Support longer (up to RFC maximum) HKDF outputs.

2019-11-12 08:48:29 +03:00 · 2019-11-12 08:48:29 +03:00 · 1bbe3e8972
parent 86ef42f705
commit 1bbe3e8972
1 changed files with 25 additions and 8 deletions
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@ -7668,9 +7668,11 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
            const SECHashObject *rawHash;
            unsigned hashLen;
            CK_BYTE hashbuf[HASH_LENGTH_MAX];
-            CK_BYTE *prk; /* psuedo-random key */
+            CK_BYTE *prk;                 /* psuedo-random key */
            CK_ULONG prkLen;
-            CK_BYTE *okm; /* output keying material */
+            CK_BYTE *okm;                 /* output keying material */
+            unsigned allocated_space = 0; /* If we need more work space, track it */
+            unsigned char *key_buf = &key_block[0];

            rawHash = HASH_GetRawHashObject(hashType);
            if (rawHash == NULL || rawHash->length > sizeof(hashbuf)) {
@ -7686,7 +7688,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
                crv = CKR_MECHANISM_PARAM_INVALID;
                break;
            }
-            if (keySize == 0 || keySize > sizeof key_block ||
+            if (keySize == 0 ||
                (!params->bExpand && keySize > hashLen) ||
                (params->bExpand && keySize > 255 * hashLen)) {
                crv = CKR_TEMPLATE_INCONSISTENT;
@ -7736,34 +7738,49 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
                /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
                 * T(n) = HMAC-Hash(prk, T(n-1) | info | n
                 * key material = T(1) | ... | T(n)
+                 *
+                 * If the requested output length does not fit
+                 * within |key_block|, allocate space for expansion.
                 */
                HMACContext *hmac;
                CK_BYTE bi;
-                unsigned iterations = PR_ROUNDUP(keySize, hashLen) / hashLen;
+                unsigned n_bytes = PR_ROUNDUP(keySize, hashLen);
+                unsigned iterations = n_bytes / hashLen;
                hmac = HMAC_Create(rawHash, prk, prkLen, isFIPS);
                if (hmac == NULL) {
                    crv = CKR_HOST_MEMORY;
                    break;
                }
-                for (bi = 1; bi <= iterations; ++bi) {
+                if (n_bytes > sizeof(key_block)) {
+                    key_buf = PORT_Alloc(n_bytes);
+                    if (key_buf == NULL) {
+                        crv = CKR_HOST_MEMORY;
+                        break;
+                    }
+                    allocated_space = n_bytes;
+                }
+                for (bi = 1; bi <= iterations && bi > 0; ++bi) {
                    unsigned len;
                    HMAC_Begin(hmac);
                    if (bi > 1) {
-                        HMAC_Update(hmac, key_block + ((bi - 2) * hashLen), hashLen);
+                        HMAC_Update(hmac, key_buf + ((bi - 2) * hashLen), hashLen);
                    }
                    if (params->ulInfoLen != 0) {
                        HMAC_Update(hmac, params->pInfo, params->ulInfoLen);
                    }
                    HMAC_Update(hmac, &bi, 1);
-                    HMAC_Finish(hmac, key_block + ((bi - 1) * hashLen), &len,
+                    HMAC_Finish(hmac, key_buf + ((bi - 1) * hashLen), &len,
                                hashLen);
                    PORT_Assert(len == hashLen);
                }
                HMAC_Destroy(hmac, PR_TRUE);
-                okm = key_block;
+                okm = key_buf;
            }
            /* key material = prk */
            crv = sftk_forceAttribute(key, CKA_VALUE, okm, keySize);
+            if (allocated_space) {
+                PORT_ZFree(key_buf, allocated_space);
+            }
            break;
        } /* end of CKM_NSS_HKDF_* */