Currently the max length constants for plaintext (P_MAX), associated data (A_MAX), and ciphertext (C_MAX) are not correct for XAES-256-GCM in xaes-256-gcm/src/lib.rs.
| | Current | Correct |
|---|---|---|
| P_MAX | 1 << 36 | (1 << 36) - 32 |
| A_MAX | 1 << 36 | (1 << 61) - 1 |
| C_MAX | (1 << 36) + 16 | (1 << 36) - 32 |

The maximums are set by the underlying aes_gcm AEAD call.
One reason for the discrepancy: the current max also includes the 16-byte tag in the C_MAX length. However, the AeadInOut trait explicitly operates in a detached state where the tag is handled separately from the ciphertext, meaning the ciphertext is always the same length as the plaintext. So the current C_MAX check in decrypt_inout_detached() can be replaced with a P_MAX check (alternatively, C_MAX could be defined as equivalent to P_MAX).
I opened PR #836 as one potential fix; however, you may have a different solution.
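
An added example, not part of the issue and not the crate's own code: the corrected byte limits from the table, derived from the AES-GCM bit-length limits in NIST SP 800-38D and checked side by side with the values listed as current. The function and enum names are hypothetical, and the use of P_MAX on the encrypt path of the current check is an assumption.

```rust
// Added illustration; names are hypothetical, not from xaes-256-gcm.
// With a 96-bit nonce, data blocks use 32-bit counter values 2..=2^32-1
// (counter value 1 produces the tag mask), so 2^32 - 2 blocks of 16 bytes.
pub const P_MAX: u64 = ((1u64 << 32) - 2) * 16; // (1 << 36) - 32 bytes
// SP 800-38D caps AAD at 2^64 - 1 bits; rounded down to whole bytes.
pub const A_MAX: u64 = u64::MAX / 8; // (1 << 61) - 1 bytes
// Detached mode: the tag travels separately, so ciphertext length == plaintext length.
pub const C_MAX: u64 = P_MAX;

// Values the issue lists as "Current".
pub const CUR_P_MAX: u64 = 1 << 36;
pub const CUR_A_MAX: u64 = 1 << 36;
pub const CUR_C_MAX: u64 = (1 << 36) + 16;

#[derive(Debug, PartialEq)]
pub enum LenError {
    AadTooLong,
    TextTooLong,
}

/// Length check with the corrected limits; one bound serves encrypt and decrypt.
pub fn check_correct(aad_len: u64, text_len: u64) -> Result<(), LenError> {
    if aad_len > A_MAX {
        return Err(LenError::AadTooLong);
    }
    if text_len > C_MAX {
        return Err(LenError::TextTooLong);
    }
    Ok(())
}

/// Length check with the current limits (assumed: C_MAX on decrypt, P_MAX on encrypt).
pub fn check_current(aad_len: u64, text_len: u64, decrypt: bool) -> Result<(), LenError> {
    let text_max = if decrypt { CUR_C_MAX } else { CUR_P_MAX };
    if aad_len > CUR_A_MAX {
        return Err(LenError::AadTooLong);
    }
    if text_len > text_max {
        return Err(LenError::TextTooLong);
    }
    Ok(())
}

fn main() {
    // Constructed lengths at the boundaries where the two sets of limits disagree.
    for (aad, text, dec) in [(0, 1u64 << 36, false), (0, (1 << 36) + 16, true), (1 << 40, 0, false)] {
        println!("aad={aad} text={text} decrypt={dec}: current={:?} correct={:?}",
            check_current(aad, text, dec), check_correct(aad, text));
    }
}
```

The first two cases are lengths the current constants let through to the underlying AES-GCM call, and the third is an associated-data length the current A_MAX rejects although AES-GCM permits it.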