internal/stream: disallow empty final chunks

A non-empty payload of length a multiple of the chunk size can be
encrypted in two ways: with the last chunk full, or with an extra empty
last chunk. This is mostly an oversight in the original spec.

Both age and rage generate full last chunks, so we should be still in
time to pick one of the two, and avoid the underspecification. It's not
the one I would have picked originally, maybe, because disallowing full
last chunks would have avoided the trial decryption, but oh well.

cmd/age/age_test.go

@@ -65,7 +65,10 @@ func TestVectors(t *testing.T) {
 			r, err := age.Decrypt(in, identities...)
 			if expectFailure {
 				if err == nil {
-					t.Fatal("expected Decrypt failure")
+					_, err = io.ReadAll(r)
+				}
+				if err == nil {
+					t.Fatal("expected Decrypt or Read failure")
 				}
 				if e := new(age.NoIdentityMatchError); errors.As(err, &e) {
 					t.Errorf("got ErrIncorrectIdentity, expected more specific error")
@@ -87,7 +90,7 @@ func TestVectors(t *testing.T) {
 				}
 				t.Logf("%s", out)
 			} else {
-				t.Fatal("invalid test vector")
+				t.Fatal("invalid test vector: missing prefix")
 			}
 		})
 	}

cmd/age/testdata/good_empty_payload.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> X25519 JRosIz2avWchP2qSL6wF6U7uzD6kDuJXDbZvN1MOGmo
+KpIQxpkbBDHqp+JsHLiTy2d5RYRwp2qzvUrAe0aDOnk
+--- orVjbqbzm8U3S9njAs53o4PFi1wK39fIQQ4gRj3i7IU
+„Ïgñ¾<>Ô0‡‘µÆN¢'jûöao<61>¹&æT