diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
index e2d190a90c..2ade777aad 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -18,7 +18,9 @@
],
## Both file path and directory path are accepted.
"IgnoreFiles": [
- "Library/OpensslLib/openssl"
+ "Library/OpensslLib/openssl",
+ # this has OpenSSL interfaces that aren't UEFI spec compliant
+ "Library/OpensslLib/rand_pool.c"
]
},
"CompilerPlugin": {
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 1af78468a1..0490eeb7e2 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -60,6 +60,7 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
+ RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
[LibraryClasses.ARM, LibraryClasses.AARCH64]
#
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index cc27b8c57c..b00bb74ce6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -571,22 +571,9 @@
$(OPENSSL_PATH)/ssl/statem/statem_local.h
# Autogenerated files list ends here
buildinf.h
- rand_pool_noise.h
ossl_store.c
rand_pool.c
-[Sources.Ia32]
- rand_pool_noise_tsc.c
-
-[Sources.X64]
- rand_pool_noise_tsc.c
-
-[Sources.ARM]
- rand_pool_noise.c
-
-[Sources.AARCH64]
- rand_pool_noise.c
-
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
@@ -594,7 +581,7 @@
[LibraryClasses]
BaseLib
DebugLib
- TimerLib
+ RngLib
PrintLib
[LibraryClasses.ARM]
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 616ccd9f62..3557711bd8 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -520,22 +520,9 @@
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
# Autogenerated files list ends here
buildinf.h
- rand_pool_noise.h
ossl_store.c
rand_pool.c
-[Sources.Ia32]
- rand_pool_noise_tsc.c
-
-[Sources.X64]
- rand_pool_noise_tsc.c
-
-[Sources.ARM]
- rand_pool_noise.c
-
-[Sources.AARCH64]
- rand_pool_noise.c
-
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
@@ -543,7 +530,7 @@
[LibraryClasses]
BaseLib
DebugLib
- TimerLib
+ RngLib
PrintLib
[LibraryClasses.ARM]
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c b/CryptoPkg/Library/OpensslLib/rand_pool.c
index 9e0179b034..6218ae0c1c 100644
--- a/CryptoPkg/Library/OpensslLib/rand_pool.c
+++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
@@ -2,8 +2,8 @@
OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
The file implement these functions.
-Copyright (c) 2019, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -11,53 +11,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
-#include
-
-#include "rand_pool_noise.h"
-
-/**
- Get some randomness from low-order bits of GetPerformanceCounter results.
- And combine them to the 64-bit value
-
- @param[out] Rand Buffer pointer to store the 64-bit random value.
-
- @retval TRUE Random number generated successfully.
- @retval FALSE Failed to generate.
-**/
-STATIC
-BOOLEAN
-EFIAPI
-GetRandNoise64FromPerformanceCounter(
- OUT UINT64 *Rand
- )
-{
- UINT32 Index;
- UINT32 *RandPtr;
-
- if (NULL == Rand) {
- return FALSE;
- }
-
- RandPtr = (UINT32 *) Rand;
-
- for (Index = 0; Index < 2; Index ++) {
- *RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
- MicroSecondDelay (10);
- RandPtr++;
- }
-
- return TRUE;
-}
+#include
/**
Calls RandomNumber64 to fill
a buffer of arbitrary size with random bytes.
+ This is a shim layer to RngLib.
@param[in] Length Size of the buffer, in bytes, to fill with.
@param[out] RandBuffer Pointer to the buffer to store the random result.
- @retval EFI_SUCCESS Random bytes generation succeeded.
- @retval EFI_NOT_READY Failed to request random bytes.
+ @retval TRUE Random bytes generation succeeded.
+ @retval FALSE Failed to request random bytes.
**/
STATIC
@@ -65,7 +30,7 @@ BOOLEAN
EFIAPI
RandGetBytes (
IN UINTN Length,
- OUT UINT8 *RandBuffer
+ OUT UINT8 *RandBuffer
)
{
BOOLEAN Ret;
@@ -73,17 +38,17 @@ RandGetBytes (
Ret = FALSE;
+ if (RandBuffer == NULL) {
+ DEBUG((DEBUG_ERROR, "[OPENSSL_RAND_POOL] NULL RandBuffer. No random numbers are generated and your system is not secure\n"));
+ ASSERT (RandBuffer != NULL); // Since we can't generate random numbers, we should assert. Otherwise we will just blow up later.
+ return Ret;
+ }
+
+
while (Length > 0) {
- //
- // Get random noise from platform.
- // If it failed, fallback to PerformanceCounter
- // If you really care about security, you must override
- // GetRandomNoise64FromPlatform.
- //
- Ret = GetRandomNoise64 (&TempRand);
- if (Ret == FALSE) {
- Ret = GetRandNoise64FromPerformanceCounter (&TempRand);
- }
+ // Use RngLib to get random number
+ Ret = GetRandomNumber64 (&TempRand);
+
if (!Ret) {
return Ret;
}
@@ -91,7 +56,8 @@ RandGetBytes (
*((UINT64*) RandBuffer) = TempRand;
RandBuffer += sizeof (UINT64);
Length -= sizeof (TempRand);
- } else {
+ }
+ else {
CopyMem (RandBuffer, &TempRand, Length);
Length = 0;
}
@@ -100,125 +66,6 @@ RandGetBytes (
return Ret;
}
-/**
- Creates a 128bit random value that is fully forward and backward prediction resistant,
- suitable for seeding a NIST SP800-90 Compliant.
- This function takes multiple random numbers from PerformanceCounter to ensure reseeding
- and performs AES-CBC-MAC over the data to compute the seed value.
-
- @param[out] SeedBuffer Pointer to a 128bit buffer to store the random seed.
-
- @retval TRUE Random seed generation succeeded.
- @retval FALSE Failed to request random bytes.
-
-**/
-STATIC
-BOOLEAN
-EFIAPI
-RandGetSeed128 (
- OUT UINT8 *SeedBuffer
- )
-{
- BOOLEAN Ret;
- UINT8 RandByte[16];
- UINT8 Key[16];
- UINT8 Ffv[16];
- UINT8 Xored[16];
- UINT32 Index;
- UINT32 Index2;
- AES_KEY AESKey;
-
- //
- // Chose an arbitrary key and zero the feed_forward_value (FFV)
- //
- for (Index = 0; Index < 16; Index++) {
- Key[Index] = (UINT8) Index;
- Ffv[Index] = 0;
- }
-
- AES_set_encrypt_key (Key, 16 * 8, &AESKey);
-
- //
- // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps between 128 bit value
- // The 10us gaps will ensure multiple reseeds within the system time with a large
- // design margin.
- //
- for (Index = 0; Index < 32; Index++) {
- MicroSecondDelay (10);
- Ret = RandGetBytes (16, RandByte);
- if (!Ret) {
- return Ret;
- }
-
- //
- // Perform XOR operations on two 128-bit value.
- //
- for (Index2 = 0; Index2 < 16; Index2++) {
- Xored[Index2] = RandByte[Index2] ^ Ffv[Index2];
- }
-
- AES_encrypt (Xored, Ffv, &AESKey);
- }
-
- for (Index = 0; Index < 16; Index++) {
- SeedBuffer[Index] = Ffv[Index];
- }
-
- return Ret;
-}
-
-/**
- Generate high-quality entropy source.
-
- @param[in] Length Size of the buffer, in bytes, to fill with.
- @param[out] Entropy Pointer to the buffer to store the entropy data.
-
- @retval EFI_SUCCESS Entropy generation succeeded.
- @retval EFI_NOT_READY Failed to request random data.
-
-**/
-STATIC
-BOOLEAN
-EFIAPI
-RandGenerateEntropy (
- IN UINTN Length,
- OUT UINT8 *Entropy
- )
-{
- BOOLEAN Ret;
- UINTN BlockCount;
- UINT8 Seed[16];
- UINT8 *Ptr;
-
- BlockCount = Length / 16;
- Ptr = (UINT8 *) Entropy;
-
- //
- // Generate high-quality seed for DRBG Entropy
- //
- while (BlockCount > 0) {
- Ret = RandGetSeed128 (Seed);
- if (!Ret) {
- return Ret;
- }
- CopyMem (Ptr, Seed, 16);
-
- BlockCount--;
- Ptr = Ptr + 16;
- }
-
- //
- // Populate the remained data as request.
- //
- Ret = RandGetSeed128 (Seed);
- if (!Ret) {
- return Ret;
- }
- CopyMem (Ptr, Seed, (Length % 16));
-
- return Ret;
-}
-
/*
* Add random bytes to the pool to acquire requested amount of entropy
*
@@ -227,27 +74,31 @@ RandGenerateEntropy (
*
* This is OpenSSL required interface.
*/
-size_t rand_pool_acquire_entropy(RAND_POOL *pool)
+size_t
+rand_pool_acquire_entropy (
+ RAND_POOL *pool
+ )
{
- BOOLEAN Ret;
- size_t bytes_needed;
- unsigned char * buffer;
+ BOOLEAN Ret;
+ size_t Bytes_needed;
+ unsigned char *Buffer;
- bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
- if (bytes_needed > 0) {
- buffer = rand_pool_add_begin(pool, bytes_needed);
+ Bytes_needed = rand_pool_bytes_needed (pool, 1 /*entropy_factor*/);
+ if (Bytes_needed > 0) {
+ Buffer = rand_pool_add_begin (pool, Bytes_needed);
- if (buffer != NULL) {
- Ret = RandGenerateEntropy(bytes_needed, buffer);
+ if (Buffer != NULL) {
+ Ret = RandGetBytes (Bytes_needed, Buffer);
if (FALSE == Ret) {
- rand_pool_add_end(pool, 0, 0);
- } else {
- rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+ rand_pool_add_end (pool, 0, 0);
+ }
+ else {
+ rand_pool_add_end (pool, Bytes_needed, 8 * Bytes_needed);
}
}
}
- return rand_pool_entropy_available(pool);
+ return rand_pool_entropy_available (pool);
}
/*
@@ -255,17 +106,15 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
*
* This is OpenSSL required interface.
*/
-int rand_pool_add_nonce_data(RAND_POOL *pool)
+int
+rand_pool_add_nonce_data (
+ RAND_POOL *pool
+ )
{
- struct {
- UINT64 Rand;
- UINT64 TimerValue;
- } data = { 0 };
+ UINT8 data[16];
+ RandGetBytes (sizeof(data), data);
- RandGetBytes(8, (UINT8 *)&(data.Rand));
- data.TimerValue = GetPerformanceCounter();
-
- return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
+ return rand_pool_add (pool, (unsigned char*)&data, sizeof(data), 0);
}
/*
@@ -273,17 +122,15 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
*
* This is OpenSSL required interface.
*/
-int rand_pool_add_additional_data(RAND_POOL *pool)
+int
+rand_pool_add_additional_data (
+ RAND_POOL *pool
+ )
{
- struct {
- UINT64 Rand;
- UINT64 TimerValue;
- } data = { 0 };
+ UINT8 data[16];
+ RandGetBytes (sizeof(data), data);
- RandGetBytes(8, (UINT8 *)&(data.Rand));
- data.TimerValue = GetPerformanceCounter();
-
- return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
+ return rand_pool_add (pool, (unsigned char*)&data, sizeof(data), 0);
}
/*
@@ -291,7 +138,10 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
*
* This is OpenSSL required interface.
*/
-int rand_pool_init(void)
+int
+rand_pool_init (
+ VOID
+ )
{
return 1;
}
@@ -301,7 +151,10 @@ int rand_pool_init(void)
*
* This is OpenSSL required interface.
*/
-void rand_pool_cleanup(void)
+VOID
+rand_pool_cleanup(
+ VOID
+ )
{
}
@@ -310,7 +163,9 @@ void rand_pool_cleanup(void)
*
* This is OpenSSL required interface.
*/
-void rand_pool_keep_random_devices_open(int keep)
+VOID
+rand_pool_keep_random_devices_open (
+ int keep
+ )
{
}
-
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
deleted file mode 100644
index 212834e27a..0000000000
--- a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/** @file
- Provide rand noise source.
-
-Copyright (c) 2019, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include
-
-/**
- Get 64-bit noise source
-
- @param[out] Rand Buffer pointer to store 64-bit noise source
-
- @retval FALSE Failed to generate
-**/
-BOOLEAN
-EFIAPI
-GetRandomNoise64 (
- OUT UINT64 *Rand
- )
-{
- //
- // Return FALSE will fallback to use PerformanceCounter to
- // generate noise.
- //
- return FALSE;
-}
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
deleted file mode 100644
index 75acc686a9..0000000000
--- a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/** @file
- Provide rand noise source.
-
-Copyright (c) 2019, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef __RAND_POOL_NOISE_H__
-#define __RAND_POOL_NOISE_H__
-
-#include
-
-/**
- Get 64-bit noise source.
-
- @param[out] Rand Buffer pointer to store 64-bit noise source
-
- @retval TRUE Get randomness successfully.
- @retval FALSE Failed to generate
-**/
-BOOLEAN
-EFIAPI
-GetRandomNoise64 (
- OUT UINT64 *Rand
- );
-
-
-#endif // __RAND_POOL_NOISE_H__
diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
deleted file mode 100644
index 4158106231..0000000000
--- a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/** @file
- Provide rand noise source.
-
-Copyright (c) 2019, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include
-#include
-#include
-
-/**
- Get 64-bit noise source
-
- @param[out] Rand Buffer pointer to store 64-bit noise source
-
- @retval TRUE Get randomness successfully.
- @retval FALSE Failed to generate
-**/
-BOOLEAN
-EFIAPI
-GetRandomNoise64 (
- OUT UINT64 *Rand
- )
-{
- UINT32 Index;
- UINT32 *RandPtr;
-
- if (NULL == Rand) {
- return FALSE;
- }
-
- RandPtr = (UINT32 *)Rand;
-
- for (Index = 0; Index < 2; Index ++) {
- *RandPtr = (UINT32) ((AsmReadTsc ()) & 0xFF);
- RandPtr++;
- MicroSecondDelay (10);
- }
-
- return TRUE;
-}