146 lines
4.0 KiB
Go
146 lines
4.0 KiB
Go
/*
|
|
SSHSecure - a program to harden OpenSSH from defaults
|
|
Copyright (C) 2020 Brent Saner
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
`crypto`
|
|
`crypto/aes`
|
|
`crypto/cipher`
|
|
`crypto/ed25519`
|
|
`encoding/hex`
|
|
`fmt`
|
|
|
|
`github.com/dchest/bcrypt_pbkdf`
|
|
)
|
|
|
|
/*
|
|
Same key as private.ed25519 example.
|
|
*/
|
|
|
|
func main() {
|
|
const (
|
|
passphrase string = "test"
|
|
rounds int = 100
|
|
keySize int = 32
|
|
lenPlain int = 160
|
|
)
|
|
var salt []byte
|
|
var bcryptKey []byte
|
|
var sk []byte
|
|
var pk []byte
|
|
var pubkey crypto.PublicKey
|
|
var key ed25519.PrivateKey
|
|
var decrypted []byte
|
|
var aesCtx cipher.Block
|
|
var encData []byte
|
|
|
|
decrypted = make([]byte, lenPlain)
|
|
encData = make([]byte, lenPlain)
|
|
|
|
// Import salt
|
|
if s, err := hex.DecodeString("50132f72900d68e0a31f9d75b6f0a5bc"); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
salt = s
|
|
}
|
|
|
|
// Import encrypted data
|
|
if b, err := hex.DecodeString(
|
|
"c49777cd0d1a7d37db77a1814991278f8ce99d572e2c666b93b99867425c60da" +
|
|
"4652fddb8555098532b51beeee2959f9db5cf5a0905052720c5de25f2c4dd87e" +
|
|
"bcc7bb5ea3d7bcbeacc6b732e4c39295d9991a97ef3f0838f8a9bfd43edb3403" +
|
|
"189649088f6cfb78946fb914e358ac6abc64691072f5f2788534d9d42d7f406b" +
|
|
"c5090b30df23cb7dd8c5cb938e41facd6e38e8845b8160bff840598118d447c2",
|
|
); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
encData = b
|
|
}
|
|
|
|
// ED25519 keys
|
|
// This is used to validate decrypted keys.
|
|
if edk, err := hex.DecodeString(
|
|
"ce6e2b8d638c9d5219dff455af1a90d0a5b72694cfcedfb93bc1e1b1816dee98" +
|
|
"bfa2031aa5463113e40e16896af503c5299ead76b09cb63846f41cc4de1740f6",
|
|
); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
key = edk
|
|
// .Public() returns a crypto.PublicKey, which... is an interface that seemingly cannot be type asserted to anything.
|
|
pubkey = key.Public()
|
|
}
|
|
sep := len(key) - ed25519.PublicKeySize
|
|
pk = key[sep:]
|
|
sk = key[0:sep]
|
|
|
|
// Bcrypt_pbkdf2 derivation (used for deriving decryption key for AES encrypted private key)
|
|
// if k, err := bcrypt_pbkdf.Key([]byte(passphrase), salt, rounds, keySize); err != nil {
|
|
if k, err := bcrypt_pbkdf.Key([]byte(passphrase), salt, rounds, keySize+len(salt)); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
bcryptKey = k
|
|
}
|
|
realBcryptKey := bcryptKey[0:sep]
|
|
realIV := bcryptKey[sep:]
|
|
|
|
// Decrypter
|
|
if a, err := aes.NewCipher(realBcryptKey); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
aesCtx = a
|
|
}
|
|
|
|
// Actual cipher setup. AES256-CBC
|
|
// d := cipher.NewCBCDecrypter(aesCtx, realIV)
|
|
// d.CryptBlocks(decrypted, encData)
|
|
|
|
// Actual cipher setup. AES256-CTR
|
|
d := cipher.NewCTR(aesCtx, realIV)
|
|
d.XORKeyStream(decrypted, encData)
|
|
|
|
/*
|
|
if p, s, err := ed25519.GenerateKey(nil); err != nil {
|
|
fmt.Println(err)
|
|
return
|
|
} else {
|
|
pubkey = p
|
|
key = s
|
|
pk = key[(len(key) - ed25519.PublicKeySize):]
|
|
sk = key[0:(len(key) - ed25519.PublicKeySize)]
|
|
}
|
|
*/
|
|
|
|
fmt.Printf("ED25519 key: %v\n", hex.EncodeToString(key))
|
|
fmt.Printf("Pubkey: %v\n", pubkey)
|
|
fmt.Printf("SK: %v\n", hex.EncodeToString(sk))
|
|
fmt.Printf("PK: %v\n", hex.EncodeToString(pk))
|
|
fmt.Printf("Salt: %v\n", hex.EncodeToString(salt))
|
|
fmt.Printf("Bcrypt Key: %v\n", hex.EncodeToString(bcryptKey))
|
|
fmt.Printf("realBcryptKey: %v\n", hex.EncodeToString(realBcryptKey))
|
|
fmt.Printf("realIV: %v\n", hex.EncodeToString(realIV))
|
|
// fmt.Printf("Encrypted data: %v\n", hex.EncodeToString(encData))
|
|
fmt.Printf("Decrypted data?: %v\n", hex.EncodeToString(decrypted))
|
|
|
|
}
|