Support ExpandHKDF with zero-length keys (#330)

qmuntal · gdams · dagood · web-flow · commit 9b5f537f54f7 · 2025-12-02T09:33:46.000+01:00
* add test

* fix test

* Apply suggestions from code review

Co-authored-by: Davis Goodin &lt;dagood@users.noreply.github.com&gt;

---------

Co-authored-by: George Adams &lt;georgeadams1995@gmail.com&gt;
Co-authored-by: Davis Goodin &lt;dagood@users.noreply.github.com&gt;
diff --git a/hkdf.go b/hkdf.go
@@ -208,6 +208,12 @@ func ExpandHKDFOneShot(h func() hash.Hash, pseudorandomKey, info []byte, keyLeng
 			return nil, err
 		}
 		defer ossl.EVP_PKEY_CTX_free(ctx)
+		if len(out) == 0 {
+			// Nothing to do, so exit early.
+			// We also can't call EVP_PKEY_derive because some engines error on zero-length output.
+			// We can only exit after calling newHKDFCtx1 because we still need it to validate the parameters.
+			return out, nil
+		}
 		keylen := keyLength
 		if _, err := ossl.EVP_PKEY_derive(ctx, base(out), &keylen); err != nil {
 			return nil, err
@@ -218,6 +224,12 @@ func ExpandHKDFOneShot(h func() hash.Hash, pseudorandomKey, info []byte, keyLeng
 			return nil, err
 		}
 		defer ossl.EVP_KDF_CTX_free(ctx)
+		if len(out) == 0 {
+			// Nothing to do, so exit early.
+			// We also can't call EVP_PKEY_derive because some engines error on zero-length output.
+			// We can only exit after calling newHKDFCtx3 because we still need it to validate the parameters.
+			return out, nil
+		}
 		if _, err := ossl.EVP_KDF_derive(ctx, base(out), keyLength, nil); err != nil {
 			return nil, err
 		}
diff --git a/hkdf_test.go b/hkdf_test.go
@@ -646,3 +646,23 @@ func TestExpandTLS13KDF(t *testing.T) {
 		}
 	}
 }
+
+func TestExpandHKDFZeroLengthKey(t *testing.T) {
+	if !openssl.SupportsHKDF() {
+		t.Skip("HKDF is not supported")
+	}
+	hash := openssl.NewSHA256
+	master := []byte{0x00, 0x01, 0x02, 0x03}
+	info := []byte{}
+	prk, err := openssl.ExtractHKDF(hash, master, nil)
+	if err != nil {
+		t.Fatalf("error extracting HKDF: %v.", err)
+	}
+	out, err := openssl.ExpandHKDFOneShot(hash, prk, info, 0)
+	if err != nil {
+		t.Errorf("error expanding HKDF zero-length key: %v.", err)
+	}
+	if len(out) != 0 {
+		t.Errorf("incorrect output length for zero-length key: have %d, need 0.", len(out))
+	}
+}
