wasi-crypto symmetric_state_squeeze on HKDF-EXPAND not support arbitrary-long output length #2176

Closed
Puellaquae opened this issue Dec 21, 2022 · 0 comments · Fixed by #2177
Puellaquae commented Dec 21, 2022

Description

template <int ShaNid>
WasiCryptoExpect<void>
Hkdf<ShaNid>::Expand::State::squeeze(Span<uint8_t> Out) noexcept {
  size_t KeyLen = Out.size();
  {
    std::scoped_lock Lock{Ctx->Mutex};
    ensureOrReturn(EVP_PKEY_derive(Ctx->RawCtx.get(), Out.data(), &KeyLen),
                   __WASI_CRYPTO_ERRNO_INVALID_KEY);
  }
  ensureOrReturn(KeyLen == getKeySize(), __WASI_CRYPTO_ERRNO_ALGORITHM_FAILURE);
  return {};
}

As https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_derive.html reads,

The EVP_PKEY_derive() derives a shared secret using ctx. If key is NULL then the maximum size of the output buffer is written to the keylen parameter. If key is not NULL then before the call the keylen parameter should contain the length of the key buffer, if the call is successful the shared secret is written to key and the amount of data written to keylen.

ensureOrReturn(KeyLen == getKeySize(), __WASI_CRYPTO_ERRNO_ALGORITHM_FAILURE); is unnecessary in this case, where KeyLen won't be updated.

Additionally, as the wasi-crypto proposal reads,

Key derivation functions: outputs an arbitrary-long derived key.

But getKeySize() will only return 32 or 64, so it can't meet the proposal.

template <int ShaNid> constexpr uint32_t Hkdf<ShaNid>::getKeySize() noexcept {
  static_assert(ShaNid == NID_sha256 || ShaNid == NID_sha512);
  if constexpr (ShaNid == NID_sha256)
    return 32;
  if constexpr (ShaNid == NID_sha512)
    return 64;
}

Current State

Expected

Environment

  • Hardware Architecture: x86_64
  • Operating system: Debian 11

Steps to Reproduce

The WASI binding used is https://github.com/WebAssembly/wasi-crypto/blob/main/implementations/bindings/rust/src/raw.rs

let key = b"key";
let salt = b"salt";
let info = b"info";
let mut out = vec![0u8; 48]; // getKeySize() will return 32 when using "sha256", so it will fail on squeeze
let none_opts = OptOptions {
    tag: OPT_OPTIONS_U_NONE.raw(),
    u: OptOptionsUnion { none: () },
};
let extract_key = symmetric_key_import("HKDF-EXTRACT/SHA-256", key.as_ptr(), key.len())?;
let extract_handle = symmetric_state_open(
    "HKDF-EXTRACT/SHA-256",
    OptSymmetricKey {
        tag: OPT_SYMMETRIC_KEY_U_SOME.raw(),
        u: OptSymmetricKeyUnion { some: extract_key },
    },
    none_opts,
)?;
symmetric_state_absorb(extract_handle, salt.as_ptr(), salt.len())?;
let expand_key = symmetric_state_squeeze_key(extract_handle, "HKDF-EXPAND/SHA-256")?;
let expand_handle = symmetric_state_open(
    "HKDF-EXPAND/SHA-256",
    OptSymmetricKey {
        tag: OPT_SYMMETRIC_KEY_U_SOME.raw(),
        u: OptSymmetricKeyUnion { some: expand_key },
    },
    none_opts,
)?;
symmetric_state_absorb(expand_handle, info.as_ptr(), info.len())?;
symmetric_state_squeeze(expand_handle, out.as_mut_ptr(), out.len())?;

It will cause WASI_CRYPTO_ERRNO_ALGORITHM_FAILURE on the last symmetric_state_squeeze.

Puellaquae added a commit to Puellaquae/WasmEdge that referenced this issue Dec 21, 2022
WasmEdge#2176

Signed-off-by: Puelloc <shentukeqin@hotmail.com>
@q82419 q82419 linked a pull request Dec 21, 2022 that will close this issue
hydai pushed a commit that referenced this issue Dec 22, 2022
#2177)

Fixes #2176

Signed-off-by: Puelloc <shentukeqin@hotmail.com>
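
The output-length behaviour the issue asks for, as an added example that is not part of the original issue or of WasmEdge's code: a standard-library Python HKDF (RFC 5869) that expands to any length from 1 to 255 * HashLen bytes, using the same key, salt and info as the reproduction above. All function names are chosen here, and `fixed_size_check` is only a model of the `KeyLen == getKeySize()` comparison quoted in the issue.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    hash_len = hashlib.new(hash_name).digest_size
    # An absent salt defaults to HashLen zero bytes.
    return hmac.new(salt or b"\x00" * hash_len, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: output of any length from 1 to 255 * HashLen bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError(f"length must be 1..{255 * hash_len}, got {length}")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) | info | n), with T(0) empty.
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def fixed_size_check(out_len: int, hash_name: str = "sha256") -> bool:
    """Model (assumption) of the quoted check: KeyLen == getKeySize()."""
    return out_len == hashlib.new(hash_name).digest_size


def derive(out_len: int) -> bytes:
    """Same inputs as the reproduction: key, salt and info from the issue."""
    prk = hkdf_extract(b"salt", b"key")
    return hkdf_expand(prk, b"info", out_len)


if __name__ == "__main__":
    for n in (32, 48, 255 * 32):
        okm = derive(n)
        # A 48-byte request is valid HKDF output but fails the fixed-size check.
        print(f"requested={n} derived={len(okm)} passes_fixed_check={fixed_size_check(n)}")
```

A regression test for the fix can assert both ends of the range: a 48-byte squeeze succeeds, and a request above 255 * HashLen is rejected.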