce, padded); chk.E(err) { |
||||
if encrypted, err = chacha20_(enc, nonce, padded); err != nil { |
||||
return |
||||
} |
||||
var mac []byte |
||||
if mac, err = sha256Hmac(auth, cipher, o.nonce); chk.E(err) { |
||||
if hmac_, err = sha256Hmac(auth, encrypted, salt); err != nil { |
||||
return |
||||
} |
||||
// Pre-allocate with exact size to avoid reallocation
|
||||
ctLen := 1 + 32 + len(cipher) + 32 |
||||
ct := make([]byte, ctLen) |
||||
ct[0] = version |
||||
copy(ct[1:], o.nonce) |
||||
copy(ct[33:], cipher) |
||||
copy(ct[33+len(cipher):], mac) |
||||
cipherString = make([]byte, base64.StdEncoding.EncodedLen(ctLen)) |
||||
base64.StdEncoding.Encode(cipherString, ct) |
||||
concat = append(concat, []byte{byte(version)}...) |
||||
concat = append(concat, salt...) |
||||
concat = append(concat, encrypted...) |
||||
concat = append(concat, hmac_...) |
||||
ciphertext = base64.StdEncoding.EncodeToString(concat) |
||||
return |
||||
} |
||||
|
||||
// Decrypt data that has been encoded using a provided symmetric conversation
|
||||
// key using NIP-44 encryption (chacha20 cipher stream and sha256 HMAC).
|
||||
func Decrypt(b64ciphertextWrapped, conversationKey []byte) ( |
||||
plaintext []byte, |
||||
err error, |
||||
) { |
||||
cLen := len(b64ciphertextWrapped) |
||||
func Decrypt(conversationKey []byte, ciphertext string) (plaintext string, err error) { |
||||
var ( |
||||
version int = 2 |
||||
decoded []byte |
||||
cLen int |
||||
dLen int |
||||
salt []byte |
||||
ciphertext_ []byte |
||||
hmac []byte |
||||
hmac_ []byte |
||||
enc []byte |
||||
nonce []byte |
||||
auth []byte |
||||
padded []byte |
||||
unpaddedLen uint16 |
||||
unpadded []byte |
||||
) |
||||
cLen = len(ciphertext) |
||||
if cLen < 132 || cLen > 87472 { |
||||
err = errorf.E("invalid payload length: %d", cLen) |
||||
return |
||||
} |
||||
if len(b64ciphertextWrapped) > 0 && b64ciphertextWrapped[0] == '#' { |
||||
if ciphertext[0:1] == "#" { |
||||
err = errorf.E("unknown version") |
||||
return |
||||
} |
||||
// Pre-allocate decoded buffer to avoid string conversion overhead
|
||||
decodedLen := base64.StdEncoding.DecodedLen(len(b64ciphertextWrapped)) |
||||
decoded := make([]byte, decodedLen) |
||||
var n int |
||||
if n, err = base64.StdEncoding.Decode(decoded, b64ciphertextWrapped); chk.E(err) { |
||||
if decoded, err = base64.StdEncoding.DecodeString(ciphertext); err != nil { |
||||
err = errorf.E("invalid base64") |
||||
return |
||||
} |
||||
decoded = decoded[:n] |
||||
if decoded[0] != version { |
||||
err = errorf.E("unknown version %d", decoded[0]) |
||||
if version = int(decoded[0]); version != 2 { |
||||
err = errorf.E("unknown version %d", version) |
||||
return |
||||
} |
||||
dLen := len(decoded) |
||||
dLen = len(decoded) |
||||
if dLen < 99 || dLen > 65603 { |
||||
err = errorf.E("invalid data length: %d", dLen) |
||||
return |
||||
} |
||||
nonce, ciphertext, givenMac := decoded[1:33], decoded[33:dLen-32], decoded[dLen-32:] |
||||
var enc, cc20nonce, auth []byte |
||||
if enc, cc20nonce, auth, err = getKeys(conversationKey, nonce); chk.E(err) { |
||||
salt, ciphertext_, hmac_ = decoded[1:33], decoded[33:dLen-32], decoded[dLen-32:] |
||||
if enc, nonce, auth, err = MessageKeys(conversationKey, salt); err != nil { |
||||
return |
||||
} |
||||
var expectedMac []byte |
||||
if expectedMac, err = sha256Hmac(auth, ciphertext, nonce); chk.E(err) { |
||||
if hmac, err = sha256Hmac(auth, ciphertext_, salt); err != nil { |
||||
return |
||||
} |
||||
if !utils.FastEqual(givenMac, expectedMac) { |
||||
if !bytes.Equal(hmac_, hmac) { |
||||
err = errorf.E("invalid hmac") |
||||
return |
||||
} |
||||
var padded []byte |
||||
if padded, err = encrypt(enc, cc20nonce, ciphertext); chk.E(err) { |
||||
if padded, err = chacha20_(enc, nonce, ciphertext_); err != nil { |
||||
return |
||||
} |
||||
unpaddedLen := binary.BigEndian.Uint16(padded[0:2]) |
||||
if unpaddedLen < uint16(MinPlaintextSize) || unpaddedLen > uint16(MaxPlaintextSize) || |
||||
len(padded) != 2+CalcPadding(int(unpaddedLen)) { |
||||
unpaddedLen = binary.BigEndian.Uint16(padded[0:2]) |
||||
if unpaddedLen < uint16(MinPlaintextSize) || unpaddedLen > uint16(MaxPlaintextSize) || len(padded) != 2+calcPadding(int(unpaddedLen)) { |
||||
err = errorf.E("invalid padding") |
||||
return |
||||
} |
||||
unpadded := padded[2:][:unpaddedLen] |
||||
unpadded = padded[2 : unpaddedLen+2] |
||||
if len(unpadded) == 0 || len(unpadded) != int(unpaddedLen) { |
||||
err = errorf.E("invalid padding") |
||||
return |
||||
} |
||||
plaintext = unpadded |
||||
plaintext = string(unpadded) |
||||
return |
||||
} |
||||
|
||||
// GenerateConversationKeyFromHex performs an ECDH key generation hashed with the nip-44-v2 using hkdf.
|
||||
// Parameters match NIP-44 spec: sender's private key first, then recipient's public key.
|
||||
// The public key can be either:
|
||||
// - 32 bytes (x-coordinate only, 64 hex characters)
|
||||
// - 33 bytes (compressed format with 0x02/0x03 prefix, 66 hex characters)
|
||||
func GenerateConversationKeyFromHex(skh, pkh string) (ck []byte, err error) { |
||||
if skh >= "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141" || |
||||
skh == "0000000000000000000000000000000000000000000000000000000000000000" { |
||||
err = errorf.E( |
||||
"invalid private key: x coordinate %s is not on the secp256k1 curve", |
||||
skh, |
||||
) |
||||
func GenerateConversationKey(sendPrivkey []byte, recvPubkey []byte) (conversationKey []byte, err error) { |
||||
// Parse the private key
|
||||
var privKey secp256k1.SecretKey |
||||
if overflow := privKey.Key.SetByteSlice(sendPrivkey); overflow { |
||||
err = errorf.E("invalid private key: x coordinate %x is not on the secp256k1 curve", sendPrivkey) |
||||
return |
||||
} |
||||
var sign *p8k.Signer |
||||
if sign, err = p8k.New(); chk.E(err) { |
||||
return |
||||
} |
||||
var sk []byte |
||||
if sk, err = hex.Dec(skh); chk.E(err) { |
||||
return |
||||
} |
||||
if err = sign.InitSec(sk); chk.E(err) { |
||||
return |
||||
} |
||||
var pk []byte |
||||
if pk, err = hex.Dec(pkh); chk.E(err) { |
||||
return |
||||
} |
||||
// pk can be 32 bytes (x-coordinate) or 33 bytes (compressed)
|
||||
if len(pk) != 32 && len(pk) != 33 { |
||||
err = errorf.E("public key must be 32 bytes (x-coordinate) or 33 bytes (compressed format), got %d bytes", len(pk)) |
||||
|
||||
// Check if private key is zero
|
||||
if privKey.Key.IsZero() { |
||||
err = errorf.E("invalid private key: x coordinate %x is not on the secp256k1 curve", sendPrivkey) |
||||
return |
||||
} |
||||
var shared []byte |
||||
if shared, err = sign.ECDHRaw(pk); chk.E(err) { |
||||
|
||||
// Parse the public key
|
||||
// If it's 32 bytes, prepend format byte for compressed format (0x02 for even y)
|
||||
// If it's already 33 bytes, use as-is
|
||||
var pubKeyBytes []byte |
||||
if len(recvPubkey) == 32 { |
||||
// Nostr-style 32-byte public key - prepend compressed format byte
|
||||
pubKeyBytes = make([]byte, 33) |
||||
pubKeyBytes[0] = secp256k1.PubKeyFormatCompressedEven |
||||
copy(pubKeyBytes[1:], recvPubkey) |
||||
} else if len(recvPubkey) == 33 { |
||||
// Already in compressed format
|
||||
pubKeyBytes = recvPubkey |
||||
} else { |
||||
err = errorf.E("invalid public key length: %d (expected 32 or 33 bytes)", len(recvPubkey)) |
||||
return |
||||
} |
||||
ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2")) |
||||
return |
||||
} |
||||
|
||||
func GenerateConversationKeyWithSigner(sign signer.I, pk []byte) ( |
||||
ck []byte, err error, |
||||
) { |
||||
var shared []byte |
||||
if shared, err = sign.ECDHRaw(pk); chk.E(err) { |
||||
pubKey, err := secp256k1.ParsePubKey(pubKeyBytes) |
||||
if err != nil { |
||||
return |
||||
} |
||||
ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2")) |
||||
|
||||
// Compute ECDH shared secret (returns only x-coordinate, 32 bytes)
|
||||
shared := secp256k1.GenerateSharedSecret(&privKey, pubKey) |
||||
|
||||
// Apply HKDF-Extract with salt "nip44-v2"
|
||||
conversationKey = hkdf.Extract(sha256.New, shared, []byte("nip44-v2")) |
||||
return |
||||
} |
||||
|
||||
func encrypt(key, nonce, message []byte) (dst []byte, err error) { |
||||
var cipher *chacha20.Cipher |
||||
if cipher, err = chacha20.NewUnauthenticatedCipher(key, nonce); chk.E(err) { |
||||
return |
||||
func chacha20_(key []byte, nonce []byte, message []byte) ([]byte, error) { |
||||
var ( |
||||
cipher *chacha20.Cipher |
||||
dst = make([]byte, len(message)) |
||||
err error |
||||
) |
||||
if cipher, err = chacha20.NewUnauthenticatedCipher(key, nonce); err != nil { |
||||
return nil, err |
||||
} |
||||
dst = make([]byte, len(message)) |
||||
cipher.XORKeyStream(dst, message) |
||||
return |
||||
return dst, nil |
||||
} |
||||
|
||||
func sha256Hmac(key, ciphertext, nonce []byte) (h []byte, err error) { |
||||
if len(nonce) != sha256.Size { |
||||
err = errorf.E("nonce aad must be 32 bytes") |
||||
return |
||||
func randomBytes(n int) ([]byte, error) { |
||||
buf := make([]byte, n) |
||||
if _, err := rand.Read(buf); err != nil { |
||||
return nil, err |
||||
} |
||||
hm := hmac.New(sha256.New, key) |
||||
hm.Write(nonce) |
||||
hm.Write(ciphertext) |
||||
h = hm.Sum(nil) |
||||
return |
||||
return buf, nil |
||||
} |
||||
|
||||
func sha256Hmac(key []byte, ciphertext []byte, aad []byte) ([]byte, error) { |
||||
if len(aad) != 32 { |
||||
return nil, errors.New("aad data must be 32 bytes") |
||||
} |
||||
h := hmac.New(sha256.New, key) |
||||
h.Write(aad) |
||||
h.Write(ciphertext) |
||||
return h.Sum(nil), nil |
||||
} |
||||
|
||||
func getKeys(conversationKey, nonce []byte) ( |
||||
enc, cc20nonce, auth []byte, err error, |
||||
) { |
||||
func MessageKeys(conversationKey []byte, salt []byte) ([]byte, []byte, []byte, error) { |
||||
var ( |
||||
r io.Reader |
||||
enc []byte = make([]byte, 32) |
||||
nonce []byte = make([]byte, 12) |
||||
auth []byte = make([]byte, 32) |
||||
err error |
||||
) |
||||
if len(conversationKey) != 32 { |
||||
err = errorf.E("conversation key must be 32 bytes") |
||||
return |
||||
return nil, nil, nil, errors.New("conversation key must be 32 bytes") |
||||
} |
||||
if len(nonce) != 32 { |
||||
err = errorf.E("nonce must be 32 bytes") |
||||
return |
||||
if len(salt) != 32 { |
||||
return nil, nil, nil, errors.New("salt must be 32 bytes") |
||||
} |
||||
r := hkdf.Expand(sha256.New, conversationKey, nonce) |
||||
enc = make([]byte, 32) |
||||
if _, err = io.ReadFull(r, enc); chk.E(err) { |
||||
return |
||||
r = hkdf.Expand(sha256.New, conversationKey, salt) |
||||
if _, err = io.ReadFull(r, enc); err != nil { |
||||
return nil, nil, nil, err |
||||
} |
||||
cc20nonce = make([]byte, 12) |
||||
if _, err = io.ReadFull(r, cc20nonce); chk.E(err) { |
||||
return |
||||
if _, err = io.ReadFull(r, nonce); err != nil { |
||||
return nil, nil, nil, err |
||||
} |
||||
auth = make([]byte, 32) |
||||
if _, err = io.ReadFull(r, auth); chk.E(err) { |
||||
return |
||||
if _, err = io.ReadFull(r, auth); err != nil { |
||||
return nil, nil, nil, err |
||||
} |
||||
return |
||||
return enc, nonce, auth, nil |
||||
} |
||||
|
||||
func pad(s []byte) ([]byte, error) { |
||||
var ( |
||||
sb []byte |
||||
sbLen int |
||||
padding int |
||||
result []byte |
||||
) |
||||
sb = s |
||||
sbLen = len(sb) |
||||
if sbLen < 1 || sbLen > MaxPlaintextSize { |
||||
return nil, errors.New("plaintext should be between 1b and 64kB") |
||||
} |
||||
padding = calcPadding(sbLen) |
||||
result = make([]byte, 2) |
||||
binary.BigEndian.PutUint16(result, uint16(sbLen)) |
||||
result = append(result, sb...) |
||||
result = append(result, make([]byte, padding-sbLen)...) |
||||
return result, nil |
||||
} |
||||
|
||||
// CalcPadding creates padding for the message payload that is precisely a power
|
||||
// of two in order to reduce the chances of plaintext attack. This is plainly
|
||||
// retarded because it could blow out the message size a lot when just a random few
|
||||
// dozen bytes and a length prefix would achieve the same result.
|
||||
func CalcPadding(sLen int) (l int) { |
||||
func calcPadding(sLen int) int { |
||||
var ( |
||||
nextPower int |
||||
chunk int |
||||
) |
||||
if sLen <= 32 { |
||||
return 32 |
||||
} |
||||
nextPower := 1 << int(math.Floor(math.Log2(float64(sLen-1)))+1) |
||||
chunk := int(math.Max(32, float64(nextPower/8))) |
||||
l = chunk * int(math.Floor(float64((sLen-1)/chunk))+1) |
||||
return |
||||
nextPower = 1 << int(math.Floor(math.Log2(float64(sLen-1)))+1) |
||||
chunk = int(math.Max(32, float64(nextPower/8))) |
||||
return chunk * int(math.Floor(float64((sLen-1)/chunk))+1) |
||||
} |
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -1,30 +0,0 @@
@@ -1,30 +0,0 @@
|
||||
package encryption |
||||
|
||||
import ( |
||||
"io" |
||||
"os" |
||||
"testing" |
||||
|
||||
"lol.mleku.dev" |
||||
"lol.mleku.dev/log" |
||||
) |
||||
|
||||
func TestMain(m *testing.M) { |
||||
// Disable all logging during tests unless explicitly enabled
|
||||
if os.Getenv("TEST_LOG") == "" { |
||||
// Set log level to Off to suppress all logs
|
||||
lol.SetLogLevel("off") |
||||
// Also redirect output to discard
|
||||
lol.Writer = io.Discard |
||||
// Disable all log printers
|
||||
log.T = lol.GetNullPrinter() |
||||
log.D = lol.GetNullPrinter() |
||||
log.I = lol.GetNullPrinter() |
||||
log.W = lol.GetNullPrinter() |
||||
log.E = lol.GetNullPrinter() |
||||
log.F = lol.GetNullPrinter() |
||||
} |
||||
|
||||
// Run tests
|
||||
os.Exit(m.Run()) |
||||
} |
||||
Loading…
Reference in new issue