diff mbox series

[1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings

Message ID 20241101143726.1278291-1-pvorel@suse.cz
State Accepted
Headers show
Series [1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings | expand

Commit Message

Petr Vorel Nov. 1, 2024, 2:37 p.m. UTC
From the docs:
https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-low-level-digest-functions

    Use of low-level digest functions such as SHA1_Init(3) have been
    informally discouraged from use for a long time. Applications should
    instead use the high level EVP APIs EVP_DigestInit_ex(3),
    EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot
    EVP_Q_digest(3).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/src/ima_boot_aggregate.c    | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

Comments

Mimi Zohar Nov. 15, 2024, 5:10 a.m. UTC | #1
On Fri, 2024-11-01 at 15:37 +0100, Petr Vorel wrote:
> From the docs:
> https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-low-level-digest-functions
> 
>     Use of low-level digest functions such as SHA1_Init(3) have been
>     informally discouraged from use for a long time. Applications should
>     instead use the high level EVP APIs EVP_DigestInit_ex(3),
>     EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot
>     EVP_Q_digest(3).
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Sorry for the long delay in responding.  The patch nicely cleans up all the
warnings.

thanks,

Mimi

> ---
>  .../integrity/ima/src/ima_boot_aggregate.c    | 32 +++++++++++++++++++
>  1 file changed, 32 insertions(+)
> 
> diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> index 62468e0d19..68d12fc3c2 100644
> --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> @@ -24,6 +24,7 @@
>  
>  #if HAVE_LIBCRYPTO
>  #include <openssl/sha.h>
> +#include <openssl/evp.h>
>  
>  #define MAX_EVENT_SIZE (1024*1024)
>  #define EVENT_HEADER_SIZE 32
> @@ -61,7 +62,11 @@ static void display_sha1_digest(unsigned char *pcr)
>  static void do_test(void)
>  {
>  	FILE *fp;
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> +	EVP_MD_CTX *c = NULL;
> +#else
>  	SHA_CTX c;
> +#endif
>  	int i;
>  
>  	if (!file)
> @@ -85,12 +90,24 @@ static void do_test(void)
>  		}
>  
>  		if (event.header.pcr < NUM_PCRS) {
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> +			if ((c = EVP_MD_CTX_new()) == NULL)
> +				tst_brk(TBROK, "can't get new context");
> +
> +			EVP_DigestInit_ex(c, EVP_sha1(), NULL);
> +			EVP_DigestUpdate(c, pcr[event.header.pcr].digest,
> +					 SHA_DIGEST_LENGTH);
> +			EVP_DigestUpdate(c, event.header.digest, SHA_DIGEST_LENGTH);
> +			EVP_DigestFinal_ex(c, pcr[event.header.pcr].digest, NULL);
> +			EVP_MD_CTX_free(c);
> +#else
>  			SHA1_Init(&c);
>  			SHA1_Update(&c, pcr[event.header.pcr].digest,
>  				    SHA_DIGEST_LENGTH);
>  			SHA1_Update(&c, event.header.digest,
>  				    SHA_DIGEST_LENGTH);
>  			SHA1_Final(pcr[event.header.pcr].digest, &c);
> +#endif
>  		}
>  
>  #if MAX_EVENT_DATA_SIZE < USHRT_MAX
> @@ -107,15 +124,30 @@ static void do_test(void)
>  
>  	/* Extend the boot aggregate with the pseudo PCR digest values */
>  	memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
> +
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> +	EVP_DigestInit_ex(c, EVP_sha1(), NULL);
> +#else
>  	SHA1_Init(&c);
> +#endif
> +
>  	for (i = 0; i < NUM_PCRS; i++) {
>  		if (debug) {
>  			printf("PCR-%2.2x: ", i);
>  			display_sha1_digest(pcr[i].digest);
>  		}
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> +		EVP_DigestUpdate(c, pcr[i].digest, SHA_DIGEST_LENGTH);
> +#else
>  		SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH);
> +#endif
>  	}
> +
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> +	EVP_MD_CTX_free(c);
> +#else
>  	SHA1_Final(boot_aggregate, &c);
> +#endif
>  
>  	printf("sha1:");
>  	display_sha1_digest(boot_aggregate);
diff mbox series

Patch

diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 62468e0d19..68d12fc3c2 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -24,6 +24,7 @@ 
 
 #if HAVE_LIBCRYPTO
 #include <openssl/sha.h>
+#include <openssl/evp.h>
 
 #define MAX_EVENT_SIZE (1024*1024)
 #define EVENT_HEADER_SIZE 32
@@ -61,7 +62,11 @@  static void display_sha1_digest(unsigned char *pcr)
 static void do_test(void)
 {
 	FILE *fp;
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+	EVP_MD_CTX *c = NULL;
+#else
 	SHA_CTX c;
+#endif
 	int i;
 
 	if (!file)
@@ -85,12 +90,24 @@  static void do_test(void)
 		}
 
 		if (event.header.pcr < NUM_PCRS) {
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+			if ((c = EVP_MD_CTX_new()) == NULL)
+				tst_brk(TBROK, "can't get new context");
+
+			EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+			EVP_DigestUpdate(c, pcr[event.header.pcr].digest,
+					 SHA_DIGEST_LENGTH);
+			EVP_DigestUpdate(c, event.header.digest, SHA_DIGEST_LENGTH);
+			EVP_DigestFinal_ex(c, pcr[event.header.pcr].digest, NULL);
+			EVP_MD_CTX_free(c);
+#else
 			SHA1_Init(&c);
 			SHA1_Update(&c, pcr[event.header.pcr].digest,
 				    SHA_DIGEST_LENGTH);
 			SHA1_Update(&c, event.header.digest,
 				    SHA_DIGEST_LENGTH);
 			SHA1_Final(pcr[event.header.pcr].digest, &c);
+#endif
 		}
 
 #if MAX_EVENT_DATA_SIZE < USHRT_MAX
@@ -107,15 +124,30 @@  static void do_test(void)
 
 	/* Extend the boot aggregate with the pseudo PCR digest values */
 	memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+	EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+#else
 	SHA1_Init(&c);
+#endif
+
 	for (i = 0; i < NUM_PCRS; i++) {
 		if (debug) {
 			printf("PCR-%2.2x: ", i);
 			display_sha1_digest(pcr[i].digest);
 		}
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+		EVP_DigestUpdate(c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#else
 		SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#endif
 	}
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+	EVP_MD_CTX_free(c);
+#else
 	SHA1_Final(boot_aggregate, &c);
+#endif
 
 	printf("sha1:");
 	display_sha1_digest(boot_aggregate);