From bf1a29e9e192a001e7e91fdb18b38462d36709da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 16 Jan 2023 12:56:53 +0100
Subject: [PATCH] Use OpenSSL 1.x SHA_CTX API in isc_iterated_hash()

If the OpenSSL SHA1_{Init,Update,Final} API is still available, use it.
The API has been deprecated in OpenSSL 3.0, but it is significantly
faster than EVP_MD API, so make an exception here and keep using it
until we can't.

(cherry picked from commit 25db8d010337b8f62705b44a7f01aa4658ce1c6f)
---
 lib/isc/iterated_hash.c | 77 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 70 insertions(+), 7 deletions(-)

diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
index 5e5b67c388..de1f3a36a3 100644
--- a/lib/isc/iterated_hash.c
+++ b/lib/isc/iterated_hash.c
@@ -13,12 +13,64 @@
 
 #include <stdio.h>
 
-#include <openssl/evp.h>
+#include <openssl/opensslv.h>
 
 #include <isc/iterated_hash.h>
-#include <isc/md.h>
 #include <isc/util.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+
+#include <openssl/sha.h>
+
+int
+isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
+		  const int iterations, const unsigned char *salt,
+		  const int saltlength, const unsigned char *in,
+		  const int inlength) {
+	REQUIRE(out != NULL);
+
+	int n = 0;
+	size_t len;
+	const unsigned char *buf;
+	SHA_CTX ctx;
+
+	if (hashalg != 1) {
+		return (0);
+	}
+
+	buf = in;
+	len = inlength;
+
+	do {
+		if (SHA1_Init(&ctx) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Update(&ctx, buf, len) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Update(&ctx, salt, saltlength) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Final(out, &ctx) != 1) {
+			return (0);
+		}
+
+		buf = out;
+		len = SHA_DIGEST_LENGTH;
+	} while (n++ < iterations);
+
+	return (SHA_DIGEST_LENGTH);
+}
+
+#else
+
+#include <openssl/evp.h>
+
+#include <isc/md.h>
+
 int
 isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
 		  const int iterations, const unsigned char *salt,
@@ -30,18 +82,24 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
 	size_t len;
 	unsigned int outlength = 0;
 	const unsigned char *buf;
-	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-
-	RUNTIME_CHECK(ctx != NULL);
+	EVP_MD_CTX *ctx;
+	;
+	EVP_MD *md;
 
 	if (hashalg != 1) {
 		return (0);
 	}
 
-	len = inlength;
+	ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(ctx != NULL);
+	md = EVP_MD_fetch(NULL, "SHA1", NULL);
+	RUNTIME_CHECK(md != NULL);
+
 	buf = in;
+	len = inlength;
+
 	do {
-		if (EVP_DigestInit_ex(ctx, ISC_MD_SHA1, NULL) != 1) {
+		if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
 			goto fail;
 		}
 
@@ -62,10 +120,15 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
 	} while (n++ < iterations);
 
 	EVP_MD_CTX_free(ctx);
+	EVP_MD_free(md);
 
 	return (outlength);
 
 fail:
 	EVP_MD_CTX_free(ctx);
+	EVP_MD_free(md);
+
 	return (0);
 }
+
+#endif