authorJustus Winter <justus@sequoia-pgp.org>2019-02-06 14:06:32 +0100
committerJustus Winter <justus@sequoia-pgp.org>2019-02-06 14:06:32 +0100
commit55018aa2b8f3b0ce045e262a05127d49308710b4 (patch)
treeef39120f01a31b3be31a27dfa9058475bfa78ec0
parent2a75428b44fd56616342a786cc33dd66145f6228 (diff)
openpgp: Improve secret key handling.
- Use curve25519::secret_key() to generate keys in crypto::ecdh. - Wrap the secret keys into SessionKey objects to make sure they are zeroed when dropped.
-rw-r--r--openpgp/src/crypto/ecdh.rs11
-rw-r--r--openpgp/src/crypto/mod.rs8
-rw-r--r--openpgp/src/packet/key.rs6
3 files changed, 13 insertions, 12 deletions
diff --git a/openpgp/src/crypto/ecdh.rs b/openpgp/src/crypto/ecdh.rs
index 88ebd684..3329bbb4 100644
--- a/openpgp/src/crypto/ecdh.rs
+++ b/openpgp/src/crypto/ecdh.rs
@@ -14,7 +14,7 @@ use conversions::{
read_be_u64,
};
use crypto::mpis::{MPI, PublicKey, SecretKey, Ciphertext};
-use nettle::{cipher, curve25519, mode, Mode, Yarrow};
+use nettle::{cipher, curve25519, mode, Mode};
/// Wraps a session key using Elliptic Curve Diffie-Hellman.
pub fn wrap_session_key(recipient: &Key, session_key: &[u8])
@@ -25,18 +25,13 @@ pub fn wrap_session_key(recipient: &Key, session_key: &[u8])
} = recipient.mpis() {
match curve {
Curve::Cv25519 => {
- let mut rng = Yarrow::default();
-
// Obtain the authenticated recipient public key R
#[allow(non_snake_case)]
let R = q.decode_point(curve)?.0;
// Generate an ephemeral key pair {v, V=vG}
- let mut v = [0u8; curve25519::CURVE25519_SIZE];
- rng.random(&mut v);
- // Note: Nettle ignores the most significant and the three
- // least significant bits, therefore every value is a valid
- // secret key.
+ let mut v =
+ ::crypto::SessionKey::from(curve25519::secret_key());
// Compute the public key. We need to add an encoding
// octet in front of the key.
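Review bot: Wrapping the result of `curve25519::secret_key()` in `SessionKey` zeroes only the buffer the wrapper ends up owning, and the helper's return type is not visible in this hunk, so it is unclear whether the secret is moved or copied on the way in. If the conversion copies or reallocates (for example through the `From<Vec<u8>>` impl in crypto/mod.rs, whose `into_boxed_slice()` may reallocate when capacity exceeds length), the earlier storage is released without being cleared. I would confirm which `From` impl is selected and, once confirmed, record it at the call site, e.g. `// secret_key() output is moved, not copied, into the zeroing buffer`. The same question applies to the two `.into()` conversions in openpgp/src/packet/key.rs. The body of `wrap_session_key` continues outside the hunk.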
diff --git a/openpgp/src/crypto/mod.rs b/openpgp/src/crypto/mod.rs
index 33f27078..9dfec48e 100644
--- a/openpgp/src/crypto/mod.rs
+++ b/openpgp/src/crypto/mod.rs
@@ -1,7 +1,7 @@
//! Cryptographic primitives.
use std::io::Read;
-use std::ops::Deref;
+use std::ops::{Deref, DerefMut};
use std::fmt;
use std::cmp::Ordering;
@@ -54,6 +54,12 @@ impl Deref for SessionKey {
}
}
+impl DerefMut for SessionKey {
+ fn deref_mut(&mut self) -> &mut [u8] {
+ &mut self.0
+ }
+}
+
impl From<Vec<u8>> for SessionKey {
fn from(v: Vec<u8>) -> Self {
SessionKey(v.into_boxed_slice())
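Review bot: The new `DerefMut` impl has no doc comment, although it widens what callers can do with key material: any code holding a `&mut SessionKey` can now overwrite the bytes in place or copy them out through the slice. A short comment on the impl would record why mutable access is needed and what the zero-on-drop guarantee described in the commit message still covers, e.g. `/// Mutable access to the key bytes; only this buffer is zeroed on drop, copies taken from the slice are not.` The `From<Vec<u8>>` impl shown as context is cut off at the end of the hunk.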
diff --git a/openpgp/src/packet/key.rs b/openpgp/src/packet/key.rs
index 9ba5707e..aa24c2c7 100644
--- a/openpgp/src/packet/key.rs
+++ b/openpgp/src/packet/key.rs
@@ -6,7 +6,7 @@ use std::cmp::Ordering;
use time;
use Error;
-use crypto::{mpis, KeyPair};
+use crypto::{mpis, KeyPair, SessionKey};
use packet::Tag;
use packet;
use Packet;
@@ -169,7 +169,7 @@ impl Key {
EdDSA => {
let mut public = [0u8; ED25519_KEY_SIZE + 1];
- let mut private = ed25519::private_key();
+ let mut private: SessionKey = ed25519::private_key().into();
public[0] = 0x40;
ed25519::public_key(&mut public[1..], &private)?;
@@ -190,7 +190,7 @@ impl Key {
ECDH => {
let mut public = [0u8; CURVE25519_SIZE + 1];
- let mut private = curve25519::secret_key();
+ let mut private: SessionKey = curve25519::secret_key().into();
public[0] = 0x40;