Bug 309679
| Summary: | Missing initialization and error checks in OpenSSL HKDF function | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adrien Destugues <pulkomandy> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ap, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | All | | |
| OS: | All | | |
Adrien Destugues
The HKDF() function is missing a call to EVP_PKEY_derive_init()
as done in this example code: https://docs.openssl.org/master/man3/EVP_PKEY_CTX_set_hkdf_md/#examples
(Also it hardcodes to SHA-256 instead of forwarding the algorithm parameter, and it doesn't check the return codes).
Alexey Proskuryakov
Thank you for the report! Could you please point to the specific place in WebKit code? Grepping for HKDF returns a lot of hits.
Adrien Destugues
This is a ticket associated with the corresponding merge request:
https://github.com/WebKit/WebKit/pull/60354
I initially associated it with another existing ticket but was asked to create a separate one.
Alexey Proskuryakov
Thank you, makes sense now! I expect that you are planning to update the commit message accordingly.
Radar WebKit Bug Importer
<rdar://problem/172833329>
EWS
Committed 312198@main (e611c7f8a9ff): <https://commits.webkit.org/312198@main>
Reviewed commits have been landed. Closing PR #60354 and removing active labels.