From 4742c4d8fd707c5588964dc8c5cf2d455827581e Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Tue, 28 Sep 2021 11:34:34 +0200 Subject: openpgp: Use the new padding methods in the Nettle backend.
---
openpgp/src/crypto/backend/nettle/asymmetric.rs | 42 ++++++++-----------------
openpgp/src/crypto/backend/nettle/ecdh.rs | 9 ++----
2 files changed, 16 insertions(+), 35 deletions(-)
(limited to 'openpgp')
diff --git a/openpgp/src/crypto/backend/nettle/asymmetric.rs b/openpgp/src/crypto/backend/nettle/asymmetric.rs
index fd4df9be..71e9dfe3 100644
--- a/openpgp/src/crypto/backend/nettle/asymmetric.rs
+++ b/openpgp/src/crypto/backend/nettle/asymmetric.rs
@@ -85,17 +85,9 @@ impl Signer for KeyPair {
 // zeros to be stripped.
 // Padding has to be unconditional; otherwise we have a
 // secret-dependent branch.
- let missing = ed25519::ED25519_KEY_SIZE .saturating_sub(scalar.value().len());
- let mut sec = [0u8; ed25519::ED25519_KEY_SIZE];
- sec[missing..].copy_from_slice(scalar.value());
-
- let res = ed25519::sign(public, &sec[..], digest, &mut sig);
- unsafe {
- memsec::memzero(sec.as_mut_ptr(), ed25519::ED25519_KEY_SIZE);
- }
- res?;
+ let sec = scalar.value_padded(ed25519::ED25519_KEY_SIZE);
+
+ ed25519::sign(public, &sec[..], digest, &mut sig)?;
 Ok(mpi::Signature::EdDSA {
 r: MPI::new(&sig[..ed25519::ED25519_KEY_SIZE]),
@@ -242,6 +234,10 @@ impl Key {
 {
 use crate::crypto::mpi::Signature;
+ fn bad(e: impl ToString) -> anyhow::Error {
+ Error::BadSignature(e.to_string()).into()
+ }
+
 let ok = match (self.mpis(), sig) {
 (PublicKey::RSA { e, n }, Signature::RSA { s }) => {
 let key = rsa::PublicKey::new(n.value(), e.value())?;
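Review bot: The explicit `memsec::memzero` of the padded secret scalar is dropped, so scrubbing `sec` now depends entirely on whatever `value_padded` returns; that type is not visible in this hunk (the secret-key call takes no `?`, unlike the public-MPI call in the verify path, which suggests a different return type), so confirm it is a zeroize-on-drop buffer rather than a plain Vec or borrowed Cow, otherwise the padded private key outlives the sign call unscrubbed. The same trust is placed in the helper padding unconditionally, as the comment just above requires, and in its behaviour when the stored scalar is longer than ED25519_KEY_SIZE, which the removed `copy_from_slice` would have turned into a panic. A one-line note at the call site would make the assumption durable: `// value_padded() must pad unconditionally (no length-dependent branch) and return a zeroizing buffer; the old explicit memzero was removed on that basis.` The enclosing sign method starts and ends outside the hunk.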
@@ -279,26 +275,14 @@ impl Key {
 // We need to zero-pad them at the front, because
 // the MPI encoding drops leading zero bytes.
 let half = ed25519::ED25519_SIGNATURE_SIZE / 2;
- if r.value().len() < half {
- for _ in 0..half - r.value().len() {
- signature.push(0);
- }
- }
- signature.extend_from_slice(r.value());
- if s.value().len() < half {
- for _ in 0..half - s.value().len() {
- signature.push(0);
- }
- }
- signature.extend_from_slice(s.value());
+ signature.extend_from_slice( &r.value_padded(half).map_err(bad)?);
+ signature.extend_from_slice( &s.value_padded(half).map_err(bad)?);
 // Let's see if we got it right.
- if signature.len() != ed25519::ED25519_SIGNATURE_SIZE {
- return Err(Error::MalformedPacket( format!( "Invalid signature size: {}, r: {:?}, s: {:?}", signature.len(), r.value(), s.value())).into());
- }
+ assert_eq!(signature.len(), ed25519::ED25519_SIGNATURE_SIZE);
 ed25519::verify(&q.value()[1..], digest, &signature)?
 },
diff --git a/openpgp/src/crypto/backend/nettle/ecdh.rs b/openpgp/src/crypto/backend/nettle/ecdh.rs
index af1a7220..011ac024 100644
--- a/openpgp/src/crypto/backend/nettle/ecdh.rs
+++ b/openpgp/src/crypto/backend/nettle/ecdh.rs
@@ -138,14 +138,11 @@ pub fn decrypt(recipient: &Key,
 // zeros to be stripped.
 // Padding has to be unconditional; otherwise we have a
 // secret-dependent branch.
- //
+ let mut r = scalar.value_padded(curve25519::CURVE25519_SIZE);
+
 // Reverse the scalar. See
 // https://lists.gnupg.org/pipermail/gnupg-devel/2018-February/033437.html.
- let missing = curve25519::CURVE25519_SIZE .saturating_sub(scalar.value().len());
- let mut r = [0u8; curve25519::CURVE25519_SIZE];
-
- r[missing..].copy_from_slice(scalar.value());
 r.reverse();
 // Compute the shared point S = rV = rvG, where (r, R)
-- cgit v1.2.3
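Review bot: `assert_eq!(signature.len(), ed25519::ED25519_SIGNATURE_SIZE)` now sits on a path that consumes attacker-supplied r and s, replacing the old recoverable `MalformedPacket` return, and it is only safe if `value_padded(half)` guarantees exactly `half` bytes or an Err (it returns a Result here, so an over-long MPI presumably errors out via `bad`). If the helper can ever yield fewer or more bytes than requested, a crafted signature becomes a panic instead of BadSignature. Unless that contract is documented on `value_padded`, keep the check recoverable: `if signature.len() != ed25519::ED25519_SIGNATURE_SIZE { return Err(bad("invalid signature size")); }`. Separately, the unchanged `&q.value()[1..]` panics if Q is empty, which seems reachable from a malformed key; a length check before slicing would fit this path's error handling. The enclosing verify method begins before this hunk.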
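Review bot: `r` holds the padded private scalar and is reversed in place, so it should live in a buffer that is scrubbed on drop; `value_padded` is not visible here and the hunk only shows that its result is mutable, so confirm it returns a zeroize-on-drop buffer rather than a plain Vec (the removed stack array was not scrubbed either, so this is an opportunity rather than a regression). Also confirm what the helper does with a scalar longer than CURVE25519_SIZE, which the removed `copy_from_slice` would have turned into a panic on a malformed secret key, since the comment above promises no secret-dependent branch. A short note would make the intent explicit: `// value_padded() pads unconditionally (no secret-dependent branch) and returns a zeroizing buffer; r is the private scalar.` The enclosing decrypt function continues past the hunk.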