From a3c4f05848d0d9d46a7b9cdc9b227ed27189e231 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield"
Date: Sat, 12 Oct 2019 14:24:06 +0200
Subject: openpgp: Fix AEAD encryption.
- The AEAD implementation did not correctly handle messages where the last chunk was a bit smaller than the chunk size. Specifically, assume that the chunk size is 32 bytes and the digest size is 16 bytes, and consider a message with 17 bytes of data. That message will be encrypted as follows: [ chunk1 ][ tag1 ][ tagF ] 17B 16B 16B If we read a chunk and a digest, we'll successfully read 48 bytes of data. Unfortunately, we'll have over read: the last 15 bytes are from the final tag. To correctly handle this case, we have to make sure that there are at least a tag worth of bytes left over when we read a chunk and a tag. - Test encrypting and decrypting more message sizes using AEAD. - Also, check that the AEAD implementation correctly handles corruption (specifically, a corrupted final tag).
---
 openpgp/src/parse/parse.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'openpgp/src/parse')
diff --git a/openpgp/src/parse/parse.rs b/openpgp/src/parse/parse.rs
index 2883ef3c..5a5a356e 100644
--- a/openpgp/src/parse/parse.rs
+++ b/openpgp/src/parse/parse.rs
@@ -3619,7 +3619,8 @@ impl<'a> PacketParser<'a> {
 // `aead::Decryptor` won't see EOF and think that
 // it has a partial block and it needs to verify
 // the final chunk.
- let amount = aed.chunk_digest_size()? + 1;
+ let amount
+ = aed.chunk_digest_size()? + aed.aead().digest_size()?;
 let data = self.data(amount)?;
 let dec = aead::Decryptor::new(
 1, aed.symmetric_algo(), aed.aead(), aed.chunk_size(),
-- cgit v1.2.3
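Review bot: The context comment just above `let amount` still only explains reading past the chunk so that `aead::Decryptor` does not see EOF, which matched the old `+ 1` but does not say why the look-ahead must now be a whole tag. I would extend it with a line such as `// Reserve a full final tag so a short last chunk plus its tag never consumes bytes of the final tag.` Separately, `aed.chunk_digest_size()? + aed.aead().digest_size()?` is plain addition on sizes derived from the packet header; if `chunk_digest_size()` does not already bound the chunk size, `checked_add` with an error return would be the safer form, though that cannot be confirmed from this hunk. The comment and the enclosing block both start outside the hunk, and the tests the message mentions are not part of this path-limited view.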