[botan-devel] PKCS5_PBKDF2::derive_key() length check

Jack Lloyd lloyd at randombit.net
Fri Apr 3 23:55:02 EDT 2015

On Mon, Mar 23, 2015 at 04:13:38PM +0000, Maricel Gregoraschko wrote:

> Hi,I'm using the stable version of botan (1.10.9), and looking at
> the source code of PKCS5_PBKDF2::derive_key(), in
> src/pbkdf/pbkdf2/pbkdf2.cpp/pbkdf2.cpp,I notice that  the derived
> key length is not checked to be a multiple of the mac algorithm
> output length. If you pass say 31 for key derived length, it will
> write 32 bytes, last byte into unallocated memory.  Maybe a check
> could be useful (I haven't looked if it was added in the development
> branch). 

Hi Maricel,

Do you have an example that replicates this issue? Looking at
the code I do not see how additional data could be copied, since
the key write is bounded by:

      size_t T_size = std::min<size_t>(mac->output_length(), key_len);

where key_len is, at this point in the code, the remaining bytes to write out.

I also tried to replicate it using:

#include <botan/pbkdf2.h>
#include <botan/sha2_32.h>
#include <botan/hmac.h>
#include <iostream>

int main()
   using namespace Botan;
   PKCS5_PBKDF2 pbkdf(new HMAC(new SHA_256));

   const byte salt[4] = { 0xAA, 0xAA, 0xAA, 0xAA };
   SymmetricKey key = pbkdf.derive_key(31, "foo", salt, sizeof(salt), 1000);
   std::cout << key.as_string() << "\n";

and additionally there are tests in 1.10.9 for PBKDF2 producing a
various 'odd' sized outputs (14, 30, etc byte), neither of which which
do not cause any warnings about overwrites under valgrind on my


More information about the botan-devel mailing list