Fix the SSL_CIPHER_find() function when used with a QCSO
authorMatt Caswell <matt@openssl.org>
Thu, 7 Sep 2023 16:45:49 +0000 (17:45 +0100)
committerTomas Mraz <tomas@openssl.org>
Tue, 12 Sep 2023 13:29:00 +0000 (15:29 +0200)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22011)

include/internal/quic_ssl.h
ssl/quic/quic_impl.c
ssl/quic/quic_local.h
ssl/s3_lib.c
ssl/ssl_local.h

index 260cef87b97632560bbffa5ed4fd8dce53659f99..66cea1bfe12ce5962fa59e26ed187522726d4f6f 100644 (file)
@@ -36,6 +36,7 @@ __owur long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)
 __owur size_t ossl_quic_pending(const SSL *s);
 __owur int ossl_quic_key_update(SSL *s, int update_type);
 __owur int ossl_quic_get_key_update_type(const SSL *s);
+__owur const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p);
 __owur int ossl_quic_num_ciphers(void);
 __owur const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u);
 int ossl_quic_renegotiate_check(SSL *ssl, int initok);
index ca4ef0ebbbbda5c91475f56deff82380ee9ee306..b632ad22db2f86e329415382c64b965285a459ce 100644 (file)
@@ -3535,6 +3535,16 @@ int ossl_quic_renegotiate_check(SSL *ssl, int initok)
     return 0;
 }
 
+const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p)
+{
+    const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
+
+    if ((ciph->algorithm2 & SSL_QUIC) == 0)
+        return NULL;
+
+    return ciph;
+}
+
 /*
  * These functions define the TLSv1.2 (and below) ciphers that are supported by
  * the SSL_METHOD. Since QUIC only supports TLSv1.3 we don't support any.
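Review bot: `ciph` is dereferenced in the `algorithm2` test of `ossl_quic_get_cipher_by_char()` without a NULL check. `ssl3_get_cipher_by_char()` is defined outside this diff, but a lookup by two-byte ID would be expected to return NULL for an ID it does not know, just as this new function returns NULL for "not found". The commit title says this path backs `SSL_CIPHER_find()`, so the ID bytes come from the caller and may ultimately come from a peer; an unrecognised ID would then crash the process instead of yielding NULL. Check the pointer first: `if (ciph == NULL || (ciph->algorithm2 & SSL_QUIC) == 0) return NULL;`.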
index 517904d90f7750b6d0610db2dc7688ca4dd65013..063df7796a2410f6d5539336943fcd1546176c22 100644 (file)
@@ -321,7 +321,7 @@ const SSL_METHOD *func_name(void)  \
                 NULL /* dispatch_alert */, \
                 ossl_quic_ctrl, \
                 ossl_quic_ctx_ctrl, \
-                NULL /* get_cipher_by_char */, \
+                ossl_quic_get_cipher_by_char, \
                 NULL /* put_cipher_by_char */, \
                 ossl_quic_pending, \
                 ossl_quic_num_ciphers, \
index 29af55bc61e8fa06dc50bdbbb4a57940f384e5ec..1f778c342347310b9672133716b02b5b85c3c110 100644 (file)
@@ -47,7 +47,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         TLS1_3_VERSION, TLS1_3_VERSION,
         0, 0,
         SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA256,
+        SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
         128,
         128,
     }, {
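Review bot: Nothing at the table says that `SSL_QUIC` in this field (presumably `algorithm2`, going by the test in `ossl_quic_get_cipher_by_char()`) acts as an allow-list marker. A TLSv1.3 suite added later without the bit would be silently rejected by the QUIC lookup, and one that picked it up by copy-paste would be accepted. A comment at the top of `tls13_ciphers[]` would make the contract explicit, e.g. `/* SSL_QUIC marks suites the QUIC method returns from get_cipher_by_char; set it only for suites the QUIC record layer implements */`. The same applies to the entries changed in the hunks at `@@ -62` and `@@ -78`. The array begins and ends outside these hunks, so whether the remaining entries are meant to stay unmarked cannot be confirmed from here.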
@@ -62,7 +62,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         TLS1_3_VERSION, TLS1_3_VERSION,
         0, 0,
         SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA384,
+        SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC,
         256,
         256,
     },
@@ -78,7 +78,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         TLS1_3_VERSION, TLS1_3_VERSION,
         0, 0,
         SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA256,
+        SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
         256,
         256,
     },
index 29715781ee90ee6feff1b978b1572d742ceef3d7..d1ef358932e00dae7785fad0035e8a7f8597818c 100644 (file)
  */
 # define TLS1_TLSTREE 0x20000
 
+/* Ciphersuite supported in QUIC */
+# define SSL_QUIC                0x00040000U
+
 # define SSL_STRONG_MASK         0x0000001FU
 # define SSL_DEFAULT_MASK        0X00000020U