lockbox

password manager

commit a3163291d014bea9da99d86b83db224d9825d122
parent 88f8088146870f79d1b4fc31bb2be7e910bff8f9
Author: Sean Enck <sean@ttypty.com>
Date:   Sun, 18 Sep 2022 12:36:10 -0400

all forms should pad

Diffstat:
Minternal/encrypt/core.go | 21+++++++++++++++++++--
Minternal/encrypt/secretbox.go | 19++-----------------
2 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/internal/encrypt/core.go b/internal/encrypt/core.go
@@ -2,8 +2,10 @@
 package encrypt
 import (
+ "crypto/rand"
 "crypto/sha512"
 "errors"
+ "io"
 random "math/rand"
 "os"
 "time"
@@ -15,6 +17,7 @@ import (
 const (
 keyLength = 32
 algorithmBaseVersion = 0
+ padLength = 256
 )
 const (
@@ -139,11 +142,20 @@ func (l Lockbox) Encrypt(datum []byte) error {
 if len(data) == 0 {
 return errors.New("no data given")
 }
+ padTo := random.Intn(padLength)
+ var padding [padLength]byte
+ if _, err := io.ReadFull(rand.Reader, padding[:]); err != nil {
+ return err
+ }
 box := newAlgorithm(l.algo)
 if box == nil {
 return errors.New("unknown algorithm detected")
 }
- b, err := box.encrypt(l.secret[:], data)
+ var write []byte
+ write = append(write, byte(padTo))
+ write = append(write, padding[0:padTo]...)
+ write = append(write, data...)
+ b, err := box.encrypt(l.secret[:], write)
 if err != nil {
 return err
 }
@@ -175,5 +187,10 @@ func (l Lockbox) Decrypt() ([]byte, error) {
 if len(data) <= box.dataSize() {
 return nil, errors.New("data is invalid for decryption")
 }
- return box.decrypt(l.secret[:], data)
+ decrypted, err := box.decrypt(l.secret[:], data)
+ if err != nil {
+ return nil, err
+ }
+ padding := int(decrypted[0])
+ return decrypted[1+padding:], nil
 }
diff --git a/internal/encrypt/secretbox.go b/internal/encrypt/secretbox.go
@@ -4,7 +4,6 @@ import (
 "crypto/rand"
 "errors"
 "io"
- random "math/rand"
 "golang.org/x/crypto/nacl/secretbox"
 )
@@ -16,7 +15,6 @@ type (
 const (
 secretBoxAlgorithmNonceLength = 24
- secretBoxAlgorithmPadLength = 256
 secretBoxAlgorithmSaltLength = 16
 )
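Review bot: In the `Lockbox.Encrypt` hunk of core.go the pad length is drawn with `random.Intn(padLength)`, and `random` is `math/rand`, while the pad bytes themselves come from `crypto/rand`. The pad length is what blurs the plaintext size in the stored ciphertext length, so it should not come from a predictable generator; how (or whether) `math/rand` is seeded is not visible in this hunk. Draw it from the CSPRNG instead: declare `var n [1]byte`, fill it with `io.ReadFull(rand.Reader, n[:])` (returning the error as the padding read does), then `padTo := int(n[0])`, which keeps the 0–255 range that fits the single length byte. The body of `Encrypt` starts and ends outside the hunk.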
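Review bot: In the `Lockbox.Decrypt` hunk of core.go, `decrypted[0]` and `decrypted[1+padding:]` are used without a length check, so an empty plaintext or a length byte larger than the remaining data panics instead of returning an error. Since this strip now runs for every algorithm rather than inside secretbox only, any stored entry that was written without the length-prefixed padding would hit this path (whether such entries exist is not visible here). Guard it before slicing: `if len(decrypted) == 0 || 1+int(decrypted[0]) > len(decrypted) { return nil, errors.New("data is invalid for decryption") }`.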
@@ -34,27 +32,15 @@ func (s secretBoxAlgorithm) version() algorithmVersions {
 func (s secretBoxAlgorithm) encrypt(encryptKey, data []byte) ([]byte, error) {
 var nonce [secretBoxAlgorithmNonceLength]byte
- padTo := random.Intn(secretBoxAlgorithmPadLength)
- if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
- return nil, err
- }
- var padding [secretBoxAlgorithmPadLength]byte
- if _, err := io.ReadFull(rand.Reader, padding[:]); err != nil {
- return nil, err
- }
 var salt [secretBoxAlgorithmSaltLength]byte
 if _, err := io.ReadFull(rand.Reader, salt[:]); err != nil {
 return nil, err
 }
- var write []byte
- write = append(write, byte(padTo))
- write = append(write, padding[0:padTo]...)
- write = append(write, data...)
 key, err := pad(salt[:], encryptKey[:])
 if err != nil {
 return nil, err
 }
- encrypted := secretbox.Seal(nonce[:], write, &nonce, &key)
+ encrypted := secretbox.Seal(nonce[:], data, &nonce, &key)
 var persist []byte
 persist = append(persist, salt[:]...)
 persist = append(persist, encrypted...)
@@ -75,6 +61,5 @@ func (s secretBoxAlgorithm) decrypt(encryptKey, encrypted []byte) ([]byte, error
 return nil, errors.New("decrypt not ok")
 }
- padding := int(decrypted[0])
- return decrypted[1+padding:], nil
+ return decrypted, nil
 }
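Review bot: The lines removed from `secretBoxAlgorithm.encrypt` include the `io.ReadFull(rand.Reader, nonce[:])` call along with the padding code, so on the new side `nonce` is still its zero value when it reaches `secretbox.Seal(nonce[:], data, &nonce, &key)`. secretbox requires that a nonce never repeat under the same key, so with a constant nonce that guarantee rests entirely on the random salt and on `pad` deriving a distinct key from it, and `pad` is not visible in this hunk. Restore the nonce fill right after the declaration: `if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil { return nil, err }`. A regression test asserting that two encryptions of the same input produce different nonce prefixes would catch this.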