From 38f0cd43f2cb2f294c7d195481f78e58b35dfb44 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Sat, 17 Apr 2021 22:45:29 -0400
Subject: stop using openssl
---
 src/cipherstring.rs | 34 ++++++++++++++++++----------------
 src/error.rs | 7 +++++--
 2 files changed, 23 insertions(+), 18 deletions(-)
 (limited to 'src')
diff --git a/src/cipherstring.rs b/src/cipherstring.rs
index 72681f8..fc63ac9 100644
--- a/src/cipherstring.rs
+++ b/src/cipherstring.rs
@@ -1,8 +1,10 @@
 use crate::prelude::*;
 use block_modes::BlockMode as _;
+use block_padding::Padding as _;
 use hmac::{Mac as _, NewMac as _};
 use rand::RngCore as _;
+use zeroize::Zeroize as _;
 pub enum CipherString {
 Symmetric {
@@ -181,24 +183,24 @@ impl CipherString {
 ) -> Result {
 match self {
 Self::Asymmetric { ciphertext } => {
- let pkey = openssl::pkey::PKey::private_key_from_pkcs8(
- private_key.private_key(),
- )
- .map_err(|source| Error::OpenSsl { source })?;
- let rsa =
- pkey.rsa().map_err(|source| Error::OpenSsl { source })?;
-
- let mut res = crate::locked::Vec::new();
- res.extend(std::iter::repeat(0).take(rsa.size() as usize));
-
- let bytes = rsa
- .private_decrypt(
+ let privkey_data = private_key.private_key();
+ let privkey_data = block_padding::Pkcs7::unpad(privkey_data)
+ .map_err(|_| Error::Padding)?;
+ let pkey = rsa::RSAPrivateKey::from_pkcs8(privkey_data)
+ .map_err(|source| Error::Rsa { source })?;
+ let mut bytes = pkey
+ .decrypt(
+ rsa::padding::PaddingScheme::new_oaep::(),
 ciphertext,
- res.data_mut(),
- openssl::rsa::Padding::PKCS1_OAEP,
 )
- .map_err(|source| Error::OpenSsl { source })?;
- res.truncate(bytes);
+ .map_err(|source| Error::Rsa { source })?;
+
+ // XXX it'd be great if the rsa crate would let us decrypt
+ // into a preallocated buffer directly to avoid the
+ // intermediate vec that needs to be manually zeroized, etc
+ let mut res = crate::locked::Vec::new();
+ res.extend(bytes.iter().copied());
+ bytes.zeroize();
 Ok(res)
 }
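Review bot: `block_padding::Pkcs7::unpad(privkey_data)` assumes the bytes returned by `private_key.private_key()` still carry the PKCS#7 padding left by the symmetric decrypt; `private_key()` is defined outside this hunk, so if it ever returns an already-unpadded DER blob this call will either fail with `Error::Padding` or, when the trailing bytes happen to look like valid padding, strip real key bytes and fail later in `from_pkcs8`. A comment at that site would pin the assumption: `// private_key() is the raw CBC-decrypted blob: strip its PKCS#7 padding before DER parsing`. The zeroize step covers only the `bytes` Vec; the parsed `pkey` holds the private key in ordinary heap memory until it drops, so it is worth confirming that the `rsa` crate's key type zeroizes on drop and, if it does not, extending the existing XXX comment to say so. The enclosing decrypt method starts before and ends after this hunk.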
diff --git a/src/error.rs b/src/error.rs
index 7544e76..82fdb49 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -102,8 +102,8 @@ pub enum Error {
 file: std::path::PathBuf,
 },
- #[error("openssl error")]
- OpenSsl { source: openssl::error::ErrorStack },
+ #[error("invalid padding")]
+ Padding,
 #[error("failed to parse match type {s}")]
 ParseMatchType { s: String },
@@ -138,6 +138,9 @@ pub enum Error {
 #[error("error making api request")]
 Reqwest { source: reqwest::Error },
+ #[error("failed to decrypt")]
+ Rsa { source: rsa::errors::Error },
+
 #[error("failed to save config to {}", .file.display())]
 SaveConfig {
 source: std::io::Error,
-- cgit v1.2.3-54-g00ecf