diff options
| author | Matt Caswell <matt@openssl.org> | 2020-08-11 11:50:04 +0100 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2020-08-29 17:40:10 +1000 |
| commit | 6f0bd6ca1c675503962e4580e54ceecd078a8331 (patch) | |
| tree | fe64ff3296d1e2dc4d2a57f375b663dbc097b633 /ssl | |
| parent | ada0670bf6c2f67016a55750b1f6b08c54f4242c (diff) | |
Ensure libssl creates libctx aware MAC keys
Convert various mac key creation function calls to use the _with_libctx
variants.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/statem/extensions.c | 6 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 18 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 18 |
3 files changed, 29 insertions, 13 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 1a8e3cf829..c842e20fbf 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1598,8 +1598,10 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, goto err; } - mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, - hashsize); + mackey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + finishedkey, + hashsize); if (mackey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 3eeafef828..b5cd34b646 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -771,10 +771,11 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, /* Verify the HMAC of the cookie */ hctx = EVP_MD_CTX_create(); - pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext - .cookie_hmac_key)); + pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { EVP_MD_CTX_free(hctx); EVP_PKEY_free(pkey); @@ -1863,10 +1864,11 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, /* HMAC the cookie */ hctx = EVP_MD_CTX_create(); - pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext - .cookie_hmac_key)); + pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, ERR_R_MALLOC_FAILURE); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 8285e5cd27..2e46187024 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -376,9 +376,21 @@ int tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { - /* TODO(size_t): Convert this function */ - mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, - (int)*mac_secret_size); + if (mac_type == EVP_PKEY_HMAC) { + mac_key = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, + "HMAC", + s->ctx->propq, + mac_secret, + *mac_secret_size); + } else { + /* + * If its not HMAC then the only other types of MAC we support are + * the GOST MACs, so we need to use the old style way of creating + * a MAC key. + */ + mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, + (int)*mac_secret_size); + } if (mac_key == NULL || EVP_DigestSignInit_with_libctx(mac_ctx, NULL, EVP_MD_name(m), s->ctx->libctx, s->ctx->propq, |