chacha20_poly1305_openssh: Don't panic in open_in_place.

Return an error instead of panicking. Luckily, since the slicing is done after the Poly1305 verification is done, it won't be hit by anybody in practice unless Poly1305 is broken. Unfortunately, for the same reason, it is too hard to write a test. Also, the user will have needed to have already decrypted the packet length before calling `open_in_place`, which means they must have successfully parsed a packet length.
briansmith · Jan 16, 2025 · 53adab1 · 53adab1
1 parent 0223acb
commit 53adab1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/aead/chacha20_poly1305_openssh.rs b/src/aead/chacha20_poly1305_openssh.rs
@@ -126,6 +126,10 @@ impl OpeningKey {
         ciphertext_in_plaintext_out: &'a mut [u8],
         tag: &[u8; TAG_LEN],
     ) -> Result<&'a [u8], error::Unspecified> {
+        if ciphertext_in_plaintext_out.len() < PACKET_LENGTH_LEN {
+            return Err(error::Unspecified);
+        }
+
         let mut counter = make_counter(sequence_number);
 
         // We must verify the tag before decrypting so that
@@ -134,7 +138,9 @@ impl OpeningKey {
         let poly_key = derive_poly1305_key(&self.key.k_2, counter.increment());
         verify(poly_key, ciphertext_in_plaintext_out, tag)?;
 
+        // Won't panic because the length was checked above.
         let plaintext_in_ciphertext_out = &mut ciphertext_in_plaintext_out[PACKET_LENGTH_LEN..];
+
         self.key
             .k_2
             .encrypt_in_place(counter, plaintext_in_ciphertext_out);