OpenSSL v3 emits deprecated warnings for SHA1 functions. Use the EVP_ functions when walking the TPM 1.2 binary bios measurements to calculate the TPM 1.2 PCRs. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> --- src/evmctl.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 59 insertions(+), 6 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 621136b5b85f..6534950f3683 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -2296,6 +2296,11 @@ static int cmd_ima_measurement(struct command *cmd) return ima_measurement(file); } +/* + * read_binary_bios_measurements - read the TPM 1.2 event log + * + * Returns 0 on success, 1 on failure. + */ #define MAX_EVENT_DATA_SIZE 200000 static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) { @@ -2308,12 +2313,19 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) } header; unsigned char data[MAX_EVENT_DATA_SIZE]; } event; + EVP_MD_CTX *mdctx; + const EVP_MD *md; + unsigned int mdlen; + int evp_err = 1; /* success */ struct stat s; FILE *fp; - SHA_CTX c; int err = 0; int len; int i; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + EVP_MD_CTX ctx; + mdctx = &ctx; +#endif if (stat(file, &s) == -1) { errno = 0; @@ -2335,6 +2347,23 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) if (imaevm_params.verbose > LOG_INFO) log_info("Reading the TPM 1.2 event log %s.\n", file); + md = EVP_get_digestbyname(bank->algo_name); + if (!md) { + log_errno("Unknown message digest %s\n", bank->algo_name); + errno = 0; + fclose(fp); + return 1; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + mdctx = EVP_MD_CTX_new(); + if (!mdctx) { + log_err("EVP_MD_CTX_new failed\n"); + fclose(fp); + return 1; + } +#endif + /* Extend the pseudo TPM PCRs with the event digest */ while (fread(&event, sizeof(event.header), 1, fp) == 1) { if (imaevm_params.verbose > LOG_INFO) { @@ -2343,13 +2372,30 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) } if (event.header.pcr >= NUM_PCRS) { log_err("Invalid PCR %d.\n", event.header.pcr); - err = 1; break; } - SHA1_Init(&c); - SHA1_Update(&c, bank->pcr[event.header.pcr], 20); - SHA1_Update(&c, event.header.digest, 20); - SHA1_Final(bank->pcr[event.header.pcr], &c); + + evp_err = EVP_DigestInit(mdctx, md); + if (evp_err == 0) { + log_err("EVP_DigestInit() failed\n"); + break; + } + + evp_err = EVP_DigestUpdate(mdctx, bank->pcr[event.header.pcr], 20); + if (evp_err == 0) { + log_err("EVP_DigestUpdate() failed\n"); + break; + } + evp_err = EVP_DigestUpdate(mdctx, event.header.digest, 20); + if (evp_err == 0) { + log_err("EVP_DigestUpdate() failed\n"); + break; + } + evp_err = EVP_DigestFinal(mdctx, bank->pcr[event.header.pcr], &mdlen); + if (evp_err == 0) { + log_err("EVP_DigestFinal() failed\n"); + break; + } if (event.header.len > MAX_EVENT_DATA_SIZE) { log_err("Event data event too long.\n"); err = 1; @@ -2358,10 +2404,17 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) len = fread(event.data, event.header.len, 1, fp); if (len != 1) { log_errno("Failed reading event data (short read)\n"); + err = 1; break; } } + + if (evp_err == 0) /* EVP_ functions return 1 on success, 0 on failure */ + err = 1; fclose(fp); +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + EVP_MD_CTX_free(mdctx); +#endif if (imaevm_params.verbose <= LOG_INFO) return err; -- 2.31.1