authorKai Michaelis <kai@sequoia-pgp.org>2018-12-14 18:42:28 +0100
committerKai Michaelis <kai@sequoia-pgp.org>2018-12-14 18:46:16 +0100
commit48938269dc7866619c21eff8bc7772ee31237d51 (patch)
tree477fd7157d67259b8269cb1b2fde4c1900da6ca8 /openpgp/src/crypto/aead.rs
parentd7b99c5232bc2f1ac2f7c1df4b7432a9fa668a68 (diff)
openpgp: extend secure_eq to secure_cmp.
secure_cmp allows for constant-time ordering.
Diffstat (limited to 'openpgp/src/crypto/aead.rs')
-rw-r--r--openpgp/src/crypto/aead.rs22
1 files changed, 16 insertions, 6 deletions
diff --git a/openpgp/src/crypto/aead.rs b/openpgp/src/crypto/aead.rs
index f53b67e0..33227997 100644
--- a/openpgp/src/crypto/aead.rs
+++ b/openpgp/src/crypto/aead.rs
@@ -16,7 +16,7 @@ use conversions::{
use Error;
use Result;
use crypto::SessionKey;
-use super::secure_eq;
+use super::secure_cmp;
impl AEADAlgorithm {
/// Returns the digest size of the AEAD algorithm.
@@ -179,6 +179,8 @@ impl<R: io::Read> Decryptor<R> {
}
fn read_helper(&mut self, plaintext: &mut [u8]) -> Result<usize> {
+ use std::cmp::Ordering;
+
let mut pos = 0;
// 1. Copy any buffered data.
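Review bot: `use std::cmp::Ordering;` is scoped to read_helper, while the file's other imports sit in the top-level `use` block that the first hunk edits. The hunks at -330 and -348 also test against `Ordering::Equal`, and whether they lie inside this same function is not visible here. A file-level `use std::cmp::Ordering;` next to `use super::secure_cmp;` would cover every call site regardless. read_helper's body continues outside the hunk.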
@@ -244,7 +246,9 @@ impl<R: io::Read> Decryptor<R> {
// Check digest.
aead.digest(&mut digest);
- if !secure_eq(&digest[..], &chunk[chunk.len() - self.digest_size..]) {
+ let dig_ord = secure_cmp(&digest[..],
+ &chunk[chunk.len() - self.digest_size..]);
+ if dig_ord != Ordering::Equal {
return Err(Error::ManipulatedMessage.into());
}
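Review bot: The slice start `chunk.len() - self.digest_size` in the second argument is an unchecked `usize` subtraction on data read from the message, and nothing in this hunk shows that `chunk.len() >= self.digest_size` holds here. If that is guaranteed earlier in read_helper (its body starts and ends outside the hunk), a comment such as `// chunk.len() >= self.digest_size is ensured above` would record the invariant. Otherwise a truncated chunk would panic at the slice instead of returning `Error::ManipulatedMessage`. Taking the start from `chunk.len().checked_sub(self.digest_size)` and returning the error on `None` makes that path explicit. The same pattern appears as `ciphertext_end - self.digest_size` in the hunk at -330.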
@@ -257,10 +261,13 @@ impl<R: io::Read> Decryptor<R> {
// We read the whole ciphertext, now check the final digest.
let mut aead = self.make_aead()?;
self.hash_associated_data(&mut aead, true);
+
let mut nada = [0; 0];
aead.decrypt(&mut nada, b"");
aead.digest(&mut digest);
- if !secure_eq(&digest[..], &ciphertext[ciphertext_end..]) {
+
+ let dig_ord = secure_cmp(&digest[..], &ciphertext[ciphertext_end..]);
+ if dig_ord != Ordering::Equal {
return Err(Error::ManipulatedMessage.into());
}
}
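Review bot: The second argument `&ciphertext[ciphertext_end..]` takes whatever length remains after `ciphertext_end`, so this tag check depends on how `secure_cmp` orders slices of unequal length, and that definition is not shown in this diff. The check is only sound if a length mismatch can never produce `Ordering::Equal`. That is worth confirming in `secure_cmp` and stating at the call site, e.g. `// secure_cmp never returns Equal for slices of different length`. The final-digest check in the last hunk (-348) is identical, and the enclosing block continues outside this hunk.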
@@ -330,10 +337,10 @@ impl<R: io::Read> Decryptor<R> {
// Check digest.
aead.digest(&mut digest);
- let mac_is_ok = secure_eq(
+ let mac_ord = secure_cmp(
&digest[..],
&ciphertext[ciphertext_end - self.digest_size..ciphertext_end]);
- if !mac_is_ok {
+ if mac_ord != Ordering::Equal {
return Err(Error::ManipulatedMessage.into());
}
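Review bot: Renaming `mac_is_ok` to `mac_ord` drops the name that said what the check means, and the other three call sites name the same value `dig_ord`. Every site only tests for equality, so binding the boolean keeps both the intent and the constant-time compare: `let mac_is_ok = secure_cmp(&digest[..], &ciphertext[ciphertext_end - self.digest_size..ciphertext_end]) == Ordering::Equal;` followed by `if !mac_is_ok {`. A one-line `secure_eq` wrapper over `secure_cmp` would do this for all four sites and rule out testing against the wrong `Ordering` variant in an authentication-tag check.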
@@ -348,10 +355,13 @@ impl<R: io::Read> Decryptor<R> {
// We read the whole ciphertext, now check the final digest.
let mut aead = self.make_aead()?;
self.hash_associated_data(&mut aead, true);
+
let mut nada = [0; 0];
aead.decrypt(&mut nada, b"");
aead.digest(&mut digest);
- if !secure_eq(&digest[..], &ciphertext[ciphertext_end..]) {
+
+ let dig_ord = secure_cmp(&digest[..], &ciphertext[ciphertext_end..]);
+ if dig_ord != Ordering::Equal {
return Err(Error::ManipulatedMessage.into());
}
}