siv_aead: create private key copy and implement wiping
Having a private copy relieves the caller from worrying about whether he can zero his copy. The copy can be cleared by calling Wipe().
This commit is contained in:
parent
adf7d75d31
commit
344d7e0a6f
@ -32,7 +32,9 @@ func New(key []byte) cipher.AEAD {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Same as "New" without the 64-byte restriction.
|
// Same as "New" without the 64-byte restriction.
|
||||||
func new2(key []byte) cipher.AEAD {
|
func new2(keyIn []byte) cipher.AEAD {
|
||||||
|
// Create a private copy so the caller can zero the one he owns
|
||||||
|
key := append([]byte{}, keyIn...)
|
||||||
return &sivAead{
|
return &sivAead{
|
||||||
key: key,
|
key: key,
|
||||||
}
|
}
|
||||||
@ -53,6 +55,9 @@ func (s *sivAead) Seal(dst, nonce, plaintext, authData []byte) []byte {
|
|||||||
// SIV supports any nonce size, but in gocryptfs we exclusively use 16.
|
// SIV supports any nonce size, but in gocryptfs we exclusively use 16.
|
||||||
log.Panic("nonce must be 16 bytes long")
|
log.Panic("nonce must be 16 bytes long")
|
||||||
}
|
}
|
||||||
|
if len(s.key) == 0 {
|
||||||
|
log.Panic("Key has been wiped?")
|
||||||
|
}
|
||||||
// https://github.com/jacobsa/crypto/blob/master/siv/encrypt.go#L48:
|
// https://github.com/jacobsa/crypto/blob/master/siv/encrypt.go#L48:
|
||||||
// As per RFC 5297 section 3, you may use this function for nonce-based
|
// As per RFC 5297 section 3, you may use this function for nonce-based
|
||||||
// authenticated encryption by passing a nonce as the last associated
|
// authenticated encryption by passing a nonce as the last associated
|
||||||
@ -71,7 +76,22 @@ func (s *sivAead) Open(dst, nonce, ciphertext, authData []byte) ([]byte, error)
|
|||||||
// SIV supports any nonce size, but in gocryptfs we exclusively use 16.
|
// SIV supports any nonce size, but in gocryptfs we exclusively use 16.
|
||||||
log.Panic("nonce must be 16 bytes long")
|
log.Panic("nonce must be 16 bytes long")
|
||||||
}
|
}
|
||||||
|
if len(s.key) == 0 {
|
||||||
|
log.Panic("Key has been wiped?")
|
||||||
|
}
|
||||||
associated := [][]byte{authData, nonce}
|
associated := [][]byte{authData, nonce}
|
||||||
dec, err := siv.Decrypt(s.key, ciphertext, associated)
|
dec, err := siv.Decrypt(s.key, ciphertext, associated)
|
||||||
return append(dst, dec...), err
|
return append(dst, dec...), err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Wipe tries to wipe the AES key from memory by overwriting it with zeros
|
||||||
|
// and setting the reference to nil.
|
||||||
|
//
|
||||||
|
// This is not bulletproof due to possible GC copies, but
|
||||||
|
// still raises to bar for extracting the key.
|
||||||
|
func (s *sivAead) Wipe() {
|
||||||
|
for i := range s.key {
|
||||||
|
s.key[i] = 0
|
||||||
|
}
|
||||||
|
s.key = nil
|
||||||
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user