Remove EVP_MD_meth_*() dependency

This broken API was added for Erlang's otp-test-engine which was disabled
for LibreSSL without explanation shortly afterward. So we can remove this
hazard again.

Unfortunately, libfido2 started using EVP_MD_meth_dup(), but for no good
reason: they dup static data into a buffer that is passed unmodified to
EVP_PKEY_CTX_set_signature_md() only to be freed right after. This makes
no sense.

Rework this and the ifdefery to make it clear that it is OpenSSL who broke
API contracts (again), not LibreSSL.

ok djm jsing

diff --git a/lib/libfido2/src/rs1.c b/lib/libfido2/src/rs1.c
index 134068b..326c84c 100644 (file)
--- a/lib/libfido2/src/rs1.c
+++ b/lib/libfido2/src/rs1.c
@@ -9,25 +9,7 @@
 
 #include "fido.h"
 
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050200fL
-static EVP_MD *
-rs1_get_EVP_MD(void)
-{
-       const EVP_MD *from;
-       EVP_MD *to = NULL;
-
-       if ((from = EVP_sha1()) != NULL && (to = malloc(sizeof(*to))) != NULL)
-               memcpy(to, from, sizeof(*to));
-
-       return (to);
-}
-
-static void
-rs1_free_EVP_MD(EVP_MD *md)
-{
-       freezero(md, sizeof(*md));
-}
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
 static EVP_MD *
 rs1_get_EVP_MD(void)
 {
@@ -43,20 +25,15 @@ rs1_free_EVP_MD(EVP_MD *md)
 static EVP_MD *
 rs1_get_EVP_MD(void)
 {
-       const EVP_MD *md;
-
-       if ((md = EVP_sha1()) == NULL)
-               return (NULL);
-
-       return (EVP_MD_meth_dup(md));
+       return ((EVP_MD *)EVP_sha1());
 }
 
 static void
 rs1_free_EVP_MD(EVP_MD *md)
 {
-       EVP_MD_meth_free(md);
+       (void)md;
 }
-#endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER */
 
 int
 rs1_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,

diff --git a/lib/libfido2/src/rs256.c b/lib/libfido2/src/rs256.c
index 95bae16..400d063 100644 (file)
--- a/lib/libfido2/src/rs256.c
+++ b/lib/libfido2/src/rs256.c
@@ -17,25 +17,7 @@
 #define get0_RSA(x)    EVP_PKEY_get0((x))
 #endif
 
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050200fL
-static EVP_MD *
-rs256_get_EVP_MD(void)
-{
-       const EVP_MD *from;
-       EVP_MD *to = NULL;
-
-       if ((from = EVP_sha256()) != NULL && (to = malloc(sizeof(*to))) != NULL)
-               memcpy(to, from, sizeof(*to));
-
-       return (to);
-}
-
-static void
-rs256_free_EVP_MD(EVP_MD *md)
-{
-       freezero(md, sizeof(*md));
-}
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
 static EVP_MD *
 rs256_get_EVP_MD(void)
 {
@@ -51,20 +33,15 @@ rs256_free_EVP_MD(EVP_MD *md)
 static EVP_MD *
 rs256_get_EVP_MD(void)
 {
-       const EVP_MD *md;
-
-       if ((md = EVP_sha256()) == NULL)
-               return (NULL);
-
-       return (EVP_MD_meth_dup(md));
+       return ((EVP_MD *)EVP_sha256());
 }
 
 static void
 rs256_free_EVP_MD(EVP_MD *md)
 {
-       EVP_MD_meth_free(md);
+       (void)md;
 }
-#endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER */
 
 static int
 decode_bignum(const cbor_item_t *item, void *ptr, size_t len)