- Most of the logic in this function is the same across backends.
- Introduce `Key4::derive_cv25519_public_key` that does
backend-specific derivation.
- Fixes https://gitlab.com/sequoia-pgp/sequoia/-/issues/958
- Remove development remnants, actually use the creation time when
importing RSA keys.
- OpenSSL can be compiled with no support for CAST5.
- This will be indicated by setting the `osslconf` variable to
`OPENSSL_NO_CAST`.
- See https://github.com/sfackler/rust-openssl/pull/1786
- Avoid creating an MPI first, as this may leak the secrets.
- Track the length of the plaintext data. This makes it possible to
use unchunked AEAD and decrypt the data without copying it into a
growing vector. Also, avoid io::copy, as this leaks secrets into
its buffer.
- It is easier (and cheaper) to tear apart in backends that need
ciphertext and tag to be separate than to combine it for backends
that expect the tag to be appended to the ciphertext.
- The caller doesn't have to do anything, because in OpenPGP on the
wire the tag is already appended to the ciphertext. The one
exception is our current implementation of SKESKv5, but in our
upcoming SKESKv6 implementation, we store the tag appended to the
ciphertext, so it will be easy to use this interface there.
- One of the brainpool curves was not included in our enum Curve,
because at the time we implemented ECC support, it wasn't part of
the RFC4880bis document.
- Unfortunately, we failed to mark enum Curve as non-exhaustive, so
we cannot add a variant without breaking the API.
- We can, however, support the curve by matching on its OID.
- Hand in the additional authenticated data when constructing the
context.
- Combine `encrypt` and `tag` to `encrypt_seal`, similarly to how we
previously combined `decrypt_verify`. This better matches AEAD
constructions, and the original interface was mostly informed by
Nettle's relatively low-level interface.
- Previously, the IV length defaulted to 12.
- We have to set the IV length before supplying the
IV in {de,en}crypt_init. Otherwise, it will be silently
truncated.
- This is useful for debugging, fuzzing, and benchmarking.
- Hash algorithm detection previously checked only conversion to Nid.
- More thorough check which involves construction of the Hasher object
is needed.
- Adjust the code and add a comment.
- Fixes https://gitlab.com/sequoia-pgp/sequoia/-/issues/979
- Some systems have a smaller set of supported curves, and even though the
curve identifiers are compiled in, the usage of the curve fails.
- Try to construct an `EcGroup` using retrieved `Nid` as this is a cheap
check that will fail if the curve is truly unsupported.
- Fixes #976.
- This way, only the leaf package has to concern itself with the
selection of a cryptographic backend for Sequoia. Notably, we
don't have to repeat all of sequoia-openpgp's features in all
crates that use sequoia-openpgp.
- Enable the new feature resolver which allows for this method.
- A complication arises because we want to make `cargo test` work by
default for the intermediate crates without developers having to
select a cryptographic backend. To make that work, we implicitly
select a backend in the dev dependencies which are enabled when
compiling the tests. To make it even more convenient, we select
the most convenient backend, which is CNG for Windows and Nettle,
our default, for every other platform.
- Now that we have implicitly selected CNG on Windows for running
the tests, when the user wants to use Nettle on Windows, and does
`cargo test --features sequoia-openpgp/crypto-nettle`, then two
backends are selected: the implicitly selected CNG and the
explicitly selected Nettle. In this case, we detect that an
implicit selection has been made, and ignore the implicitly
selected backend. Now, this has already been compiled by
cargo (remember that we cannot influence the set of dependencies
at the time the build script is run), but we can still ignore the
implicit backend using conditional compilation (i.e. it will not
be included in the resulting binary). The same happens on
non-Windows platforms where Nettle is the implicit default for
tests when the user explicitly requests a different backend. In
both cases, Nettle and CNG are slim wrappers around native
libraries, so the wasted compilation time is low.
- Adds the backend behind `crypto-openssl` feature.
- Add CI configuration to run tests with the new backend.
- See #333.
- Previously the AEAD roundtrip test checked supported symmetric
ciphers and AEAD algorithms separately but only certain combinations
of them are valid in some libraries.
- See: https://openpgp-wg.gitlab.io/rfc4880bis/#name-preferred-aead-ciphersuites
- Some backends may want to propagate their internal errors to
the caller.
- Modify all functions to return Results and their clients to
either propagate the error or handle it.
- Some backends want to verify the AEAD block by themselves and need
the tag to be passed in.
- Change two step `decrypt` + `digest` into a one step `decrypt_verify`.
- Old backends are modified to work like they did previously by
utilizing decryption and the digest operation.
- New backends can implement `decrypt_verify` using their respective
cryptographic primitives.
- RFC 4880 explicitly allows the use of v3 signatures, but adds:
> Implementations SHOULD accept V3 signatures. Implementations
> SHOULD generate V4 signatures.
- In practice, rpm-based distributions are generating v3 signatures,
and it will be a while before we can actually stop supporting them.
https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c20
- Add support for parsing, verifying, and serializing v3
signatures (but not v3 certificates, and not generating v3
signatures!).
- Appeases the compiler that now complains about the unused result.
- Expose `oid()` function for all cryptographic backends.
- Fix the description to accurately describe the bytes that are being
returned.
- Add the reference and note to the common use of this function.
- Add practical example of computing the entire `DigestInfo`
structure.
- Add mention of the change to the NEWS file.
- Add test case to check if the values match what Nettle is using.
- Fixes #919.
- Previously, we used EAX for memory encryption because it was
supported by all cryptographic backends. However, this is
problematic for OpenSSL, which doesn't support EAX.
- Instead, have the backends provide a default algorithm to use
that they support.
- This is the AES Key Wrap algorithm described in RFC 3394. It is
used in OpenPGP's ECDH, but has uses besides that (for example,
the gpg-agent uses it to wrap keys in transit).
- See #812.
- Rename `iv_size` to `nonce_size`.
- Introduce `iv_size` that forwards to `nonce_size` for compatibility
reasons.
- Change all calls to `iv_size` to `nonce_size`.
- This returns a short, human-readable description of the
cryptographic backend for use in version strings to improve bug
reports.
- Fixes #818.
- This harmonizes the docstring across the different backends.
Also, it avoids monomorphization of the backend functions.
- Select an appropriate hash algorithm for the ECDH KDF and an
appropriate cipher for the ECDH KEK depending on the curve.
Harmonize that for import and generation.
- Fixes #841.
- Previously, there were two issues:
  - There is an implicit policy that constrains the symmetric
    algorithm to AES. RFC6637 doesn't forbid other ciphers, so
    arguably this should be made explicit and moved to the standard
    policy. Only using AES seems to be a sane default choice and will
    not impede interoperability in practice (notably, GnuPG constrains
    to AES as well).
  - We constrain hashes only based on their output length, and are
    hence willing to use dubious combinations like (AES128, MD5).
- Constrain the parameters in StandardPolicy::key. Mention this in
the documentation.
- Fixes #839.
- We don't always actually need it, so it is nice to defer creating
it until we do.
- Add missing NEWS entry, drop documentation comments from trait
implementation.
- Fixes de8fab8d1b74fa87d3c20d7a2b9e49aea929e6ea.
- The former commit fixes a crash that should never have happened:
with a fallible conversion to GenericArrays, the error can be
handled at runtime.
- Unfortunately, the upstream crate does not offer a convenient
fallible conversion. Implement and use it.
- Doing the conversion before matching on the algorithm tries to
convert nonces of different sizes to an array suitable for EAX,
leading to a panic.
- Previously, we used the same session key for every encrypted
memory region, relying on the nonces being derived from a random
initialization vector.
- However, in cf2a472a34588c453f10efa0263ec51e0c860988 we changed
the nonce to be a simple counter. This leads to reuse of (key,
nonce) pairs.
- Instead of relying on the nonces having some entropy, a more
robust way to deal with this is to have distinct keys. To that
end, add a random salt to each memory region that we hash before
hashing the prekey.
- Use a custom schedule, which is a simple counter nonce, no AAD
except for the final chunk which digests the plaintext size.
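An added Go sketch, not Sequoia's implementation, of the design in the two preceding commits: a per-region key derived from a random salt and the prekey, a counter-nonce chunk schedule, and the plaintext size as AAD on the final chunk only. AES-256-GCM as the AEAD, SHA-256 for the key derivation, the 4096-byte chunk size and the caller-supplied random salt are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
const chunkSize = 4096 // chunk length chosen for this example
// regionAEAD derives the region key as SHA-256(salt || prekey); a fresh random
// salt per region is what keeps the counter nonces from repeating under one key.
func regionAEAD(prekey, salt []byte) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, salt...), prekey...))
	blk, _ := aes.NewCipher(key[:]) // AES-256-GCM stands in for the backend's
	aead, _ := cipher.NewGCM(blk)   // AEAD; neither call fails for a 32-byte key
	return aead
}
// be64 encodes v big-endian into the last 8 bytes of an n-byte nonce or AAD.
func be64(v uint64, n int) []byte { b := make([]byte, n); binary.BigEndian.PutUint64(b[n-8:], v); return b }
// Seal: nonce = chunk counter, no AAD except the total plaintext size on the final chunk.
func Seal(prekey, salt, plaintext []byte) [][]byte {
	aead, size := regionAEAD(prekey, salt), uint64(len(plaintext))
	var chunks [][]byte
	for i, rest := 0, plaintext; ; i, rest = i+1, rest[chunkSize:] {
		if len(rest) <= chunkSize { // final chunk: bind the size
			return append(chunks, aead.Seal(nil, be64(uint64(i), 12), rest, be64(size, 8)))
		}
		chunks = append(chunks, aead.Seal(nil, be64(uint64(i), 12), rest[:chunkSize], nil))
	}
}
// Open rejects modified, reordered or dropped chunks; after a truncation to
// whole chunks the new last chunk fails, as it was sealed without the size AAD.
func Open(prekey, salt []byte, size uint64, chunks [][]byte) ([]byte, error) {
	if len(chunks) == 0 {
		return nil, errors.New("region has no final chunk")
	}
	aead, out := regionAEAD(prekey, salt), make([]byte, 0, size)
	for i, c := range chunks {
		var aad []byte
		if i == len(chunks)-1 {
			aad = be64(size, 8)
		}
		pt, err := aead.Open(nil, be64(uint64(i), 12), c, aad)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}
```

Two regions sealed under the same prekey but different salts encrypt identical plaintext to different ciphertext even though both start their nonces at 0, which is exactly the (key, nonce) collision the salt is there to prevent.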