From 220b7e0afa943693a4fdafd9a5b8d9e38ea4e785 Mon Sep 17 00:00:00 2001

From: Petr Gotthard <petr.gotthard@centrum.cz>

Date: Sat, 7 Aug 2021 15:54:51 +0200

Subject: [PATCH 09/17] openssl: Convert deprecated SHA256|384 digesters to

 EVP_Digest

The EVP_Digest function is available since OpenSSL 1.1.0

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>

---

 lib/tpm2_identity_util.c | 34 ++++++++++++++++++++++++----------

 lib/tpm2_kdfe.c          | 13 +++++++++++--

 lib/tpm2_openssl.c       | 17 -----------------

 lib/tpm2_openssl.h       | 28 ----------------------------

 lib/tpm2_util.c          | 15 +++++++++++----

 5 files changed, 46 insertions(+), 61 deletions(-)

diff --git a/lib/tpm2_identity_util.c b/lib/tpm2_identity_util.c

index a268295f..e0c3f404 100644

--- a/lib/tpm2_identity_util.c

+++ b/lib/tpm2_identity_util.c

@@ -391,11 +391,20 @@ bool tpm2_identity_util_calculate_inner_integrity(TPMI_ALG_HASH name_alg,

     Tss2_MU_UINT16_Marshal(hash_size, marshalled_sensitive_and_name_digest,

             sizeof(uint16_t), &digest_size_info);

-    digester d = tpm2_openssl_halg_to_digester(name_alg);

-    d(buffer_marshalled_sensitiveArea,

-            marshalled_sensitive_size_info + marshalled_sensitive_size

-                    + pubname->size,

-            marshalled_sensitive_and_name_digest + digest_size_info);

+    const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg);

+    if (!md) {

+        LOG_ERR("Algorithm not supported: %x", name_alg);

+        return false;

+    }

+    int rc = EVP_Digest(buffer_marshalled_sensitiveArea,

+                        marshalled_sensitive_size_info + marshalled_sensitive_size

+                            + pubname->size,

+                        marshalled_sensitive_and_name_digest + digest_size_info,

+                        NULL, md, NULL);

+    if (!rc) {

+        LOG_ERR("Hash calculation failed");

+        return false;

+    }

     //Inner integrity

     encrypted_inner_integrity->size = marshalled_sensitive_size_info

@@ -452,16 +461,21 @@ bool tpm2_identity_create_name(TPM2B_PUBLIC *public, TPM2B_NAME *pubname) {

             &tpmt_marshalled_size);

     // Step 3 - Hash the data into name just past the alg type.

-    digester d = tpm2_openssl_halg_to_digester(name_alg);

-    if (!d) {

+    const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg);

+    if (!md) {

+        LOG_ERR("Algorithm not supported: %x", name_alg);

         return false;

     }

-    d((const unsigned char *) &marshaled_tpmt, tpmt_marshalled_size,

-            pubname->name + hash_offset);

+    unsigned int hash_size;

+    int rc = EVP_Digest(&marshaled_tpmt, tpmt_marshalled_size,

+                        pubname->name + hash_offset, &hash_size, md, NULL);

+    if (!rc) {

+        LOG_ERR("Hash calculation failed");

+        return false;

+    }

     //Set the name size, UINT16 followed by HASH

-    UINT16 hash_size = tpm2_alg_util_get_hash_size(name_alg);

     pubname->size = hash_size + hash_offset;

     return true;

diff --git a/lib/tpm2_kdfe.c b/lib/tpm2_kdfe.c

index e8aeb04c..aa4d3e0b 100644

--- a/lib/tpm2_kdfe.c

+++ b/lib/tpm2_kdfe.c

@@ -42,13 +42,22 @@ TSS2_RC tpm2_kdfe(

     tpm2_util_concat_buffer(&hash_input, (TPM2B *) party_u);

     tpm2_util_concat_buffer(&hash_input, (TPM2B *) party_v);

-    digester d = tpm2_openssl_halg_to_digester(hash_alg);

+    const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(hash_alg);

+    if (!md) {

+        LOG_ERR("Algorithm not supported: %x", hash_alg);

+        return TPM2_RC_HASH;

+    }

     for (done = 0, counter = 1; done < bytes; done += hash_size, counter++) {

         counter_be = tpm2_util_hton_32(counter);

         memcpy(hash_input.buffer, &counter_be, 4);

-        d(hash_input.buffer, hash_input.size, result_key->buffer + done);

+        int rc = EVP_Digest(hash_input.buffer, hash_input.size,

+                            result_key->buffer + done, NULL, md, NULL);

+        if (!rc) {

+            LOG_ERR("Hash calculation failed");

+            return TPM2_RC_MEMORY;

+        }

     }

     // truncate the result to the desired size

     result_key->size = bytes;

diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c

index 1752525e..cdce92f8 100644

--- a/lib/tpm2_openssl.c

+++ b/lib/tpm2_openssl.c

@@ -368,23 +368,6 @@ out:

     return result;

 }

-digester tpm2_openssl_halg_to_digester(TPMI_ALG_HASH halg) {

-

-    switch (halg) {

-    case TPM2_ALG_SHA1:

-        return SHA1;

-    case TPM2_ALG_SHA256:

-        return SHA256;

-    case TPM2_ALG_SHA384:

-        return SHA384;

-    case TPM2_ALG_SHA512:

-        return SHA512;

-        /* no default */

-    }

-

-    return NULL;

-}

-

 /*

  * Per man openssl(1), handle the following --passin formats:

  *     pass:password

diff --git a/lib/tpm2_openssl.h b/lib/tpm2_openssl.h

index 642e4635..78cb826a 100644

--- a/lib/tpm2_openssl.h

+++ b/lib/tpm2_openssl.h

@@ -28,23 +28,6 @@

         EC_POINT_get_affine_coordinates_GFp(group, tpm_pub_key, bn_x, bn_y, dmy)

 #endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */

-/**

- * Function prototype for a hashing routine.

- *

- * This is a wrapper around OSSL SHA256|384 and etc digesters.

- *

- * @param d

- *  The data to digest.

- * @param n

- *  The length of the data to digest.

- * @param md

- *  The output message digest.

- * @return

- * A pointer to the digest or NULL on error.

- */

-typedef unsigned char *(*digester)(const unsigned char *d, size_t n,

-        unsigned char *md);

-

 static inline const char *tpm2_openssl_get_err(void) {

     return ERR_error_string(ERR_get_error(), NULL);

 }

@@ -147,17 +130,6 @@ bool tpm2_openssl_hash_pcr_banks_le(TPMI_ALG_HASH hashAlg,

 bool tpm2_openssl_pcr_extend(TPMI_ALG_HASH halg, BYTE *pcr,

         const BYTE *data, UINT16 length);

-/**

- * Returns a function pointer capable of performing the

- * given digest from a TPMI_HASH_ALG.

- *

- * @param halg

- *  The hashing algorithm to use.

- * @return

- *  NULL on failure or a valid digester on success.

- */

-digester tpm2_openssl_halg_to_digester(TPMI_ALG_HASH halg);

-

 typedef enum tpm2_openssl_load_rc tpm2_openssl_load_rc;

 enum tpm2_openssl_load_rc {

     lprc_error = 0, /* an error has occurred */

diff --git a/lib/tpm2_util.c b/lib/tpm2_util.c

index 4125a4b9..d2c654db 100644

--- a/lib/tpm2_util.c

+++ b/lib/tpm2_util.c

@@ -579,13 +579,20 @@ bool tpm2_util_calc_unique(TPMI_ALG_HASH name_alg,

     memcpy(buf.buffer, seed->buffer, seed->size);

     memcpy(&buf.buffer[seed->size], key->buffer, key->size);

-    digester d = tpm2_openssl_halg_to_digester(name_alg);

-    if (!d) {

+    const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg);

+    if (!md) {

+        LOG_ERR("Algorithm not supported: %x", name_alg);

         return false;

     }

-    unique_data->size = tpm2_alg_util_get_hash_size(name_alg);

-    d(buf.buffer, buf.size, unique_data->buffer);

+    unsigned int hash_size;

+    int rc = EVP_Digest(buf.buffer, buf.size, unique_data->buffer, &hash_size,

+                        md, NULL);

+    if (!rc) {

+        LOG_ERR("Hash calculation failed");

+        return false;

+    }

+    unique_data->size = hash_size;

     return true;

 }

-- 

2.31.1