author | Matt Caswell <matt@openssl.org> | 2020-03-20 12:37:20 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-03-26 13:46:43 +0000 |
commit | 9727f4e7fd02e55b637058249cd8e1bc80501c7f (patch) | |
tree | 7a40d189d6f7ecffa812eeaff5da3a818bff6686 /ssl/ssl_ciph.c | |
parent | 148bfd26a4c2d0250b77c57acf30cf5c190a1d29 (diff) |
Use a fetched cipher for the TLSv1.3 early secret
We should use an explicitly fetched cipher to ensure that we are using
the correct libctx and property query.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11402)
Diffstat (limited to 'ssl/ssl_ciph.c')
-rw-r--r-- | ssl/ssl_ciph.c | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 64c791636a..23d156a702 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -439,6 +439,32 @@ static int load_builtin_compressions(void)
 }
 #endif
 
+int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
+                              const EVP_CIPHER **enc)
+{
+    int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, sslc->algorithm_enc);
+
+    if (i == -1) {
+        *enc = NULL;
+    } else {
+        if (i == SSL_ENC_NULL_IDX) {
+            /*
+             * We assume we don't care about this coming from an ENGINE so
+             * just do a normal EVP_CIPHER_fetch instead of
+             * ssl_evp_cipher_fetch()
+             */
+            *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq);
+            if (*enc == NULL)
+                return 0;
+        } else {
+            if (!ssl_evp_cipher_up_ref(ctx->ssl_cipher_methods[i]))
+                return 0;
+            *enc = ctx->ssl_cipher_methods[i];
+        }
+    }
+    return 1;
+}
+
 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
                        const EVP_CIPHER **enc, const EVP_MD **md,
                        int *mac_pkey_type, size_t *mac_secret_size,
@@ -474,24 +500,8 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
     if ((enc == NULL) || (md == NULL))
         return 0;
 
-    i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
-
-    if (i == -1) {
-        *enc = NULL;
-    } else {
-        if (i == SSL_ENC_NULL_IDX) {
-            /*
-             * We assume we don't care about this coming from an ENGINE so
-             * just do a normal EVP_CIPHER_fetch instead of
-             * ssl_evp_cipher_fetch()
-             */
-            *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq);
-        } else {
-            if (!ssl_evp_cipher_up_ref(ctx->ssl_cipher_methods[i]))
-                return 0;
-            *enc = ctx->ssl_cipher_methods[i];
-        }
-    }
+    if (!ssl_cipher_get_evp_cipher(ctx, c, enc))
+        return 0;
 
     i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
     if (i == -1) {
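Review bot: The new ssl_cipher_get_evp_cipher() in the first hunk hands the caller an owned reference (a fresh EVP_CIPHER_fetch() on the NULL-cipher path, an up-ref of ctx->ssl_cipher_methods[i] otherwise) but carries no comment saying so, and it also returns 1 with *enc set to NULL when the table lookup yields -1, so a successful return does not guarantee a usable cipher. I would add above the definition: `/* Sets *enc to a reference the caller owns and must release, or to NULL if no cipher is known for sslc. Returns 0 on fetch/up-ref failure, in which case *enc must not be used. */`. On the caller side (second hunk), ssl_cipher_get_evp() continues outside the hunk, so every later failure return in it must release the reference obtained here; that is worth re-checking now that the fetch path can also fail. The `int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, sslc->algorithm_enc);` line runs to 81 columns by my count, one over the project's 80-column limit, so wrapping the second argument onto its own line keeps it in style.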