Reject invalid HKDF key sizes

Sun Jul 3 17:02:21 CEST 2022

Your fix introduces a memory leak. Please free 'h' before returning.

diff --git a/cipher/kdf.c b/cipher/kdf.c
index 2e5eef3..d371bdd 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -1699,7 +1699,10 @@ hkdf_open (gcry_kdf_hd_t *hd, int macalgo,
     }

   if (outlen > 255 * h->blklen)
-    return GPG_ERR_INV_VALUE;
+    {
+      xfree (h);
+      return GPG_ERR_INV_VALUE;
+    }

   ec = _gcry_mac_open (&h->md, macalgo, 0, NULL);
   if (ec)

On Tue, Jun 21, 2022 at 7:02 AM NIIBE Yutaka <gniibe at fsij.org> wrote:

> Guido Vranken wrote:
> > HKDF prohibits output sizes which exceed digest size * 255. See section
> 2.3
> > of RFC 5869.
>
> Thank you.
>
> Fixed in the commit:
>
>         e0f0c788dc0f268965c0f63eb33d9f98c0575d58
> --
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20220703/ac619641/attachment.html>
