Accepting request 738263 from home:adamm:node_test

- openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour of EVP_PBE_scrypt. When key output buffer is not provided, only check if the input parameters are in valid range and ignore passphrase/salt fields as they are only used in the actual calculation. OBS-URL: https://build.opensuse.org/request/show/738263 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=44
2019-10-14 11:29:05 +00:00 · 2019-10-14 11:29:05 +00:00 · c8fd3bc915
commit c8fd3bc915
parent 0d52304a01
2 changed files with 65 additions and 0 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Oct 14 08:45:39 UTC 2019 - Adam Majer <adam.majer@suse.de>
+
+- openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour
+  of EVP_PBE_scrypt. When key output buffer is not provided,
+  only check if the input parameters are in valid range and
+  ignore passphrase/salt fields as they are only used in
+  the actual calculation.
+
 -------------------------------------------------------------------
 Wed Sep 11 09:32:16 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>

--- a/openssl-jsc-SLE-8789-backport_KDF.patch
+++ b/openssl-jsc-SLE-8789-backport_KDF.patch
@ -10713,3 +10713,59 @@ Index: openssl-1.1.1d/doc/man7/EVP_KDF_SSHKDF.pod
 +
 +=cut
 +
+Index: openssl-1.1.1d/crypto/evp/pbe_scrypt.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/evp/pbe_scrypt.c
+++ openssl-1.1.1d/crypto/evp/pbe_scrypt.c
+@@ -57,16 +57,26 @@ int EVP_PBE_scrypt(const char *pass, siz
+         EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
+         return 0;
+     }
+-    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
+-            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
+-                            salt, (size_t)saltlen) != 1
+-            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1
+             || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1
+             || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1
+-            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1
+-            || EVP_KDF_derive(kctx, key, keylen) != 1)
+            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1)
+         rv = 0;
+ 
+    /* Only set salt and passphrase when actual key generation is to take place.
+     * Without output key, we are only checking parameter ranges
+     */
+    if (rv && key != NULL) {
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
+                || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
+                                salt, (size_t)saltlen) != 1)
+            rv = 0;
+    }
+
+    if (rv && EVP_KDF_derive(kctx, key, keylen) != 1)
+        rv = 0;
+
+
+     EVP_KDF_CTX_free(kctx);
+     return rv;
+ }
+Index: openssl-1.1.1d/crypto/kdf/scrypt.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/kdf/scrypt.c
+++ openssl-1.1.1d/crypto/kdf/scrypt.c
+@@ -251,12 +251,12 @@ static int kdf_scrypt_ctrl_str(EVP_KDF_I
+ static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+                              size_t keylen)
+ {
+-    if (impl->pass == NULL) {
+    if (key != NULL && impl->pass == NULL) {
+         KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
+         return 0;
+     }
+ 
+-    if (impl->salt == NULL) {
+    if (key != NULL && impl->salt == NULL) {
+         KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
+         return 0;
+     }