blake2: Refuse empty keys in keyed hash construction #510

Merged
merged 1 commit into from
Jan 11, 2024
11 changes: 7 additions & 4 deletions blake2/src/macros.rs
Expand Up @@ -276,9 +276,12 @@ macro_rules! blake2_mac_impl {
{
/// Create new instance using provided key, salt, and persona.
///
/// Key length should not be bigger than block size, salt and persona
/// length should not be bigger than quarter of block size. If any
/// of those conditions is false the method will return an error.
/// # Errors
///
/// Key length should not be empty or bigger than the block size and
/// the salt and persona length should not be bigger than quarter of
/// block size. If any of those conditions is false the method will
/// return an error.
#[inline]
pub fn new_with_salt_and_personal(
key: &[u8],
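Review bot: In the new `# Errors` section, "Key length should not be empty" mixes two things (a key is empty, a length is zero), and the text says "will return an error" without naming which one. Suggest stating it as conditions on the inputs and naming the variant, for example: "Returns `InvalidLength` if the key is empty or longer than the block size, or if the salt or persona is longer than a quarter of the block size."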
Expand All @@ -288,7 +291,7 @@ macro_rules! blake2_mac_impl {
let kl = key.len();
let bs = <$hash as BlockSizeUser>::BlockSize::USIZE;
let qbs = bs / 4;
if kl > bs || salt.len() > qbs || persona.len() > qbs {
if kl == 0 || kl > bs || salt.len() > qbs || persona.len() > qbs {
return Err(InvalidLength);
}
let mut padded_key = Block::<$hash>::default();
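Review bot: The added `kl == 0` term in the length check turns an input that was previously accepted into `Err(InvalidLength)`, so this is a behaviour change for existing callers of `new_with_salt_and_personal` and should get a changelog entry. The rejection itself is sound: BLAKE2 treats a key length of zero as the unkeyed hash, so a MAC constructed with an empty key authenticates nothing. Any other constructor generated by `blake2_mac_impl` is outside this hunk; if one builds `padded_key` itself instead of going through this function, it needs the same check.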
6 changes: 6 additions & 0 deletions blake2/tests/mac.rs
Expand Up @@ -27,3 +27,9 @@ fn blake2b_new_test() {
run::<blake2::Blake2sMac256>(&[0x42; 32]);
run::<blake2::Blake2bMac512>(&[0x42; 64]);
}

#[test]
fn mac_refuses_empty_keys() {
assert!(blake2::Blake2bMac512::new_with_salt_and_personal(&[], b"salt", b"persona").is_err());
assert!(blake2::Blake2sMac256::new_with_salt_and_personal(&[], b"salt", b"persona").is_err());
}
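Review bot: `mac_refuses_empty_keys` only asserts `is_err()` for `&[]`, so it would still pass if the call failed because of the salt or persona arguments rather than the key. Add a positive control with the same `b"salt"` and `b"persona"` and a 1-byte key that asserts `is_ok()`, and consider a case with a key one byte longer than the block size so both ends of the accepted range are pinned down.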