linux: fix HKDF TLS key derivation back to OpenSSL 3.0.8

OpenSSL prior to 3.3.1 had an issue with EVP_PKEY_CTX_add1_hkdf_info()
where it acted like a 'set1' function instead of an 'add1' as
documented.  Work around that by building the entire info vector outside
of the OpenSSL API and only calling this function once.

Signed-off-by: Chris Leech <[email protected]>

Author: cleech

src/nvme/linux.c

@@ -703,13 +703,13 @@ static DEFINE_CLEANUP_FUNC(
  * Returns the number of bytes appended to the HKDF info buffer, or -1 on an
  * error.
  */
-__attribute__((format(printf, 2, 3)))
-static int hkdf_info_printf(EVP_PKEY_CTX *ctx, char *fmt, ...)
+__attribute__((format(printf, 3, 4)))
+static int hkdf_info_printf(uint8_t *info, size_t *pos, char *fmt, ...)
 {
-	_cleanup_free_ char *str;
+	_cleanup_free_ char *str = NULL;
+	va_list myargs;
 	uint8_t len;
 	int ret;
-	va_list myargs;
 
 	va_start(myargs, fmt);
 	ret = vasprintf(&str, fmt, myargs);
@@ -719,11 +719,11 @@ static int hkdf_info_printf(EVP_PKEY_CTX *ctx, char *fmt, ...)
 	if (ret > 255)
 		return -1;
 	len = ret;
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx, (unsigned char *)&len, 1) <= 0)
-		return -1;
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx, (unsigned char *)str, len) <= 0)
-		return -1;
-	return (ret + 1);
+	info[*pos] = len;
+	*pos += 1;
+	memcpy(&info[*pos], str, len);
+	*pos += len;
+	return (len + 1);
 }
 
 /*
@@ -760,9 +760,17 @@ static int derive_retained_key(int hmac, const char *hostnqn,
 			       size_t key_len)
 {
 	_cleanup_evp_pkey_ctx_ EVP_PKEY_CTX *ctx = NULL;
+	_cleanup_free_ uint8_t *hkdf_info = NULL;
 	uint16_t length = htons(key_len & 0xFFFF);
 	const EVP_MD *md;
 	size_t hmac_len;
+	size_t pos;
+
+	hkdf_info = malloc(2 + 1 + strlen("tls13 HostNQN") + 256);
+	if (!hkdf_info) {
+		errno = ENOMEM;
+		return -1;
+	}
 
 	if (hmac == NVME_HMAC_ALG_NONE) {
 		memcpy(retained, configured, key_len);
@@ -793,20 +801,20 @@ static int derive_retained_key(int hmac, const char *hostnqn,
 		errno = ENOKEY;
 		return -1;
 	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)&length, 2) <= 0) {
+	*(uint16_t *)&hkdf_info[0] = length;
+	pos = sizeof(uint16_t);
+	if (hkdf_info_printf(hkdf_info, &pos, "tls13 HostNQN") <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
-	if (hkdf_info_printf(ctx, "tls13 HostNQN") <= 0) {
+	if (hkdf_info_printf(hkdf_info, &pos, "%s", hostnqn) <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
-	if (hkdf_info_printf(ctx, "%s", hostnqn) <= 0) {
+	if(EVP_PKEY_CTX_add1_hkdf_info(ctx, hkdf_info, pos) <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
-
 	if (EVP_PKEY_derive(ctx, retained, &key_len) <= 0) {
 		errno = ENOKEY;
 		return -1;
@@ -821,9 +829,17 @@ static int derive_retained_key_compat(int hmac, const char *hostnqn,
 			       size_t key_len)
 {
 	_cleanup_evp_pkey_ctx_ EVP_PKEY_CTX *ctx = NULL;
+	_cleanup_free_ uint8_t *hkdf_info = NULL;
 	uint16_t length = key_len & 0xFFFF;
 	const EVP_MD *md;
 	size_t hmac_len;
+	size_t pos;
+
+	hkdf_info = malloc(2 + strlen("tls13 HostNQN") + 255);
+	if (!hkdf_info) {
+		errno = ENOMEM;
+		return -1;
+	}
 
 	if (hmac == NVME_HMAC_ALG_NONE) {
 		memcpy(retained, configured, key_len);
@@ -854,23 +870,17 @@ static int derive_retained_key_compat(int hmac, const char *hostnqn,
 		errno = ENOKEY;
 		return -1;
 	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)&length, 2) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)"tls13 ", 6) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)"HostNQN", 7) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)hostnqn, strlen(hostnqn)) <= 0) {
+
+	*(uint16_t *)&hkdf_info[0] = length;
+	pos = sizeof(uint16_t);
+	memcpy(&hkdf_info[pos], "tls13 ", 6);
+	pos += 6;
+	memcpy(&hkdf_info[pos], "HostNQN", 7);
+	pos += 7;
+	memcpy(&hkdf_info[pos], hostnqn, strlen(hostnqn));
+	pos += strlen(hostnqn);
+
+	if (EVP_PKEY_CTX_add1_hkdf_info(ctx, hkdf_info, pos) <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
@@ -911,9 +921,17 @@ static int derive_tls_key(int version, unsigned char cipher,
 			  unsigned char *psk, size_t key_len)
 {
 	_cleanup_evp_pkey_ctx_ EVP_PKEY_CTX *ctx = NULL;
+	_cleanup_free_ uint8_t *hkdf_info = NULL;
 	uint16_t length = htons(key_len & 0xFFFF);
 	const EVP_MD *md;
 	size_t hmac_len;
+	size_t pos;
+
+	hkdf_info = malloc(2 + 1 + strlen("tls13 nvme-tls-psk") + 256);
+	if (!hkdf_info) {
+		errno = ENOMEM;
+		return -1;
+	}
 
 	md = select_hmac(cipher, &hmac_len);
 	if (!md || !hmac_len) {
@@ -939,24 +957,21 @@ static int derive_tls_key(int version, unsigned char cipher,
 		errno = ENOKEY;
 		return -1;
 	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)&length, 2) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (hkdf_info_printf(ctx, "tls13 nvme-tls-psk") <= 0) {
+	*(uint16_t *)&hkdf_info[0] = length;
+	pos = sizeof(uint16_t);
+	if (hkdf_info_printf(hkdf_info, &pos, "tls13 nvme-tls-psk") <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
 	switch (version) {
 	case 0:
-		if (hkdf_info_printf(ctx, "%s", context) <= 0) {
+		if (hkdf_info_printf(hkdf_info, &pos, "%s", context) <= 0) {
 			errno = ENOKEY;
 			return -1;
 		}
 		break;
 	case 1:
-		if (hkdf_info_printf(ctx, "%02d %s", cipher, context) <= 0) {
+		if (hkdf_info_printf(hkdf_info, &pos, "%02d %s", cipher, context) <= 0) {
 			errno = ENOKEY;
 			return -1;
 		}
@@ -965,7 +980,10 @@ static int derive_tls_key(int version, unsigned char cipher,
 		errno = ENOKEY;
 		return -1;
 	}
-
+	if(EVP_PKEY_CTX_add1_hkdf_info(ctx, hkdf_info, pos) <= 0) {
+		errno = ENOKEY;
+		return -1;
+	}
 	if (EVP_PKEY_derive(ctx, psk, &key_len) <= 0) {
 		errno = ENOKEY;
 		return -1;
@@ -979,9 +997,17 @@ static int derive_tls_key_compat(int version, unsigned char cipher,
 			  unsigned char *psk, size_t key_len)
 {
 	_cleanup_evp_pkey_ctx_ EVP_PKEY_CTX *ctx = NULL;
+	_cleanup_free_ uint8_t *hkdf_info = NULL;
 	uint16_t length = key_len & 0xFFFF;
 	const EVP_MD *md;
 	size_t hmac_len;
+	size_t pos;
+
+	hkdf_info = malloc(2 + strlen("tls13 nvme-tls-psk") + 255);
+	if (!hkdf_info) {
+		errno = ENOMEM;
+		return -1;
+	}
 
 	md = select_hmac(cipher, &hmac_len);
 	if (!md || !hmac_len) {
@@ -1007,39 +1033,25 @@ static int derive_tls_key_compat(int version, unsigned char cipher,
 		errno = ENOKEY;
 		return -1;
 	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)&length, 2) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)"tls13 ", 6) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)"nvme-tls-psk", 12) <= 0) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (version == 1) {
-		char hash_str[5];
 
-		sprintf(hash_str, "%02d ", cipher);
-		if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-				(const unsigned char *)hash_str,
-				strlen(hash_str)) <= 0) {
-			errno = ENOKEY;
-			return -1;
-		}
+	*(uint16_t *)&hkdf_info[0] = length;
+	pos = sizeof(uint16_t);
+	memcpy(&hkdf_info[pos], "tls13 ", 6);
+	pos += 6;
+	memcpy(&hkdf_info[pos], "nvme-tls-psk", 12);
+	pos += 12;
+
+	if (version == 1) {
+		sprintf((char *)&hkdf_info[pos], "%02d ", cipher);
+		pos += 3;
 	}
-	if (EVP_PKEY_CTX_add1_hkdf_info(ctx,
-			(const unsigned char *)context,
-			strlen(context)) <= 0) {
+	memcpy(&hkdf_info[pos], context, strlen(context));
+	pos += strlen(context);
+
+	if(EVP_PKEY_CTX_add1_hkdf_info(ctx, hkdf_info, pos) <= 0) {
 		errno = ENOKEY;
 		return -1;
 	}
-
 	if (EVP_PKEY_derive(ctx, psk, &key_len) <= 0) {
 		errno = ENOKEY;
 		return -1;