| Age | Commit message (Collapse) | Author |
|---|
|
- Avoid creating an MPI first, as this may leak the secrets.
|
|
|
|
|
|
- Not only was the heap allocation superfluous, it also leaked
secrets into the heap.
|
|
|
|
|
|
|
|
- Previously, NotAsFarAsWeKnow was interpreted as identifier making
the if let binding irrefutable.
- Fixes 7afee60b7cf0f19559bfccd8c42fdc77f6b9c655.
|
|
|
|
|
|
- Track the length of the plaintext data. This makes it possible to
use unchunked AEAD and decrypt the data without copying it into a
growing vector. Also, avoid io::copy, as this leaks secrets into
its buffer.
|
|
|
|
- When parsing secrets using the BufferedReader protocol, they may
leak into buffers of the readers in the BufferedReader stack.
This is is most problematic when parsing SecretKeyMaterial.
- Deprecate SecretKeyMaterial::parse* in favor of variants that
operate on bytes. Then, we can use the memory-backed
BufferedReader which does not introduce additional buffering (and
neither does the Dub reader used in the PackedHeaderParser).
|
|
|
|
- The PacketHeaderParser returns erased BufferedReaders anyway, so
we might as well do it early. This avoids any accidental
specialization and hence code duplication.
|
|
|
|
- It is easier (and cheaper) to tear apart in backends that need
ciphertext and tag to be separate than to combine it for backends
that expect the tag to be appended to the ciphertext.
- The caller doesn't have to do anything, because in OpenPGP on the
wire the tag is already appended to the ciphertext. The one
exception is our current implementation of SKESKv5, but in our
upcoming SKESKv6 implementation, we store the tag appended to the
ciphertext, so it will be easy to use this interface there.
|
|
- One of the brainpool curves was not included in our enum Curve,
because at the time we implemented ECC support, it wasn't part of
the RFC4880bis document.
- Unfortunately, we failed to mark enum Curve as non-exhaustive, so
we cannot add a variant without breaking the API.
- We can, however, support the curve by matching on its OID.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- Hand in the additional authenticated data when constructing the
context.
|
|
- Combine `encrypt` and `tag` to `encrypt_seal` similarly to we
previously combined `decrypt_verify`. This better matches AEAD
constructions, and the original interface was mostly informed by
Nettle's relatively low-level interface.
|
|
|
|
|
|
- Previously, the IV length defaulted to 12.
- We have to set the IV length before supplying the
IV in {de,en}crypt_init. Otherwise, it will be silently
truncated.
|
|
- This is useful for debugging, fuzzing, andn benchmarking.
|
|
|
|
|
|
- The OpenSSL backend supports OCB, so we should test it!
|
|
|
|
- Previously, we checked that the subpacket area fits a v4 signature
when parsing. However, the subpacket area size depends on the
packet version, and our SubpacketArea is independent of the
signature version.
- The size will be checked when serializing the signatures. It is
not useful to check them when parsing the signatures.
|
|
- Hash algorithm detection previously checked only conversion to Nid.
- More thorough check which involves construction of the Hasher object
is needed.
- Adjust the code and add a comment.
- Fixes https://gitlab.com/sequoia-pgp/sequoia/-/issues/979
|
|
|
|
|
|
Reported by: kpcyrd.
|
|
- When `RawCertParser::next` encounters EOF while reading the packet
body, stop processing the input.
|
|
- For each packet type, add a private function
`from_buffered_reader`.
- Implement `Parse::from_reader` and `Parse::from_bytes` in terms of
`from_buffered_reader`. For `Parse::from_bytes`, this means that
we can wrap the input in a `buffered_reader::Memory`, which is
much faster than a `buffered_reader::Generic`, which we use now.
- Note: `PacketParserBuilder` and by extension `Cert` already
implement this optimimzation.
|
|
- Fixes #3e188fb312ad4db1395f5e836bffaf2034b88a42.
|
|
|
|
- Some systems have smaller set of supported curves and even though the
curve identifiers are compiled in the usage of the curve fails.
- Try to construct an `EcGroup` using retrieved `Nid` as this is a cheap
check that will fail if the curve is truly unsupported.
- Fixes #976.
|
|
- The main reason to use a `RawCertParser` is to avoid having to
parse certificates that are definitely not needed in the current
context.
- Add some convenient accessor functions to `RawCert`:
`RawCert::primary_key`, `RawCert::keys`, `RawCert::subkeys`, and
`RawCert::UserID` to make this easier.
|
|
- Add `RawCertParser`, which splits keyrings into individual
certificates, similar to `CertParser`, but without invoking the
heavy machinery of the `CertParser`.
- `RawCertParser` uses the OpenPGP framing information to identify
the packets, and it makes sure that the packets form a valid TPK or
TSK as per Sections 11.1 and 11.2 of RFC 4880, respectively.
|
|
- When a packet source returns an error to `CertParser::next`, don't
assume that that means EOF. Subsequent calls may still return
packets.
|
|
- When `CertParser::next` is called and there is a queued error,
return it immediately; don't wait for an EOF.
|
|
- When `CertParser::next` encounters an error reading the next
packet, and then encounters an error creating the queued
certificate, queue the second error, and return the first one.
|
|
- If the `PacketParser` encounters junk (i.e., corruption) and is
able to find a valid packet within `RECOVERY_THRESHOLD` bytes of the
end of the last valid packet, it recovers by converting the junk to
an `Unknown` packet, and continuing to parse.
- Extend this recovery mechanism to junk at the end of the file. If
the `PacketParser` encounters up to `RECOVERY_THRESHOLD` bytes of
junk at the end of the file, convert that data into an `Unknown`
packet instead of immediately returning an error.
- By returning an `Unknown` packet instead of an error, we also
return the last buffered packet, which was otherwise lost.
- When converting `RECOVERY_THRESHOLD` bytes of junk into an
`Unknown` packet, queue an error (in `PacketParserState`) so that
the next call to `PacketParser::next` will not continue trying to
parse the input, but return an unrecoverable error.
- Fixes #967.
|
