-/* $OpenBSD: tls.c,v 1.96 2023/05/25 07:46:21 op Exp $ */
+/* $OpenBSD: tls.c,v 1.97 2023/06/18 11:43:03 op Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey)
{
RSA_METHOD *rsa_method;
- ECDSA_METHOD *ecdsa_method;
+ EC_KEY_METHOD *ecdsa_method;
RSA *rsa = NULL;
EC_KEY *eckey = NULL;
int ret = -1;
break;
case EVP_PKEY_EC:
if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
- ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
+ EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
tls_set_errorx(ctx, "EC key setup failure");
goto err;
}
if (ctx->config->sign_cb != NULL) {
ecdsa_method = tls_signer_ecdsa_method();
if (ecdsa_method == NULL ||
- ECDSA_set_ex_data(eckey, 1, ctx->config) == 0 ||
- ECDSA_set_method(eckey, ecdsa_method) == 0) {
+ EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
+ EC_KEY_set_method(eckey, ecdsa_method) == 0) {
tls_set_errorx(ctx, "failed to setup EC key");
goto err;
}
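Review bot: The ex_data slots `0` and `1` passed to `EC_KEY_set_ex_data` in the `EVP_PKEY_EC` case are bare literals, and nothing in the hunk records which slot holds what or which code reads them back. A short comment above the first call, such as `/* ex_data 0: keypair->pubkey_hash, ex_data 1: ctx->config (read by the sign_cb hook) */`, or a pair of named constants shared with the signer code, would keep writer and reader in step. Both slots hold borrowed pointers on a key obtained with `EVP_PKEY_get1_EC_KEY`, so the comment should also state that `keypair->pubkey_hash` and `ctx->config` must outlive the key. The indexes do not appear to be reserved through `EC_KEY_get_ex_new_index`, so a clash with another ex_data user in the same process is presumably possible and worth confirming. The enclosing `switch` and the rest of the function lie outside the hunk.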
-/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.82 2023/06/18 11:43:03 op Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
RSA_METHOD *tls_signer_rsa_method(void);
-ECDSA_METHOD *tls_signer_ecdsa_method(void);
+EC_KEY_METHOD *tls_signer_ecdsa_method(void);
#define TLS_PADDING_NONE 0
#define TLS_PADDING_RSA_PKCS1 1
-/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */
+/* $OpenBSD: tls_signer.c,v 1.6 2023/06/18 11:43:03 op Exp $ */
/*
* Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
*
return (NULL);
}
-ECDSA_METHOD *
+EC_KEY_METHOD *
tls_signer_ecdsa_method(void)
{
- static ECDSA_METHOD *ecdsa_method = NULL;
+ static EC_KEY_METHOD *ecdsa_method = NULL;
pthread_mutex_lock(&signer_method_lock);
if (ecdsa_method != NULL)
goto out;
- ecdsa_method = calloc(1, sizeof(*ecdsa_method));
+ ecdsa_method = EC_KEY_METHOD_new(NULL);
if (ecdsa_method == NULL)
goto out;
- ecdsa_method->ecdsa_do_sign = tls_ecdsa_do_sign;
- ecdsa_method->name = strdup("libtls ECDSA method");
- if (ecdsa_method->name == NULL) {
- free(ecdsa_method);
- ecdsa_method = NULL;
- }
+ EC_KEY_METHOD_set_sign(ecdsa_method, NULL, NULL, tls_ecdsa_do_sign);
out:
pthread_mutex_unlock(&signer_method_lock);
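Review bot: `EC_KEY_METHOD_new(NULL)` in `tls_signer_ecdsa_method` builds the method from an empty template rather than from the default one, and the `EC_KEY_METHOD_set_sign` call that follows passes NULL for both the `sign` and `sign_setup` slots. If the library does not fall back to defaults for unset slots, an `ECDSA_sign()` on a key carrying this method would presumably fail before `tls_ecdsa_do_sign` is reached, and the other operations on that key (keygen, verify, compute_key) would have no implementation either. I would copy `EC_KEY_get_default_method()` instead, read its `sign` and `sign_setup` with `EC_KEY_METHOD_get_sign`, and replace only the `sign_sig` slot, as sketched below. The function's return statement lies outside the hunk.

```c
	static EC_KEY_METHOD *ecdsa_method = NULL;
	const EC_KEY_METHOD *default_method;
	int (*sign)(int type, const unsigned char *dgst, int dlen,
	    unsigned char *sig, unsigned int *siglen,
	    const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
	int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
	    BIGNUM **kinvp, BIGNUM **rp);

	/* … unchanged: take signer_method_lock, return early if already built … */

	default_method = EC_KEY_get_default_method();
	ecdsa_method = EC_KEY_METHOD_new(default_method);
	if (ecdsa_method == NULL)
		goto out;

	/* Keep the stock sign/sign_setup entry points; override only sign_sig. */
	EC_KEY_METHOD_get_sign(default_method, &sign, &sign_setup, NULL);
	EC_KEY_METHOD_set_sign(ecdsa_method, sign, sign_setup,
	    tls_ecdsa_do_sign);
```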