diff options
| author | Justus Winter <justus@sequoia-pgp.org> | 2023-03-02 13:39:50 +0100 |
|---|---|---|
| committer | Justus Winter <justus@sequoia-pgp.org> | 2023-03-02 15:03:12 +0100 |
| commit | 3d2b1e3ae7f555b027113767938bbe5663df74a0 (patch) | |
| tree | de02ffbdd529d7b56d6ba8361dec99be24d6940e /openpgp/src/crypto/backend/openssl | |
| parent | b9d5a76186e2a9380cf3f6f7a96b07b6bdaaaa26 (diff) | |
openpgp: Combine ciphertext and tag in Aead::decrypt_verify.
- It is easier (and cheaper) to tear apart in backends that need
ciphertext and tag to be separate than to combine it for backends
that expect the tag to be appended to the ciphertext.
- The caller doesn't have to do anything, because in OpenPGP on the
wire the tag is already appended to the ciphertext. The one
exception is our current implementation of SKESKv5, but in our
upcoming SKESKv6 implementation, we store the tag appended to the
ciphertext, so it will be easy to use this interface there.
Diffstat (limited to 'openpgp/src/crypto/backend/openssl')
| -rw-r--r-- | openpgp/src/crypto/backend/openssl/aead.rs | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/openpgp/src/crypto/backend/openssl/aead.rs b/openpgp/src/crypto/backend/openssl/aead.rs index 469539c0..cc8735fb 100644 --- a/openpgp/src/crypto/backend/openssl/aead.rs +++ b/openpgp/src/crypto/backend/openssl/aead.rs @@ -25,19 +25,22 @@ impl Aead for OpenSslContext { Ok(()) } - fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> { - // SAFETY: This condition makes the unsafe calls below correct. - if dst.len() != src.len() { - return Err( - Error::InvalidArgument("src and dst need to be of the same length".into()).into(), - ); - } + fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> { + debug_assert!(src.len() >= self.digest_size()); + debug_assert_eq!(dst.len() + self.digest_size(), src.len()); + + // Split src into ciphertext and tag. + let l = self.digest_size(); + let ciphertext = &src[..src.len().saturating_sub(l)]; + let tag = &src[src.len().saturating_sub(l)..]; // SAFETY: Process completely one full chunk. Since `update` // is not being called again with partial block info and the // cipher is finalized afterwards these two calls are safe. - let size = unsafe { self.ctx.cipher_update_unchecked(src, Some(dst))? }; - self.ctx.set_tag(digest)?; + let size = unsafe { + self.ctx.cipher_update_unchecked(ciphertext, Some(dst))? + }; + self.ctx.set_tag(tag)?; unsafe { self.ctx.cipher_final_unchecked(&mut dst[size..])? }; Ok(()) } |