authorJustus Winter <justus@sequoia-pgp.org>2021-09-28 11:34:34 +0200
committerJustus Winter <justus@sequoia-pgp.org>2021-09-28 14:11:08 +0200
commit4742c4d8fd707c5588964dc8c5cf2d455827581e (patch)
tree21feeaa38162a269a3bb8cc33c84057d4e0215fe /openpgp
parenta759d80f4f9ad4b3c6121665458ab6847cb0bd39 (diff)
openpgp: Use the new padding methods in the Nettle backend.
Diffstat (limited to 'openpgp')
-rw-r--r--openpgp/src/crypto/backend/nettle/asymmetric.rs42
-rw-r--r--openpgp/src/crypto/backend/nettle/ecdh.rs9
2 files changed, 16 insertions, 35 deletions
diff --git a/openpgp/src/crypto/backend/nettle/asymmetric.rs b/openpgp/src/crypto/backend/nettle/asymmetric.rs
index fd4df9be..71e9dfe3 100644
--- a/openpgp/src/crypto/backend/nettle/asymmetric.rs
+++ b/openpgp/src/crypto/backend/nettle/asymmetric.rs
@@ -85,17 +85,9 @@ impl Signer for KeyPair {
// zeros to be stripped.
// Padding has to be unconditional; otherwise we have a
// secret-dependent branch.
- let missing = ed25519::ED25519_KEY_SIZE
- .saturating_sub(scalar.value().len());
- let mut sec = [0u8; ed25519::ED25519_KEY_SIZE];
- sec[missing..].copy_from_slice(scalar.value());
-
- let res = ed25519::sign(public, &sec[..], digest, &mut sig);
- unsafe {
- memsec::memzero(sec.as_mut_ptr(),
- ed25519::ED25519_KEY_SIZE);
- }
- res?;
+ let sec = scalar.value_padded(ed25519::ED25519_KEY_SIZE);
+
+ ed25519::sign(public, &sec[..], digest, &mut sig)?;
Ok(mpi::Signature::EdDSA {
r: MPI::new(&sig[..ed25519::ED25519_KEY_SIZE]),
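Review bot: The explicit `memsec::memzero` of the padded secret scalar is dropped from the signing path, so whether `sec` is wiped after `ed25519::sign` now depends entirely on the type that `scalar.value_padded(...)` returns, which this hunk does not show; the same applies to `r` in the ecdh.rs hunk of this commit. If that type is zeroized on drop, say so at the call site, e.g. `// value_padded returns a buffer that is zeroized on drop, replacing the explicit memzero.`; if it is not, the wipe needs to come back. The comment above still requires unconditional padding to avoid a secret-dependent branch, but that constant-time property now lives in the helper rather than in this file, so it is worth pointing there: `// Padding is performed unconditionally inside value_padded; keep it that way.` The enclosing sign method starts and ends outside this hunk.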
@@ -242,6 +234,10 @@ impl<P: key::KeyParts, R: key::KeyRole> Key<P, R> {
{
use crate::crypto::mpi::Signature;
+ fn bad(e: impl ToString) -> anyhow::Error {
+ Error::BadSignature(e.to_string()).into()
+ }
+
let ok = match (self.mpis(), sig) {
(PublicKey::RSA { e, n }, Signature::RSA { s }) => {
let key = rsa::PublicKey::new(n.value(), e.value())?;
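Review bot: The nested helper `bad` added at the top of this hunk carries no comment saying what it is for; it accepts any `ToString` and turns it into `Error::BadSignature`, and judging from the later hunk in this file its only callers wrap the `value_padded` results for the EdDSA `r` and `s` MPIs. A one-line comment would make the intent clear to the next reader, e.g. `// An r or s MPI that does not fit the curve's field size is a bad signature.` The enclosing method begins before and continues after this hunk.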
@@ -279,26 +275,14 @@ impl<P: key::KeyParts, R: key::KeyRole> Key<P, R> {
// We need to zero-pad them at the front, because
// the MPI encoding drops leading zero bytes.
let half = ed25519::ED25519_SIGNATURE_SIZE / 2;
- if r.value().len() < half {
- for _ in 0..half - r.value().len() {
- signature.push(0);
- }
- }
- signature.extend_from_slice(r.value());
- if s.value().len() < half {
- for _ in 0..half - s.value().len() {
- signature.push(0);
- }
- }
- signature.extend_from_slice(s.value());
+ signature.extend_from_slice(
+ &r.value_padded(half).map_err(bad)?);
+ signature.extend_from_slice(
+ &s.value_padded(half).map_err(bad)?);
// Let's see if we got it right.
- if signature.len() != ed25519::ED25519_SIGNATURE_SIZE {
- return Err(Error::MalformedPacket(
- format!(
- "Invalid signature size: {}, r: {:?}, s: {:?}",
- signature.len(), r.value(), s.value())).into());
- }
+ assert_eq!(signature.len(),
+ ed25519::ED25519_SIGNATURE_SIZE);
ed25519::verify(&q.value()[1..], digest, &signature)?
},
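Review bot: The `assert_eq!` on the signature length replaces a recoverable `MalformedPacket` error with a panic, which is only acceptable because `value_padded(half)` must now reject an `r` or `s` longer than `half` (the `map_err(bad)?` on the lines above suggests it does) and so always yields exactly `half` bytes; if it could ever truncate or hand back a longer buffer instead, the assert would become a panic reachable from an untrusted signature packet. Stating that invariant next to the assert would help, e.g. `// value_padded either fails or returns exactly half bytes, so a mismatch here is an internal bug, not malformed input.` The enclosing method continues outside this hunk.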
diff --git a/openpgp/src/crypto/backend/nettle/ecdh.rs b/openpgp/src/crypto/backend/nettle/ecdh.rs
index af1a7220..011ac024 100644
--- a/openpgp/src/crypto/backend/nettle/ecdh.rs
+++ b/openpgp/src/crypto/backend/nettle/ecdh.rs
@@ -138,14 +138,11 @@ pub fn decrypt<R>(recipient: &Key<key::PublicParts, R>,
// zeros to be stripped.
// Padding has to be unconditional; otherwise we have a
// secret-dependent branch.
- //
+ let mut r =
+ scalar.value_padded(curve25519::CURVE25519_SIZE);
+
// Reverse the scalar. See
// https://lists.gnupg.org/pipermail/gnupg-devel/2018-February/033437.html.
- let missing = curve25519::CURVE25519_SIZE
- .saturating_sub(scalar.value().len());
- let mut r = [0u8; curve25519::CURVE25519_SIZE];
-
- r[missing..].copy_from_slice(scalar.value());
r.reverse();
// Compute the shared point S = rV = rvG, where (r, R)