[PATCH v4 08/29] hash: integrate hash on mbedtls
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Jul 3 10:56:05 CEST 2024
Hi Raymond
On Tue, 2 Jul 2024 at 21:27, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Integrate common/hash.c on the hash shim layer so that hash APIs
> from mbedtls can be leveraged by boot/image and efi_loader.
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in v2
> - Use the original head files instead of creating new ones.
> Changes in v3
> - Add handle checkers for malloc.
> Changes in v4
> - None.
>
> common/hash.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 143 insertions(+)
>
> diff --git a/common/hash.c b/common/hash.c
> index ac63803fed9..96caf074374 100644
> --- a/common/hash.c
> +++ b/common/hash.c
> @@ -35,6 +35,141 @@
> #include <u-boot/sha512.h>
> #include <u-boot/md5.h>
>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
> +
> +static int hash_init_sha1(struct hash_algo *algo, void **ctxp)
> +{
> + int ret;
> + mbedtls_sha1_context *ctx = malloc(sizeof(mbedtls_sha1_context));
> +
> + if (!ctx)
> + return -ENOMEM;
> +
> + mbedtls_sha1_init(ctx);
> + ret = mbedtls_sha1_starts(ctx);
> + if (!ret) {
> + *ctxp = ctx;
> + } else {
> + mbedtls_sha1_free(ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +static int hash_update_sha1(struct hash_algo *algo, void *ctx, const void *buf,
> + unsigned int size, int is_last)
> +{
> + return mbedtls_sha1_update((mbedtls_sha1_context *)ctx, buf, size);
> +}
> +
> +static int
> +hash_finish_sha1(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
> +{
> + int ret;
> +
> + if (size < algo->digest_size)
> + return -1;
> +
> + ret = mbedtls_sha1_finish((mbedtls_sha1_context *)ctx, dest_buf);
> + if (!ret) {
> + mbedtls_sha1_free((mbedtls_sha1_context *)ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +static int hash_init_sha256(struct hash_algo *algo, void **ctxp)
> +{
> + int ret;
> + int is224 = algo->digest_size == SHA224_SUM_LEN ? 1 : 0;
> + mbedtls_sha256_context *ctx = malloc(sizeof(mbedtls_sha256_context));
I prefer sizeof(*ctx) on all the allocations. Also since it's a crypto
stack I prefer a calloc (sha384 for example will allocate more bytes)
> +
> + if (!ctx)
> + return -ENOMEM;
> +
> + mbedtls_sha256_init(ctx);
> + ret = mbedtls_sha256_starts(ctx, is224);
> + if (!ret) {
> + *ctxp = ctx;
> + } else {
> + mbedtls_sha256_free(ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +static int hash_update_sha256(struct hash_algo *algo, void *ctx, const void *buf,
> + uint size, int is_last)
> +{
> + return mbedtls_sha256_update((mbedtls_sha256_context *)ctx, buf, size);
> +}
> +
> +static int
> +hash_finish_sha256(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
> +{
> + int ret;
> +
> + if (size < algo->digest_size)
> + return -1;
> +
> + ret = mbedtls_sha256_finish((mbedtls_sha256_context *)ctx, dest_buf);
> + if (!ret) {
> + mbedtls_sha256_free((mbedtls_sha256_context *)ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +static int hash_init_sha512(struct hash_algo *algo, void **ctxp)
> +{
> + int ret;
> + int is384 = algo->digest_size == SHA384_SUM_LEN ? 1 : 0;
> + mbedtls_sha512_context *ctx = malloc(sizeof(mbedtls_sha512_context));
> +
> + if (!ctx)
> + return -ENOMEM;
> +
> + mbedtls_sha512_init(ctx);
> + ret = mbedtls_sha512_starts(ctx, is384);
> + if (!ret) {
> + *ctxp = ctx;
> + } else {
> + mbedtls_sha512_free(ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +static int hash_update_sha512(struct hash_algo *algo, void *ctx, const void *buf,
> + uint size, int is_last)
> +{
> + return mbedtls_sha512_update((mbedtls_sha512_context *)ctx, buf, size);
> +}
> +
> +static int
> +hash_finish_sha512(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
> +{
> + int ret;
> +
> + if (size < algo->digest_size)
> + return -1;
> +
> + ret = mbedtls_sha512_finish((mbedtls_sha512_context *)ctx, dest_buf);
> + if (!ret) {
> + mbedtls_sha512_free((mbedtls_sha512_context *)ctx);
> + free(ctx);
> + }
> +
> + return ret;
> +}
> +
> +#else /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */
> +
> static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void **ctxp)
> {
> sha1_context *ctx = malloc(sizeof(sha1_context));
> @@ -143,6 +278,8 @@ static int __maybe_unused hash_finish_sha512(struct hash_algo *algo, void *ctx,
> return 0;
> }
>
> +#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */
> +
> static int hash_init_crc16_ccitt(struct hash_algo *algo, void **ctxp)
> {
> uint16_t *ctx = malloc(sizeof(uint16_t));
> @@ -267,10 +404,16 @@ static struct hash_algo hash_algo[] = {
> .hash_init = hw_sha_init,
> .hash_update = hw_sha_update,
> .hash_finish = hw_sha_finish,
> +#else
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
> + .hash_init = hash_init_sha512,
> + .hash_update = hash_update_sha512,
> + .hash_finish = hash_finish_sha512,
I don't have strong opinion here, but you could alternatively define
sha384 wrappers for mbedTLS and avoid this ifdef.
In any case I personally don't mind.
> #else
> .hash_init = hash_init_sha384,
> .hash_update = hash_update_sha384,
> .hash_finish = hash_finish_sha384,
> +#endif
> #endif
> },
> #endif
> --
> 2.25.1
>
More information about the U-Boot
mailing list