diff options
Diffstat (limited to 'internal/stupidgcm/stupidchacha.go')
-rw-r--r-- | internal/stupidgcm/stupidchacha.go | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/internal/stupidgcm/stupidchacha.go b/internal/stupidgcm/stupidchacha.go index 2b31e0f..be8accb 100644 --- a/internal/stupidgcm/stupidchacha.go +++ b/internal/stupidgcm/stupidchacha.go @@ -16,19 +16,20 @@ import ( ) type stupidChacha20poly1305 struct { - key []byte + key [chacha20poly1305.KeySize]byte + wiped bool } // Verify that we satisfy the cipher.AEAD interface var _ cipher.AEAD = &stupidChacha20poly1305{} -func newChacha20poly1305(keyIn []byte) cipher.AEAD { - if len(keyIn) != chacha20poly1305.KeySize { - log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(keyIn)) +func newChacha20poly1305(key []byte) cipher.AEAD { + if len(key) != chacha20poly1305.KeySize { + log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(key)) } - // Create a private copy of the key - key := append([]byte{}, keyIn...) - return &stupidChacha20poly1305{key: key} + ret := new(stupidChacha20poly1305) + copy(ret.key[:], key) + return ret } // NonceSize returns the required size of the nonce / IV. @@ -43,6 +44,9 @@ func (g *stupidChacha20poly1305) Overhead() int { // Seal encrypts "in" using "iv" and "authData" and append the result to "dst" func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte { + if g.wiped { + panic("BUG: tried to use wiped stupidChacha20poly1305") + } if len(iv) != g.NonceSize() { log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", g.NonceSize(), len(iv)) } @@ -125,6 +129,9 @@ func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte { // Open decrypts "in" using "iv" and "authData" and append the result to "dst" func (g *stupidChacha20poly1305) Open(dst, iv, in, authData []byte) ([]byte, error) { + if g.wiped { + panic("BUG: tried to use wiped stupidChacha20poly1305") + } if len(iv) != g.NonceSize() { log.Panicf("Only %d-byte IVs are supported", g.NonceSize()) } @@ -215,8 +222,8 @@ func (g *stupidChacha20poly1305) Open(dst, iv, in, authData []byte) ([]byte, err // This is not bulletproof due to possible GC copies, but // still raises the bar for extracting the key. func (g *stupidChacha20poly1305) Wipe() { + g.wiped = true for i := range g.key { g.key[i] = 0 } - g.key = nil } |