From 53adab13b6c233c1a87fe5d32f267fb6b4144e9f Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Thu, 16 Jan 2025 08:36:23 -0800
Subject: [PATCH] chacha20_poly1305_openssh: Don't panic in `open_in_place`.

Return an error instead of panicking. Luckily, since the slicing is done after the Poly1305 verification is done, it won't be hit by anybody in practice unless Poly1305 is broken. Unfortunately, for the same reason, it is too hard to write a test. Also, the user will have needed to have already decrypted the packet length before calling `open_in_place`, which means they must have successfully parsed a packet length.
---
 src/aead/chacha20_poly1305_openssh.rs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/aead/chacha20_poly1305_openssh.rs b/src/aead/chacha20_poly1305_openssh.rs
index 529fd06536..39b9e7f0b4 100644
--- a/src/aead/chacha20_poly1305_openssh.rs
+++ b/src/aead/chacha20_poly1305_openssh.rs
@@ -126,6 +126,10 @@ impl OpeningKey {
 ciphertext_in_plaintext_out: &'a mut [u8],
 tag: &[u8; TAG_LEN],
 ) -> Result<&'a [u8], error::Unspecified> {
+ if ciphertext_in_plaintext_out.len() < PACKET_LENGTH_LEN {
+ return Err(error::Unspecified);
+ }
+
 let mut counter = make_counter(sequence_number);
 // We must verify the tag before decrypting so that
@@ -134,7 +138,9 @@ impl OpeningKey {
 let poly_key = derive_poly1305_key(&self.key.k_2, counter.increment());
 verify(poly_key, ciphertext_in_plaintext_out, tag)?;
+ // Won't panic because the length was checked above.
 let plaintext_in_ciphertext_out = &mut ciphertext_in_plaintext_out[PACKET_LENGTH_LEN..];
+
 self.key
 .k_2
 .encrypt_in_place(counter, plaintext_in_ciphertext_out);
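Review bot: The new length guard at the top of `open_in_place` returns before `verify` runs, so a too-short input is rejected without the tag being checked, and nothing on the visible lines records that this ordering is intended. Per the signature, both failures reach the caller as `error::Unspecified`, so they are not distinguishable by value. A one-line comment above the `if` would capture that: `// Too short to hold the packet length; reject up front with the same error a bad tag gives.` If the method's doc comment lists failure conditions, it should name this one as well. That doc comment, and the start and end of the function body, are outside this hunk.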
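Review bot: The slice after the new comment still uses panicking indexing, `&mut ciphertext_in_plaintext_out[PACKET_LENGTH_LEN..]`, so its safety rests on a comment that points at a guard several lines up. The checked form keeps the no-panic property local even if the early check is later moved or edited: `let plaintext_in_ciphertext_out = ciphertext_in_plaintext_out.get_mut(PACKET_LENGTH_LEN..).ok_or(error::Unspecified)?;`. Any later re-slice of the same buffer further down `open_in_place` would presumably want the same treatment, but the rest of the function is outside this hunk.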