diff options
author | Justus Winter <justus@sequoia-pgp.org> | 2020-05-18 13:06:12 +0200 |
---|---|---|
committer | Justus Winter <justus@sequoia-pgp.org> | 2020-05-28 11:51:33 +0200 |
commit | 47362eed301a4954af94afe84df16ab6eddecf8d (patch) | |
tree | f341bceb44d84b0cf071376f1165537e9ee39cb9 /sop | |
parent | b902ef1bbe7ab1aa0f28554340550fb5cacef73b (diff) |
openpgp: Change PKESK::decrypt to return an Option<_>.
- Returning rich errors from this function may compromise secret key
material due to Bleichenbacher-style attacks. Change the API to
prevent this.
- Hat tip to Hanno Böck.
- See #507.
Diffstat (limited to 'sop')
-rw-r--r-- | sop/src/main.rs | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/sop/src/main.rs b/sop/src/main.rs index f8abce91..5d707b8c 100644 --- a/sop/src/main.rs +++ b/sop/src/main.rs @@ -669,18 +669,18 @@ impl<'a> Helper<'a> { algo: Option<SymmetricAlgorithm>, keypair: &mut dyn crypto::Decryptor, decrypt: &mut D) - -> openpgp::Result<(SymmetricAlgorithm, - SessionKey, - Option<Fingerprint>)> + -> Option<(SymmetricAlgorithm, + SessionKey, + Option<Fingerprint>)> where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()> { let keyid = keypair.public().fingerprint().into(); let (algo, sk) = pkesk.decrypt(keypair, algo) .and_then(|(algo, sk)| { - decrypt(algo, &sk)?; Ok((algo, sk)) + decrypt(algo, &sk).ok()?; Some((algo, sk)) })?; - Ok((algo, sk, self.identities.get(&keyid).map(|fp| fp.clone()))) + Some((algo, sk, self.identities.get(&keyid).map(|fp| fp.clone()))) } /// Dumps the session key. @@ -726,9 +726,10 @@ impl<'a> DecryptionHelper for Helper<'a> { let keyid = pkesk.recipient(); if let Some(key) = self.secret_keys.get(&keyid) { if ! key.secret().is_encrypted() { - if let Ok((algo, sk, fp)) = key.clone().into_keypair() - .and_then(|mut k| - self.try_decrypt(pkesk, algo, &mut k, &mut decrypt)) + if let Some((algo, sk, fp)) = + key.clone().into_keypair().ok().and_then(|mut k| { + self.try_decrypt(pkesk, algo, &mut k, &mut decrypt) + }) { self.dump_session_key(algo, &sk)?; return Ok(fp); @@ -743,9 +744,10 @@ impl<'a> DecryptionHelper for Helper<'a> { for pkesk in pkesks.iter().filter(|p| p.recipient().is_wildcard()) { for key in self.secret_keys.values() { if ! key.secret().is_encrypted() { - if let Ok((algo, sk, fp)) = key.clone().into_keypair() - .and_then(|mut k| - self.try_decrypt(pkesk, algo, &mut k, &mut decrypt)) + if let Some((algo, sk, fp)) = + key.clone().into_keypair().ok().and_then(|mut k| { + self.try_decrypt(pkesk, algo, &mut k, &mut decrypt) + }) { self.dump_session_key(algo, &sk)?; return Ok(fp); |