Update AEAD handling

[franziskuskiefer]

In this PR I change when the counter gets increased. Before it was not increased when the decryption failed (invalid tag). Now the counter is increased even if the decryption fails.

[raphaelrobert]

I'm concerned this could introduce another attack:

If an attacker send completely bogus messages to a recipient, the recipient will now blindly increase the counter. When the recipient afterwards receives a valid message, they will not be able to decrypt it because of FS.

[franziskuskiefer]

If an attacker send completely bogus messages to a recipient, the recipient will now blindly increase the counter. When the recipient afterwards receives a valid message, they will not be able to decrypt it because of FS.

Sure, with the mechanisms currently available (the counter). There will always be one attack or the other.

[raphaelrobert]

The counter is covered by the MAC, so an attacker couldn't manipulate the counter with bogus messages (where the verification fails) until now. With this PR an attacker can increase the counter by sending any random message.

[franziskuskiefer]

Right, but at the moment an attacker can invalidate messages and thus produce a TooDistantFuture error that (if performed in both directions) is unrecoverable.

[franziskuskiefer]

Fixes https://github.com/wireapp/security/issues/22
@raphaelrobert how do you want to proceed here?

[franziskuskiefer]

@raphaelrobert can you review? Not counting anymore on failure, but properly handling decryption.

[raphaelrobert]

If we don't do any other changes we should bump the version number.