[multiple] openssl 3.0.0 digest interface migrate

provide implementations for conventional digest interfaces but use the newer openssl digest interfaces under the hood <rant> It is baffling that the openssl library -- with *thousands* of public interfaces -- does not provide these, and suggests that openssl developers do not frequently write apps which utilize these interfaces. </rant>
7 months ago · 7553ef7f44
2 changed files with 169 additions and 11 deletions
--- a/src/mod_secdownload.c
+++ b/src/mod_secdownload.c
@ -27,6 +27,32 @@
 #endif
 #endif

+#if defined(USE_OPENSSL_CRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define HMAC EVP_HMAC
+static unsigned char *
+EVP_HMAC (const EVP_MD *evp_md, const void *key,
+          int key_len, const unsigned char *d, int n,
+          unsigned char *md, size_t *md_len)
+{
+    EVP_PKEY * const pkey =
+      EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
+    if (NULL == pkey) return NULL;
+
+    EVP_MD_CTX * const ctx = EVP_MD_CTX_new();
+    if (NULL == ctx) {
+        EVP_PKEY_free(pkey);
+        return NULL;
+    }
+
+    int rc = (1 == EVP_DigestSignInit(ctx, NULL, evp_md, NULL, pkey))
+          && (1 == EVP_DigestSignUpdate(ctx, d, n))
+          && (1 == EVP_DigestSignFinal(ctx, md, md_len));
+    EVP_MD_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+    return (1 == rc) ? md : NULL;
+}
+#endif
+
 /*
 * mod_secdownload verifies a checksum associated with a timestamp
 * and a path.
@ -68,9 +94,9 @@
    my $protected_path = '/' . sprintf("%08x", time) . $rel_path;
    my $url = '/'. encode_base64url(hmac_sha1($protected_path, $secret)) . $protected_path;
 *
- * # hmac-256
+ * # hmac-sha256
 * mac_len := 43  (no base64 padding)
- * mac := base64-url(hmac-256(<secret>, <protected-path>))
+ * mac := base64-url(hmac-sha256(<secret>, <protected-path>))
    use Digest::SHA qw(hmac_sha256);
    use MIME::Base64 qw(encode_base64url);
    my $secret = "verysecret";
--- a/src/sys-crypto-md.h
+++ b/src/sys-crypto-md.h
@ -257,21 +257,12 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)

 #elif defined(USE_OPENSSL_CRYPTO)

-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/macros.h>
-#undef DEPRECATEDIN_3_0
-#define DEPRECATEDIN_3_0(f) f;
-#endif
-
 #include <openssl/md4.h>
 #include <openssl/md5.h>
 #include <openssl/sha.h>
 #ifndef OPENSSL_NO_MD4
-#ifndef NO_MD4 /*(e.g. wolfSSL built without MD4)*/
 #define USE_LIB_CRYPTO_MD4
 #endif
-#endif
 #ifndef OPENSSL_NO_MD5
 #define USE_LIB_CRYPTO_MD5
 #endif
@ -281,6 +272,147 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
 #define USE_LIB_CRYPTO_SHA512_256
 #endif

+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/evp.h>
+
+#ifdef USE_LIB_CRYPTO_MD4
+#define MD4_CTX EVP_MD4_CTX
+#define MD4_Init EVP_MD4_Init
+#define MD4_Final EVP_MD4_Final
+#define MD4_Update EVP_MD4_Update
+typedef EVP_MD_CTX * MD4_CTX;
+static inline int
+EVP_MD4_Init(EVP_MD4_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_md4(), NULL));
+}
+static inline int
+EVP_MD4_Final(unsigned char *digest, EVP_MD4_CTX *ctx)
+{
+    /* MD4_DIGEST_LENGTH; EVP_MD_size(EVP_md4()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_MD4_Update(EVP_MD4_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_MD5
+#define MD5_CTX EVP_MD5_CTX
+#define MD5_Init EVP_MD5_Init
+#define MD5_Final EVP_MD5_Final
+#define MD5_Update EVP_MD5_Update
+typedef EVP_MD_CTX * EVP_MD5_CTX;
+static inline int
+EVP_MD5_Init(EVP_MD5_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_md5(), NULL));
+}
+static inline int
+EVP_MD5_Final(unsigned char *digest, EVP_MD5_CTX *ctx)
+{
+    /* MD5_DIGEST_LENGTH; EVP_MD_size(EVP_md5()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_MD5_Update(EVP_MD5_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA1
+#define SHA_CTX EVP_SHA1_CTX
+#define SHA1_Init EVP_SHA1_Init
+#define SHA1_Final EVP_SHA1_Final
+#define SHA1_Update EVP_SHA1_Update
+typedef EVP_MD_CTX * EVP_SHA1_CTX;
+static inline int
+EVP_SHA1_Init(EVP_SHA1_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha1(), NULL));
+}
+static inline int
+EVP_SHA1_Final(unsigned char *digest, EVP_SHA1_CTX *ctx)
+{
+    /* SHA_DIGEST_LENGTH; EVP_MD_size(EVP_sha1()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA1_Update(EVP_SHA1_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA256
+#define SHA256_CTX EVP_SHA256_CTX
+#define SHA256_Init EVP_SHA256_Init
+#define SHA256_Final EVP_SHA256_Final
+#define SHA256_Update EVP_SHA256_Update
+typedef EVP_MD_CTX * EVP_SHA256_CTX;
+static inline int
+EVP_SHA256_Init(EVP_SHA256_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha256(), NULL));
+}
+static inline int
+EVP_SHA256_Final(unsigned char *digest, EVP_SHA256_CTX *ctx)
+{
+    /* SHA256_DIGEST_LENGTH; EVP_MD_size(EVP_sha256()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA256_Update(EVP_SHA256_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA512_256
+#define SHA512_256_CTX EVP_SHA512_256_CTX
+#define SHA512_256_Init EVP_SHA512_256_Init
+#define SHA512_256_Final EVP_SHA512_256_Final
+#define SHA512_256_Update EVP_SHA512_256_Update
+typedef EVP_MD_CTX * EVP_SHA512_256_CTX;
+static inline int
+EVP_SHA512_256_Init(EVP_SHA512_256_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha512_256(), NULL));
+}
+static inline int
+EVP_SHA512_256_Final(unsigned char *digest, EVP_SHA512_256_CTX *ctx)
+{
+    /* SHA256_DIGEST_LENGTH; EVP_MD_size(EVP_sha512_256()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA512_256_Update(EVP_SHA512_256_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
 #elif defined(USE_GNUTLS_CRYPTO)

 #include <gnutls/crypto.h>