diff options
author | Jesse Luehrs <doy@tozt.net> | 2021-04-17 14:24:59 -0400 |
---|---|---|
committer | Jesse Luehrs <doy@tozt.net> | 2021-04-17 20:58:57 -0400 |
commit | 828e61a574f484aea575f3cd98322407d3f9aea5 (patch) | |
tree | d7d9deb3fb0b4a6181bce962b132d822d203f627 /src/cipherstring.rs | |
parent | 516072b496e2cdd6e68230e6b500b5099bbe4b42 (diff) | |
download | rbw-828e61a574f484aea575f3cd98322407d3f9aea5.tar.gz rbw-828e61a574f484aea575f3cd98322407d3f9aea5.zip |
stop using ring
Diffstat (limited to 'src/cipherstring.rs')
-rw-r--r-- | src/cipherstring.rs | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/src/cipherstring.rs b/src/cipherstring.rs index f213cf7..cd1d25b 100644 --- a/src/cipherstring.rs +++ b/src/cipherstring.rs @@ -1,6 +1,7 @@ use crate::prelude::*; use block_modes::BlockMode as _; +use hmac::{Mac as _, NewMac as _}; use rand::RngCore as _; pub enum CipherString { @@ -94,8 +95,6 @@ impl CipherString { ) -> Result<Self> { let iv = random_iv(); - // ring doesn't currently support CBC ciphers, so we have to do it - // manually. see https://github.com/briansmith/ring/issues/588 let cipher = block_modes::Cbc::< aes::Aes256, block_modes::block_padding::Pkcs7, @@ -103,12 +102,12 @@ impl CipherString { .map_err(|source| Error::CreateBlockMode { source })?; let ciphertext = cipher.encrypt_vec(plaintext); - let mut digest = ring::hmac::Context::with_key( - &ring::hmac::Key::new(ring::hmac::HMAC_SHA256, keys.mac_key()), - ); + let mut digest = + hmac::Hmac::<sha2::Sha256>::new_varkey(keys.mac_key()) + .map_err(|source| Error::CreateHmac { source })?; digest.update(&iv); digest.update(&ciphertext); - let mac = digest.sign().as_ref().to_vec(); + let mac = digest.finalize().into_bytes().as_slice().to_vec(); Ok(Self::Symmetric { iv, @@ -182,9 +181,6 @@ impl CipherString { ) -> Result<crate::locked::Vec> { match self { Self::Asymmetric { ciphertext } => { - // ring doesn't currently support asymmetric encryption (only - // signatures). see - // https://github.com/briansmith/ring/issues/691 let pkey = openssl::pkey::PKey::private_key_from_pkcs8( private_key.private_key(), ) @@ -223,21 +219,16 @@ fn decrypt_common_symmetric( ) -> Result<block_modes::Cbc<aes::Aes256, block_modes::block_padding::Pkcs7>> { if let Some(mac) = mac { - let key = - ring::hmac::Key::new(ring::hmac::HMAC_SHA256, keys.mac_key()); - // it'd be nice to not have to pull this into a vec, but ring - // doesn't currently support non-contiguous verification. see - // https://github.com/briansmith/ring/issues/615 - let data: Vec<_> = - iv.iter().chain(ciphertext.iter()).copied().collect(); + let mut key = hmac::Hmac::<sha2::Sha256>::new_varkey(keys.mac_key()) + .map_err(|source| Error::CreateHmac { source })?; + key.update(&iv); + key.update(&ciphertext); - if ring::hmac::verify(&key, &data, mac).is_err() { + if key.verify(mac).is_err() { return Err(Error::InvalidMac); } } - // ring doesn't currently support CBC ciphers, so we have to do it - // manually. see https://github.com/briansmith/ring/issues/588 Ok(block_modes::Cbc::< aes::Aes256, block_modes::block_padding::Pkcs7, |