Make sure we use the libctx when creating an EVP_PKEY_CTX in libssl

We should use EVP_PKEY_CTX_new_from_pkey() to ensure we use the correct libctx. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11401)
2025-01-30 14:01:55 +08:00 · 2020-03-12 14:49:19 +00:00 · 2020-03-12 14:49:19 +00:00 · d882e4ce56
commit d882e4ce56
parent fc69f32cd6
1 changed files with 28 additions and 3 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -4728,19 +4728,33 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
     */
 # ifndef OPENSSL_NO_DH
    if (gtype == TLS_GROUP_FFDHE)
+#  if 0
+        pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
+#  else
        pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+#  endif
 #  ifndef OPENSSL_NO_EC
    else
-#  endif
-# endif
+#  endif /* OPENSSL_NO_EC */
+# endif /* OPENSSL_NO_DH */
 # ifndef OPENSSL_NO_EC
    {
+        /*
+         * TODO(3.0): When provider based EC key gen is present we can enable
+         * this code.
+         */
        if (gtype == TLS_GROUP_CURVE_CUSTOM)
            pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
        else
+#  if 0
+            pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "EC",
+                                              s->ctx->propq);
+#  else
            pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+#  endif
+
    }
-# endif
+# endif /* OPENSSL_NO_EC */
    if (pctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
                 ERR_R_MALLOC_FAILURE);
@ -4806,7 +4820,11 @@ EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id)
    EVP_PKEY_CTX *pctx = NULL;
    EVP_PKEY *pkey = NULL;
    const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
+#if 0
+    const char *pkey_ctx_name;
+#else
    int pkey_ctx_id;
+#endif

    if (ginf == NULL)
        goto err;
@ -4824,9 +4842,16 @@ EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id)
     * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be
     * provider aware.
     */
+#if 0
+    pkey_ctx_name = (ginf->flags & TLS_GROUP_FFDHE) != 0 ? "DH" : "EC";
+    pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, pkey_ctx_name,
+                                      s->ctx->propq);
+#else
    pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE)
                        ? EVP_PKEY_DH : EVP_PKEY_EC;
    pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL);
+#endif
+
    if (pctx == NULL)
        goto err;
    if (EVP_PKEY_paramgen_init(pctx) <= 0)