refactor(security): add OpenSSL 1.x compatibility
When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fact that 1.x APIs became deprecated in 3.0 and
therefore their use cause compiling errors. In addition, updating
for a newer version of OpenSSL meant improving the stability
against security threats. However, although version 1.1.1 is
now deprecated, it still receives security updates, so it would
not imply major security issues to keep compatibility with it too.
This patch adds backwards compatibility with OpenSSL 1.x versions
by adding back 1.x API code. It defines a macro USING_OPENSSL3,
which will select the appropriate OpenSSL API version depending on
the OpenSSL library path chosen (which is determined by the
already-existing OPENSSL_DIR variable).
In addition, cleanup items were packed in functions and moved to
the proper modules in order to make the code more maintainable and
legible.
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I8deceb5e419edc73277792861882404790ccd33c
diff --git a/tools/cert_create/src/sha.c b/tools/cert_create/src/sha.c
index 06ef360..bb750d4 100644
--- a/tools/cert_create/src/sha.c
+++ b/tools/cert_create/src/sha.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,11 +7,16 @@
#include <stdio.h>
#include "debug.h"
#include "key.h"
+#if USING_OPENSSL3
#include <openssl/evp.h>
#include <openssl/obj_mac.h>
+#else
+#include <openssl/sha.h>
+#endif
#define BUFFER_SIZE 256
+#if USING_OPENSSL3
static int get_algorithm_nid(int hash_alg)
{
int nids[] = {NID_sha256, NID_sha384, NID_sha512};
@@ -20,16 +25,22 @@
}
return nids[hash_alg];
}
+#endif
int sha_file(int md_alg, const char *filename, unsigned char *md)
{
FILE *inFile;
+ int bytes;
+ unsigned char data[BUFFER_SIZE];
+#if USING_OPENSSL3
EVP_MD_CTX *mdctx;
const EVP_MD *md_type;
- int bytes;
int alg_nid;
unsigned int total_bytes;
- unsigned char data[BUFFER_SIZE];
+#else
+ SHA256_CTX shaContext;
+ SHA512_CTX sha512Context;
+#endif
if ((filename == NULL) || (md == NULL)) {
ERROR("%s(): NULL argument\n", __func__);
@@ -42,6 +53,8 @@
return 0;
}
+#if USING_OPENSSL3
+
mdctx = EVP_MD_CTX_new();
if (mdctx == NULL) {
fclose(inFile);
@@ -74,5 +87,32 @@
fclose(inFile);
EVP_MD_CTX_free(mdctx);
return 0;
+
+#else
+
+ if (md_alg == HASH_ALG_SHA384) {
+ SHA384_Init(&sha512Context);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA384_Update(&sha512Context, data, bytes);
+ }
+ SHA384_Final(md, &sha512Context);
+ } else if (md_alg == HASH_ALG_SHA512) {
+ SHA512_Init(&sha512Context);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA512_Update(&sha512Context, data, bytes);
+ }
+ SHA512_Final(md, &sha512Context);
+ } else {
+ SHA256_Init(&shaContext);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA256_Update(&shaContext, data, bytes);
+ }
+ SHA256_Final(md, &shaContext);
+ }
+
+ fclose(inFile);
+ return 1;
+
+#endif
}