From 63ca3f229581ef4eb762d20627a570102c0f4a15 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Tue, 9 Jan 2024 23:29:05 +0100
Subject: [PATCH] Add error handling for cipher decryption
---
 agent/bitwarden/crypto/encstring.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/agent/bitwarden/crypto/encstring.go b/agent/bitwarden/crypto/encstring.go
index 1eca8d7..a4e93f1 100644
--- a/agent/bitwarden/crypto/encstring.go
+++ b/agent/bitwarden/crypto/encstring.go
@@ -154,6 +154,12 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
 if !isMacValid(msg, s.MAC, macKeyData) {
 return nil, fmt.Errorf("decrypt: MAC mismatch")
 }
+ } else if s.Type == AesCbc256_B64 {
+ return nil, fmt.Errorf("decrypt: cipher of unsupported type %q", s.Type)
+ }
+ if len(s.IV) != block.BlockSize() {
+ return nil, fmt.Errorf("decrypt: invalid IV length, expected %d, got %d", block.BlockSize(), len(s.IV))
 }
 mode := cipher.NewCBCDecrypter(block, s.IV)
@@ -168,7 +174,13 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
 func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) {
 encKeyData, err := key.EncryptionKeyBytes()
+ if err != nil {
+ return EncString{}, err
+ }
 macKeyData, err := key.MacKeyBytes()
+ if err != nil {
+ return EncString{}, err
+ }
 s := EncString{}
 switch typ {
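Review bot: The new `else if s.Type == AesCbc256_B64` branch rejects only that one unauthenticated type, so any other `s.Type` value that misses the MAC-checked branch would still reach `cipher.NewCBCDecrypter` with no MAC verification, unless code earlier in DecryptWith (outside this hunk) already filters the type. Failing closed is safer here: make the branch a plain `} else {` with the same `return nil, fmt.Errorf(...)`, so only ciphertext whose MAC was verified is ever decrypted. If EncStringType is a plain integer type without a String method, `%q` prints a quoted character literal rather than the number, so `%d` would make the error readable. The head of the `if` this branch attaches to and the rest of DecryptWith are outside the hunk.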
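Review bot: Both new early returns in EncryptWith hand the key error back bare, while the errors in DecryptWith carry a `decrypt:` prefix, so a caller's log will not show which operation or which key failed. Wrapping keeps the cause and adds the context, for example `return EncString{}, fmt.Errorf("encrypt: encryption key: %w", err)` and `return EncString{}, fmt.Errorf("encrypt: MAC key: %w", err)`. EncryptWith's body continues past the hunk, so whether the `switch typ` rejects unsupported types cannot be judged from here.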