tweak bounds check; will need a revisit

author: Stuart Stock <stuart@int08h.com> 2018-10-21 20:36:07 -0500
committer: Stuart Stock <stuart@int08h.com> 2018-10-21 20:36:07 -0500
commit: 2225b7c4ecb40cef0c9bf6b4d50b48c0009e6e6a (patch)
tree: b41760a94237eac9ee312fab3c48240f5f93a456 /src
parent: 5c92c228af412e39633c11bc1eca3c975c161fb7 (diff)
download: roughenough-2225b7c4ecb40cef0c9bf6b4d50b48c0009e6e6a.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/kms/envelope.rs b/src/kms/envelope.rs
index bc75994..49f8d79 100644
--- a/src/kms/envelope.rs
+++ b/src/kms/envelope.rs
@@ -79,7 +79,7 @@ impl EnvelopeEncryption {
         let dek_len = tmp.read_u16::<LittleEndian>()? as usize;
         let nonce_len = tmp.read_u16::<LittleEndian>()? as usize;
 
-        if dek_len != DEK_SIZE_BYTES || nonce_len != NONCE_SIZE_BYTES {
+        if nonce_len != NONCE_SIZE_BYTES || dek_len > ciphertext_blob.len() {
             return Err(KmsError::InvalidData(format!(
                 "invalid DEK ({}) or nonce ({}) length",
                 dek_len, nonce_len
@@ -234,7 +234,7 @@ mod test {
         let ciphertext = enc_result.unwrap();
         let mut ciphertext_copy = ciphertext.clone();
 
-        ciphertext_copy[0] = 1;
+        ciphertext_copy[1] = 99;
         let dec_result = EnvelopeEncryption::decrypt_seed(&kms, &ciphertext_copy);
         match dec_result.expect_err("expected an error") {
             KmsError::InvalidData(msg) => assert!(msg.contains("invalid DEK")),
author	Stuart Stock <stuart@int08h.com>	2018-10-21 20:36:07 -0500
committer	Stuart Stock <stuart@int08h.com>	2018-10-21 20:36:07 -0500
commit	2225b7c4ecb40cef0c9bf6b4d50b48c0009e6e6a (patch)
tree	b41760a94237eac9ee312fab3c48240f5f93a456 /src
parent	5c92c228af412e39633c11bc1eca3c975c161fb7 (diff)
download	roughenough-2225b7c4ecb40cef0c9bf6b4d50b48c0009e6e6a.zip