From 7553ef7f4411ae24a2d293319780aa05a06e4cd8 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Mon, 12 Oct 2020 07:55:04 -0400
Subject: [PATCH] [multiple] openssl 3.0.0 digest interface migrate

provide implementations for conventional digest interfaces
but use the newer openssl digest interfaces under the hood

<rant>
It is baffling that the openssl library -- with *thousands* of public
interfaces -- does not provide these, and suggests that openssl
developers do not frequently write apps which utilize these interfaces.
</rant>
---
 src/mod_secdownload.c |  30 ++++++++-
 src/sys-crypto-md.h   | 150 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 169 insertions(+), 11 deletions(-)

diff --git a/src/mod_secdownload.c b/src/mod_secdownload.c
index afa343cb..df2db6c2 100644
--- a/src/mod_secdownload.c
+++ b/src/mod_secdownload.c
@@ -27,6 +27,32 @@
 #endif
 #endif
 
+#if defined(USE_OPENSSL_CRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define HMAC EVP_HMAC
+static unsigned char *
+EVP_HMAC (const EVP_MD *evp_md, const void *key,
+          int key_len, const unsigned char *d, int n,
+          unsigned char *md, size_t *md_len)
+{
+    EVP_PKEY * const pkey =
+      EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
+    if (NULL == pkey) return NULL;
+
+    EVP_MD_CTX * const ctx = EVP_MD_CTX_new();
+    if (NULL == ctx) {
+        EVP_PKEY_free(pkey);
+        return NULL;
+    }
+
+    int rc = (1 == EVP_DigestSignInit(ctx, NULL, evp_md, NULL, pkey))
+          && (1 == EVP_DigestSignUpdate(ctx, d, n))
+          && (1 == EVP_DigestSignFinal(ctx, md, md_len));
+    EVP_MD_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+    return (1 == rc) ? md : NULL;
+}
+#endif
+
 /*
  * mod_secdownload verifies a checksum associated with a timestamp
  * and a path.
@@ -68,9 +94,9 @@
     my $protected_path = '/' . sprintf("%08x", time) . $rel_path;
     my $url = '/'. encode_base64url(hmac_sha1($protected_path, $secret)) . $protected_path;
  *
- * # hmac-256
+ * # hmac-sha256
  * mac_len := 43  (no base64 padding)
- * mac := base64-url(hmac-256(<secret>, <protected-path>))
+ * mac := base64-url(hmac-sha256(<secret>, <protected-path>))
     use Digest::SHA qw(hmac_sha256);
     use MIME::Base64 qw(encode_base64url);
     my $secret = "verysecret";
diff --git a/src/sys-crypto-md.h b/src/sys-crypto-md.h
index f2283b6b..bb09573f 100644
--- a/src/sys-crypto-md.h
+++ b/src/sys-crypto-md.h
@@ -257,21 +257,12 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
 
 #elif defined(USE_OPENSSL_CRYPTO)
 
-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/macros.h>
-#undef DEPRECATEDIN_3_0
-#define DEPRECATEDIN_3_0(f) f;
-#endif
-
 #include <openssl/md4.h>
 #include <openssl/md5.h>
 #include <openssl/sha.h>
 #ifndef OPENSSL_NO_MD4
-#ifndef NO_MD4 /*(e.g. wolfSSL built without MD4)*/
 #define USE_LIB_CRYPTO_MD4
 #endif
-#endif
 #ifndef OPENSSL_NO_MD5
 #define USE_LIB_CRYPTO_MD5
 #endif
@@ -281,6 +272,147 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
 #define USE_LIB_CRYPTO_SHA512_256
 #endif
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/evp.h>
+
+#ifdef USE_LIB_CRYPTO_MD4
+#define MD4_CTX EVP_MD4_CTX
+#define MD4_Init EVP_MD4_Init
+#define MD4_Final EVP_MD4_Final
+#define MD4_Update EVP_MD4_Update
+typedef EVP_MD_CTX * MD4_CTX;
+static inline int
+EVP_MD4_Init(EVP_MD4_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_md4(), NULL));
+}
+static inline int
+EVP_MD4_Final(unsigned char *digest, EVP_MD4_CTX *ctx)
+{
+    /* MD4_DIGEST_LENGTH; EVP_MD_size(EVP_md4()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_MD4_Update(EVP_MD4_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_MD5
+#define MD5_CTX EVP_MD5_CTX
+#define MD5_Init EVP_MD5_Init
+#define MD5_Final EVP_MD5_Final
+#define MD5_Update EVP_MD5_Update
+typedef EVP_MD_CTX * EVP_MD5_CTX;
+static inline int
+EVP_MD5_Init(EVP_MD5_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_md5(), NULL));
+}
+static inline int
+EVP_MD5_Final(unsigned char *digest, EVP_MD5_CTX *ctx)
+{
+    /* MD5_DIGEST_LENGTH; EVP_MD_size(EVP_md5()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_MD5_Update(EVP_MD5_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA1
+#define SHA_CTX EVP_SHA1_CTX
+#define SHA1_Init EVP_SHA1_Init
+#define SHA1_Final EVP_SHA1_Final
+#define SHA1_Update EVP_SHA1_Update
+typedef EVP_MD_CTX * EVP_SHA1_CTX;
+static inline int
+EVP_SHA1_Init(EVP_SHA1_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha1(), NULL));
+}
+static inline int
+EVP_SHA1_Final(unsigned char *digest, EVP_SHA1_CTX *ctx)
+{
+    /* SHA_DIGEST_LENGTH; EVP_MD_size(EVP_sha1()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA1_Update(EVP_SHA1_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA256
+#define SHA256_CTX EVP_SHA256_CTX
+#define SHA256_Init EVP_SHA256_Init
+#define SHA256_Final EVP_SHA256_Final
+#define SHA256_Update EVP_SHA256_Update
+typedef EVP_MD_CTX * EVP_SHA256_CTX;
+static inline int
+EVP_SHA256_Init(EVP_SHA256_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha256(), NULL));
+}
+static inline int
+EVP_SHA256_Final(unsigned char *digest, EVP_SHA256_CTX *ctx)
+{
+    /* SHA256_DIGEST_LENGTH; EVP_MD_size(EVP_sha256()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA256_Update(EVP_SHA256_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#ifdef USE_LIB_CRYPTO_SHA512_256
+#define SHA512_256_CTX EVP_SHA512_256_CTX
+#define SHA512_256_Init EVP_SHA512_256_Init
+#define SHA512_256_Final EVP_SHA512_256_Final
+#define SHA512_256_Update EVP_SHA512_256_Update
+typedef EVP_MD_CTX * EVP_SHA512_256_CTX;
+static inline int
+EVP_SHA512_256_Init(EVP_SHA512_256_CTX *ctx)
+{
+    return ((*ctx = EVP_MD_CTX_new()) != NULL
+            && 1 == EVP_DigestInit_ex(*ctx, EVP_sha512_256(), NULL));
+}
+static inline int
+EVP_SHA512_256_Final(unsigned char *digest, EVP_SHA512_256_CTX *ctx)
+{
+    /* SHA256_DIGEST_LENGTH; EVP_MD_size(EVP_sha512_256()) */
+    int rc = EVP_DigestFinal_ex(*ctx, digest, NULL);
+    EVP_MD_CTX_free(*ctx);
+    return (1 == rc);
+}
+static inline int
+EVP_SHA512_256_Update(EVP_SHA512_256_CTX *ctx, const void *data, size_t length)
+{
+    return (1 == EVP_DigestUpdate(*ctx, data, length));
+}
+#endif
+
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
 #elif defined(USE_GNUTLS_CRYPTO)
 
 #include <gnutls/crypto.h>