This removes a bunch of weird code around the counter overflow check in
concatKDF and makes it actually work for different hash output sizes.
The overflow check worked as follows: concatKDF applies the hash function N
times, where N is roundup(kdLen, hashsize) / hashsize. N should not
overflow 32 bits because that would lead to a repetition in the KDF output.
A couple of issues with the overflow check:
- It used the hash.BlockSize, which is wrong because the block size is
  about the input of the hash function. Luckily, all standard hash
  functions have a block size that's greater than the output size, so
  concatKDF didn't crash; it just generated too much key material.
- The check used big.Int to compare against 2^32-1.
- The calculation could still overflow before reaching the check.
The new code in concatKDF doesn't check for overflow. Instead, there is a
new check on ECIESParams which ensures that params.KeyLen is < 512. This
removes any possibility of overflow.
There are a couple of miscellaneous improvements bundled in with this
change:
- The key buffer is pre-allocated instead of appending the hash output
  to an initially empty slice.
- The code that uses concatKDF to derive keys is now shared between Encrypt
  and Decrypt.
- There was a redundant invocation of IsOnCurve in Decrypt. This is now removed
  because elliptic.Unmarshal already checks whether the input is a valid curve
  point since Go 1.5.
Co-authored-by: Felix Lange <fjl@twurst.com>
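As an added illustration, not code from this commit or from go-ethereum, here is the shape the message describes in Go: a counter-based concatKDF whose buffer is pre-allocated from the hash output size (h.Size(), not BlockSize), the KeyLen < 512 bound that makes an overflow check unnecessary, and the key-derivation step shared by Encrypt and Decrypt. The function names and the sample secret are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
)

// checkKeyLen enforces the bound the commit adds to ECIESParams: with
// KeyLen < 512 the KDF needs at most a handful of hash invocations, so the
// 32-bit counter can never wrap and repeat output.
func checkKeyLen(keyLen int) error {
	if keyLen <= 0 || keyLen >= 512 {
		return fmt.Errorf("ecies: invalid KeyLen %d, must be 0 < KeyLen < 512", keyLen)
	}
	return nil
}

// concatKDF derives kdLen bytes as H(1||z||s1) || H(2||z||s1) || ... with a
// big-endian 32-bit counter (NIST SP 800-56A), truncated to kdLen. The
// buffer is pre-allocated from h.Size(), the output length, not BlockSize.
func concatKDF(h hash.Hash, z, s1 []byte, kdLen int) []byte {
	counterBuf := make([]byte, 4)
	k := make([]byte, 0, ((kdLen+h.Size()-1)/h.Size())*h.Size())
	for counter := uint32(1); len(k) < kdLen; counter++ {
		binary.BigEndian.PutUint32(counterBuf, counter)
		h.Reset()
		h.Write(counterBuf)
		h.Write(z)
		h.Write(s1)
		k = h.Sum(k) // appends this block's hash output in place
	}
	return k[:kdLen]
}

// deriveKeys is the step shared by Encrypt and Decrypt: the KDF output is
// split into encryption key Ke and MAC key Km, and Km is hashed once more.
func deriveKeys(h hash.Hash, z, s1 []byte, keyLen int) (Ke, Km []byte) {
	k := concatKDF(h, z, s1, 2*keyLen)
	Ke, Km = k[:keyLen], k[keyLen:]
	h.Reset()
	h.Write(Km)
	return Ke, h.Sum(Km[:0])
}

func main() {
	ke, km := deriveKeys(sha256.New(), []byte("constructed shared secret"), nil, 16)
	fmt.Printf("Ke=%x\nKm=%x\n", ke, km)
}
```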