diff --git a/docs/getting_started/prerequisites.rst b/docs/getting_started/prerequisites.rst
index 3a54e69fc..c625090e7 100644
--- a/docs/getting_started/prerequisites.rst
+++ b/docs/getting_started/prerequisites.rst
@@ -54,7 +54,7 @@ The following tools are required to obtain and build |TF-A|:
 The following libraries must be available to build one or more components or supporting tools:
-- OpenSSL >= 1.0.1
+- OpenSSL >= 3.0
 Required to build the cert_create tool.
diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile
index 77d2007d5..ca548b836 100644
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -62,7 +62,14 @@ HOSTCCFLAGS += ${DEFINES}
 # Make soft links and include from local directory otherwise wrong headers
 # could get pulled in from firmware tree.
 INC_DIR += -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
-LIB_DIR := -L ${OPENSSL_DIR}/lib
+
 # Include library directories where OpenSSL library files are located.
 # For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or
 # /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/
 # directory. However, for a local build of OpenSSL, the built binaries are
 # located under the main project directory (i.e.: ${OPENSSL_DIR}, not
 # ${OPENSSL_DIR}/lib/).
+LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}
 LIB := -lssl -lcrypto
 HOSTCC ?= gcc
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 4b35d735a..67ae1d6ee 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
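Review bot: The new `LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}` still misses the layout OpenSSL 3.0's own `make install` typically produces on 64-bit Linux hosts, where the libraries land under `${OPENSSL_DIR}/lib64`; adding `-L ${OPENSSL_DIR}/lib64` next to the two existing entries covers that case. The same applies to the LIB_DIR hunk in tools/encrypt_fw/Makefile and the LDLIBS hunk in tools/fiptool/Makefile, which carry the identical comment. The added comment says "binaries" where it means the libssl/libcrypto library files, and it does not mention that linking against a locally built OpenSSL sets no runtime search path, so the loader may resolve libcrypto from the system rather than from the copy the tool was built against; a line such as `# Note: -L only affects link time; at run time the same libcrypto must be reachable via rpath or the loader's search path.` would save a debugging round.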
@@ -39,7 +39,7 @@ int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
 if (!btmp)
 return 0;
- if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+ if (!BN_rand(btmp, SERIAL_RAND_BITS, 0, 0))
 goto error;
 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
 goto error;
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 64359756f..2857a3b07 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
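Review bot: The replacement call `BN_rand(btmp, SERIAL_RAND_BITS, 0, 0)` keeps the two bare `0` arguments, which read as magic numbers now that the call is being rewritten anyway; OpenSSL names them, so `BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)` states the intent (top bit forced to one, any low bit) without changing behaviour. A short comment above the call explaining why the serial is drawn from the CSPRNG rather than a counter — certificate serials must be unique and unpredictable — would also help the next reader, since the surrounding code gives no hint. rand_serial's body starts and ends outside the hunk.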
@@ -40,69 +40,25 @@ int key_new(key_t *key)
 static int key_create_rsa(key_t *key, int key_bits)
 {
- BIGNUM *e;
- RSA *rsa = NULL;
-
- e = BN_new();
- if (e == NULL) {
- printf("Cannot create RSA exponent\n");
- goto err;
- }
-
- if (!BN_set_word(e, RSA_F4)) {
- printf("Cannot assign RSA exponent\n");
- goto err;
- }
-
- rsa = RSA_new();
+ EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
 if (rsa == NULL) {
- printf("Cannot create RSA key\n");
- goto err;
- }
-
- if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
 printf("Cannot generate RSA key\n");
- goto err;
+ return 0;
 }
-
- if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
- printf("Cannot assign RSA key\n");
- goto err;
- }
-
- BN_free(e);
+ key->key = rsa;
 return 1;
-err:
- RSA_free(rsa);
- BN_free(e);
- return 0;
 }
 #ifndef OPENSSL_NO_EC
 static int key_create_ecdsa(key_t *key, int key_bits)
 {
- EC_KEY *ec;
-
- ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ EVP_PKEY *ec = EVP_EC_gen("prime256v1");
 if (ec == NULL) {
- printf("Cannot create EC key\n");
- goto err;
- }
- if (!EC_KEY_generate_key(ec)) {
 printf("Cannot generate EC key\n");
- goto err;
+ return 0;
 }
- EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
- EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
- if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
- printf("Cannot assign EC key\n");
- goto err;
- }
-
+ key->key = ec;
 return 1;
-err:
- EC_KEY_free(ec);
- return 0;
 }
 #endif /* OPENSSL_NO_EC */
diff --git a/tools/cert_create/src/sha.c b/tools/cert_create/src/sha.c
index 3d977fbfe..06ef3601b 100644
--- a/tools/cert_create/src/sha.c
+++ b/tools/cert_create/src/sha.c
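Review bot: `key->key = rsa;` in key_create_rsa overwrites whatever key->key already pointed to; if key_new() (named in the hunk header, its body not shown) still allocates an empty container with EVP_PKEY_new(), that object now leaks, and the same applies to `key->key = ec;` in key_create_ecdsa. Either drop the allocation in key_new() or release the old value first with `EVP_PKEY_free(key->key);` immediately before the assignment (EVP_PKEY_free accepts NULL, so this is safe either way). Separately, the old EC path set EC_PKEY_NO_PARAMETERS and OPENSSL_EC_NAMED_CURVE on the key and the new `EVP_EC_gen("prime256v1")` call sets nothing; OpenSSL 3.0 defaults to named-curve encoding, so the exported key should be unchanged, but comparing a key produced by the previous build against one from this build would confirm it before merging. Both functions are fully contained in the hunk.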
@@ -1,26 +1,38 @@
 /*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include
 #include
 #include "debug.h"
 #include "key.h"
+#include
+#include
 #define BUFFER_SIZE 256
+static int get_algorithm_nid(int hash_alg)
+{
+ int nids[] = {NID_sha256, NID_sha384, NID_sha512};
+ if (hash_alg < 0 || hash_alg >= sizeof(nids) / sizeof(*nids)) {
+ return NID_undef;
+ }
+ return nids[hash_alg];
+}
+
 int sha_file(int md_alg, const char *filename, unsigned char *md)
 {
 FILE *inFile;
- SHA256_CTX shaContext;
- SHA512_CTX sha512Context;
+ EVP_MD_CTX *mdctx;
+ const EVP_MD *md_type;
 int bytes;
+ int alg_nid;
+ unsigned int total_bytes;
 unsigned char data[BUFFER_SIZE];
 if ((filename == NULL) || (md == NULL)) {
- ERROR("%s(): NULL argument\n", __FUNCTION__);
+ ERROR("%s(): NULL argument\n", __func__);
 return 0;
 }
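Review bot: get_algorithm_nid ties the HASH_ALG_* values to array positions by implicit ordering, so a reordering of that enum (declared in a header not shown here) would silently select a different digest than the caller asked for; designated initialisers make the mapping explicit and self-checking: `static const int nids[] = { [HASH_ALG_SHA256] = NID_sha256, [HASH_ALG_SHA384] = NID_sha384, [HASH_ALG_SHA512] = NID_sha512 };`. The bounds test `hash_alg >= sizeof(nids) / sizeof(*nids)` compares int against size_t and trips -Wsign-compare; with the negative case already rejected on the same line, `(size_t)hash_alg >= sizeof(nids) / sizeof(*nids)` is the clean form. The two added `#include` lines have lost their header names in this rendering, so I cannot verify that the EVP_* functions and the NID_* constants used below are both declared by what is pulled in. sha_file's body continues in the next hunk.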
@@ -30,26 +42,37 @@ int sha_file(int md_alg, const char *filename, unsigned char *md)
 return 0;
 }
- if (md_alg == HASH_ALG_SHA384) {
- SHA384_Init(&sha512Context);
- while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
- SHA384_Update(&sha512Context, data, bytes);
- }
- SHA384_Final(md, &sha512Context);
- } else if (md_alg == HASH_ALG_SHA512) {
- SHA512_Init(&sha512Context);
- while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
- SHA512_Update(&sha512Context, data, bytes);
- }
- SHA512_Final(md, &sha512Context);
- } else {
- SHA256_Init(&shaContext);
- while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
- SHA256_Update(&shaContext, data, bytes);
- }
- SHA256_Final(md, &shaContext);
+ mdctx = EVP_MD_CTX_new();
+ if (mdctx == NULL) {
+ fclose(inFile);
+ ERROR("%s(): Could not create EVP MD context\n", __func__);
+ return 0;
 }
+ alg_nid = get_algorithm_nid(md_alg);
+ if (alg_nid == NID_undef) {
+ ERROR("%s(): Invalid hash algorithm\n", __func__);
+ goto err;
+ }
+
+ md_type = EVP_get_digestbynid(alg_nid);
+ if (EVP_DigestInit_ex(mdctx, md_type, NULL) == 0) {
+ ERROR("%s(): Could not initialize EVP MD digest\n", __func__);
+ goto err;
+ }
+
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ EVP_DigestUpdate(mdctx, data, bytes);
+ }
+ EVP_DigestFinal_ex(mdctx, md, &total_bytes);
 fclose(inFile);
+ EVP_MD_CTX_free(mdctx);
 return 1;
+
+err:
+ fclose(inFile);
+ EVP_MD_CTX_free(mdctx);
+ return 0;
 }
+
diff --git a/tools/encrypt_fw/Makefile b/tools/encrypt_fw/Makefile
index 96dff2324..60bd8ea74 100644
--- a/tools/encrypt_fw/Makefile
+++ b/tools/encrypt_fw/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019-2020, Linaro Limited. All rights reserved.
+# Copyright (c) 2019-2022, Linaro Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
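Review bot: The return values of `EVP_DigestUpdate` and `EVP_DigestFinal_ex` are ignored in the new read loop, and a read error from fread is indistinguishable from end-of-file, so a failure on either path makes sha_file report success with a wrong or partial digest in `md`; for a tool whose hashes end up in image certificates that is a silent integrity failure rather than a build error. Both EVP calls return 0 on failure and the hunk already provides the `err:` cleanup path, so the checks cost three lines each, and `ferror(inFile)` after the loop covers the short-read case. `md_type` from `EVP_get_digestbynid` is not checked for NULL either; EVP_DigestInit_ex should fail on a NULL digest, but an explicit check gives a clearer message than the generic one. The trailing `+` at the end of the hunk adds an empty line at end of file, which most style checkers flag. sha_file's declarations and argument checks are in the previous hunk.
```c
	while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
		if (EVP_DigestUpdate(mdctx, data, bytes) == 0) {
			ERROR("%s(): Could not update EVP MD digest\n", __func__);
			goto err;
		}
	}
	if (ferror(inFile)) {
		ERROR("%s(): Error reading %s\n", __func__, filename);
		goto err;
	}
	if (EVP_DigestFinal_ex(mdctx, md, &total_bytes) == 0) {
		ERROR("%s(): Could not finalize EVP MD digest\n", __func__);
		goto err;
	}
	/* … unchanged: fclose(inFile), EVP_MD_CTX_free(mdctx), return 1, err: cleanup … */
```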
@@ -39,7 +39,14 @@ endif
 # Make soft links and include from local directory otherwise wrong headers
 # could get pulled in from firmware tree.
 INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include
-LIB_DIR := -L ${OPENSSL_DIR}/lib
+
 # Include library directories where OpenSSL library files are located.
 # For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or
 # /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/
 # directory. However, for a local build of OpenSSL, the built binaries are
 # located under the main project directory (i.e.: ${OPENSSL_DIR}, not
 # ${OPENSSL_DIR}/lib/).
+LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}
 LIB := -lssl -lcrypto
 HOSTCC ?= gcc
diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
index 7c2a08379..e6aeba95b 100644
--- a/tools/fiptool/Makefile
+++ b/tools/fiptool/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014-2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2014-2022, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -22,7 +22,14 @@ ifeq (${DEBUG},1)
 else
 HOSTCCFLAGS += -O2
 endif
-LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
+
 # Include library directories where OpenSSL library files are located.
 # For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or
 # /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/
 # directory. However, for a local build of OpenSSL, the built binaries are
 # located under the main project directory (i.e.: ${OPENSSL_DIR}, not
 # ${OPENSSL_DIR}/lib/).
+LDLIBS := -L${OPENSSL_DIR}/lib -L${OPENSSL_DIR} -lcrypto
 ifeq (${V},0)
 Q := @