RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v24]

Kevin Driver kdriver at openjdk.org
Fri Sep 6 18:07:27 UTC 2024 

On Fri, 6 Sep 2024 13:27:05 GMT, Viktor Klang <vklang at openjdk.org> wrote:

>> Kevin Driver has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 31 additional commits since the last revision:
>> 
>>  - Merge remote-tracking branch 'origin/master' into kdf-jep-wip
>>    # Please enter a commit message to explain why this merge is necessary,
>>    # especially if it merges an updated upstream into a topic branch.
>>    #
>>    # Lines starting with '#' will be ignored, and an empty message aborts
>>    # the commit.
>>  - several more review comments
>>  - change impl class to use byte arrays rather than SecretKey objects where possible
>>  - updated delayed provider selection javadoc
>>  - review comments
>>  - use a delegate record to hold the spi and provider
>>  - assorted review comment changes
>>  - another round of review comments
>>  - consistency with wording for addIKM and addSalt
>>  - another round of code review comments
>>  - ... and 21 more: https://git.openjdk.org/jdk/compare/77683e2a...a35e98c9
>
> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 183:
> 
>> 181:             }
>> 182:             length = anExpand.length();
>> 183:             if (length > (hmacLen * 255)) {
> 
> Since hmacLen is an int, it makes sense to make the multiplication a long multiplication to avoid potential risk of overflow?
> 
> Suggestion:
> 
>             if (length > (hmacLen * 255L)) {

`hmacLen` will *at most* be 64 (size of an HMAC with SHA512). There isn't a real risk of overflow here, but I can make the change if you prefer.

> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 222:
> 
>> 220:             }
>> 221:             length = anExtractThenExpand.length();
>> 222:             if (length > (hmacLen * 255)) {
> 
> Same comment here w.r.t. overflow

`hmacLen` will *at most* be 64 (size of an HMAC with SHA512). There isn't a real risk of overflow here, but I can make the change if you prefer.

> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 337:
> 
>> 335:             info = new byte[0];
>> 336:         }
>> 337:         int rounds = (outLen + hmacLen - 1) / hmacLen;
> 
> Perhaps make the addition as long, to rule out the risk of overflow?
> Suggestion:
> 
>         int rounds = (0L + outLen + hmacLen - 1) / hmacLen;

`hmacLen` will *at most* be 64 (size of an HMAC with SHA512). There isn't a real risk of overflow here, but I can make the change if you prefer.

`outLen` is bounded by a max value of 255*`hmacLen` (as referenced above).

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1747526118
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1747526298
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1747528228

More information about the security-dev mailing list