Merge pull request #71 from microsoft/dev/qmuntal/hkdfcheck
Validate KEY_DATA_BLOB_VERSION1 content in ExtractHKDF
qmuntal authored Oct 31, 2024
2 parents 27606ce + 47565cc commit 6d46b29
Showing 1 changed file with 9 additions and 4 deletions.
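--- a/cng/hkdf.go
+++ b/cng/hkdf.go
@@ -156,14 +156,19 @@ func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
 return nil, errors.New("cng: unknown key data blob version")
 }
 // KEY_DATA_BLOB_VERSION1 format is:
-// cbHash uint32 // Big-endian
-// hashName [cbHash]byte
+// cbHashName uint32 // Big-endian
+// pHashName [cbHash]byte
 // key []byte // Rest of the blob
 if len(blob) < 4 {
 return nil, errors.New("cng: exported key is corrupted")
 }
-hashLength := binary.BigEndian.Uint32(blob[:])
-return blob[4+hashLength:], nil
+cbHashName := binary.BigEndian.Uint32(blob)
+blob = blob[4:]
+if len(blob) < int(cbHashName) {
+return nil, errors.New("cng: exported key is corrupted")
+}
+// Skip pHashName.
+return blob[cbHashName:], nil
 }
 
 func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {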
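Review bot: The new bound check `len(blob) < int(cbHashName)` converts a uint32 to int, so on a 32-bit build (where int is 32 bits) a length field of 0x80000000 or more becomes negative, the check passes, and `blob[cbHashName:]` panics instead of returning the "exported key is corrupted" error. Comparing in an unsigned 64-bit type closes that gap on every architecture: `if uint64(len(blob)) < uint64(cbHashName) {`. The updated format comment also still reads `pHashName [cbHash]byte`, which presumably should be `pHashName [cbHashName]byte` to match the renamed length field. ExtractHKDF begins above this hunk, so where blob comes from and how far its contents can be trusted are not visible here.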
