From 9fa6fb273559d29d471df80942ce066e6e40dfde Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sat, 2 Dec 2017 00:41:25 +0800
Subject: Pass the right length of null bytes when no salt is provided to HKDF (#4036)

This bug looks bad but ends up being benign because HMAC is specified to pad null bytes if a key is too short. So we passed too few bytes and then OpenSSL obligingly padded it out to the correct length. However, we should still do the right thing obviously.
---
 src/cryptography/hazmat/primitives/kdf/hkdf.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py
index 82ed9b1c..964ac2cc 100644
--- a/src/cryptography/hazmat/primitives/kdf/hkdf.py
+++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py
@@ -30,7 +30,7 @@ class HKDF(object):
 raise TypeError("salt must be bytes.")
 if salt is None:
- salt = b"\x00" * (self._algorithm.digest_size // 8)
+ salt = b"\x00" * self._algorithm.digest_size
 self._salt = salt
-- 
cgit v1.2.3
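Review bot: The corrected default on the `+` line carries no comment saying which unit `digest_size` is in, which is exactly what the removed `// 8` got wrong; a one-line comment above the assignment would keep the mistake from returning, e.g. `# RFC 5869 section 2.2: default salt is HashLen zero bytes; digest_size is already in bytes`. As the commit message notes, HMAC zero-pads a short key, so the derived output is the same before and after this change and an output-based test cannot catch a regression here. The diffstat shows a single file, so no test accompanies the fix; one that asserts on the stored value, such as `assert len(hkdf._salt) == algorithm.digest_size`, would pin it. The enclosing `__init__` begins before and continues past this hunk.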