Closed 0x2b3bfa0 closed 2 years ago
As suggested in the commit message for 15df6e2cf71bd7457d6a7e1c15754030dc6a9304, it would be possible to add an exception to the following checks:
Unfortunately, changes to the newlineWriter.Write
function also affected the header MAC computation, invalidating the message.
https://github.com/FiloSottile/age/blob/15df6e2cf71bd7457d6a7e1c15754030dc6a9304/age.go#L200-L202
Would computing and checking the MAC for both formats be worth the effort?
Thank you for the detailed report!
No encrypted files produced by cmd/age are affected.
Ah, yep, this part turned out to be inaccurate, I didn't think about RSA key sizes.
Since no one noticed until now, it doesn't sound it's particularly disruptive, and we didn't commit to backwards compatibility until v1.0.0-rc.1. However, I need to make the error message mention this possibility.
Actually modulo 64
I think 48 is correct. The length of the body in bytes before encoding has to be a multiple of 48. The 4/3 term in your formula is part of the encoding itself.
Since no one noticed until now, it doesn't sound it's particularly disruptive, and we didn't commit to backwards compatibility until v1.0.0-rc.1. However, I need to make the error message mention this possibility.
Definitely! A good error message sounds much better than an overcomplicated workaround.
I think 48 is correct. The length of the body in bytes before encoding has to be a multiple of 48. The 4/3 term in your formula is part of the encoding itself.
I was thinking of the length of the body after the Base64 encoding step, not before. 🤦🏼♂️ Both numbers are “correct” then, although 48 probably makes more sense in this context.
$$\left\lceil\frac{l}{8}\right\rceil\equiv0\pmod{48}$$
Environment
age
version before the breaking change:1.0.0-beta6
age
version after the breaking change:1.0.0-beta7
Intent
Using a 3072 bit SSH RSA key:
age@v1.0.0-beta6
or earlier and decrypt it withage@v1.0.0-beta7
or later.age@v1.0.0-beta7
or later and decrypt it withage@v1.0.0-beta6
or earlier.Result
📖 Note: key length provided for illustrative purposes;
ssh-keygen(1)
generates 3072 bit SSH RSA keys by default.Changes
Commit message for 15df6e2cf71bd7457d6a7e1c15754030dc6a9304
[^48]: Actually modulo 64
Release notes for
1.0.0-beta7
Details
This bug affects any SSH RSA key whose length in bits
l
satisfies the following condition, being 3072 the most common example:$$\left\lceil\left\lceil\frac{l}{8}\right\rceil\times\frac{4}{3}\right\rceil\equiv0\pmod{64}$$