Fix the SSL_CIPHER_find() function when used with a QCSO

Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22011)
2025-01-18 13:44:20 +08:00 · 2023-09-07 17:45:49 +01:00 · 2023-09-07 17:45:49 +01:00 · 547ea58821
commit 547ea58821
parent 1e4fc0b2e5
5 changed files with 18 additions and 4 deletions
--- a/include/internal/quic_ssl.h
+++ b/include/internal/quic_ssl.h
@ -36,6 +36,7 @@ __owur long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)
 __owur size_t ossl_quic_pending(const SSL *s);
 __owur int ossl_quic_key_update(SSL *s, int update_type);
 __owur int ossl_quic_get_key_update_type(const SSL *s);
+__owur const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p);
 __owur int ossl_quic_num_ciphers(void);
 __owur const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u);
 int ossl_quic_renegotiate_check(SSL *ssl, int initok);
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@ -3535,6 +3535,16 @@ int ossl_quic_renegotiate_check(SSL *ssl, int initok)
    return 0;
 }

+const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p)
+{
+    const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
+
+    if ((ciph->algorithm2 & SSL_QUIC) == 0)
+        return NULL;
+
+    return ciph;
+}
+
 /*
 * These functions define the TLSv1.2 (and below) ciphers that are supported by
 * the SSL_METHOD. Since QUIC only supports TLSv1.3 we don't support any.
--- a/ssl/quic/quic_local.h
+++ b/ssl/quic/quic_local.h
@ -321,7 +321,7 @@ const SSL_METHOD *func_name(void)  \
                NULL /* dispatch_alert */, \
                ossl_quic_ctrl, \
                ossl_quic_ctx_ctrl, \
-                NULL /* get_cipher_by_char */, \
+                ossl_quic_get_cipher_by_char, \
                NULL /* put_cipher_by_char */, \
                ossl_quic_pending, \
                ossl_quic_num_ciphers, \
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -47,7 +47,7 @@ static SSL_CIPHER tls13_ciphers[] = {
        TLS1_3_VERSION, TLS1_3_VERSION,
        0, 0,
        SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA256,
+        SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
        128,
        128,
    }, {
@ -62,7 +62,7 @@ static SSL_CIPHER tls13_ciphers[] = {
        TLS1_3_VERSION, TLS1_3_VERSION,
        0, 0,
        SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA384,
+        SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC,
        256,
        256,
    },
@ -78,7 +78,7 @@ static SSL_CIPHER tls13_ciphers[] = {
        TLS1_3_VERSION, TLS1_3_VERSION,
        0, 0,
        SSL_HIGH,
-        SSL_HANDSHAKE_MAC_SHA256,
+        SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
        256,
        256,
    },
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@ -236,6 +236,9 @@
 */
 # define TLS1_TLSTREE 0x20000

+/* Ciphersuite supported in QUIC */
+# define SSL_QUIC                0x00040000U
+
 # define SSL_STRONG_MASK         0x0000001FU
 # define SSL_DEFAULT_MASK        0X00000020U