stupidgcm: implement key wipe

Not bulletproof due to possible GC copies, but
still raises to bar for extracting the key.

https://github.com/rfjakob/gocryptfs/issues/211
This commit is contained in:
Jakob Unterwurzacher 2018-02-17 15:12:45 +01:00
parent 7e0fefe970
commit eeed4b4bef

View File

@ -56,6 +56,9 @@ func (g *stupidGCM) Seal(dst, iv, in, authData []byte) []byte {
if len(in) == 0 {
log.Panic("Zero-length input data is not supported")
}
if len(g.key) != keyLen {
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
}
// If the "dst" slice is large enough we can use it as our output buffer
outLen := len(in) + tagLen
@ -140,6 +143,9 @@ func (g *stupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) {
if len(in) <= tagLen {
log.Panic("Input data too short")
}
if len(g.key) != keyLen {
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
}
// If the "dst" slice is large enough we can use it as our output buffer
outLen := len(in) - tagLen
@ -224,3 +230,15 @@ func (g *stupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) {
}
return append(dst, buf...), nil
}
// Wipe wipes the AES key from memory by overwriting it with zeros and
// setting the reference to nil.
//
// This is not bulletproof due to possible GC copies, but
// still raises to bar for extracting the key.
func (g *stupidGCM) Wipe() {
for i := range g.key {
g.key[i] = 0
}
g.key = nil
}