author | Wiktor Kwapisiewicz <wiktor@metacode.biz> | 2022-10-25 10:16:06 +0200 |
committer | Wiktor Kwapisiewicz <wiktor@metacode.biz> | 2022-12-21 10:50:44 +0100 |
commit | d2e89927ce5ff0ecbd5a2edd0a94d6a81fd731b8 (patch) | |
tree | 3c9125a0f386e421e888b88eea4661f11cff91a1 /openpgp/src/crypto/backend/nettle | |
parent | 026c52cb89ccc7d4ae2016f9a83682199788fb2c (diff) |
openpgp: Change `decrypt` into `decrypt_verify`.
- Some backends want to verify the AEAD block by themselves and need
the tag to be passed in.
- Change two step `decrypt` + `digest` into a one step `decrypt_verify`.
- Old backends are modified to work like they did previously by
utilizing decryption and the digest operation.
- New backends can implement `decrypt_verify` using their respective
cryptographic primitives.
Diffstat (limited to 'openpgp/src/crypto/backend/nettle')
-rw-r--r-- | openpgp/src/crypto/backend/nettle/aead.rs | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/openpgp/src/crypto/backend/nettle/aead.rs b/openpgp/src/crypto/backend/nettle/aead.rs
index e7ae9d85..000d3156 100644
--- a/openpgp/src/crypto/backend/nettle/aead.rs
+++ b/openpgp/src/crypto/backend/nettle/aead.rs
@@ -1,12 +1,21 @@
 //! Implementation of AEAD using Nettle cryptographic library.
 
+use std::cmp::Ordering;
+
 use nettle::{aead, cipher};
 use crate::{Error, Result};
 use crate::crypto::aead::{Aead, CipherOp};
+use crate::crypto::mem::secure_cmp;
 use crate::seal;
 use crate::types::{AEADAlgorithm, SymmetricAlgorithm};
 
+/// Disables authentication checks.
+///
+/// This is DANGEROUS, and is only useful for debugging problems with
+/// malformed AEAD-encrypted messages.
+const DANGER_DISABLE_AUTHENTICATION: bool = false;
+
 impl<T: nettle::aead::Aead> seal::Sealed for T {}
 
 impl<T: nettle::aead::Aead> Aead for T {
     fn update(&mut self, ad: &[u8]) {
@@ -15,8 +24,17 @@ impl<T: nettle::aead::Aead> Aead for T {
     fn encrypt(&mut self, dst: &mut [u8], src: &[u8]) {
         self.encrypt(dst, src)
     }
-    fn decrypt(&mut self, dst: &mut [u8], src: &[u8]) {
-        self.decrypt(dst, src)
+    fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> {
+        self.decrypt(dst, src);
+        let mut chunk_digest = vec![0u8; self.digest_size()];
+
+        self.digest(&mut chunk_digest);
+        if secure_cmp(&chunk_digest[..], digest)
+            != Ordering::Equal && ! DANGER_DISABLE_AUTHENTICATION
+        {
+            return Err(Error::ManipulatedMessage.into());
+        }
+        Ok(())
     }
     fn digest(&mut self, digest: &mut [u8]) {
         self.digest(digest)
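Review bot: On a tag mismatch `decrypt_verify` returns `Err` after `self.decrypt(dst, src)` has already written the unauthenticated plaintext into `dst`, and nothing in the hunk clears it, so a caller that reads `dst` before checking the result sees unverified data. Either wipe the buffer before the early return, e.g. `dst.iter_mut().for_each(|b| *b = 0);` on the line above `return Err(Error::ManipulatedMessage.into());`, or document on the method that `dst` holds undefined contents on `Err` and must be discarded. It is also not visible here whether `secure_cmp` treats a `digest` whose length differs from `chunk_digest` as unequal; if it only compares the common prefix, a truncated tag would pass, so that contract is worth confirming in `crate::crypto::mem`. The `impl<T: nettle::aead::Aead> Aead for T` block this method belongs to is closed outside the hunk.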