On Tue, 7 May 2024 at 20:54, Raymond Mao <raymond....@linaro.org> wrote:
>
> Adapt digest header files to support both original libs and MbedTLS
> by switching on/off MBEDTLS_LIB_CRYPTO
>
> FIXME:
> `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
> including <linux/kconfig.h> causes undefined reference on schedule()
> with sandbox build.
> As <linux/kconfig.h> includes <generated/autoconf.h> which enables
> `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are
> defined in sandbox build.
> `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround.
>
> Signed-off-by: Raymond Mao <raymond....@linaro.org>
> ---
> Changes in v2
> - Initial patch.
>
> include/u-boot/md5.h | 17 ++++++++++++-----
> include/u-boot/sha1.h | 21 ++++++++++++++++++++-
> include/u-boot/sha256.h | 20 ++++++++++++++++++++
> include/u-boot/sha512.h | 22 +++++++++++++++++++---
> lib/Makefile | 6 +++++-
> 5 files changed, 76 insertions(+), 10 deletions(-)
>
> diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
> index d61364c0ae3..3cfd33a8e56 100644
> --- a/include/u-boot/md5.h
> +++ b/include/u-boot/md5.h
> @@ -6,22 +6,29 @@
> #ifndef _MD5_H
> #define _MD5_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <external/mbedtls/include/mbedtls/md5.h>
> +#endif
> #include "compiler.h"
>
> #define MD5_SUM_LEN 16
>
> -struct MD5Context {
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_md5_context MD5Context;
> +#else
> +typedef struct MD5Context {
> __u32 buf[4];
> __u32 bits[2];
> union {
> unsigned char in[64];
> __u32 in32[16];
> };
> -};
> +} MD5Context;
> +#endif
>
> -void MD5Init(struct MD5Context *ctx);
> -void MD5Update(struct MD5Context *ctx, unsigned char const *buf, unsigned
> len);
> -void MD5Final(unsigned char digest[16], struct MD5Context *ctx);
> +void MD5Init(MD5Context *ctx);
> +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
> +void MD5Final(unsigned char digest[16], MD5Context *ctx);
>
> /*
> * Calculate and store in 'output' the MD5 digest of 'len' bytes at
> diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
> index 09fee594d26..ee46fe947a0 100644
> --- a/include/u-boot/sha1.h
> +++ b/include/u-boot/sha1.h
> @@ -14,6 +14,21 @@
> #ifndef _SHA1_H
> #define _SHA1_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#include <external/mbedtls/include/mbedtls/sha1.h>
> +#endif
> +
> #ifdef __cplusplus
> extern "C" {
> #endif
> @@ -24,6 +39,9 @@ extern "C" {
>
> extern const uint8_t sha1_der_prefix[];
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha1_context sha1_context;
> +#else
> /**
> * \brief SHA-1 context structure
> */
> @@ -34,13 +52,14 @@ typedef struct
> unsigned char buffer[64]; /*!< data block being processed */
> }
> sha1_context;
> +#endif
>
> /**
> * \brief SHA-1 context setup
> *
> * \param ctx SHA-1 context to be initialized
> */
> -void sha1_starts( sha1_context *ctx );
> +void sha1_starts(sha1_context *ctx);
>
> /**
> * \brief SHA-1 process buffer
> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
> index 9aa1251789a..e2b7fdd41c8 100644
> --- a/include/u-boot/sha256.h
> +++ b/include/u-boot/sha256.h
> @@ -1,6 +1,22 @@
> #ifndef _SHA256_H
> #define _SHA256_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
'be able to access.'
Isn't the MBEDTLS_ALLOW_PRIVATE_ACCESS considered deprecated?
I'd prefer if we fix this properly.
Thanks
/Ilias
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#include <external/mbedtls/include/mbedtls/sha256.h>
> +#endif
> +
> +#define SHA224_SUM_LEN 28
> #define SHA256_SUM_LEN 32
> #define SHA256_DER_LEN 19
>
> @@ -9,11 +25,15 @@ extern const uint8_t sha256_der_prefix[];
> /* Reset watchdog each time we process this many bytes */
> #define CHUNKSZ_SHA256 (64 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha256_context sha256_context;
> +#else
> typedef struct {
> uint32_t total[2];
> uint32_t state[8];
> uint8_t buffer[64];
> } sha256_context;
> +#endif
>
> void sha256_starts(sha256_context * ctx);
> void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t
> length);
> diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
> index 516729d7750..a0c0de89d60 100644
> --- a/include/u-boot/sha512.h
> +++ b/include/u-boot/sha512.h
> @@ -1,6 +1,10 @@
> #ifndef _SHA512_H
> #define _SHA512_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <external/mbedtls/include/mbedtls/sha512.h>
> +#endif
> +
> #define SHA384_SUM_LEN 48
> #define SHA384_DER_LEN 19
> #define SHA512_SUM_LEN 64
> @@ -10,11 +14,16 @@
> #define CHUNKSZ_SHA384 (16 * 1024)
> #define CHUNKSZ_SHA512 (16 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha512_context sha384_context;
> +typedef mbedtls_sha512_context sha512_context;
> +#else
> typedef struct {
> uint64_t state[SHA512_SUM_LEN / 8];
> uint64_t count[2];
> uint8_t buf[SHA512_BLOCK_SIZE];
> } sha512_context;
> +#endif
>
> extern const uint8_t sha512_der_prefix[];
>
> @@ -27,12 +36,19 @@ void sha512_csum_wd(const unsigned char *input, unsigned
> int ilen,
>
> extern const uint8_t sha384_der_prefix[];
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +void sha384_starts(sha512_context *ctx);
> +void
> +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length);
> +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]);
> +void sha384_csum_wd(const unsigned char *input, unsigned int length,
> + unsigned char *output, unsigned int chunk_sz);
> +#else
> void sha384_starts(sha512_context * ctx);
> void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t
> length);
> void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]);
>
> void sha384_csum_wd(const unsigned char *input, unsigned int ilen,
> - unsigned char *output, unsigned int chunk_sz);
> -
> -
> + unsigned char *output, unsigned int chunk_sz);
> +#endif
> #endif /* _SHA512_H */
> diff --git a/lib/Makefile b/lib/Makefile
> index a4600b09f49..3534b3301ae 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -69,14 +69,18 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o
> obj-y += crypto/
>
> obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
> -obj-$(CONFIG_$(SPL_)MD5) += md5.o
> obj-$(CONFIG_ECDSA) += ecdsa/
> obj-$(CONFIG_$(SPL_)RSA) += rsa/
> obj-$(CONFIG_HASH) += hash-checksum.o
> obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
> +
> +ifneq ($(CONFIG_MBEDTLS_LIB_CRYPTO), y)
> +obj-$(CONFIG_$(SPL_)MD5) += md5.o
> obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
> obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
> obj-$(CONFIG_$(SPL_)SHA512) += sha512.o
> +endif
> +
> obj-$(CONFIG_CRYPT_PW) += crypt/
> obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
>
> --
> 2.25.1
>
