Add more checks befor decrypting data

This commit is contained in:
Alexander Neumann 2014-11-24 22:11:09 +01:00
parent 26cd6c5372
commit 4ab3d51996
3 changed files with 21 additions and 2 deletions

View file

@ -24,6 +24,8 @@ const (
versionFileName = "version"
)
var ErrWrongData = errors.New("wrong data returned by backend, checksum does not match")
type Local struct {
p string
ver uint
@ -218,7 +220,8 @@ func (b *Local) filename(t Type, id ID) string {
return filepath.Join(b.dir(t), id.String())
}
// Get returns the content stored under the given ID.
// Get returns the content stored under the given ID. If the data doesn't match
// the requested ID, ErrWrongData is returned.
func (b *Local) Get(t Type, id ID) ([]byte, error) {
// try to open file
file, err := os.Open(b.filename(t, id))
@ -233,6 +236,11 @@ func (b *Local) Get(t Type, id ID) ([]byte, error) {
return nil, err
}
// check id
if !Hash(buf).Equal(id) {
return nil, ErrWrongData
}
return buf, nil
}

View file

@ -292,7 +292,8 @@ func (r *SFTP) filename(t Type, id ID) string {
return filepath.Join(r.dir(t), id.String())
}
// Get returns the content stored under the given ID.
// Get returns the content stored under the given ID. If the data doesn't match
// the requested ID, ErrWrongData is returned.
func (r *SFTP) Get(t Type, id ID) ([]byte, error) {
// try to open file
file, err := r.c.Open(r.filename(t, id))
@ -307,6 +308,11 @@ func (r *SFTP) Get(t Type, id ID) ([]byte, error) {
return nil, err
}
// check id
if !Hash(buf).Equal(id) {
return nil, ErrWrongData
}
return buf, nil
}

5
key.go
View file

@ -304,6 +304,11 @@ func (k *Key) Encrypt(ciphertext, plaintext []byte) (int, error) {
// Decrypt verifes and decrypts the ciphertext. Ciphertext must be in the form
// IV || Ciphertext || HMAC.
func (k *Key) decrypt(ks *keys, ciphertext []byte) ([]byte, error) {
// check for plausible length
if len(ciphertext) <= ivSize+hmacSize {
panic("trying to decryipt invalid data: ciphertext too small")
}
hm := hmac.New(sha256.New, ks.Sign)
// extract hmac