Reject invalid HKDF key sizes
Guido Vranken
guidovranken at gmail.com
Fri Jun 17 20:14:24 CEST 2022
HKDF prohibits output sizes which exceed digest size * 255. See section 2.3
of RFC 5869.
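In the following code, the abort() should not be reached: OUTSIZE is one byte more than 32 * 255 (the SHA-256 digest size times 255), so one of the gcry_kdf_* calls should return an error: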
#include <gcrypt.h>
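/*
 * Compare expr against res and jump to the enclosing function's `end`
 * cleanup label on mismatch.  Wrapped in do { } while (0) so the macro
 * expands to a single statement and stays safe inside an unbraced if/else.
 */
#define CF_CHECK_EQ(expr, res) do { if ( (expr) != (res) ) { goto end; } } while (0)
/*
 * Requested HKDF output length in bytes: one more than 32 * 255, i.e. one
 * byte past the 255 * digest-size bound for a 32-byte digest (SHA-256).
 */
#define OUTSIZE ((32 * 255) + 1)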
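/*
 * Reproducer: request OUTSIZE bytes of HKDF (HMAC-SHA256) output and call
 * abort() if every gcry_kdf_* call reports success.
 *
 * RFC 5869 section 2.3 bounds the output length by 255 * digest size, so an
 * implementation enforcing that bound must fail one of the calls below and
 * the program must take the `end` path instead of reaching abort().
 *
 * Returns 0 when the oversized request was rejected; does not return when
 * the library produced output for the out-of-range length.
 */
int main(void)
{
    const unsigned char password[] = {0x00};
    const unsigned char salt[] = {0x00};
    const unsigned char info[] = {0x00};
    gcry_kdf_hd_t hd = NULL;
    /* unsigned char matches the other buffers and needs no <stdint.h>,
     * which the listing does not include. */
    unsigned char out[OUTSIZE];
    /* OUTSIZE is passed both as the single KDF parameter here and as the
     * result length given to gcry_kdf_final() below. */
    unsigned long param[1] = {OUTSIZE};

    CF_CHECK_EQ(gcry_kdf_open(
                    &hd,
                    GCRY_KDF_HKDF,
                    GCRY_MAC_HMAC_SHA256,
                    param,
                    1,
                    password, sizeof(password),
                    NULL, 0,
                    salt, sizeof(salt),
                    info, sizeof(info)), GPG_ERR_NO_ERROR);
    CF_CHECK_EQ(gcry_kdf_compute(hd, NULL), GPG_ERR_NO_ERROR);
    CF_CHECK_EQ(gcry_kdf_final(hd, OUTSIZE, out), GPG_ERR_NO_ERROR);

    /* Should not be reached: all three calls accepted an output length
     * above the RFC 5869 bound. */
    abort();

end:
    /* If gcry_kdf_open() is the call that rejects the size, hd may still be
     * NULL here.  The page does not show whether gcry_kdf_close() tolerates
     * a NULL handle, so only close a handle that was actually opened;
     * otherwise a crash on the "rejected" path could be misread as the bug. */
    if (hd != NULL) {
        gcry_kdf_close(hd);
    }
    return 0;
}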
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20220617/f50c1f4d/attachment-0001.html>