From f64c52af0fc1dd5b828fe5bb5b83533cb16aafec Mon Sep 17 00:00:00 2001
From: keks
Date: Sun, 26 Jan 2020 11:55:32 +0100
Subject: [PATCH] progress in fixing the issue
---
 secrethandshake/state.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/secrethandshake/state.go b/secrethandshake/state.go
index 0c41187..91c00c2 100644
--- a/secrethandshake/state.go
+++ b/secrethandshake/state.go
@@ -179,23 +179,28 @@ func (s *State) verifyClientAuth(data []byte) bool {
 secHasher.Write(s.aBob[:])
 copy(s.secret2[:], secHasher.Sum(nil))
- s.hello = make([]byte, 0, len(data)-16)
+ s.hello = make([]byte, len(data)-16)
 var (
 nonce [24]byte // always 0?
 openOk bool
 sig [ed25519.SignatureSize]byte
 public [ed25519.PublicKeySize]byte
+ hello = make([]byte, 0, len(data)-16)
 )
- s.hello, openOk = box.OpenAfterPrecomputation(s.hello, data, &nonce, &s.secret2)
- if !openOk && s.hello == nil {
+ hello, openOk = box.OpenAfterPrecomputation(hello, data, &nonce, &s.secret2)
+ if !openOk && hello == nil {
 fmt.Println("warning: nil hello")
 }
+
 // subtle API requires an int containing 0 or 1, we only have bool.
 // we can't branch because openOk is secret.
 okInt := int(*((*byte)(unsafe.Pointer(&openOk))))
+ // this is not super secret data like keys, so we can copy it around
+ copy(s.hello, hello)
+
 subtle.ConstantTimeCopy(okInt, sig[:], s.hello[:ed25519.SignatureSize])
 subtle.ConstantTimeCopy(okInt, public[:], s.hello[ed25519.SignatureSize:ed25519.SignatureSize+ed25519.PublicKeySize])
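Review bot: The buffer sizes still come from `len(data)` with no lower bound visible in the hunk: `make([]byte, len(data)-16)` panics when `data` is shorter than 16 bytes, and the fixed-offset slices `s.hello[:ed25519.SignatureSize]` and `s.hello[ed25519.SignatureSize:ed25519.SignatureSize+ed25519.PublicKeySize]` panic whenever the buffer is shorter than signature plus public key. Since `data` is presumably the remote peer's client-auth message, a guard ahead of the allocation such as `if len(data) < box.Overhead+ed25519.SignatureSize+ed25519.PublicKeySize { return false }` would turn a malformed message into a rejected handshake rather than a crash, unless the caller (outside this hunk) already enforces the fixed length. Separately, `if !openOk && hello == nil` branches on `openOk` and prints to stdout, which contradicts the comment just below it that says the code cannot branch on that value; the debug print should be dropped. verifyClientAuth starts and continues outside the hunk, so how `openOk` feeds into the return value cannot be checked from here.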