Commit Graph

278 Commits

Author SHA1 Message Date
Shenglei Zhang 1bcc65b9a1 CryptoPkg: Upgrade OpenSSL to 1.1.1d
Upgrade openssl from 1.1.1b to 1.1.1d.
Something needs to be noticed is that, there is a bug existing in the
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226

Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".

shm.h and utsname.h are added to avoid GCC build failure.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2019-11-05 10:42:07 +08:00
Laszlo Ersek 1e72b1fb2e CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.

Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:08:05 +01:00
Laszlo Ersek 8d16ef8269 CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).

We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:

  $ git show \
      964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
      > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:59 +01:00
Laszlo Ersek 2ac41c12c0 CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553)
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package). That source file has a number of
standard C and BSD socket dependencies. Provide those dependencies here:

- The header files below will simply #include <CrtLibSupport.h>:

  - arpa/inet.h
  - arpa/nameser.h
  - netinet/in.h
  - sys/param.h
  - sys/socket.h

- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
  e2d3a25f1a31; which is the commit immediately preceding the removal of
  StdLib from edk2 (964f432b9b).

  Note that the other error macro, which we alread #define, namely EINVAL,
  has a value (22) that also matches "StdLib/Include/errno.h".

- The AF_INET and AF_INET6 address family macros come from
  "StdLib/Include/sys/socket.h".

- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
  "StdLib/Include/arpa/nameser.h".

- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:52 +01:00
Laszlo Ersek eb520d94db CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.

In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:

  strchr((xdigits = xdigits_l), ch)
  strchr((xdigits = xdigits_u), ch)

To enable this kind of function call, turn strchr() into a function.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:25 +01:00
Wu, Jiaxin 2ca74e1a17 CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
protocol to set the specified host name that need to be verified.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-11-02 12:07:23 +01:00
Shenglei Zhang 9f4fbd56d4 CryptoPkg/OpensslLib: Update process_files.pl to generate .h files
There are missing headers added into INF files at 8906f076de35b222a..
They are now manually added but not auto-generated. So we update the
perl script to enable this feature.
Meanwhile, update the order of the .h files in INF files, which are
auto-generated now.
https://bugzilla.tianocore.org/show_bug.cgi?id=2085

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
2019-10-30 10:38:03 +08:00
Liming Gao 933681b208 CryptoPkg IntrinsicLib: Make _fltused always be used
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
With this change, global variable _fltused will not be removed by LTO

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
2019-10-24 09:41:34 +08:00
Liming Gao 3d61650f95 CryptoPkg: Append options to make CLANG9 tool chain pass build
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
Disable warning reported from CLANG9.

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-24 09:41:33 +08:00
Sean Brogan d95de082da CryptoPkg: Add Null instance of the BaseCryptLib class
https://bugzilla.tianocore.org/show_bug.cgi?id=2257

Add a Null instance of the BaseCryptLib class.  This lib instance
can be used as a template for new implementations of the BaseCryptLib
class and can also be used to reduce CI build times for build
checks that depend on the BaseCryptLib class.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 18:37:19 -07:00
Sean Brogan 79cd636f3e CryptoPkg: Add Null instance of the TlsLib class
https://bugzilla.tianocore.org/show_bug.cgi?id=2258

Add a Null instance of the TlsLib class.  This lib instance
can be used as a template for new implementations of the TlsLib
class and can also be used to reduce CI build times for build
checks that depend on the TlsLib class.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 14:42:28 -07:00
Sean Brogan 412c963842 CryptoPkg: Add missing components to CryptoPkg.dsc
https://bugzilla.tianocore.org/show_bug.cgi?id=2254

Update CryptoPkg.dsc to guarantee all libraries and modules
are always built.  Add the following components.

* CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 10:38:33 -07:00
Shenglei Zhang 944bd5cf1d CryptoPkg: Fix coding style
Update attribute "Out" to "out".
The original "Out" can not pass ECC check.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-19 08:45:29 +08:00
Shenglei Zhang 8906f076de CryptoPkg/OpensslLib: Add missing header files in INF file
The header files are used but missing in INF,which causes
warning message when building them.
https://bugzilla.tianocore.org/show_bug.cgi?id=2036

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-16 11:26:57 +08:00
Jian J Wang 5ab96088ae CryptoPkg/OpensslLib: remove clone commands
https://bugzilla.tianocore.org/show_bug.cgi?id=1910

edk2/Readme.md has added a section to explain the correct clone
commands for submodules. Detailed steps in the OpenSSL-HOWTO.txt
are removed to avoid any inconsistency.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-08-15 09:56:37 +08:00
Gary West 4b1b7c1913 CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928

1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
2. Implement stub implementation function in CryptHkdfNull.c file.
3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
   RuntimeCryptLib.inf and SmmCryptLib.inf

Signed-off-by: Gary West <Gary.West@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
2019-08-09 09:38:56 +08:00
Zhichao Gao b3d00df69c CryptoPkg/BaseCryptLib: Use cmp-operator for non-Boolean comparisons
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2027

Refer to CSS_2_1 5.7.2.1 "Non-Boolean comparisons must use a
compare operator (==, !=, >, < >=, <=).", use compare operator
for the non-boolean comparisons.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-31 09:19:43 +08:00
Laszlo Ersek 9e55ce6b75 CryptoPkg/BaseCryptLib: list module-internal header files in INF [Sources]
The BaseTools build feature introduced for TianoCore#1804 / in commit
1fa6699e6c ("BaseTools: Add a checking for Sources section in INF file",
2019-06-10) logs some (non-fatal) warnings about unlisted internal header
files. List those files explicitly.

Note: header files are added in lexicographical order only if the
underlying INF file already keeps the [Sources] and [LibraryClasses]
sections in lexicographical order. Otherwise, header files are added in
rough "logical" order.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-23 00:20:30 +02:00
Xiaoyu Lu 51f7a3e6c5 CryptoPkg/OpensslLib: Exclude err_all.c in process_files.pl
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1881

Commit(0a1b13fd4d) fix VS2017 build failure
remove useless file in OpensslLib[Crypto].inf,
but we use process_files.pl to generate files.
So exclude err_all.c file in process_files.pl

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-25 16:45:54 +08:00
Xiaoyu Lu b86fbe1f98 CryptoPkg/OpensslLib: disable autoload-config for OpenSSL
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1926

This problem was found by Rebecca Cran <rebecca@bluestop.org>.
REF: https://edk2.groups.io/g/devel/topic/32100684

OpenSSL will automatically load a system config file which configures
default ssl options. In UEFI, It will cause TlsInitialize failed
without OPENSSL_INIT_NO_LOAD_CONFIG flag. we don't use this feature,
So disable it.

Re-run process_files.py to generate OpensslLib[Crypto].inf files.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-21 17:25:02 +08:00
Lu, XiaoyuX 90e8f13d51 CryptoPkg/OpensslLib: Fix CR/LF issue
Re-run process_files.py to generate OpensslLib[Crypto].inf.
CryptoPkg/Library/Include/openssl/opensslconf.h is coped from OpenSSL,
So keep the CR/LF style like OpenSSL source file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-21 17:16:52 +08:00
Bret Barkelew a860eb9668 CryptoPkg: Add missing instance for build only
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1900

Add the missing instance to [Components] of dsc file
for build only.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-15 03:42:29 +08:00
Lu, XiaoyuX f0718d1d6b CryptoPkg/BaseCryptLib: Wrap OpenSSL SM3 algorithm
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1861

1. Implement OpenSSL SM3 wrapped functions in CryptSm3.c file.
2. Add wrapped SM3 functions declaration to BaseCryptLib.h file.
3. Add CryptSm3.c to each module information file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-08 05:18:41 +08:00
Wang, Jian J 20d2e5a125 CryptoPkg/OpensslLib: fix build break caused by missing library
CryptoPkg\Library\Include\CrtLibSupport.h maps strxxxx interfaces to
edk2 PrintLib interfaces but related module inf file don't claim the
use of it. This will cause unresolved symbol issue with VS2017 build
which has enabled strict symbol check. This patch resolves the problem
by adding PrintLib to inf files.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-06 12:51:42 +08:00
Xiaoyu Lu 98d8f194e5 CryptoPkg/IntrinsicLib: Fix CLANG38 IA32 build problem
When use clang-3.8 to build the NetworkPkg, compiler optimization
may use memcpy for memory copy. For example:

 CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_rsa.c:918: undefined
 reference to `memcpy'`

Compiler optimization is sophisticated, but we can work around it
use __attribute__((__used__)) to informs the compiler that symbol
should be retained in the object file, even if it may be
unreferenced.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-06 11:01:50 +08:00
Wang, Jian J 0a1b13fd4d CryptoPkg/OpensslLib: fix VS2017 build failure
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1878

This issue is specific to VS2017 which tries to resolve symbol referenced
by a symbol not really referenced eventually.

ossl_init_load_crypto_strings
-> err_load_crypto_strings_int (not really referenced)
-> ERR_load_OSSL_STORE_strings

Because OPENSSL_NO_ERR and OPENSSL_NO_AUTOERRINIT are not defined by
default, err_load_crypto_strings_int() will not be actually referenced
by ossl_init_load_crypto_strings().

Since err_load_crypto_strings_int() is not actually referenced at all,
the fix can be done simply by removing crypto/err/err_all.c from build.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-05 16:21:35 +08:00
Xiaoyu Lu 466c66341a CryptoPkg: Fix build problem with XCODE
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

When building CryptoPkg with XCODE, blow error may result

* usr/lib/clang/9.0.0/include/stdatomic.h:105:17:
error: unknown type name 'wchar_t'

Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it

* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
    uninitialized
    when used here [-Werror,-Wuninitialized]

Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-04 08:10:14 +08:00
Ard Biesheuvel f03859ea6c CryptoPkg CLANG35: add -std=c99 to dodge OpenSSL C atomics issue
Commit c51f8bae7c ("CryptoPkg: Fix possible build problem with
Clang") added -std=c99 to the CLANG38 compiler command line of
packages that incorporate parts of OpenSSL, to ensure that the new
C atomics code used by OpenSSL for refcounting (which we don't care
about) does not pull in system C library headers, which we cannot
rely on when (cross)building EDK2 code.

Unsurprisingly, CLANG35 (which is only defined for ARM and AARCH64)
suffers from the exact same issue, so let's add the same flags
there as well.

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-06-03 18:33:53 +02:00
Xiaoyu Lu acfb909118 CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

OpenSSL internally redefines the size of HMAC_CTX at
crypto/hmac/hmac_lcl.h(OpenSSL commit e0810e35).
Ref: https://github.com/openssl/openssl/pull/4338

We should not use it directly and should remove relevant
functions(Hmac*GetContextSize).
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1792

But for compatiblility, temporarily change these definition
of HMAC_*_CTX_SIZE.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:03 +08:00
XiaoyuX Lu 456dd8b99f CryptoPkg: Upgrade OpenSSL to 1.1.1b
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

* Update OpenSSL submodule to OpenSSL_1_1_1b
   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)

* Run process_files.pl script to regenerate OpensslLib[Crypto].inf
  and opensslconf.h

* Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
  due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
  Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
  which was first released as part of OpenSSL_1_1_1.

* Starting with OpenSSL commit 8a8d9e1905(first release in
  OpenSSL_1_1_1), the OpenSSL_version() function can no longer
  return a pointer to the string literal "compiler: information
  not available", in the case CFLAGS macro is not defined.
  Instead, the function now has a hard dependency on the global
  variable 'compiler_flags'. This variable is normally placed
  by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
  run that script whenever we build OpenSSL, therefore we
  must provide our own dummy 'compiler_flags'.

* BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
  And it is declared in stdio.h. So add it to CrtLibSupport.h.
  Here's a discussion about this.
  Ref: https://github.com/openssl/openssl/issues/8904

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:03 +08:00
XiaoyuX Lu b739678918 CryptoPkg/OpensslLib: Add functions for upgrading OpenSSL1_1_1b
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

* From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
  OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
  updated DRBG / RAND to request nonce and additional low entropy
  randomness from system(line 229 openssl/CHANGES).

  Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
  for UEFI. We must provide a method to implenet these method.
  TSC is used as first entropy source if it's availabe otherwise
  fallback to TimerLib. But we are not sure the amount of randomness
  they provide. If you really care about the security, one choice is
  overrided it with hardware generator.

  Add rand_pool.c to implement these functions required by OpenSSL
    rand_pool_acquire_entropy
    rand_pool_add_nonce_data
    rand_pool_add_additional_data
    rand_pool_init
    rand_pool_cleanup
    rand_pool_keep_random_devices_open

  And add rand_pool_noise.* for getting entropy noise from different
  architecture.

* We don't need ossl_store functions. We exclude relative files
  through process_files.pl. And ossl_store_cleanup_int was first
  added in crypto/init.c OpenSSL_1_1_1(71a5516d).
  So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
  function.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:02 +08:00
XiaoyuX Lu c51f8bae7c CryptoPkg: Fix possible build problem with Clang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

When building CryptoPkg with Clang, blow error may result

* /usr/lib/llvm-3.8/lib/clang/3.8.0/include/stdatomic.h:105:17: error:
    unknown type name 'wchar_t'

Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it

* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
  uninitialized
  when used here [-Werror,-Wuninitialized]

Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning

Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:02 +08:00
Laszlo Ersek 9c3c5c91ce CryptoPkg/OpensslLib: Fix cross-build problem for AARCH64
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

Thanks Laszlo Ersek <lersek@redhat.com>.
Ref: https://edk2.groups.io/g/devel/message/40375

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:02 +08:00
XiaoyuX Lu 5db2fbff23 CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

Disable warning for building OpenSSL_1_1_1b

add /wd4132 /wd4700 /wd4310 for Visual Studio in OpensslLib[Crypto].inf

add -Wno-error=unused-but-set-variable for GCC in OpensslLib[Crypto].inf
Although this option is set in some build environments by default.
But this is only for OpenSSL compilation, no matter how the
default options change.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:01 +08:00
Xiaoyu Lu 96dbfad9b0 CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

This is for the upcoming upgrade to OpenSSL_1_1_1b

Compiler optimization(Visual Studio) may automatically use _ftol2
instead of some type conversion. For example:

 OpensslLib.lib(drbg_lib.obj) : error LNK2001:
    unresolved external symbol __ftol2

This patch add _ftol2 function for the compiler intrinsic.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:01 +08:00
Xiaoyu Lu 7eee048894 CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

When running process_files.py to configure OpenSSL, we can exclude
some unnecessary files. This can reduce porting time, compiling
time and library size.

Upstream OpenSSL commit 71a5516dcc8a which was as part of
OpenSSL_1_1_1b, Add the STORE module(crypto/store/*).
But UEFI don't use them. So exclude these files.

Functions in crypto/rand/randfile.c OpenSSL and edk2 don't
call them. And it requires more crt runtime support.
So exclude it.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:00 +08:00
Xiaoyu Lu 6fcc3d68eb CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

OpenSSL configure mechanism use --with-rand-seed=xxx option to configure
random number generation.

OpenSSL_1_1_0j(74f2d9c1ec5f5510e1d3da5a9f03c28df0977762)
we use default --with-rand-seed=os option to for building it.

But OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
only support seeding NONE for UEFI(rand_unix.c line 93).

This OpenSSL change was introduced in commit
8389ec4b4950 ("Add --with-rand-seed", 2017-07-22).

So add --with-rand-seed=none to process_files.pl.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:00 +08:00
Jian J Wang c2eab535c6 CryptoPkg/BaseCryptLib: remove unused code for IPF
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1805

CryptRandItc.c is only for IPF arch, which has not been supported any
more in edk2. And no module actually reference this file. This patch
just removes it from tree.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-05-17 13:13:41 +08:00
Zhichao Gao 038f929c92 CryptoPkg/BaseCryptLib: Remove the blank line in the comments
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1736

For accroding with the doxygen special documention blocks
in section 2.3.5, removing the blank line in the file comments
of the file header for PeiCryptLib.inf

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
2019-04-29 17:07:12 +08:00
rebecca via Groups.Io 1a734ed85f CryptoPkg: add issetugid declaration to fix openssl build on FreeBSD
When building OpenSSL, the OpenBSD/FreeBSD/DFBSD code in crypto/uid.c
calls issetugid(). Add the declaration of this function to
CrtLibSupport.h to avoid the need to patch the openssl code on these
platforms.

Signed-off-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
2019-04-24 16:31:11 +08:00
Bret Barkelew 933f1990f5 CryptoPkg/BaseCryptLib: Add PKCS1v2 (RSAES-OAEP) support.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403

Add support for PKCS 1v2 RSAES-OAEP PKI encryption in BaseCryptLib.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:22 +08:00
Bret Barkelew aed90beee5 CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403

Add prototype of new API Pkcs1v2Encrypt in header file to
support PKCS1v2 (RSAES-OAEP) encrypt.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:21 +08:00
Bret Barkelew 23c3178c4d CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add the API VerifyEKUsInPkcs7Signature to check if x509 cert
has any or all EKUs.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:21 +08:00
Bret Barkelew 1796a39493 CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add a prototype of new API VerifyEKUsInPkcs7Signature.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:20 +08:00
Bret Barkelew 912e1e1ee2 CryptoPkg/BaseCryptLib: Add new API to get organization name
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401

Implement a common function to get the NID name. And use
this function to get common name and organization name.

Add a null function API X509GetOrganizationName of null
function source file.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:20 +08:00
Bret Barkelew e2a673b853 CryptoPkg/BaseCryptLib.h: Add new API to get organization name
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401

Add a prototype declaration of the new API X509GetOrganizationName
in the header file.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:19 +08:00
Michael D Kinney 2009f6b4c5 CryptoPkg: Replace BSD License with BSD+Patent License
https://bugzilla.tianocore.org/show_bug.cgi?id=1373

Replace BSD 2-Clause License with BSD+Patent License.  This change is
based on the following emails:

  https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html
  https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html

RFCs with detailed process for the license change:

  V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html
  V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html
  V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-09 09:10:22 -07:00
Shenglei Zhang fcc61ca4b1 CryptoPkg/IntrinsicLib: Remove .S files for IA32 arch
.nasm file has been added for X86 arch. .S assembly code
is not required any more.
https://bugzilla.tianocore.org/show_bug.cgi?id=1594

Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-04-03 13:27:44 +08:00
Antoine Coeur 2a784a2cc3 CryptoPkg: Fix various typos
Fix various typos in CryptoPkg.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Coeur <coeur@gmx.fr>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-02-11 11:09:44 +08:00
Jian J Wang cc01b26e05 CryptoPkg/BaseCryptLib: split CryptPkcs7Verify.c on behalf of runtime
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1493

Pkcs7GetAttachedContent() implementation in current CryptPkcs7Verify.c
is actually shared by RuntimeCryptLib.inf, SmmCryptLib.inf and
BaseCryptLib.inf, which are not correct since there's no use scenario
for runtime and AllocatePool() used in this method can only be called
in boot time.

This patch fix this issue by splitting file CryptPkcs7Verify.c into 3 parts.

  CryptPkcs7VerifyCommon.c  (shared among Base, SMM, Runtime)
  CryptPkcs7VerifyBase.c    (shared between Base, SMM)
  CryptPkcs7VerifyRuntime.c (for Runtime only)

CryptPkcs7VerifyBase.c will have original implementation of
Pkcs7GetAttachedContent() as CryptPkcs7Verify.c. CryptPkcs7VerifyRuntime.c
provide a NULL version of Pkcs7GetAttachedContent().

No functionality and interface change is involved in this patch.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2019-01-31 21:25:05 +08:00