TLS connect failure with an engine (OpenSSL 3.0.8)
Manish Patidar
mann.patidar at gmail.com
Tue Nov 21 18:17:38 UTC 2023
Hi,

I am using OpenSSL 3.0.8 with an engine.
We are using an engine for AES GCM encryption/decryption.
During the TLS connection, the connection is failing during change cipher state.
    int tls1_change_cipher_state(SSL *s, int which)
    {
        /* ... */
        if (EVP_CIPHER_get0_provider(c) != NULL
                && !tls_provider_set_tls_params(s, dd, c, m)) {
            /* SSLfatal already called */
            goto err;
        }
        /* ... */
    }

    int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
                                    const EVP_CIPHER *ciph,
                                    const EVP_MD *md)
    {
        /* ... */
        if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        /* ... */
    }

    int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[])
    {
        if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) {
            ctx->iv_len = -1;
            return ctx->cipher->set_ctx_params(ctx->algctx, params);
        }
        return 0;
    }
I think there is some issue here: as ctx->cipher is created from the
engine, set_ctx_params is not set in ctx->cipher.
This check is leading to a drop in the connection.
If we bypass this check, the TLS connection passes.
Is there something missing here? Please let me know how to avoid this issue.
Regards
Manish