RFR: 8331008: KDF Implementation (Preview) [v14]
Kevin Driver
kdriver at openjdk.org
Fri May 10 18:43:34 UTC 2024
On Wed, 8 May 2024 20:53:54 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 370:
>>
>>> 368: }
>>> 369: int rounds = (outLen + hmacLen - 1) / hmacLen;
>>> 370: kdfOutput = new byte[rounds * hmacLen];
>>
>> Are we missing a check to ensure that the `outLen` parameter is less than or equal to 255 * HashLen? See RFC 5869 sec. 2.3.
>
> Yes! I intended to. Thanks for catching it.
see commit: https://github.com/openjdk/jdk/pull/18924/commits/e1b63f3a90ea5583ac86687ddd89bf9fda7d2613
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1597091632
More information about the security-dev
mailing list