1 files changed, 20 insertions, 3 deletions

diff --git a/openpgp/src/crypto/backend/cng/aead.rs b/openpgp/src/crypto/backend/cng/aead.rs
index a7b87613..fb95b150 100644
--- a/openpgp/src/crypto/backend/cng/aead.rs
+++ b/openpgp/src/crypto/backend/cng/aead.rs
@@ -1,7 +1,9 @@
 //! Implementation of AEAD using Windows CNG API.
+use std::cmp::Ordering;
 
 use crate::{Error, Result};
 use crate::crypto::aead::{Aead, CipherOp};
+use crate::crypto::mem::secure_cmp;
 use crate::seal;
 use crate::types::{AEADAlgorithm, SymmetricAlgorithm};
 
@@ -10,6 +12,12 @@ use win_crypto_ng::symmetric::{BlockCipherKey, Aes};
 use win_crypto_ng::symmetric::block_cipher::generic_array::{GenericArray, ArrayLength};
 use win_crypto_ng::symmetric::block_cipher::generic_array::typenum::{U128, U192, U256};
 
+/// Disables authentication checks.
+///
+/// This is DANGEROUS, and is only useful for debugging problems with
+/// malformed AEAD-encrypted messages.
+const DANGER_DISABLE_AUTHENTICATION: bool = false;
+
 trait GenericArrayExt<T, N: ArrayLength<T>> {
     const LEN: usize;
 
@@ -94,7 +102,7 @@ macro_rules! impl_aead {
                 dst[..len].copy_from_slice(&src[..len]);
                 EaxOnline::<$type, Encrypt>::encrypt(self, &mut dst[..len])
             }
-            fn decrypt(&mut self, _dst: &mut [u8], _src: &[u8]) {
+            fn decrypt_verify(&mut self, _dst: &mut [u8], _src: &[u8], _digest: &[u8]) -> Result<()> {
                 panic!("AEAD decryption called in the encryption context")
             }
         }
@@ -113,10 +121,19 @@ macro_rules! impl_aead {
             fn encrypt(&mut self, _dst: &mut [u8], _src: &[u8]) {
                 panic!("AEAD encryption called in the decryption context")
             }
-            fn decrypt(&mut self, dst: &mut [u8], src: &[u8]) {
+            fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> {
                 let len = core::cmp::min(dst.len(), src.len());
                 dst[..len].copy_from_slice(&src[..len]);
-                self.decrypt_unauthenticated_hazmat(&mut dst[..len])
+                self.decrypt_unauthenticated_hazmat(&mut dst[..len]);
+                let mut chunk_digest = vec![0u8; self.digest_size()];
+
+                self.digest(&mut chunk_digest)?;
+                if secure_cmp(&chunk_digest[..], digest)
+                    != Ordering::Equal && ! DANGER_DISABLE_AUTHENTICATION
+                {
+                    return Err(Error::ManipulatedMessage.into());
+                }
+                Ok(())
             }
         }
         impl seal::Sealed for EaxOnline<$type, Decrypt> {}