f Address Leo's commments

Author: tnull

src/util/key_obfuscator.rs

@@ -79,8 +79,9 @@ impl KeyObfuscator {
 		tag.copy_from_slice(&tag_bytes);
 
 		let (wrapped_nonce_bytes, wrapped_nonce_tag_bytes) = remaining.split_at(NONCE_LENGTH);
+
 		let mut wrapped_nonce_tag = [0u8; TAG_LENGTH];
-		wrapped_nonce_tag.copy_from_slice(wrapped_nonce_tag_bytes);
+		wrapped_nonce_tag.copy_from_slice(&wrapped_nonce_tag_bytes[..TAG_LENGTH]);
 
 		// Unwrap wrapped_nonce to get nonce.
 		let mut wrapped_nonce = [0u8; NONCE_LENGTH];
@@ -94,10 +95,8 @@ impl KeyObfuscator {
 		})?;
 
 		// Decrypt ciphertext using nonce.
-		let cipher = ChaCha20Poly1305::new(
-			Key::new(self.obfuscation_key.clone()),
-			Nonce::new(wrapped_nonce),
-		);
+		let cipher =
+			ChaCha20Poly1305::new(Key::new(self.obfuscation_key), Nonce::new(wrapped_nonce));
 		let mut ciphertext = ciphertext.to_vec();
 		cipher.decrypt(&mut ciphertext, tag, None).map_err(|_| {
 			let msg = format!("Failed to decrypt key: {}, Invalid Tag.", obfuscated_key);
@@ -119,10 +118,7 @@ impl KeyObfuscator {
 		&self, mut plaintext: &mut [u8], initial_nonce_material: &[u8],
 	) -> ([u8; NONCE_LENGTH], [u8; TAG_LENGTH]) {
 		let nonce = self.generate_synthetic_nonce(initial_nonce_material);
-		let cipher = ChaCha20Poly1305::new(
-			Key::new(self.obfuscation_key.clone()),
-			Nonce::new(nonce.clone()),
-		);
+		let cipher = ChaCha20Poly1305::new(Key::new(self.obfuscation_key), Nonce::new(nonce));
 		let tag = cipher.encrypt(&mut plaintext, None);
 		(nonce, tag)
 	}
@@ -132,10 +128,7 @@ impl KeyObfuscator {
 		&self, mut ciphertext: &mut [u8], initial_nonce_material: &[u8], tag: [u8; TAG_LENGTH],
 	) -> Result<(), ()> {
 		let nonce = self.generate_synthetic_nonce(initial_nonce_material);
-		let cipher = ChaCha20Poly1305::new(
-			Key::new(self.obfuscation_key.clone()),
-			Nonce::new(nonce.clone()),
-		);
+		let cipher = ChaCha20Poly1305::new(Key::new(self.obfuscation_key), Nonce::new(nonce));
 		cipher.decrypt(&mut ciphertext, tag, None).map_err(|_| ())
 	}
 

src/util/storable_builder.rs

@@ -31,6 +31,8 @@ pub trait EntropySource {
 }
 
 const CHACHA20_CIPHER_NAME: &'static str = "ChaCha20Poly1305";
+const TAG_LENGTH: usize = 16;
+const NONCE_LENGTH: usize = 12;
 
 impl<T: EntropySource> StorableBuilder<T> {
 	/// Creates a [`Storable`] that can be serialized and stored as `value` in [`PutObjectRequest`].
@@ -44,13 +46,12 @@ impl<T: EntropySource> StorableBuilder<T> {
 	pub fn build(
 		&self, input: Vec<u8>, version: i64, data_encryption_key: &[u8; 32], aad: &[u8],
 	) -> Storable {
-		let mut nonce = [0u8; 12];
+		let mut nonce = [0u8; NONCE_LENGTH];
 		self.entropy_source.fill_bytes(&mut nonce[4..]);
 
 		let mut data_blob = PlaintextBlob { value: input, version }.encode_to_vec();
 
-		let cipher =
-			ChaCha20Poly1305::new(Key::new(data_encryption_key.clone()), Nonce::new(nonce));
+		let cipher = ChaCha20Poly1305::new(Key::new(*data_encryption_key), Nonce::new(nonce));
 		let tag = cipher.encrypt(&mut data_blob, Some(aad));
 		Storable {
 			data: data_blob,
@@ -73,16 +74,18 @@ impl<T: EntropySource> StorableBuilder<T> {
 			.encryption_metadata
 			.ok_or_else(|| Error::new(ErrorKind::InvalidData, "Invalid Metadata"))?;
 
-		if encryption_metadata.nonce.len() != 12 {
+		if encryption_metadata.nonce.len() != NONCE_LENGTH {
 			return Err(Error::new(ErrorKind::InvalidData, "Invalid Metadata"));
 		}
-		let mut nonce = [0u8; 12];
+		let mut nonce = [0u8; NONCE_LENGTH];
 		nonce.copy_from_slice(&encryption_metadata.nonce);
 
-		let cipher =
-			ChaCha20Poly1305::new(Key::new(data_encryption_key.clone()), Nonce::new(nonce));
+		let cipher = ChaCha20Poly1305::new(Key::new(*data_encryption_key), Nonce::new(nonce));
 
-		let mut tag = [0u8; 16];
+		if encryption_metadata.tag.len() != TAG_LENGTH {
+			return Err(Error::new(ErrorKind::InvalidData, "Invalid Metadata"));
+		}
+		let mut tag = [0u8; TAG_LENGTH];
 		tag.copy_from_slice(&encryption_metadata.tag);
 
 		cipher