Concat KDF bug

Issue #220 resolved
Vladimir Dzhuvinov created an issue

Reported by Anders Rundgren by email:


Since things from the beginning didn't work, I had to follow your code in a debugger. Here I found a bug which fortunately doesn't have any disastrous effects so you can safely ignore it if you want!

In ConcatKDF there is a line where you calculate rounds:

     for (int i=1; i <= computeDigestCycles(md.getDigestLength(), keyLength); i++) {

Since "getDigestLength()" returns the number of bytes while keyLength is in bits, the loop runs several times in vain.

In my own implementation I turned to integer math:

     int reps = (keyLengthInBytes + CONCAT_KDF_DIGEST_LENGTH - 1) / CONCAT_KDF_DIGEST_LENGTH;

AFAICT, only the following JWE algorithm combinations should generate a factor > 1:

     Reps=2 Kea=ECDH-ES Dea=A192CBC-HS384
     Reps=2 Kea=ECDH-ES Dea=A192CBC-HS384
     Reps=2 Kea=ECDH-ES Dea=A256CBC-HS512
     Reps=2 Kea=ECDH-ES Dea=A256CBC-HS512

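An added example, not code from the reporter or from the library: a minimal Concat KDF with SHA-256 (the hash JWE ECDH-ES uses) that compares the round count obtained by dividing key bits by digest bytes with the count from consistent units, and checks that the derived key is identical because the output is truncated to the key length. The class name, the `reps` and `derive` helpers, the shared secret and the OtherInfo bytes are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.util.Arrays;

public class ConcatKdfReps {
    // Ceiling division in integer math; both arguments must use the same unit.
    static int reps(int keyLen, int digestLen) {
        return (keyLen + digestLen - 1) / digestLen;
    }

    // Concat KDF (NIST SP 800-56A single-step KDF) with SHA-256:
    // each round hashes counter || Z || otherInfo; the result is cut to keyLenBytes.
    static byte[] derive(byte[] z, byte[] otherInfo, int keyLenBytes, int rounds) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 1; i <= rounds; i++) {
            md.update(ByteBuffer.allocate(4).putInt(i).array()); // 32-bit big-endian counter
            md.update(z);
            md.update(otherInfo);
            out.write(md.digest()); // digest() also resets md for the next round
        }
        return Arrays.copyOf(out.toByteArray(), keyLenBytes);
    }

    public static void main(String[] args) throws Exception {
        byte[] z = new byte[32];                 // constructed shared secret
        Arrays.fill(z, (byte) 0x5a);
        byte[] otherInfo = "constructed-other-info".getBytes("UTF-8");
        int digestBytes = MessageDigest.getInstance("SHA-256").getDigestLength();

        for (int keyBits : new int[] {128, 256, 384, 512}) {
            int mixed = reps(keyBits, digestBytes);       // bits vs. bytes: the reported mix-up
            int correct = reps(keyBits / 8, digestBytes); // bytes vs. bytes
            byte[] a = derive(z, otherInfo, keyBits / 8, mixed);
            byte[] b = derive(z, otherInfo, keyBits / 8, correct);
            System.out.printf("keyBits=%d mixedUnits=%d correct=%d sameKey=%b%n",
                    keyBits, mixed, correct, Arrays.equals(a, b));
        }
    }
}
```

The surplus rounds only append hash blocks past the truncation point, so the cost is wasted digest computations rather than a different key.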