awslabs / aws-encryption-sdk-specification

AWS Encryption SDK Specification

Implementation: Hold final frame plaintext on Decrypt until signature verifies #184

Open lavaleri opened 4 years ago

lavaleri commented 4 years ago

Per https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/client-apis/decrypt.md, if streaming decrypt:

If this operation is using an algorithm suite with a signature algorithm,
all plaintext decrypted from regular frames SHOULD be released as soon as the above calculation,
including tag verification, succeeds.
Any plaintext decrypted from unframed data or a final frame MUST NOT
be released until signature verification successfully completes.
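
A small model of the release rule quoted above, added here as an example and not taken from the issue or from any AWS Encryption SDK implementation. Assumptions: HMAC-SHA256 stands in for both the per-frame authentication tag and the trailing signature, payloads are left unencrypted, and the keys, frame tuples and function names are constructed for illustration; unframed data is modelled as a single final frame.

```python
import hashlib
import hmac

FRAME_KEY = b"constructed-frame-key"   # stand-in for the data key (assumption)
SIG_KEY = b"constructed-signing-key"   # stand-in for the verification key (assumption)


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def build_message(chunks, tamper_signature=False):
    """Constructed sample input: [(payload, tag, is_final), ...] plus a trailing signature."""
    frames = [(c, _mac(FRAME_KEY, c), i == len(chunks) - 1) for i, c in enumerate(chunks)]
    signature = _mac(SIG_KEY, b"".join(c + t for c, t, _ in frames))
    if tamper_signature:
        signature = bytes(32)
    return frames, signature


def stream_decrypt(frames, signature):
    """Yield plaintext under the release rule; a bad signature raises before the final frame escapes."""
    running = hmac.new(SIG_KEY, digestmod=hashlib.sha256)
    held = None
    for payload, tag, is_final in frames:
        running.update(payload + tag)
        if not hmac.compare_digest(tag, _mac(FRAME_KEY, payload)):
            raise ValueError("frame tag verification failed")
        if is_final:
            held = payload   # MUST NOT be released until the signature verifies
            break
        yield payload        # regular frame: SHOULD be released once its tag verifies
    if held is None:
        raise ValueError("message ended without a final frame")
    if not hmac.compare_digest(signature, running.digest()):
        raise ValueError("signature verification failed")
    yield held


def collect(frames, signature):
    """Return (released_chunks, error) to show what reached the caller before any failure."""
    released, error = [], None
    try:
        for chunk in stream_decrypt(frames, signature):
            released.append(chunk)
    except ValueError as exc:
        error = str(exc)
    return released, error
```

With a tampered signature, `collect` shows the regular frames already released and the final frame withheld, so a caller must still treat the output as unauthenticated until the stream completes without error.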