FAPI: Change SHA256_Update to EVP_DigestUpdate

Although the EVP_DigestUpdate functions are available in all OpenSSL versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the EVP_MD_CTX_new was introduced in OpenSSL 1.1.0. The SHA256_Update function is deprecated in OpenSSL 3.0.0. This PR should work with OpenSSL 1.1.0 through 3.0.0. Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
JerryDevis · Aug 2, 2021 · f4f528f · f4f528f
1 parent fdc4f48
commit f4f528f
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 35 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -701,7 +701,7 @@ test_unit_fapi_get_intl_cert_CFLAGS = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
 test_unit_fapi_get_intl_cert_LDADD = $(CMOCKA_LIBS)  $(TESTS_LDADD)
 test_unit_fapi_get_intl_cert_LDFLAGS = $(TESTS_LDFLAGS) $(JSONC_LIBS) $(CURL_LIBS) \
                                        -Wl,--wrap=ifapi_get_curl_buffer \
-                                       -Wl,--wrap=SHA256_Update
+                                       -Wl,--wrap=EVP_DigestUpdate
 test_unit_fapi_get_intl_cert_SOURCES = test/unit/fapi-get-intl-cert.c \
 	                                   src/tss2-fapi/ifapi_get_intl_cert.c \
                                        src/tss2-fapi/ifapi_json_deserialize.c \

diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -53,21 +53,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
         return NULL;
     }
 
-    SHA256_CTX sha256;
-    int is_success = SHA256_Init(&sha256);
+    EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
+    if (!sha256ctx) {
+        LOG_ERROR("EVP_MD_CTX_new failed");
+        goto err;
+    }
+
+    int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
     if (!is_success) {
-        LOG_ERROR("SHA256_Init failed");
+        LOG_ERROR("EVP_DigestInit failed");
         goto err;
     }
 
     switch (ek_public->publicArea.type) {
     case TPM2_ALG_RSA:
         /* Add public key to the hash. */
-        is_success = SHA256_Update(&sha256,
-                                   ek_public->publicArea.unique.rsa.buffer,
-                                   ek_public->publicArea.unique.rsa.size);
+        is_success = EVP_DigestUpdate(sha256ctx,
+                                      ek_public->publicArea.unique.rsa.buffer,
+                                      ek_public->publicArea.unique.rsa.size);
         if (!is_success) {
-            LOG_ERROR("SHA256_Update failed");
+            LOG_ERROR("EVP_DigestUpdate failed");
             goto err;
         }
 
@@ -78,28 +83,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
         }
         /* Exponent 65537 will be added. */
         BYTE buf[3] = { 0x1, 0x00, 0x01 };
-        is_success = SHA256_Update(&sha256, buf, sizeof(buf));
+        is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
         if (!is_success) {
-            LOG_ERROR("SHA256_Update failed");
+            LOG_ERROR("EVP_DigestUpdate failed");
             goto err;
         }
         break;
 
     case TPM2_ALG_ECC:
-        is_success = SHA256_Update(&sha256,
-                                   ek_public->publicArea.unique.ecc.x.buffer,
-                                   ek_public->publicArea.unique.ecc.x.size);
+        is_success = EVP_DigestUpdate(sha256ctx,
+                                      ek_public->publicArea.unique.ecc.x.buffer,
+                                      ek_public->publicArea.unique.ecc.x.size);
         if (!is_success) {
-            LOG_ERROR("SHA256_Update failed");
+            LOG_ERROR("EVP_DigestUpdate failed");
             goto err;
         }
 
         /* Add public key to the hash. */
-        is_success = SHA256_Update(&sha256,
-                                   ek_public->publicArea.unique.ecc.y.buffer,
-                                   ek_public->publicArea.unique.ecc.y.size);
+        is_success = EVP_DigestUpdate(sha256ctx,
+                                      ek_public->publicArea.unique.ecc.y.buffer,
+                                      ek_public->publicArea.unique.ecc.y.size);
         if (!is_success) {
-            LOG_ERROR("SHA256_Update failed");
+            LOG_ERROR("EVP_DigestUpdate failed");
             goto err;
         }
         break;
@@ -109,17 +114,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
         goto err;
     }
 
-    is_success = SHA256_Final(hash, &sha256);
+    is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
     if (!is_success) {
         LOG_ERROR("SHA256_Final failed");
         goto err;
     }
 
+    EVP_MD_CTX_free(sha256ctx);
     LOG_TRACE("public-key-hash:");
     LOG_TRACE("  sha256: ");
     LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
     return hash;
 err:
+    EVP_MD_CTX_free(sha256ctx);
     free(hash);
     return NULL;
 }

diff --git a/test/unit/fapi-get-intl-cert.c b/test/unit/fapi-get-intl-cert.c
@@ -15,7 +15,7 @@
 #include <stdio.h>
 #include <json-c/json_util.h>
 #include <json-c/json_tokener.h>
-#include <openssl/sha.h>
+#include <openssl/evp.h>
 
 #include <setjmp.h>
 #include <cmocka.h>
@@ -124,30 +124,30 @@ __wrap_ifapi_get_curl_buffer(unsigned char * url, unsigned char ** buffer,
                           size_t *buffer_size)
 {
     UNUSED(url);
-    *buffer = (unsigned char *)strdup(mock_json_cert);      ;
+    *buffer = (unsigned char *)strdup(mock_json_cert);
     *buffer_size = strlen(mock_json_cert) + 1;
     return 0;
 }
 
 /*
  * Wrapper function for updating the hash of EK public data.
  */
-size_t wrap_SHA256_update_test = 0;
+size_t wrap_EVP_DigestUpdate_test = 0;
 
 int
-__real_SHA256_Update(SHA256_CTX *c, const void *data, size_t len);
+__real_EVP_DigestUpdate(EVP_MD_CTX *c, const void *data, size_t len);
 
 int
-__wrap_SHA256_Update(SHA256_CTX *c, const void *data, size_t len)
+__wrap_EVP_DigestUpdate(EVP_MD_CTX *c, const void *data, size_t len)
 {
-    if (!wrap_SHA256_update_test) {
-        return __real_SHA256_Update(c, data, len);
-    } else if (wrap_SHA256_update_test == 1) {
-        wrap_SHA256_update_test = 0;
+    if (!wrap_EVP_DigestUpdate_test) {
+        return __real_EVP_DigestUpdate(c, data, len);
+    } else if (wrap_EVP_DigestUpdate_test == 1) {
+        wrap_EVP_DigestUpdate_test = 0;
         return mock_type(int);
     } else {
-        wrap_SHA256_update_test--;
-        return __real_SHA256_Update(c, data, len);
+        wrap_EVP_DigestUpdate_test--;
+        return __real_EVP_DigestUpdate(c, data, len);
     }
 }
 
@@ -213,21 +213,21 @@ check_get_intl_cert_sha_error(void **state) {
     unsigned char *cert_buf = NULL;
     size_t cert_size;
     TSS2_RC r;
-    will_return_always(__wrap_SHA256_Update, 0);
+    will_return_always(__wrap_EVP_DigestUpdate, 0);
     mock_json_cert = valid_json_cert;
-    wrap_SHA256_update_test = 1;
+    wrap_EVP_DigestUpdate_test = 1;
     r = ifapi_get_intl_ek_certificate(ctx, &eccPublic, &cert_buf, &cert_size);
     assert_int_equal(r,TSS2_FAPI_RC_NO_CERT);
 
-    wrap_SHA256_update_test = 1;
+    wrap_EVP_DigestUpdate_test = 1;
     r = ifapi_get_intl_ek_certificate(ctx, &rsaPublic, &cert_buf, &cert_size);
     assert_int_equal(r,TSS2_FAPI_RC_NO_CERT);
 
-    wrap_SHA256_update_test = 2;
+    wrap_EVP_DigestUpdate_test = 2;
     r = ifapi_get_intl_ek_certificate(ctx, &eccPublic, &cert_buf, &cert_size);
     assert_int_equal(r,TSS2_FAPI_RC_NO_CERT);
 
-    wrap_SHA256_update_test = 2;
+    wrap_EVP_DigestUpdate_test = 2;
     r = ifapi_get_intl_ek_certificate(ctx, &rsaPublic, &cert_buf, &cert_size);
     assert_int_equal(r,TSS2_FAPI_RC_NO_CERT);