feat: Validate input key size in SEIPDv2 decryption (#236)

Adds a validation step to ensure the input key size matches the expected algorithm key size before proceeding to the HKDF step in SEIPDv2 decryption.
ProtonMail · Oct 28, 2024 · b97cc3c · b97cc3c
1 parent 20ab0e4
commit b97cc3c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/openpgp/packet/symmetrically_encrypted_aead.go b/openpgp/packet/symmetrically_encrypted_aead.go
@@ -7,6 +7,7 @@ package packet
 import (
 	"crypto/cipher"
 	"crypto/sha256"
+	"fmt"
 	"io"
 	"strconv"
 
@@ -63,8 +64,11 @@ func (se *SymmetricallyEncrypted) associatedData() []byte {
 // decryptAead decrypts a V2 SEIPD packet (AEAD) as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, error) {
-	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
+	if se.Cipher.KeySize() != len(inputKey) {
+		return nil, errors.StructuralError(fmt.Sprintf("invalid session key length for cipher: got %d bytes, but expected %d bytes", len(inputKey), se.Cipher.KeySize()))
+	}
 
+	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
 	// Carry the first tagLen bytes
 	tagLen := se.Mode.TagLength()
 	peekedBytes := make([]byte, tagLen)