From 0f00ed7720257512924a7c891336d66e1c1083fa Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 15 Jan 2020 11:20:58 +0000 Subject: [PATCH] Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX When we use an EVP_PKEY_CTX in libssl we should be doing so with the OPENSSL_CTX and property query string that were specified when the SSL_CTX object was first created. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10854) --- ssl/s3_lib.c | 16 +++++++++++++--- ssl/ssl_local.h | 2 +- ssl/statem/extensions_srvr.c | 2 +- ssl/statem/statem_clnt.c | 8 +++++--- ssl/statem/statem_srvr.c | 6 +++--- 5 files changed, 23 insertions(+), 11 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f5e313b21f..706290be9b 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4676,14 +4676,14 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, } /* Generate a private key from parameters */ -EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) +EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; if (pm == NULL) return NULL; - pctx = EVP_PKEY_CTX_new(pm, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pm, s->ctx->propq); if (pctx == NULL) goto err; if (EVP_PKEY_keygen_init(pctx) <= 0) @@ -4716,6 +4716,11 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) goto err; } gtype = ginf->flags & TLS_GROUP_TYPE; + /* + * TODO(3.0): Convert these EVP_PKEY_CTX_new_id calls to ones that take + * s->ctx->libctx and s->ctx->propq when keygen has been updated to be + * provider aware. + */ # ifndef OPENSSL_NO_DH if (gtype == TLS_GROUP_FFDHE) pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); @@ -4809,6 +4814,11 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) return NULL; } + /* + * TODO(3.0): Convert this EVP_PKEY_CTX_new_id call to one that takes + * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be + * provider aware. + */ pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE) ? EVP_PKEY_DH : EVP_PKEY_EC; pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL); @@ -4855,7 +4865,7 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) return 0; } - pctx = EVP_PKEY_CTX_new(privkey, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq); if (EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0 diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index eefc4ea31d..31c01328ce 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2411,7 +2411,7 @@ __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, size_t len, DOWNGRADE dgrd); __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, int free_pms); -__owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm); +__owur EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm); __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int genmaster); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 999e1cd832..36201c68e4 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1728,7 +1728,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } - skey = ssl_generate_pkey(ckey); + skey = ssl_generate_pkey(s, ckey); if (skey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e524e62b93..ba2fe0802d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -3049,7 +3049,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) goto err; } - ckey = ssl_generate_pkey(skey); + ckey = ssl_generate_pkey(s, skey); if (ckey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); @@ -3107,7 +3107,7 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) return 0; } - ckey = ssl_generate_pkey(skey); + ckey = ssl_generate_pkey(s, skey); if (ckey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE); @@ -3173,7 +3173,9 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) return 0; } - pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); + pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, + X509_get0_pubkey(peer_cert), + s->ctx->propq); if (pkey_ctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 256575f1a0..ab032ae956 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2568,7 +2568,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) goto err; } - s->s3.tmp.pkey = ssl_generate_pkey(pkdhp); + s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp); if (s->s3.tmp.pkey == NULL) { /* SSLfatal() already called */ goto err; @@ -3013,7 +3013,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) return 0; } - ctx = EVP_PKEY_CTX_new(rsa, NULL); + ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, rsa, s->ctx->propq); if (ctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE); @@ -3296,7 +3296,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; } - pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); + pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq); if (pkey_ctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE); -- 2.34.1