From: Matt Caswell Date: Tue, 11 Aug 2020 10:50:04 +0000 (+0100) Subject: Ensure libssl creates libctx aware MAC keys X-Git-Tag: openssl-3.0.0-alpha7~454 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f0bd6ca1c675503962e4580e54ceecd078a8331;p=thirdparty%2Fopenssl.git Ensure libssl creates libctx aware MAC keys Convert various mac key creation function calls to use the _with_libctx variants. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12637) --- diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 1a8e3cf829a..c842e20fbfa 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1598,8 +1598,10 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, goto err; } - mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, - hashsize); + mackey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + finishedkey, + hashsize); if (mackey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 3eeafef828f..b5cd34b6462 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -771,10 +771,11 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, /* Verify the HMAC of the cookie */ hctx = EVP_MD_CTX_create(); - pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext - .cookie_hmac_key)); + pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { EVP_MD_CTX_free(hctx); EVP_PKEY_free(pkey); 
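Review bot: In tls_psk_do_binder the key type is now the string literal `"HMAC"` where the old call used the compile-checked constant `EVP_PKEY_HMAC`, and the same `s->ctx->libctx, "HMAC", s->ctx->propq` argument triple is repeated in tls_parse_ctos_cookie, tls_construct_stoc_cookie and tls1_change_cipher_state. A mistyped algorithm name would compile and presumably surface only at runtime as a NULL key. A small internal helper, for example `EVP_PKEY *ssl_hmac_key_new(const SSL *s, const unsigned char *key, size_t len);` (the name is only a suggestion), would keep the algorithm name and the context selection in one place. The function body starts and ends outside this hunk.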
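Review bot: In tls_parse_ctos_cookie the library context and property query are read from `s->ctx`, while the key bytes come from `s->session_ctx->ext.cookie_hmac_key`. Whether the two SSL_CTX pointers can differ on a connection is not visible in this hunk, but if they can, the cookie HMAC is created under the provider selection of a context that does not own the key. tls_construct_stoc_cookie has the same mix. If this is intended, a comment above the call such as `/* libctx/propq deliberately come from s->ctx; only the key lives in session_ctx */` would record it; otherwise pass `s->session_ctx->libctx` and `s->session_ctx->propq` in both places.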
@@ -1863,10 +1864,11 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, /* HMAC the cookie */ hctx = EVP_MD_CTX_create(); - pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext - .cookie_hmac_key)); + pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC", + s->ctx->propq, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, ERR_R_MALLOC_FAILURE); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 8285e5cd27f..2e461870241 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -376,9 +376,21 @@ int tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { - /* TODO(size_t): Convert this function */ - mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, - (int)*mac_secret_size); + if (mac_type == EVP_PKEY_HMAC) { + mac_key = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, + "HMAC", + s->ctx->propq, + mac_secret, + *mac_secret_size); + } else { + /* + * If its not HMAC then the only other types of MAC we support are + * the GOST MACs, so we need to use the old style way of creating + * a MAC key. + */ + mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, + (int)*mac_secret_size); + } if (mac_key == NULL || EVP_DigestSignInit_with_libctx(mac_ctx, NULL, EVP_MD_name(m), s->ctx->libctx, s->ctx->propq,
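Review bot: The failure branch after the new call in tls_construct_stoc_cookie still reports `ERR_R_MALLOC_FAILURE` when `pkey == NULL`. With the libctx-aware constructor a NULL return can presumably also mean that no HMAC implementation matched `s->ctx->propq`, so reporting an allocation failure would mislead anyone debugging a provider or property-query misconfiguration. Consider checking the two pointers separately and reporting `ERR_R_INTERNAL_ERROR` for the key case, as tls_psk_do_binder does for its `mackey == NULL` check. The function body starts and ends outside this hunk.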
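Review bot: The `else` branch in tls1_change_cipher_state creates the non-HMAC key with `EVP_PKEY_new_mac_key(mac_type, NULL, ...)`, which takes neither `s->ctx->libctx` nor `s->ctx->propq`, while the `EVP_DigestSignInit_with_libctx` call right after it uses both. The new comment explains why the old call stays, but not that this path bypasses the configured library context and property query, which matters to anyone relying on a property string to restrict implementations. I would add the line `* This path does not honour s->ctx->libctx or s->ctx->propq.` to the comment and correct its wording to `If it's not HMAC`. The `TODO(size_t)` marker was dropped although the `(int)` cast of `*mac_secret_size` remains on this branch, so the TODO should stay there. The function starts and ends outside the hunk.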