mbedtls: access mbedtls private members in mscode and pkcs7 parser

U-Boot requires to access x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context in the porting layer, and this requires to enable MBEDTLS_ALLOW_PRIVATE_ACCESS. Enable it to mscode and pkcs7_parser to fix a mbedtls internal building error when X509 is selected. Moreover, Move it to a separate file to avoid enabling it in multiple places. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2025-02-03 14:08:13 -08:00
parent 47f6c36d2d
commit 8fb478b7c4
6 changed files with 61 additions and 28 deletions
--- a/include/crypto/mscode.h
+++ b/include/crypto/mscode.h
@@ -10,6 +10,7 @@
 #include <crypto/hash_info.h>
 #endif
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include "mbedtls_options.h"
 #include <mbedtls/asn1.h>
 #include <mbedtls/oid.h>
 #endif
--- a/include/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -12,6 +12,7 @@
 #include <crypto/pkcs7.h>
 #include <crypto/x509_parser.h>
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include "mbedtls_options.h"
 #include <mbedtls/pkcs7.h>
 #include <library/x509_internal.h>
 #include <mbedtls/asn1.h>
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -14,20 +14,11 @@
 #ifndef _SHA1_H
 #define _SHA1_H

+#include <linux/kconfig.h>
 #include <linux/types.h>

-#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
-/*
- * FIXME:
- * MbedTLS define the members of "mbedtls_sha256_context" as private,
- * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
- * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
- * access.
- * Directly including <external/mbedtls/library/common.h> is not allowed,
- * since this will include <malloc.h> and break the sandbox test.
- */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
+#include "mbedtls_options.h"
 #include <mbedtls/sha1.h>
 #endif

@@ -47,7 +38,7 @@ extern "C" {

 extern const uint8_t sha1_der_prefix[];

-#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
 typedef mbedtls_sha1_context sha1_context;
 #else
 /**
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -1,20 +1,13 @@
 #ifndef _SHA256_H
 #define _SHA256_H

+#include <linux/compiler_attributes.h>
+#include <linux/errno.h>
+#include <linux/kconfig.h>
 #include <linux/types.h>

-#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
-/*
- * FIXME:
- * MbedTLS define the members of "mbedtls_sha256_context" as private,
- * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
- * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
- * access.
- * Directly including <external/mbedtls/library/common.h> is not allowed,
- * since this will include <malloc.h> and break the sandbox test.
- */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
+#include "mbedtls_options.h"
 #include <mbedtls/sha256.h>
 #endif

@@ -27,7 +20,7 @@ extern const uint8_t sha256_der_prefix[];
 /* Reset watchdog each time we process this many bytes */
 #define CHUNKSZ_SHA256	(64 * 1024)

-#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
 typedef mbedtls_sha256_context sha256_context;
 #else
 typedef struct {
@@ -44,4 +37,26 @@ void sha256_finish(sha256_context * ctx, uint8_t digest[SHA256_SUM_LEN]);
 void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
 		unsigned char *output, unsigned int chunk_sz);

+int sha256_hmac(const unsigned char *key, int keylen,
+		const unsigned char *input, unsigned int ilen,
+		unsigned char *output);
+
+#if CONFIG_IS_ENABLED(HKDF_MBEDTLS)
+int sha256_hkdf(const unsigned char *salt, int saltlen,
+		const unsigned char *ikm, int ikmlen,
+		const unsigned char *info, int infolen,
+		unsigned char *output, int outputlen);
+#else
+static inline int sha256_hkdf(const unsigned char __always_unused *salt,
+			      int __always_unused saltlen,
+			      const unsigned char __always_unused *ikm,
+			      int __always_unused ikmlen,
+			      const unsigned char __always_unused *info,
+			      int __always_unused infolen,
+			      unsigned char __always_unused *output,
+			      int __always_unused outputlen) {
+	return -EOPNOTSUPP;
+}
+#endif
+
 #endif /* _SHA256_H */
--- a/lib/mbedtls/port/mbedtls_options.h
+++ b/lib/mbedtls/port/mbedtls_options.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Internal build options for MbedTLS
+ *
+ * Copyright (c) 2025 Linaro Limited
+ * Author: Raymond Mao <raymond.mao@linaro.org>
+ */
+
+#ifndef _MBEDTLS_OPT_H
+#define _MBEDTLS_OPT_H
+
+/*
+ * FIXME:
+ * U-Boot/MbedTLS port requires to access a few of members which are defined
+ * as private in MbedTLS context.
+ * E.g: x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access, but directly including <external/mbedtls/library/common.h> is not
+ * allowed, since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#endif /* _MBEDTLS_OPT_H */
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -312,14 +312,16 @@ void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
 		  unsigned char *output, unsigned int chunk_sz)
 {
 	sha1_context ctx;
-#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
+#if !defined(USE_HOSTCC) && \
+    (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG))
 	const unsigned char *end, *curr;
 	int chunk;
 #endif

 	sha1_starts (&ctx);

-#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
+#if !defined(USE_HOSTCC) && \
+    (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG))
 	curr = input;
 	end = input + ilen;
 	while (curr < end) {