authorJesse Luehrs <doy@tozt.net>2021-04-17 22:45:29 -0400
committerJesse Luehrs <doy@tozt.net>2021-04-17 23:50:43 -0400
commit38f0cd43f2cb2f294c7d195481f78e58b35dfb44 (patch)
tree67f0a40bf002c088896ed330e7008939a7b0e483 /src
parentc627737dfa6a30b71e3f7c32cca05675cc7e9b97 (diff)
stop using openssl
Diffstat (limited to 'src')
-rw-r--r--src/cipherstring.rs34
-rw-r--r--src/error.rs7
2 files changed, 23 insertions, 18 deletions
diff --git a/src/cipherstring.rs b/src/cipherstring.rs
index 72681f8..fc63ac9 100644
--- a/src/cipherstring.rs
+++ b/src/cipherstring.rs
@@ -1,8 +1,10 @@
use crate::prelude::*;
use block_modes::BlockMode as _;
+use block_padding::Padding as _;
use hmac::{Mac as _, NewMac as _};
use rand::RngCore as _;
+use zeroize::Zeroize as _;
pub enum CipherString {
Symmetric {
@@ -181,24 +183,24 @@ impl CipherString {
) -> Result<crate::locked::Vec> {
match self {
Self::Asymmetric { ciphertext } => {
- let pkey = openssl::pkey::PKey::private_key_from_pkcs8(
- private_key.private_key(),
- )
- .map_err(|source| Error::OpenSsl { source })?;
- let rsa =
- pkey.rsa().map_err(|source| Error::OpenSsl { source })?;
-
- let mut res = crate::locked::Vec::new();
- res.extend(std::iter::repeat(0).take(rsa.size() as usize));
-
- let bytes = rsa
- .private_decrypt(
+ let privkey_data = private_key.private_key();
+ let privkey_data = block_padding::Pkcs7::unpad(privkey_data)
+ .map_err(|_| Error::Padding)?;
+ let pkey = rsa::RSAPrivateKey::from_pkcs8(privkey_data)
+ .map_err(|source| Error::Rsa { source })?;
+ let mut bytes = pkey
+ .decrypt(
+ rsa::padding::PaddingScheme::new_oaep::<sha1::Sha1>(),
ciphertext,
- res.data_mut(),
- openssl::rsa::Padding::PKCS1_OAEP,
)
- .map_err(|source| Error::OpenSsl { source })?;
- res.truncate(bytes);
+ .map_err(|source| Error::Rsa { source })?;
+
+ // XXX it'd be great if the rsa crate would let us decrypt
+ // into a preallocated buffer directly to avoid the
+ // intermediate vec that needs to be manually zeroized, etc
+ let mut res = crate::locked::Vec::new();
+ res.extend(bytes.iter().copied());
+ bytes.zeroize();
Ok(res)
}
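Review bot: The decrypted plaintext in `bytes` is wiped only if execution reaches the explicit `bytes.zeroize()` at the end of the `Asymmetric` arm, so a panic in `crate::locked::Vec::new()` or `res.extend(...)`, or an early return added later, would drop the ordinary `Vec` without clearing it. Wrapping the value where it is created, `let bytes = zeroize::Zeroizing::new(pkey.decrypt(/* … */).map_err(|source| Error::Rsa { source })?);`, moves the wipe into `Drop` and makes the trailing `bytes.zeroize();` unnecessary. The new `block_padding::Pkcs7::unpad` step would also benefit from a one-line comment such as `// private_key() still carries its PKCS#7 block padding; strip it before PKCS#8 parsing`, assuming that is why it is needed. The enclosing function starts above this hunk and the `match` continues below it.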
diff --git a/src/error.rs b/src/error.rs
index 7544e76..82fdb49 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -102,8 +102,8 @@ pub enum Error {
file: std::path::PathBuf,
},
- #[error("openssl error")]
- OpenSsl { source: openssl::error::ErrorStack },
+ #[error("invalid padding")]
+ Padding,
#[error("failed to parse match type {s}")]
ParseMatchType { s: String },
@@ -138,6 +138,9 @@ pub enum Error {
#[error("error making api request")]
Reqwest { source: reqwest::Error },
+ #[error("failed to decrypt")]
+ Rsa { source: rsa::errors::Error },
+
#[error("failed to save config to {}", .file.display())]
SaveConfig {
source: std::io::Error,
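Review bot: The `Rsa` variant's message `failed to decrypt` is also what a user sees when `rsa::RSAPrivateKey::from_pkcs8` rejects the key in src/cipherstring.rs, because that call maps its error to `Error::Rsa` as well. A stored private key that fails to parse and an OAEP decryption that fails are different problems to diagnose, so either give the parse path its own variant or use a neutral message such as `#[error("rsa error")]`. The `Error` enum starts and ends outside this hunk.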