From aeab8fe0aafabfb19384dbffab319b32735102a8 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 18 Dec 2023 06:06:57 +0000
Subject: [PATCH] Remove EVP_MD_meth_*() dependency This broken API was added for Erlang's otp-test-engine which was disabled for LibreSSL without explanation shortly afterward. So we can remove this hazard again. Unfortunately, libfido2 started using EVP_MD_meth_dup(), but for no good reason: they dup static data into a buffer that is passed unmodified to EVP_PKEY_CTX_set_signature_md() only to be freed right after. This makes no sense. Rework this and the ifdefery to make it clear that it is OpenSSL who broke API contracts (again), not LibreSSL. ok djm jsing
---
 lib/libfido2/src/rs1.c | 31 ++++---------------------------
 lib/libfido2/src/rs256.c | 31 ++++---------------------------
 2 files changed, 8 insertions(+), 54 deletions(-)
diff --git a/lib/libfido2/src/rs1.c b/lib/libfido2/src/rs1.c
index 134068b1674..326c84c3599 100644
--- a/lib/libfido2/src/rs1.c
+++ b/lib/libfido2/src/rs1.c
@@ -9,25 +9,7 @@
 #include "fido.h"
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050200fL
-static EVP_MD *
-rs1_get_EVP_MD(void)
-{
- const EVP_MD *from;
- EVP_MD *to = NULL;
-
- if ((from = EVP_sha1()) != NULL && (to = malloc(sizeof(*to))) != NULL)
- memcpy(to, from, sizeof(*to));
-
- return (to);
-}
-
-static void
-rs1_free_EVP_MD(EVP_MD *md)
-{
- freezero(md, sizeof(*md));
-}
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
 static EVP_MD *
 rs1_get_EVP_MD(void)
 {
@@ -43,20 +25,15 @@ rs1_free_EVP_MD(EVP_MD *md)
 static EVP_MD *
 rs1_get_EVP_MD(void)
 {
- const EVP_MD *md;
-
- if ((md = EVP_sha1()) == NULL)
- return (NULL);
-
- return (EVP_MD_meth_dup(md));
+ return ((EVP_MD *)EVP_sha1());
 }
 static void
 rs1_free_EVP_MD(EVP_MD *md)
 {
- EVP_MD_meth_free(md);
+ (void)md;
 }
-#endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER */
 int
 rs1_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,
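Review bot: The cast in `return ((EVP_MD *)EVP_sha1());` (second hunk of rs1.c, and identically `EVP_sha256()` in rs256.c) drops the const from libcrypto's static digest, so this branch hands out a borrowed pointer typed as writable, while the OpenSSL >= 3 branch above presumably returns an owned one. Nothing in the hunk tells a later maintainer that the result must never be written through, or released by anything other than `rs1_free_EVP_MD()`, which is a no-op here. I would add `/* borrowed: libcrypto's static SHA-1 method; never modify or free it */` above the return and `/* nothing to release: md is static data */` next to `(void)md;`. The callers are outside the hunk, so whether they still check for a NULL return is not visible here.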
diff --git a/lib/libfido2/src/rs256.c b/lib/libfido2/src/rs256.c
index 95bae167a17..400d063132e 100644
--- a/lib/libfido2/src/rs256.c
+++ b/lib/libfido2/src/rs256.c
@@ -17,25 +17,7 @@
 #define get0_RSA(x) EVP_PKEY_get0((x))
 #endif
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050200fL
-static EVP_MD *
-rs256_get_EVP_MD(void)
-{
- const EVP_MD *from;
- EVP_MD *to = NULL;
-
- if ((from = EVP_sha256()) != NULL && (to = malloc(sizeof(*to))) != NULL)
- memcpy(to, from, sizeof(*to));
-
- return (to);
-}
-
-static void
-rs256_free_EVP_MD(EVP_MD *md)
-{
- freezero(md, sizeof(*md));
-}
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
 static EVP_MD *
 rs256_get_EVP_MD(void)
 {
@@ -51,20 +33,15 @@ rs256_free_EVP_MD(EVP_MD *md)
 static EVP_MD *
 rs256_get_EVP_MD(void)
 {
- const EVP_MD *md;
-
- if ((md = EVP_sha256()) == NULL)
- return (NULL);
-
- return (EVP_MD_meth_dup(md));
+ return ((EVP_MD *)EVP_sha256());
 }
 static void
 rs256_free_EVP_MD(EVP_MD *md)
 {
- EVP_MD_meth_free(md);
+ (void)md;
 }
-#endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER */
 static int
 decode_bignum(const cbor_item_t *item, void *ptr, size_t len)
--
2.20.1