Use the correct length value for input salt

In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.

If prevsecretlen is > mdlen this will cause incorrect salt expansion; if
prevsecretlen < mdlen this could cause a crash or reading random
information. In both cases the generated output would be incorrect.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)

(cherry picked from commit 5c91f70ba8)
Simo Sorce 2024-09-30 09:25:48 -04:00 committed by Tomas Mraz
parent 2b19a76914
commit 3c2b5256b5
2 changed files with 11 additions and 1 deletions


@ -669,7 +669,7 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
EVP_MD_CTX_free(mctx);
/* Generate the pre-extract secret */
if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen,
if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen,
prefix, prefixlen, label, labellen,
hash, mdlen, preextractsec, mdlen))
return 0;
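Review bot: at the prov_tls13_hkdf_expand call, the key length now follows prevsecretlen, so the call is only correct if prevsecretlen always describes the buffer that prevsecret points at when this line runs. The commit message says the salt can also be a zero buffer of exactly mdlen; the code that chooses between the two cases is outside the visible context, so please confirm that path either sets prevsecretlen to match or never reaches this call. Extending the existing comment above the call to note that prevsecret may be of any length would record why mdlen is not used for the key here while it still is for the hash and output lengths.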


@ -4935,3 +4935,13 @@ Ctrl.mode = mode:EXTRACT_AND_EXPAND
Ctrl.digest = digest:SHA256
Result = KDF_CTRL_ERROR
# Test that salt of arbitrary length works
FIPSversion = >=3.4.0
KDF = TLS13-KDF
Ctrl.mode = mode:EXTRACT_ONLY
Ctrl.digest = digest:SHA2-256
Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
Ctrl.salt = hexsalt:00010203040506070809000102030405060708090001020304050607080900010203040506070809
Ctrl.prefix = hexprefix:746c73313320
Ctrl.label = hexlabel:64657269766564
Output = ef0aa4925ab6f4588759e15dfadcf7602ca7aa39ebb092bd7ab48f6a68c54449
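Review bot: the new vector only exercises a salt longer than the SHA2-256 digest (Ctrl.salt is 40 bytes), while the commit message names prevsecretlen < mdlen as the case that could crash or read unrelated memory. Add a second vector with a salt shorter than 32 bytes so the over-read case has a regression test as well, and reword the "arbitrary length" comment to say which length relation each vector covers.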