-
-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't attempt to set provider params on an ENGINE based cipher #22864
Conversation
Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX).
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based.
We remove a function that was left behind and is no longer called after the record layer refactor
This is the master/3.2 version. Backport to 3.1/3.0 in #22865 |
int tls_provider_set_tls_params(SSL_CONNECTION *s, EVP_CIPHER_CTX *ctx, | ||
const EVP_CIPHER *ciph, | ||
const EVP_MD *md); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Redundant with ossl_set_tls_provider_parameter()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. The code was moved into the record layer as part of the record layer refactor....but the original got left behind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one question, which doesn't block approval.
This pull request is ready to merge |
Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #22864)
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #22864)
We remove a function that was left behind and is no longer called after the record layer refactor Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #22864)
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #22864) (cherry picked from commit afcc12c)
Pushed to master/3.2. Thanks. |
Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) Signed-off-by: fly2x <fly2x@hitls.org>
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) Signed-off-by: fly2x <fly2x@hitls.org>
We remove a function that was left behind and is no longer called after the record layer refactor Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) Signed-off-by: fly2x <fly2x@hitls.org>
Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) (cherry picked from commit 7765d25ffe4f2a60b2082d469dec3b40f3418024) Signed-off-by: fly2x <fly2x@hitls.org>
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) (cherry picked from commit afcc12c41ad82c5b63194502592de015604dbd47) Signed-off-by: fly2x <fly2x@hitls.org>
We remove a function that was left behind and is no longer called after the record layer refactor Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#22864) (cherry picked from commit e46a6b1a5de0759023c5c9c2143ead4621f20d20) Signed-off-by: fly2x <fly2x@hitls.org>
Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#22864)
If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#22864)
We remove a function that was left behind and is no longer called after the record layer refactor Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#22864)
If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.
We also add a test for this. While working on this issue I spotted some dead code resulting from the record layer refactor that is also removed.