authorMatt Caswell <matt@openssl.org>2020-01-16 13:14:27 +0100
committerMatt Caswell <matt@openssl.org>2020-02-06 12:59:07 +0100
commitc8f6c28a938fc887ee3d2337f09db453e7fb0369 (patch)
tree80fab6c444adfb668fa03edc2297b729757b53c9 /ssl/statem
parentParams: change UTF8 construct calls to avoid explicit strlen(3) calls. (diff)
Explicitly fetch ciphers and digests in libssl
We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and property query string for the SSL_CTX that is being used. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/extensions_clnt.c6
-rw-r--r--ssl/statem/extensions_srvr.c5
-rw-r--r--ssl/statem/statem_clnt.c6
-rw-r--r--ssl/statem/statem_lib.c4
-rw-r--r--ssl/statem/statem_srvr.c2
5 files changed, 12 insertions, 11 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 75fecdeaa6..776473e659 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -981,7 +981,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
if (s->session->ssl_version == TLS1_3_VERSION
&& s->session->ext.ticklen != 0
&& s->session->cipher != NULL) {
- const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
+ const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2);
if (md != NULL) {
/*
@@ -1059,7 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
- mdres = ssl_md(s->session->cipher->algorithm2);
+ mdres = ssl_md(s->ctx, s->session->cipher->algorithm2);
if (mdres == NULL) {
/*
* Don't recognize this cipher so we can't use the session.
@@ -1132,7 +1132,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
return EXT_RETURN_NOT_SENT;
if (s->psksession != NULL) {
- mdpsk = ssl_md(s->psksession->cipher->algorithm2);
+ mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2);
if (mdpsk == NULL) {
/*
* Don't recognize this cipher so we can't use the session.
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index a2a4ae8a6e..999e1cd832 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1238,8 +1238,9 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
}
}
- md = ssl_md(sess->cipher->algorithm2);
- if (md != ssl_md(s->s3.tmp.new_cipher->algorithm2)) {
+ md = ssl_md(s->ctx, sess->cipher->algorithm2);
+ if (!EVP_MD_is_a(md,
+ EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
/* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
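Review bot: The new comparison in tls_parse_ctos_psk passes both ssl_md() results straight into EVP_MD_is_a() and EVP_MD_name() with no NULL check, whereas the pointer comparison it replaces was safe when either lookup returned NULL. Other call sites touched by this commit (the `mdres == NULL` and `mdpsk == NULL` branches in extensions_clnt.c) treat NULL as a possible return, and this path handles a PSK offered by the peer, so a digest that cannot be fetched for this SSL_CTX would presumably be dereferenced here. Consider fetching the second digest into a local, `const EVP_MD *nmd = ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2);`, and guarding with `if (md == NULL || nmd == NULL || !EVP_MD_is_a(md, EVP_MD_name(nmd))) {`. The function body starts and ends outside this hunk, so an earlier guard may exist that is not visible here.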
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index ef53fe7872..e524e62b93 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1376,8 +1376,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
* In TLSv1.3 it is valid for the server to select a different
* ciphersuite as long as the hash is the same.
*/
- if (ssl_md(c->algorithm2)
- != ssl_md(s->session->cipher->algorithm2)) {
+ if (ssl_md(s->ctx, c->algorithm2)
+ != ssl_md(s->ctx, s->session->cipher->algorithm2)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
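Review bot: The TLSv1.3 "hash is the same" check in set_client_ciphersuite still compares the two ssl_md() results by pointer, so if both lookups return NULL the values compare equal and the server's ciphersuite is accepted as digest-compatible. This commit moves the matching server-side check in tls_parse_ctos_psk to a name comparison via EVP_MD_is_a(), which leaves the two sides inconsistent. Whether ssl_md() returns a stable per-context pointer for fetched digests is not visible from this hunk. A minimal hardening is `const EVP_MD *md = ssl_md(s->ctx, c->algorithm2);` followed by `if (md == NULL || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) {`. The enclosing function continues outside the hunk.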
@@ -2337,7 +2337,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
goto err;
}
- if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
+ if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c478bb47aa..c5956ea37c 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -247,7 +247,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
}
pkey = s->s3.tmp.cert->privatekey;
- if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
+ if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -420,7 +420,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
goto err;
}
- if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
+ if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 50eaf69da4..256575f1a0 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2763,7 +2763,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
unsigned char *sigbytes1, *sigbytes2, *tbs;
size_t siglen = 0, tbslen;
- if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
+ if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
/* Should never happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,