diff options
author | Tomas Mraz <tomas@openssl.org> | 2024-06-17 16:48:26 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-06-21 16:42:06 +0200 |
commit | 7433b6c1ae18fbea87c294f7c5415c0342e53d9a (patch) | |
tree | 36ddd89edd2daf6ece39f85da064bc409138d7f5 | |
parent | ae1e12ef1d94cb34e58722b19e8242ded1457269 (diff) |
Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older providers
If there is no get_ctx_params() implemented in the key exchange
provider implementation the fallback will not work. Instead
check the gettable_ctx_params() to see if the fallback should be
performed.
Fixes #24611
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24661)
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
-rw-r--r-- | crypto/evp/pmeth_lib.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index cffd88725c..5cd0c4b27f 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1034,6 +1034,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, int datalen) { OSSL_PARAM os_params[2]; + const OSSL_PARAM *gettables; unsigned char *info = NULL; size_t info_len = 0; size_t info_alloc = 0; @@ -1057,6 +1058,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, return 1; } + /* Check for older provider that doesn't support getting this parameter */ + gettables = EVP_PKEY_CTX_gettable_params(ctx); + if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) + return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, + data, datalen); + /* Get the original value length */ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); os_params[1] = OSSL_PARAM_construct_end(); @@ -1064,9 +1071,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, if (!EVP_PKEY_CTX_get_params(ctx, os_params)) return 0; - /* Older provider that doesn't support getting this parameter */ + /* This should not happen but check to be sure. */ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) - return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); + return 0; info_alloc = os_params[0].return_size + datalen; if (info_alloc == 0) |