authorJustus Winter <justus@sequoia-pgp.org>2021-09-09 17:16:52 +0200
committerJustus Winter <justus@sequoia-pgp.org>2021-09-30 13:49:17 +0200
commitaa21e2404d9502eeea84ff39da03a85c971ea2d3 (patch)
treeea723d20c230e45899b4268f40bf89e7ff765808
parentc422b1b317fb760bc6b43cb8055fe0a1305ba3a5 (diff)
openpgp: Add features to opt-in to experimental crypto backends.
-rw-r--r--openpgp/Cargo.toml4
-rw-r--r--openpgp/README.md11
-rw-r--r--openpgp/build.rs42
3 files changed, 57 insertions, 0 deletions
diff --git a/openpgp/Cargo.toml b/openpgp/Cargo.toml
index 015000a8..1d1fa3de 100644
--- a/openpgp/Cargo.toml
+++ b/openpgp/Cargo.toml
@@ -70,6 +70,10 @@ default = ["compression", "crypto-nettle"]
crypto-nettle = ["nettle"]
crypto-cng = ["winapi", "win-crypto-ng", "ed25519-dalek", "num-bigint-dig"]
+# Experimental and variable-time cryptographic backends opt-ins
+allow-experimental-crypto = []
+allow-variable-time-crypto = []
+
# The compression algorithms.
compression = ["compression-deflate", "compression-bzip2"]
compression-deflate = ["flate2", "buffered-reader/compression-deflate"]
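Review bot: The comment above `allow-experimental-crypto` and `allow-variable-time-crypto` does not say who is expected to enable them. Cargo unifies a package's features across the dependency graph, so a library that depends on this crate and turns one of them on opts in every other user of the crate in the same build, without the application author seeing it. I would extend the comment to something like `# Opt-ins for experimental and variable-time crypto backends. Features are unified across the build: enable these only in the final application, never in a library.` Both features are empty lists, so they appear to act purely as markers for the check in build.rs.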
diff --git a/openpgp/README.md b/openpgp/README.md
index 0206ff81..3e0c81c2 100644
--- a/openpgp/README.md
+++ b/openpgp/README.md
@@ -81,6 +81,17 @@ at compile time. Currently, these libraries are available:
include the `crypto-cng` feature to enable it. Currently, the CNG
backend requires at least Windows 10.
+### Experimental and variable-time cryptographic backends
+
+Some cryptographic backends are not yet considered mature enough for
+general consumption. The use of such backends requires explicit
+opt-in using the feature flag `allow-experimental-crypto`.
+
+Some cryptographic backends can not guarantee that cryptographic
+operations require a constant amount of time. This may leak secret
+keys in some settings. The use of such backends requires explicit
+opt-in using the feature flag `allow-variable-time-crypto`.
+
## Compression algorithms
Use the `compression` flag to enable support for all compression
diff --git a/openpgp/build.rs b/openpgp/build.rs
index bc0f09a7..210483e5 100644
--- a/openpgp/build.rs
+++ b/openpgp/build.rs
@@ -96,4 +96,46 @@ See https://crates.io/crates/sequoia-openpgp#crypto-backends",
exit(1);
},
}
+
+ // We now have exactly one backend.
+ assert_eq!(backends.len(), 1);
+ let backend = &backends[0];
+
+ // Check its properties.
+ if ! (backend.production_ready
+ || cfg!(feature = "allow-experimental-crypto"))
+ {
+ eprintln!("
+The cryptographic backend {} is not considered production ready.
+
+If you know what you are doing, you can opt-in to using experimental
+cryptographic backends using the feature flag
+
+ allow-experimental-crypto
+
+See https://crates.io/crates/sequoia-openpgp#crypto-backends",
+ backend.name);
+ exit(1);
+ }
+
+ if ! (backend.constant_time
+ || cfg!(feature = "allow-variable-time-crypto"))
+ {
+ eprintln!("
+The cryptographic backend {} does not provide constant-time
+operations. This has the potential of leaking cryptographic secrets,
+enable attackers to forge signatures, or cause other mayhem.
+
+If you are not using Sequoia in an interactive setting, using
+variable-time cryptographic operations is probably safe.
+
+If you know what you are doing, you can opt-in to using variable-time
+cryptographic operations using the feature flag
+
+ allow-variable-time-crypto
+
+See https://crates.io/crates/sequoia-openpgp#crypto-backends",
+ backend.name);
+ exit(1);
+ }
}
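Review bot: The variable-time message tells the user that non-"interactive" use is "probably safe", but it never says what interactive means, and a reader can take it as "a human is at the keyboard". What matters for a timing side channel is whether an untrusted party can trigger and time operations on the secret key, so an unattended network service is the exposed case. I would reword that paragraph along the lines of `If no untrusted party can trigger and time operations on your secret keys, using variable-time cryptographic operations is probably safe.` In the same message, "enable attackers to forge signatures" should read "enabling attackers to forge signatures" to match "leaking". The enclosing function starts outside this hunk, as do `backends` and the `production_ready` and `constant_time` fields, so how those flags are set per backend cannot be checked from here.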