Update hkdf.c to avoid potentially vulnerable code pattern

[openssl.git] / providers / implementations / kdfs / hkdf.c

diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index f0b46a1fc50b07cb97937c49d2de8772e7303ef2..7f42f426479f308f3b777021d78e228c6c9d6ce3 100644 (file)
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -531,7 +531,7 @@ static int HKDF_Expand(const EVP_MD *evp_md,
         if (!HMAC_Final(hmac, prev, NULL))
             goto err;
 
-        copy_len = (done_len + dig_len > okm_len) ?
+        copy_len = (dig_len > okm_len - done_len) ?
                        okm_len - done_len :
                        dig_len;