Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers

Resolves: RHEL-40823
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno 2024-06-12 20:19:44 +09:00
parent ed09ce6530
commit d53f31aa80
2 changed files with 40 additions and 1 deletions

View File

@ -0,0 +1,33 @@
From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 12 Jun 2024 20:14:04 +0900
Subject: [PATCH] kdf: Preserve backward compatibility with older providers
Suggested in:
https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293
---
crypto/evp/pmeth_lib.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 015f756..e776ea5 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end();
- if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) {
+ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) {
+ /* Older provider that doesn't support gettable parameters */
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+ }
return 0;
+ }
/* Older provider that doesn't support getting this parameter */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
--
2.45.1

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.2.2 Version: 3.2.2
Release: 1%{?dist} Release: 2%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -157,6 +157,8 @@ Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
Patch121: 0121-FIPS-cms-defaults.patch Patch121: 0121-FIPS-cms-defaults.patch
# KTLS regression, temporary skip tests # KTLS regression, temporary skip tests
Patch122: 0122-TMP-KTLS-test-skip.patch Patch122: 0122-TMP-KTLS-test-skip.patch
# HKDF regression with older provider implementations
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -496,6 +498,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jun 12 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-2
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-40823
* Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1 * Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
- Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, - Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741,
and Minerva attack. and Minerva attack.