age-core: Add plaintext size argument to aead_decrypt

This implements the same mitigation as FiloSottile/age for the multi-key attack. The age crate was already checking these lengths for built-in recipient types; this change extends the mitigation to other crates that reuse the age primitives, such as age plugins.
2025-04-04 19:37:51 +03:00 · 2020-12-26 01:16:41 +00:00 · 2020-12-26 01:16:41 +00:00 · d0d55872a7
commit d0d55872a7
parent 95fe900549
6 changed files with 48 additions and 22 deletions
--- a/age-core/src/format.rs
+++ b/age-core/src/format.rs
@ -7,17 +7,20 @@ use secrecy::{ExposeSecret, Secret};
 /// The prefix identifying an age stanza.
 const STANZA_TAG: &str = "-> ";

-/// A file key for encrypting or decrypting an age file.
-pub struct FileKey(Secret<[u8; 16]>);
+/// The length of an age file key.
+pub const FILE_KEY_BYTES: usize = 16;

-impl From<[u8; 16]> for FileKey {
-    fn from(file_key: [u8; 16]) -> Self {
+/// A file key for encrypting or decrypting an age file.
+pub struct FileKey(Secret<[u8; FILE_KEY_BYTES]>);
+
+impl From<[u8; FILE_KEY_BYTES]> for FileKey {
+    fn from(file_key: [u8; FILE_KEY_BYTES]) -> Self {
        FileKey(Secret::new(file_key))
    }
 }

-impl ExposeSecret<[u8; 16]> for FileKey {
-    fn expose_secret(&self) -> &[u8; 16] {
+impl ExposeSecret<[u8; FILE_KEY_BYTES]> for FileKey {
+    fn expose_secret(&self) -> &[u8; FILE_KEY_BYTES] {
        self.0.expose_secret()
    }
 }
--- a/age-core/src/primitives.rs
+++ b/age-core/src/primitives.rs
@ -1,13 +1,13 @@
 //! Primitive cryptographic operations used across various `age` components.

 use chacha20poly1305::{
-    aead::{self, Aead, NewAead},
+    aead::{self, generic_array::typenum::Unsigned, Aead, NewAead},
    ChaChaPoly1305,
 };
 use hkdf::Hkdf;
 use sha2::Sha256;

-/// `encrypt[key](plaintext)`
+/// `encrypt[key](plaintext)` - encrypts a message with a one-time key.
 ///
 /// ChaCha20-Poly1305 from [RFC 7539] with a zero nonce.
 ///
@ -18,12 +18,24 @@ pub fn aead_encrypt(key: &[u8; 32], plaintext: &[u8]) -> Vec<u8> {
        .expect("we won't overflow the ChaCha20 block counter")
 }

-/// `decrypt[key](ciphertext)`
+/// `decrypt[key](ciphertext)` - decrypts a message of an expected fixed size.
 ///
 /// ChaCha20-Poly1305 from [RFC 7539] with a zero nonce.
 ///
+/// The message size is limited to mitigate multi-key attacks, where a ciphertext can be
+/// crafted that decrypts successfully under multiple keys. Short ciphertexts can only
+/// target two keys, which has limited impact.
+///
 /// [RFC 7539]: https://tools.ietf.org/html/rfc7539
-pub fn aead_decrypt(key: &[u8; 32], ciphertext: &[u8]) -> Result<Vec<u8>, aead::Error> {
+pub fn aead_decrypt(
+    key: &[u8; 32],
+    size: usize,
+    ciphertext: &[u8],
+) -> Result<Vec<u8>, aead::Error> {
+    if ciphertext.len() != size + <ChaChaPoly1305<c2_chacha::Ietf> as Aead>::TagSize::to_usize() {
+        return Err(aead::Error);
+    }
+
    let c = ChaChaPoly1305::<c2_chacha::Ietf>::new(key.into());
    c.decrypt(&[0; 12].into(), ciphertext)
 }
@ -50,7 +62,7 @@ mod tests {
        let key = [14; 32];
        let plaintext = b"12345678";
        let encrypted = aead_encrypt(&key, plaintext);
-        let decrypted = aead_decrypt(&key, &encrypted).unwrap();
+        let decrypted = aead_decrypt(&key, plaintext.len(), &encrypted).unwrap();
        assert_eq!(decrypted, plaintext);
    }
 }