[PATCH] lib: rsa: use actual OpenSSL 1.1.0 EVP MD API
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new() EVP_MD_CTX_destroy() is EVP_MD_CTX_free() EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init() can be dropped. As there's no need to reset an EVP_MD_CTX before it's destroyed, as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset() is not needed and can be dropped.
Signed-off-by: Yann Droneaud ydroneaud@opteya.com ---
lib/rsa/rsa-sign.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 3e7b7982890b..b2a21199e485 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -383,12 +383,11 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, goto err_alloc; }
- context = EVP_MD_CTX_create(); + context = EVP_MD_CTX_new(); if (!context) { ret = rsa_err("EVP context creation failed"); goto err_create; } - EVP_MD_CTX_init(context);
ckey = EVP_PKEY_CTX_new(pkey, NULL); if (!ckey) { @@ -425,8 +424,7 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, goto err_sign; }
- EVP_MD_CTX_reset(context); - EVP_MD_CTX_destroy(context); + EVP_MD_CTX_free(context);
debug("Got signature: %zu bytes, expected %d\n", size, EVP_PKEY_size(pkey)); *sigp = sig; @@ -435,7 +433,7 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, return 0;
err_sign: - EVP_MD_CTX_destroy(context); + EVP_MD_CTX_free(context); err_create: free(sig); err_alloc:
Hi,
On Tue, 1 Mar 2022 at 08:12, Yann Droneaud ydroneaud@opteya.com wrote:
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new() EVP_MD_CTX_destroy() is EVP_MD_CTX_free() EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init() can be dropped. As there's no need to reset an EVP_MD_CTX before it's destroyed, as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset() is not needed and can be dropped.
Do we still need to support the old version?
Signed-off-by: Yann Droneaud ydroneaud@opteya.com
lib/rsa/rsa-sign.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
Regards, Simon
On 3/2/22 02:10, Simon Glass wrote:
Hi,
On Tue, 1 Mar 2022 at 08:12, Yann Droneaud ydroneaud@opteya.com wrote:
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new() EVP_MD_CTX_destroy() is EVP_MD_CTX_free() EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init() can be dropped. As there's no need to reset an EVP_MD_CTX before it's destroyed, as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset() is not needed and can be dropped.
Do we still need to support the old version?
https://endoflife.software/applications/security-libraries/openssl says support for 1.1.0 expired 2018. So there is no need to support older APIs. But as many LTS distros are not on OpenSSL 3 yet, we have to stay with the 1.1.1 API.
Best regards
Heinrich
Signed-off-by: Yann Droneaud ydroneaud@opteya.com
lib/rsa/rsa-sign.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
Regards, Simon
Hi,
Le 02/03/2022 à 02:10, Simon Glass a écrit :
On Tue, 1 Mar 2022 at 08:12, Yann Droneaud ydroneaud@opteya.com wrote:
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new() EVP_MD_CTX_destroy() is EVP_MD_CTX_free() EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init() can be dropped. As there's no need to reset an EVP_MD_CTX before it's destroyed, as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset() is not needed and can be dropped.
Do we still need to support the old version?
No, see https://source.denx.de/u-boot/u-boot/-/commit/fe68a67a5f11991146f47c2975a4e1...
Regards
On Tue, Mar 01, 2022 at 04:12:34PM +0100, Yann Droneaud wrote:
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new() EVP_MD_CTX_destroy() is EVP_MD_CTX_free() EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init() can be dropped. As there's no need to reset an EVP_MD_CTX before it's destroyed, as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset() is not needed and can be dropped.
Signed-off-by: Yann Droneaud ydroneaud@opteya.com
Applied to u-boot/master, thanks!
participants (4)
-
Heinrich Schuchardt -
Simon Glass -
Tom Rini -
Yann Droneaud