diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/efi_loader/Kconfig | 1 | ||||
| -rw-r--r-- | lib/efi_loader/efi_boottime.c | 2 | ||||
| -rw-r--r-- | lib/efi_loader/efi_memory.c | 15 | ||||
| -rw-r--r-- | lib/efi_loader/efi_tcg2.c | 5 | ||||
| -rw-r--r-- | lib/lmb.c | 22 | ||||
| -rw-r--r-- | lib/lwip/Makefile | 3 | ||||
| -rw-r--r-- | lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 49 | ||||
| -rw-r--r-- | lib/lwip/lwip/src/core/tcp_out.c | 8 | ||||
| -rw-r--r-- | lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 | ||||
| -rw-r--r-- | lib/lwip/u-boot/arch/cc.h | 5 | ||||
| -rw-r--r-- | lib/lwip/u-boot/lwipopts.h | 6 | ||||
| -rw-r--r-- | lib/mbedtls/Kconfig | 12 | ||||
| -rw-r--r-- | lib/mbedtls/Makefile | 31 | ||||
| -rw-r--r-- | lib/mbedtls/mbedtls_def_config.h | 52 | ||||
| -rw-r--r-- | lib/rsa/rsa-sign.c | 9 | ||||
| -rw-r--r-- | lib/strto.c | 5 | ||||
| -rw-r--r-- | lib/tiny-printf.c | 2 | ||||
| -rw-r--r-- | lib/tpm-v2.c | 2 | ||||
| -rw-r--r-- | lib/uuid.c | 5 | ||||
| -rw-r--r-- | lib/vsprintf.c | 2 |
20 files changed, 185 insertions, 53 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 58d49789f12..d93f28b8422 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -481,7 +481,6 @@ endmenu menu "Misc options" config EFI_LOADER_BOUNCE_BUFFER bool "EFI Applications use bounce buffers for DMA operations" - depends on ARM64 help Some hardware does not support DMA to full 64bit addresses. For this hardware we can create a bounce buffer so that payloads don't have to diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 4f52284b4c6..080e7f78ae3 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2234,7 +2234,7 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, if (IS_ENABLED(CONFIG_USB_DEVICE)) udc_disconnect(); board_quiesce_devices(); - dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL); + dm_remove_devices_active(); } /* Patch out unsupported runtime function */ diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c index d2f5d563f2a..e493934c713 100644 --- a/lib/efi_loader/efi_memory.c +++ b/lib/efi_loader/efi_memory.c @@ -451,7 +451,7 @@ efi_status_t efi_allocate_pages(enum efi_allocate_type type, enum efi_memory_type memory_type, efi_uintn_t pages, uint64_t *memory) { - u64 len; + u64 efi_addr, len; uint flags; efi_status_t ret; phys_addr_t addr; @@ -499,14 +499,17 @@ efi_status_t efi_allocate_pages(enum efi_allocate_type type, return EFI_INVALID_PARAMETER; } - addr = (u64)(uintptr_t)map_sysmem(addr, 0); + efi_addr = (u64)(uintptr_t)map_sysmem(addr, 0); /* Reserve that map in our memory maps */ - ret = efi_add_memory_map_pg(addr, pages, memory_type, true); - if (ret != EFI_SUCCESS) + ret = efi_add_memory_map_pg(efi_addr, pages, memory_type, true); + if (ret != EFI_SUCCESS) { /* Map would overlap, bail out */ + lmb_free_flags(addr, (u64)pages << EFI_PAGE_SHIFT, flags); + unmap_sysmem((void *)(uintptr_t)efi_addr); return EFI_OUT_OF_RESOURCES; + } - *memory = addr; + *memory = efi_addr; return EFI_SUCCESS; } @@ -546,6 +549,8 @@ efi_status_t efi_free_pages(uint64_t memory, efi_uintn_t pages) if (status) return EFI_NOT_FOUND; + unmap_sysmem((void *)(uintptr_t)memory); + return ret; } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 866a529857e..572c6b5bf63 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -607,12 +607,9 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, * Format" */ if (flags & PE_COFF_IMAGE) { - IMAGE_NT_HEADERS32 *nt; - ret = efi_check_pe((void *)(uintptr_t)data_to_hash, - data_to_hash_len, (void **)&nt); + data_to_hash_len, NULL); if (ret != EFI_SUCCESS) { - log_err("Not a valid PE-COFF file\n"); ret = EFI_UNSUPPORTED; goto out; } diff --git a/lib/lmb.c b/lib/lmb.c index 74ffa9f9272..14b9b8466ff 100644 --- a/lib/lmb.c +++ b/lib/lmb.c @@ -481,16 +481,22 @@ static int lmb_map_update_notify(phys_addr_t addr, phys_size_t size, u8 op, static void lmb_print_region_flags(enum lmb_flags flags) { - u64 bitpos; const char *flag_str[] = { "none", "no-map", "no-overwrite", "no-notify" }; + unsigned int pflags = flags & + (LMB_NOMAP | LMB_NOOVERWRITE | LMB_NONOTIFY); + + if (flags != pflags) { + printf("invalid %#x\n", flags); + return; + } do { - bitpos = flags ? fls(flags) - 1 : 0; - assert_noisy(bitpos < ARRAY_SIZE(flag_str)); + int bitpos = pflags ? fls(pflags) - 1 : 0; + printf("%s", flag_str[bitpos]); - flags &= ~(1ull << bitpos); - puts(flags ? ", " : "\n"); - } while (flags); + pflags &= ~(1u << bitpos); + puts(pflags ? ", " : "\n"); + } while (pflags); } static void lmb_dump_region(struct alist *lmb_rgn_lst, char *name) @@ -500,7 +506,7 @@ static void lmb_dump_region(struct alist *lmb_rgn_lst, char *name) enum lmb_flags flags; int i; - printf(" %s.count = 0x%x\n", name, lmb_rgn_lst->count); + printf(" %s.count = %#x\n", name, lmb_rgn_lst->count); for (i = 0; i < lmb_rgn_lst->count; i++) { base = rgn[i].base; @@ -508,7 +514,7 @@ static void lmb_dump_region(struct alist *lmb_rgn_lst, char *name) end = base + size - 1; flags = rgn[i].flags; - printf(" %s[%d]\t[0x%llx-0x%llx], 0x%08llx bytes flags: ", + printf(" %s[%d]\t[%#llx-%#llx], %#llx bytes, flags: ", name, i, base, end, size); lmb_print_region_flags(flags); } diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile index dfcd700ca47..19e5c6897f5 100644 --- a/lib/lwip/Makefile +++ b/lib/lwip/Makefile @@ -53,3 +53,6 @@ obj-y += \ lwip/src/core/timeouts.o \ lwip/src/core/udp.o \ lwip/src/netif/ethernet.o + +obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \ + lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index a8c2fc2ee2c..6643b05ee94 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -70,7 +70,6 @@ /* @todo: which includes are really needed? */ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" -#include "mbedtls/certs.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" @@ -81,8 +80,6 @@ #include "mbedtls/ssl_cache.h" #include "mbedtls/ssl_ticket.h" -#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */ - #include <string.h> #ifndef ALTCP_MBEDTLS_ENTROPY_PTR @@ -109,6 +106,7 @@ struct altcp_tls_config { u8_t pkey_count; u8_t pkey_max; mbedtls_x509_crt *ca; + char host[256]; #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE /** Inter-connection cache for fast connection startup */ struct mbedtls_ssl_cache_context cache; @@ -132,6 +130,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state); static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size); +static void +altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state) +{ + if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) { + int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0); + if (flushed) { + LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed)); + } + } +} /* callback functions from inner/lower connection: */ @@ -524,14 +532,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len) LWIP_ASSERT("state", state != NULL); LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn); /* calculate TLS overhead part to not send it to application */ - overhead = state->overhead_bytes_adjust + state->ssl_context.out_left; + overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left); if ((unsigned)overhead > len) { overhead = len; } /* remove ACKed bytes from overhead adjust counter */ state->overhead_bytes_adjust -= len; /* try to send more if we failed before (may increase overhead adjust counter) */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); /* remove calculated overhead from ACKed bytes len */ app_len = len - (u16_t)overhead; /* update application write counter and inform application */ @@ -559,7 +567,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn) if (conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; /* try to send more if we failed before */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) { return ERR_ABRT; } @@ -635,6 +643,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_ /* tell mbedtls about our I/O functions */ mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL); + mbedtls_ssl_set_hostname(&state->ssl_context, config->host); altcp_mbedtls_setup_callbacks(conn, inner_conn); conn->inner_conn = inner_conn; conn->fns = &altcp_mbedtls_functions; @@ -683,7 +692,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session) if (session && conn && conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; int ret = -1; - if (session->data.start) + if (session->data.MBEDTLS_PRIVATE(start)) ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data); return ret < 0 ? ERR_VAL : ERR_OK; } @@ -776,7 +785,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav struct altcp_tls_config *conf; mbedtls_x509_crt *mem; - if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) { + if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, ("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n")); } @@ -900,7 +909,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config, return ERR_VAL; } - ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret)); mbedtls_x509_crt_free(srvcert); @@ -944,7 +953,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_ } static struct altcp_tls_config * -altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth) +altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char *host) { int ret; struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL); @@ -966,13 +975,15 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL); } + strlcpy(conf->host, host, sizeof(conf->host)); + return conf; } struct altcp_tls_config * -altcp_tls_create_config_client(const u8_t *ca, size_t ca_len) +altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char *host) { - return altcp_tls_create_config_client_common(ca, ca_len, 0); + return altcp_tls_create_config_client_common(ca, ca_len, 0, host); } struct altcp_tls_config * @@ -988,7 +999,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ return NULL; } - conf = altcp_tls_create_config_client_common(ca, ca_len, 1); + conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL); if (conf == NULL) { return NULL; } @@ -1003,7 +1014,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ } mbedtls_pk_init(conf->pkey); - ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret)); altcp_tls_free_config(conf); @@ -1189,7 +1200,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn) size_t ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /* @todo: adjust ssl_added to real value related to negotiated cipher */ - size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context); + size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context); max_len = LWIP_MIN(max_frag_len, max_len); #endif /* Adjust sndbuf of inner_conn with what added by SSL */ @@ -1232,9 +1243,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t /* HACK: if there is something left to send, try to flush it and only allow sending more if this succeeded (this is a hack because neither returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */ - if (state->ssl_context.out_left) { - mbedtls_ssl_flush_output(&state->ssl_context); - if (state->ssl_context.out_left) { + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { + altcp_mbedtls_flush_output(state); + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { return ERR_MEM; } } @@ -1284,6 +1295,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size) while (size_left) { u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF); err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags); + /* try to send data... */ + altcp_output(conn->inner_conn); if (err == ERR_OK) { written += write_len; size_left -= write_len; diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c index 64579ee5cbd..6dbc5f96b60 100644 --- a/lib/lwip/lwip/src/core/tcp_out.c +++ b/lib/lwip/lwip/src/core/tcp_out.c @@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb) LWIP_ASSERT("don't call tcp_output for listen-pcbs", pcb->state != LISTEN); - /* First, check if we are invoked by the TCP input processing - code. If so, we do not output anything. Instead, we rely on the - input processing code to call us when input processing is done - with. */ - if (tcp_input_pcb == pcb) { - return ERR_OK; - } - wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd); seg = pcb->unsent; diff --git a/lib/lwip/lwip/src/include/lwip/altcp_tls.h b/lib/lwip/lwip/src/include/lwip/altcp_tls.h index fcb784d89d7..fb061823448 100644 --- a/lib/lwip/lwip/src/include/lwip/altcp_tls.h +++ b/lib/lwip/lwip/src/include/lwip/altcp_tls.h @@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle */ -struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len); +struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char *host); /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle with two-way server/client authentication diff --git a/lib/lwip/u-boot/arch/cc.h b/lib/lwip/u-boot/arch/cc.h index 563d3bfa98b..de138846358 100644 --- a/lib/lwip/u-boot/arch/cc.h +++ b/lib/lwip/u-boot/arch/cc.h @@ -29,8 +29,9 @@ #define LWIP_DONT_PROVIDE_BYTEORDER_FUNCTIONS -#define LWIP_PLATFORM_ASSERT(x) do {printf("Assertion \"%s\" failed at line %d in %s\n", \ - x, __LINE__, __FILE__); } while (0) +#define LWIP_PLATFORM_ASSERT(x) do { \ + printf("Assertion \"%s\" failed at line %d in %s\n", \ + x, __LINE__, __FILE__); } while (0) #define atoi(str) (int)dectoul(str, NULL) #define lwip_strnstr(a, b, c) strstr(a, b) diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h index 9d618625fac..88d6faf327a 100644 --- a/lib/lwip/u-boot/lwipopts.h +++ b/lib/lwip/u-boot/lwipopts.h @@ -154,4 +154,10 @@ #define MEMP_MEM_INIT 1 #define MEM_LIBC_MALLOC 1 +#if defined(CONFIG_MBEDTLS_LIB_TLS) +#define LWIP_ALTCP 1 +#define LWIP_ALTCP_TLS 1 +#define LWIP_ALTCP_TLS_MBEDTLS 1 +#endif + #endif /* LWIP_UBOOT_LWIPOPTS_H */ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index d71adc3648a..78167ffa252 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -430,4 +430,16 @@ endif # SPL endif # MBEDTLS_LIB_X509 +config MBEDTLS_LIB_TLS + bool "MbedTLS TLS library" + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS + depends on X509_CERTIFICATE_PARSER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on ASN1_DECODER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on MBEDTLS_LIB_CRYPTO + help + Enable MbedTLS TLS library. Required for HTTPs support + in wget + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 83cb3c2fa70..ce0a61e4054 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \ $(MBEDTLS_LIB_DIR)/md.o + mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ @@ -54,3 +55,33 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o + +#mbedTLS TLS support +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o +mbedtls_lib_tls-y := \ + $(MBEDTLS_LIB_DIR)/mps_reader.o \ + $(MBEDTLS_LIB_DIR)/mps_trace.o \ + $(MBEDTLS_LIB_DIR)/net_sockets.o \ + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ + $(MBEDTLS_LIB_DIR)/ssl_client.o \ + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ + $(MBEDTLS_LIB_DIR)/entropy.o \ + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ + $(MBEDTLS_LIB_DIR)/aes.o \ + $(MBEDTLS_LIB_DIR)/cipher.o \ + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ + $(MBEDTLS_LIB_DIR)/ecdh.o \ + $(MBEDTLS_LIB_DIR)/ecdsa.o \ + $(MBEDTLS_LIB_DIR)/ecp.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ + $(MBEDTLS_LIB_DIR)/gcm.o \ diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index 1af911c2003..d27f017d084 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -87,4 +87,56 @@ #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ +#if IS_ENABLED(CONFIG_MBEDTLS_LIB_TLS) +#include "rtc.h" + +/* Generic options */ +#define MBEDTLS_ENTROPY_HARDWARE_ALT +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_PLATFORM_MS_TIME_ALT +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_MD_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_AES_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + +/* RSA */ +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#define MBEDTLS_GCM_C + +/* ECDSA */ +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_CAN_ECDH +#define MBEDTLS_PK_CAN_ECDSA_SIGN +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED + +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ + #endif /* #if defined CONFIG_MBEDTLS_LIB */ diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 2304030e32f..fa9e143b4ca 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -428,6 +428,15 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, ret = rsa_err("Signer padding setup failed"); goto err_sign; } + + /* Per RFC 3447 (and convention) the Typical salt length is the + * length of the output of the digest algorithm. + */ + if (EVP_PKEY_CTX_set_rsa_pss_saltlen(ckey, + checksum_algo->checksum_len) <= 0) { + ret = rsa_err("Signer salt length setup failed"); + goto err_sign; + } } for (i = 0; i < region_count; i++) { diff --git a/lib/strto.c b/lib/strto.c index f83ac67c666..206d1e91847 100644 --- a/lib/strto.c +++ b/lib/strto.c @@ -78,6 +78,11 @@ ulong hextoul(const char *cp, char **endp) return simple_strtoul(cp, endp, 16); } +unsigned long long hextoull(const char *cp, char **endp) +{ + return simple_strtoull(cp, endp, 16); +} + ulong dectoul(const char *cp, char **endp) { return simple_strtoul(cp, endp, 10); diff --git a/lib/tiny-printf.c b/lib/tiny-printf.c index cc1dfe61cf7..0503c17341f 100644 --- a/lib/tiny-printf.c +++ b/lib/tiny-printf.c @@ -312,7 +312,7 @@ static int _vprintf(struct printf_info *info, const char *fmt, va_list va) *info->bf = 0; info->bf = p; - while (*info->bf++ && width > 0) + while (width > 0 && info->bf && *info->bf++) width--; while (width-- > 0) info->putc(info, lz ? '0' : ' '); diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 59e6cbafafa..ad2b5ab0c32 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -821,7 +821,7 @@ u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd, if (*recv_size < 12) return -ENODATA; *recv_size -= 12; - memcpy(recvbuf, recvbuf + 12, *recv_size); + memmove(recvbuf, recvbuf + 12, *recv_size); return 0; } diff --git a/lib/uuid.c b/lib/uuid.c index c6a27b7d044..538a1ba6aa8 100644 --- a/lib/uuid.c +++ b/lib/uuid.c @@ -35,6 +35,7 @@ #ifdef USE_HOSTCC /* polyfill hextoul to avoid pulling in strto.c */ #define hextoul(cp, endp) strtoul(cp, endp, 16) +#define hextoull(cp, endp) strtoull(cp, endp, 16) #endif int uuid_str_valid(const char *uuid) @@ -312,7 +313,7 @@ int uuid_str_to_bin(const char *uuid_str, unsigned char *uuid_bin, tmp16 = cpu_to_be16(hextoul(uuid_str + 19, NULL)); memcpy(uuid_bin + 8, &tmp16, 2); - tmp64 = cpu_to_be64(hextoul(uuid_str + 24, NULL)); + tmp64 = cpu_to_be64(hextoull(uuid_str + 24, NULL)); memcpy(uuid_bin + 10, (char *)&tmp64 + 2, 6); return 0; @@ -339,7 +340,7 @@ int uuid_str_to_le_bin(const char *uuid_str, unsigned char *uuid_bin) tmp16 = cpu_to_le16(hextoul(uuid_str + 19, NULL)); memcpy(uuid_bin + 8, &tmp16, 2); - tmp64 = cpu_to_le64(hextoul(uuid_str + 24, NULL)); + tmp64 = cpu_to_le64(hextoull(uuid_str + 24, NULL)); memcpy(uuid_bin + 10, &tmp64, 6); return 0; diff --git a/lib/vsprintf.c b/lib/vsprintf.c index e5802866632..c7340a047b2 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -308,7 +308,7 @@ static __maybe_unused char *string16(char *buf, char *end, u16 *s, return buf; } -#if CONFIG_IS_ENABLED(EFI_DEVICE_PATH_TO_TEXT) +#if CONFIG_IS_ENABLED(EFI_DEVICE_PATH_TO_TEXT) && !defined(API_BUILD) static char *device_path_string(char *buf, char *end, void *dp, int field_width, int precision, int flags) { |