From 84b89d7cfe452f91fa22f2646ef53a3a7e990456 Mon Sep 17 00:00:00 2001
From: Frank Denis <124872+jedisct1@users.noreply.github.com>
Date: Wed, 22 Mar 2023 07:17:52 +0100
Subject: [PATCH] crypto.hmac: set the recommended key size to the block size
 (#15031)

HMAC supports arbitrary key sizes, and there are no practical reasons
to use more than 256 bit keys.

It still makes sense to match the security level, though, especially
since a distinction between the block size and the key size can be
confusing.

Using HMAC.key_size instead of HMAC.mac_size caused our TLS
implementation to compute wrong shared secrets when SHA-384 was
used. So, fix it directly in `crypto.hmac` in order to prevent
other misuses.
---
 lib/std/crypto/hmac.zig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/std/crypto/hmac.zig b/lib/std/crypto/hmac.zig
index 457cc5ec18..f279132ee8 100644
--- a/lib/std/crypto/hmac.zig
+++ b/lib/std/crypto/hmac.zig
@@ -18,7 +18,7 @@ pub fn Hmac(comptime Hash: type) type {
         const Self = @This();
         pub const mac_length = Hash.digest_length;
         pub const key_length_min = 0;
-        pub const key_length = 32; // recommended key length
+        pub const key_length = mac_length; // recommended key length
 
         o_key_pad: [Hash.block_length]u8,
         hash: Hash,