path: root/openpgp/src/crypto/backend
Age | Commit message | Author
2023-03-14 | openpgp: Immediately create ProtectedMPIs for secrets. | Justus Winter
    - Avoid creating an MPI first, as this may leak the secrets.
2023-03-08 | openpgp: Add a new backend based on the Botan cryptographic library. | Justus Winter
2023-03-02 | openpgp: Combine ciphertext and tag in Aead::decrypt_verify. | Justus Winter
    - It is easier (and cheaper) to tear apart in backends that need ciphertext and tag to be separate than to combine it for backends that expect the tag to be appended to the ciphertext.
    - The caller doesn't have to do anything, because in OpenPGP on the wire the tag is already appended to the ciphertext. The one exception is our current implementation of SKESKv5, but in our upcoming SKESKv6 implementation, we store the tag appended to the ciphertext, so it will be easy to use this interface there.
2023-03-01 | openpgp: Add support for brainpoolP384r1. | Justus Winter
    - One of the brainpool curves was not included in our enum Curve, because at the time we implemented ECC support, it wasn't part of the RFC4880bis document.
    - Unfortunately, we failed to mark enum Curve as non-exhaustive, so we cannot add a variant without breaking the API.
    - We can, however, support the curve by matching on its OID.
2023-03-01 | openpgp: Fix crash in the CNG backend. | Justus Winter
2023-02-28 | openpgp: Stop secrets leaking into the heap during key generation. | Justus Winter
2023-02-28 | openpgp: Further simplify AEAD abstraction. | Justus Winter
    - Hand in the additional authenticated data when constructing the context.
2023-02-27 | openpgp: Rework the AEAD abstraction. | Justus Winter
    - Combine `encrypt` and `tag` to `encrypt_seal`, similarly to how we previously combined `decrypt_verify`. This better matches AEAD constructions, and the original interface was mostly informed by Nettle's relatively low-level interface.
2023-02-23 | openpgp: Fix nonce size when using OCB with OpenSSL. | Justus Winter
    - Previously, the IV length defaulted to 12.
    - We have to set the IV length before supplying the IV in {de,en}crypt_init. Otherwise, it will be silently truncated.
2023-02-14 | openpgp: Fix hash algorithm detection. | Wiktor Kwapisiewicz
    - Hash algorithm detection previously checked only conversion to Nid.
    - A more thorough check which involves construction of the Hasher object is needed.
    - Adjust the code and add a comment.
    - Fixes https://gitlab.com/sequoia-pgp/sequoia/-/issues/979
2023-01-19 | Fix EC curve detection. | Wiktor Kwapisiewicz
    - Some systems have a smaller set of supported curves, and even though the curve identifiers are compiled in, the usage of the curve fails.
    - Try to construct an `EcGroup` using the retrieved `Nid`, as this is a cheap check that will fail if the curve is truly unsupported.
    - Fixes #976.
2022-12-22 | openpgp: Add OpenSSL cryptographic backend. | Wiktor Kwapisiewicz
    - Adds the backend behind `crypto-openssl` feature.
    - Add CI configuration to run tests with the new backend.
    - See #333.
2022-12-21 | openpgp: Check for supported AEAD ciphersuite in tests. | Wiktor Kwapisiewicz
    - Previously the AEAD roundtrip test checked supported symmetric ciphers and AEAD algorithms separately, but only certain combinations of them are valid in some libraries.
    - See: https://openpgp-wg.gitlab.io/rfc4880bis/#name-preferred-aead-ciphersuites
2022-12-21 | openpgp: Make AEAD interface functions fallible. | Wiktor Kwapisiewicz
    - Some backends may want to propagate their internal errors to the caller.
    - Modify all functions to return Results and their clients to either propagate the error or handle it.
2022-12-21 | openpgp: Change `decrypt` into `decrypt_verify`. | Wiktor Kwapisiewicz
    - Some backends want to verify the AEAD block by themselves and need the tag to be passed in.
    - Change two step `decrypt` + `digest` into a one step `decrypt_verify`.
    - Old backends are modified to work like they did previously by utilizing decryption and the digest operation.
    - New backends can implement `decrypt_verify` using their respective cryptographic primitives.
2022-08-16 | openpgp: Expose `HashAlgorithm::oid()` on all crypto backends. | Wiktor Kwapisiewicz
    - Expose `oid()` function for all cryptographic backends.
    - Fix the description to accurately describe the bytes that are being returned.
    - Add the reference and note to the common use of this function.
    - Add practical example of computing the entire `DigestInfo` structure.
    - Add mention of the change to the NEWS file.
    - Add test case to check if the values match what Nettle is using.
    - Fixes #919.
2022-08-15 | openpgp: Avoid hardcoding EAX for memory encryption. | Justus Winter
    - Previously, we used EAX for memory encryption because it was supported by all cryptographic backends. However, this is problematic for OpenSSL, which doesn't support EAX.
    - Instead, have the backends provide a default algorithm to use that they support.
2022-05-11 | openpgp: Add crypto::backend that identifies the backend. | Justus Winter
    - This returns a short, human-readable description of the cryptographic backend for use in version strings to improve bug reports.
    - Fixes #818.
2022-05-11 | openpgp: Add explicit forwarder for crypto::random. | Justus Winter
    - This harmonizes the docstring across the different backends. Also, it avoids monomorphization of the backend functions.
2022-05-05 | openpgp: Fix ECDH parameter selection on generation and import. | Justus Winter
    - Select an appropriate hash algorithm for the ECDH KDF and an appropriate cipher for the ECDH KEK depending on the curve. Harmonize that for import and generation.
    - Fixes #841.
2022-02-15 | openpgp: Fallible conversion to GenericArray references. | Justus Winter
    - The former commit fixes a crash that should never have happened: with a fallible conversion to GenericArrays, the error can be handled at runtime.
    - Unfortunately, the upstream crate does not offer a convenient fallible conversion. Implement and use it.
2022-02-15 | openpgp: Fix crash converting nonce slices to arrays. | Justus Winter
    - Doing the conversion before matching on the algorithm tries to convert nonces of different sizes to an array suitable for EAX, leading to a panic.
2021-12-13 | openpgp: Ensure rand:0.7 for rust-crypto. | Nora Widdecke
    - ed25519-dalek requires rand:0.7 types, so make sure they are used, and not the ones from rand:0.8.
2021-12-02 | openpgp: Use unused-must-use. | Nora Widdecke
    - Rustc 1.57.0 complains that the returned Protected value is never used.
      let _ = Protected::from(Sy);
      Does the trick while keeping the original intention.
2021-11-29 | openpgp: Clearly return the Error. | Nora Widdecke
    - It's clearer to cast the error with .into() instead of ?.
    - Found by clippy::try_err.
2021-11-29 | Remove needless borrows. | Nora Widdecke
    - Found by clippy::needless_borrow.
2021-11-29 | Allow many single character names. | Nora Widdecke
    - The RSA parameters have single character names, this is fine.
    - Clippy lint: clippy::many_single_char_names.
2021-11-29 | Remove unnecessary conversions. | Nora Widdecke
    - Found with clippy::useless_conversion.
2021-11-29 | Remove unnecessary borrows. | Nora Widdecke
    - Fixed with the help of clippy::needless_borrow.
2021-11-25 | openpgp: Remove unnecessary references. | Nora Widdecke
2021-11-18 | openpgp: Use a WASM-friendly SystemTime::now wrapper. | Justus Winter
    - Fixes #769.
2021-10-05 | openpgp: Fix crash in the CNG backend. | Justus Winter
2021-10-05 | openpgp: Implement ECDH and ECDSA over NistP256 with RustCrypto. | Justus Winter
2021-10-05 | openpgp: Add a RustCrypto backend. | Nikhil Benesch
    - This adds a cryptographic backend based on the RustCrypto crates. The backend is marked as experimental, as the RustCrypto crates' authors state that they have not been audited and may not perform computations in constant time. Nevertheless, it may be useful in certain environments, e.g. WebAssembly.
    - The backend implements RSA, EdDSA and ECDH over Curve25519, IDEA, 3DES, CAST5, Blowfish, AES, Twofish, EAX, MD5, SHA1, RipeMD160, and the SHA2 family.
    - Notably missing are DSA, ElGamal, and ECDSA and ECDH over the NIST curves.
    - See #333.
2021-09-30 | openpgp: Use new padding methods in the CNG backend. | Justus Winter
2021-09-30 | openpgp: Simplify code. | Justus Winter
    - r is a mem::Protected, no need to explicitly clean it up.
2021-09-30 | Allow short single-character argument and variable names | Lars Wirzenius
    Generally speaking, single-character names are not great for the person reading the code later. They don't usually act as a cognitive aid to understand the code. However, in code implementing cryptographic operations that implements mathematical formulas that canonically use single-letter names, it's clearer to use the same name in the code. Thus, I only tell clippy those names are OK in these cases.
    Found by clippy lint many_single_char_names: https://rust-lang.github.io/rust-clippy/master/index.html#many_single_char_names
2021-09-30 | Allow ::new to not return Self | Lars Wirzenius
    It is Rust custom that the new method for a type returns an instance of that type. However, sometimes that's not wanted. Tell clippy that these cases are OK. I opted to not do this globally, because that would prevent clippy from catching future cases.
    Found by clippy warning new_ret_no_self: https://rust-lang.github.io/rust-clippy/master/index.html#new_ret_no_self
2021-09-29 | openpgp: Pad the DSA public key to the size of the modulus. | Justus Winter
    - Works around a crash in the CNG bindings.
    - See https://github.com/emgre/win-crypto-ng/issues/39.
2021-09-29 | openpgp: Use new padding methods in the CNG backend. | Justus Winter
    - This makes the code more succinct and also more robust (consider for example that `field_sz - r.value().len()` may underflow).
2021-09-29 | openpgp: Avoid secret-dependent time difference. | Justus Winter
    - Using ProtectedMPI::value_padded avoids this cleanly.
    - Fixes #716.
2021-09-29 | openpgp: Use the new padding methods in the CNG backend. | Justus Winter
2021-09-28 | openpgp: Use the new padding methods in the Nettle backend. | Justus Winter
2021-09-21 | Avoid matching on &Foo, when a plain Foo pattern works | Lars Wirzenius
    The extra & in a pattern (match arm or if let) is unnecessary and only makes the code harder to read. In most places it's enough to just remove the & from the pattern, but in a few places a dereference (*) needs to be added where the value captured in the pattern is used, as removing the & changes the type of the captured value to be a reference. Overall, the changes are almost mechanical. Although the diff is huge, it should be easy to read.
    The clippy lint match_ref_pats warns about this. See: https://rust-lang.github.io/rust-clippy/master/index.html#match_ref_pats
2021-09-16 | openpgp: Make list of supported algorithms backend-dependent. | Justus Winter
2021-09-16 | openpgp: Fix documentation. | Justus Winter
2021-09-15 | openpgp: Avoid creating unused borrows. | Justus Winter
2021-09-08 | openpgp: Don't assume that we only use Ed25519 for EdDSA. | Justus Winter
2021-09-08 | openpgp: Avoid magic constant. | Justus Winter
2021-09-08 | openpgp: Avoid catchall. | Justus Winter