From d53f31aa805e037f96e1517ba19c439848151edf Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 12 Jun 2024 20:19:44 +0900 Subject: [PATCH] Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers Resolves: RHEL-40823 Signed-off-by: Daiki Ueno --- ...kward-compatibility-with-older-provi.patch | 33 +++++++++++++++++++ openssl.spec | 8 ++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch new file mode 100644 index 0000000..c88588f --- /dev/null +++ b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch @@ -0,0 +1,33 @@ +From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 12 Jun 2024 20:14:04 +0900 +Subject: [PATCH] kdf: Preserve backward compatibility with older providers + +Suggested in: +https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293 +--- + crypto/evp/pmeth_lib.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index 015f756..e776ea5 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); + os_params[1] = OSSL_PARAM_construct_end(); + +- if (!EVP_PKEY_CTX_get_params(ctx, os_params)) ++ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) { ++ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) { ++ /* Older provider that doesn't support gettable parameters */ ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ } + return 0; ++ } + + /* Older provider that doesn't support getting this parameter */ + if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) +-- +2.45.1 + diff --git a/openssl.spec b/openssl.spec index 995e513..409b08f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -157,6 +157,8 @@ Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch Patch121: 0121-FIPS-cms-defaults.patch # KTLS regression, temporary skip tests Patch122: 0122-TMP-KTLS-test-skip.patch +# HKDF regression with older provider implementations +Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -496,6 +498,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Jun 12 2024 Daiki Ueno - 1:3.2.2-2 +- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers + Resolves: RHEL-40823 + * Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1 - Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, and Minerva attack.