From: Job Snijders Subject: rpki-client: change SHA256_{Init,Update,Final} to EVP_Digest{Init_ex,Update,Final_ex} To: tech@openbsd.org Date: Tue, 27 Feb 2024 21:23:37 +0000 Changing the following to help with future portability. SHA256_Init() -> EVP_DigestInit_ex() SHA256_Update() -> EVP_DigestUpdate() SHA256_Final() -> EVP_DigestFinal_ex() Also add EVP_MD_CTX_new() and EVP_MD_CTX_free() OK?
Index: rrdp.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rrdp.c,v
diff -u -p -r1.33 rrdp.c
--- rrdp.c 16 Feb 2024 11:46:57 -0000 1.33
+++ rrdp.c 27 Feb 2024 21:15:57 -0000
@@ -28,7 +28,7 @@
 #include
 #include
-#include
+#include
 #include "extern.h"
 #include "rrdp.h"
@@ -63,7 +63,7 @@ struct rrdp {
 enum rrdp_task task;
 char hash[SHA256_DIGEST_LENGTH];
- SHA256_CTX ctx;
+ EVP_MD_CTX *ctx;
 struct rrdp_session *repository;
 struct rrdp_session *current;
@@ -509,7 +509,8 @@ rrdp_data_handler(struct rrdp *s)
 if (s->task != NOTIFICATION) {
 char h[SHA256_DIGEST_LENGTH];
- SHA256_Final(h, &s->ctx);
+ EVP_DigestFinal_ex(s->ctx, h, NULL);
+ EVP_MD_CTX_free(s->ctx);
 if (memcmp(s->hash, h, sizeof(s->hash)) != 0) {
 s->state |= RRDP_STATE_PARSE_ERROR;
 warnx("%s: bad message digest", s->local);
@@ -523,7 +524,7 @@ rrdp_data_handler(struct rrdp *s)
 /* parse and maybe hash the bytes just read */
 if (s->task != NOTIFICATION)
- SHA256_Update(&s->ctx, buf, len);
+ EVP_DigestUpdate(s->ctx, buf, len);
 if ((s->state & RRDP_STATE_PARSE_ERROR) == 0 && XML_Parse(p, buf, len, 0) != XML_STATUS_OK) {
 warnx("%s: parse error at line %llu: %s", s->local, 
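Review bot: The result of `EVP_DigestFinal_ex()` in rrdp_data_handler is ignored, so if it fails `h` is still uninitialised when `memcmp()` compares it against `s->hash`. The same unchecked pattern applies to `EVP_DigestUpdate()` in the next hunk, to `EVP_MD_CTX_new()` and `EVP_DigestInit_ex()` in proc_rrdp, and to every EVP call in valid_filehash in validate.c; `EVP_MD_CTX_new()` allocates and can return NULL, which would then be passed on to the digest calls. I would make each failure fatal, for example `if (!EVP_DigestFinal_ex(s->ctx, h, NULL)) errx(1, "EVP_DigestFinal_ex");` and `if ((s->ctx = EVP_MD_CTX_new()) == NULL) err(1, "EVP_MD_CTX_new");`, assuming err(3)-style exits are acceptable in these paths as they are in valid_filehash's size check. The body of rrdp_data_handler extends beyond this hunk on both sides.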
@@ -568,7 +569,9 @@ proc_rrdp(int fd)
 uri = notification_get_next(s->nxml, s->hash, sizeof(s->hash), s->task);
- SHA256_Init(&s->ctx);
+ s->ctx = EVP_MD_CTX_new();
+ EVP_DigestInit_ex(s->ctx, EVP_sha256(),
+ NULL);
 rrdp_http_req(s->id, uri, NULL);
 break;
 }
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
diff -u -p -r1.72 validate.c
--- validate.c 22 Feb 2024 12:49:42 -0000 1.72
+++ validate.c 27 Feb 2024 21:15:57 -0000
@@ -25,6 +25,8 @@
 #include
 #include
+#include
+
 #include "extern.h"
 extern ASN1_OBJECT *certpol_oid;
@@ -218,10 +220,10 @@ valid_spl(const char *fn, struct cert *c
 int
 valid_filehash(int fd, const char *hash, size_t hlen)
 {
- SHA256_CTX ctx;
- char filehash[SHA256_DIGEST_LENGTH];
- char buffer[8192];
- ssize_t nr;
+ EVP_MD_CTX *ctx;
+ char filehash[SHA256_DIGEST_LENGTH];
+ char buffer[8192];
+ ssize_t nr;
 if (hlen != sizeof(filehash))
 errx(1, "bad hash size");
@@ -229,11 +231,13 @@ valid_filehash(int fd, const char *hash,
 if (fd == -1)
 return 0;
- SHA256_Init(&ctx);
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
 while ((nr = read(fd, buffer, sizeof(buffer))) > 0)
- SHA256_Update(&ctx, buffer, nr);
+ EVP_DigestUpdate(ctx, buffer, nr);
 close(fd);
- SHA256_Final(filehash, &ctx);
+ EVP_DigestFinal_ex(ctx, filehash, NULL);
+ EVP_MD_CTX_free(ctx);
 if (memcmp(hash, filehash, sizeof(filehash)) != 0)
 return 0;
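Review bot: `s->ctx` is now a heap object allocated in proc_rrdp for every request, but the only `EVP_MD_CTX_free()` in the patch sits on the end-of-data path of rrdp_data_handler, and the pointer is not cleared there. If a session is aborted or released before that path runs (the teardown code is not visible in this diff), the context leaks, and the stale pointer left after the free becomes a double free or use-after-free as soon as anything touches it again. I would write `EVP_MD_CTX_free(s->ctx); s->ctx = NULL;` at the free site and add the same pair wherever a `struct rrdp` is released or its request fails. The enclosing switch case starts outside this hunk.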
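Review bot: In valid_filehash a failed `read()` (`nr == -1`) leaves the `while` loop exactly like end-of-file, so the digest is finalised over a partial file and the caller only sees a hash mismatch. The result still fails closed, but an I/O error becomes indistinguishable from a modified or stale object when validation failures are triaged. A check placed before `close(fd)` so errno is still intact, something like `if (nr == -1) warn("read");`, would keep the two cases apart; the loop itself predates this commit. The function starts in the previous hunk and continues past the end of this one.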