Feedback

aws · Jul 18, 2024 · 3c10a3b · 3c10a3b
1 parent 37bc2ec
commit 3c10a3b
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/crypto/fipsmodule/kdf/kbkdf.c b/crypto/fipsmodule/kdf/kbkdf.c
@@ -27,15 +27,20 @@ int KBKDF_ctr_hmac(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
   // Determine the length of the output in bytes of a single invocation of the
   // HMAC function.
   size_t h_output_bytes = HMAC_size(hmac_ctx);
-  if (h_output_bytes <= 0) {
+  if (h_output_bytes == 0 || h_output_bytes > EVP_MAX_MD_SIZE) {
+    goto err;
+  }
+
+  if (out_len > SIZE_MAX - h_output_bytes) {
     goto err;
   }
 
   // NIST.SP.800-108r1-upd1: Step 1:
   // Determine how many output chunks are required to produce the requested
   // output length |out_len|. This determines how many times the variant compute
   // function will be called to output key material.
-  size_t n = (out_len + h_output_bytes - 1) / h_output_bytes;
+  uint64_t n = ((uint64_t)out_len + (uint64_t)h_output_bytes - 1) /
+               (uint64_t)h_output_bytes;
 
   // NIST.SP.800-108r1-upd1: Step 2:
   // Verify that the number of output chunks does not exceed an unsigned 32-bit
@@ -87,7 +92,7 @@ int KBKDF_ctr_hmac(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
   ret = 1;
 
 err:
-  if(ret <= 0 && out_key && out_len > 0) {
+  if (ret <= 0 && out_key && out_len > 0) {
     OPENSSL_cleanse(out_key, out_len);
   }
   HMAC_CTX_free(hmac_ctx);

diff --git a/crypto/fipsmodule/kdf/kdf_test.cc b/crypto/fipsmodule/kdf/kdf_test.cc
@@ -146,7 +146,7 @@ TEST(KBKDFCounterTest, TestVectors) {
         std::vector<uint8_t> out(expect.size());
 
         ASSERT_TRUE(KBKDF_ctr_hmac(out.data(), out.size(), md, secret.data(),
-                              secret.size(), info.data(), info.size()));
+                                   secret.size(), info.data(), info.size()));
         ASSERT_EQ(Bytes(expect.data(), expect.size()),
                   Bytes(out.data(), out.size()));
       });
@@ -158,21 +158,21 @@ TEST(KBKDFCounterTest, NegativeTests) {
 
   // NULL output
   ASSERT_FALSE(KBKDF_ctr_hmac(NULL, out.size(), EVP_sha256(), &secret[0],
-                         sizeof(secret), NULL, 0));
+                              sizeof(secret), NULL, 0));
 
   // zero-length output
   ASSERT_FALSE(KBKDF_ctr_hmac(out.data(), 0, EVP_sha256(), &secret[0],
-                         sizeof(secret), NULL, 0));
+                              sizeof(secret), NULL, 0));
 
   // NULL Digest
   ASSERT_FALSE(KBKDF_ctr_hmac(out.data(), out.size(), NULL, &secret[0],
-                         sizeof(secret), NULL, 0));
+                              sizeof(secret), NULL, 0));
 
   // NULL secret
   ASSERT_FALSE(KBKDF_ctr_hmac(out.data(), out.size(), EVP_sha256(), NULL,
-                         sizeof(secret), NULL, 0));
+                              sizeof(secret), NULL, 0));
 
   // zero-length secret
   ASSERT_FALSE(KBKDF_ctr_hmac(out.data(), out.size(), EVP_sha256(), &secret[0],
-                         0, NULL, 0));
+                              0, NULL, 0));
 }
diff --git a/crypto/fipsmodule/kdf/sskdf.c b/crypto/fipsmodule/kdf/sskdf.c
@@ -227,7 +227,8 @@ static int SSKDF(const sskdf_variant *variant, sskdf_variant_ctx *ctx,
   // Determine how many output chunks are required to produce the requested
   // output length |out_len|. This determines how many times the variant compute
   // function will be called to output key material.
-  uint64_t n = (out_len + h_output_bytes - 1) / h_output_bytes;
+  uint64_t n = ((uint64_t)out_len + (uint64_t)h_output_bytes - 1) /
+               (uint64_t)h_output_bytes;
 
   // NIST.SP.800-56Cr2 Step 2:
   // Verify that the number of output chunks does not exceed an unsigned 32-bit