From b97cc3cc403885d5e5f635f2fbe7870c543202a0 Mon Sep 17 00:00:00 2001
From: Lukas Burkhalter <10532077+lubux@users.noreply.github.com>
Date: Mon, 28 Oct 2024 12:33:39 +0100
Subject: [PATCH] feat: Validate input key size in SEIPDv2 decryption (#236)

Adds a validation step to ensure the input key size matches the expected
algorithm key size before proceeding to the HKDF step in SEIPDv2 decryption.
---
 openpgp/packet/symmetrically_encrypted_aead.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/openpgp/packet/symmetrically_encrypted_aead.go b/openpgp/packet/symmetrically_encrypted_aead.go
index 95341255..3957b2d5 100644
--- a/openpgp/packet/symmetrically_encrypted_aead.go
+++ b/openpgp/packet/symmetrically_encrypted_aead.go
@@ -7,6 +7,7 @@ package packet
 import (
 	"crypto/cipher"
 	"crypto/sha256"
+	"fmt"
 	"io"
 	"strconv"
 
@@ -63,8 +64,11 @@ func (se *SymmetricallyEncrypted) associatedData() []byte {
 // decryptAead decrypts a V2 SEIPD packet (AEAD) as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, error) {
-	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
+	if se.Cipher.KeySize() != len(inputKey) {
+		return nil, errors.StructuralError(fmt.Sprintf("invalid session key length for cipher: got %d bytes, but expected %d bytes", len(inputKey), se.Cipher.KeySize()))
+	}
 
+	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
 	// Carry the first tagLen bytes
 	tagLen := se.Mode.TagLength()
 	peekedBytes := make([]byte, tagLen)