creds-util: switch to OpenSSL 3.0 APIs

Let's switch from the low-level SHA256 APIs to EVP APIs. The former are
deprecated on OpenSSL 3.0, the latter are supported both by old
OpenSSL and by OpenSSL 3.0, hence are the better choice.

Fixes: #20775

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index d1ca3778b7352458929d4619cab3b336e964f0db..b764198b76cbc277092e6d0825868bd7bf03e324 100644 (file)
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -401,7 +401,8 @@ static int sha256_hash_host_and_tpm2_key(
                 size_t tpm2_key_size,
                 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
 
-        SHA256_CTX sha256_context;
+        _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
+        unsigned l;
 
         assert(host_key_size == 0 || host_key);
         assert(tpm2_key_size == 0 || tpm2_key);
@@ -409,18 +410,25 @@ static int sha256_hash_host_and_tpm2_key(
 
         /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
 
-        if (SHA256_Init(&sha256_context) != 1)
+        md = EVP_MD_CTX_new();
+        if (!md)
+                return log_oom();
+
+        if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
 
-        if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
+        if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
 
-        if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
+        if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
 
-        if (SHA256_Final(ret, &sha256_context) != 1)
+        assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
+
+        if (EVP_DigestFinal_ex(md, ret, &l) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
 
+        assert(l == SHA256_DIGEST_LENGTH);
         return 0;
 }
 

diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 66441c232c04e7e582ca349ff7816d219491f36a..5840d57d16590e2cf0f4960d2f46edd82d3d305b 100644 (file)
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -17,6 +17,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
 
 static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
         if (!sk || !*sk)