check HKDF return value in release builds to prevent zero-key signing (#34332)

fix brave/brave-browser#53225

Author: diracdeltas

components/brave_rewards/core/engine/util/signer.cc

@@ -56,7 +56,9 @@ std::optional<Signer> Signer::FromRecoverySeed(
                       recovery_seed.data(), kSeedLength, kHkdfSalt, kSaltLength,
                       info, sizeof(info) / sizeof(info[0]));
 
-  DCHECK(hkdf_res);
+  if (!hkdf_res) {
+    return std::nullopt;
+  }
 
   std::vector<uint8_t> public_key(crypto_sign_PUBLICKEYBYTES);
   secret_key.resize(crypto_sign_SECRETKEYBYTES);

components/brave_sync/crypto/crypto.cc

@@ -1,7 +1,7 @@
 /* Copyright 2019 The Brave Authors. All rights reserved.
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 
 #include "brave/components/brave_sync/crypto/crypto.h"
 
@@ -37,7 +37,7 @@ std::vector<uint8_t> HKDFSha512(const std::vector<uint8_t>& ikm,
       HKDF(derived_key.data(), derived_key.size(), EVP_sha512(), ikm.data(),
            ikm.size(), salt ? salt->data() : nullptr, salt ? salt->size() : 0,
            info ? info->data() : nullptr, info ? info->size() : 0);
-  DCHECK(result);
+  CHECK(result);
   return derived_key;
 }