Tighten Kyber decrypt parsing and deterministic malformed-ciphertext errors by Psychevus · Pull Request #184 · Psychevus/cryptography-suite

Psychevus · 2026-02-25T13:09:31Z

Ensure kyber_decrypt strictly validates ciphertext structure to prevent out-of-bounds parsing and avoid accepting truncated inputs.
Make error reporting deterministic: malformed ciphertext must raise DecryptionError rather than leaking lower-level exceptions like ValueError or InvalidTag.

Enforced a minimum ciphertext length by requiring ct_size + 16 + 12 + 16 (KEM ciphertext + salt(16) + nonce(12) + tag(16)) before parsing.
Wrapped KEM decapsulation (alg.decrypt) errors and AES-GCM decryption errors in DecryptionError("Invalid ciphertext") to normalize failure reporting.
Added tests that assert malformed inputs produce DecryptionError, and imported DecryptionError into the test module.
New tests cover short ciphertext rejection and corruption of the nonce and tag regions in the Kyber payload.

Ran pytest -q tests/test_pqc.py, which completed successfully with 6 passed.
New negative tests added: short ciphertext path and corrupted nonce/tag paths each assert DecryptionError is raised (these tests passed).

Harden Kyber ciphertext validation and error handling

da2b748

Psychevus added the codex label Feb 25, 2026 — with ChatGPT Codex Connector

Psychevus added 3 commits February 25, 2026 16:42

Format pqc module to satisfy ruff check

023ccdc

Fix ruff lint issues in PQC module and tests

485e06c

Fix mypy type narrowing in Kyber tamper tests

30b5109

Psychevus removed the codex label Feb 25, 2026

Psychevus merged commit 9f48dbe into main Feb 25, 2026
6 checks passed

Psychevus deleted the codex/fix-kyber-ciphertext-parsing-errors branch February 25, 2026 13:22

Provide feedback