From 00a455c8a70dcb3095cdce39b499d212b69454b7 Mon Sep 17 00:00:00 2001
From: Alex Thiessen
Date: Wed, 3 Jan 2018 06:29:52 +0000
Subject: util/broadcom/secimage: Add OpenSSL 1.1 support

The `secimage` utility uses OpenSSL to calculate HMAC, which it does in a rather unorthodox way, using deprecated `HMAC_CTX_init` API and repeated calling of `HMAC_Init_ex` without a clear reason. The former causes build errors with OpenSSL 1.1 while the rest of the `HmacSha256Hash` function is confusing and overly complex. Make `HmacSha256Hash` use a single OpenSSL API call. Test passed: resulting signed binary remains identical.

Change-Id: Ib23c0ad96f9d8cc30ad357de8c0b0ba967c7d724
Signed-off-by: Alex Thiessen
Reviewed-on: https://review.coreboot.org/23069
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel
Reviewed-by: Stefan Reinauer
---
 util/broadcom/secimage/crypto.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
 (limited to 'util/broadcom')

diff --git a/util/broadcom/secimage/crypto.c b/util/broadcom/secimage/crypto.c
index b7041c994b..2fe52b68cf 100644
--- a/util/broadcom/secimage/crypto.c
+++ b/util/broadcom/secimage/crypto.c
@@ -25,19 +25,16 @@
  *---------------------------------------------------------------------*/
 int HmacSha256Hash(uint8_t *data, uint32_t len, uint8_t *hash, uint8_t *key)
 {
-	HMAC_CTX hctx;
+	unsigned int hash_len = 0;
 
-	HMAC_CTX_init(&hctx);
-	HMAC_Init_ex(&hctx, key, 32, EVP_sha256(), NULL);
-
-	/* FIXME: why we need this? NULL means to use whatever there is?
-	 * if removed, result is different
-	 */
-	HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL);
-	HMAC_Update(&hctx, data, len);
-	HMAC_Final(&hctx, hash, NULL);
+	if (!HMAC(EVP_sha256(), key, 32, data, len, hash, &hash_len)) {
+		printf("HMAC failed\n");
+		return -1;
+	} else if (hash_len != 32) {
+		printf("HMAC reported unexpected md_len of %u\n", hash_len);
+		return -2;
+	}
 
-	HMAC_CTX_cleanup(&hctx);
 	return 0;
 }
 
-- 
cgit v1.2.3
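Review bot: The two diagnostics in the new error branches are written to stdout with `printf`, so a failed or malformed HMAC is reported on the same stream as the tool's ordinary output and is lost or mixed into it when stdout is redirected; use `fprintf(stderr, "HMAC failed\n");` and `fprintf(stderr, "HMAC reported unexpected md_len of %u\n", hash_len);`. The key length passed to `HMAC()` and the expected digest length are both the bare literal `32`, and the function takes no key-length parameter, so the requirement that `key` point to exactly 32 bytes is only implied; `SHA256_DIGEST_LENGTH` (from <openssl/sha.h>, if it is included here) or `EVP_MD_size(EVP_sha256())` in both places would make that assumption visible and keep the two values from drifting apart. A short comment above the call, `/* key must point to exactly 32 bytes; hash receives a 32-byte SHA-256 MAC */`, would document the buffer contract for callers, which the signature otherwise leaves unstated.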