trezor: add sanity checks for decrypted value
Check that the value has changed, is not all-zero and has the right length.
This commit is contained in:
parent
978f1f3f6d
commit
991891a5c4
@ -1,6 +1,8 @@
|
|||||||
package readpassword
|
package readpassword
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
|
"log"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
"github.com/rfjakob/gocryptfs/internal/exitcodes"
|
"github.com/rfjakob/gocryptfs/internal/exitcodes"
|
||||||
@ -96,6 +98,18 @@ func Trezor(payload []byte) []byte {
|
|||||||
os.Exit(exitcodes.TrezorError)
|
os.Exit(exitcodes.TrezorError)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Sanity checks
|
||||||
|
if len(key) != TrezorPayloadLen {
|
||||||
|
log.Panicf("BUG: decrypted value has wrong length %d", len(key))
|
||||||
|
}
|
||||||
|
if bytes.Equal(key, payload) {
|
||||||
|
log.Panicf("BUG: payload and decrypted value are identical")
|
||||||
|
}
|
||||||
|
zero := make([]byte, TrezorPayloadLen)
|
||||||
|
if bytes.Equal(key, zero) {
|
||||||
|
log.Panicf("BUG: decrypted value is all-zero")
|
||||||
|
}
|
||||||
|
|
||||||
// Everything ok
|
// Everything ok
|
||||||
return key
|
return key
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user