Dimitar Banchev

Results 9 comments of Dimitar Banchev

> @expp121 please comment on this issue.

Hi!

> `gcm.Open` takes a nonce, but it's meant to be the value passed in at `Seal` time, not unique. From https://pkg.go.dev/crypto/cipher#NewGCM: > > ```go > // ... The nonce must...

Okay, yeah... if you are loading it from storage, that's a different story :D. It will flag it. You are right about this! The rule always expects a freshly generated nonce....

> @expp121 Did you have a chance to look at this and try to improve it?

Nope, but I might give it a look in the future.

> The code to generate an OpenSSH-compatible encrypted private key might go something like: > > ``` > k, err := BcryptPbkdfKey([]byte(passPhrase), []byte(opts.Salt), int(opts.Rounds), 32+16) > if err != nil...

> Yeah, this analyzer doesn't really make any sense. It requires that all nonces are generated with `(crypto/rand).Read`. Then how could you ever use `(crypto/cipher.AEAD).Open`? To open, you need to...

`Nobody calls Seal + Open in the same function, other than weird examples... ` Yeah... You are correct. `I think it's reasonable to detect that both encryption and decryption are...

@imirkin thank you for the recommendation, will see what I can do! Edit: If possible, can you provide me with more examples in which you want something to be flagged...

> @expp121 Did you have a chance to look at this and try to improve it?

Sorry, haven't done any work on that. Might give it a look in the...