https://bugzilla.mindrot.org/show_bug.cgi?id=2366
--- Comment #4 from Ron Frederick <[email protected]> ---

The bug I found actually wasn't related to the additional authenticated data. For this particular case of using the cipher to encrypt an OpenSSH format private key, the additional data is empty in fact.

The bug here had to do with the length of the data passed to the cipher_crypt() call when decrypting the key. Instead of passing in the length of the encrypted data, the code is passing in the length of the encrypted data plus the length of the MAC which is placed after it. However, the MAC is not encrypted, since the keys are following the "encrypt then MAC" approach.

The fix is to pass in the proper encrypted length, after validating that there are enough bytes in the buffer to hold both this encrypted data and a trailing MAC of the expected size.

There was also a bug when consuming the data later, in that only encrypted_len bytes were consumed, even though it attempted to decrypt more bytes than that. The correct thing here would be to consume encrypted_len bytes plus the length of the MAC, and then check to make sure that no bytes beyond that were remaining in the buffer.

The patch I've attached here addresses all of these issues. Only the decrypt code needed any changes. The encrypt function was fine as-is.
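
The length accounting described in the comment above, as an added example that is not part of the original comment, not the attached patch, and not OpenSSH's code. It only splits a buffer into ciphertext and trailing MAC before any decrypt call; `split_sealed_blob`, `struct sealed_view` and the error codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example. */
enum { BLOB_OK = 0, BLOB_TRUNCATED = -1, BLOB_TRAILING = -2 };

/* Hypothetical view of an "encrypt then MAC" blob: ciphertext || MAC. */
struct sealed_view {
    const uint8_t *ct;   /* ciphertext: the only bytes handed to decryption */
    size_t ct_len;       /* equals encrypted_len, never includes the MAC */
    const uint8_t *mac;  /* unencrypted MAC placed after the ciphertext */
    size_t mac_len;
    size_t consumed;     /* bytes to consume afterwards: ct_len + mac_len */
};

/*
 * Split buf[0..buf_len) into ciphertext and trailing MAC.
 * encrypted_len is read from the key file and is untrusted;
 * mac_len is the MAC size expected for the chosen cipher.
 */
int split_sealed_blob(const uint8_t *buf, size_t buf_len,
    size_t encrypted_len, size_t mac_len, struct sealed_view *out)
{
    /* Overflow-safe form of: buf_len < encrypted_len + mac_len */
    if (buf_len < mac_len || buf_len - mac_len < encrypted_len)
        return BLOB_TRUNCATED;

    /* No bytes may remain once ciphertext and MAC are accounted for. */
    if (buf_len - mac_len != encrypted_len)
        return BLOB_TRAILING;

    out->ct = buf;
    out->ct_len = encrypted_len;        /* decrypt length excludes the MAC */
    out->mac = buf + encrypted_len;
    out->mac_len = mac_len;
    out->consumed = encrypted_len + mac_len;
    return BLOB_OK;
}
```

The subtraction-based comparison avoids the integer wrap that `encrypted_len + mac_len` could hit when `encrypted_len` is attacker-chosen.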
