add_hkdf_info: use patched version if fips is enabled (#30)

openssl/openssl#23448 has been fixed in the
openssl upstream and backported to all 3.y branches. However, unpatched
instances of openssl may still contain the bug. This can be the same for
openssl fips providers, which are usually quite stable, and receive only
CVE patches. Using patched version of add_hkdf_info function in FIPS
environment enables this usecase.

Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>

Author: zmiklank

src/hkdf.rs

@@ -107,22 +107,28 @@ impl RustlsHkdfExpander for HkdfExpander {
     }
 }
 
-#[cfg(bugged_add_hkdf_info)]
 fn add_hkdf_info<T>(ctx: &mut PkeyCtxRef<T>, info: &[&[u8]]) -> Result<(), ErrorStack> {
-    // Concatenate the info strings to work around https://github.com/openssl/openssl/issues/23448
-    let infos = info.iter().fold(Vec::new(), |mut acc, i| {
-        acc.extend_from_slice(i);
-        acc
-    });
-    ctx.add_hkdf_info(&infos)
-}
 
-#[cfg(not(bugged_add_hkdf_info))]
-fn add_hkdf_info<T>(ctx: &mut PkeyCtxRef<T>, info: &[&[u8]]) -> Result<(), ErrorStack> {
-    for info in info {
-        ctx.add_hkdf_info(info)?;
+    #[cfg(bugged_add_hkdf_info)]
+    let bugged_version = true;
+
+    #[cfg(not(bugged_add_hkdf_info))]
+    let bugged_version = false;
+
+    if bugged_version || crate::fips::enabled() {
+        // Concatenate the info strings to work around
+        // https://github.com/openssl/openssl/issues/23448
+        let infos = info.iter().fold(Vec::new(), |mut acc, i| {
+            acc.extend_from_slice(i);
+            acc
+        });
+        ctx.add_hkdf_info(&infos)
+    } else {
+        for info in info {
+            ctx.add_hkdf_info(info)?;
+        }
+        Ok(())
     }
-    Ok(())
 }
 
 impl Drop for HkdfExpander {