SRTP-KDF: use two bytes of index

SparkiDev · SparkiDev · commit b1d35294195e · 2026-02-03T11:01:11.000+10:00
One byte of index creates up to 4096 bytes for a key.
Increase output size to match specification.
diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
@@ -896,8 +896,7 @@ static void wc_srtp_kdf_first_block(const byte* salt, word32 saltSz, int kdrIdx,
         block[i] = 0;
     }
     XMEMCPY(block + WC_SRTP_MAX_SALT - saltSz, salt, saltSz);
-    block[WC_SRTP_MAX_SALT] = 0;
-    /* block[15] is counter. */
+    /* block[14-15] are counter. */
 
     /* When kdrIdx is -1, don't XOR in index. */
     if (kdrIdx >= 0) {
@@ -947,6 +946,7 @@ static int wc_srtp_kdf_derive_key(byte* block, int idxSz, byte label,
     block[WC_SRTP_MAX_SALT - idxSz - 1] ^= label;
     for (i = 0; (ret == 0) && (i < blocks); i++) {
         /* Set counter. */
+        block[14] = (byte)(i >> 8);
         block[15] = (byte)i;
         /* Encrypt block into key buffer. */
         ret = wc_AesEcbEncrypt(aes, key, block, WC_AES_BLOCK_SIZE);
@@ -959,6 +959,7 @@ static int wc_srtp_kdf_derive_key(byte* block, int idxSz, byte label,
     if ((ret == 0) && (keySz > 0)) {
         byte enc[WC_AES_BLOCK_SIZE];
         /* Set counter. */
+        block[14] = (byte)(i >> 8);
         block[15] = (byte)i;
         /* Encrypt block into temporary. */
         ret = wc_AesEcbEncrypt(aes, enc, block, WC_AES_BLOCK_SIZE);
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -31783,6 +31783,8 @@ typedef struct Srtp_Kdf_Tv {
     word32 ksSz;
 } Srtp_Kdf_Tv;
 
+#define SRTP_KDF_LONG_KEY   5000
+
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void)
 {
     wc_test_ret_t ret = 0;
@@ -32034,6 +32036,18 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void)
     unsigned char keyE[32];
     unsigned char keyA[20];
     unsigned char keyS[14];
+#ifndef BENCH_EMBEDDED
+    WC_DECLARE_VAR(keyELong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+    WC_DECLARE_VAR(keyALong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+    WC_DECLARE_VAR(keySLong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+#endif
+
+#ifndef BENCH_EMBEDDED
+    WC_ALLOC_VAR(keyELong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+    WC_ALLOC_VAR(keyALong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+    WC_ALLOC_VAR(keySLong, byte, SRTP_KDF_LONG_KEY, HEAP_HINT);
+#endif
+
     WOLFSSL_ENTER("srtpkdf_test");
 
     for (i = 0; (ret == 0) && (i < SRTP_TV_CNT); i++) {
@@ -32284,6 +32298,30 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void)
             return WC_TEST_RET_ENC_NC;
     }
 
+#ifndef BENCH_EMBEDDED
+    /* Check that long messages can be created. */
+    ret = wc_SRTP_KDF(tv[0].key, tv[0].keySz, tv[0].salt, tv[0].saltSz,
+        tv[0].kdfIdx, tv[0].index_c, keyELong, SRTP_KDF_LONG_KEY, keyALong,
+        SRTP_KDF_LONG_KEY, keySLong, SRTP_KDF_LONG_KEY);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    /* Check that two bytes of counter are being used. */
+    if (XMEMCMP(keyELong, keyELong + 4096, SRTP_KDF_LONG_KEY - 4096) == 0) {
+        return WC_TEST_RET_ENC_NC;
+    }
+    if (XMEMCMP(keyELong, keyALong + 4096, SRTP_KDF_LONG_KEY - 4096) == 0) {
+        return WC_TEST_RET_ENC_NC;
+    }
+    if (XMEMCMP(keyELong, keySLong + 4096, SRTP_KDF_LONG_KEY - 4096) == 0) {
+        return WC_TEST_RET_ENC_NC;
+    }
+
+    WC_FREE_VAR(keyELong, HEAP_HINT);
+    WC_FREE_VAR(keyALong, HEAP_HINT);
+    WC_FREE_VAR(keySLong, HEAP_HINT);
+#endif
+
     return 0;
 }
 #endif
