Use custom library context for rc4 instead of global default context #3980
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lrstewart
force-pushed
the
rc4_fix
branch
2 times, most recently
from
d4a0db0
to
6841246
Compare
jmayclin
approved these changes
May 4, 2023
toidiu
reviewed
May 4, 2023
lrstewart
commented
May 4, 2023
There was a problem hiding this comment.
I'm wondering if we should just remove the complexity, accept that RC4 is incredibly deprecated, and just drop support if built with Openssl-3.0. I can't imagine that's going to break someone.
That would be this as an alternative: #3982
toidiu
approved these changes
May 4, 2023
toidiu
reviewed
May 4, 2023
dougch
pushed a commit
to dougch/s2n-tls
that referenced
this pull request
May 31, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
We forgot to add Openssl-3.0 to the unit tests, so missed that the newest unit test broke with Openssl-3.0.
The problem is that the default openssl context is global. So when we manually loaded providers so that we could access the legacy RC4 algorithm, that change affected any other uses of openssl within the same process. When we then unloaded those providers, we unloaded them for everyone, and openssl basically stopped working because it had no algorithms.
So instead, I now load the legacy provider required for RC4 into a custom openssl context so that we can retrieve the RC4 algorithm.
Callouts
I put the call to s2n_rc4_init in s2n_cipher_suites_init instead of the base s2n_init method because we have to setup RC4 before we can setup any cipher suites that use RC4. I thought it might be clearer. But maybe I should just put it in s2n_init with a comment?
Testing:
The failing s2n_random_test now passes. I also added some sanity checks to s2n_rc4_test to make sure we're still using RC4 where expected.
I also double checked that the Openssl-3.0 test was actually running (s2nUnitOpenSSL3GCC9 in GeneralBatch).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.