progress in fixing the issue

keks · keks · commit f64c52af0fc1 · 2020-01-26T11:55:32.000+01:00
diff --git a/secrethandshake/state.go b/secrethandshake/state.go
@@ -179,23 +179,28 @@ func (s *State) verifyClientAuth(data []byte) bool {
 	secHasher.Write(s.aBob[:])
 	copy(s.secret2[:], secHasher.Sum(nil))
 
-	s.hello = make([]byte, 0, len(data)-16)
+	s.hello = make([]byte, len(data)-16)
 
 	var (
 		nonce  [24]byte // always 0?
 		openOk bool
 		sig    [ed25519.SignatureSize]byte
 		public [ed25519.PublicKeySize]byte
+		hello  = make([]byte, 0, len(data)-16)
 	)
 
-	s.hello, openOk = box.OpenAfterPrecomputation(s.hello, data, &nonce, &s.secret2)
-	if !openOk && s.hello == nil {
+	hello, openOk = box.OpenAfterPrecomputation(hello, data, &nonce, &s.secret2)
+	if !openOk && hello == nil {
 		fmt.Println("warning: nil hello")
 	}
+
 	// subtle API requires an int containing 0 or 1, we only have bool.
 	// we can't branch because openOk is secret.
 	okInt := int(*((*byte)(unsafe.Pointer(&openOk))))
 
+	// this is not super secret data like keys, so we can copy it around
+	copy(s.hello, hello)
+
 	subtle.ConstantTimeCopy(okInt, sig[:], s.hello[:ed25519.SignatureSize])
 	subtle.ConstantTimeCopy(okInt, public[:], s.hello[ed25519.SignatureSize:ed25519.SignatureSize+ed25519.PublicKeySize])
 
