From 3d755921799d0394eade3c0043ddc31a5a71be7c Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 19 Nov 2021 18:53:10 +0000
Subject: libssl: don't reach for pkey->save_type.

For some strange historical reason ECDSA_sign() and ECDSA_verify}() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.

ok jsing
---
 src/lib/libssl/ssl_clnt.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/lib/libssl/ssl_clnt.c')

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index fe864d1cdc..02bd3d5dfe 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.117 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2427,8 +2427,8 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 		goto err;
 	if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
 		goto err;
-	if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH],
-	    SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) {
+	if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
+	    signature, &signature_len, pkey->pkey.ec)) {
 		SSLerror(s, ERR_R_ECDSA_LIB);
 		goto err;
 	}
-- 
cgit v1.2.3-55-g6feb