authorJustus Winter <justus@sequoia-pgp.org>2022-08-15 12:20:28 +0200
committerJustus Winter <justus@sequoia-pgp.org>2022-08-15 12:20:28 +0200
commitca7e16e8aad5c77445905c088cedf41c881552a8 (patch)
tree6780f2d023bfb91153af7258b2cdada3b45c66bf
parentf6b267a25a0e4d59bdfdf0e066b4875e8484550d (diff)
openpgp: Avoid hardcoding EAX for memory encryption.
- Previously, we used EAX for memory encryption because it was supported by all cryptographic backends. However, this is problematic for OpenSSL, which doesn't support EAX.
- Instead, have the backends provide a default algorithm to use that they support.
-rw-r--r--openpgp/src/crypto/backend/cng.rs9
-rw-r--r--openpgp/src/crypto/backend/nettle.rs9
-rw-r--r--openpgp/src/crypto/backend/rust.rs9
-rw-r--r--openpgp/src/crypto/mem.rs2
4 files changed, 28 insertions, 1 deletions
diff --git a/openpgp/src/crypto/backend/cng.rs b/openpgp/src/crypto/backend/cng.rs
index 89f56e31..b2a47e74 100644
--- a/openpgp/src/crypto/backend/cng.rs
+++ b/openpgp/src/crypto/backend/cng.rs
@@ -49,6 +49,15 @@ impl Curve {
}
impl AEADAlgorithm {
+ /// Returns the best AEAD mode supported by the backend.
+ ///
+ /// This SHOULD return OCB, which is the mandatory-to-implement
+ /// algorithm and the most performing one, but fall back to any
+ /// supported algorithm.
+ pub(crate) const fn const_default() -> AEADAlgorithm {
+ AEADAlgorithm::EAX
+ }
+
pub(crate) fn is_supported_by_backend(&self) -> bool {
use self::AEADAlgorithm::*;
match &self {
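Review bot: The doc comment on `const_default()` says it SHOULD return OCB, yet the body returns `AEADAlgorithm::EAX` without saying why, and the same comment and body are repeated verbatim in the nettle.rs and rust.rs hunks. A reader cannot tell from these lines whether EAX is a deliberate fallback for this backend or a placeholder, so each copy should carry a short why-comment on the return line, for example `// EAX for now: <reason this backend does not return OCB>`. "the most performing one" would also read better as "the best-performing one". The `impl AEADAlgorithm` block continues past the end of the hunk.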
diff --git a/openpgp/src/crypto/backend/nettle.rs b/openpgp/src/crypto/backend/nettle.rs
index 3de8a6a9..716ec5e1 100644
--- a/openpgp/src/crypto/backend/nettle.rs
+++ b/openpgp/src/crypto/backend/nettle.rs
@@ -48,6 +48,15 @@ impl Curve {
}
impl AEADAlgorithm {
+ /// Returns the best AEAD mode supported by the backend.
+ ///
+ /// This SHOULD return OCB, which is the mandatory-to-implement
+ /// algorithm and the most performing one, but fall back to any
+ /// supported algorithm.
+ pub(crate) const fn const_default() -> AEADAlgorithm {
+ AEADAlgorithm::EAX
+ }
+
pub(crate) fn is_supported_by_backend(&self) -> bool {
use self::AEADAlgorithm::*;
match &self {
diff --git a/openpgp/src/crypto/backend/rust.rs b/openpgp/src/crypto/backend/rust.rs
index dc4773ed..61784b2c 100644
--- a/openpgp/src/crypto/backend/rust.rs
+++ b/openpgp/src/crypto/backend/rust.rs
@@ -55,6 +55,15 @@ impl Curve {
}
impl AEADAlgorithm {
+ /// Returns the best AEAD mode supported by the backend.
+ ///
+ /// This SHOULD return OCB, which is the mandatory-to-implement
+ /// algorithm and the most performing one, but fall back to any
+ /// supported algorithm.
+ pub(crate) const fn const_default() -> AEADAlgorithm {
+ AEADAlgorithm::EAX
+ }
+
pub(crate) fn is_supported_by_backend(&self) -> bool {
use self::AEADAlgorithm::*;
match &self {
diff --git a/openpgp/src/crypto/mem.rs b/openpgp/src/crypto/mem.rs
index af7c5cfa..9af1936c 100644
--- a/openpgp/src/crypto/mem.rs
+++ b/openpgp/src/crypto/mem.rs
@@ -269,7 +269,7 @@ mod has_access_to_prekey {
// algorithms MUST be supported by the cryptographic library.
const HASH_ALGO: HashAlgorithm = HashAlgorithm::SHA256;
const SYMMETRIC_ALGO: SymmetricAlgorithm = SymmetricAlgorithm::AES256;
- const AEAD_ALGO: AEADAlgorithm = AEADAlgorithm::EAX;
+ const AEAD_ALGO: AEADAlgorithm = AEADAlgorithm::const_default();
impl Encrypted {
/// Computes the sealing key used to encrypt the memory.
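Review bot: `AEAD_ALGO` now takes whatever the backend's `const_default()` returns, but nothing visible in this hunk verifies that the chosen mode is usable, even though the comment above still says these algorithms MUST be supported by the cryptographic library. `is_supported_by_backend()` is declared as a plain `fn` in the backend hunks, so the check presumably cannot be done in a const context. A unit test inside this module would catch a backend whose default drifts from its supported set: `assert!(AEAD_ALGO.is_supported_by_backend());`. The `has_access_to_prekey` module starts before the hunk and `impl Encrypted` continues after it.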