From 7ae346162a5e3d03bdfaeba82cce31a78f43789a Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Fri, 1 Oct 2021 13:00:12 -0500
Subject: [PATCH] Use EVP API for eap_fast_crypto.c

---
 .../types/rlm_eap_fast/eap_fast_crypto.c      | 56 +++++++++++--------
 1 file changed, 33 insertions(+), 23 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.c
index b17b1e84cd..34aae19dde 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.c
@@ -223,51 +223,61 @@ static void crypto_rfc4346_p_hash(uint8_t *out, size_t out_len,
 				  uint8_t const *secret, size_t secret_len,
 				  uint8_t const *seed,  size_t seed_len)
 {
-	HMAC_CTX *ctx_a, *ctx_out;
-	uint8_t a[HMAC_MAX_MD_CBLOCK];
+	EVP_MD_CTX *ctx_a, *ctx_out;
+	EVP_PKEY *pkey;
+
+	uint8_t a[EVP_MAX_MD_SIZE];
 	size_t size;
 
-	ctx_a = HMAC_CTX_new();
-	ctx_out = HMAC_CTX_new();
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-	HMAC_CTX_set_flags(ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-	HMAC_CTX_set_flags(ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-#endif
-	HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
-	HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
+	ctx_a = EVP_MD_CTX_new();
+	ctx_out = EVP_MD_CTX_new();
+
+	MEM(pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len));
+
+	EVP_DigestSignInit(ctx_a, NULL, evp_md, NULL, pkey);
+	EVP_DigestSignInit(ctx_out, NULL, evp_md, NULL, pkey);
 
-	size = HMAC_size(ctx_out);
+	size = EVP_MD_size(evp_md);
 
 	/* Calculate A(1) */
-	HMAC_Update(ctx_a, seed, seed_len);
-	HMAC_Final(ctx_a, a, NULL);
+	EVP_DigestSignUpdate(ctx_a, seed, seed_len);
+
+	/*
+	 *	OpenSSL <= 1.1.1 requires a non-null pointer for len
+	 */
+	EVP_DigestSignFinal(ctx_a, a, &(size_t){ 0 });
 
 	while (1) {
 		/* Calculate next part of output */
-		HMAC_Update(ctx_out, a, size);
-		HMAC_Update(ctx_out, seed, seed_len);
+		EVP_DigestSignUpdate(ctx_out, a, size);
+		EVP_DigestSignUpdate(ctx_out, seed, seed_len);
 
 		/* Check if last part */
 		if (out_len < size) {
-			HMAC_Final(ctx_out, a, NULL);
+			EVP_DigestSignFinal(ctx_out, a, &(size_t){ 0 });
 			memcpy(out, a, out_len);
 			break;
 		}
 
 		/* Place digest in output buffer */
-		HMAC_Final(ctx_out, out, NULL);
-		HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
+		EVP_DigestSignFinal(ctx_out, out, &(size_t){ 0 });
+		EVP_MD_CTX_reset(ctx_out);
+
+		EVP_DigestSignInit(ctx_out, NULL, evp_md, NULL, pkey);
 		out += size;
 		out_len -= size;
 
 		/* Calculate next A(i) */
-		HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
-		HMAC_Update(ctx_a, a, size);
-		HMAC_Final(ctx_a, a, NULL);
+		EVP_MD_CTX_reset(ctx_a);
+		EVP_DigestSignInit(ctx_a, NULL, evp_md, NULL, pkey);
+		EVP_DigestSignUpdate(ctx_a, a, size);
+		EVP_DigestSignFinal(ctx_a, a, &(size_t){ 0 });
 	}
 
-	HMAC_CTX_free(ctx_a);
-	HMAC_CTX_free(ctx_out);
+	EVP_PKEY_free(pkey);
+
+	EVP_MD_CTX_free(ctx_a);
+	EVP_MD_CTX_free(ctx_out);
 #ifdef __STDC_LIB_EXT1__
 	memset_s(a, 0, sizeof(a), sizeof(a));
 #else
-- 
2.47.2