From c56cc4a056c8a442ed31ea2f47bb7e933569fcd4 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Tue, 28 Nov 2017 14:14:49 -0500 Subject: Increase HMAC key size limit to 4096 bytes. The previous limit of 512 bytes meant that TLS was unable to negotiate using FFDHE-6144 or FFDHE-8192 groups. --- src/lib/mac/hmac/hmac.cpp | 6 ++++++ src/lib/mac/hmac/hmac.h | 6 +----- 2 files changed, 7 insertions(+), 5 deletions(-) (limited to 'src/lib') diff --git a/src/lib/mac/hmac/hmac.cpp b/src/lib/mac/hmac/hmac.cpp index 244946d88..532c98274 100644 --- a/src/lib/mac/hmac/hmac.cpp +++ b/src/lib/mac/hmac/hmac.cpp @@ -32,6 +32,12 @@ void HMAC::final_result(uint8_t mac[]) m_hash->update(m_ikey); } +Key_Length_Specification HMAC::key_spec() const + { + // Support very long lengths for things like PBKDF2 and the TLS PRF + return Key_Length_Specification(0, 4096); + } + /* * HMAC Key Schedule */ diff --git a/src/lib/mac/hmac/hmac.h b/src/lib/mac/hmac/hmac.h index 253184895..800159432 100644 --- a/src/lib/mac/hmac/hmac.h +++ b/src/lib/mac/hmac/hmac.h @@ -25,11 +25,7 @@ class BOTAN_PUBLIC_API(2,0) HMAC final : public MessageAuthenticationCode size_t output_length() const override { return m_hash->output_length(); } - Key_Length_Specification key_spec() const override - { - // Absurd max length here is to support PBKDF2 - return Key_Length_Specification(0, 512); - } + Key_Length_Specification key_spec() const override; /** * @param hash the hash to use for HMACing -- cgit v1.2.3