v1.17: [zk-token-sdk] Limit max seed length for key derivations (backport of #33700) (#33795)

[zk-token-sdk] Limit max seed length for key derivations (#33700)

* limit max seed length for elgamal keypairs

* limit max seed length for authenticated encryption keys

* Apply suggestions from code review

Co-authored-by: Jon Cinque <[email protected]>

* rename `SeedLengthTooLarge` to `SeedLengthTooLong`

---------

Co-authored-by: Jon Cinque <[email protected]>
(cherry picked from commit dd2b1bb)

Co-authored-by: samkim-crypto <[email protected]>

Author: mergify[bot]

zk-token-sdk/src/encryption/auth_encryption.rs

@@ -50,6 +50,8 @@ pub enum AuthenticatedEncryptionError {
     DerivationMethodNotSupported,
     #[error("seed length too short for derivation")]
     SeedLengthTooShort,
+    #[error("seed length too long for derivation")]
+    SeedLengthTooLong,
 }
 
 struct AuthenticatedEncryption;
@@ -172,10 +174,14 @@ impl EncodableKey for AeKey {
 impl SeedDerivable for AeKey {
     fn from_seed(seed: &[u8]) -> Result<Self, Box<dyn error::Error>> {
         const MINIMUM_SEED_LEN: usize = AE_KEY_LEN;
+        const MAXIMUM_SEED_LEN: usize = 65535;
 
         if seed.len() < MINIMUM_SEED_LEN {
             return Err(AuthenticatedEncryptionError::SeedLengthTooShort.into());
         }
+        if seed.len() > MAXIMUM_SEED_LEN {
+            return Err(AuthenticatedEncryptionError::SeedLengthTooLong.into());
+        }
 
         let mut hasher = Sha3_512::new();
         hasher.update(seed);
@@ -278,4 +284,16 @@ mod tests {
         let null_signer = NullSigner::new(&Pubkey::default());
         assert!(AeKey::new_from_signer(&null_signer, Pubkey::default().as_ref()).is_err());
     }
+
+    #[test]
+    fn test_aes_key_from_seed() {
+        let good_seed = vec![0; 32];
+        assert!(AeKey::from_seed(&good_seed).is_ok());
+
+        let too_short_seed = vec![0; 15];
+        assert!(AeKey::from_seed(&too_short_seed).is_err());
+
+        let too_long_seed = vec![0; 65536];
+        assert!(AeKey::from_seed(&too_long_seed).is_err());
+    }
 }

zk-token-sdk/src/encryption/elgamal.rs

@@ -76,6 +76,8 @@ pub enum ElGamalError {
     DerivationMethodNotSupported,
     #[error("seed length too short for derivation")]
     SeedLengthTooShort,
+    #[error("seed length too long for derivation")]
+    SeedLengthTooLong,
 }
 
 /// Algorithm handle for the twisted ElGamal encryption scheme
@@ -449,10 +451,14 @@ impl ElGamalSecretKey {
     /// Derive an ElGamal secret key from an entropy seed.
     pub fn from_seed(seed: &[u8]) -> Result<Self, ElGamalError> {
         const MINIMUM_SEED_LEN: usize = ELGAMAL_SECRET_KEY_LEN;
+        const MAXIMUM_SEED_LEN: usize = 65535;
 
         if seed.len() < MINIMUM_SEED_LEN {
             return Err(ElGamalError::SeedLengthTooShort);
         }
+        if seed.len() > MAXIMUM_SEED_LEN {
+            return Err(ElGamalError::SeedLengthTooLong);
+        }
         Ok(ElGamalSecretKey(Scalar::hash_from_bytes::<Sha3_512>(seed)))
     }
 
@@ -1026,6 +1032,9 @@ mod tests {
 
         let too_short_seed = vec![0; 31];
         assert!(ElGamalKeypair::from_seed(&too_short_seed).is_err());
+
+        let too_long_seed = vec![0; 65536];
+        assert!(ElGamalKeypair::from_seed(&too_long_seed).is_err());
     }
 
     #[test]