util/broadcom/secimage: Add OpenSSL 1.1 support

The `secimage` utility uses OpenSSL to calculate HMAC, which it does in
a rather unorthodox way, using deprecated `HMAC_CTX_init` API and
repeated calling of `HMAC_Init_ex` without a clear reason. The former
causes build errors with OpenSSL 1.1 while the rest of the
`HmacSha256Hash` function is confusing and overly complex.

Make `HmacSha256Hash` use a single OpenSSL API call. Test passed:
resulting signed binary remains identical.

Change-Id: Ib23c0ad96f9d8cc30ad357de8c0b0ba967c7d724
Signed-off-by: Alex Thiessen <alex.thiessen.de+coreboot@gmail.com>
Reviewed-on: https://review.coreboot.org/23069
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>

1 files changed, 8 insertions, 11 deletions

diff --git a/util/broadcom/secimage/crypto.c b/util/broadcom/secimage/crypto.c
index b7041c994b..2fe52b68cf 100644
--- a/util/broadcom/secimage/crypto.c
+++ b/util/broadcom/secimage/crypto.c
@@ -25,19 +25,16 @@
  *---------------------------------------------------------------------*/
 int HmacSha256Hash(uint8_t *data, uint32_t len, uint8_t *hash, uint8_t *key)
 {
-	HMAC_CTX hctx;
+	unsigned int hash_len = 0;
 
-	HMAC_CTX_init(&hctx);
-	HMAC_Init_ex(&hctx, key, 32, EVP_sha256(), NULL);
-
-	/* FIXME: why we need this? NULL means to use whatever there is?
-	 * if removed, result is different
-	 */
-	HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL);
-	HMAC_Update(&hctx, data, len);
-	HMAC_Final(&hctx, hash, NULL);
+	if (!HMAC(EVP_sha256(), key, 32, data, len, hash, &hash_len)) {
+		printf("HMAC failed\n");
+		return -1;
+	} else if (hash_len != 32) {
+		printf("HMAC reported unexpected md_len of %u\n", hash_len);
+		return -2;
+	}
 
-	HMAC_CTX_cleanup(&hctx);
 	return 0;
 }