[PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings

Fri, 01 Nov 2024 07:38:11 -0700 

>From the docs:
https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-low-level-digest-functions

    Use of low-level digest functions such as SHA1_Init(3) have been
    informally discouraged from use for a long time. Applications should
    instead use the high level EVP APIs EVP_DigestInit_ex(3),
    EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot
    EVP_Q_digest(3).

Signed-off-by: Petr Vorel <pvo...@suse.cz>
---
 .../integrity/ima/src/ima_boot_aggregate.c    | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c 
b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 62468e0d19..68d12fc3c2 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -24,6 +24,7 @@
 
 #if HAVE_LIBCRYPTO
 #include <openssl/sha.h>
+#include <openssl/evp.h>
 
 #define MAX_EVENT_SIZE (1024*1024)
 #define EVENT_HEADER_SIZE 32
@@ -61,7 +62,11 @@ static void display_sha1_digest(unsigned char *pcr)
 static void do_test(void)
 {
        FILE *fp;
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+       EVP_MD_CTX *c = NULL;
+#else
        SHA_CTX c;
+#endif
        int i;
 
        if (!file)
@@ -85,12 +90,24 @@ static void do_test(void)
                }
 
                if (event.header.pcr < NUM_PCRS) {
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+                       if ((c = EVP_MD_CTX_new()) == NULL)
+                               tst_brk(TBROK, "can't get new context");
+
+                       EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+                       EVP_DigestUpdate(c, pcr[event.header.pcr].digest,
+                                        SHA_DIGEST_LENGTH);
+                       EVP_DigestUpdate(c, event.header.digest, 
SHA_DIGEST_LENGTH);
+                       EVP_DigestFinal_ex(c, pcr[event.header.pcr].digest, 
NULL);
+                       EVP_MD_CTX_free(c);
+#else
                        SHA1_Init(&c);
                        SHA1_Update(&c, pcr[event.header.pcr].digest,
                                    SHA_DIGEST_LENGTH);
                        SHA1_Update(&c, event.header.digest,
                                    SHA_DIGEST_LENGTH);
                        SHA1_Final(pcr[event.header.pcr].digest, &c);
+#endif
                }
 
 #if MAX_EVENT_DATA_SIZE < USHRT_MAX
@@ -107,15 +124,30 @@ static void do_test(void)
 
        /* Extend the boot aggregate with the pseudo PCR digest values */
        memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+       EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+#else
        SHA1_Init(&c);
+#endif
+
        for (i = 0; i < NUM_PCRS; i++) {
                if (debug) {
                        printf("PCR-%2.2x: ", i);
                        display_sha1_digest(pcr[i].digest);
                }
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+               EVP_DigestUpdate(c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#else
                SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#endif
        }
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+       EVP_MD_CTX_free(c);
+#else
        SHA1_Final(boot_aggregate, &c);
+#endif
 
        printf("sha1:");
        display_sha1_digest(boot_aggregate);
-- 
2.45.2

Reply via email to