openpgp: Add optional cipher argument to PKESK3::decrypt.

parent e5d72b7c
......@@ -139,7 +139,7 @@ fn main() {
# // The secret key is not encrypted.
# let mut pair = key.mark_parts_secret().unwrap().into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair)
# pkesks[0].decrypt(&mut pair, None)
# .and_then(|(algo, session_key)| decrypt(algo, &session_key))
# .map(|_| None)
# // XXX: In production code, return the Fingerprint of the
......@@ -287,7 +287,7 @@ fn generate() -> openpgp::Result<openpgp::Cert> {
# // The secret key is not encrypted.
# let mut pair = key.mark_parts_secret().unwrap().into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair)
# pkesks[0].decrypt(&mut pair, None)
# .and_then(|(algo, session_key)| decrypt(algo, &session_key))
# .map(|_| None)
# // XXX: In production code, return the Fingerprint of the
......@@ -435,7 +435,7 @@ fn encrypt(policy: &dyn Policy,
# // The secret key is not encrypted.
# let mut pair = key.mark_parts_secret().unwrap().into_keypair().unwrap();
#
# pkesks[0].decrypt(&mut pair)
# pkesks[0].decrypt(&mut pair, None)
# .and_then(|(algo, session_key)| decrypt(algo, &session_key))
# .map(|_| None)
# // XXX: In production code, return the Fingerprint of the
......@@ -596,7 +596,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
// The secret key is not encrypted.
let mut pair = key.mark_parts_secret().unwrap().into_keypair().unwrap();
pkesks[0].decrypt(&mut pair)
pkesks[0].decrypt(&mut pair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
.map(|_| None)
// XXX: In production code, return the Fingerprint of the
......
......@@ -104,7 +104,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
for pkesk in pkesks {
if let Some(key) = self.keys.get(pkesk.recipient()) {
let mut pair = KeyPair::new(self.ctx, key)?;
if let Ok(_) = pkesk.decrypt(&mut pair)
if let Ok(_) = pkesk.decrypt(&mut pair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
{
break;
......
......@@ -289,7 +289,7 @@ fn decrypt() {
.take(1).next().unwrap().key())
.unwrap();
pkesks[0].decrypt(&mut keypair)
pkesks[0].decrypt(&mut keypair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
.map(|_| None)
// XXX: In production code, return the Fingerprint of the
......
......@@ -48,7 +48,7 @@ pub extern "C" fn pgp_pkesk_decrypt(errp: Option<&mut *mut crate::error::Error>,
.into_keypair()
{
Ok(mut keypair) => {
match pkesk.decrypt(&mut keypair) {
match pkesk.decrypt(&mut keypair, None /* XXX */) {
Ok((a, k)) => {
*algo = a.into();
if !key.is_null() && *key_len >= k.len() {
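Review bot: `None /* XXX */` in `pgp_pkesk_decrypt` flags unfinished work without saying what is outstanding. Callers of this C entry point presumably have no way to supply the cipher hint, so RSA decryption through the FFI would not get the reduced side-channel leakage that the new `PKESK3::decrypt` documentation describes. A comment such as `// XXX: The C API cannot pass a cipher hint yet; RSA decryption here runs without it.` would record that. The function's signature and body extend beyond this hunk.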
......
......@@ -91,7 +91,7 @@ impl DecryptionHelper for Helper {
// Try each PKESK until we succeed.
for pkesk in pkesks {
if let Some(pair) = self.keys.get_mut(pkesk.recipient()) {
if let Ok(_) = pkesk.decrypt(pair)
if let Ok(_) = pkesk.decrypt(pair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
{
break;
......
......@@ -130,7 +130,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
// The secret key is not encrypted.
let mut pair = key.mark_parts_secret().unwrap().into_keypair().unwrap();
pkesks[0].decrypt(&mut pair)
pkesks[0].decrypt(&mut pair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
.map(|_| None)
// XXX: In production code, return the Fingerprint of the
......
......@@ -1658,7 +1658,13 @@ mod tests {
let pkesk =
PKESK3::for_recipient(cipher, &sk, &key.mark_parts_public())
.unwrap();
let (cipher_, sk_) = pkesk.decrypt(&mut keypair).unwrap();
let (cipher_, sk_) = pkesk.decrypt(&mut keypair, None).unwrap();
assert_eq!(cipher, cipher_);
assert_eq!(sk, sk_);
let (cipher_, sk_) =
pkesk.decrypt(&mut keypair, Some(cipher)).unwrap();
assert_eq!(cipher, cipher_);
assert_eq!(sk, sk_);
......@@ -1802,8 +1808,7 @@ mod tests {
// Expected
let mut decryptor = key.into_keypair().unwrap();
let got_sk = pkesk.decrypt(&mut decryptor).unwrap();
let got_sk = pkesk.decrypt(&mut decryptor, None).unwrap();
assert_eq!(got_sk.1, sk);
}
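Review bot: The added assertions cover only `None` and the matching `Some(cipher)`; no case passes a hint that differs from the algorithm carried in the encrypted session key. A test with a non-matching hint (for example, a cipher with a different key size) would pin whether `decrypt` returns an `Err` or still yields the original algorithm, which is what callers relying on the hint need to know. The test functions start outside these hunks.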
......
......@@ -130,12 +130,25 @@ impl PKESK3 {
::std::mem::replace(&mut self.esk, esk)
}
/// Decrypts the ESK and returns the session key and symmetric algorithm
/// used to encrypt the following payload.
pub fn decrypt(&self, decryptor: &mut dyn Decryptor)
/// Decrypts the encrypted session key.
///
/// If the symmetric algorithm used to encrypt the message is
/// known in advance, it should be given as argument. This allows
/// us to reduce the side-channel leakage of the decryption
/// operation for RSA.
///
/// Returns the session key and symmetric algorithm used to
/// encrypt the following payload.
pub fn decrypt(&self, decryptor: &mut dyn Decryptor,
sym_algo_hint: Option<SymmetricAlgorithm>)
-> Result<(SymmetricAlgorithm, SessionKey)>
{
let plain = decryptor.decrypt(&self.esk, None)?;
let plaintext_len = if let Some(s) = sym_algo_hint {
Some(1 /* cipher octet */ + s.key_size()? + 2 /* chksum */)
} else {
None
};
let plain = decryptor.decrypt(&self.esk, plaintext_len)?;
let key_rgn = 1..(plain.len() - 2);
let sym_algo: SymmetricAlgorithm = plain[0].into();
let mut key: SessionKey = vec![0u8; sym_algo.key_size()?].into();
......@@ -216,7 +229,11 @@ mod tests {
let pkg = pile.descendants().skip(0).next().clone();
if let Some(Packet::PKESK(ref pkesk)) = pkg {
let plain = pkesk.decrypt(&mut keypair).unwrap();
let plain = pkesk.decrypt(&mut keypair, None).unwrap();
let plain_ =
pkesk.decrypt(&mut keypair, Some(SymmetricAlgorithm::AES256))
.unwrap();
assert_eq!(plain, plain_);
eprintln!("plain: {:?}", plain);
} else {
......@@ -237,7 +254,11 @@ mod tests {
let pkg = pile.descendants().skip(0).next().clone();
if let Some(Packet::PKESK(ref pkesk)) = pkg {
let plain = pkesk.decrypt(&mut keypair).unwrap();
let plain = pkesk.decrypt(&mut keypair, None).unwrap();
let plain_ =
pkesk.decrypt(&mut keypair, Some(SymmetricAlgorithm::AES256))
.unwrap();
assert_eq!(plain, plain_);
eprintln!("plain: {:?}", plain);
} else {
......@@ -258,7 +279,11 @@ mod tests {
let pkg = pile.descendants().skip(0).next().clone();
if let Some(Packet::PKESK(ref pkesk)) = pkg {
let plain = pkesk.decrypt(&mut keypair).unwrap();
let plain = pkesk.decrypt(&mut keypair, None).unwrap();
let plain_ =
pkesk.decrypt(&mut keypair, Some(SymmetricAlgorithm::AES256))
.unwrap();
assert_eq!(plain, plain_);
eprintln!("plain: {:?}", plain);
} else {
......@@ -279,7 +304,11 @@ mod tests {
let pkg = pile.descendants().skip(0).next().clone();
if let Some(Packet::PKESK(ref pkesk)) = pkg {
let plain = pkesk.decrypt(&mut keypair).unwrap();
let plain = pkesk.decrypt(&mut keypair, None).unwrap();
let plain_ =
pkesk.decrypt(&mut keypair, Some(SymmetricAlgorithm::AES256))
.unwrap();
assert_eq!(plain, plain_);
eprintln!("plain: {:?}", plain);
} else {
......@@ -300,7 +329,11 @@ mod tests {
let pkg = pile.descendants().skip(0).next().clone();
if let Some(Packet::PKESK(ref pkesk)) = pkg {
let plain = pkesk.decrypt(&mut keypair).unwrap();
let plain = pkesk.decrypt(&mut keypair, None).unwrap();
let plain_ =
pkesk.decrypt(&mut keypair, Some(SymmetricAlgorithm::AES256))
.unwrap();
assert_eq!(plain, plain_);
eprintln!("plain: {:?}", plain);
} else {
......@@ -353,6 +386,6 @@ mod tests {
&key).unwrap();
let mut keypair =
key.mark_parts_secret().unwrap().into_keypair().unwrap();
pkesk.decrypt(&mut keypair).unwrap();
pkesk.decrypt(&mut keypair, None).unwrap();
}
}
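Review bot: In `PKESK3::decrypt` (the hunk at -130,12 +130,25), `sym_algo_hint` only sizes the expected plaintext: after `decryptor.decrypt(&self.esk, plaintext_len)` the algorithm is still read from `plain[0]`, and nothing in the visible lines compares it, or `plain.len()`, against the hint. If the rest of the body (outside this hunk) does not do so either, a mismatching hint is silently accepted; consider rejecting when `sym_algo_hint.map_or(false, |s| s != sym_algo)` holds right after `sym_algo` is derived, and state in the doc comment what a caller sees on mismatch. Separately, `1..(plain.len() - 2)` underflows if a `Decryptor` implementation returns fewer than two bytes, so a length check before that line would turn the case into an `Err`. The doc comment could also say that passing `None` keeps the previous behaviour without the reduced RSA leakage.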
......@@ -1707,7 +1707,7 @@ mod test {
.map(|ka| ka.key()).next().unwrap()
.clone().mark_parts_secret().unwrap()
.into_keypair().unwrap();
pkesks[0].decrypt(&mut keypair)
pkesks[0].decrypt(&mut keypair, None)
.and_then(|(algo, session_key)| decrypt(algo, &session_key))
.map(|_| None)
}
......
......@@ -92,7 +92,7 @@ impl<'a> Helper<'a> {
where D: FnMut(SymmetricAlgorithm, &SessionKey) -> openpgp::Result<()>
{
let keyid = keypair.public().fingerprint().into();
match pkesk.decrypt(keypair)
match pkesk.decrypt(keypair, None)
.and_then(|(algo, sk)| {
decrypt(algo, &sk)?; Ok(sk)
})
......