From: tb Date: Fri, 19 Nov 2021 18:53:10 +0000 (+0000) Subject: libssl: don't reach for pkey->save_type. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7aaded86f9f3587cb266a6a48ae43ea799bfa0c0;p=openbsd libssl: don't reach for pkey->save_type. For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing --- diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index fe864d1cdcb..02bd3d5dfe1 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.117 2021/10/25 10:01:46 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2427,8 +2427,8 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) goto err; if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) goto err; - if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH], - SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) { + if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, + signature, &signature_len, pkey->pkey.ec)) { SSLerror(s, ERR_R_ECDSA_LIB); goto err; } diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 42f64bf86d4..13644c16253 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.123 2021/10/25 10:01:46 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.124 2021/11/19 18:53:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2241,7 +2241,7 @@ ssl3_get_cert_verify(SSL *s) goto fatal_err; } } else if (pkey->type == EVP_PKEY_EC) { - verify = ECDSA_verify(pkey->save_type, + verify = ECDSA_verify(0, &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH, CBS_data(&signature), CBS_len(&signature), pkey->pkey.ec);