authorJustus Winter <justus@sequoia-pgp.org>2020-05-25 13:20:15 +0200
committerJustus Winter <justus@sequoia-pgp.org>2020-05-28 11:52:26 +0200
commit271280e62d1e0ee64a8f4cbb5766b17e3edf947d (patch)
treed30a6172c9626e6fb36db62f336bd7d80abce819
parent94dcb41c69c4e16f1f491a9b27148e90a0d713e7 (diff)
openpgp: Change the `decrypt` proxy in the decryption helper.
- Returning rich errors from this function may compromise secret key material due to Bleichenbacher-style attacks. Change the API to prevent this. - Hat tip to Hanno Böck. - Fixes #507.
-rw-r--r--guide/src/chapter_02.md16
-rw-r--r--ipc/examples/gpg-agent-decrypt.rs7
-rw-r--r--ipc/tests/gpg-agent.rs6
-rw-r--r--openpgp-ffi/include/sequoia/openpgp/types.h4
-rw-r--r--openpgp-ffi/src/parse/stream.rs26
-rw-r--r--openpgp/examples/decrypt-with.rs8
-rw-r--r--openpgp/examples/generate-encrypt-decrypt.rs4
-rw-r--r--openpgp/src/parse/stream.rs37
-rw-r--r--openpgp/src/policy.rs11
-rw-r--r--openpgp/src/serialize/stream.rs5
-rw-r--r--sop/src/main.rs17
-rw-r--r--tool/src/commands/decrypt.rs15
12 files changed, 83 insertions, 73 deletions
diff --git a/guide/src/chapter_02.md b/guide/src/chapter_02.md
index 91b01513..fe7e9856 100644
--- a/guide/src/chapter_02.md
+++ b/guide/src/chapter_02.md
@@ -126,7 +126,7 @@ fn main() {
# sym_algo: Option<SymmetricAlgorithm>,
# mut decrypt: D)
# -> openpgp::Result<Option<openpgp::Fingerprint>>
-# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
# {
# // The encryption key is the first and only subkey.
# let key = self.secret.keys().unencrypted_secret()
@@ -137,7 +137,7 @@ fn main() {
# let mut pair = key.into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair, sym_algo)
-# .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok());
+# .map(|(algo, session_key)| decrypt(algo, &session_key));
#
# // XXX: In production code, return the Fingerprint of the
# // recipient's Cert here
@@ -272,7 +272,7 @@ fn generate() -> openpgp::Result<openpgp::Cert> {
# sym_algo: Option<SymmetricAlgorithm>,
# mut decrypt: D)
# -> openpgp::Result<Option<openpgp::Fingerprint>>
-# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
# {
# // The encryption key is the first and only subkey.
# let key = self.secret.keys().unencrypted_secret()
@@ -283,7 +283,7 @@ fn generate() -> openpgp::Result<openpgp::Cert> {
# let mut pair = key.into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair, sym_algo)
-# .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok());
+# .map(|(algo, session_key)| decrypt(algo, &session_key));
#
# // XXX: In production code, return the Fingerprint of the
# // recipient's Cert here
@@ -418,7 +418,7 @@ fn encrypt(policy: &dyn Policy,
# sym_algo: Option<SymmetricAlgorithm>,
# mut decrypt: D)
# -> openpgp::Result<Option<openpgp::Fingerprint>>
-# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+# where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
# {
# // The encryption key is the first and only subkey.
# let key = self.secret.keys().unencrypted_secret()
@@ -429,7 +429,7 @@ fn encrypt(policy: &dyn Policy,
# let mut pair = key.into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair, sym_algo)
-# .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok());
+# .map(|(algo, session_key)| decrypt(algo, &session_key));
#
# // XXX: In production code, return the Fingerprint of the
# // recipient's Cert here
@@ -578,7 +578,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
// The encryption key is the first and only subkey.
let key = self.secret.keys().unencrypted_secret()
@@ -589,7 +589,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
let mut pair = key.into_keypair().unwrap();
pkesks[0].decrypt(&mut pair, sym_algo)
- .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok());
+ .map(|(algo, session_key)| decrypt(algo, &session_key));
// XXX: In production code, return the Fingerprint of the
// recipient's Cert here
diff --git a/ipc/examples/gpg-agent-decrypt.rs b/ipc/examples/gpg-agent-decrypt.rs
index b580b353..76be71db 100644
--- a/ipc/examples/gpg-agent-decrypt.rs
+++ b/ipc/examples/gpg-agent-decrypt.rs
@@ -100,14 +100,15 @@ impl<'a> DecryptionHelper for Helper<'a> {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
// Try each PKESK until we succeed.
for pkesk in pkesks {
if let Some(key) = self.keys.get(pkesk.recipient()) {
let mut pair = KeyPair::new(self.ctx, key)?;
- if let Some(_) = pkesk.decrypt(&mut pair, sym_algo)
- .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok())
+ if pkesk.decrypt(&mut pair, sym_algo)
+ .map(|(algo, session_key)| decrypt(algo, &session_key))
+ .unwrap_or(false)
{
break;
}
diff --git a/ipc/tests/gpg-agent.rs b/ipc/tests/gpg-agent.rs
index 606dd683..c303cdd4 100644
--- a/ipc/tests/gpg-agent.rs
+++ b/ipc/tests/gpg-agent.rs
@@ -276,8 +276,7 @@ fn decrypt() -> openpgp::Result<()> {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) ->
- openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let mut keypair = KeyPair::new(
self.ctx,
@@ -287,8 +286,7 @@ fn decrypt() -> openpgp::Result<()> {
.unwrap();
pkesks[0].decrypt(&mut keypair, sym_algo)
- .and_then(
- |(algo, session_key)| decrypt(algo, &session_key).ok());
+ .map(|(algo, session_key)| decrypt(algo, &session_key));
// XXX: In production code, return the Fingerprint of the
// recipient's Cert here
diff --git a/openpgp-ffi/include/sequoia/openpgp/types.h b/openpgp-ffi/include/sequoia/openpgp/types.h
index b77e4251..216c69cb 100644
--- a/openpgp-ffi/include/sequoia/openpgp/types.h
+++ b/openpgp-ffi/include/sequoia/openpgp/types.h
@@ -1,6 +1,8 @@
#ifndef SEQUOIA_OPENPGP_TYPES_H
#define SEQUOIA_OPENPGP_TYPES_H
+#include <stdbool.h>
+
/*/
/// Holds a session key.
///
@@ -524,7 +526,7 @@ typedef pgp_status_t (*pgp_decryptor_get_certs_cb_t) (void *,
pgp_cert_t **, size_t *,
void (**free)(void *));
-typedef pgp_status_t (pgp_decryptor_do_decrypt_cb_t) (
+typedef bool (pgp_decryptor_do_decrypt_cb_t) (
void *,
uint8_t,
pgp_session_key_t);
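Review bot: Changing the return type of `pgp_decryptor_do_decrypt_cb_t` from `pgp_status_t` to `bool` inverts the meaning of the result without any compile-time signal for existing C callers. Code that stored the result in a `pgp_status_t` and treated non-zero as failure (the pattern the old documentation example used with `rc = decrypt (...)` and `return rc;`) still compiles, but would presumably now read `true` as an error and `false` as success, if the success status is zero. The typedef carries no comment, so I would add one directly above it, e.g. `/* Returns true iff the session key decrypted the message. Deliberately carries no error detail; do not map the result back to a pgp_status_t. */`. A release-note entry marking this as source-compatible but behaviour-breaking would help downstream bindings audit their callbacks.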
diff --git a/openpgp-ffi/src/parse/stream.rs b/openpgp-ffi/src/parse/stream.rs
index 9c900a76..cce302ad 100644
--- a/openpgp-ffi/src/parse/stream.rs
+++ b/openpgp-ffi/src/parse/stream.rs
@@ -416,7 +416,7 @@ type DecryptCallback = fn(*mut HelperCookie,
u8, // XXX SymmetricAlgorithm
extern "C" fn (*mut c_void, u8,
*const crypto::SessionKey)
- -> Status,
+ -> bool,
*mut c_void,
*mut Maybe<super::super::fingerprint::Fingerprint>)
-> Status;
@@ -837,7 +837,7 @@ impl DecryptionHelper for DHelper {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let mut identity: Maybe<super::super::fingerprint::Fingerprint> = None;
@@ -860,12 +860,11 @@ impl DecryptionHelper for DHelper {
extern "C" fn trampoline<D>(data: *mut c_void, algo: u8,
sk: *const crypto::SessionKey)
- -> Status
- where D: FnMut(SymmetricAlgorithm, &SessionKey)
- -> openpgp::Result<()>
+ -> bool
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let closure: &mut D = unsafe { &mut *(data as *mut D) };
- (*closure)(algo.into(), sk.ref_raw()).into()
+ (*closure)(algo.into(), sk.ref_raw())
}
let result = (self.decrypt_cb)(
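Review bot: The `unsafe` dereference in `trampoline` (`&mut *(data as *mut D)`) has no `// SAFETY:` comment, and this rewrite of the function is a good moment to state the pointer contract next to it. Something like `// SAFETY: data is the pointer to the D closure handed to decrypt_cb and is only used for the duration of that call.` would do, worded to match the call site, which continues below this hunk and is not fully visible here. `sk` is also passed through `ref_raw()` with no null check visible in the hunk. If `ref_raw` can panic on a null pointer, that panic would occur inside an `extern "C"` function, so confirming that the callback fails closed (returns `false`) on a null `sk` is worth a line in the comment as well.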
@@ -954,7 +953,6 @@ impl DecryptionHelper for DHelper {
/// void *decrypt_cookie,
/// pgp_fingerprint_t *identity_out)
/// {
-/// pgp_status_t rc;
/// pgp_error_t err;
/// struct decrypt_cookie *cookie = cookie_opaque;
///
@@ -989,18 +987,24 @@ impl DecryptionHelper for DHelper {
/// if (pgp_pkesk_decrypt (&err,
/// pkesk, key, &algo,
/// session_key, &session_key_len)) {
-/// error (1, 0, "pgp_pkesk_decrypt: %s", pgp_error_to_string (err));
+/// error (0, 0, "pgp_pkesk_decrypt: %s", pgp_error_to_string (err));
+/// pgp_key_free (key);
+/// pgp_key_amalgamation_free (ka);
+/// continue;
/// }
/// pgp_key_free (key);
/// pgp_key_amalgamation_free (ka);
///
/// pgp_session_key_t sk = pgp_session_key_from_bytes (session_key,
/// session_key_len);
-/// rc = decrypt (decrypt_cookie, algo, sk);
-/// pgp_session_key_free (sk);
+/// if (! decrypt (decrypt_cookie, algo, sk)) {
+/// pgp_session_key_free (sk);
+/// continue;
+/// }
///
+/// pgp_session_key_free (sk);
/// *identity_out = pgp_cert_fingerprint (cookie->key);
-/// return rc;
+/// return PGP_STATUS_SUCCESS;
/// }
///
/// return PGP_STATUS_UNKNOWN_ERROR;
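Review bot: The new failure branch in this example still prints the detailed `pgp_pkesk_decrypt` error with `error (0, 0, ...)` and then reaches `continue` without releasing `err`. FFI users copy this sample, so a comment such as `/* Local diagnostic only: never make this message, or whether it occurred, observable to the sender of the message. */` would keep it consistent with the rationale in the commit description. Dropping the message altogether is the stricter option. Now that the branch no longer exits, `err` also looks leaked on every failed iteration; `pgp_error_free (err);` before `continue` would address that, assuming the error object is caller-owned here. The enclosing loop starts above this hunk.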
diff --git a/openpgp/examples/decrypt-with.rs b/openpgp/examples/decrypt-with.rs
index 3a5723bc..f50d2102 100644
--- a/openpgp/examples/decrypt-with.rs
+++ b/openpgp/examples/decrypt-with.rs
@@ -84,14 +84,14 @@ impl DecryptionHelper for Helper {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
// Try each PKESK until we succeed.
for pkesk in pkesks {
if let Some(pair) = self.keys.get_mut(pkesk.recipient()) {
- if let Some(_) = pkesk.decrypt(pair, sym_algo)
- .and_then(|(algo, session_key)| decrypt(algo, &session_key)
- .ok())
+ if pkesk.decrypt(pair, sym_algo)
+ .map(|(algo, session_key)| decrypt(algo, &session_key))
+ .unwrap_or(false)
{
break;
}
diff --git a/openpgp/examples/generate-encrypt-decrypt.rs b/openpgp/examples/generate-encrypt-decrypt.rs
index c7e2e38d..3a02f264 100644
--- a/openpgp/examples/generate-encrypt-decrypt.rs
+++ b/openpgp/examples/generate-encrypt-decrypt.rs
@@ -118,7 +118,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D)
-> openpgp::Result<Option<openpgp::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let key = self.secret.keys().unencrypted_secret()
.with_policy(self.policy, None)
@@ -128,7 +128,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
let mut pair = key.into_keypair().unwrap();
pkesks[0].decrypt(&mut pair, sym_algo)
- .and_then(|(algo, session_key)| decrypt(algo, &session_key).ok());
+ .map(|(algo, session_key)| decrypt(algo, &session_key));
// XXX: In production code, return the Fingerprint of the
// recipient's Cert here
diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs
index 69513432..bb242291 100644
--- a/openpgp/src/parse/stream.rs
+++ b/openpgp/src/parse/stream.rs
@@ -667,7 +667,7 @@ impl<V: VerificationHelper> DecryptionHelper for NoDecryptionHelper<V> {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>,
_: D) -> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
unreachable!("This is not used for verifications")
}
@@ -1135,11 +1135,11 @@ enum Mode {
/// fn decrypt<D>(&mut self, _: &[PKESK], skesks: &[SKESK],
/// _sym_algo: Option<SymmetricAlgorithm>,
/// mut decrypt: D) -> Result<Option<openpgp::Fingerprint>>
-/// where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+/// where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
/// {
/// skesks[0].decrypt(&"streng geheim".into())
-/// .and_then(|(algo, session_key)| decrypt(algo, &session_key))
-/// .map(|_| None)
+/// .map(|(algo, session_key)| decrypt(algo, &session_key));
+/// Ok(None)
/// }
/// }
///
@@ -1318,7 +1318,8 @@ pub trait DecryptionHelper {
/// the symmetric algorithm and session key from one of the
/// [`PKESK`] packets, the [`SKESK`] packets, or retrieve it from
/// a cache, and then call `decrypt` with the symmetric algorithm
- /// and session key.
+ /// and session key. `decrypt` returns `true` if the decryption
+ /// was successful.
///
/// [`PKESK`]: ../../packet/enum.PKESK.html
/// [`SKESK`]: ../../packet/enum.SKESK.html
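Review bot: The added sentence documents what `decrypt` returns but not why it is a `bool`, and that reason is what an implementor needs in order not to reintroduce the problem. The helper method itself still returns `Result<Option<Fingerprint>>`, so nothing in the signature prevents an implementation from returning one error when a PKESK fails to decrypt and a different one when the session key is rejected. I would extend the doc comment with `/// The proxy deliberately reports only success or failure. Implementations must not surface why a particular PKESK or session key failed: distinguishable failures can act as a decryption oracle.` The doc comment continues outside this hunk in both directions.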
@@ -1371,14 +1372,14 @@ pub trait DecryptionHelper {
/// fn decrypt<D>(&mut self, pkesks: &[PKESK], skesks: &[SKESK],
/// sym_algo: Option<SymmetricAlgorithm>,
/// mut decrypt: D) -> Result<Option<Fingerprint>>
- /// where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ /// where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
/// {
/// // Try to decrypt, from the most convenient method to the
/// // least convenient one.
///
/// // First, see if it is in the cache.
/// if let Some((fp, algo, sk)) = lookup_cache(pkesks, skesks) {
- /// if decrypt(algo, &sk).is_ok() {
+ /// if decrypt(algo, &sk) {
/// return Ok(fp);
/// }
/// }
@@ -1390,8 +1391,8 @@ pub trait DecryptionHelper {
/// if ! key.secret().is_encrypted() {
/// let mut keypair = key.clone().into_keypair()?;
/// if pkesk.decrypt(&mut keypair, sym_algo)
- /// .and_then(|(algo, sk)| decrypt(algo, &sk).ok())
- /// .is_some()
+ /// .map(|(algo, sk)| decrypt(algo, &sk))
+ /// .unwrap_or(false)
/// {
/// return Ok(Some(fp));
/// }
@@ -1407,8 +1408,8 @@ pub trait DecryptionHelper {
/// if ! key.secret().is_encrypted() {
/// let mut keypair = key.clone().into_keypair()?;
/// if pkesk.decrypt(&mut keypair, sym_algo)
- /// .and_then(|(algo, sk)| decrypt(algo, &sk).ok())
- /// .is_some()
+ /// .map(|(algo, sk)| decrypt(algo, &sk))
+ /// .unwrap_or(false)
/// {
/// return Ok(Some(fp));
/// }
@@ -1438,8 +1439,8 @@ pub trait DecryptionHelper {
///
/// for skesk in skesks {
/// if skesk.decrypt(&password)
- /// .and_then(|(algo, sk)| decrypt(algo, &sk))
- /// .is_ok()
+ /// .map(|(algo, sk)| decrypt(algo, &sk))
+ /// .unwrap_or(false)
/// {
/// return Ok(None);
/// }
@@ -1453,7 +1454,7 @@ pub trait DecryptionHelper {
fn decrypt<D>(&mut self, pkesks: &[PKESK], skesks: &[SKESK],
sym_algo: Option<SymmetricAlgorithm>,
decrypt: D) -> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>;
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool;
}
impl<'a, H: VerificationHelper + DecryptionHelper> Decryptor<'a, H> {
@@ -1558,8 +1559,10 @@ impl<'a, H: VerificationHelper + DecryptionHelper> Decryptor<'a, H> {
let result = pp.decrypt(algo, secret);
if let Ok(_) = result {
sym_algo = Some(algo);
+ true
+ } else {
+ false
}
- result
};
v.identity =
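Review bot: The closure now discards the error from `pp.decrypt(algo, secret)` on purpose, but nothing at that spot says so. The `if let Ok(_) = result { ...; true } else { false }` shape invites a later cleanup that returns or logs `result` again. A short comment such as `// Deliberately drop the error: the helper may only learn success or failure.` would protect the intent. As a style point, `let ok = pp.decrypt(algo, secret).is_ok(); if ok { sym_algo = Some(algo); } ok` expresses the same logic with less nesting. The closure opens above this hunk and the surrounding function continues below it.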
@@ -2081,7 +2084,7 @@ mod test {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>, _: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
unreachable!();
}
@@ -2212,7 +2215,7 @@ mod test {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>, _: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
unreachable!();
}
diff --git a/openpgp/src/policy.rs b/openpgp/src/policy.rs
index fe266b79..a4635201 100644
--- a/openpgp/src/policy.rs
+++ b/openpgp/src/policy.rs
@@ -1201,7 +1201,7 @@ mod test {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>,_: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
unreachable!();
}
@@ -1640,7 +1640,7 @@ mod test {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>,_: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
unreachable!();
}
@@ -1763,7 +1763,7 @@ mod test {
fn decrypt<D>(&mut self, _: &[PKESK], _: &[SKESK],
_: Option<SymmetricAlgorithm>, _: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()> {
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool {
Ok(None)
}
}
@@ -1810,7 +1810,7 @@ mod test {
fn decrypt<D>(&mut self, pkesks: &[PKESK], _: &[SKESK],
algo: Option<SymmetricAlgorithm>, mut decrypt: D)
-> Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let p = &P::new();
let mut pair = Cert::from_bytes(
@@ -1819,8 +1819,7 @@ mod test {
.for_transport_encryption().secret().nth(0).unwrap()
.key().clone().into_keypair()?;
pkesks[0].decrypt(&mut pair, algo)
- .and_then(|(algo, session_key)|
- decrypt(algo, &session_key).ok());
+ .map(|(algo, session_key)| decrypt(algo, &session_key));
Ok(None)
}
}
diff --git a/openpgp/src/serialize/stream.rs b/openpgp/src/serialize/stream.rs
index 7228bcd5..36c3358f 100644
--- a/openpgp/src/serialize/stream.rs
+++ b/openpgp/src/serialize/stream.rs
@@ -3057,7 +3057,7 @@ mod test {
fn decrypt<D>(&mut self, pkesks: &[PKESK], _skesks: &[SKESK],
sym_algo: Option<SymmetricAlgorithm>,
mut decrypt: D) -> Result<Option<crate::Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let mut keypair = self.tsk.keys().with_policy(self.policy, None)
.for_transport_encryption()
@@ -3065,8 +3065,7 @@ mod test {
.clone().parts_into_secret().unwrap()
.into_keypair().unwrap();
pkesks[0].decrypt(&mut keypair, sym_algo)
- .and_then(|(algo, session_key)|
- decrypt(algo, &session_key).ok());
+ .map(|(algo, session_key)| decrypt(algo, &session_key));
Ok(None)
}
}
diff --git a/sop/src/main.rs b/sop/src/main.rs
index 5d707b8c..15eccf4c 100644
--- a/sop/src/main.rs
+++ b/sop/src/main.rs
@@ -672,12 +672,12 @@ impl<'a> Helper<'a> {
-> Option<(SymmetricAlgorithm,
SessionKey,
Option<Fingerprint>)>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
let keyid = keypair.public().fingerprint().into();
let (algo, sk) = pkesk.decrypt(keypair, algo)
.and_then(|(algo, sk)| {
- decrypt(algo, &sk).ok()?; Some((algo, sk))
+ if decrypt(algo, &sk) { Some((algo, sk)) } else { None }
})?;
Some((algo, sk, self.identities.get(&keyid).map(|fp| fp.clone())))
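Review bot: The `and_then` closure that turns the proxy's `bool` back into an `Option` can be written as a filter. `.filter(|(algo, sk)| decrypt(*algo, sk))` would replace the `if decrypt(algo, &sk) { Some((algo, sk)) } else { None }` block, assuming `SymmetricAlgorithm` is `Copy`. The same shape appears in the SKESK loop in the last hunk of this file (`skesk.decrypt(password).ok().and_then(...)`), where `.ok().filter(...)` would work as well. This is a readability point only and the behaviour is unchanged. The function's signature starts above this hunk.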
@@ -705,7 +705,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
fn decrypt<D>(&mut self, pkesks: &[PKESK], skesks: &[SKESK],
algo: Option<SymmetricAlgorithm>,
mut decrypt: D) -> openpgp::Result<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
+ where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool
{
// First, try all supplied session keys.
while let Some(sk) = self.session_keys.pop() {
@@ -713,7 +713,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
.filter(|a| a.key_size().map(|size| size == sk.len())
.unwrap_or(false))
{
- if decrypt(algo, &sk).is_ok() {
+ if decrypt(algo, &sk) {
self.dump_session_key(algo, &sk)?;
return Ok(None);
}
@@ -764,10 +764,13 @@ impl<'a> DecryptionHelper for Helper<'a> {
// Finally, try to decrypt using the SKESKs.
for password in self.passwords.iter() {
for skesk in skesks {
- if let Ok((algo, sk)) = skesk.decrypt(password)
+ if let Some((algo, sk)) = skesk.decrypt(password).ok()
.and_then(|(algo, sk)| {
- decrypt(algo, &sk)?;
- Ok((algo, sk))
+ if decrypt(algo, &sk) {
+ Some((algo, sk))
+ } else {
+ None
+ }
})
{
self.dump_session_key(algo, &sk)?;
diff --git a/tool/src/commands/decrypt.rs b/tool/src/commands/decrypt.rs
index ea48eb0b..d7657cdb 100644
--- a/tool/src/commands/decrypt.rs
+++ b/tool/src/commands/decrypt.rs
@@ -90,12 +90,12 @@ impl<'a> Helper<'a> {
keypair: &mut dyn crypto::Decryptor,
decrypt: &mut D)
-> Option<Option<Fingerprint>>
- where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpg