stupidgcm: stupidChacha20poly1305: use byte array for key

Follow what golang.org/x/crypto/chacha20poly1305 does
for easier integration in the next commit.
This commit is contained in:
Jakob Unterwurzacher 2021-09-02 10:37:44 +02:00
parent 3ba74ac4fc
commit 5df7ee815d
2 changed files with 26 additions and 14 deletions


@ -167,20 +167,25 @@ type Wiper interface {
} }
func testWipe(t *testing.T, c cipher.AEAD) { func testWipe(t *testing.T, c cipher.AEAD) {
var key []byte
switch c2 := c.(type) { switch c2 := c.(type) {
case *StupidGCM: case *StupidGCM:
c2.Wipe() c2.Wipe()
key = c2.key if c2.key != nil {
t.Fatal("key is not nil")
}
case *stupidChacha20poly1305: case *stupidChacha20poly1305:
c2.Wipe() c2.Wipe()
key = c2.key if !c2.wiped {
t.Error("c2.wiped is not set")
}
for _, v := range c2.key {
if v != 0 {
t.Fatal("c2.key is not zeroed")
}
}
default: default:
t.Fatalf("BUG: unhandled type %t", c2) t.Fatalf("BUG: unhandled type %t", c2)
} }
if key != nil {
t.Fatal("key is not nil")
}
} }
// Get "n" random bytes from /dev/urandom or panic // Get "n" random bytes from /dev/urandom or panic
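Review bot: The use-after-wipe guard that this commit adds to Seal and Open in the stupidChacha20poly1305 file is not exercised here; the chacha case only checks `c2.wiped` and that the key bytes are zero, so dropping the `g.wiped` check in Seal would still pass this test. Calling Seal on the wiped cipher inside a recover wrapper, after the existing key check, would pin that behaviour. The two cases also differ in severity for no visible reason: `t.Error("c2.wiped is not set")` lets the test continue while the key checks use `t.Fatal`; picking one of them for both makes the intent clearer.
```go
	case *stupidChacha20poly1305:
		c2.Wipe()
		// … unchanged: wiped flag and key zeroing checks …
		func() {
			defer func() {
				if recover() == nil {
					t.Error("Seal on wiped cipher did not panic")
				}
			}()
			c2.Seal(nil, make([]byte, c2.NonceSize()), nil, nil)
		}()
```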


@ -16,19 +16,20 @@ import (
) )
type stupidChacha20poly1305 struct { type stupidChacha20poly1305 struct {
key []byte key [chacha20poly1305.KeySize]byte
wiped bool
} }
// Verify that we satisfy the cipher.AEAD interface // Verify that we satisfy the cipher.AEAD interface
var _ cipher.AEAD = &stupidChacha20poly1305{} var _ cipher.AEAD = &stupidChacha20poly1305{}
func newChacha20poly1305(keyIn []byte) cipher.AEAD { func newChacha20poly1305(key []byte) cipher.AEAD {
if len(keyIn) != chacha20poly1305.KeySize { if len(key) != chacha20poly1305.KeySize {
log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(keyIn)) log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(key))
} }
// Create a private copy of the key ret := new(stupidChacha20poly1305)
key := append([]byte{}, keyIn...) copy(ret.key[:], key)
return &stupidChacha20poly1305{key: key} return ret
} }
// NonceSize returns the required size of the nonce / IV. // NonceSize returns the required size of the nonce / IV.
@ -43,6 +44,9 @@ func (g *stupidChacha20poly1305) Overhead() int {
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst" // Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte { func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte {
if g.wiped {
panic("BUG: tried to use wiped stupidChacha20poly1305")
}
if len(iv) != g.NonceSize() { if len(iv) != g.NonceSize() {
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", g.NonceSize(), len(iv)) log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", g.NonceSize(), len(iv))
} }
@ -125,6 +129,9 @@ func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte {
// Open decrypts "in" using "iv" and "authData" and append the result to "dst" // Open decrypts "in" using "iv" and "authData" and append the result to "dst"
func (g *stupidChacha20poly1305) Open(dst, iv, in, authData []byte) ([]byte, error) { func (g *stupidChacha20poly1305) Open(dst, iv, in, authData []byte) ([]byte, error) {
if g.wiped {
panic("BUG: tried to use wiped stupidChacha20poly1305")
}
if len(iv) != g.NonceSize() { if len(iv) != g.NonceSize() {
log.Panicf("Only %d-byte IVs are supported", g.NonceSize()) log.Panicf("Only %d-byte IVs are supported", g.NonceSize())
} }
@ -215,8 +222,8 @@ func (g *stupidChacha20poly1305) Open(dst, iv, in, authData []byte) ([]byte, err
// This is not bulletproof due to possible GC copies, but // This is not bulletproof due to possible GC copies, but
// still raises the bar for extracting the key. // still raises the bar for extracting the key.
func (g *stupidChacha20poly1305) Wipe() { func (g *stupidChacha20poly1305) Wipe() {
g.wiped = true
for i := range g.key { for i := range g.key {
g.key[i] = 0 g.key[i] = 0
} }
g.key = nil
} }
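Review bot: The Wipe comment above the last hunk still only mentions GC copies, but with `key` now a `[chacha20poly1305.KeySize]byte` value inside the struct (first hunk), any value copy of a stupidChacha20poly1305 carries its own copy of the key bytes and Wipe zeroes only the receiver it is called on, so the comment should add something like `// key is an array, so value copies of the struct keep their own key; only ever pass *stupidChacha20poly1305.` In newChacha20poly1305 the removed "Create a private copy of the key" comment was the only place that said why the key is copied rather than retained; a one-line `// copy() into the array keeps a private copy, so the caller's slice can be wiped independently` above `copy(ret.key[:], key)` would preserve that. The new wiped guard uses `panic(...)` while the neighbouring length checks in Seal and Open use `log.Panicf(...)`; either is fine, but the hunks would read more consistently with one form. Seal's and Open's bodies continue outside their hunks.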