diff options
| author | Neal H. Walfield <neal@pep.foundation> | 2019-10-12 14:24:06 +0200 |
|---|---|---|
| committer | Neal H. Walfield <neal@pep.foundation> | 2019-10-22 23:03:02 +0200 |
| commit | a3c4f05848d0d9d46a7b9cdc9b227ed27189e231 (patch) | |
| tree | d905a95b2fccf3f03b3fedae9382489d3ed7773b /openpgp/src/parse | |
| parent | 7d6496aa0786c8576a9e3130dfd03d2328e7bf9b (diff) | |
openpgp: Fix AEAD encryption.
- The AEAD implementation did not correctly handle messages where
the last chunk was a bit smaller than the chunk size.
Specifically, assume that the chunk size is 32 bytes and the
digest size is 16 bytes, and consider a message with 17 bytes of
data. That message will be encrypted as follows:
[ chunk1 ][ tag1 ][ tagF ]
17B 16B 16B
If we read a chunk and a digest, we'll successfully read 48
bytes of data. Unfortunately, we'll have over read: the
last 15 bytes are from the final tag.
To correctly handle this case, we have to make sure that
there are at least a tag worth of bytes left over when we
read a chunk and a tag.
- Test encrypting and decrypting more message sizes using AEAD.
- Also, check that the AEAD implementation correctly handles
corruption (specifically, a corrupted final tag).
Diffstat (limited to 'openpgp/src/parse')
| -rw-r--r-- | openpgp/src/parse/parse.rs | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/openpgp/src/parse/parse.rs b/openpgp/src/parse/parse.rs index 2883ef3c..5a5a356e 100644 --- a/openpgp/src/parse/parse.rs +++ b/openpgp/src/parse/parse.rs @@ -3619,7 +3619,8 @@ impl<'a> PacketParser<'a> { // `aead::Decryptor` won't see EOF and think that // it has a partial block and it needs to verify // the final chunk. - let amount = aed.chunk_digest_size()? + 1; + let amount + = aed.chunk_digest_size()? + aed.aead().digest_size()?; let data = self.data(amount)?; let dec = aead::Decryptor::new( 1, aed.symmetric_algo(), aed.aead(), aed.chunk_size(), |