Avoid using functions deprecated in OpenSSL 3.

nih-at · May 19, 2023 · 265aba3 · 265aba3
1 parent b3ac716
commit 265aba3
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 9 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -6,13 +6,13 @@
 * Fix handling of files of size 4294967295.
 * `zipmerge`: copy extra fields.
 * `zipmerge`: add option to keep files uncompressed.
-* CMake: add detection of mbedTLS version 3.
 * Use ISO C secure library functions, if available.
 * Fix reading/writing compressed data with buffers > 4GiB.
 * Restore support for torrentzip.
 * Add warnings when using deprecated functions.
 * Allow keeping files for empty archives.
-* Support mbedTLS>=3.3.0
+* Support mbedTLS>=3.3.0.
+* Support OpenSSL 3.
 
 
 # 1.9.2 [2022-06-28]

diff --git a/lib/zip_crypto_openssl.c b/lib/zip_crypto_openssl.c
@@ -40,11 +40,32 @@
 #include <limits.h>
 #include <openssl/rand.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)
-#define USE_OPENSSL_1_0_API
+#ifdef USE_OPENSSL_3_API
+struct _zip_crypto_hmac_t {
+    EVP_MAC *mac;
+    EVP_MAC_CTX *ctx;
+};
+
+static _zip_crypto_hmac_t* hmac_new() {
+    _zip_crypto_hmac_t *hmac = (_zip_crypto_hmac_t*)malloc(sizeof(*hmac));
+    if (hmac != NULL) {
+        hmac->mac = NULL;
+        hmac->ctx = NULL;
+    }
+}
+static void hmac_free(_zip_crypto_hmac_t* hmac) {
+    if (hmac != NULL) {
+        if (hmac->ctx != NULL) {
+            EVP_MAC_CTX_free(hmac->ctx);
+        }
+        if (hmac->mac != NULL) {
+            EVP_MAC_free(hmac->mac);
+        }
+        free(hmac);
+    }
+}
 #endif
 
-
 _zip_crypto_aes_t *
 _zip_crypto_aes_new(const zip_uint8_t *key, zip_uint16_t key_size, zip_error_t *error) {
     _zip_crypto_aes_t *aes;
@@ -126,13 +147,34 @@ _zip_crypto_hmac_new(const zip_uint8_t *secret, zip_uint64_t secret_length, zip_
         return NULL;
     }
 
+#ifdef USE_OPENSSL_3_API
+    if ((hmac = hmac_new()) == NULL
+        || (hmac->mac = EVP_MAC_fetch(NULL, "HMAC", "provider=fips")) == NULL
+        || (hmac->ctx = EVP_MAC_CTX_new(hmac->mac)) == NULL) {
+        hmac_free(hmac);
+        zip_error_set(error, ZIP_ER_MEMORY, 0);
+        return NULL;
+    }
+
+    {
+        OSSL_PARAM params[2];
+        params[0] = OSSL_PARAM_construct_utf8_string("digest", "sha1", 0);
+        params[1] = OSSL_PARAM_construct_end();
+
+        if (!EVP_MAC_init(hmac->ctx, (const unsigned char *)secret, secret_length, params)) {
+            zip_error_set(error, ZIP_ER_INTERNAL, 0);
+            hmac_free(hmac);
+            return NULL;
+        }
+    }
+#else
 #ifdef USE_OPENSSL_1_0_API
     if ((hmac = (_zip_crypto_hmac_t *)malloc(sizeof(*hmac))) == NULL) {
         zip_error_set(error, ZIP_ER_MEMORY, 0);
         return NULL;
     }
 
-    HMAC_CTX_init(hmac);
+        HMAC_CTX_init(hmac);
 #else
     if ((hmac = HMAC_CTX_new()) == NULL) {
         zip_error_set(error, ZIP_ER_MEMORY, 0);
@@ -149,6 +191,7 @@ _zip_crypto_hmac_new(const zip_uint8_t *secret, zip_uint64_t secret_length, zip_
 #endif
         return NULL;
     }
+#endif
 
     return hmac;
 }
@@ -160,7 +203,9 @@ _zip_crypto_hmac_free(_zip_crypto_hmac_t *hmac) {
         return;
     }
 
-#ifdef USE_OPENSSL_1_0_API
+#if defined(USE_OPENSSL_3_API)
+    hmac_free(hmac);
+#elif defined(USE_OPENSSL_1_0_API)
     HMAC_CTX_cleanup(hmac);
     _zip_crypto_clear(hmac, sizeof(*hmac));
     free(hmac);
@@ -172,9 +217,13 @@ _zip_crypto_hmac_free(_zip_crypto_hmac_t *hmac) {
 
 bool
 _zip_crypto_hmac_output(_zip_crypto_hmac_t *hmac, zip_uint8_t *data) {
+#ifdef USE_OPENSSL_3_API
+    size_t length;
+    return EVP_MAC_final(hmac->ctx, data, &length, ZIP_CRYPTO_SHA1_LENGTH) == 1 && length == ZIP_CRYPTO_SHA1_LENGTH;
+#else
     unsigned int length;
-
     return HMAC_Final(hmac, data, &length) == 1;
+#endif
 }
 
 

diff --git a/lib/zip_crypto_openssl.h b/lib/zip_crypto_openssl.h
@@ -39,14 +39,27 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)
+#define USE_OPENSSL_1_0_API
+#elif OPENSSL_VERSION_NUMBER < 0x3000000fL
+#define USE_OPENSSL_1_1_API
+#else
+#define USE_OPENSSL_3_API
+#endif
+
 #define _zip_crypto_aes_t EVP_CIPHER_CTX
+#ifdef USE_OPENSSL_3_API
+typedef struct _zip_crypto_hmac_t _zip_crypto_hmac_t;
+#define _zip_crypto_hmac(hmac, data, length) (EVP_MAC_update((hmac->ctx), (data), (length)) == 1)
+#else
 #define _zip_crypto_hmac_t HMAC_CTX
+#define _zip_crypto_hmac(hmac, data, length) (HMAC_Update((hmac), (data), (length)) == 1)
+#endif
 
 void _zip_crypto_aes_free(_zip_crypto_aes_t *aes);
 bool _zip_crypto_aes_encrypt_block(_zip_crypto_aes_t *aes, const zip_uint8_t *in, zip_uint8_t *out);
 _zip_crypto_aes_t *_zip_crypto_aes_new(const zip_uint8_t *key, zip_uint16_t key_size, zip_error_t *error);
 
-#define _zip_crypto_hmac(hmac, data, length) (HMAC_Update((hmac), (data), (length)) == 1)
 void _zip_crypto_hmac_free(_zip_crypto_hmac_t *hmac);
 _zip_crypto_hmac_t *_zip_crypto_hmac_new(const zip_uint8_t *secret, zip_uint64_t secret_length, zip_error_t *error);
 bool _zip_crypto_hmac_output(_zip_crypto_hmac_t *hmac, zip_uint8_t *data);