authorJustus Winter <justus@sequoia-pgp.org>2023-05-16 13:11:39 +0200
committerJustus Winter <justus@sequoia-pgp.org>2023-05-22 11:03:16 +0200
commitd088cdb56f525beb1306a8145362a13e11704bf6 (patch)
treee373f819e861221474200c2b38f8a962ccb15108
parent480ab2440afca45313425013c12e847adc31d871 (diff)
openpgp: Implement OCB mode using the Nettle backend.
- Nettle 3.9 and up support the authenticated encryption mode OCB.
-rw-r--r--Cargo.lock5
-rw-r--r--openpgp/Cargo.toml2
-rw-r--r--openpgp/src/crypto/backend/nettle.rs18
-rw-r--r--openpgp/src/crypto/backend/nettle/aead.rs56
4 files changed, 75 insertions, 6 deletions
diff --git a/Cargo.lock b/Cargo.lock
index db581028..810b71af 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1552,14 +1552,15 @@ dependencies = [
[[package]]
name = "nettle"
-version = "7.2.2"
+version = "7.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91ff5d538c014cb58ab701db16e28aa66fbbb8b472bf65821d0e84f72aae6d4f"
+checksum = "b9fdccf3eae7b161910d2daa2f0155ca35041322e8fe5c5f1f2c9d0b12356336"
dependencies = [
"getrandom 0.2.9",
"libc",
"nettle-sys",
"thiserror",
+ "typenum",
]
[[package]]
diff --git a/openpgp/Cargo.toml b/openpgp/Cargo.toml
index 6e1c950b..bfae2c4b 100644
--- a/openpgp/Cargo.toml
+++ b/openpgp/Cargo.toml
@@ -38,7 +38,7 @@ lalrpop-util = ">=0.17, <0.20"
lazy_static = "1.4.0"
libc = "0.2.66"
memsec = { version = ">=0.5, <0.7", default-features = false }
-nettle = { version = "7.2.2", optional = true }
+nettle = { version = "7.3", optional = true }
once_cell = "1"
regex = "1"
regex-syntax = "0.6"
diff --git a/openpgp/src/crypto/backend/nettle.rs b/openpgp/src/crypto/backend/nettle.rs
index d2d8750a..62c62f4b 100644
--- a/openpgp/src/crypto/backend/nettle.rs
+++ b/openpgp/src/crypto/backend/nettle.rs
@@ -14,9 +14,10 @@ pub mod symmetric;
pub fn backend() -> String {
let (major, minor) = nettle::version();
format!(
- "Nettle {}.{} (Cv448: {:?})",
+ "Nettle {}.{} (Cv448: {:?}, OCB: {:?})",
major, minor,
nettle::curve448::IS_SUPPORTED,
+ nettle::aead::OCB_IS_SUPPORTED,
)
}
@@ -65,7 +66,9 @@ impl AEADAlgorithm {
match &self {
EAX
=> true,
- OCB | Private(_) | Unknown(_)
+ OCB
+ => nettle::aead::OCB_IS_SUPPORTED,
+ Private(_) | Unknown(_)
=> false,
}
}
@@ -84,6 +87,17 @@ impl AEADAlgorithm {
SymmetricAlgorithm::Camellia256 => true,
_ => false,
},
+ AEADAlgorithm::OCB =>
+ match algo {
+ SymmetricAlgorithm::AES128 |
+ SymmetricAlgorithm::AES192 |
+ SymmetricAlgorithm::AES256 |
+ SymmetricAlgorithm::Twofish |
+ SymmetricAlgorithm::Camellia128 |
+ SymmetricAlgorithm::Camellia192 |
+ SymmetricAlgorithm::Camellia256 => true,
+ _ => false,
+ },
_ => false
}
}
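Review bot: The new `AEADAlgorithm::OCB` arm answers `true` for these ciphers even when the linked Nettle has no OCB, so this check can disagree with the `is_supported` change in the previous hunk, which is gated on `nettle::aead::OCB_IS_SUPPORTED`. A caller that consults only this check would presumably learn about the missing mode only when constructing the context, rather than getting a clean refusal up front. Guarding the arm, `AEADAlgorithm::OCB if nettle::aead::OCB_IS_SUPPORTED =>`, lets the unsupported case fall through to the existing `_ => false`. The enclosing function starts outside the hunk.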
diff --git a/openpgp/src/crypto/backend/nettle/aead.rs b/openpgp/src/crypto/backend/nettle/aead.rs
index 486269b1..76303715 100644
--- a/openpgp/src/crypto/backend/nettle/aead.rs
+++ b/openpgp/src/crypto/backend/nettle/aead.rs
@@ -1,7 +1,14 @@
//! Implementation of AEAD using Nettle cryptographic library.
use std::cmp::Ordering;
-use nettle::{aead::{self, Aead as _}, cipher};
+use nettle::{
+ aead::{
+ self,
+ Aead as _,
+ typenum::consts::U16,
+ },
+ cipher,
+};
use crate::{Error, Result};
@@ -110,6 +117,53 @@ impl AEADAlgorithm {
},
_ => Err(Error::UnsupportedSymmetricAlgorithm(sym_algo).into()),
},
+
+ AEADAlgorithm::OCB => match sym_algo {
+ SymmetricAlgorithm::AES128 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Aes128, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::AES192 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Aes192, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::AES256 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Aes256, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::Twofish => {
+ let mut ctx =
+ aead::Ocb::<cipher::Twofish, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::Camellia128 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Camellia128, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::Camellia192 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Camellia192, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ SymmetricAlgorithm::Camellia256 => {
+ let mut ctx =
+ aead::Ocb::<cipher::Camellia256, U16>::with_key_and_nonce(key, nonce)?;
+ ctx.update(aad);
+ Ok(Box::new(ctx))
+ },
+ _ => Err(Error::UnsupportedSymmetricAlgorithm(sym_algo).into()),
+ },
+
_ => Err(Error::UnsupportedAEADAlgorithm(*self).into()),
}
}
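Review bot: The `U16` type parameter on each `aead::Ocb` constructor is undocumented, and it appears to be what fixes the authentication tag at 16 bytes. A comment above the `AEADAlgorithm::OCB` arm such as `// U16: full 128-bit OCB tag; keep in sync with the tag size used for OCB elsewhere.` would keep a later edit from silently shortening the tag. Key and nonce lengths are not checked here and are left to `with_key_and_nonce`; that is worth stating in the same comment, since the hunk does not show what Nettle rejects. The seven arms differ only in the cipher type, so a small local macro or generic helper would stop the list drifting from the cipher list in the capability check in `nettle.rs`. The enclosing function starts outside the hunk.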