diff options
author | Jon Spillett <jon.spillett@oracle.com> | 2020-09-14 17:03:01 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-09-17 18:30:40 +1000 |
commit | 1cae59d14b9e10ac81e5418c568d7d14cdf617f1 (patch) | |
tree | cec03eecadd4877bfdd6c4f51b19e89138e0a587 /providers | |
parent | 00108705369078097c652149c26dcbfd36ecaf76 (diff) |
Make KDFs fail if requesting a zero-length key.
Also add more test cases
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12826)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/implementations/kdfs/hkdf.c | 4 | ||||
-rw-r--r-- | providers/implementations/kdfs/kbkdf.c | 6 | ||||
-rw-r--r-- | providers/implementations/kdfs/tls1_prf.c | 4 |
3 files changed, 14 insertions, 0 deletions
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 987f1b28bf..00734119a4 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -140,6 +140,10 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen) ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); return 0; } + if (keylen == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index c8b5cdf8c6..c967724376 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -212,6 +212,12 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen) return 0; } + /* Fail if the output length is zero */ + if (keylen == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + h = EVP_MAC_size(ctx->ctx_init); if (h == 0) goto done; diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index ca6c605351..b622a37d7e 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -151,6 +151,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); return 0; } + if (keylen == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, ctx->sec, ctx->seclen, |