Fix few typos in comments.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Antoine Coeur <coeur@gmx.fr>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
Message-Id: <20200207010831.9046-2-philmd@redhat.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add Crypto library instances and modules that consume/produce
the EDK II Crypto Protocols/PPIs to the CryptoPkg DSC file.
The default build of CryptoPkg performs a package verification
build.
The CRYPTO_SERVICES define is added that supports the following
settings.
* PACKAGE - Package verification build of all components. Null
versions of libraries are used to minimize build times.
* ALL - Build PEIM, DXE, and SMM drivers. Protocols and PPIs
publish all services.
* NONE - Build PEIM, DXE, and SMM drivers. Protocols and PPIs
publish no services. Used to verify compiler/linker
optimizations are working correctly.
* MIN_PEI - Build PEIM with PPI that publishes minimum required
services.
* MIN_DXE_MIN_SMM - Build DXE and SMM drivers with Protocols that publish
minimum required services.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the PeiCryptLib, DxeCryptLib, and SmmCryptLib instances
of the BaseCryptLib library classes that are implemented using
the services of EDK II Crypto Protocols/PPIs.
These library instances all set a dependency expression on the
EDK II Crypto Protocols/PPIs, so any modules that use these
library instances are not dispatched until the modules that
produce the EDK II Crypto Protocols/PPIs are dispatched.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the CryptoPei, CryptoDxe, and CryptoSmm modules that produce
EDK II Crypto Protocols/PPIs that provide the same services as
the BaseCryptLib class.
In order to optimize the size of CryptoPei, CryptoDxe, and
CryptoSmm modules for a specific platform, the FixedAtBuild
PCD gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable
is used to determine if a specific service is enabled or
disabled. If a service is enabled, then a call is made to
the BaseCryptLib service. If the service is disabled, then
a DEBUG() message and ASSERT() are performed and a default
return value is returned. This provides simple detection
of a service that is disabled but is used by another module
when DEBUG()/ASSERT() macros are enabled.
The use of a FixedAtBuild PCD is required so the compiler
and linker know each services enable/disable setting at
build time and allows disabled services to be optimized away.
CryptoPei supports both pre-mem and post-mem use cases.
If CryptoPei is initially dispatched pre-mmem, the the
register for shadow service is used so the Crypto PPI can
be reinstalled post-mem.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the EDK II Crypto Protocol, EDK II SMM Crypto Protocol
and EDK II Crypto PPI that provide the same services as the
BaseCryptLib. One additional GetVersion() services is provided
to support backward compatible extensions to these new
Protocols/PPIs if new services are added to BaseCryptLib in the
future. The EDK II Crypto Protocols/PPIs are located in a
private directory so they are only available CryptoPkg components.
In order to optimize the size of modules that produce the
EDK II Crypto Protocols/PPIs define a FixedAtBuild PCD
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
This PCD is type VOID* and is associated with the structure
PCD_CRYPTO_SERVICE_FAMILY_ENABLE. This structure contains
bitfields and unions that allow a platform DSC files to
enable/disable entire families of services or enable/disable
individual services in the produced EDK II Crypto
Protocols/PPIs.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Add X509ConstructCertificateStackV() to BaseCryptLib that is
identical in behavior to X509ConstructCertificateStack(), but
it takes a VA_LIST parameter for the variable argument list.
The VA_LIST form of this function is required for BaseCryptLib
functions to be wrapped in a Protocol/PPI.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2493
The BaseCryptLib was expanded to add the HkdfSha256ExtractAndExpand()
service in the following commit:
4b1b7c1913
When BaseCryptLibNull was added in the commit below, this new
service was not included.
d95de082da
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
the desired hash by setting PcdHashApiLibPolicy to appropriate value.
This feature is documented in the Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
Added CryptoPkg Token Space GUID to be able to define PCDs.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
Hmac(Md5|Sha1|Sha256)GetContextSize() use a deprecated macro
HMAC_MAX_MD_CBLOCK defined in openssl. They should be dropped to
avoid misuses in the future. For context allocation and release,
use HmacXxxNew() and HmacXxxFree() instead.
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
HmacXxxInit() is supposed to be initialize user supplied buffer as HMAC
context, as well as user supplied key. Currently it has no real use cases.
Due to BZ1792, the user has no way to get correct size of context buffer
after it's fixed, and then cannot make use of HmacXxxInit to initialize
it.
So it's decided to replace it with HmacXxxSetKey to keep the functionality
of supplying a key to HMAC, but drop all other initialization works. The
user can still get HMAC context via HmacXxxNew interface, which hides the
details about the context.
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2389
Currently RSA signing scheme support is available for MD5, SHA-1 or
SHA-256 algorithms.The fix is to extend this support for SHA384 and
SHA512.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Signed-off-by: Pavana.K <pavana.k@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) incorrectly placed "ms/uplink.h" in the
auto-generated part of [Sources], in "OpensslLib.inf".
("ms/uplink.h" was added in the right spot in "OpensslLibCrypto.inf".)
Subsequently, when commit 9f4fbd56d4 ("CryptoPkg/OpensslLib: Update
process_files.pl to generate .h files", 2019-10-30) re-generated that part
of "OpensslLib.inf", the "ms/uplink.h" file reference was lost. This
triggers a warning from the "build" utility now.
Name the header file in the right spot in [Sources].
This change makes "OpensslLib.inf" consistent with "OpensslLibCrypto.inf".
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
When diffing "OpensslLib.inf" against "OpensslLibCrypto.inf", the *only*
differences should be:
- BASE_NAME, MODULE_UNI_FILE, and FILE_GUID are expected to differ, in
[Defines];
- "OpensslLib.inf" is expected to list "$(OPENSSL_PATH)/ssl/..." source
files in the auto-generated part of the [Sources] section.
Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) broke that invariant, by adding "buildinf.h" and
"rand_pool_noise.h" in different order to both INF files.
Fix that order in "OpensslLib.inf" now. (Note that this does not
re-establish full consistency between both INF files -- it just highlights
another problem, which we'll fix in the next patch.)
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
https://bugzilla.tianocore.org/show_bug.cgi?id=2315
Add YAML file to the package directory with the
configuration of the checks to perform during a
CI build.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Upgrade openssl from 1.1.1b to 1.1.1d.
Something needs to be noticed is that, there is a bug existing in the
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226
Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".
shm.h and utsname.h are added to avoid GCC build failure.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.
Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).
We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:
$ git show \
964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
> CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package). That source file has a number of
standard C and BSD socket dependencies. Provide those dependencies here:
- The header files below will simply #include <CrtLibSupport.h>:
- arpa/inet.h
- arpa/nameser.h
- netinet/in.h
- sys/param.h
- sys/socket.h
- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
e2d3a25f1a31; which is the commit immediately preceding the removal of
StdLib from edk2 (964f432b9b).
Note that the other error macro, which we alread #define, namely EINVAL,
has a value (22) that also matches "StdLib/Include/errno.h".
- The AF_INET and AF_INET6 address family macros come from
"StdLib/Include/sys/socket.h".
- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
"StdLib/Include/arpa/nameser.h".
- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:
strchr((xdigits = xdigits_l), ch)
strchr((xdigits = xdigits_u), ch)
To enable this kind of function call, turn strchr() into a function.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
protocol to set the specified host name that need to be verified.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
There are missing headers added into INF files at 8906f076de35b222a..
They are now manually added but not auto-generated. So we update the
perl script to enable this feature.
Meanwhile, update the order of the .h files in INF files, which are
auto-generated now.
https://bugzilla.tianocore.org/show_bug.cgi?id=2085
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
With this change, global variable _fltused will not be removed by LTO
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2257
Add a Null instance of the BaseCryptLib class. This lib instance
can be used as a template for new implementations of the BaseCryptLib
class and can also be used to reduce CI build times for build
checks that depend on the BaseCryptLib class.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2258
Add a Null instance of the TlsLib class. This lib instance
can be used as a template for new implementations of the TlsLib
class and can also be used to reduce CI build times for build
checks that depend on the TlsLib class.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2254
Update CryptoPkg.dsc to guarantee all libraries and modules
are always built. Add the following components.
* CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Update attribute "Out" to "out".
The original "Out" can not pass ECC check.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
The header files are used but missing in INF,which causes
warning message when building them.
https://bugzilla.tianocore.org/show_bug.cgi?id=2036
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=1910
edk2/Readme.md has added a section to explain the correct clone
commands for submodules. Detailed steps in the OpenSSL-HOWTO.txt
are removed to avoid any inconsistency.
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Liming Gao <liming.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928
1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
2. Implement stub implementation function in CryptHkdfNull.c file.
3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
RuntimeCryptLib.inf and SmmCryptLib.inf
Signed-off-by: Gary West <Gary.West@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2027
Refer to CSS_2_1 5.7.2.1 "Non-Boolean comparisons must use a
compare operator (==, !=, >, < >=, <=).", use compare operator
for the non-boolean comparisons.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
The BaseTools build feature introduced for TianoCore#1804 / in commit
1fa6699e6c ("BaseTools: Add a checking for Sources section in INF file",
2019-06-10) logs some (non-fatal) warnings about unlisted internal header
files. List those files explicitly.
Note: header files are added in lexicographical order only if the
underlying INF file already keeps the [Sources] and [LibraryClasses]
sections in lexicographical order. Otherwise, header files are added in
rough "logical" order.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1881
Commit(0a1b13fd4d) fix VS2017 build failure
remove useless file in OpensslLib[Crypto].inf,
but we use process_files.pl to generate files.
So exclude err_all.c file in process_files.pl
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1926
This problem was found by Rebecca Cran <rebecca@bluestop.org>.
REF: https://edk2.groups.io/g/devel/topic/32100684
OpenSSL will automatically load a system config file which configures
default ssl options. In UEFI, It will cause TlsInitialize failed
without OPENSSL_INIT_NO_LOAD_CONFIG flag. we don't use this feature,
So disable it.
Re-run process_files.py to generate OpensslLib[Crypto].inf files.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Re-run process_files.py to generate OpensslLib[Crypto].inf.
CryptoPkg/Library/Include/openssl/opensslconf.h is coped from OpenSSL,
So keep the CR/LF style like OpenSSL source file.
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
CryptoPkg\Library\Include\CrtLibSupport.h maps strxxxx interfaces to
edk2 PrintLib interfaces but related module inf file don't claim the
use of it. This will cause unresolved symbol issue with VS2017 build
which has enabled strict symbol check. This patch resolves the problem
by adding PrintLib to inf files.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
When use clang-3.8 to build the NetworkPkg, compiler optimization
may use memcpy for memory copy. For example:
CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_rsa.c:918: undefined
reference to `memcpy'`
Compiler optimization is sophisticated, but we can work around it
use __attribute__((__used__)) to informs the compiler that symbol
should be retained in the object file, even if it may be
unreferenced.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1878
This issue is specific to VS2017 which tries to resolve symbol referenced
by a symbol not really referenced eventually.
ossl_init_load_crypto_strings
-> err_load_crypto_strings_int (not really referenced)
-> ERR_load_OSSL_STORE_strings
Because OPENSSL_NO_ERR and OPENSSL_NO_AUTOERRINIT are not defined by
default, err_load_crypto_strings_int() will not be actually referenced
by ossl_init_load_crypto_strings().
Since err_load_crypto_strings_int() is not actually referenced at all,
the fix can be done simply by removing crypto/err/err_all.c from build.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
When building CryptoPkg with XCODE, blow error may result
* usr/lib/clang/9.0.0/include/stdatomic.h:105:17:
error: unknown type name 'wchar_t'
Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it
* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
uninitialized
when used here [-Werror,-Wuninitialized]
Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Commit c51f8bae7c ("CryptoPkg: Fix possible build problem with
Clang") added -std=c99 to the CLANG38 compiler command line of
packages that incorporate parts of OpenSSL, to ensure that the new
C atomics code used by OpenSSL for refcounting (which we don't care
about) does not pull in system C library headers, which we cannot
rely on when (cross)building EDK2 code.
Unsurprisingly, CLANG35 (which is only defined for ARM and AARCH64)
suffers from the exact same issue, so let's add the same flags
there as well.
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
OpenSSL internally redefines the size of HMAC_CTX at
crypto/hmac/hmac_lcl.h(OpenSSL commit e0810e35).
Ref: https://github.com/openssl/openssl/pull/4338
We should not use it directly and should remove relevant
functions(Hmac*GetContextSize).
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
But for compatiblility, temporarily change these definition
of HMAC_*_CTX_SIZE.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
* Update OpenSSL submodule to OpenSSL_1_1_1b
OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
* Run process_files.pl script to regenerate OpensslLib[Crypto].inf
and opensslconf.h
* Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
which was first released as part of OpenSSL_1_1_1.
* Starting with OpenSSL commit 8a8d9e1905(first release in
OpenSSL_1_1_1), the OpenSSL_version() function can no longer
return a pointer to the string literal "compiler: information
not available", in the case CFLAGS macro is not defined.
Instead, the function now has a hard dependency on the global
variable 'compiler_flags'. This variable is normally placed
by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
run that script whenever we build OpenSSL, therefore we
must provide our own dummy 'compiler_flags'.
* BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
And it is declared in stdio.h. So add it to CrtLibSupport.h.
Here's a discussion about this.
Ref: https://github.com/openssl/openssl/issues/8904
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
* From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
updated DRBG / RAND to request nonce and additional low entropy
randomness from system(line 229 openssl/CHANGES).
Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
for UEFI. We must provide a method to implenet these method.
TSC is used as first entropy source if it's availabe otherwise
fallback to TimerLib. But we are not sure the amount of randomness
they provide. If you really care about the security, one choice is
overrided it with hardware generator.
Add rand_pool.c to implement these functions required by OpenSSL
rand_pool_acquire_entropy
rand_pool_add_nonce_data
rand_pool_add_additional_data
rand_pool_init
rand_pool_cleanup
rand_pool_keep_random_devices_open
And add rand_pool_noise.* for getting entropy noise from different
architecture.
* We don't need ossl_store functions. We exclude relative files
through process_files.pl. And ossl_store_cleanup_int was first
added in crypto/init.c OpenSSL_1_1_1(71a5516d).
So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
function.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
When building CryptoPkg with Clang, blow error may result
* /usr/lib/llvm-3.8/lib/clang/3.8.0/include/stdatomic.h:105:17: error:
unknown type name 'wchar_t'
Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it
* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
uninitialized
when used here [-Werror,-Wuninitialized]
Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
Disable warning for building OpenSSL_1_1_1b
add /wd4132 /wd4700 /wd4310 for Visual Studio in OpensslLib[Crypto].inf
add -Wno-error=unused-but-set-variable for GCC in OpensslLib[Crypto].inf
Although this option is set in some build environments by default.
But this is only for OpenSSL compilation, no matter how the
default options change.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>