Bug 2215856

Summary: openssl kdf.h header is broken
Product: Red Hat Enterprise Linux 8 Reporter: Peter van Dijk (PowerDNS) <peter.van.dijk>
Component: opensslAssignee: Dmitry Belyavskiy <dbelyavs>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 8.8CC: cllang
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter van Dijk (PowerDNS) 2023-06-19 08:38:30 UTC 
Description of problem:

a powerdns users reported a missing feature in our builds for EL8 - see the story at https://github.com/PowerDNS/pdns/issues/12926

Apparently, some code from openssl3 was backported to 1.1.1, but never updated to incorporate fixes that were done after the backport.

Version-Release number of selected component (if applicable):
openssl-devel-1.1.1k-9.el8_7.x86_64

How reproducible:
100%


Steps to Reproduce:
1. try to compile a C program that has #include <openssl/kdf.h>

Actual results:

/usr/include/openssl/kdf.h:33:46: error: unknown type name 'va_list'
/usr/include/openssl/kdf.h:35:1: note: 'size_t' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?



Expected results:
successful compile

Additional info:
copied from the pdns ticket:

As far as I can tell this does not match any released version of OpenSSL..
EVP_KDF_vctrl was added in openssl/openssl@5a285ad before openssl-3.0.0-alpha1 but the header issue was quickly fixed by openssl/openssl@0cf5c6a (also before 3.0.0-alpha1) and the function was completely removed by openssl/openssl@fb9e6dd (still before 3.0.0-alpha1). But the log is talking about openssl-1.1.1k-9.el8_7.x86_64.rpm..
Comment 1 Dmitry Belyavskiy 2023-06-28 12:14:17 UTC 
The change is introduced in openssl-1.1.1-evp-kdf.patch

As it's the only complaint during several years, it probably would be better to fix it in PowerDNS downstream. Unfortunately, we don't plan any changes in OpenSSL in 8.x beyond the CVE fixes. 

Sorry for inconvinience