From dfb3583fefbf3bb45db9cdfd90faf5e5e5a2d426 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Sat, 22 Jun 2024 10:15:11 +0900
Subject: [PATCH] Replace HKDF backward compatibility patch with the official
 one

Related: RHEL-41261
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 ...kward-compatibility-with-older-provi.patch | 67 +++++++++++++------
 openssl.spec                                  |  6 +-
 2 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
index c88588f..85f97c6 100644
--- a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
+++ b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
@@ -1,33 +1,62 @@
-From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Wed, 12 Jun 2024 20:14:04 +0900
-Subject: [PATCH] kdf: Preserve backward compatibility with older providers
+From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 17 Jun 2024 16:48:26 +0200
+Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
+ providers
 
-Suggested in:
-https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293
+If there is no get_ctx_params() implemented in the key exchange
+provider implementation the fallback will not work. Instead
+check the gettable_ctx_params() to see if the fallback should be
+performed.
+
+Fixes #24611
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+(Merged from https://github.com/openssl/openssl/pull/24661)
+
+(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
 ---
- crypto/evp/pmeth_lib.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
+ crypto/evp/pmeth_lib.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
 
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 015f756..e776ea5 100644
+index 2caff2cd6d..d15e43be05 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
-@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+                                           int datalen)
+ {
+     OSSL_PARAM os_params[2];
++    const OSSL_PARAM *gettables;
+     unsigned char *info = NULL;
+     size_t info_len = 0;
+     size_t info_alloc = 0;
+@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+         return 1;
+     }
+ 
++    /* Check for older provider that doesn't support getting this parameter */
++    gettables = EVP_PKEY_CTX_gettable_params(ctx);
++    if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
++        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
++                                              data, datalen);
++
+     /* Get the original value length */
      os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
      os_params[1] = OSSL_PARAM_construct_end();
- 
--    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
-+    if (!EVP_PKEY_CTX_get_params(ctx, os_params)) {
-+        if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) {
-+            /* Older provider that doesn't support gettable parameters */
-+            return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
-+        }
+@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+     if (!EVP_PKEY_CTX_get_params(ctx, os_params))
          return 0;
-+    }
  
-     /* Older provider that doesn't support getting this parameter */
+-    /* Older provider that doesn't support getting this parameter */
++    /* This should not happen but check to be sure. */
      if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
+-        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
++        return 0;
+ 
+     info_alloc = os_params[0].return_size + datalen;
+     if (info_alloc == 0)
 -- 
 2.45.1
 
diff --git a/openssl.spec b/openssl.spec
index eb5e3c2..a48984d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -505,6 +505,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Jul  1 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-5
+- Replace HKDF backward compatibility patch with the official one
+  Related: RHEL-41261
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:3.2.2-4
 - Bump release for June 2024 mass rebuild