Various warning fixes

ssh-ecdsa-sk.c

@@ -236,7 +236,6 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
     struct sshkey_sig_details **detailsp)
 {
 	ECDSA_SIG *esig = NULL;
-	EVP_MD_CTX *md_ctx = NULL;
 	BIGNUM *sig_r = NULL, *sig_s = NULL;
 	u_char sig_flags;
 	u_char msghash[32], apphash[32];
@@ -376,8 +375,7 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
-	if ((sigb = malloc(len)) == NULL ||
-	    (md_ctx = EVP_MD_CTX_new()) == NULL) {
+	if ((sigb = malloc(len)) == NULL) {
 		ret = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
@@ -386,22 +384,13 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
-	if (EVP_DigestVerifyInit(md_ctx, NULL, EVP_sha256(), NULL,
-	    key->pkey) != 1) {
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
-		goto out;
-	}
-	switch(EVP_DigestVerify(md_ctx, sigb, len, sshbuf_ptr(original_signed), sshbuf_len(original_signed))) {
-	case 1:
-		ret = 0;
-		break;
-	case 0:
-		ret = SSH_ERR_SIGNATURE_INVALID;
-		goto out;
-	default:
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
+	ret = sshkey_verify_signature(key->pkey, SSH_DIGEST_SHA256,
+		sshbuf_ptr(original_signed), sshbuf_len(original_signed),
+		sigb, len);
+
+	if (ret != 0)
 		goto out;
-	}
+
 	/* success */
 	if (detailsp != NULL) {
 		*detailsp = details;
@@ -424,7 +413,6 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 	BN_clear_free(sig_s);
 	free(ktype);
 	free(sigb);
-	EVP_MD_CTX_free(md_ctx);
 	return ret;
 }
 

ssh-keygen.c

@@ -804,6 +804,7 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
 		(*k)->type = KEY_DSA;
 		(*k)->dsa = EVP_PKEY_get1_DSA(pubkey);
 		break;
+#ifdef OPENSSL_HAS_ECC
 	case EVP_PKEY_EC:
 		if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
 			fatal("sshkey_new failed");
@@ -812,6 +813,7 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
 		pubkey = NULL;
 		(*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->pkey);
 		break;
+#endif
 	default:
 		fatal_f("unsupported pubkey type %d",
 		    EVP_PKEY_base_id(pubkey));

sshkey.c

@@ -1427,6 +1427,7 @@ sshkey_check_rsa_length(const struct sshkey *k, int min_size)
 
 #ifdef WITH_OPENSSL
 # ifdef OPENSSL_HAS_ECC
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
 static int
 sshkey_ec_key_to_nid(EC_KEY *k)
 {
@@ -1470,6 +1471,7 @@ sshkey_ec_key_to_nid(EC_KEY *k)
         }
         return nids[i];
 }
+#endif
 
 int
 sshkey_ecdsa_key_to_nid(EVP_PKEY *pkey)

sshkey.h

@@ -38,12 +38,18 @@
 # ifdef OPENSSL_HAS_ECC
 #  include <openssl/ecdsa.h>
 # else /* OPENSSL_HAS_ECC */
+#  define EC_KEY	void
+#  define EC_GROUP	void
+#  define EC_POINT	void
 # endif /* OPENSSL_HAS_ECC */
 #define SSH_OPENSSL_VERSION OpenSSL_version(OPENSSL_VERSION)
 #else /* WITH_OPENSSL */
 # define BIGNUM		void
 # define EVP_PKEY	void
 # define DSA		void
+# define EC_KEY	void
+# define EC_GROUP	void
+# define EC_POINT	void
 #define SSH_OPENSSL_VERSION "without OpenSSL"
 #endif /* WITH_OPENSSL */
 
@@ -256,6 +262,8 @@ u_int		 sshkey_curve_nid_to_bits(int);
 int		 sshkey_ecdsa_bits_to_nid(int);
 int		 sshkey_ecdsa_key_to_nid(EVP_PKEY *);
 int		 sshkey_ec_nid_to_hash_alg(int nid);
+int		 sshkey_ec_validate_public(const EC_GROUP *, const EC_POINT *);
+int		 sshkey_ec_validate_private(const EC_KEY *);
 const char	*sshkey_ssh_name(const struct sshkey *);
 const char	*sshkey_ssh_name_plain(const struct sshkey *);
 int		 sshkey_names_valid2(const char *, int, int);
@@ -350,6 +358,13 @@ int pkcs11_get_ecdsa_idx(void);
 #if !defined(WITH_OPENSSL)
 # undef EVP_PKEY
 # undef DSA
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
+#elif !defined(OPENSSL_HAS_ECC)
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
 #endif
 
 #endif /* SSHKEY_H */