
Commit 8a43348

dkosticskmcgrail
authored andcommitted
reject zero-sized digests in HKDF EVP_PKEY
Reject digests with EVP_MD_size <= 0 when configuring HKDF and when deriving, preventing divide-by-zero in HKDF_expand if an XOF digest is selected. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
1 parent dcd1690 commit 8a43348


2 files changed

+23
-1
lines changed


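--- a/crypto/fipsmodule/evp/p_hkdf.c
+++ b/crypto/fipsmodule/evp/p_hkdf.c
@@ -100,6 +100,10 @@ static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);
 return 0;
 }
+if (EVP_MD_size(hctx->md) <= 0) {
+OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION);
+return 0;
+}
 if (hctx->key_len == 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);
 return 0;
@@ -148,7 +152,11 @@ static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
 hctx->mode = p1;
 return 1;
 case EVP_PKEY_CTRL_HKDF_MD:
-hctx->md = p2;
+if (p2 == NULL || EVP_MD_size((const EVP_MD *)p2) <= 0) {
+OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION);
+return 0;
+}
+hctx->md = (const EVP_MD *)p2;
 return 1;
 case EVP_PKEY_CTRL_HKDF_KEY: {
 const CBS *key = p2;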
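Review bot: The new `EVP_MD_size(...) <= 0` guards in pkey_hkdf_derive and in the `EVP_PKEY_CTRL_HKDF_MD` case only cover callers that reach HKDF through the EVP_PKEY interface; HKDF_expand, where the commit message places the divide-by-zero, is not changed in this commit. If HKDF_expand is also callable directly, the same check belongs at that sink, for example `if (EVP_MD_size(digest) == 0) return 0;` with a matching error push (the parameter name is assumed, since that function is not shown on this page). A short comment beside the guards would record the reason, such as `// Per the fix description, XOF digests have no fixed output size and HKDF_expand divides by the digest size.` Both functions start and continue outside the hunks.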

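--- a/crypto/fipsmodule/hkdf/hkdf_test.cc
+++ b/crypto/fipsmodule/hkdf/hkdf_test.cc
@@ -579,3 +579,17 @@ static void RunTest(FileTest *t)
 TEST(HKDFTest, HKDFExpandCAVP) {
 FileTestGTest("crypto/evp_extra/kbkdf_expand_tests.txt", RunTest);
 }
+
+TEST(HKDFTest, EVP_PKEY_HKDF_RejectsXOF) {
+bssl::UniquePtr<EVP_PKEY_CTX> ctx(
+EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, nullptr));
+ASSERT_TRUE(ctx);
+ASSERT_TRUE(EVP_PKEY_derive_init(ctx.get()));
+
+// XOF digests should be rejected when setting the digest.
+EXPECT_FALSE(EVP_PKEY_CTX_set_hkdf_md(ctx.get(), EVP_shake128()));
+EXPECT_FALSE(EVP_PKEY_CTX_set_hkdf_md(ctx.get(), EVP_shake256()));
+
+// Non-XOF digests should succeed.
+EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(ctx.get(), EVP_sha256()));
+}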
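Review bot: The `p2 == NULL` branch that this commit adds to the `EVP_PKEY_CTRL_HKDF_MD` case is not exercised by EVP_PKEY_HKDF_RejectsXOF, and neither is the derive-time guard in pkey_hkdf_derive. Adding `EXPECT_FALSE(EVP_PKEY_CTX_set_hkdf_md(ctx.get(), nullptr));` next to the SHAKE cases would cover the first, assuming the setter forwards a null digest to the ctrl handler. The rejected calls presumably leave entries on the error queue, so an `ERR_clear_error();` after them would keep that state from leaking into later tests.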
