mlock sensitive memory

author: Jesse Luehrs <doy@tozt.net> 2020-04-08 03:45:45 -0400
committer: Jesse Luehrs <doy@tozt.net> 2020-04-08 03:45:45 -0400
commit: 56d47b757da04bdb4414e350e6438a93242f53c8 (patch)
tree: ba28afa56e7746f9c33f8021c37d2c2b45d41204 /src/cipherstring.rs
parent: 47968ec94ee172f5ae8924f2bb3850142e77dcd3 (diff)
download: rbw-56d47b757da04bdb4414e350e6438a93242f53c8.tar.gz
rbw-56d47b757da04bdb4414e350e6438a93242f53c8.zip
1 files changed, 33 insertions, 11 deletions
diff --git a/src/cipherstring.rs b/src/cipherstring.rs
index 75edec4..9f2c261 100644
--- a/src/cipherstring.rs
+++ b/src/cipherstring.rs
@@ -51,32 +51,54 @@ impl CipherString {
         })
     }
 
-    pub fn decrypt(&self, enc_key: &[u8], mac_key: &[u8]) -> Result<Vec<u8>> {
+    pub fn decrypt(&self, keys: &crate::locked::Keys) -> Result<Vec<u8>> {
+        let cipher = self.decrypt_common(keys)?;
+        cipher
+            .decrypt_vec(&self.ciphertext)
+            .context(crate::error::Decrypt)
+    }
+
+    pub fn decrypt_locked(
+        &self,
+        keys: &crate::locked::Keys,
+    ) -> Result<crate::locked::Vec> {
+        let mut res = crate::locked::Vec::new();
+        res.extend(self.ciphertext.iter().copied());
+        let cipher = self.decrypt_common(keys)?;
+        cipher
+            .decrypt(res.data_mut())
+            .context(crate::error::Decrypt)?;
+        Ok(res)
+    }
+
+    fn decrypt_common(
+        &self,
+        keys: &crate::locked::Keys,
+    ) -> Result<
+        block_modes::Cbc<aes::Aes256, block_modes::block_padding::Pkcs7>,
+    > {
         if self.ty != 2 {
             unimplemented!()
         }
 
         if let Some(mac) = &self.mac {
-            let mut digest = hmac::Hmac::<sha2::Sha256>::new_varkey(mac_key)
-                .map_err(|_| Error::InvalidMacKey)?;
+            let mut digest =
+                hmac::Hmac::<sha2::Sha256>::new_varkey(keys.mac_key())
+                    .map_err(|_| Error::InvalidMacKey)?;
             digest.input(&self.iv);
             digest.input(&self.ciphertext);
             let calculated_mac = digest.result().code();
 
-            if !macs_equal(mac, &calculated_mac, mac_key)? {
+            if !macs_equal(mac, &calculated_mac, keys.mac_key())? {
                 return Err(Error::InvalidMac);
             }
         }
 
-        let cipher = block_modes::Cbc::<
+        Ok(block_modes::Cbc::<
             aes::Aes256,
             block_modes::block_padding::Pkcs7,
-        >::new_var(enc_key, &self.iv)
-        .context(crate::error::CreateBlockMode)?;
-
-        cipher
-            .decrypt_vec(&self.ciphertext)
-            .context(crate::error::Decrypt)
+        >::new_var(keys.enc_key(), &self.iv)
+        .context(crate::error::CreateBlockMode)?)
     }
 }
author	Jesse Luehrs <doy@tozt.net>	2020-04-08 03:45:45 -0400
committer	Jesse Luehrs <doy@tozt.net>	2020-04-08 03:45:45 -0400
commit	56d47b757da04bdb4414e350e6438a93242f53c8 (patch)
tree	ba28afa56e7746f9c33f8021c37d2c2b45d41204 /src/cipherstring.rs
parent	47968ec94ee172f5ae8924f2bb3850142e77dcd3 (diff)
download	rbw-56d47b757da04bdb4414e350e6438a93242f53c8.tar.gz rbw-56d47b757da04bdb4414e350e6438a93242f53c8.zip