RESOLVED FIXED 309679
Missing initialization and error checks in OpenSSL HKDF function
https://bugs.webkit.org/show_bug.cgi?id=309679
Adrien Destugues
Reported 2026-03-11 08:12:35 PDT
The HKDF() function is missing a call to EVP_PKEY_derive_init() as done in this example code: https://docs.openssl.org/master/man3/EVP_PKEY_CTX_set_hkdf_md/#examples (Also it hardcodes to SHA-256 instead of forwarding the algorithm parameter, and it doesn't check the return codes).
Alexey Proskuryakov
Comment 1 2026-03-11 09:17:24 PDT
Thank you for the report! Could you please point to the specific place in WebKit code? Grepping for HKDF returns a lot of hits.
Adrien Destugues
Comment 2 2026-03-11 09:21:28 PDT
This is a ticket associated with the corresponding merge request: https://github.com/WebKit/WebKit/pull/60354
I initially associated it with another existing ticket but was asked to create a separate one.
Alexey Proskuryakov
Comment 3 2026-03-11 09:33:33 PDT
Thank you, makes sense now! I expect that you are planning to update the commit message accordingly.
Radar WebKit Bug Importer
Comment 4 2026-03-18 08:13:11 PDT
EWS
Comment 5 2026-04-28 07:18:45 PDT
Committed 312198@main (e611c7f8a9ff): <https://commits.webkit.org/312198@main> Reviewed commits have been landed. Closing PR #60354 and removing active labels.