From e5d72b7c92d5af171855c8267c57f5e33ff6cc2e Mon Sep 17 00:00:00 2001
From: Justus Winter
Date: Wed, 12 Feb 2020 12:02:16 +0100
Subject: openpgp: Add optional plaintext length to Decryptor::decrypt.
- If we know the length of the plaintext, we can reduce the side-channel leakage of the RSA decryption operation.
---
openpgp/src/crypto/asymmetric.rs | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
(limited to 'openpgp/src/crypto/asymmetric.rs')
diff --git a/openpgp/src/crypto/asymmetric.rs b/openpgp/src/crypto/asymmetric.rs
index f73c83ec..555132d6 100644
--- a/openpgp/src/crypto/asymmetric.rs
+++ b/openpgp/src/crypto/asymmetric.rs
@@ -47,7 +47,8 @@ pub trait Decryptor {
fn public(&self) -> &Key;
/// Decrypts `ciphertext`, returning the plain session key.
- fn decrypt(&mut self, ciphertext: &mpis::Ciphertext)
+ fn decrypt(&mut self, ciphertext: &mpis::Ciphertext,
+ plaintext_len: Option)
-> Result;
}
@@ -222,7 +223,8 @@ impl Decryptor for KeyPair {
}
/// Creates a signature over the `digest` produced by `hash_algo`.
- fn decrypt(&mut self, ciphertext: &mpis::Ciphertext)
+ fn decrypt(&mut self, ciphertext: &mpis::Ciphertext,
+ plaintext_len: Option)
-> Result
{
use crate::PublicKeyAlgorithm::*;
@@ -238,9 +240,16 @@ impl Decryptor for KeyPair {
let secret = rsa::PrivateKey::new(d.value(), p.value(), q.value(), Option::None)?;
let mut rand = Yarrow::default();
- rsa::decrypt_pkcs1_insecure(&public, &secret, &mut rand,
- c.value())?
+ if let Some(l) = plaintext_len {
+ let mut plaintext: SessionKey = vec![0; l].into();
+ rsa::decrypt_pkcs1(&public, &secret, &mut rand,
+ c.value(), plaintext.as_mut())?;
+ plaintext
+ } else {
+ rsa::decrypt_pkcs1_insecure(&public, &secret,
+ &mut rand, c.value())?
.into()
+ }
}
(PublicKey::Elgamal{ .. },
--
cgit v1.2.3
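Review bot: The trait doc comment on `Decryptor::decrypt` still reads `/// Decrypts `ciphertext`, returning the plain session key.` and says nothing about the new `plaintext_len` parameter, although the choice between the two RSA code paths hinges on it. Callers can only pick the hardened path if the docs tell them that `None` is the fallback with more side-channel leakage, so I would add a paragraph along the lines of `/// If plaintext_len is Some(n), the caller asserts that the plaintext is exactly n bytes long, which lets the implementation use an RSA decryption routine with reduced side-channel leakage; with None the implementation falls back to a routine that may leak more.` The type arguments of `Option` and `Result` appear stripped in this rendering, presumably an extraction artefact rather than a change in the patch.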
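Review bot: The doc comment immediately above the changed signature in the `impl Decryptor for KeyPair` hunk, `/// Creates a signature over the `digest` produced by `hash_algo`.`, describes a signing method, not `decrypt`; it looks copy-pasted and is now misleading next to the new parameter. Since the commit already touches the line below it, I would replace it with the trait's wording, `/// Decrypts `ciphertext`, returning the plain session key.`, plus a sentence stating that a `Some` `plaintext_len` selects `rsa::decrypt_pkcs1` and `None` selects `rsa::decrypt_pkcs1_insecure`. The method body continues past the end of this hunk.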
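Review bot: In the third hunk `plaintext_len` is used unchecked to size the output buffer (`vec![0; l]`) handed to `rsa::decrypt_pkcs1`; nothing here rejects `l == 0` or an `l` larger than the RSA modulus, so behaviour on a wrong length depends entirely on how `rsa::decrypt_pkcs1` treats a mismatched buffer, which is not visible in this diff. I would add a why-comment such as `// A fixed-size output buffer is what lets decrypt_pkcs1 avoid leaking padding validity through timing; a wrong length must be a hard error, never a fallback to the insecure path.` and a guard comparing `l` against the modulus length (the `n` MPI is bound by the enclosing match arm, which begins above this hunk). The `else` branch keeps `rsa::decrypt_pkcs1_insecure`, so the hardening is opt-in per caller and should be documented as such at the call sites that can know the length. If `rsa::decrypt_pkcs1` reports bad padding as an error, the `?` still surfaces it as a distinguishable `Err`, so callers must avoid exposing that distinction to whoever supplied the ciphertext. The enclosing `decrypt` body starts and ends outside the hunk.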