path: root/openpgp/src/crypto/backend/cng/aead.rs
authorJustus Winter <justus@sequoia-pgp.org>2023-03-02 13:39:50 +0100
committerJustus Winter <justus@sequoia-pgp.org>2023-03-02 15:03:12 +0100
commit3d2b1e3ae7f555b027113767938bbe5663df74a0 (patch)
treede02ffbdd529d7b56d6ba8361dec99be24d6940e /openpgp/src/crypto/backend/cng/aead.rs
parentb9d5a76186e2a9380cf3f6f7a96b07b6bdaaaa26 (diff)
openpgp: Combine ciphertext and tag in Aead::decrypt_verify.
- It is easier (and cheaper) to tear apart in backends that need ciphertext and tag to be separate than to combine them for backends that expect the tag to be appended to the ciphertext.
- The caller doesn't have to do anything, because in OpenPGP on the wire the tag is already appended to the ciphertext. The one exception is our current implementation of SKESKv5, but in our upcoming SKESKv6 implementation we store the tag appended to the ciphertext, so it will be easy to use this interface there.
Diffstat (limited to 'openpgp/src/crypto/backend/cng/aead.rs')
-rw-r--r--openpgp/src/crypto/backend/cng/aead.rs11
1 files changed, 9 insertions, 2 deletions
diff --git a/openpgp/src/crypto/backend/cng/aead.rs b/openpgp/src/crypto/backend/cng/aead.rs
index c714efbb..a3aaefb4 100644
--- a/openpgp/src/crypto/backend/cng/aead.rs
+++ b/openpgp/src/crypto/backend/cng/aead.rs
@@ -127,7 +127,7 @@ macro_rules! impl_aead {
dst[src.len()..].copy_from_slice(&tag[..]);
Ok(())
}
- fn decrypt_verify(&mut self, _dst: &mut [u8], _src: &[u8], _digest: &[u8]) -> Result<()> {
+ fn decrypt_verify(&mut self, _dst: &mut [u8], _src: &[u8]) -> Result<()> {
panic!("AEAD decryption called in the encryption context")
}
}
@@ -141,7 +141,14 @@ macro_rules! impl_aead {
fn encrypt_seal(&mut self, _dst: &mut [u8], _src: &[u8]) -> Result<()> {
panic!("AEAD encryption called in the decryption context")
}
- fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> {
+ fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> {
+ debug_assert_eq!(dst.len() + self.digest_size(), src.len());
+
+ // Split src into ciphertext and digest.
+ let l = self.digest_size();
+ let digest = &src[src.len().saturating_sub(l)..];
+ let src = &src[..src.len().saturating_sub(l)];
+
let len = core::cmp::min(dst.len(), src.len());
dst[..len].copy_from_slice(&src[..len]);
self.decrypt_unauthenticated_hazmat(&mut dst[..len]);
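Review bot: The length precondition added at the top of decrypt_verify is only a `debug_assert_eq!`, so in a release build an `src` shorter than `digest_size()` is not rejected here; `saturating_sub` then makes `digest` the whole undersized input and the ciphertext slice empty, and whether that input is refused depends on the tag comparison that follows this hunk, which is outside the view (decrypt_verify's body continues past the hunk). Because `src` is wire data rather than a caller invariant, a hard check before the split would be safer than an assertion, e.g. `if src.len() < l { return Err(<short-input error, placeholder>); }` placed right after `let l = self.digest_size();`, keeping the `debug_assert_eq!` for the exact-length expectation if wanted. A one-line comment on the hazmat call, `// Plaintext is written to dst before the tag is checked; callers must not use dst unless Ok is returned`, would also make the ordering visible to readers of this function, since the verification step is no longer adjacent to the split.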