
Implement Explicit HMAC Verification for Stream EOF and Truncation Protection #1

@aarchiev

Description

The current implementation of DecryptedReader in main.rs relies on Ok(0) from the underlying reader to signal the end of the data stream. While functional for general use, it lacks a critical security check in the context of Authenticated Encryption with Associated Data (AEAD).

In the chacha20poly1305 stream implementation, it is vital to distinguish between a legitimate End-Of-File (EOF) and a malicious or accidental Truncation Attack (where the file is cut short).

Current Problem
Inside DecryptedReader::read:

if read_bytes == 0 {
    self.eof = true;
    return Ok(0);
}

If the file is truncated before the final block is processed, the decryptor might never call the final verification step. An attacker could potentially remove the end of an encrypted file, and the program would treat the partial data as valid without throwing a MAC (Message Authentication Code) error.

Potential Impact

  • Data Integrity: Users might unknowingly process incomplete files.
  • Security: Vulnerability to truncation attacks where trailing data (which might contain critical termination sequences) is stripped by an adversary.

Proposed Solution

  • Final Block Verification: Utilize the decrypt_last or equivalent mechanism provided by chacha20poly1305::aead::stream to ensure the final tag is verified.
  • Explicit Length Check: Store the expected encrypted payload size in the header or ensure the stream state machine explicitly reaches the Final state before returning Ok(0).
  • Refactor DecryptedReader:
    • Improve the loop to handle the last chunk specifically.
    • If self.inner.read returns 0 but the decryptor hasn't processed the final block, throw an UnexpectedEof error.
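A reader loop that implements the last-chunk handling proposed above, as an added example that is not the project's code: it assumes the crate's decryptor shape (decrypt_next for interior chunks, decrypt_last consuming the decryptor for the final one) behind a hypothetical StreamDecryptor trait, and chunk_len is the ciphertext chunk size including the tag.

```rust
use std::io::{self, ErrorKind, Read};

/// Assumed shape of chacha20poly1305::aead::stream::DecryptorBE32 (not the
/// crate's code): interior chunks go through decrypt_next, the final one
/// through decrypt_last, and the tag binds each chunk to its counter and a
/// last-chunk flag, so a non-final chunk handed to decrypt_last fails.
pub trait StreamDecryptor {
    fn decrypt_next(&mut self, chunk: &[u8]) -> Option<Vec<u8>>;
    fn decrypt_last(self, chunk: &[u8]) -> Option<Vec<u8>>;
}

fn auth_failed() -> io::Error {
    io::Error::new(ErrorKind::InvalidData, "chunk authentication failed")
}

/// Read up to `len` bytes, looping over short reads; only EOF yields fewer.
fn read_chunk<R: Read>(src: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    let mut filled = 0;
    while filled < len {
        match src.read(&mut buf[filled..])? {
            0 => break,
            n => filled += n,
        }
    }
    buf.truncate(filled);
    Ok(buf)
}

/// One-chunk lookahead: the chunk followed by EOF is the final one and must
/// pass decrypt_last. Input that ends before any chunk is UnexpectedEof, and
/// a stream cut short ends in a non-final chunk, which decrypt_last rejects;
/// neither case can be reported as a clean end of stream.
pub fn decrypt_stream<R: Read, D: StreamDecryptor>(
    mut src: R, mut dec: D, chunk_len: usize,
) -> io::Result<Vec<u8>> {
    let mut cur = read_chunk(&mut src, chunk_len)?;
    if cur.is_empty() {
        return Err(io::Error::new(ErrorKind::UnexpectedEof, "stream ended before the final chunk"));
    }
    let mut out = Vec::new();
    loop {
        let next = read_chunk(&mut src, chunk_len)?;
        if next.is_empty() {
            out.extend(dec.decrypt_last(&cur).ok_or_else(auth_failed)?);
            return Ok(out);
        }
        out.extend(dec.decrypt_next(&cur).ok_or_else(auth_failed)?);
        cur = next;
    }
}
```

Implementing StreamDecryptor for the crate's DecryptorBE32 is a thin wrapper that maps its Result to Option; the lookahead is what guarantees decrypt_last is always the call that ends the stream.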
