authorWiktor Kwapisiewicz <wiktor@metacode.biz>2022-10-25 10:16:06 +0200
committerWiktor Kwapisiewicz <wiktor@metacode.biz>2022-12-21 10:50:44 +0100
commitd2e89927ce5ff0ecbd5a2edd0a94d6a81fd731b8 (patch)
tree3c9125a0f386e421e888b88eea4661f11cff91a1 /openpgp/src/crypto/backend/nettle
parent026c52cb89ccc7d4ae2016f9a83682199788fb2c (diff)
openpgp: Change `decrypt` into `decrypt_verify`.
- Some backends want to verify the AEAD block by themselves and need the tag to be passed in.
- Change the two-step `decrypt` + `digest` into a one-step `decrypt_verify`.
- Old backends are modified to work like they did previously by utilizing decryption and the digest operation.
- New backends can implement `decrypt_verify` using their respective cryptographic primitives.
Diffstat (limited to 'openpgp/src/crypto/backend/nettle')
-rw-r--r--openpgp/src/crypto/backend/nettle/aead.rs22
1 files changed, 20 insertions, 2 deletions
diff --git a/openpgp/src/crypto/backend/nettle/aead.rs b/openpgp/src/crypto/backend/nettle/aead.rs
index e7ae9d85..000d3156 100644
--- a/openpgp/src/crypto/backend/nettle/aead.rs
+++ b/openpgp/src/crypto/backend/nettle/aead.rs
@@ -1,12 +1,21 @@
//! Implementation of AEAD using Nettle cryptographic library.
+use std::cmp::Ordering;
+
use nettle::{aead, cipher};
use crate::{Error, Result};
use crate::crypto::aead::{Aead, CipherOp};
+use crate::crypto::mem::secure_cmp;
use crate::seal;
use crate::types::{AEADAlgorithm, SymmetricAlgorithm};
+/// Disables authentication checks.
+///
+/// This is DANGEROUS, and is only useful for debugging problems with
+/// malformed AEAD-encrypted messages.
+const DANGER_DISABLE_AUTHENTICATION: bool = false;
+
impl<T: nettle::aead::Aead> seal::Sealed for T {}
impl<T: nettle::aead::Aead> Aead for T {
fn update(&mut self, ad: &[u8]) {
@@ -15,8 +24,17 @@ impl<T: nettle::aead::Aead> Aead for T {
fn encrypt(&mut self, dst: &mut [u8], src: &[u8]) {
self.encrypt(dst, src)
}
- fn decrypt(&mut self, dst: &mut [u8], src: &[u8]) {
- self.decrypt(dst, src)
+ fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> {
+ self.decrypt(dst, src);
+ let mut chunk_digest = vec![0u8; self.digest_size()];
+
+ self.digest(&mut chunk_digest);
+ if secure_cmp(&chunk_digest[..], digest)
+ != Ordering::Equal && ! DANGER_DISABLE_AUTHENTICATION
+ {
+ return Err(Error::ManipulatedMessage.into());
+ }
+ Ok(())
}
fn digest(&mut self, digest: &mut [u8]) {
self.digest(digest)
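Review bot: `decrypt_verify` writes the decrypted data into `dst` before the tag is checked, so when it returns `Err(Error::ManipulatedMessage)` the caller's buffer already holds unauthenticated plaintext; that matches the previous `decrypt` + `digest` flow this commit replaces, but the new single-call signature reads as an authenticated operation, so the contract should be spelled out on the method with something like `/// On error, dst has been overwritten with unauthenticated data and must be discarded.` The comparison on the `secure_cmp` line also does not check that `digest` has the expected length; whether `secure_cmp` treats a length mismatch as unequal is not visible in this hunk, so an explicit guard before it, `if digest.len() != chunk_digest.len() { return Err(Error::ManipulatedMessage.into()); }`, would make a truncated tag unambiguously fail. The enclosing `impl` block continues outside the hunk.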