diff options
author | Vitezslav Cizek <vcizek@suse.com> | 2015-10-29 14:00:26 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2016-03-18 15:35:42 +0100 |
commit | 0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6 (patch) | |
tree | fefb6983a534877496338d5c64c2f5666256ff38 | |
parent | a242e3d9185e6e2dc13902ea9331131755bbba01 (diff) | |
download | libgcrypt-0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6.tar.gz |
kdf: Add upper bound for derived key length in PBKDF2.
* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
--
Add a missing step 1 from PBKDF specification.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
-rw-r--r-- | cipher/kdf.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c index ad5c46ef..831edd24 100644 --- a/cipher/kdf.c +++ b/cipher/kdf.c @@ -138,7 +138,7 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, unsigned long iter; /* Current iteration number. */ unsigned int i; - /* NWe allow for a saltlen of 0 here to support scrypt. It is not + /* We allow for a saltlen of 0 here to support scrypt. It is not clear whether rfc2898 allows for this this, thus we do a test on saltlen > 0 only in gcry_kdf_derive. */ if (!salt || !iterations || !dklen) @@ -150,8 +150,13 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer); - /* We ignore step 1 from pksc5v2.1 which demands a check that dklen - is not larger that 0xffffffff * hlen. */ + /* Step 1 */ + /* If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop. + We use a stronger inequality. */ + + if (dklen > 4294967295U) + return GPG_ERR_INV_VALUE; + /* Step 2 */ l = ((dklen - 1)/ hlen) + 1; |