Merge pull request 'feat: harden keying implementation' (#6368) from gusted/forgejo-harden-keying into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6368
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Earl Warren 2024-12-25 08:05:56 +00:00
commit 7b5932738e


@ -28,13 +28,16 @@ var (
// The hash used for HKDF. // The hash used for HKDF.
hash = sha256.New hash = sha256.New
// The AEAD used for encryption/decryption. // The AEAD used for encryption/decryption.
aead = chacha20poly1305.NewX aead = chacha20poly1305.NewX
aeadKeySize = chacha20poly1305.KeySize
aeadNonceSize = chacha20poly1305.NonceSizeX
// The pseudorandom key generated by HKDF-Extract. // The pseudorandom key generated by HKDF-Extract.
prk []byte prk []byte
) )
const (
aeadKeySize = chacha20poly1305.KeySize
aeadNonceSize = chacha20poly1305.NonceSizeX
)
// Set the main IKM for this module. // Set the main IKM for this module.
func Init(ikm []byte) { func Init(ikm []byte) {
// Salt is intentionally left empty, it's not useful to Forgejo's use case. // Salt is intentionally left empty, it's not useful to Forgejo's use case.
@ -55,7 +58,7 @@ var (
// Derive *the* key for a given context, this is a deterministic function. // Derive *the* key for a given context, this is a deterministic function.
// The same key will be provided for the same context. // The same key will be provided for the same context.
func DeriveKey(context Context) *Key { func DeriveKey(context Context) *Key {
if len(prk) == 0 { if len(prk) != sha256.Size {
panic("keying: not initialized") panic("keying: not initialized")
} }
@ -63,7 +66,7 @@ func DeriveKey(context Context) *Key {
key := make([]byte, aeadKeySize) key := make([]byte, aeadKeySize)
// This should never return an error, but if it does, panic. // This should never return an error, but if it does, panic.
if _, err := r.Read(key); err != nil { if n, err := r.Read(key); err != nil || n != aeadKeySize {
panic(err) panic(err)
} }
@ -92,7 +95,7 @@ func (k *Key) Encrypt(plaintext, additionalData []byte) []byte {
// Generate a random nonce. // Generate a random nonce.
nonce := make([]byte, aeadNonceSize) nonce := make([]byte, aeadNonceSize)
if _, err := rand.Read(nonce); err != nil { if n, err := rand.Read(nonce); err != nil || n != aeadNonceSize {
panic(err) panic(err)
} }
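Review bot: In the new short-read branches of DeriveKey (`n != aeadKeySize`) and Encrypt (`n != aeadNonceSize`), `panic(err)` is reached with `err == nil`, so the panic value says nothing about what failed (on Go 1.21 and later it surfaces only as a generic nil-panic runtime error). Give the short read its own message, e.g. `if n, err := r.Read(key); err != nil { panic(err) } else if n != aeadKeySize { panic("keying: short read of key material") }`, and the same shape for the nonce. Alternatively `io.ReadFull(r, key)` turns a short read into a non-nil error, though it needs the `io` import if the file does not already have it. Failing closed is the right behaviour here, since a partially filled key or nonce must never reach the AEAD; the point is only that the failure should be diagnosable. Both function bodies continue outside the visible hunks.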