preauthenticated decryption considered harmful
A few notes regarding agl’s post on encrypting streams and tools I’ve worked on.
signify will only verify a message if it is entirely correct. The OpenBSD installer doesn’t stream install files through tar anymore. This was something we needed to change precisely because of the situation Adam warns about. Instead the full tar file is downloaded, verified, and then extracted. Tainted data never hits the real file system.
pkg_add combined with signify works a little differently, instead checking the checksum of each file, but the tainted data is first saved to temporary files before being renamed. I’m less familiar with the exact details, but a quick chat with espie said it should be safe.
reop, which is a true encryption at rest tool, does in one sense repeat the mistakes of 20 years ago. Each message is encrypted as a single large “packet”. However, the entire message must decrypt and authenticate successfully before any output is produced, so it’s actually safer than a small packet streaming program which may produce partial output. (reop cheats a bit by imposing a message size limit; it simply can’t encrypt large files, for large values of large.)