diff --git a/src/kdf.c b/src/kdf.c
index fd4fe218..9cf6be22 100644
--- a/src/kdf.c
+++ b/src/kdf.c
@@ -274,14 +274,16 @@ static int p11prov_hkdf_derive(void *ctx, unsigned char *key, size_t keylen,
 * opaque context<0..255> = Context;
 * } HkdfLabel;
 */
-#define TLS13_HL_LENGTH_SIZE 2
+#define TLS13_HL_KEY_SIZE 2
+#define TLS13_HL_KEY_MAX_LENGTH 65535
 #define TLS13_HL_LABEL_SIZE 1
 #define TLS13_HL_LABEL_MAX_LENGTH 255
 #define TLS13_HL_CONTEXT_SIZE 1
 #define TLS13_HL_CONTEXT_MAX_LENGTH 255
 #define TLS13_HKDF_LABEL_MAX_SIZE \
- (TLS13_HL_LENGTH_SIZE + TLS13_HL_LABEL_SIZE + TLS13_HL_LABEL_MAX_LENGTH \
- + TLS13_HL_CONTEXT_SIZE + TLS13_HL_CONTEXT_MAX_LENGTH)
+ (TLS13_HL_KEY_SIZE + TLS13_HL_LABEL_SIZE \
+ + TLS13_HL_LABEL_MAX_LENGTH + TLS13_HL_CONTEXT_SIZE \
+ + TLS13_HL_CONTEXT_MAX_LENGTH)

 static CK_RV p11prov_tls13_expand_label(P11PROV_KDF_CTX *hkdfctx,
 P11PROV_OBJ *keyobj, uint8_t *prefix,
@@ -316,7 +318,8 @@ static CK_RV p11prov_tls13_expand_label(P11PROV_KDF_CTX *hkdfctx,
 if (prefix == NULL || prefixlen == 0 || label == NULL || labellen == 0
 || (prefixlen + labellen > TLS13_HL_LABEL_MAX_LENGTH)
 || (datalen > 0 && data == NULL) || (datalen == 0 && data != NULL)
- || (datalen > TLS13_HL_CONTEXT_MAX_LENGTH)) {
+ || (datalen > TLS13_HL_CONTEXT_MAX_LENGTH)
+ || (keylen > TLS13_HL_KEY_MAX_LENGTH)) {
 return CKR_ARGUMENTS_BAD;
 }

@@ -405,9 +408,6 @@ static CK_RV p11prov_tls13_derive_secret(P11PROV_KDF_CTX *hkdfctx,
 }

 /* In OpenSSL the salt is used as the derivation key */
- /* FIXME: OpenSSL sets the length to hashlen w/o checks,
- * this may be a bug or intentional, further investigation needed
- * [opened https://github.com/openssl/openssl/issues/25557] */
 ret = inner_pkcs11_key(hkdfctx, hkdfctx->salt, hkdfctx->saltlen, &ek);
 if (ret != CKR_OK) {
 return ret;
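Review bot: In the first hunk the new name `TLS13_HL_KEY_SIZE` reads as "the key is 2 bytes", which sits oddly next to `TLS13_HL_KEY_MAX_LENGTH 65535`. The macro is the width of the first HkdfLabel field, which RFC 8446 calls `length`. A one-line comment above the pair would tie the two values together, for example `/* HkdfLabel.length is a uint16 carrying the requested output length, hence 2 bytes and a 65535 cap */`. The struct comment these defines follow begins outside the hunk, so the field itself is not visible here.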
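Review bot: The added `keylen > TLS13_HL_KEY_MAX_LENGTH` test in the second hunk only guarantees that keylen fits the two-byte length field. It does not enforce the HKDF-Expand output limit of 255 × HashLen from RFC 5869, which is far below 65535 for the usual TLS 1.3 digests. The body of p11prov_tls13_expand_label continues outside the hunk, so it is not visible whether a later step or the token rejects such a request. If nothing does, add the tighter bound wherever the digest size is known. Otherwise document the gap next to the check, for example `/* keylen is only checked against the uint16 HkdfLabel.length; the 255*HashLen limit is left to the token */`.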