diff options
Diffstat (limited to 'openpgp/src/crypto/backend/rust/aead.rs')
-rw-r--r-- | openpgp/src/crypto/backend/rust/aead.rs | 47 |
1 files changed, 35 insertions, 12 deletions
diff --git a/openpgp/src/crypto/backend/rust/aead.rs b/openpgp/src/crypto/backend/rust/aead.rs index e5fcdb0b..30bbf546 100644 --- a/openpgp/src/crypto/backend/rust/aead.rs +++ b/openpgp/src/crypto/backend/rust/aead.rs @@ -1,6 +1,7 @@ //! Implementation of AEAD using pure Rust cryptographic libraries. use std::cmp; +use std::cmp::Ordering; use cipher::{BlockCipher, NewBlockCipher}; use cipher::block::Block; @@ -10,9 +11,16 @@ use generic_array::{ArrayLength, GenericArray}; use crate::{Error, Result}; use crate::crypto::aead::{Aead, CipherOp}; +use crate::crypto::mem::secure_cmp; use crate::seal; use crate::types::{AEADAlgorithm, SymmetricAlgorithm}; +/// Disables authentication checks. +/// +/// This is DANGEROUS, and is only useful for debugging problems with +/// malformed AEAD-encrypted messages. +const DANGER_DISABLE_AUTHENTICATION: bool = false; + trait GenericArrayExt<T, N: ArrayLength<T>> { const LEN: usize; @@ -37,26 +45,29 @@ where Cipher: BlockCipher<BlockSize = U16> + NewBlockCipher + Clone, Cipher::ParBlocks: ArrayLength<Block<Cipher>>, { - fn update(&mut self, ad: &[u8]) { - self.update_assoc(ad) + fn update(&mut self, ad: &[u8]) -> Result<()> { + self.update_assoc(ad); + Ok(()) } fn digest_size(&self) -> usize { eax::Tag::LEN } - fn digest(&mut self, digest: &mut [u8]) { + fn digest(&mut self, digest: &mut [u8]) -> Result<()> { let tag = self.tag_clone(); digest[..tag.len()].copy_from_slice(&tag[..]); + Ok(()) } - fn encrypt(&mut self, dst: &mut [u8], src: &[u8]) { + fn encrypt(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> { let len = cmp::min(dst.len(), src.len()); dst[..len].copy_from_slice(&src[..len]); - Self::encrypt(self, &mut dst[..len]) + Self::encrypt(self, &mut dst[..len]); + Ok(()) } - fn decrypt(&mut self, _dst: &mut [u8], _src: &[u8]) { + fn decrypt_verify(&mut self, _dst: &mut [u8], _src: &[u8], _valid_digest: &[u8]) -> Result<()> { panic!("AEAD decryption called in the encryption context") } } @@ -66,27 +77,39 @@ where Cipher: BlockCipher<BlockSize = U16> + NewBlockCipher + Clone, Cipher::ParBlocks: ArrayLength<Block<Cipher>>, { - fn update(&mut self, ad: &[u8]) { - self.update_assoc(ad) + fn update(&mut self, ad: &[u8]) -> Result<()> { + self.update_assoc(ad); + Ok(()) } fn digest_size(&self) -> usize { eax::Tag::LEN } - fn digest(&mut self, digest: &mut [u8]) { + fn digest(&mut self, digest: &mut [u8]) -> Result<()> { let tag = self.tag_clone(); digest[..tag.len()].copy_from_slice(&tag[..]); + Ok(()) } - fn encrypt(&mut self, _dst: &mut [u8], _src: &[u8]) { + fn encrypt(&mut self, _dst: &mut [u8], _src: &[u8]) -> Result<()> { panic!("AEAD encryption called in the decryption context") } - fn decrypt(&mut self, dst: &mut [u8], src: &[u8]) { + fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], valid_digest: &[u8]) -> Result<()> { let len = core::cmp::min(dst.len(), src.len()); dst[..len].copy_from_slice(&src[..len]); - self.decrypt_unauthenticated_hazmat(&mut dst[..len]) + self.decrypt_unauthenticated_hazmat(&mut dst[..len]); + + let mut digest = vec![0u8; self.digest_size()]; + + self.digest(&mut digest)?; + if secure_cmp(&digest[..], valid_digest) + != Ordering::Equal && ! DANGER_DISABLE_AUTHENTICATION + { + return Err(Error::ManipulatedMessage.into()); + } + Ok(()) } } |