Fix implementation of RFC6979 private key derivation

RFC6979 private key derivation allows one to derive an elliptic curve
private key using HMAC-DRBG. It is defined in such a way that you can
use any hash function, assuming its output is sufficiently long to
guarantee the required security level.

The function derivePrivateKey was incorrectly using the private_key
buffer as an intermediate value, resulting in problems when the buffer
is not sufficiently large to store SHA512-HMAC output.

We fix the problem by
1. having hmac check its output buffer size, and
2. removing the private_key buffer as an input to derivePrivateKey.

Change-Id: Idf6fe3115e022df485ab24916547e25a09999458
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/144130
Reviewed-by: Andrew Scull <ascull@google.com>
Commit-Queue: Atul Luykx <aluykx@google.com>
diff --git a/include/dice/known_test_values.h b/include/dice/known_test_values.h
index c3a052b..cb0925b 100644
--- a/include/dice/known_test_values.h
+++ b/include/dice/known_test_values.h
@@ -54,8 +54,7 @@
 //                     5c:8d
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:7A:06:EE:E4:1B:78:9F:48:63:D8:6B:87:78:B1:A2:01:A6:FE:DD:56
-//
+//                 7A:06:EE:E4:1B:78:9F:48:63:D8:6B:87:78:B1:A2:01:A6:FE:DD:56
 //             X509v3 Subject Key Identifier:
 //                 67:C2:2A:88:59:06:2B:98:68:18:E8:E7:2B:0B:CD:9F:59:34:9C:89
 //             X509v3 Key Usage: critical
@@ -86,10 +85,11 @@
 //   209:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ED25519
-//          70:23:a8:a3:78:fe:5f:8c:8d:83:49:95:ff:ee:e6:12:39:9c:
-//          4d:a0:49:f6:4b:4f:f7:02:1e:9f:97:0c:bd:3b:7f:94:78:26:
-//          09:fe:f2:91:7c:a4:dd:90:07:cc:95:a8:bc:4a:f4:84:69:ec:
-//          24:a4:9e:b7:01:0e:81:3a:a3:0a
+//     Signature Value:
+//         70:23:a8:a3:78:fe:5f:8c:8d:83:49:95:ff:ee:e6:12:39:9c:
+//         4d:a0:49:f6:4b:4f:f7:02:1e:9f:97:0c:bd:3b:7f:94:78:26:
+//         09:fe:f2:91:7c:a4:dd:90:07:cc:95:a8:bc:4a:f4:84:69:ec:
+//         24:a4:9e:b7:01:0e:81:3a:a3:0a
 constexpr uint8_t kExpectedX509Ed25519Cert_ZeroInput[638] = {
     0x30, 0x82, 0x02, 0x7a, 0x30, 0x82, 0x02, 0x2c, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x67, 0xc2, 0x2a, 0x88, 0x59, 0x06, 0x2b, 0x98, 0x68,
@@ -171,8 +171,7 @@
 //                 NIST CURVE: P-256
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:4C:51:4D:88:DB:0F:81:D5:7B:EB:96:17:7E:3D:7E:A4:AA:58:1E:66
-//
+//                 4C:51:4D:88:DB:0F:81:D5:7B:EB:96:17:7E:3D:7E:A4:AA:58:1E:66
 //             X509v3 Subject Key Identifier:
 //                 7C:7D:C0:A3:C1:E7:8D:4E:68:BC:C1:A2:32:9E:F9:1C:A8:12:44:91
 //             X509v3 Key Usage: critical
@@ -203,10 +202,11 @@
 //   209:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ecdsa-with-SHA512
-//          30:44:02:20:5c:20:d4:32:af:59:4b:44:fc:49:e5:d4:5d:b6:
-//          fe:9c:ac:55:02:74:8b:66:c8:8c:f5:9a:70:8a:97:3c:bc:e0:
-//          02:20:66:83:d1:78:8c:75:44:83:90:c7:1e:d7:4c:98:1f:10:
-//          7f:14:6a:45:c0:1c:48:99:ce:6e:8f:6d:d3:dc:f3:93
+//     Signature Value:
+//         30:44:02:20:5c:20:d4:32:af:59:4b:44:fc:49:e5:d4:5d:b6:
+//         fe:9c:ac:55:02:74:8b:66:c8:8c:f5:9a:70:8a:97:3c:bc:e0:
+//         02:20:66:83:d1:78:8c:75:44:83:90:c7:1e:d7:4c:98:1f:10:
+//         7f:14:6a:45:c0:1c:48:99:ce:6e:8f:6d:d3:dc:f3:93
 constexpr uint8_t kExpectedX509P256Cert_ZeroInput[705] = {
     0x30, 0x82, 0x02, 0xbd, 0x30, 0x82, 0x02, 0x62, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x7c, 0x7d, 0xc0, 0xa3, 0xc1, 0xe7, 0x8d, 0x4e, 0x68,
@@ -349,15 +349,15 @@
     0xfc, 0xe0, 0x3c, 0xdc, 0x5d, 0x1b, 0x58, 0x16, 0x69, 0xdd, 0x44, 0x24,
     0x67, 0xbf, 0x21, 0xd7, 0x47, 0xf3, 0x13, 0xd1, 0x47, 0x6c, 0x4b, 0xd3,
     0x05, 0xb5, 0x29, 0xa0, 0xf1, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20,
-    0x58, 0x60, 0xb0, 0xb7, 0x0f, 0x47, 0xfa, 0xba, 0xca, 0x05, 0x16, 0x4f,
-    0x1e, 0xd1, 0x73, 0x15, 0x94, 0x17, 0xcd, 0x6b, 0x3c, 0x0e, 0x18, 0x77,
-    0xc0, 0x6e, 0x53, 0x97, 0xf2, 0x03, 0xb9, 0xbb, 0x82, 0xde, 0xe0, 0x2d,
-    0xb3, 0xc8, 0x0e, 0x7a, 0x5e, 0xb0, 0x74, 0x15, 0xbe, 0x25, 0x6a, 0x7c,
-    0x90, 0x30, 0x80, 0x0c, 0x90, 0x20, 0x00, 0xc5, 0x42, 0xbf, 0xf7, 0x4e,
-    0x1b, 0xd8, 0xe2, 0xe4, 0x32, 0xd5, 0xf3, 0x8e, 0x1e, 0x59, 0x9f, 0x1e,
-    0x71, 0x8e, 0xc3, 0x2e, 0x50, 0x8a, 0xa0, 0x02, 0xa4, 0xd3, 0xe6, 0x8c,
-    0x68, 0xbb, 0x5e, 0x33, 0xfd, 0x81, 0x12, 0xa7, 0xdc, 0x68, 0xc7, 0x7a,
-    0x4b, 0xfa};
+    0x58, 0x60, 0x2b, 0xe7, 0xe6, 0xee, 0xd2, 0x40, 0xa4, 0xf6, 0x2b, 0x30,
+    0xda, 0x0d, 0x60, 0x89, 0xa4, 0x0c, 0x99, 0xa6, 0x95, 0x85, 0x77, 0xae,
+    0xe8, 0x7f, 0xcd, 0x66, 0x81, 0xca, 0xd1, 0x5c, 0x56, 0xcf, 0x62, 0x05,
+    0xa8, 0xb8, 0x66, 0x66, 0x46, 0x39, 0xc7, 0x9a, 0x7a, 0x47, 0xe4, 0x64,
+    0xee, 0x36, 0xd9, 0x40, 0x8d, 0xd4, 0x88, 0x82, 0xbf, 0x24, 0x70, 0x56,
+    0x03, 0x23, 0x6a, 0x45, 0x39, 0x38, 0xa2, 0xdd, 0x02, 0x18, 0x7e, 0x72,
+    0x89, 0xe5, 0xf9, 0x38, 0xfe, 0xef, 0x50, 0xf4, 0x31, 0xae, 0xb4, 0xbe,
+    0x33, 0xb2, 0x22, 0xd4, 0x34, 0x16, 0xa6, 0x53, 0x49, 0xe1, 0x54, 0x1a,
+    0x9d, 0x3e};
 
 constexpr uint8_t kExpectedCdiAttest_HashOnlyInput[32] = {
     0x08, 0x4e, 0xf4, 0x06, 0xc6, 0x9b, 0xa7, 0x4b, 0x1e, 0x24, 0xd0,
@@ -390,8 +390,7 @@
 //                     9a:5a
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:47:57:08:EB:3B:42:6F:38:6C:FC:E8:F3:BA:F5:43:90:46:27:8D:FA
-//
+//                 47:57:08:EB:3B:42:6F:38:6C:FC:E8:F3:BA:F5:43:90:46:27:8D:FA
 //             X509v3 Subject Key Identifier:
 //                 0D:04:0E:2F:46:00:52:A5:31:1C:1B:91:DB:F9:B4:40:83:32:EC:29
 //             X509v3 Key Usage: critical
@@ -422,10 +421,11 @@
 //   209:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ED25519
-//          27:68:51:a1:be:41:b7:90:03:8d:ce:ce:9c:35:9c:69:ff:f7:
-//          7c:14:fb:8d:59:06:71:cf:39:d8:c9:8e:95:79:70:f2:8f:89:
-//          af:4d:92:a7:40:c8:fb:85:2a:7c:21:3d:09:8a:d4:f2:25:96:
-//          cd:f6:29:06:73:98:db:70:74:08
+//     Signature Value:
+//         27:68:51:a1:be:41:b7:90:03:8d:ce:ce:9c:35:9c:69:ff:f7:
+//         7c:14:fb:8d:59:06:71:cf:39:d8:c9:8e:95:79:70:f2:8f:89:
+//         af:4d:92:a7:40:c8:fb:85:2a:7c:21:3d:09:8a:d4:f2:25:96:
+//         cd:f6:29:06:73:98:db:70:74:08
 constexpr uint8_t kExpectedX509Ed25519Cert_HashOnlyInput[638] = {
     0x30, 0x82, 0x02, 0x7a, 0x30, 0x82, 0x02, 0x2c, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x0d, 0x04, 0x0e, 0x2f, 0x46, 0x00, 0x52, 0xa5, 0x31,
@@ -507,8 +507,7 @@
 //                 NIST CURVE: P-256
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:1B:E5:68:79:33:DB:3D:9C:D5:FC:A7:29:E8:1D:66:85:46:5A:7B:F1
-//
+//                 1B:E5:68:79:33:DB:3D:9C:D5:FC:A7:29:E8:1D:66:85:46:5A:7B:F1
 //             X509v3 Subject Key Identifier:
 //                 68:49:58:D9:AE:A7:2E:BF:7C:06:AF:20:03:B6:44:47:82:4A:62:71
 //             X509v3 Key Usage: critical
@@ -539,10 +538,11 @@
 //   209:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ecdsa-with-SHA512
-//          30:46:02:21:00:d0:ff:60:84:d4:74:47:eb:f4:29:86:c5:2a:
-//          12:01:f9:7e:5b:ab:fd:fe:d3:11:75:bc:26:63:71:57:2b:b1:
-//          c8:02:21:00:e0:16:72:65:b0:4a:92:ca:c6:c9:e2:0f:50:f0:
-//          1c:70:01:64:a7:8d:7d:51:e9:59:fe:e6:7f:31:28:30:04:04
+//     Signature Value:
+//         30:46:02:21:00:d0:ff:60:84:d4:74:47:eb:f4:29:86:c5:2a:
+//         12:01:f9:7e:5b:ab:fd:fe:d3:11:75:bc:26:63:71:57:2b:b1:
+//         c8:02:21:00:e0:16:72:65:b0:4a:92:ca:c6:c9:e2:0f:50:f0:
+//         1c:70:01:64:a7:8d:7d:51:e9:59:fe:e6:7f:31:28:30:04:04
 constexpr uint8_t kExpectedX509P256Cert_HashOnlyInput[707] = {
     0x30, 0x82, 0x02, 0xbf, 0x30, 0x82, 0x02, 0x62, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x68, 0x49, 0x58, 0xd9, 0xae, 0xa7, 0x2e, 0xbf, 0x7c,
@@ -685,15 +685,15 @@
     0x5c, 0x90, 0xfb, 0x4b, 0x6d, 0x96, 0x42, 0x77, 0xe2, 0xf6, 0x58, 0x3d,
     0x37, 0xa7, 0x3d, 0x2e, 0xca, 0xd1, 0x2c, 0xa4, 0xd4, 0xa7, 0xaf, 0x25,
     0xc3, 0xb2, 0xe7, 0x34, 0xf5, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20,
-    0x58, 0x60, 0x84, 0x9a, 0x2e, 0x89, 0xeb, 0x6d, 0x61, 0x93, 0xe0, 0x0e,
-    0xb9, 0x57, 0xc6, 0x84, 0x08, 0x28, 0x77, 0xeb, 0x9e, 0x39, 0xad, 0x74,
-    0x78, 0xf3, 0x8f, 0xf7, 0xdf, 0xfa, 0xa2, 0xbf, 0x01, 0x4f, 0x94, 0x1a,
-    0xa1, 0x27, 0xaa, 0x93, 0x57, 0xe4, 0x49, 0x07, 0xb9, 0xd7, 0x49, 0xdb,
-    0x73, 0x1e, 0xa1, 0x7e, 0xf1, 0x19, 0x87, 0x8e, 0x5a, 0x89, 0xb7, 0x02,
-    0x19, 0x13, 0xdb, 0x20, 0x3f, 0x5f, 0x49, 0xc9, 0xb7, 0xcf, 0x52, 0xc3,
-    0xd2, 0xf7, 0x90, 0x52, 0xf7, 0xaa, 0x39, 0x66, 0x78, 0x7a, 0x5b, 0xb3,
-    0xa7, 0xe9, 0x33, 0xc6, 0x4f, 0xe6, 0x78, 0xf3, 0x4b, 0x51, 0xf1, 0xed,
-    0x15, 0xeb};
+    0x58, 0x60, 0xd3, 0xbc, 0x6f, 0x53, 0x2c, 0x6a, 0x35, 0x3b, 0x2d, 0x7c,
+    0x4f, 0x1e, 0x1f, 0x06, 0xcf, 0x52, 0x87, 0xc2, 0xbe, 0x1c, 0x2c, 0xd1,
+    0x12, 0xd8, 0x13, 0x8e, 0xe4, 0xc8, 0x15, 0x65, 0x89, 0x97, 0xba, 0xc4,
+    0x80, 0xd2, 0xaf, 0xd2, 0xd0, 0xf8, 0x4b, 0xa1, 0xf6, 0x24, 0x5a, 0xd2,
+    0x25, 0x59, 0x7e, 0xb5, 0x6d, 0xe2, 0xae, 0x0a, 0x37, 0x4d, 0x50, 0x31,
+    0x8e, 0xc3, 0x21, 0xee, 0xf4, 0xf6, 0x7f, 0x16, 0xfd, 0xa3, 0x06, 0x27,
+    0x56, 0x0f, 0x74, 0xb7, 0xf8, 0x4c, 0xba, 0xb0, 0xc5, 0x93, 0xce, 0xe3,
+    0x24, 0x9c, 0x04, 0xdb, 0xac, 0x26, 0x14, 0xc6, 0x05, 0x04, 0xdb, 0x49,
+    0x5f, 0xe0};
 
 constexpr uint8_t kExpectedCdiAttest_DescriptorInput[32] = {
     0x20, 0xd5, 0x0c, 0x68, 0x5a, 0xd9, 0xe2, 0xdf, 0x77, 0x60, 0x78,
@@ -726,8 +726,7 @@
 //                     62:20
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:47:57:08:EB:3B:42:6F:38:6C:FC:E8:F3:BA:F5:43:90:46:27:8D:FA
-//
+//                 47:57:08:EB:3B:42:6F:38:6C:FC:E8:F3:BA:F5:43:90:46:27:8D:FA
 //             X509v3 Subject Key Identifier:
 //                 52:1F:03:5C:21:E3:2F:16:74:1C:1E:AE:6B:DE:D9:3C:E3:21:E0:DF
 //             X509v3 Key Usage: critical
@@ -779,10 +778,11 @@
 //   427:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ED25519
-//          23:23:66:8c:b2:de:08:0a:fa:96:01:3f:5c:f3:87:ac:33:e0:
-//          d0:86:9b:f5:6b:df:2c:6e:9e:63:a5:5c:dd:d4:55:27:df:7e:
-//          6f:ad:6a:95:99:fd:0f:91:a9:44:25:42:c4:02:c5:ed:2a:b3:
-//          72:23:4e:79:76:f9:13:6e:f7:00
+//     Signature Value:
+//         23:23:66:8c:b2:de:08:0a:fa:96:01:3f:5c:f3:87:ac:33:e0:
+//         d0:86:9b:f5:6b:df:2c:6e:9e:63:a5:5c:dd:d4:55:27:df:7e:
+//         6f:ad:6a:95:99:fd:0f:91:a9:44:25:42:c4:02:c5:ed:2a:b3:
+//         72:23:4e:79:76:f9:13:6e:f7:00
 constexpr uint8_t kExpectedX509Ed25519Cert_DescriptorInput[858] = {
     0x30, 0x82, 0x03, 0x56, 0x30, 0x82, 0x03, 0x08, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x52, 0x1f, 0x03, 0x5c, 0x21, 0xe3, 0x2f, 0x16, 0x74,
@@ -882,8 +882,7 @@
 //                 NIST CURVE: P-256
 //         X509v3 extensions:
 //             X509v3 Authority Key Identifier:
-//                 keyid:1B:E5:68:79:33:DB:3D:9C:D5:FC:A7:29:E8:1D:66:85:46:5A:7B:F1
-//
+//                 1B:E5:68:79:33:DB:3D:9C:D5:FC:A7:29:E8:1D:66:85:46:5A:7B:F1
 //             X509v3 Subject Key Identifier:
 //                 2C:0D:E9:55:C4:FA:08:2C:2C:3A:0B:40:66:59:AF:A1:C1:C0:84:6C
 //             X509v3 Key Usage: critical
@@ -935,10 +934,11 @@
 //   427:d=2  hl=2 l=   1 prim:   ENUMERATED        :00
 //
 //     Signature Algorithm: ecdsa-with-SHA512
-//          30:46:02:21:00:a9:57:7d:ac:e0:80:8e:1c:7a:e1:4d:7d:2a:
-//          52:d2:5e:fb:5a:7d:45:1e:fa:67:17:04:9e:b3:05:c2:34:f0:
-//          7a:02:21:00:b7:3a:31:25:ae:1d:2b:06:8b:ba:44:d9:3a:bf:
-//          8b:e2:3f:89:e2:a6:14:0c:fa:c2:b1:dd:0c:0a:78:ac:60:19
+//     Signature Value:
+//         30:46:02:21:00:a9:57:7d:ac:e0:80:8e:1c:7a:e1:4d:7d:2a:
+//         52:d2:5e:fb:5a:7d:45:1e:fa:67:17:04:9e:b3:05:c2:34:f0:
+//         7a:02:21:00:b7:3a:31:25:ae:1d:2b:06:8b:ba:44:d9:3a:bf:
+//         8b:e2:3f:89:e2:a6:14:0c:fa:c2:b1:dd:0c:0a:78:ac:60:19
 constexpr uint8_t kExpectedX509P256Cert_DescriptorInput[927] = {
     0x30, 0x82, 0x03, 0x9b, 0x30, 0x82, 0x03, 0x3e, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x2c, 0x0d, 0xe9, 0x55, 0xc4, 0xfa, 0x08, 0x2c, 0x2c,
@@ -1138,14 +1138,14 @@
     0xb2, 0xc1, 0xc6, 0x6f, 0xb4, 0x16, 0xa4, 0x78, 0x76, 0x73, 0x6f, 0xcb,
     0xf5, 0x7d, 0x26, 0xc2, 0x37, 0xe9, 0x58, 0x98, 0xeb, 0xef, 0x11, 0x7c,
     0x8d, 0x1d, 0x4b, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x60,
-    0x12, 0xa5, 0xb9, 0xc3, 0xbf, 0x06, 0x10, 0x7d, 0x22, 0x4b, 0xc1, 0xd2,
-    0x58, 0xce, 0xd8, 0x4c, 0x42, 0x48, 0x69, 0x58, 0xf0, 0x83, 0x4a, 0x54,
-    0x39, 0x90, 0xec, 0x10, 0xef, 0x76, 0x2e, 0xb0, 0x33, 0x82, 0x6f, 0x93,
-    0x2b, 0xc3, 0xb2, 0xc4, 0x6a, 0xcb, 0xde, 0x4c, 0x21, 0x62, 0x56, 0x07,
-    0xc7, 0xb1, 0xd6, 0xde, 0xff, 0x95, 0x2c, 0xce, 0xbf, 0x3c, 0x0b, 0xdc,
-    0xd0, 0xc5, 0x39, 0x6d, 0xc3, 0x59, 0x23, 0x7b, 0x54, 0x11, 0xf4, 0xb1,
-    0x33, 0x66, 0x94, 0x47, 0x3c, 0x14, 0x99, 0x0a, 0xca, 0xa9, 0x84, 0xf4,
-    0xc9, 0x24, 0xfd, 0x11, 0xe7, 0xcc, 0x37, 0x6f, 0x12, 0x2b, 0x1a, 0xa7};
+    0x6d, 0x1f, 0xb6, 0xd3, 0x9f, 0xfa, 0xaa, 0x73, 0xcf, 0x2d, 0x59, 0x99,
+    0x9d, 0xef, 0x0f, 0x20, 0xc4, 0xeb, 0x31, 0x99, 0xa8, 0x9c, 0xae, 0xeb,
+    0x85, 0x02, 0x34, 0x51, 0x24, 0x1a, 0x68, 0xc9, 0xfd, 0x87, 0xfd, 0x3d,
+    0xc8, 0xe4, 0x88, 0x16, 0x8a, 0x31, 0x67, 0xa5, 0x95, 0xec, 0x2d, 0x4d,
+    0x41, 0x08, 0x52, 0x3c, 0x26, 0x44, 0x3f, 0xca, 0xc8, 0xa3, 0x79, 0xc5,
+    0x56, 0x40, 0xc0, 0x62, 0x0d, 0x5c, 0xd4, 0xcf, 0x69, 0x22, 0x05, 0x94,
+    0xf2, 0x66, 0xcb, 0x1e, 0x8a, 0xdf, 0x98, 0xc4, 0xcd, 0x26, 0x4b, 0xd5,
+    0xc6, 0x3d, 0x08, 0xf5, 0x5a, 0xa7, 0xde, 0x21, 0xbe, 0x5d, 0x04, 0x94};
 
 }  // namespace test
 }  // namespace dice
diff --git a/src/boringssl_ecdsa_utils.c b/src/boringssl_ecdsa_utils.c
index 9513cd4..ef31812 100644
--- a/src/boringssl_ecdsa_utils.c
+++ b/src/boringssl_ecdsa_utils.c
@@ -36,7 +36,7 @@
                 unsigned int out_len) {
   int ret = 0;
 
-  if (out_len > 64 || out_len < 0) {
+  if (out_len != 64) {
     goto out;
   }
   HMAC_CTX ctx;
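Review bot: The early `goto out` taken when `out_len != 64` jumps over the declaration of `HMAC_CTX ctx`, so any cleanup of `ctx` under the `out:` label would run on an uninitialised context. That label lies outside this hunk, so this is only a risk if it does touch `ctx`. Returning directly, `if (out_len != 64) { return 0; }`, removes the dependency. Now that the length must be exact, a short comment would help callers, e.g. `// out must be exactly 64 bytes: the full HMAC-SHA512 output is written.`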
@@ -82,15 +82,21 @@
   return ret;
 }
 
-// Algorithm from section 3.2 of IETF RFC6979
+// Algorithm from section 3.2 of IETF RFC6979; limited to generating up to 64
+// byte private keys.
 static BIGNUM *derivePrivateKey(const EC_GROUP *group, const uint8_t *seed,
-                                size_t seed_size, uint8_t *private_key,
-                                size_t private_key_len) {
+                                size_t seed_size, size_t private_key_len) {
   BIGNUM *candidate = NULL;
   uint8_t v[64];
   uint8_t k[64];
+  uint8_t temp[64];
   memset(v, 1, 64);
   memset(k, 0, 64);
+  memset(temp, 0, 64);
+
+  if (private_key_len > 64) {
+    goto err;
+  }
 
   if (1 != hmac3(k, v, 0x00, seed, (unsigned int)seed_size, k)) {
     goto err;
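Review bot: The new `temp` buffer, like `v` and `k`, holds private-key candidate bytes and HMAC-DRBG state on the stack, and nothing in this hunk wipes them. The function's exit path is outside the hunk, so this may already be handled there. If it is not, clearing all three before returning, with `OPENSSL_cleanse(temp, sizeof(temp));` and the same for `k` and `v`, keeps key material from lingering in stack memory. The guard would also be easier to keep correct as `if (private_key_len > sizeof(temp)) {`, so the bound follows the buffer rather than a repeated literal.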
@@ -105,13 +111,13 @@
     if (1 != hmac(k, v, v, sizeof(v))) {
       goto err;
     }
-    if (1 != hmac(k, v, private_key, private_key_len)) {
+    if (1 != hmac(k, v, temp, sizeof(temp))) {
       goto err;
     }
     if (1 != hmac3(k, v, 0x00, NULL, 0, k)) {
       goto err;
     }
-    candidate = BN_bin2bn(private_key, private_key_len, NULL);
+    candidate = BN_bin2bn(temp, private_key_len, NULL);
     if (!candidate) {
       goto err;
     }
@@ -148,8 +154,7 @@
     goto out;
   }
 
-  pD = derivePrivateKey(group, seed, DICE_PRIVATE_KEY_SEED_SIZE, private_key,
-                                P384_PRIVATE_KEY_SIZE);
+  pD = derivePrivateKey(group, seed, DICE_PRIVATE_KEY_SEED_SIZE, P384_PRIVATE_KEY_SIZE);
   if (!pD) {
     goto out;
   }
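Review bot: The rewritten call is a single line of roughly 88 columns, while the rest of the visible file wraps at 80. Breaking after the third argument keeps it consistent: `pD = derivePrivateKey(group, seed, DICE_PRIVATE_KEY_SEED_SIZE,` followed by an aligned `P384_PRIVATE_KEY_SIZE);`. The enclosing function starts and ends outside this hunk.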