On Tue, Mar 09, 2021 at 10:17:43PM -0500, lingtao.klt wrote:
> In ngx_hkdf_expand, when use OPENSSL, the *pctx need to be free.
>
>
> ```
>
> static ngx_int_t
> ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
> const uint8_t *prk, size_t prk_len, const u_char *info, size_t
> info_len)
> {
> #ifdef OPENSSL_IS_BORINGSSL
> if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
> == 0)
> {
> return NGX_ERROR;
> }
> #else
>
> EVP_PKEY_CTX *pctx;
>
> pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
>
> if (EVP_PKEY_derive_init(pctx) <= 0) {
> return NGX_ERROR;
> }
>
> if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0)
> {
> return NGX_ERROR;
> }
>
> if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
> return NGX_ERROR;
> }
>
> if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
> return NGX_ERROR;
> }
>
> if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
> return NGX_ERROR;
> }
>
> if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
> return NGX_ERROR;
> }
>
> #endif
>
> return NGX_OK;
> }
>
> ```
Thank you for reporting, this was fixed:
http://hg.nginx.org/nginx-quic/rev/1c48629cfa74
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
