systemd/SOURCES/0604-openssl-replace-openssl_hash-with-openssl_digest.patch

167 lines
6.4 KiB
Diff
Raw Permalink Normal View History

2024-04-30 11:42:21 +00:00
From aa2a2c0bd0d89624e1a03c1f602f026f13ac4073 Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@ieee.org>
Date: Wed, 5 Jul 2023 16:53:01 -0400
Subject: [PATCH] openssl: replace openssl_hash() with openssl_digest()
The openssl_hash() function was used only by string_hashnum(); change it to use
openssl_digest() instead.
(cherry picked from commit 11f7bc5e9c6f3bffcefd08076e493f3159e23bc1)
Related: RHEL-16182
---
src/shared/openssl-util.c | 53 ++++++---------------------------------
src/shared/openssl-util.h | 8 +++---
src/test/test-cryptolib.c | 8 +++---
3 files changed, 15 insertions(+), 54 deletions(-)
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 0aef979e8c..7a69db4195 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -50,43 +50,6 @@ int openssl_pkey_from_pem(const void *pem, size_t pem_size, EVP_PKEY **ret) {
return 0;
}
-int openssl_hash(const EVP_MD *alg,
- const void *msg,
- size_t msg_len,
- uint8_t *ret_hash,
- size_t *ret_hash_len) {
-
- _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *ctx = NULL;
- unsigned len;
- int r;
-
- ctx = EVP_MD_CTX_new();
- if (!ctx)
- /* This function just calls OPENSSL_zalloc, so failure
- * here is almost certainly a failed allocation. */
- return -ENOMEM;
-
- /* The documentation claims EVP_DigestInit behaves just like
- * EVP_DigestInit_ex if passed NULL, except it also calls
- * EVP_MD_CTX_reset, which deinitializes the context. */
- r = EVP_DigestInit_ex(ctx, alg, NULL);
- if (r == 0)
- return -EIO;
-
- r = EVP_DigestUpdate(ctx, msg, msg_len);
- if (r == 0)
- return -EIO;
-
- r = EVP_DigestFinal_ex(ctx, ret_hash, &len);
- if (r == 0)
- return -EIO;
-
- if (ret_hash_len)
- *ret_hash_len = len;
-
- return 0;
-}
-
/* Returns the number of bytes generated by the specified digest algorithm. This can be used only for
* fixed-size algorithms, e.g. md5, sha1, sha256, etc. Do not use this for variable-sized digest algorithms,
* e.g. shake128. Returns 0 on success, -EOPNOTSUPP if the algorithm is not supported, or < 0 for any other
@@ -638,18 +601,19 @@ int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_s
int string_hashsum(
const char *s,
size_t len,
- const EVP_MD *md_algorithm,
+ const char *md_algorithm,
char **ret) {
- uint8_t hash[EVP_MAX_MD_SIZE];
+ _cleanup_free_ void *hash = NULL;
size_t hash_size;
- char *enc;
+ _cleanup_free_ char *enc;
int r;
- hash_size = EVP_MD_size(md_algorithm);
- assert(hash_size > 0);
+ assert(s || len == 0);
+ assert(md_algorithm);
+ assert(ret);
- r = openssl_hash(md_algorithm, s, len, hash, NULL);
+ r = openssl_digest(md_algorithm, s, len, &hash, &hash_size);
if (r < 0)
return r;
@@ -657,9 +621,8 @@ int string_hashsum(
if (!enc)
return -ENOMEM;
- *ret = enc;
+ *ret = TAKE_PTR(enc);
return 0;
-
}
# endif
#endif
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index f1c84c102e..a37c6e3a50 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -57,8 +57,6 @@ static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
int openssl_pkey_from_pem(const void *pem, size_t pem_size, EVP_PKEY **ret);
-int openssl_hash(const EVP_MD *alg, const void *msg, size_t msg_len, uint8_t *ret_hash, size_t *ret_hash_len);
-
int openssl_digest_size(const char *digest_alg, size_t *ret_digest_size);
int openssl_digest_many(const char *digest_alg, const struct iovec data[], size_t n_data, void **ret_digest, size_t *ret_digest_size);
@@ -128,13 +126,13 @@ typedef gcry_md_hd_t hash_context_t;
#endif
#if PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, hash_algorithm_t md_algorithm, char **ret);
+int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
- return string_hashsum(s, len, EVP_sha224(), ret);
+ return string_hashsum(s, len, "SHA224", ret);
}
static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
- return string_hashsum(s, len, EVP_sha256(), ret);
+ return string_hashsum(s, len, "SHA256", ret);
}
#endif
diff --git a/src/test/test-cryptolib.c b/src/test/test-cryptolib.c
index ef39bda653..6202a5d6d4 100644
--- a/src/test/test-cryptolib.c
+++ b/src/test/test-cryptolib.c
@@ -11,25 +11,25 @@ TEST(string_hashsum) {
_cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
assert_se(string_hashsum("asdf", 4,
- OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
+ OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
&out1) == 0);
/* echo -n 'asdf' | sha224sum - */
assert_se(streq(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a"));
assert_se(string_hashsum("asdf", 4,
- OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
+ OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
&out2) == 0);
/* echo -n 'asdf' | sha256sum - */
assert_se(streq(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"));
assert_se(string_hashsum("", 0,
- OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
+ OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
&out3) == 0);
/* echo -n '' | sha224sum - */
assert_se(streq(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"));
assert_se(string_hashsum("", 0,
- OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
+ OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
&out4) == 0);
/* echo -n '' | sha256sum - */
assert_se(streq(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));