fix(crypto): enforce 32-byte key for AES-256

2026-07-01 16:36:19 +07:00
parent 8d4a605b9f
commit 06d601482c
2 changed files with 9 additions and 0 deletions
+3
@@ -39,6 +39,9 @@ func Decrypt(key []byte, enc string) ([]byte, error) {
} }
func newGCM(key []byte) (cipher.AEAD, error) { func newGCM(key []byte) (cipher.AEAD, error) {
if len(key) != 32 {
return nil, errors.New("key must be 32 bytes (AES-256)")
}
block, err := aes.NewCipher(key) block, err := aes.NewCipher(key)
if err != nil { if err != nil {
return nil, err return nil, err
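Review bot: The new length check in newGCM returns an anonymous `errors.New(...)` value, so callers (presumably Encrypt and Decrypt) cannot tell a misconfigured key from any other failure without matching on the message text. A package-level sentinel such as `var ErrKeySize = errors.New("key must be 32 bytes (AES-256)")`, returned from this branch, would let them use `errors.Is`. The check also establishes length only, so a 32-character passphrase passes it; a doc comment would make the requirement explicit, e.g. `// newGCM builds an AES-256-GCM AEAD; key must be 32 random bytes (CSPRNG or KDF output), not a passphrase.` newGCM's body continues past the end of this hunk.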
+6
@@ -31,3 +31,9 @@ func TestEncryptNonDeterministic(t *testing.T) {
t.Fatal("two encryptions must differ (random nonce)") t.Fatal("two encryptions must differ (random nonce)")
} }
} }
func TestEncryptRejectsWrongKeySize(t *testing.T) {
if _, err := Encrypt(make([]byte, 16), []byte("x")); err == nil {
t.Fatal("16-byte key must be rejected (AES-256 requires 32)")
}
}
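Review bot: TestEncryptRejectsWrongKeySize pins only the 16-byte case, so 24-byte (AES-192) keys, which aes.NewCipher accepts and the new check is meant to refuse, stay untested, as do the empty and off-by-one lengths. Looping over the sizes would cover them: `for _, n := range []int{0, 16, 24, 31, 33} {` around `if _, err := Encrypt(make([]byte, n), []byte("x")); err == nil {` with `t.Fatalf("%d-byte key must be rejected (AES-256 requires 32)", n)`. Decrypt is not exercised with a wrong-size key; if it also goes through newGCM (not visible in this section), a matching assertion would pin that path too.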