Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX

When we use an EVP_PKEY_CTX in libssl we should be doing so with the OPENSSL_CTX and property query string that were specified when the SSL_CTX object was first created. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
2025-02-17 14:32:04 +08:00 · 2020-01-15 11:20:58 +00:00 · 2020-01-15 11:20:58 +00:00 · 0f00ed7720
commit 0f00ed7720
parent c8f6c28a93
5 changed files with 23 additions and 11 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -4676,14 +4676,14 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
 }

 /* Generate a private key from parameters */
-EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
+EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm)
 {
    EVP_PKEY_CTX *pctx = NULL;
    EVP_PKEY *pkey = NULL;

    if (pm == NULL)
        return NULL;
-    pctx = EVP_PKEY_CTX_new(pm, NULL);
+    pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pm, s->ctx->propq);
    if (pctx == NULL)
        goto err;
    if (EVP_PKEY_keygen_init(pctx) <= 0)
@ -4716,6 +4716,11 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
        goto err;
    }
    gtype = ginf->flags & TLS_GROUP_TYPE;
+    /*
+     * TODO(3.0): Convert these EVP_PKEY_CTX_new_id calls to ones that take
+     * s->ctx->libctx and s->ctx->propq when keygen has been updated to be
+     * provider aware.
+     */
 # ifndef OPENSSL_NO_DH
    if (gtype == TLS_GROUP_FFDHE)
        pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
@ -4809,6 +4814,11 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id)
        return NULL;
    }

+    /*
+     * TODO(3.0): Convert this EVP_PKEY_CTX_new_id call to one that takes
+     * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be
+     * provider aware.
+     */
    pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE)
                        ? EVP_PKEY_DH : EVP_PKEY_EC;
    pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL);
@ -4855,7 +4865,7 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
        return 0;
    }

-    pctx = EVP_PKEY_CTX_new(privkey, NULL);
+    pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq);

    if (EVP_PKEY_derive_init(pctx) <= 0
        || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@ -2411,7 +2411,7 @@ __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field,
                                 size_t len, DOWNGRADE dgrd);
 __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
                                      int free_pms);
-__owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm);
+__owur EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm);
 __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey,
                      int genmaster);
 __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@ -1728,7 +1728,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
        return EXT_RETURN_FAIL;
    }

-    skey = ssl_generate_pkey(ckey);
+    skey = ssl_generate_pkey(s, ckey);
    if (skey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
                 ERR_R_MALLOC_FAILURE);
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -3049,7 +3049,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
        goto err;
    }

-    ckey = ssl_generate_pkey(skey);
+    ckey = ssl_generate_pkey(s, skey);
    if (ckey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
@ -3107,7 +3107,7 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
        return 0;
    }

-    ckey = ssl_generate_pkey(skey);
+    ckey = ssl_generate_pkey(s, skey);
    if (ckey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
                 ERR_R_MALLOC_FAILURE);
@ -3173,7 +3173,9 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
        return 0;
    }

-    pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
+    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
+                                          X509_get0_pubkey(peer_cert),
+                                          s->ctx->propq);
    if (pkey_ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
                 ERR_R_MALLOC_FAILURE);
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -2568,7 +2568,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
            goto err;
        }

-        s->s3.tmp.pkey = ssl_generate_pkey(pkdhp);
+        s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
        if (s->s3.tmp.pkey == NULL) {
            /* SSLfatal() already called */
            goto err;
@ -3013,7 +3013,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
        return 0;
    }

-    ctx = EVP_PKEY_CTX_new(rsa, NULL);
+    ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, rsa, s->ctx->propq);
    if (ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_MALLOC_FAILURE);
@ -3296,7 +3296,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

-    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
+    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq);
    if (pkey_ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_MALLOC_FAILURE);