diff options
| author | tb <> | 2021-11-19 18:53:10 +0000 |
|---|---|---|
| committer | tb <> | 2021-11-19 18:53:10 +0000 |
| commit | 3d755921799d0394eade3c0043ddc31a5a71be7c (patch) | |
| tree | ca9c45f564999e1c3b0473915deaf8aff354e8ae /src | |
| parent | 4416af51ae397e0cc3c3a0f3e64d26068bf641b7 (diff) | |
| download | openbsd-3d755921799d0394eade3c0043ddc31a5a71be7c.tar.gz openbsd-3d755921799d0394eade3c0043ddc31a5a71be7c.tar.bz2 openbsd-3d755921799d0394eade3c0043ddc31a5a71be7c.zip | |
libssl: don't reach for pkey->save_type.
For some strange historical reason ECDSA_sign() and ECDSA_verify}() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 4 |
2 files changed, 5 insertions, 5 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index fe864d1cdc..02bd3d5dfe 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.117 2021/10/25 10:01:46 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2427,8 +2427,8 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) | |||
| 2427 | goto err; | 2427 | goto err; |
| 2428 | if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) | 2428 | if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) |
| 2429 | goto err; | 2429 | goto err; |
| 2430 | if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH], | 2430 | if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, |
| 2431 | SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) { | 2431 | signature, &signature_len, pkey->pkey.ec)) { |
| 2432 | SSLerror(s, ERR_R_ECDSA_LIB); | 2432 | SSLerror(s, ERR_R_ECDSA_LIB); |
| 2433 | goto err; | 2433 | goto err; |
| 2434 | } | 2434 | } |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 42f64bf86d..13644c1625 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.123 2021/10/25 10:01:46 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.124 2021/11/19 18:53:10 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2241,7 +2241,7 @@ ssl3_get_cert_verify(SSL *s) | |||
| 2241 | goto fatal_err; | 2241 | goto fatal_err; |
| 2242 | } | 2242 | } |
| 2243 | } else if (pkey->type == EVP_PKEY_EC) { | 2243 | } else if (pkey->type == EVP_PKEY_EC) { |
| 2244 | verify = ECDSA_verify(pkey->save_type, | 2244 | verify = ECDSA_verify(0, |
| 2245 | &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), | 2245 | &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), |
| 2246 | SHA_DIGEST_LENGTH, CBS_data(&signature), | 2246 | SHA_DIGEST_LENGTH, CBS_data(&signature), |
| 2247 | CBS_len(&signature), pkey->pkey.ec); | 2247 | CBS_len(&signature), pkey->pkey.ec); |