Get rid of the deprecated OpenSSL API

It turns out there is a way to get the uncompressed format from the low-level API, which is not (yet?) deprecated so this removes all of the TODO's for ECDSA keys and moves the EC_KEY structure in the high-level EVP_PKEY. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Norbert Pocs <npocs@redhat.com>
2026-02-04 20:30:38 +09:00 · 2023-01-06 17:25:44 +01:00
parent 02fda2ef80
commit 1eb3df5254
7 changed files with 444 additions and 763 deletions
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -111,11 +111,7 @@ struct ssh_crypto_struct {
 #endif /* WITH_GEX */
 #ifdef HAVE_ECDH
 #ifdef HAVE_OPENSSL_ECC
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * #if OPENSSL_VERSION_NUMBER < 0x30000000L
- */
-#if 1
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
    EC_KEY *ecdh_privkey;
 #else
    EVP_PKEY *ecdh_privkey;
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -25,6 +25,7 @@

 #ifdef HAVE_LIBCRYPTO

+#include "libssh/libssh.h"
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
@@ -32,6 +33,7 @@
 #include <openssl/hmac.h>
 #include <openssl/evp.h>
 #include <openssl/crypto.h>
+#include <openssl/ec.h>

 typedef EVP_MD_CTX* SHACTX;
 typedef EVP_MD_CTX* SHA256CTX;
@@ -116,6 +118,8 @@ typedef BN_CTX* bignum_CTX;
 #define ssh_fips_mode() false
 #endif

+ssh_string pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p);
+int pki_key_ecgroup_name_to_nid(const char *group);
 #endif /* HAVE_LIBCRYPTO */

 #endif /* LIBCRYPTO_H_ */
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -65,17 +65,8 @@ struct ssh_key_struct {
    mbedtls_ecdsa_context *ecdsa;
    void *dsa;
 #elif defined(HAVE_LIBCRYPTO)
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move into the #if above
- */
-# if defined(HAVE_OPENSSL_ECC)
-    EC_KEY *ecdsa;
-# else
-    void *ecdsa;
-# endif /* HAVE_OPENSSL_EC_H */
    /* This holds either ENGINE key for PKCS#11 support or just key in
-     * high-level format required by OpenSSL 3.0 */
+     * high-level format */
    EVP_PKEY *key;
    uint8_t *ed25519_pubkey;
    uint8_t *ed25519_privkey;
@@ -103,7 +94,7 @@ struct ssh_signature_struct {
 #endif /* HAVE_LIBGCRYPT */
 #ifndef HAVE_LIBCRYPTO
    ed25519_signature *ed25519_sig;
-#endif
+#endif /* HAVE_LIBGCRYPT */
    ssh_string raw_sig;

    /* Security Key specific additions */