From f5622042fb8fd6e0e653e8bd99ff7fd00b8342de Mon Sep 17 00:00:00 2001 From: Benjamin Drung Date: Wed, 3 Aug 2022 14:06:10 +0200 Subject: [PATCH] Include OpenSSL legacy.so for ripemd160 and whirlpool OpenSSL 3.0 moved support for some crypto hashes (like ripemd160 and whirlpool) into `/usr/lib/${arch}/ossl-modules/legacy.so`. Include this library if the crypto hashes ripemd160 or whirlpool were detected. Bug-Ubuntu: https://launchpad.net/bugs/1979159 Signed-off-by: Benjamin Drung --- debian/initramfs/hooks/cryptroot | 44 +++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot index 81f65869..dbea51d6 100644 --- a/debian/initramfs/hooks/cryptroot +++ b/debian/initramfs/hooks/cryptroot @@ -200,6 +200,24 @@ generate_initrd_crypttab() { rm -f "$DESTDIR/cryptroot/targets" } +# populate_CRYPTO_HASHES() +# Find out which crypto hashes are required for a crypttab(5) entry, +# and append them to the CRYPTO_HASHES variable. +populate_CRYPTO_HASHES() { + local hashes + + if ! cryptsetup isLuks "$CRYPTTAB_SOURCE"; then + return + fi + + # TODO: Maybe use --dump-json-metadata and jq (new dependency) + hashes=$(cryptsetup luksDump "$CRYPTTAB_SOURCE" | sed -n 's/\W*Hash:\W*//p') + if test -z "$hashes"; then + return + fi + CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES }${hashes}" +} + # populate_CRYPTO_MODULES() # Find out which crypto modules are required for a crypttab(5) entry, # and append them to the CRYPTO_MODULES variable. 
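Review bot: The `sed -n 's/\W*Hash:\W*//p'` filter in populate_CRYPTO_HASHES only picks up lines containing the literal `Hash:`. As far as I recall, LUKS1 `luksDump` prints the header hash as `Hash spec:`, which this would miss, so please check it against a LUKS1 header; something like `sed -n 's/^\W*Hash\( spec\)\?:\W*//p'` would cover both forms. The `isLuks` early return also means a plain dm-crypt entry whose hash comes from a crypttab option is never considered. The exit status of `luksDump` is lost in the pipeline, so a failed dump looks the same as "no hashes". Each of these produces an initramfs without legacy.so and a volume that cannot be unlocked at boot, so a warning on stderr when the dump fails would be worth adding.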
@@ -263,6 +281,30 @@ add_crypto_modules() { done } +# copy_cryptsetup() +# Copy cryptsetup binary and dependencies to initramfs. +copy_cryptsetup() { + local arch legacy_so + + copy_exec /sbin/cryptsetup + + # OpenSSL 3.0 moved support for some crypto hashes into legacy.so + # See https://launchpad.net/bugs/1979159 + arch=$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -n 's@^.*=>\W*/lib/\([^/]*\)/libcrypto.so.*$@\1@p') + legacy_so="/usr/lib/${arch}/ossl-modules/legacy.so" + if ! test -e "${legacy_so}"; then + return + fi + + CRYPTO_HASHES= + crypttab_foreach_entry populate_CRYPTO_HASHES + if ! echo "$CRYPTO_HASHES" | grep -Eqw '(ripemd160|whirlpool)'; then + return + fi + + copy_exec "${legacy_so}" +} + ####################################################################### # Begin real processing @@ -296,7 +338,7 @@ fi manual_add_modules dm_mod manual_add_modules dm_crypt -copy_exec /sbin/cryptsetup +copy_cryptsetup copy_exec /sbin/dmsetup [ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass -- 2.34.1
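Review bot: In copy_cryptsetup, `arch` is empty whenever the sed expression finds no `=> /lib/<dir>/libcrypto.so` line in the ldd output, for example if libcrypto resolves under a different prefix or cryptsetup uses another crypto backend. The function then tests `/usr/lib//ossl-modules/legacy.so` and returns silently. An explicit guard such as `[ -n "$arch" ] || return 0`, with a comment saying why, would make that case visible. Separately, because `test -e "${legacy_so}"` runs before the hash check, a system that needs ripemd160 or whirlpool but has no legacy.so installed gets no diagnostic and fails only at unlock time. Collecting CRYPTO_HASHES first and printing a warning when a legacy hash is required but the module is absent would surface this when the initramfs is built.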