Replace HKDF backward compatibility patch with the official one

Related: RHEL-40823
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno 2024-06-22 10:24:51 +09:00
parent d53f31aa80
commit 35940569f1
2 changed files with 53 additions and 20 deletions

View File

@ -1,33 +1,62 @@
From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001 From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build> From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 12 Jun 2024 20:14:04 +0900 Date: Mon, 17 Jun 2024 16:48:26 +0200
Subject: [PATCH] kdf: Preserve backward compatibility with older providers Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
providers
Suggested in: If there is no get_ctx_params() implemented in the key exchange
https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293 provider implementation the fallback will not work. Instead
check the gettable_ctx_params() to see if the fallback should be
performed.
Fixes #24611
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24661)
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
--- ---
crypto/evp/pmeth_lib.c | 7 ++++++- crypto/evp/pmeth_lib.c | 11 +++++++++--
1 file changed, 6 insertions(+), 1 deletion(-) 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 015f756..e776ea5 100644 index 2caff2cd6d..d15e43be05 100644
--- a/crypto/evp/pmeth_lib.c --- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c
@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, @@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
int datalen)
{
OSSL_PARAM os_params[2];
+ const OSSL_PARAM *gettables;
unsigned char *info = NULL;
size_t info_len = 0;
size_t info_alloc = 0;
@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return 1;
}
+ /* Check for older provider that doesn't support getting this parameter */
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
+ data, datalen);
+
/* Get the original value length */
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end(); os_params[1] = OSSL_PARAM_construct_end();
@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- if (!EVP_PKEY_CTX_get_params(ctx, os_params)) if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) {
+ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) {
+ /* Older provider that doesn't support gettable parameters */
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+ }
return 0; return 0;
+ }
/* Older provider that doesn't support getting this parameter */ - /* Older provider that doesn't support getting this parameter */
+ /* This should not happen but check to be sure. */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+ return 0;
info_alloc = os_params[0].return_size + datalen;
if (info_alloc == 0)
-- --
2.45.1 2.45.1

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.2.2 Version: 3.2.2
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -498,6 +498,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Sat Jun 22 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-3
- Replace HKDF backward compatibility patch with the official one
Related: RHEL-40823
* Wed Jun 12 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-2 * Wed Jun 12 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-2
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers - Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-40823 Resolves: RHEL-40823