Refactor Error and Result usage for pkcs5 crate

[dwhjames]

• introduce Error enum with one and only existing error value
• introduce specialized Result type for crate
• rewrite references to der crate Error & Result types

[dwhjames]

@tarcieri, admittedly I’m just trying to do easy/accessible things, with learning being the primary motivation. I hope this is actually useful work, and not just busy work. It it did seem that the one error value was actually rolling up a variety of distinct error categories, so I thought I’d rewrite the one and only error, before moving on to separating out the cases.

[tarcieri]

It'd make sense if Error had more than one variant. Perhaps you can eliminate some of the map_errs that are discarding error values with From conversions?

Note that the only variants I think should be added are ones which distinguish encoding-related errors from actual cryptographic errors. I don't think you should try to categorize the various kinds of cryptographic errors or propagate information about it. That has the potential for leakage.

[dwhjames]

Here were my ideas:

1. ‘encrypt/decrypt not supported for PBES1’

• formats/pkcs5/src/lib.rs

  Lines 89 to 90 in a391e5b

  	Self::Pbes2(params) => params.decrypt_in_place(password, buffer),
  	_ => Err(Error::Crypto),

• and three other locations

2. ‘invalid scrypt params’

• formats/pkcs5/src/pbes2/kdf.rs

  Lines 364 to 365 in a391e5b

  	block_size: params.r().try_into().map_err(|_| Error::Crypto)?,
  	parallelization: params.p().try_into().map_err(|_| Error::Crypto)?,

• formats/pkcs5/src/pbes2/kdf.rs

  Lines 429 to 438 in a391e5b

  	if 1 << log_n != n {
  	return Err(Error::Crypto);
  	}
  	scrypt::Params::new(
  	log_n,
  	params.block_size.into(),
  	params.parallelization.into(),
  	)
  	.map_err(|_| Error::Crypto)

3. ‘invalid block cipher params’

• formats/pkcs5/src/pbes2/encryption.rs

  Lines 40 to 41 in a391e5b

  	let cipher = Aes128Cbc::new_from_slices(encryption_key.as_slice(), iv)
  	.map_err(|_| Error::Crypto)?;

• and several other locations
• one could argue that these could be panic’s at this point and that there could be validation at an earlier point

4. ‘no buffer remaining for block cipher padding during encryption’

• formats/pkcs5/src/pbes2/encryption.rs

  Line 42 in a391e5b

  cipher.encrypt(buffer, pos).map_err(|_| Error::Crypto)

• and several other locations

5. ‘decryption error - invalid ciphertext size or malformed padding’

• formats/pkcs5/src/pbes2/encryption.rs

  Line 97 in a391e5b

  cipher.decrypt(buffer).map_err(|_| Error::Crypto)

• and several other locations

6. ‘encryption not supported for cipher’

• formats/pkcs5/src/pbes2/encryption.rs

  Line 61 in a391e5b

  EncryptionScheme::DesCbc { .. } => Err(Error::Crypto),

7. ‘key derivation with Sha1 not enabled’

• formats/pkcs5/src/pbes2/encryption.rs

  Line 130 in a391e5b

  Pbkdf2Prf::HmacWithSha1 => return Err(Error::Crypto),

8. ‘scrypt derivation failure’

• formats/pkcs5/src/pbes2/encryption.rs

  Lines 187 to 194 in a391e5b

  	let mut buffer = [0u8; MAX_KEY_LEN];
  	scrypt(
  	password,
  	params.salt,
  	&params.try_into()?,
  	&mut buffer[..length],
  	)
  	.map_err(|_| Error::Crypto)?;

• this also seems like a library bug thus panic, rather than a plausible runtime error — entirely prevented as long as the constants in the crate are set appropriately

[jklong]

1. ‘decryption error - invalid ciphertext size or malformed padding’


* https://github.com/RustCrypto/formats/blob/a391e5b0995ae7aa9224972749d4186625b6ec5c/pkcs5/src/pbes2/encryption.rs#L97

* and several other locations

I'd be careful with this one in particular. Once you start identifying information around padding you're introducing the possibility of a padding oracle. That's a large potential foot-gun if the library user isn't careful about that information leaking.

[tarcieri]

Going through these one-by-one:

1. ‘encrypt/decrypt not supported for PBES1’

I think it's fine to have a variant that says PBES1 is unsupported. This will effectively be a perpetual WONTFIX.

2. ‘invalid scrypt params’
3. ‘invalid block cipher params’

I would really like to avoid overspecializing variants for specific algorithms, especially if they are variants that are only available via conditional compilation.

How about something like: AlgorithmParametersInvalid { oid: ObjectIdentifier }?

If you'd really like to break the cases above down, perhaps it could be KdfParametersInvalid { oid } versus CipherParametersInvalid { oid }.

4. ‘no buffer remaining for block cipher padding during encryption’

An error case for the output buffer being too small sounds fine. I would avoid mentioning anything about padding: the real problem is that the buffer is too small.

5. ‘decryption error - invalid ciphertext size or malformed padding’

This is the kind of error I'd personally prefer to continue to keep an opaque Crypto error. If you really want to split out errors specifically related to decryption, something like Error::DecryptFailed would be OK.

6. ‘encryption not supported for cipher’
7. ‘key derivation with Sha1 not enabled’

These are effectively unsupported algorithm errors. As I mentioned earlier, I'd prefer not to get too off in the weeds with algorithm-specific error variants.

Something like UnsupportedAlgorithm { oid: ObjectIdentifier } seems fine to me though.

8. ‘scrypt derivation failure’
   this also seems like a library bug thus panic, rather than a plausible runtime error — entirely prevented as long as the constants in the crate are set appropriately

Across the RustCrypto projects we generally try to minimize any potential runtime panics, and especially in low-level libraries like this we are aiming for panic-free code. The reason is we'd like to make these libraries usable in contexts where panics are unacceptable, like OS kernels or bare metal embedded device programming.

That's not a hard rule, or an easily enforceable one (see previous link for some discussion on that), but we would like to ensure that there is a baseline level of functionality which does not require a panic handler.

[tarcieri]

I'd be careful with this one in particular. Once you start identifying information around padding you're introducing the possibility of a padding oracle. That's a large potential foot-gun if the library user isn't careful about that information leaking.

Yep, exactly, avoiding this sort of leakage is exactly why we've largely kept the error types opaque.

[dwhjames]

@jklong @tarcieri thanks for the great feedback.

I’ll come back with something concrete.

[tarcieri]

Looks good! I'll hold off on merging this until we're ready to make breaking changes

[tarcieri]

@dwhjames can you rebase? If so, I can merge after that

[dwhjames]

@tarcieri, 👍, conflicts resolved.

[tarcieri]

Rather than eagerly calculating this, you could make it a function on Parameters, e.g. Parameters::invalid_error.

[dwhjames]

see d30f931

[tarcieri]

Ditto here re: https://github.com/RustCrypto/formats/pull/26/files#r725524106

[dwhjames]

see d30f931

[tarcieri]

It would probably be good to leave this fallible.

I'm not sure why u16 was used for the iteration count but it unnecessarily constrains the number of iterations. Using 100,000+ should be supported.

However, if this type is changed to a u32, it would also be good to set a sanity limit on the number of iterations.

RFC8018 says the sanity limit is implementation defined:

https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.2

iterationCount specifies the iteration count. The maximum iteration count allowed depends on the implementation. It is expected that implementation profiles may further constrain the bounds.

[dwhjames]

see d30f931

sanity limit chosen as 100 million

[tarcieri]

This can also be replaced with a function on params.

Edit: actually, since it's private I guess this is fine. You could also use this approach on the other params structs.

[dwhjames]

see d30f931

same added for Pbkdf2Params

[tarcieri]

Thank you!