KDF interface returns truncated output if the algorithm doesn't support requested length

Question

KDF interface returns truncated output if the algorithm doesn't support requested length

guidovranken opened this issue 4 years ago · 5 comments

Eg. HKDF + MD5 with a key size > 4080 returns 4080 bytes.

4080 is 255 * 16 (MD5 output size).

The spec says key sizes larger than (255 * digest size) are illegal: https://tools.ietf.org/html/rfc5869#section-2.3 and most libraries I've tested simply return an error/throw an exception in those cases.

This is how I am invoking Botan's HKDF: https://github.com/guidovranken/cryptofuzz/blob/690e0d3199d6bd51f13957d31d8c89dca8cd91f0/modules/botan/module.cpp#L363-L382

Is Botan's behavior intentional?

Answer 1 · 2020-05-05T20:39:08.000Z

Not intentional, this is a bug, we just let the counter overflow :( Thanks for reporting.

Answer 2 · 2020-05-06T06:53:02.000Z

Apologies, actually this is intended behavior of the KDF interface. If the output requested is too large for the KDF to support we return a truncated amount. I'm not sure if this is good behavior - in fact it seems almost certainly not good - but it is how the KDF interface currently works and I'm not sure if we can in the immediate term change it without breaking compat. I've now officially deprecated this behavior so we can fix it in 3.0, but in the meantime you'll probably have to skip this test for Botan in cryptofuzz.

Answer 3 · 2020-05-06T12:34:18.000Z

Ok thanks, workaround in Cryptofuzz has been implemented, you may close this report when you want.

Answer 4 · 2020-11-28T15:34:42.000Z

@guidovranken The KDF truncation behavior has been removed on master so you should be able to enable KDF testing in cryptofuzz again.

Answer 5 · 2020-11-28T17:39:28.000Z

@randombit Great. I've removed the workaround for this bug in Cryptofuzz.