[botan-devel] PKCS5_PBKDF2::derive_key() length check

Jack Lloyd lloyd at randombit.net
Fri Apr 3 23:55:02 EDT 2015


On Mon, Mar 23, 2015 at 04:13:38PM +0000, Maricel Gregoraschko wrote:

> Hi,I'm using the stable version of botan (1.10.9), and looking at
> the source code of PKCS5_PBKDF2::derive_key(), in
> src/pbkdf/pbkdf2/pbkdf2.cpp/pbkdf2.cpp,I notice that  the derived
> key length is not checked to be a multiple of the mac algorithm
> output length. If you pass say 31 for key derived length, it will
> write 32 bytes, last byte into unallocated memory.  Maybe a check
> could be useful (I haven't looked if it was added in the development
> branch). 

Hi Maricel,

Do you have an example that replicates this issue? Looking at
the code I do not see how additional data could be copied, since
the key write is bounded by:

      size_t T_size = std::min<size_t>(mac->output_length(), key_len);

where key_len is, at this point in the code, the remaining bytes to write out.

I also tried to replicate it using:

-----
#include <botan/pbkdf2.h>
#include <botan/sha2_32.h>
#include <botan/hmac.h>
#include <iostream>

int main()
   {
   using namespace Botan;
   PKCS5_PBKDF2 pbkdf(new HMAC(new SHA_256));

   const byte salt[4] = { 0xAA, 0xAA, 0xAA, 0xAA };
   SymmetricKey key = pbkdf.derive_key(31, "foo", salt, sizeof(salt), 1000);
   std::cout << key.as_string() << "\n";
   }
-----

and additionally there are tests in 1.10.9 for PBKDF2 producing a
various 'odd' sized outputs (14, 30, etc byte), neither of which which
do not cause any warnings about overwrites under valgrind on my
machine.

Cheers,
  Jack



More information about the botan-devel mailing list