chacha20_poly1305_openssh: Minimize and document panicking.

src/aead/chacha20_poly1305_openssh.rs

@@ -56,6 +56,10 @@ impl SealingKey {
     /// `padding_length||payload||random padding`. It will be overwritten by
     /// `encrypted_packet_length||ciphertext`, where `encrypted_packet_length`
     /// is encrypted with `K_1` and `ciphertext` is encrypted by `K_2`.
+    ///
+    /// # Panics
+    ///
+    /// Panics if `plaintext_in_ciphertext_out.len() < PACKET_LENGTH_LEN`.
     pub fn seal_in_place(
         &self,
         sequence_number: u32,
@@ -126,6 +130,10 @@ impl OpeningKey {
         ciphertext_in_plaintext_out: &'a mut [u8],
         tag: &[u8; TAG_LEN],
     ) -> Result<&'a [u8], error::Unspecified> {
+        if ciphertext_in_plaintext_out.len() < PACKET_LENGTH_LEN {
+            return Err(error::Unspecified);
+        }
+
         let mut counter = make_counter(sequence_number);
 
         // We must verify the tag before decrypting so that
@@ -134,7 +142,9 @@ impl OpeningKey {
         let poly_key = derive_poly1305_key(&self.key.k_2, counter.increment());
         verify(poly_key, ciphertext_in_plaintext_out, tag)?;
 
+        // Won't panic because the length was checked above.
         let plaintext_in_ciphertext_out = &mut ciphertext_in_plaintext_out[PACKET_LENGTH_LEN..];
+
         self.key
             .k_2
             .encrypt_in_place(counter, plaintext_in_ciphertext_out);