libtls: unbreak with OpenSSL 3.x
In OpenSSL 3.x due to a behaviour change EVP_PKEY_get1_EC_KEY() returns
a cached copy of the provider's key, so subsequent updates are not
reflected back breaking the privsep usage and making the handshake fail
with a cryptic "missing private key".  Instead, we have to set the
changed key explicitly.

See #1171
omar-polo committed May 13, 2023
1 parent 35f7a4a commit a2cf739
Showing 1 changed file with 6 additions and 3 deletions.
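--- a/openbsd-compat/libtls/tls.c
+++ b/openbsd-compat/libtls/tls.c
@@ -399,21 +399,24 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 switch (EVP_PKEY_id(pkey)) {
 case EVP_PKEY_RSA:
 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
-RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
+RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0 ||
+EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
 tls_set_errorx(ctx, "RSA key setup failure");
 goto err;
 }
 break;
 case EVP_PKEY_EC:
 #if defined(SUPPORT_ECDSA)
 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
-ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
+ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0 ||
+EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
 tls_set_errorx(ctx, "EC key setup failure");
 goto err;
 }
 #else
 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
-EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
+EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0 ||
+EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
 tls_set_errorx(ctx, "EC key setup failure");
 goto err;
 }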
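Review bot: The reason for the added `EVP_PKEY_set1_RSA(pkey, rsa)` and `EVP_PKEY_set1_EC_KEY(pkey, eckey)` calls lives only in the commit message; a comment above the `switch` would keep it with the code, e.g. `/* OpenSSL 3 get1 returns a copy of the provider key, so the ex_data must be written back with set1 or the handshake sees no pubkey_hash */`. Both the get1 and the set1 calls take their own reference, so the local `rsa`/`eckey` still has to be released on the success path and at `err` regardless of which condition in the `||` chain failed; tls_keypair_setup_pkey's tail and the `err` label are outside the hunk, so I could not confirm that happens. The same applies to both EC branches.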
