Update to *ring* 0.16.2 to improve sealing operations.

Restore the allocation/copying behavior to what it was before the *ring* 0.16.0 upgrade.
2019-07-22 21:14:23 +01:00 · 2019-07-22 21:14:23 +01:00 · 675ad27250
parent 666a2cbd2a
commit 675ad27250
3 changed files with 17 additions and 25 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -13,7 +13,7 @@ categories = ["network-programming", "cryptography"]
 [dependencies]
 base64 = "0.10"
 log = { version = "0.4.4", optional = true }
-ring = "0.16.0"
+ring = "0.16.2"
 sct = "0.6.0"
 webpki = "0.21.0"
--- a/src/cipher.rs
+++ b/src/cipher.rs
@ -207,22 +207,19 @@ impl MessageEncrypter for GCMMessageEncrypter {
            aead::Nonce::assume_unique_for_key(nonce)
        };
        let total_len = msg.payload.len() + self.alg.tag_len();
        let mut buf = Vec::with_capacity(total_len);
        buf.extend_from_slice(&msg.payload);
        let mut aad = [0u8; TLS12_AAD_SIZE];
        make_tls12_aad(seq, msg.typ, msg.version, msg.payload.len(), &mut aad);
        let aad = aead::Aad::from(&aad);
        let total_len = msg.payload.len() + self.alg.tag_len();
        let mut payload = Vec::with_capacity(GCM_EXPLICIT_NONCE_LEN + total_len);
        payload.extend_from_slice(&nonce.as_ref()[4..]);
        payload.extend_from_slice(&msg.payload);
-        self.enc_key.seal_in_place(nonce, aad, &mut buf)
+        self.enc_key.seal_in_place_separate_tag(nonce, aad, &mut payload[GCM_EXPLICIT_NONCE_LEN..])
            .map(|tag| payload.extend(tag.as_ref()))
            .map_err(|_| TLSError::General("encrypt failed".to_string()))?;
        payload.extend_from_slice(&buf);
        Ok(Message {
            typ: msg.typ,
            version: msg.version,
@ -322,7 +319,7 @@ impl MessageEncrypter for TLS13MessageEncrypter {
        let mut aad = [0u8; TLS13_AAD_SIZE];
        make_tls13_aad(total_len, &mut aad);
-        self.enc_key.seal_in_place(nonce, aead::Aad::from(&aad), &mut buf)
+        self.enc_key.seal_in_place_append_tag(nonce, aead::Aad::from(&aad), &mut buf)
            .map_err(|_| TLSError::General("encrypt failed".to_string()))?;
        Ok(Message {
@ -524,7 +521,7 @@ impl MessageEncrypter for ChaCha20Poly1305MessageEncrypter {
        let mut buf = Vec::with_capacity(total_len);
        buf.extend_from_slice(&msg.payload);
-        self.enc_key.seal_in_place(nonce, aad, &mut buf)
+        self.enc_key.seal_in_place_append_tag(nonce, aad, &mut buf)
            .map_err(|_| TLSError::General("encrypt failed".to_string()))?;
        Ok(Message {
--- a/src/ticketer.rs
+++ b/src/ticketer.rs
@ -68,21 +68,16 @@ impl ProducesTickets for AEADTicketer {
        let nonce = ring::aead::Nonce::assume_unique_for_key(nonce_buf);
        let aad = ring::aead::Aad::empty();
-        let cipher_len = message.len() + self.alg.tag_len();
+        let mut ciphertext =
-        let mut ciphertext = Vec::with_capacity(cipher_len);
+            Vec::with_capacity(nonce_buf.len() + message.len() + self.key.algorithm().tag_len());
-        ciphertext.extend_from_slice(message);
+        ciphertext.extend(&nonce_buf);
-
+        ciphertext.extend(message);
-        match self.key.seal_in_place(nonce,
+        self.key.seal_in_place_separate_tag(nonce,aad, &mut ciphertext[nonce_buf.len()..])
-                                     aad,
+            .map(|tag| {
-                                     &mut ciphertext) {
+                ciphertext.extend(tag.as_ref());
-            Err(_) => return None,
+                ciphertext
-            Ok(_) => ()
+            })
-        };
+            .ok()
        let mut out = Vec::with_capacity(nonce_buf.len() + cipher_len);
        out.extend_from_slice(&nonce_buf);
        out.extend_from_slice(&ciphertext);
        Some(out)
    }
    /// Decrypt `ciphertext` and recover the original message.