From 35940569f1d86517befb9231afde94d8b022d174 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 22 Jun 2024 10:24:51 +0900 Subject: [PATCH] Replace HKDF backward compatibility patch with the official one Related: RHEL-40823 Signed-off-by: Daiki Ueno --- ...kward-compatibility-with-older-provi.patch | 67 +++++++++++++------ openssl.spec | 6 +- 2 files changed, 53 insertions(+), 20 deletions(-) diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch index c88588f..85f97c6 100644 --- a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch +++ b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch @@ -1,33 +1,62 @@ -From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 12 Jun 2024 20:14:04 +0900 -Subject: [PATCH] kdf: Preserve backward compatibility with older providers +From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 17 Jun 2024 16:48:26 +0200 +Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older + providers -Suggested in: -https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293 +If there is no get_ctx_params() implemented in the key exchange +provider implementation the fallback will not work. Instead +check the gettable_ctx_params() to see if the fallback should be +performed. + +Fixes #24611 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +(Merged from https://github.com/openssl/openssl/pull/24661) + +(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d) --- - crypto/evp/pmeth_lib.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) + crypto/evp/pmeth_lib.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 015f756..e776ea5 100644 +index 2caff2cd6d..d15e43be05 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c -@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, +@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + int datalen) + { + OSSL_PARAM os_params[2]; ++ const OSSL_PARAM *gettables; + unsigned char *info = NULL; + size_t info_len = 0; + size_t info_alloc = 0; +@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + return 1; + } + ++ /* Check for older provider that doesn't support getting this parameter */ ++ gettables = EVP_PKEY_CTX_gettable_params(ctx); ++ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, ++ data, datalen); ++ + /* Get the original value length */ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); os_params[1] = OSSL_PARAM_construct_end(); - -- if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) { -+ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) { -+ /* Older provider that doesn't support gettable parameters */ -+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); -+ } +@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + if (!EVP_PKEY_CTX_get_params(ctx, os_params)) return 0; -+ } - /* Older provider that doesn't support getting this parameter */ +- /* Older provider that doesn't support getting this parameter */ ++ /* This should not happen but check to be sure. */ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) +- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ return 0; + + info_alloc = os_params[0].return_size + datalen; + if (info_alloc == 0) -- 2.45.1 diff --git a/openssl.spec b/openssl.spec index 409b08f..a837266 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -498,6 +498,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Sat Jun 22 2024 Daiki Ueno - 1:3.2.2-3 +- Replace HKDF backward compatibility patch with the official one + Related: RHEL-40823 + * Wed Jun 12 2024 Daiki Ueno - 1:3.2.2-2 - Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers Resolves: RHEL-40823