jeredfloyd commented on issue #7341: URL: https://github.com/apache/trafficserver/issues/7341#issuecomment-1151613445
This commit to OpenSSL (https://github.com/openssl/openssl/commit/5a285addbf39f91d567f95f04b2b41764127950d#diff-08361b6b082f3fc0700d4c885eb97ba8fe8c8b18df13ad1d169558313ae373e3) changed the behavior of EVP_PKEY_derive() to require the output buffer be the exact size of the output data.

The documentation (https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_derive.html) still states:

> If key is not NULL then before the call the keylen parameter should contain the length of the key buffer, if the call is successful the shared secret is written to key and the amount of data written to keylen.

However the code now says:

```
if (prk_len != (size_t)EVP_MD_size(evp_md)) {
    KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);
    return 0;
}
```

I'll verify that usage of the HKDF functions still works, and patch the test to use correct buffer sizes. (And report to OpenSSL the doc inconsistency.)
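An added Python model of the size contract described in the comment above (not code from the comment, Apache Traffic Server, or OpenSSL): it applies the quoted check to RFC 5869 HKDF-Extract and shows why a caller that always passes one fixed buffer length passes or fails depending on the digest. The function names, the exception class and the sample inputs are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# OpenSSL's EVP_MAX_MD_SIZE; a common size for a "big enough" digest buffer.
EVP_MAX_MD_SIZE = 64


class WrongOutputBufferSize(ValueError):
    """Stand-in for KDF_R_WRONG_OUTPUT_BUFFER_SIZE (hypothetical name)."""


def hkdf_extract_strict(md_name, salt, ikm, key_buf_len):
    """Model of extract-only HKDF with the strict check quoted in the comment.

    key_buf_len plays the role of *keylen on entry. This is RFC 5869
    HKDF-Extract in plain Python, not a call into OpenSSL.
    """
    md_size = hashlib.new(md_name).digest_size
    if key_buf_len != md_size:  # mirrors: prk_len != EVP_MD_size(evp_md)
        raise WrongOutputBufferSize(
            f"{md_name}: buffer is {key_buf_len} bytes, PRK is {md_size}")
    if not salt:
        salt = bytes(md_size)  # RFC 5869: absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, md_name).digest()


def derive_prk(md_name, salt, ikm):
    """Caller pattern that satisfies the check: size the buffer from the digest."""
    return hkdf_extract_strict(md_name, salt, ikm,
                               hashlib.new(md_name).digest_size)


def audit_fixed_buffer(buf_len, digests=("sha256", "sha384", "sha512")):
    """Report which digests accept a caller that always passes buf_len."""
    results = {}
    for name in digests:
        try:
            # Constructed sample salt and input keying material.
            hkdf_extract_strict(name, b"salt", b"constructed input key", buf_len)
            results[name] = True
        except WrongOutputBufferSize:
            results[name] = False
    return results


if __name__ == "__main__":
    print(audit_fixed_buffer(EVP_MAX_MD_SIZE))
```

A 64-byte buffer happens to match SHA-512, so a test written against that digest alone would not expose the stricter check.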
