Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing

diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index 6e38463..62652f8 100644 (file)
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.38 2021/10/23 13:36:03 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.39 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -534,7 +534,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
        if (pk == NULL)
                goto err;
 
-       i = pk->type;
+       i = EVP_PKEY_id(pk);
        if (i == EVP_PKEY_RSA) {
                ret = SSL_PKEY_RSA;
        } else if (i == EVP_PKEY_EC) {

diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 4c39925..e7de319 100644 (file)
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.86 2021/10/23 20:42:50 beck Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.87 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -229,9 +229,7 @@ ssl_cert_dup(CERT *cert)
 
                if (cert->pkeys[i].privatekey != NULL) {
                        ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
-                       CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
-                       CRYPTO_LOCK_EVP_PKEY);
-
+                       EVP_PKEY_up_ref(ret->pkeys[i].privatekey);
                        switch (i) {
                                /*
                                 * If there was anything special to do for

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 02bd3d5..6fe15dc 100644 (file)
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.119 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1925,6 +1925,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        unsigned char *enc_pms = NULL;
        uint16_t max_legacy_version;
        EVP_PKEY *pkey = NULL;
+       RSA *rsa;
        int ret = -1;
        int enc_len;
        CBB epms;
@@ -1934,8 +1935,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         */
 
        pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509);
-       if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||
-           pkey->pkey.rsa == NULL) {
+       if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
@@ -1953,12 +1953,12 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        pms[1] = max_legacy_version & 0xff;
        arc4random_buf(&pms[2], sizeof(pms) - 2);
 
-       if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {
+       if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
                SSLerror(s, ERR_R_MALLOC_FAILURE);
                goto err;
        }
 
-       enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,
+       enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
            RSA_PKCS1_PADDING);
        if (enc_len <= 0) {
                SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
@@ -2385,6 +2385,7 @@ static int
 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        CBB cbb_signature;
+       RSA *rsa;
        unsigned char data[EVP_MAX_MD_SIZE];
        unsigned char *signature = NULL;
        unsigned int signature_len;
@@ -2395,8 +2396,10 @@ ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
                goto err;
        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
                goto err;
-       if (RSA_sign(NID_md5_sha1, data, data_len, signature,
-           &signature_len, pkey->pkey.rsa) <= 0 ) {
+       if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
+               goto err;
+       if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
+           rsa) <= 0 ) {
                SSLerror(s, ERR_R_RSA_LIB);
                goto err;
        }
@@ -2418,6 +2421,7 @@ static int
 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        CBB cbb_signature;
+       EC_KEY *eckey;
        unsigned char data[EVP_MAX_MD_SIZE];
        unsigned char *signature = NULL;
        unsigned int signature_len;
@@ -2427,8 +2431,10 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
                goto err;
        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
                goto err;
+       if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
+               goto err;
        if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
-           signature, &signature_len, pkey->pkey.ec)) {
+           signature, &signature_len, eckey)) {
                SSLerror(s, ERR_R_ECDSA_LIB);
                goto err;
        }
@@ -2543,15 +2549,15 @@ ssl3_send_client_verify(SSL *s)
                        if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
                            &cert_verify))
                                goto err;
-               } else if (pkey->type == EVP_PKEY_RSA) {
+               } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
                        if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
                                goto err;
-               } else if (pkey->type == EVP_PKEY_EC) {
+               } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
                        if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
                                goto err;
 #ifndef OPENSSL_NO_GOST
-               } else if (pkey->type == NID_id_GostR3410_94 ||
-                   pkey->type == NID_id_GostR3410_2001) {
+               } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
+                   EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
                        if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
                                goto err;
 #endif

diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 765f39d..95c624a 100644 (file)
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.38 2021/11/26 16:41:42 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -246,7 +246,7 @@ static const struct ssl_sigalg *
 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
 {
        /* Default signature algorithms used for TLSv1.2 and earlier. */
-       switch (pkey->type) {
+       switch (EVP_PKEY_id(pkey)) {
        case EVP_PKEY_RSA:
                if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
                        return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
@@ -267,12 +267,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 {
        if (sigalg == NULL || pkey == NULL)
                return 0;
-       if (sigalg->key_type != pkey->type)
+       if (sigalg->key_type != EVP_PKEY_id(pkey))
                return 0;
 
        /* RSA PSS must have a sufficiently large RSA key. */
        if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
-               if (pkey->type != EVP_PKEY_RSA ||
+               if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
                    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
                        return 0;
        }
@@ -286,7 +286,7 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
                return 0;
 
        /* Ensure that curve matches for EC keys. */
-       if (pkey->type == EVP_PKEY_EC) {
+       if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
                if (sigalg->curve_nid == 0)
                        return 0;
                if (EC_GROUP_get_curve_name(EC_KEY_get0_group(

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 13644c1..6b0d85b 100644 (file)
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.124 2021/11/19 18:53:10 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.125 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1727,13 +1727,11 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
        fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff;
 
        pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
-       if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
-           (pkey->pkey.rsa == NULL)) {
+       if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE);
                goto fatal_err;
        }
-       rsa = pkey->pkey.rsa;
 
        pms_len = RSA_size(rsa);
        if (pms_len < SSL_MAX_MASTER_KEY_LENGTH)
@@ -2226,10 +2224,17 @@ ssl3_get_cert_verify(SSL *s)
                        SSLerror(s, SSL_R_BAD_SIGNATURE);
                        goto fatal_err;
                }
-       } else if (pkey->type == EVP_PKEY_RSA) {
+       } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
+               RSA *rsa;
+
+               if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
+                       al = SSL_AD_INTERNAL_ERROR;
+                       SSLerror(s, ERR_R_EVP_LIB);
+                       goto fatal_err;
+               }
                verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify,
                    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
-                   CBS_len(&signature), pkey->pkey.rsa);
+                   CBS_len(&signature), rsa);
                if (verify < 0) {
                        al = SSL_AD_DECRYPT_ERROR;
                        SSLerror(s, SSL_R_BAD_RSA_DECRYPT);
@@ -2240,19 +2245,26 @@ ssl3_get_cert_verify(SSL *s)
                        SSLerror(s, SSL_R_BAD_RSA_SIGNATURE);
                        goto fatal_err;
                }
-       } else if (pkey->type == EVP_PKEY_EC) {
+       } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+               EC_KEY *eckey;
+
+               if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
+                       al = SSL_AD_INTERNAL_ERROR;
+                       SSLerror(s, ERR_R_EVP_LIB);
+                       goto fatal_err;
+               }
                verify = ECDSA_verify(0,
                    &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
                    SHA_DIGEST_LENGTH, CBS_data(&signature),
-                   CBS_len(&signature), pkey->pkey.ec);
+                   CBS_len(&signature), eckey);
                if (verify <= 0) {
                        al = SSL_AD_DECRYPT_ERROR;
                        SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
                        goto fatal_err;
                }
 #ifndef OPENSSL_NO_GOST
-       } else if (pkey->type == NID_id_GostR3410_94 ||
-           pkey->type == NID_id_GostR3410_2001) {
+       } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
+           EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
                unsigned char sigbuf[128];
                unsigned int siglen = sizeof(sigbuf);
                EVP_PKEY_CTX *pctx;

diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 092331a..7853205 100644 (file)
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.183 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.184 2021/11/26 16:41:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -572,16 +572,17 @@ tls1_check_ec_server_key(SSL *s)
        CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
        uint16_t curve_id;
        uint8_t comp_id;
+       EC_KEY *eckey;
        EVP_PKEY *pkey;
        int rv;
 
        if (cpk->x509 == NULL || cpk->privatekey == NULL)
                return (0);
-       if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
+       if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
                return (0);
-       rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
-       EVP_PKEY_free(pkey);
-       if (rv != 1)
+       if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
+               return (0);
+       if ((rv = tls1_set_ec_id(&curve_id, &comp_id, eckey)) != 1)
                return (0);
 
        return tls1_check_ec_key(s, &curve_id, &comp_id);