diff --git a/Gopkg.lock b/Gopkg.lock deleted file mode 100644 index 600be6b..0000000 --- a/Gopkg.lock +++ /dev/null @@ -1,17 +0,0 @@ -# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. - - -[[projects]] - digest = "1:f892acc8308967384ea31cbd1c17d42745bd45001add0eacada483d0d13d8fac" - name = "github.com/Luzifer/go-openssl" - packages = ["."] - pruneopts = "NUT" - revision = "5d2bdfffeecf20ba6dec4feb04e31872c8720255" - version = "v2.0.2" - -[solve-meta] - analyzer-name = "dep" - analyzer-version = 1 - input-imports = ["github.com/Luzifer/go-openssl"] - solver-name = "gps-cdcl" - solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml deleted file mode 100644 index bb0748d..0000000 --- a/Gopkg.toml +++ /dev/null @@ -1,35 +0,0 @@ -# Gopkg.toml example -# -# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html -# for detailed Gopkg.toml documentation. -# -# required = ["github.com/user/thing/cmd/thing"] -# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] -# -# [[constraint]] -# name = "github.com/user/project" -# version = "1.0.0" -# -# [[constraint]] -# name = "github.com/user/project2" -# branch = "dev" -# source = "github.com/myfork/project2" -# -# [[override]] -# name = "github.com/x/y" -# version = "2.4.0" -# -# [prune] -# non-go = false -# go-tests = true -# unused-packages = true - - -[[constraint]] - name = "github.com/Luzifer/go-openssl" - version = "2.0.2" - -[prune] - non-go = true - go-tests = true - unused-packages = true diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..d3f2cd4 --- /dev/null +++ b/go.mod @@ -0,0 +1,5 @@ +module github.com/Luzifer/wasm-openssl + +go 1.12 + +require github.com/Luzifer/go-openssl/v3 v3.1.0 diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..f91d632 --- /dev/null +++ b/go.sum @@ -0,0 +1,2 @@ +github.com/Luzifer/go-openssl/v3 v3.1.0 h1:QqKqo6kYXGGUsvtUoCpRZm8lHw+jDfhbzr36gVj+/gw= +github.com/Luzifer/go-openssl/v3 v3.1.0/go.mod h1:liy3FXuuS8hfDlYh1T+l78AwQ/NjZflJz0NDvjKhwDs= diff --git a/vendor/github.com/Luzifer/go-openssl/LICENSE b/vendor/github.com/Luzifer/go-openssl/LICENSE deleted file mode 100644 index 9d74c44..0000000 --- a/vendor/github.com/Luzifer/go-openssl/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2015- Knut Ahlers - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/vendor/github.com/Luzifer/go-openssl/openssl.go b/vendor/github.com/Luzifer/go-openssl/openssl.go deleted file mode 100644 index e99e747..0000000 --- a/vendor/github.com/Luzifer/go-openssl/openssl.go +++ /dev/null @@ -1,298 +0,0 @@ -package openssl - -import ( - "bytes" - "crypto/aes" - "crypto/cipher" - "crypto/md5" - "crypto/rand" - "crypto/sha1" - "crypto/sha256" - "encoding/base64" - "errors" - "fmt" - "io" -) - -// ErrInvalidSalt is returned when a salt with a length of != 8 byte is passed -var ErrInvalidSalt = errors.New("Salt needs to have exactly 8 byte") - -// OpenSSL is a helper to generate OpenSSL compatible encryption -// with autmatic IV derivation and storage. As long as the key is known all -// data can also get decrypted using OpenSSL CLI. -// Code from http://dequeue.blogspot.de/2014/11/decrypting-something-encrypted-with.html -type OpenSSL struct { - openSSLSaltHeader string -} - -type openSSLCreds struct { - key []byte - iv []byte -} - -// New instanciates and initializes a new OpenSSL encrypter -func New() *OpenSSL { - return &OpenSSL{ - openSSLSaltHeader: "Salted__", // OpenSSL salt is always this string + 8 bytes of actual salt - } -} - -// DecryptString decrypts a string that was encrypted using OpenSSL and AES-256-CBC -func (o OpenSSL) DecryptString(passphrase, encryptedBase64String string) ([]byte, error) { - return o.DecryptBytes(passphrase, []byte(encryptedBase64String)) -} - -var hashFuncList = []DigestFunc{DigestSHA256Sum, DigestMD5Sum, DigestSHA1Sum} - -func (o OpenSSL) decodeWithPassphrase(passphrase string, data []byte, salt []byte, hashFunc DigestFunc) ([]byte, error) { - creds, err := o.extractOpenSSLCreds([]byte(passphrase), salt, hashFunc) - if err != nil { - return nil, err - } - return o.decrypt(creds.key, creds.iv, data) -} - -// DecryptBytes takes a slice of bytes with base64 encoded, encrypted data to decrypt -func (o OpenSSL) DecryptBytes(passphrase string, encryptedBase64Data []byte) ([]byte, error) { - data := make([]byte, base64.StdEncoding.DecodedLen(len(encryptedBase64Data))) - n, err := base64.StdEncoding.Decode(data, encryptedBase64Data) - if err != nil { - return nil, fmt.Errorf("Could not decode data: %s", err) - } - - // Truncate to real message length - data = data[0:n] - - if len(data) < aes.BlockSize { - return nil, fmt.Errorf("Data is too short") - } - saltHeader := data[:aes.BlockSize] - if string(saltHeader[:8]) != o.openSSLSaltHeader { - return nil, fmt.Errorf("Does not appear to have been encrypted with OpenSSL, salt header missing") - } - salt := saltHeader[8:] - - tmp := make([]byte, len(data)) - for _, f := range hashFuncList { - copy(tmp, data) - result, err := o.decodeWithPassphrase(passphrase, tmp, salt, f) - if err == nil { - return result, nil - } - } - return nil, err -} - -func (o OpenSSL) decrypt(key, iv, data []byte) ([]byte, error) { - if len(data) == 0 || len(data)%aes.BlockSize != 0 { - return nil, fmt.Errorf("bad blocksize(%v), aes.BlockSize = %v", len(data), aes.BlockSize) - } - c, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - cbc := cipher.NewCBCDecrypter(c, iv) - cbc.CryptBlocks(data[aes.BlockSize:], data[aes.BlockSize:]) - out, err := o.pkcs7Unpad(data[aes.BlockSize:], aes.BlockSize) - if out == nil { - return nil, err - } - return out, nil -} - -// EncryptBytes encrypts a slice of bytes in a manner compatible to OpenSSL encryption -// functions using AES-256-CBC as encryption algorithm. This function generates -// a random salt on every execution. -func (o OpenSSL) EncryptBytes(passphrase string, plainData []byte) ([]byte, error) { - salt, err := o.GenerateSalt() - if err != nil { - return nil, err - } - - return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, plainData, DigestSHA256Sum) -} - -// EncryptString encrypts a string in a manner compatible to OpenSSL encryption -// functions using AES-256-CBC as encryption algorithm. This function generates -// a random salt on every execution. -func (o OpenSSL) EncryptString(passphrase, plaintextString string) ([]byte, error) { - salt, err := o.GenerateSalt() - if err != nil { - return nil, err - } - - return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintextString), DigestSHA256Sum) -} - -// EncryptStringWithSalt encrypts a string in a manner compatible to OpenSSL -// encryption functions using AES-256-CBC as encryption algorithm. The salt -// needs to be passed in here which ensures the same result on every execution -// on cost of a much weaker encryption as with EncryptString. -// -// The salt passed into this function needs to have exactly 8 byte. -// -// If you don't have a good reason to use this, please don't! For more information -// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes -// -// Deprecated: Use EncryptBytesWithSaltAndDigestFunc instead. -func (o OpenSSL) EncryptStringWithSalt(passphrase string, salt []byte, plaintextString string) ([]byte, error) { - return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintextString), DigestSHA256Sum) -} - -// EncryptBytesWithSalt encrypts a slice of bytes in a manner compatible to OpenSSL -// encryption functions using AES-256-CBC as encryption algorithm. The salt -// needs to be passed in here which ensures the same result on every execution -// on cost of a much weaker encryption as with EncryptString. -// -// The salt passed into this function needs to have exactly 8 byte. -// -// If you don't have a good reason to use this, please don't! For more information -// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes -// -// Deprecated: Use EncryptBytesWithSaltAndDigestFunc instead. -func (o OpenSSL) EncryptBytesWithSalt(passphrase string, salt, plainData []byte) ([]byte, error) { - return o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, plainData, DigestSHA256Sum) -} - -// EncryptBytesWithSaltAndDigestFunc encrypts a slice of bytes in a manner compatible to OpenSSL -// encryption functions using AES-256-CBC as encryption algorithm. The salt -// needs to be passed in here which ensures the same result on every execution -// on cost of a much weaker encryption as with EncryptString. -// -// The salt passed into this function needs to have exactly 8 byte. -// -// The hash function corresponds to the `-md` parameter of OpenSSL. For OpenSSL pre-1.1.0c -// DigestMD5Sum was the default, since then it is DigestSHA256Sum. -// -// If you don't have a good reason to use this, please don't! For more information -// see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes -func (o OpenSSL) EncryptBytesWithSaltAndDigestFunc(passphrase string, salt, plainData []byte, hashFunc DigestFunc) ([]byte, error) { - if len(salt) != 8 { - return nil, ErrInvalidSalt - } - - data := make([]byte, len(plainData)+aes.BlockSize) - copy(data[0:], o.openSSLSaltHeader) - copy(data[8:], salt) - copy(data[aes.BlockSize:], plainData) - - creds, err := o.extractOpenSSLCreds([]byte(passphrase), salt, hashFunc) - if err != nil { - return nil, err - } - - enc, err := o.encrypt(creds.key, creds.iv, data) - if err != nil { - return nil, err - } - - return []byte(base64.StdEncoding.EncodeToString(enc)), nil -} - -// GenerateSalt generates a random 8 byte salt -func (o OpenSSL) GenerateSalt() ([]byte, error) { - salt := make([]byte, 8) // Generate an 8 byte salt - _, err := io.ReadFull(rand.Reader, salt) - if err != nil { - return nil, err - } - - return salt, nil -} - -func (o OpenSSL) encrypt(key, iv, data []byte) ([]byte, error) { - padded, err := o.pkcs7Pad(data, aes.BlockSize) - if err != nil { - return nil, err - } - - c, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - cbc := cipher.NewCBCEncrypter(c, iv) - cbc.CryptBlocks(padded[aes.BlockSize:], padded[aes.BlockSize:]) - - return padded, nil -} - -// openSSLEvpBytesToKey follows the OpenSSL (undocumented?) convention for extracting the key and IV from passphrase. -// It uses the EVP_BytesToKey() method which is basically: -// D_i = HASH^count(D_(i-1) || password || salt) where || denotes concatentaion, until there are sufficient bytes available -// 48 bytes since we're expecting to handle AES-256, 32bytes for a key and 16bytes for the IV -func (o OpenSSL) extractOpenSSLCreds(password, salt []byte, hashFunc DigestFunc) (openSSLCreds, error) { - var m []byte - prev := []byte{} - for len(m) < 48 { - prev = o.hash(prev, password, salt, hashFunc) - m = append(m, prev...) - } - return openSSLCreds{key: m[:32], iv: m[32:48]}, nil -} - -func (o OpenSSL) hash(prev, password, salt []byte, hashFunc DigestFunc) []byte { - a := make([]byte, len(prev)+len(password)+len(salt)) - copy(a, prev) - copy(a[len(prev):], password) - copy(a[len(prev)+len(password):], salt) - return hashFunc(a) -} - -// DigestFunc are functions to create a key from the passphrase -type DigestFunc func([]byte) []byte - -// DigestMD5Sum uses the (deprecated) pre-OpenSSL 1.1.0c MD5 digest to create the key -func DigestMD5Sum(data []byte) []byte { - h := md5.New() - h.Write(data) - return h.Sum(nil) -} - -// DigestSHA1Sum uses SHA1 digest to create the key -func DigestSHA1Sum(data []byte) []byte { - h := sha1.New() - h.Write(data) - return h.Sum(nil) -} - -// DigestSHA256Sum uses SHA256 digest to create the key which is the default behaviour since OpenSSL 1.1.0c -func DigestSHA256Sum(data []byte) []byte { - h := sha256.New() - h.Write(data) - return h.Sum(nil) -} - -// pkcs7Pad appends padding. -func (o OpenSSL) pkcs7Pad(data []byte, blocklen int) ([]byte, error) { - if blocklen <= 0 { - return nil, fmt.Errorf("invalid blocklen %d", blocklen) - } - padlen := 1 - for ((len(data) + padlen) % blocklen) != 0 { - padlen = padlen + 1 - } - - pad := bytes.Repeat([]byte{byte(padlen)}, padlen) - return append(data, pad...), nil -} - -// pkcs7Unpad returns slice of the original data without padding. -func (o OpenSSL) pkcs7Unpad(data []byte, blocklen int) ([]byte, error) { - if blocklen <= 0 { - return nil, fmt.Errorf("invalid blocklen %d", blocklen) - } - if len(data)%blocklen != 0 || len(data) == 0 { - return nil, fmt.Errorf("invalid data len %d", len(data)) - } - padlen := int(data[len(data)-1]) - if padlen > blocklen || padlen == 0 { - return nil, fmt.Errorf("invalid padding") - } - pad := data[len(data)-padlen:] - for i := 0; i < padlen; i++ { - if pad[i] != byte(padlen) { - return nil, fmt.Errorf("invalid padding") - } - } - return data[:len(data)-padlen], nil -}