From dee82ef764576aef07ad18b59486b7604c44d936 Mon Sep 17 00:00:00 2001
From: Amine Alami <43780877+Alami-Amine@users.noreply.github.com>
Date: Tue, 26 Nov 2024 20:45:18 +0100
Subject: [PATCH] Make IsInitialized implementation in OpenSSL backward
 compatible with older OpenSSL versions (#36634)

---
 src/crypto/CHIPCryptoPALOpenSSL.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp
index e1a8acb55fe5d5..9f2592a12aee0c 100644
--- a/src/crypto/CHIPCryptoPALOpenSSL.cpp
+++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp
@@ -479,11 +479,13 @@ bool Hash_SHA256_stream::IsInitialized()
     EVP_MD_CTX * mdctx = to_inner_hash_evp_md_ctx(&mContext);
     VerifyOrReturnValue(mdctx != nullptr, false);
 
-// Verify that the EVP_MD_CTX is initialized to SHA256 (ensures that EVP_DigestInit_ex was called)
-#if CHIP_CRYPTO_BORINGSSL
+// Verify that the EVP_MD_CTX is initialized to SHA256 (ensures that EVP_DigestInit_ex was successfully called).
+// The legacy API EVP_MD_CTX_md() to check SHA256 initialization is deprecated in OpenSSL 3.0
+// and was replaced by EVP_MD_CTX_get0_md().
+// OpenSSL 1.1.1, which BoringSSL also uses at the time of this comment, does not support the newer replacement API.
+#if CHIP_CRYPTO_BORINGSSL || (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L)
     return EVP_MD_CTX_md(mdctx) == _digestForType(DigestType::SHA256);
 #else
-    // EVP_MD_CTX_md() was Deprecated in OPENSSL 3.0; However, BoringSSL does not support EVP_MD_CTX_get0_md() yet
     return EVP_MD_CTX_get0_md(mdctx) == _digestForType(DigestType::SHA256);
 #endif
 }