From: Lennart Poettering
Date: Wed, 29 Sep 2021 07:47:08 +0000 (+0200)
Subject: creds-util: switch to OpenSSL 3.0 APIs
X-Git-Tag: v250-rc1~585^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=18f568b8e64b48f6aee204cc6384b4796cd27eb0;p=thirdparty%2Fsystemd.git

creds-util: switch to OpenSSL 3.0 APIs

Let's switch from the low-level SHA256 APIs to EVP APIs. The former are deprecated on OpenSSL 3.0, the latter are supported both by old OpenSSL and by OpenSSL 3.0, hence are the better choice.

Fixes: #20775
---

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index d1ca3778b73..b764198b76c 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -401,7 +401,8 @@ static int sha256_hash_host_and_tpm2_key(
                 size_t tpm2_key_size,
                 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
-        SHA256_CTX sha256_context;
+        _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
+        unsigned l;
         assert(host_key_size == 0 || host_key);
         assert(tpm2_key_size == 0 || tpm2_key);
@@ -409,18 +410,25 @@ static int sha256_hash_host_and_tpm2_key(
         /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
-        if (SHA256_Init(&sha256_context) != 1)
+        md = EVP_MD_CTX_new();
+        if (!md)
+                return log_oom();
+
+        if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
-        if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
+        if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
-        if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
+        if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
-        if (SHA256_Final(ret, &sha256_context) != 1)
+        assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
+
+        if (EVP_DigestFinal_ex(md, ret, &l) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
+        assert(l == SHA256_DIGEST_LENGTH);
         return 0;
 }
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 66441c232c0..5840d57d165 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -17,6 +17,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
 static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
         if (!sk || !*sk)
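Review bot: Both digest-length checks in the creds-util.c hunk are plain `assert()` calls, so in a build compiled with NDEBUG nothing confirms that `EVP_DigestFinal_ex` wrote exactly SHA256_DIGEST_LENGTH bytes into `ret` before the function returns 0; the digest is pinned to `EVP_sha256()` and `ret` is declared `[static SHA256_DIGEST_LENGTH]`, so the size cannot actually differ, but since this value becomes the symmetric encryption key a hard check is cheap: `if (l != SHA256_DIGEST_LENGTH) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unexpected SHA256 digest size.");`. As a point of style, the `EVP_MD_CTX_size(md)` check would sit more naturally directly after `EVP_DigestInit_ex`, so a mismatched digest is rejected before any key material is fed into the context. The move from a stack `SHA256_CTX` to a heap context released by the new `EVP_MD_CTX_freep` cleanup appears to have a side benefit worth recording, since OpenSSL's `EVP_MD_CTX_free` resets the context and, as far as I recall, clears the digest state buffer that held the host and TPM2 key material, which the old stack context never got; a comment such as `/* Context is freed (and its digest state cleared) by the cleanup attribute on every return path. */` above the `md = EVP_MD_CTX_new();` line would make that explicit. The surviving context line still reads `"Failed to initial SHA256 context."`, which a follow-up could change to `"Failed to initialize SHA256 context."`. sha256_hash_host_and_tpm2_key's signature and declarations are in the preceding hunk, so the review covers only the body shown here.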