Age | Commit message | Author

- It is easier (and cheaper) to tear apart in backends that need
ciphertext and tag to be separate than to combine it for backends
that expect the tag to be appended to the ciphertext.
- The caller doesn't have to do anything, because in OpenPGP on the
wire the tag is already appended to the ciphertext. The one
exception is our current implementation of SKESKv5, but in our
upcoming SKESKv6 implementation, we store the tag appended to the
ciphertext, so it will be easy to use this interface there.
- Hand in the additional authenticated data when constructing the
context.
- Combine `encrypt` and `tag` to `encrypt_seal` similarly to how we
previously combined `decrypt_verify`. This better matches AEAD
constructions, and the original interface was mostly informed by
Nettle's relatively low-level interface.
- Previously the AEAD roundtrip test checked supported symmetric
ciphers and AEAD algorithms separately but only certain combinations
of them are valid in some libraries.
- See: https://openpgp-wg.gitlab.io/rfc4880bis/#name-preferred-aead-ciphersuites
- Some backends may want to propagate their internal errors to
the caller.
- Modify all functions to return Results and their clients to
either propagate the error or handle it.
- Some backends want to verify the AEAD block by themselves and need
the tag to be passed in.
- Change two step `decrypt` + `digest` into a one step `decrypt_verify`.
- Old backends are modified to work like they did previously by
utilizing decryption and the digest operation.
- New backends can implement `decrypt_verify` using their respective
cryptographic primitives.
- See #812.
- Rename `iv_size` to `nonce_size`.
- Introduce `iv_size` that forwards to `nonce_size` for compatibility
reasons.
- Change all calls to `iv_size` to `nonce_size`.
- We don't always actually need it, so it is nice to defer creating
it until we do.
- Introduce a trait that schedules nonce and additional
authenticated data for each AEAD chunk.
- Factoring that out allows us to support different schemes, and
decouple memory encryption from the OpenPGP schedules.
- Now that the chunk size is capped, just initialize the scratch
vector.
- The decryptor only decrypts, the encryptor only encrypts. No need
to have that parameter (in fact, having the parameter presents the
opportunity to get it wrong, see the previous commit).
- This only went unnoticed because we only hash and write the
digest, and don't invoke the encrypt method (which would have
panicked). No functional change.
- Use range syntax instead of manual comparisons. This is arguably
better to read.
- Found by clippy::manual_range_contains.
- This adds a cryptographic backend based on the RustCrypto crates.
The backend is marked as experimental, as the RustCrypto crates'
authors state that they have not been audited and may not perform
computations in constant time. Nevertheless, it may be useful in
certain environments, e.g. WebAssembly.
- The backend implements RSA, EdDSA and ECDH over Curve25519, IDEA,
3DES, CAST5, Blowfish, AES, Twofish, EAX, MD5, SHA1, RipeMD160, and
the SHA2 family.
- Notably missing are DSA, ElGamal, and ECDSA and ECDH over the NIST
curves.
- See #333.
- Make sure that chunk sizes are between 64B and 4MiB.
- Fixes a DoS resulting from unconstrained, attacker-controlled heap
allocations.
- Fixes #738.
- https://rust-lang.github.io/rust-clippy/master/index.html#clone_on_copy
- https://rust-lang.github.io/rust-clippy/master/index.html#len_zero
- https://rust-lang.github.io/rust-clippy/master/index.html#comparison_to_empty
- https://rust-lang.github.io/rust-clippy/master/index.html#needless_return
- See #615.
- This way the entire `BufferedReader<C>` will be `Send` and `Sync`.
- Modify all other crates accordingly.
- See #615.
- Declare trait bounds using a where clause. It looks a bit odd if
there is no bound, but not worse than before.
- Use generics and the anonymous lifetime in `assert_send_and_sync!`.
- See #627.
- See #627.
- Fixes #556.
- Seal the Aead trait so it cannot be implemented outside the openpgp
crate.
- This way we can extend the trait without breaking the API
compatibility.
- See #538.
- Use u64 in packet::aed::AED1 and the API.
- Add explicit overflow checks when using chunk sizes as offsets.
- Use the anyhow crate instead of failure to implement the dynamic
side of our error handling. anyhow::Error derefs to dyn
std::error::Error, allowing better interoperability with other
stdlib-based error handling libraries.
- Fixes #444.
- This cleanly avoids creating a linked list of references on the
stack that grows every time we call into_inner.
- Similar to Vec<u8>::truncate(_), this operation is very slow in
debug mode due to the dropping of drained elements. Provide an
optimized version in debug mode.
- Fixes #381.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Parsing the headers of AED packets is not possible without knowing
the AEAD algorithm used due to the fact that the length of the IV
field is dependent on the AEAD algorithm.
- In the case of OCB, the RFC4880bis does not specify an exact
length of the IV, but GnuPG hardcodes it to 15.