File openssl-1_1-ossl-sli-018-TLS13-HKDF.patch of Package openssl-1_1

Index: openssl-1.1.1w/crypto/fips/fips_kdf_selftest.c
===================================================================
--- openssl-1.1.1w.orig/crypto/fips/fips_kdf_selftest.c
+++ openssl-1.1.1w/crypto/fips/fips_kdf_selftest.c
@@ -32,7 +32,7 @@ int FIPS_selftest_hkdf(void)
     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
         goto err;
     }
-    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secretSECRETsecretSECRET", (size_t)24) <= 0) {
         goto err;
     }
     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
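Review bot: The lengthened key `"secretSECRETsecretSECRET"` is passed with a hand-counted `(size_t)24` and no comment says why the known-answer input grew; the same applies to the 18-byte secret in the FIPS_selftest_tls hunk further down. Presumably the inputs were extended to meet a minimum key strength for the approved-service indicator, but that cannot be confirmed from the hunk. A one-line comment such as `/* KAT key lengthened to satisfy the minimum approved key size */` above each call would record the reason. FIPS_selftest_hkdf starts and ends outside this hunk.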
@@ -45,7 +45,7 @@ int FIPS_selftest_hkdf(void)
 
     {
         const unsigned char expected[sizeof(out)] = {
-            0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
+            0x4, 0xb6, 0x43, 0x68, 0x62, 0x5c, 0x10, 0x17, 0x1, 0x76
         };
         if (memcmp(out, expected, sizeof(expected))) {
             goto err;
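Review bot: The new expected bytes are written with mixed widths (`0x4` and `0x1` here, `0xe` in the FIPS_selftest_tls vector further down), and the first added line of that TLS vector ends in trailing whitespace. Writing every byte as two hex digits, e.g. `0x04, 0xb6, 0x43, 0x68, 0x62, 0x5c, 0x10, 0x17, 0x01, 0x76`, keeps known-answer vectors easy to compare against a reference output. The enclosing function starts and ends outside the hunk.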
@@ -120,7 +120,7 @@ int FIPS_selftest_tls(void)
         goto err;
 
     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
-                     "secret", (size_t)6) <= 0)
+                     "secretSECRETsecret", (size_t)18) <= 0)
         goto err;
 
     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0)
@@ -131,8 +131,8 @@ int FIPS_selftest_tls(void)
 
     {
         const unsigned char expected[sizeof(out)] = {
-            0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
-            0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
+            0xe8, 0x91, 0x68, 0x49, 0x6d, 0xe5, 0xe, 0x3b, 
+            0x34, 0x49, 0x10, 0xbd, 0x89, 0x42, 0x3d, 0x64
         };
         if (memcmp(out, expected, sizeof(expected))) {
             goto err;
Index: openssl-1.1.1w/crypto/kdf/hkdf.c
===================================================================
--- openssl-1.1.1w.orig/crypto/kdf/hkdf.c
+++ openssl-1.1.1w/crypto/kdf/hkdf.c
@@ -222,9 +222,10 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL
     }
 }
 
-static int kdf_hkdf_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) {
-    return 0; /* can't check whether this is only used for DH / TLS1.3 because
-    this is handled by the application. Thus label HKDF as non-approved. */
+static int kdf_hkdf_fips_sli_is_approved(EVP_KDF_IMPL *impl) {
+    if (impl->key_len < 112)
+        return 0;
+    return 1;
 }
 
 const EVP_KDF_METHOD hkdf_kdf_meth = {
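Review bot: The new check `impl->key_len < 112` in kdf_hkdf_fips_sli_is_approved appears to compare a byte count against a bit threshold. The self-test in this same patch sets the HKDF key with `(size_t)24` for a 24-character string, which suggests key_len is stored in bytes; if so, only keys of 112 bytes or more are reported as approved, and the 24-byte self-test key would itself be flagged non-approved. If the intent is a 112-bit minimum, the comparison should read `if (impl->key_len < 112 / 8)`. The function also drops `const` although it only reads `impl`, and the removed comment's rationale (use outside DH / TLS 1.3 cannot be checked here) is no longer recorded. Keep `const EVP_KDF_IMPL *impl` and add a comment stating what the indicator does and does not verify.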
Index: openssl-1.1.1w/util/libcrypto.num
===================================================================
--- openssl-1.1.1w.orig/util/libcrypto.num
+++ openssl-1.1.1w/util/libcrypto.num
@@ -4650,3 +4650,4 @@ fips_sli_RAND_priv_bytes_is_approved
 FIPS_entropy_init                       6611	1_1_1l	EXIST::FUNCTION:
 FIPS_entropy_cleanup                    6612	1_1_1l	EXIST::FUNCTION:
 OCSP_RESPONSE_check_status              6613	1_1_1l	EXIST::FUNCTION:OCSP
+FIPS_drbg_lock_cleanup                  6614	1_1_1w	EXIST::FUNCTION: