From ad10153f537e7d8312bb2c09968317a36cf9ad03 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Jul 12 2018 07:20:46 +0000
Subject: crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()


This makes the code more robust in case the if-block is moved to some
other place without the 'if (key_len > HMAC_SHA1_BLOCKSIZE)' check
before.

Reviewed-by: Sumit Bose <sbose@redhat.com>

---

diff --git a/src/util/crypto/nss/nss_hmac_sha1.c b/src/util/crypto/nss/nss_hmac_sha1.c
index 7074fe7..f30bbfc 100644
--- a/src/util/crypto/nss/nss_hmac_sha1.c
+++ b/src/util/crypto/nss/nss_hmac_sha1.c
@@ -63,7 +63,7 @@ int sss_hmac_sha1(const unsigned char *key,
     } else {
         /* keys shorter than blocksize are zero-padded */
         memcpy(ikey, key, key_len);
-        if (key_len != HMAC_SHA1_BLOCKSIZE) {
+        if (key_len < HMAC_SHA1_BLOCKSIZE) {
             memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len);
         }
     }