From 18f568b8e64b48f6aee204cc6384b4796cd27eb0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 29 Sep 2021 09:47:08 +0200
Subject: [PATCH 1/3] creds-util: switch to OpenSSL 3.0 APIs

Let's switch from the low-level SHA256 APIs to EVP APIs. The former are deprecated on OpenSSL 3.0, the latter are supported both by old OpenSSL and by OpenSSL 3.0, hence are the better choice.

Fixes: #20775
---
 src/shared/creds-util.c | 18 +++++++++++++-----
 src/shared/openssl-util.h | 1 +
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index d1ca3778b7..b764198b76 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -401,7 +401,8 @@ static int sha256_hash_host_and_tpm2_key(
                 size_t tpm2_key_size,
                 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
-        SHA256_CTX sha256_context;
+        _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
+        unsigned l;
         assert(host_key_size == 0 || host_key);
         assert(tpm2_key_size == 0 || tpm2_key);
@@ -409,18 +410,25 @@ static int sha256_hash_host_and_tpm2_key(
         /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
-        if (SHA256_Init(&sha256_context) != 1)
+        md = EVP_MD_CTX_new();
+        if (!md)
+                return log_oom();
+
+        if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
-        if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
+        if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
-        if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
+        if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
-        if (SHA256_Final(ret, &sha256_context) != 1)
+        assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
+
+        if (EVP_DigestFinal_ex(md, ret, &l) != 1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
+        assert(l == SHA256_DIGEST_LENGTH);
         return 0;
 }
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 66441c232c..5840d57d16 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -17,6 +17,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
 static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
         if (!sk || !*sk)
From 7f12adc3000c08a370f74bd16c654506c8a99e92 Mon Sep 17 00:00:00 2001
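Review bot: The added `assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);` is what guards the write into the caller's fixed-size `ret` buffer by EVP_DigestFinal_ex(), yet it is placed after both EVP_DigestUpdate() calls; it reads more clearly directly after the EVP_DigestInit_ex() check, before any key material is fed in, with a short why-comment such as `/* ret has room for exactly SHA256_DIGEST_LENGTH bytes, so confirm the selected digest fits before finalizing into it. */`. If this file's assert() can be compiled out, the check is a sanity check only, which seems acceptable here because EVP_sha256() has a fixed digest size — confirm that matches the project's assert semantics. While the line above it is being rewritten, the untouched context message "Failed to initial SHA256 context." could become "Failed to initialize SHA256 context.". The function's opening lines (its parameter list and the `_cleanup_` declaration) are in the previous hunk.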
From: Lennart Poettering
Date: Wed, 29 Sep 2021 15:03:44 +0200
Subject: [PATCH 2/3] openssl-util: use EVP API to get RSA bits

---
 src/shared/openssl-util.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index bb47ae5e87..bd728e6c7c 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -46,7 +46,6 @@ int rsa_pkey_to_suitable_key_size(
                 size_t *ret_suitable_key_size) {
         size_t suitable_key_size;
-        const RSA *rsa;
         int bits;
         assert_se(pkey);
@@ -58,11 +57,7 @@ int rsa_pkey_to_suitable_key_size(
         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
                 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
-        rsa = EVP_PKEY_get0_RSA(pkey);
-        if (!rsa)
-                return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
-
-        bits = RSA_bits(rsa);
+        bits = EVP_PKEY_bits(pkey);
         log_debug("Bits in RSA key: %i", bits);
         /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
From 6d74db7ef6fa52dcb4f08296083fb8f3c9f38961 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 29 Sep 2021 14:40:34 +0200
Subject: [PATCH 3/3] Revert "ci: temporarily set -Wno-deprecated-declarations in Packit"

This reverts commit af861917c5118cb9f1490f407d86f40fd5e01437.
---
 .packit.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.packit.yml b/.packit.yml
index 98b71fc15e..962c77913e 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -31,9 +31,6 @@ actions:
       # [0] https://github.com/mesonbuild/meson/issues/7360
       # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
     - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
-      # FIXME: temporarily disable the deprecated-declarations check to suppress
-      # OpenSSL 3.0 warnings in Rawhide
-    - 'sed -i "1 i %global optflags %{optflags} -Wno-deprecated-declarations" .packit_rpm/systemd.spec'
 jobs:
   - job: copr_build
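Review bot: `bits = EVP_PKEY_bits(pkey);` in the second openssl-util.c hunk drops the explicit failure branch that the removed EVP_PKEY_get0_RSA() path had; EVP_PKEY_bits() signals a key whose size it cannot determine by returning 0, and the new code logs that value and carries on without distinguishing the case. Unless the code after the hunk already rejects a non-positive bit count, add `if (bits <= 0) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine RSA key size from X.509 certificate.");` directly after the assignment so an unusable key is reported the way it was before. rsa_pkey_to_suitable_key_size() begins before this hunk and its use of `bits` continues past it. The first hunk in this file only removes the now-unused `rsa` local.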