On Wed, 8 May 2024 20:53:54 GMT, Kevin Driver <kdri...@openjdk.org> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java >> line 370: >> >>> 368: } >>> 369: int rounds = (outLen + hmacLen - 1) / hmacLen; >>> 370: kdfOutput = new byte[rounds * hmacLen]; >> >> Are we missing a check to ensure that the `outLen` parameter is less than or >> equal to 255 * HashLen? See RFC 5869 sec. 2.3. > > Yes! I intended to. Thanks for catching it. see commit: https://github.com/openjdk/jdk/pull/18924/commits/e1b63f3a90ea5583ac86687ddd89bf9fda7d2613 ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1597091632
