chacha20_poly1305_openssh: Don't panic in open_in_place.
Return an error instead of panicking. Luckily, since the slicing
is done after the Poly1305 verification is done, it won't be hit
by anybody in practice unless Poly1305 is broken. Unfortunately,
for the same reason, it is too hard to write a test.

Also, the user will have needed to have already decrypted the
packet length before calling `open_in_place`, which means they
must have successfully parsed a packet length.
briansmith committed Jan 16, 2025
1 parent 0223acb commit b7be8ef
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/aead/chacha20_poly1305_openssh.rs
Expand Up @@ -126,15 +126,19 @@ impl OpeningKey {
ciphertext_in_plaintext_out: &'a mut [u8],
tag: &[u8; TAG_LEN],
) -> Result<&'a [u8], error::Unspecified> {
let mut counter = make_counter(sequence_number);
if ciphertext_in_plaintext_out.len() < PACKET_LENGTH_LEN {
return Err(error::Unspecified);
}

// We must verify the tag before decrypting so that
// `ciphertext_in_plaintext_out` is unmodified if verification fails.
// This is beyond what we guarantee.
let poly_key = derive_poly1305_key(&self.key.k_2, counter.increment());
verify(poly_key, ciphertext_in_plaintext_out, tag)?;

// Won't panic because the length was checked above.
let plaintext_in_ciphertext_out = &mut ciphertext_in_plaintext_out[PACKET_LENGTH_LEN..];

self.key
.k_2
.encrypt_in_place(counter, plaintext_in_ciphertext_out);
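Review bot: the comment `// Won't panic because the length was checked above.` on the `[PACKET_LENGTH_LEN..]` slice depends on a guard several statements earlier, with `derive_poly1305_key` and `verify` in between, so a later edit that moves or drops the `len() < PACKET_LENGTH_LEN` check would silently bring the panic back. Consider making the bound local to the slice, for example `ciphertext_in_plaintext_out.get_mut(PACKET_LENGTH_LEN..).ok_or(error::Unspecified)?`, so the no-panic property is enforced by the code rather than by a comment. Also, as shown here the early return sits before `verify`, so a buffer shorter than `PACKET_LENGTH_LEN` reaches it without needing a valid tag; a unit test that passes such a buffer and asserts `Err(error::Unspecified)` looks feasible and would pin the new behaviour. The early return depends only on the buffer length, which the caller already knows, so returning `error::Unspecified` there before tag verification does not reveal anything about the key or the plaintext.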