diff --git a/.packit.yml b/.packit.yml
index 98b71fc15e..962c77913e 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -31,9 +31,6 @@ actions:
# [0] https://github.com/mesonbuild/meson/issues/7360
# [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
- # FIXME: temporarily disable the deprecated-declarations check to suppress
- # OpenSSL 3.0 warnings in Rawhide
- - 'sed -i "1 i %global optflags %{optflags} -Wno-deprecated-declarations" .packit_rpm/systemd.spec'
jobs:
- job: copr_build
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index d1ca3778b7..b764198b76 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -401,7 +401,8 @@ static int sha256_hash_host_and_tpm2_key(
size_t tpm2_key_size,
uint8_t ret[static SHA256_DIGEST_LENGTH]) {
- SHA256_CTX sha256_context;
+ _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
+ unsigned l;
assert(host_key_size == 0 || host_key);
assert(tpm2_key_size == 0 || tpm2_key);
@@ -409,18 +410,25 @@ static int sha256_hash_host_and_tpm2_key(
/* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
- if (SHA256_Init(&sha256_context) != 1)
+ md = EVP_MD_CTX_new();
+ if (!md)
+ return log_oom();
+
+ if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
- if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
+ if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
- if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
+ if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
- if (SHA256_Final(ret, &sha256_context) != 1)
+ assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
+
+ if (EVP_DigestFinal_ex(md, ret, &l) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
+ assert(l == SHA256_DIGEST_LENGTH);
return 0;
}
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index bb47ae5e87..bd728e6c7c 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -46,7 +46,6 @@ int rsa_pkey_to_suitable_key_size(
size_t *ret_suitable_key_size) {
size_t suitable_key_size;
- const RSA *rsa;
int bits;
assert_se(pkey);
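Review bot: The EVP_MD_CTX allocated by `EVP_MD_CTX_new()` now holds the host key and TPM2 key bytes (the material the comment says becomes the symmetric encryption key) on the heap until `_cleanup_(EVP_MD_CTX_freep)` runs on every return path; in OpenSSL 1.1+/3.x EVP_MD_CTX_free() goes through EVP_MD_CTX_reset(), which presumably clears the digest state before freeing, so this is likely no worse than the old stack SHA256_CTX that was never wiped, but that property is worth confirming for the OpenSSL versions systemd builds against and recording, e.g. on the `md` declaration: `/* Freed (and its digest state wiped) by EVP_MD_CTX_free() on every return path; the state holds key material. */`. Note that the `assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH)` placed before `EVP_DigestFinal_ex()` is the check that actually protects `ret` (sized `[static SHA256_DIGEST_LENGTH]`), since the finalize writes the digest size into it; the later `assert(l == SHA256_DIGEST_LENGTH)` can only fire after any overrun would already have happened, so the first assert must stay if the second is ever simplified away. While touching the init path, the context line `"Failed to initial SHA256 context."` reads better as `"Failed to initialize SHA256 context."`. The function's signature and the `md`/`l` declarations are in the preceding hunk.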
@@ -58,11 +57,7 @@ int rsa_pkey_to_suitable_key_size(
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
- rsa = EVP_PKEY_get0_RSA(pkey);
- if (!rsa)
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
-
- bits = RSA_bits(rsa);
+ bits = EVP_PKEY_bits(pkey);
log_debug("Bits in RSA key: %i", bits);
/* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 66441c232c..5840d57d16 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -17,6 +17,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
if (!sk || !*sk)
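Review bot: `bits = EVP_PKEY_bits(pkey);` drops the error path that the removed `if (!rsa)` check provided, and EVP_PKEY_bits() signals "size unknown" by returning 0 rather than an error, so a key whose size cannot be determined now flows into the size arithmetic below with `bits == 0` instead of failing with EIO. The hunk ends before that arithmetic (the PKCS#1 padding comment is cut off), so I cannot see whether the later code tolerates a zero, but subtracting the padding overhead from a zero-derived `size_t` would wrap, which argues for keeping an explicit guard right after the assignment: `if (bits <= 0) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine RSA key size.");`. The base-id check above already guarantees an RSA key, so the guard is cheap and only changes behaviour for malformed input. rsa_pkey_to_suitable_key_size() starts and ends outside this hunk.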