libtls: unbreak with OpenSSL 3.x

In OpenSSL 3.x due to a behaviour change EVP_PKEY_get1_EC_KEY() returns a cashed copy of the provider's key, so subsequent updates are not reflected back breaking the privsep usage and making the handshake fail with a cryptic "missing private key". Instead, we have to set the changed key explicitly. See #1171
OpenSMTPD · May 13, 2023 · a2cf739 · a2cf739
1 parent 35f7a4a
commit a2cf739
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/openbsd-compat/libtls/tls.c b/openbsd-compat/libtls/tls.c
@@ -399,21 +399,24 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 	switch (EVP_PKEY_id(pkey)) {
 	case EVP_PKEY_RSA:
 		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
-		    RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
+		    RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0 ||
+		    EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
 			tls_set_errorx(ctx, "RSA key setup failure");
 			goto err;
 		}
 		break;
 	case EVP_PKEY_EC:
 #if defined(SUPPORT_ECDSA)
 		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
-		    ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
+		    ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0 ||
+		    EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
 			tls_set_errorx(ctx, "EC key setup failure");
 			goto err;
 		}
 #else
 		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
-		    EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
+		    EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0 ||
+		    EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
 			tls_set_errorx(ctx, "EC key setup failure");
 			goto err;
 		}