Commit Graph

278 Commits

Author SHA1 Message Date
Ard Biesheuvel 2c010aba22 CryptoPkg/SmmCryptLib: permit use by MM_STANDALONE modules
Permit SmmCryptLib to be used by MM_STANDALONE modules

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-01-21 13:42:49 +01:00
Laszlo Ersek 300b8c5f15 CryptoPkg/BaseCryptLib: drop build flags specific to GCC44
We've removed BaseTools support for GCC44..GCC47. Drop
CryptoPkg/BaseCryptLib build flags that are specific to any of those gcc
versions.

No GCC44..GCC47 references remain under CryptoPkg after this patch.

Cc: Gang Wei <gang.wei@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1377
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-01-08 02:39:43 +01:00
Jian J Wang a18f784cfd Upgrade OpenSSL to 1.1.0j
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1393

BZ#1089 (https://bugzilla.tianocore.org/show_bug.cgi?id=1089) requests
to upgrade the OpenSSL to the latest 1.1.1 release. Since OpenSSL-1.1.1
has many changes, more porting efforts and feature evaluation are needed.
This might lead to a situation that it cannot catch the Q1'19 stable tag.

One of the solution is upgrade current version (1.1.0h) to 1.1.0j.
According to following web page in openssl.org, all security issues
solved in 1.1.1 have been also back-ported to 1.1.0.j. This can make
sure that no security vulnerabilities left in edk2 master before 1.1.1.

https://www.openssl.org/news/vulnerabilities-1.1.1.html

Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Gang Wei <gang.wei@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2018-12-21 10:07:42 +08:00
Jian J Wang 366a7672cf CryptoPkg/IntrinsicLib: add missing BaseLib declaration
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=596

BaseLib interfaces are used in this library but not declared in module's
inf file. This patch fix this situation to keep inf and its code in
consistency. No functionality or interface change are involved.

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2018-12-10 11:02:47 +08:00
Long Qin 269f3b5180 CryptoPkg/BaseCryptLib: Fix potential integer overflow issue.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1275

The LookupFreeMemRegion() in RuntimeMemAllocate.c is used to look-up
free memory region for runtime resource allocation, which was designed
to support runtime authenticated variable service.
The ReqPages in this function is the required pages to be allocated,
which depends on the malloc() call in internal OpenSSL routines. The
direct offset subtractions on ReqPages may bring possible integer
overflow issue.

This patch is to add the extra parameter checks to remove this possible
overflow risk.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2018-10-31 11:07:53 +08:00
Chen A Chen 94d67262d8 CryptoPkg: Removing ipf which is no longer supported from edk2.
Removing rules for Ipf sources file:
* Remove the source file which path with "ipf" and also listed in
  [Sources.IPF] section of INF file.
* Remove the source file which listed in [Components.IPF] section
  of DSC file and not listed in any other [Components] section.
* Remove the embedded Ipf code for MDE_CPU_IPF.

Removing rules for Inf file:
* Remove IPF from VALID_ARCHITECTURES comments.
* Remove DXE_SAL_DRIVER from LIBRARY_CLASS in [Defines] section.
* Remove the INF which only listed in [Components.IPF] section in DSC.
* Remove statements from [BuildOptions] that provide IPF specific flags.
* Remove any IPF sepcific sections.

Removing rules for Dec file:
* Remove [Includes.IPF] section from Dec.

Removing rules for Dsc file:
* Remove IPF from SUPPORTED_ARCHITECTURES in [Defines] section of DSC.
* Remove any IPF specific sections.
* Remove statements from [BuildOptions] that provide IPF specific flags.

The following rules are specially proposed by package owner:
* Remove whole "CryptRuntimeDxe" folder which was designed for IPF.
* Remove whole "Include/Protocol" folder
* Update .Dec and .Dsc file accordingly.

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-09-25 23:40:41 +08:00
Liming Gao 630f67ddfe CryptoPkg: Clean up source files
1. Do not use tab characters
2. No trailing white space in one line
3. All files must end with CRLF

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
2018-06-28 11:19:40 +08:00
Zhang, Chao B d69e8a7b79 CryptoPkg PeiCryptLib: Enable SHA384/512 support
Enable SHA384/512 support in PEI phase.

Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-06-08 10:55:53 +08:00
Long Qin 0b6457efab CryptoPkg: Remove deprecated function usage in X509GetCommonName()
BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=923

X509_NAME_get_text_by_NID() used in X509GetCommonName() implementation
is one legacy function which have various limitations. The returned
data may be not usable  when the target cert contains multicharacter
string type like a BMPString or a UTF8String.
This patch replaced the legacy function usage with more general
X509_NAME_get_index_by_NID() / X509_NAME_get_entry() APIs for X509
CommonName retrieving.

Tests: Validated the commonName retrieving with test certificates
       containing PrintableString or BMPString data.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2018-06-05 10:16:03 +08:00
Laszlo Ersek ee3198e672 CryptoPkg/CrtLibSupport: add secure_getenv() stub function
The Fedora distro ships a modified OpenSSL 1.1.0 package stream. One of
their patches calls the secure_getenv() C library function. We already
have a stub for getenv(); it applies trivially to secure_getenv() as well.
Add the secure_getenv() stub so that edk2 can be built with Fedora's
OpenSSL 1.1.0 sources.

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-05-08 13:29:06 +02:00
Laszlo Ersek e31fe995b8 CryptoPkg/OpensslLib: remove OpenSSL version number from OpenSSL-HOWTO.txt
Remove any concrete OpenSSL version numbers from "OpenSSL-HOWTO.txt". That
information is out of date and there's no reason for us to refresh it:

We now track stable OpenSSL releases via a git submodule. CryptoPkg
maintainers push such submodule updates to edk2 that identify the correct
stable releases of OpenSSL. "OpenSSL-HOWTO.txt" already provides
instructions to users for updating their local submodules.

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-04-26 12:46:27 +02:00
Long Qin b85b20fba4 CryptoPkg/OpensslLib: Update OpenSSL version to 1.1.0h
(https://bugzilla.tianocore.org/show_bug.cgi?id=927)

(V2 Update:
    Removing the wrong "--remote" option from git submodule update
    command in this commit message. Thanks Laszlo's clarification
    to correct this)

Update OpenSSL version to 1.1.0h release (27-Mar-2018) to include the
fix for CVE-2018-0739 issue (Handling of crafted recursive ASN.1
structures can cause a stack overflow and resulting denial of service,
Refer to https://www.openssl.org/news/secadv/20180327.txt for more
information).

Please note "git pull" will not update the submodule repository.
use the following commend to make your existing submodule track this
update:
   $ git submodule update --recursive

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2018-04-15 21:08:37 +08:00
Long Qin a701ea0fe1 CryptoPkg/OpensslLib: Fix the documentation about submodule update
This patch is to drop "--remote" option from the original suggested
submodule update command ("$ git submodule update --recursive
--remote") in HOWTO document.

"--remote" option will integrate changes from the upstream subproject
with the submodules's "current HEAD", instead of using the edk2
superproject's "recorded SHA-1".

It is important here for the edk2 consumers to updating the working
tree of the submodules to match the commit / release tag that the
superproject expects. So removing "--remote" option to fix this
documentation issue here.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-04-15 21:07:38 +08:00
Laszlo Ersek 2167c7f7a5 CryptoPkg/TlsLib: rewrite TlsSetCipherList()
Rewrite the TlsSetCipherList() function in order to fix the following
issues:

- Any cipher identifier in CipherId that is not recognized by
  TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED.

  This is a problem because CipherId is an ordered preference list, and a
  caller should not get EFI_UNSUPPORTED just because it has an elaborate
  CipherId preference list. Instead, we can filter out cipher identifiers
  that we don't recognize, as long as we keep the relative order intact.

- CipherString is allocated on the stack, with 500 bytes.

  While processing a large CipherId preference list, this room may not be
  enough. Although no buffer overflow is possible, CipherString exhaustion
  can lead to a failed TLS connection, because any cipher names that don't
  fit on CipherString cannot be negotiated.

  Compute CipherStringSize first, and allocate CipherString dynamically.

- Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString.
  (Assuming there is enough room left in CipherString.) This causes
  OpenSSL to sort the cipher list "in order of encryption algorithm key
  length".

  This is a bad idea. The caller specifically passes an ordered preference
  list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to
  reorder the list, for any reason. Drop "@STRENGTH".

While at it, fix and unify the documentation of the CipherId parameter.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-04-13 14:06:24 +02:00
Laszlo Ersek a347b08973 CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
"InternalTlsLib.h" includes "BaseCryptLib.h", but the lib class is not
listed in the INF file.

The INF file lists a good number of lib classes, but none of the lib class
headers are included by "InternalTlsLib.h".

Synchronize & sort both lists, while removing those library classes that
aren't actually needed. (IntrinsicLib and OpensslLib have no edk2 class
headers.)

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-04-13 14:06:21 +02:00
Laszlo Ersek 96015d5fc5 CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable
In the next patches, we'll need the lengths of the
TLS_CIPHER_MAPPING.OpensslCipher string fields. These lengths can be
computed at build time; add the new field "OpensslCipherLength", and
introduce the MAP() macro for populating it.

While at it, add some horizontal whitespace to "TlsCipherMappingTable",
and add a comma after the last element. This will come handy in a later
patch.

(The patch does not change the first two columns of
"TlsCipherMappingTable", which can be easily verified with "git show
--word-diff".)

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-04-13 14:06:19 +02:00
Laszlo Ersek 5eadb54e26 CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function
Improve the performance of the TlsGetCipherMapping() function by adopting
the binary search from DhcpFindOptionFormat()
[MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c].

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-04-13 14:06:16 +02:00
Laszlo Ersek ecfd37ba1b CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping()
In the following patches it will be useful if the IANA CipherId lookup
returns a pointer to the whole matching IANA-to-OpenSSL mapping structure,
not just the OpenSSL cipher suite name. Rename TLS_CIPHER_PAIR and
TlsGetCipherString() to TLS_CIPHER_MAPPING and TlsGetCipherMapping()
respectively, and make the function return a pointer to
TLS_CIPHER_MAPPING.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2018-04-13 14:06:14 +02:00
Long Qin cd9349ac53 CryptoPkg: Update package version to 0.98
Update package version of CryptoPkg to 0.98.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2018-01-23 08:56:27 +08:00
Long Qin ab187ae25a CryptoPkg/BaseCryptLib: Add error handling for time() wrapper
In time() wrapper implementation, the gRT->GetTime() call may be not
available. This patch adds the extra error handling to avoid the
potential dead loop.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-01-22 14:28:15 +08:00
Heyi Guo 1dbd423fbb CryptoPkg/OpensslLib: ignore uninitialized warning
We also got maybe-uninitialized warning when building OpensslLib.inf
with GCC48 for ARM and AARCH64, so add -Wno-error=maybe-uninitialized
build option just as other platforms.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Heyi Guo <heyi.guo@linaro.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
2018-01-18 16:22:14 +08:00
Long Qin 0c1ffb9504 CryptoPkg: Adding OpenSSL as one submodule of EDKII repo
A submodule allows to keep another Git repository in a subdirectory
of main repository. The submodule repository has its own history, which
does not interfere with the history of the current repository. This can
be used to have external dependencies such as third party libraries.

After the extra patch for EDKII-OpenSSL build was removed, OpenSSL can
be one typical submodule use case in EDKII project. This patch adds the
openssl git repository into EDKII project as one submodule.

One .gitmodules file will be generated with the submodule info:
    [submodule "CryptoPkg/Library/OpensslLib/openssl"]
            path = CryptoPkg/Library/OpensslLib/openssl
            url = https://github.com/openssl/openssl

The user can use the following command to clone both main EDKII repo and
openssl submodule:
   1) Add the "--recursive" flag to their git clone command:
      $ git clone --recursive https://github.com/tianocore/edk2
or 2) Manually initialize and the submodules after the clone operation:
      $ git clone https://github.com/tianocore/edk2
      $ git submodule update -–init -–recursive

For Pull operations, "git pull" will not update the submodule repository.
So the following combined commands can be used to pull the remote submodule
updates (e.g. Updating to new supported OpenSSL release)
  $ git pull –-recurse-submodules && \
    git submodule update -–recursive --remote

Cc: Ye Ting <ting.ye@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-01-18 14:06:15 +08:00
Zhang, Chao B 2067d9f8bf CrptoPkg/BaseCryptLib: Fix type mismatch when calling OpenSSL function
Type definition in UEFI & OpeenSSL is different. Sometime it could cause
write overflow. Should use same data type when accessing the same region

Cc: Long Qin <qin.long@intel.com>
Cc: Chen Chen <chen.a.chen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-01-15 16:39:52 +08:00
Long Qin 228e4f4706 CryptoPkg/OpensslLib: Suppress format warning with extra flag.
Under a certain [outdated] GCC482 compiler, the new-added "-Wno-format"
flag will not take effect, and break the x86_64 build.
This is one known issue in some Ubuntu/GCC-4.8.2 environment, which will
overwrite "-Wno-format" with some default setting.  see more information
and discussion from:
  https://gcc.gnu.org/ml/gcc-help/2014-03/msg00003.html
  https://wiki.ubuntu.com/ToolChain/CompilerFlags
This patch adds one extra "-Wno-error=format" for gcc x86_64 builds to
suppress this warning.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-01-15 14:24:27 +08:00
Ard Biesheuvel c24d664dca CryptoPkg/OpensslLib AARCH64: disable rather than demote format warning
We recently added -Wno-error=format to the OpenSslLib build script to
work around an issue in the upstream OpenSSL code. This does not inhibit
the warning, but prevents it from breaking the build by not treating it
as a fatal error.

Unfortunately, this interacts poorly with the -Wno-unused-const-variable
option that we added to GCC49 and later. Those versions of GCC ignore
-Wno-xxxx options that they don't understand, unless warnings are emitted
for another reason, in which case the warning is emitted after all, and
in our case, this breaks the build when the non-fatal format warning is
emitted.

CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c: In function 'uint64_print':
CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c:105:32: warning: format '%ld' expects argument of type 'long int', but argument 3 has type 'int64_t {aka long long int}' [-Wformat=]
         return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval);
                                ^
CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c:106:28: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
     return BIO_printf(out, "%"BIO_PRI64"u\n", **(uint64_t **)pval);
                            ^
CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c: At top level:
cc1: error: unrecognized command line option '-Wno-unused-const-variable' [-Werror]
cc1: all warnings being treated as errors

So replace -Wno-error=format with -Wno-format to suppress the warning
entirely.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-27 10:00:19 +00:00
Ard Biesheuvel 08ba82934e CryptoPkg/OpensslLib AARCH64: suppress format string warning
On GCC Build: openssl-1.1.0g introduced one additional build warning:
 ...\openssl\crypto\asn1\x_int64.c:105:32: error: format '%ld' expects
     argument of type 'long int', but argument 3 has type 'int64_t
     {aka long long int}' [-Werror=format=]
 return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval);
                             ^
Add "-Wno-error=format" to GCC build flags to suppress this warning,
since we have no real printf usage in BaseCryptLib, and BIO_printf()
was already wrapped as a dummy implementation in CryptoPkg.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-27 08:54:06 +00:00
Long Qin 4a75acbed3 CryptoPkg: Remove Cryptest Application from CryptoPkg
BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=819
Remove Cryptest application from CryptoPkg, which was only for
unit test.

Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-12-27 02:32:13 +08:00
Long Qin dce03c46aa CryptoPkg/OpensslLib: Update OpenSSL version to 1.1.0g
Update the supported OpenSSL version to the latest 1.1.0g (02-Nov-2017).
The changes includes:
 - Re-generate the OpensslLib[crypto].inf using process_files.pl script
   to reflect the openssl source changes.
 - Update OpenSSL-HOWTO.txt
 - On Visual Studio Build: adding "/wd4819" to disable one addition build
   warning issue, which was already fixed in OpenSSL-HEAD
   https://github.com/openssl/openssl/pull/4691.
 - On GCC Build: openssl-1.1.0g introduced one additional build warning:
    ...\openssl\crypto\asn1\x_int64.c:105:32: error: format '%ld' expects
        argument of type 'long int', but argument 3 has type 'int64_t
        {aka long long int}' [-Werror=format=]
    return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval);
                                ^
    Adding "-Wno-error=format" to GCC build flag to suppress this warning,
    since we have no real printf usage in BaseCryptLib, and BIO_printf()
    was already wrappered as the dummy implementation in CryptoPkg.

Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-12-27 02:18:08 +08:00
Jiaxin Wu 9c14f76bae CryptoPkg/TlsLib: Add some parameter check and clarification.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-22 15:50:37 +08:00
Gary Lin 108ff4a04b CryptoPkg/IntrinsicLib: Fix the warning on memset
Gcc issued the warning when compiling CryptoPkg:

CryptoPkg/Library/Include/CrtLibSupport.h:135:17: warning: type of 'memset' does not match original declaration [-Wlto-type-mismatch]
 void           *memset     (void *, int, size_t);
                 ^
CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c:27:8: note: type mismatch in parameter 2
 void * memset (void *dest, char ch, size_t count)
        ^

This commit changes the type of ch from char to int to match the
declaration.

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-11-24 16:36:29 +08:00
Jiaxin Wu 0878771f0c CryptoPkg/TlsLib: Change the return type of TlsInitialize().
V2:
* Correct the commit log.

Currently, the return code of OPENSSL_init_ssl(0 or 1) and RandomSeed
(TRUE or FALSE) are not checked in TlsInitialize(). Also "VOID" is used
as the return type of TlsInitialize(), which can't be used to capture
the returned value for error handling.

From Long Qin (CryptoPkg owner):
The early version of OPENSSL_init_ssl() use the "VOID" as the return
value, which was updated to "int" later because the function changes
can fail.

So, this patch is to change the return type of TlsInitialize() to
follow up the OPENSSL_init_ssl() update.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-11-24 08:46:20 +08:00
chenc2 3702637a52 CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack
The parameter CertStack of Pkcs7GetSigners will return all embedded X.509
certificate in one given PKCS7 signature. The format is:
//
// UINT8  CertNumber;
// UINT32 Cert1Length;
// UINT8  Cert1[];
// UINT32 Cert2Length;
// UINT8  Cert2[];
// ...
// UINT32 CertnLength;
// UINT8  Certn[];
//
Add EFI_CERT_STACK and EFI_CERT_DATA structure, these two C-structure are
used for parsing CertStack more clearly.

Cc: Long Qin <qin.long@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
2017-11-07 22:06:48 +08:00
Long Qin 6fe575d052 CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/free
The malloc/free (instead of AllocatePool/FreePool) were used directly
in some wrapper implementations, which was designed to leverage the
light-weight memory management routines at Runtime phase.
The malloc/free and AllocatePool/FreePool usages are required to be
matched, after extra memory size info header was introduced in malloc
wrapper.

This patch corrects two memory allocation cases, which requires the
caller to free the buffer with FreePool() outside the function call.

And some comments were also added to clarify the correct memory
release functions if it's the caller's responsibility to free the
memory buffer.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2017-11-06 14:51:39 +08:00
Long Qin cf8197a39d CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
There is one long-standing problem in CRT realloc wrapper, which will
cause the obvious buffer overflow issue when re-allocating one bigger
memory block:
    void *realloc (void *ptr, size_t size)
    {
      //
      // BUG: hardcode OldSize == size! We have no any knowledge about
      // memory size of original pointer ptr.
      //
      return ReallocatePool ((UINTN) size, (UINTN) size, ptr);
    }
This patch introduces one extra header to record the memory buffer size
information when allocating memory block from malloc routine, and re-wrap
the realloc() and free() routines to remove this BUG.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Validated-by: Jian J Wang <jian.j.wang@intel.com>
2017-11-06 14:50:17 +08:00
Peter Jones b5a985ca92 CryptoPkg/BaseCryptLib: remove some duplicate initializations.
clang-analyzer noticed this:

Pk/CryptPkcs7Verify.c:600:5: warning: Value stored to 'OldSize' is never read
    OldSize    = BufferSize;
    ^            ~~~~~~~~~~
Pk/CryptPkcs7Verify.c:644:5: warning: Value stored to 'OldSize' is never read
    OldSize    = BufferSize;
    ^            ~~~~~~~~~~
2 warnings generated.

These are each immediately followed by a loop that initializes them (to
the same values) a second time, and are otherwise only referenced inside
that loop, so there's just no point to these assignments at all.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-10-24 15:20:22 +08:00
Qin Long 5b7c224505 CryptoPkg: Add new API to retrieve commonName of X.509 certificate
v3: Add extra CommonNameSize check since OpenSSL didn't check this
    input parameter. (One openssl issue was filed to address this risk:
    https://github.com/openssl/openssl/issues/4392)
v2: Update function interface to return RETURN_STATUS to represent
    different error cases.

Add one new API (X509GetCommonName()) to retrieve the subject commonName
string from one X.509 certificate.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2017-09-25 00:06:41 +08:00
Michael D Kinney 2a98de0344 edk2: Move License.txt file to root
https://bugzilla.tianocore.org/show_bug.cgi?id=642

Add top level License.txt file with the BSD 2-Clause
License that is used by the majority of the EKD II open
source project content.  Merge copyright statements
from the BSD 2-Clause License files in each package
directory and remove the duplication License.txt
file from package directories.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Andrew Fish <afish@apple.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-03 11:02:17 -07:00
Michael D Kinney bbdd3bad1b edk2: Move TianoCore Contribution Agreement to root
https://bugzilla.tianocore.org/show_bug.cgi?id=629

Move Contributions.txt that contains the TianoCore
Contribution Agreement 1.0 to the root of the edk2
repository and remove the duplicate Contributions.txt
files from all packages.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Andrew Fish <afish@apple.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-03 11:01:53 -07:00
Jiaxin Wu 6aac2db4a1 CryptoPkg/TlsLib: Remove the redundant free of BIO objects
TLS BIO objects (InBio/OutBio) will be freed by SSL_free() function.
So, the following free operation (BIO_free) in TlsFree is redundant.
It can be removed directly.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2017-08-02 15:31:46 +08:00
Ard Biesheuvel e38eb2595b CryptoPkg/OpensslLib AARCH64: clear XIP CC flags
Commit 0df6c8c157 ("BaseTools/tools_def AARCH64: avoid SIMD registers
in XIP code") updated the compiler flags used by AARCH64 when building
modules (including BASE libraries) that may execute before the MMU is
enabled.

This broke the build for OpensslLib/OpensslLibCrypto because the SIMD
register file is shared with the FPU, and since OpenSSL contains some
references to float/double types (which are mostly unused for UEFI btw),
disabling floating point prevents the compiler from building OpenSSL
at all. So for OpensslLib[Crypto], we need to override the XIP CC flags,
to remove the -mgeneral-regs-only compiler flag again.

When introducing the support for XIP CC flags, we were aware that this
would affect BASE libraries as well, but were not expecting this to
have any performance impact. However, in the case of software crypto,
it makes sense not to needlessly inhibit the compiler's ability to
generate fast code, and even if OpenssLib is a BASE library, it is
guaranteed not to run with the MMU off. So omit -mstrict-align from the
local XIP CC flags override as well.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-07-15 13:36:58 +01:00
Long Qin a9fb7b7803 CryptoPkg/BaseCryptLib: Add NULL pointer checks in DH and P7Verify
Add more NULL pointer checks before using them in DhGenerateKey and
Pkcs7GetCertificatesList functions to eliminate possible dereferenced
pointer issue.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-05-22 08:57:48 +08:00
Long Qin b5a9dc8beb CryptoPkg: Update package version to 0.97
Update package version of CryptoPkg to 0.97.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-05-05 11:29:22 +08:00
Long Qin 25942a4026 CryptoPkg/SmmCryptLib: Enable HMAC-SHA256 support for SMM.
Enable HMAC-SHA256 cipher support in SmmCryptLib instance.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-05-02 08:59:57 +08:00
Long Qin 0c9fc4b167 CryptoPkg: Correct some minor issues in function comments
Correct some minor comment issues in BaseCryptLib.h and
CryptPkcs7Verify.c, including:
  - missed "out" in parameter property for ARC4 interfaces;
  - Wrong Comment tail in Pkcs7GetAttachedContent function

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-04-14 16:40:04 +08:00
Liming Gao 00b6bbd958 CryptoPkg IntrinsicLib: Remove GCC -fno-builtin option
GCC -fno-builtin option is added into tools_def.template at
90defe7198.
So, there is no need to set it in module INF file.

Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-04-07 15:15:58 +08:00
Qin Long 7c410b3d41 CryptoPkg/BaseCryptLib: Adding NULL checking in time() wrapper.
There are some explicit time(NULL) calls in openssl-1.1.0xx source,
but the dummy time() wrapper in ConstantTimeClock.c (used by PEI
and SMM module) has no any checks on NULL parameter. This is one bug
and will cause the memory access issue.
This patch adds the NULL parameter checking in time() wrapper.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07 00:28:56 +08:00
Qin Long 5d7a1d63c0 CryptoPkg: Fix possible unresolved external symbol issue.
The compiler (visual studio) may optimize some explicit strcmp call
in openssl source to use the intrinsic memcmp call.
In CrtLibSupport.h, we just use #define to mapping memcmp to
CompareMem API. So in Link phase, this kind of intrinsic optimization
will cause the "unresolved external symbol" error. For example:
    OpensslLib.lib(v3_utl.obj) : error LNK2001:
                               unresolved external symbol _memcmp

This patch will keep the memcmp mapping, and provide extra Intrinsic
memcmp wrapper to satisfy the symbol link.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07 00:27:34 +08:00
Qin Long 81bec7aa52 CryptoPkg/OpensslLib: Suppress extra build warnings in openssl source
(Need further follow-ups as described in
    https://bugzilla.tianocore.org/show_bug.cgi?id=455)

This patch added some extra build options to suppress possible warnings
when building openssl source under GCC48 and VS2010. Including:

Adding "-Wno-error=maybe-uninitialized" to suppress the following GCC48
build warning:
  OpensslLib/openssl/ssl/statem/statem_clnt.c:2543:9: error: "len" may
     be used uninitialized in this function [-Werror=maybe-uninitialized]
       len += pskhdrlen;
           ^

And adding "/wd4306" to suppress the following VS2010 build warning:
  openssl\crypto\asn1\tasn_dec.c(795) : warning C4306: 'type cast' :
               conversion from 'int' to 'ASN1_VALUE *' of greater size

Cc: Ting Ye <ting.ye@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07 00:24:16 +08:00
Long Qin abc4c8173d CryptoPkg: Move openssl and CRT headers to private include section
Moving the header files for openssl and CRT wrappers to the private
include section, since these files should be referenced by CryptoPkg
internally. This update was supported by new [Includes.Common.Private]
setting in Package DEC file.
The external consumer modules should only use the interfaces defined
in BaseCryptLib.h to access crypto functions. This change will be
helpful to immediately detect any illegal direct reference to internal
openssl headers.
The Perl script "process_files.pl" was also updated to reflect the new
private include path.

Cc: Gao Liming <liming.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-04-07 00:22:07 +08:00
Hao Wu 264702a04b CryptoPkg: Convert files to CRLF line ending
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-04-06 15:42:34 +08:00
Qin Long f663ed8a32 CryptoPkg/BaseCryptLib: Fix Build Warning issue in PEI Module
The memory free operation is empty function in PEI. The compiler
optimization will bring the build warning in openssl/crypto/mem.c:
      warning C4718: 'CRYPTO_free': recursive call has no side
                     effects, deleting
This patch uses '/wd4718' to silence the build warning for PEI
module building.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-03-30 16:00:51 +08:00
Qin Long 113581e6f3 CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes.
This patch update the wrapper implementation in TlsLib to align
with the latest OpenSSL-1.1.0xx API changes.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-03-29 16:19:55 +08:00
Qin Long f56b11d2cd CryptoPkg: Update PK Cipher Wrappers work with opaque objects.
OpenSSL-1.1.xx makes most data structures opaque.
This patch updates Public Key Cipher Wrapper implementations in
BaseCryptLib to use the accessor APIs for opaque object access.
The impacted interfaces includes RSA, DH, X509, PKCS7, etc.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
2017-03-29 16:18:32 +08:00
Qin Long 4c27024399 CryptoPkg: Update HMAC Wrapper with opaque HMAC_CTX object.
OpenSSL-1.1.xx makes most data structures opaque.
This patch updated HMAC Wrapper implementation with opaque
HMAC_CTX object.
The HmacXXGetContextSize() is marked as deprecated, and updated
to use the fixed HMAC_CTX size, which is just kept for compatibility.
New APIs (HmacXXNew(), HmacXXFree()) were added  as the recommended
HMAC_CTX usage interfaces for HMAC-XXXX operations.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29 16:17:24 +08:00
Qin Long ec7ad9e103 CryptoPkg: Add extra build option to disable VS build warning
openssl/include/openssl/lhash.h will bring C4090 build warning
issue, which is one known issue for OpenSSL under Visual Studio
toolchain.
Refer to https://github.com/openssl/openssl/issues/2214 for more
discussions against this.
Use /wd4090 to silence this build warning until OpenSSL fix this.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-03-29 16:15:19 +08:00
Qin Long fc9fa685d6 CryptoPkg: Clean-up CRT Library Wrapper.
Cleaning-up CRT Library Wrapper for the third-party cryptography
library building. The changes includes
1. Rename OpenSslSupport.h to CrtLibSupport.h for future alternative
   crypto provider support.
2. Remove all un-referenced CRT APIs and headers.

(NOTE: More cleans-up could be possible after OpenSSL integrate the
      extra PR request: https://github.com/openssl/openssl/pull/2961)

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
2017-03-29 16:13:58 +08:00
Qin Long 420e508397 CryptoPkg: Fix handling of &strcmp function pointers
In a couple of places, OpenSSL code uses the address of the
strcmp() function, and assigns it to another comparator function
pointer.

Unfortunately, this falls foul of the inconsistent function ABI
that we use in EDKII. We '#define strcmp AsciiStrCmp' but AsciiStrCmp
is an EFIAPI function with the Microsoft ABI. And we're assigning its
address to a non-EFIAPI function, which may well have a different ABI.

Fix this by providing an actual strcmp() function in the default ABI.
We already *had* a prototype for it in OpenSslSupport.h, which was
then superseded by the #define strcmp AsciiStrCmp.

Now, OpenSSL code *can* use &strcmp without problems.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
2017-03-29 16:12:32 +08:00
Qin Long d2cd3b6830 CryptoPkg/OpensslLib: Add new OpenSSL-HOWTO document.
Add one new OpenSSL-HOWTO.txt to introduce how to clone / download
the latest OpenSSL release source for build.
ALso update buildinf.h to reflect the latest update time.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
2017-03-29 16:10:58 +08:00
Qin Long da9676f89c CryptoPkg/OpensslLib: Add new Perl script for file list generation.
OpenSSL-1.1.0xx configure mechanism was updated with new configdata.
This patch update process_file.sh script to new Perl-based script for
auto generation of file list and openssl config file (opensslconf.h).

This only needs to be done once by a developer when updating to a new
version of OpenSSL (or changing options, etc.). Normal users do not
need to do this, since the results are already stored in the EDK2 git
repository.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29 16:09:28 +08:00
Qin Long 58ce70f7ed CryptoPkg/OpensslLib: Remove patch file and installation scripts.
This patch removes the EDKII-openssl-xxxx.patch, installation scripts,
and Patch-HOWTO.txt which were used for old OpenSSL-1.0.2xx enabling.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29 16:07:44 +08:00
Qin Long 452dc7cb81 CryptoPkg: Update .gitignore for OpenSSL source masking
Updates .gitignore that masks the OpenSSL source:
1. Remove "Include/openssl" from .gitignore since we needn't duplicate
   openssl headers now
2. Update "openssl-*" to "openssl*", since we use "openssl" instead of
   "openssl-x.x.xx" as main source directory.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29 16:05:42 +08:00
Qin Long 2c86774429 CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0x build
Update OpensslLib INF files to support OpenSSL-1.1.0x source build.
The file list was generated from the latest OpenSSL-1.1.0e release.

Main changes to support OpensslLib build in this patch include:
1. Use "openssl" instead of "openssl-x.x.xx" as main source directory,
   Also update include path in CryptoPkg.dec
2. Enable warnings in GCC builds;
3. Update Visual Studio build options to silence current possible build
   warnings.
4. Move the default opensslconf.h to Include/openssl, and add one dummy
   dso_conf.h for native UEFI build.

The OpensslLib module build was validated as
  build -t VSXXXX -a XX -p CryptoPkg/CryptoPkg.dsc
        -m CryptoPkg/Library/OpensslLib/OpensslLib.inf

(NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect
       further optimizations from community)

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
2017-03-29 16:03:41 +08:00
Jiewen Yao 7e1bc8cdb3 CryptoPkg:SmmCryptLib: Add real Pkcs5Pbkdf2.c.
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-03-15 21:50:52 +08:00
Hao Wu 6e4489d812 CryptoPkg: Refine type cast for pointer subtraction
For pointer subtraction, the result is of type "ptrdiff_t". According to
the C11 standard (Committee Draft - April 12, 2011):

"When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object; the
result is the difference of the subscripts of the two array elements. The
size of the result is implementation-defined, and its type (a signed
integer type) is ptrdiff_t defined in the <stddef.h> header. If the result
is not representable in an object of that type, the behavior is
undefined."

In our codes, there are cases that the pointer subtraction is not
performed by pointers to elements of the same array object. This might
lead to potential issues, since the behavior is undefined according to C11
standard.

Also, since the size of type "ptrdiff_t" is implementation-defined. Some
static code checkers may warn that the pointer subtraction might underflow
first and then being cast to a bigger size. For example:

UINT8  *Ptr1, *Ptr2;
UINTN  PtrDiff;
...
PtrDiff = (UINTN) (Ptr1 - Ptr2);

The commit will refine the pointer subtraction expressions by casting each
pointer to UINTN first and then perform the subtraction:

PtrDiff = (UINTN) Ptr1 - (UINTN) Ptr2;

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-03-06 14:14:29 +08:00
Qin Long 14e3b94964 CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
v2:
Re-generate the patch after the new OpensslLibCrypto instance.

OpenSSL 1.0.2k was released with several severity fixes at
26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2k.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-02-28 08:48:06 +08:00
Laszlo Ersek 823005621e CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.

If a platform doesn't include the TLS modules, such as

- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf

then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".

Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).

This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.

"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.

"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.

"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25 14:55:55 +01:00
Laszlo Ersek 4e719ab5d1 CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".

However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
  removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".

Refresh these files, completing commit 32387e0081.

I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25 14:55:10 +01:00
Jiaxin Wu 9fba84ac6e CryptoPkg/TlsLib: Refine the coding style.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2017-01-06 11:59:43 +08:00
Jiaxin Wu 9396cdfeaa CryptoPkg: Add new TlsLib library
v2:
* Code refine and Typo fix:
TlsHandeAlert -> TlsHandleAlert

This patch is used to add new TlsLib library, which is wrapped
over OpenSSL. The implementation provides TLS library functions
for EFI TLS protocol and EFI TLS Configuration Protocol.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Cc: Thomas Palmer <thomas.palmer@hpe.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-12-22 20:33:22 +08:00
Jiaxin Wu 32387e0081 CryptoPkg: Enable ssl build in OpensslLib directly
This patch is used to enable ssl build in OpensslLib module
directly.

Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Cc: Thomas Palmer <thomas.palmer@hpe.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Tested-by: Wu Jiaxin <jiaxin.wu@intel.com>
2016-12-22 20:33:15 +08:00
Dandan Bi 68ae7cd66b CryptoPkg/BaseCryptLib: Make comments consistent with the function
Correct the unaligned parameter names in comments (BaseCryptLib.h and
HMAC-SHA256 wrapper implementation)

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-11 13:46:04 +08:00
Gary Lin 2998af8624 CryptoPkg: Fix typos in comments
- intialized -> initialized
- componenet -> component
- compoents -> components
- FAlSE -> FALSE
- responsiblity -> responsibility
- validility -> validity
- procudure -> procedure
- pamameter -> parameter
- randome -> random
- buiild -> build

Cc: Ting Ye <ting.ye@intel.com>
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-07 23:21:22 +08:00
Qin Long a8f37449c7 CryptoPkg: Add PKCS5 PBKDF2 interface for password derivation.
Add one new API (Pkcs5HashPassword) to provide PKCS#5 v2.0 PBKDF2
support (Password based encryption key derivation function, specified
in RFC 2898).
Also update the Cryptest utility to include the new API testing (with
the test vector from RFC6070).

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:19:01 +08:00
Qin Long 72009c626d CryptoPkg: Add HMAC-SHA256 cipher support
Add new HMAC-SHA256 cipher support in CryptoPkg to meet more security
and industry requirements,

and update Cryptest utility to include new HMAC-SHA256 test case.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:17:21 +08:00
Qin Long b7d1ba0a8a CryptoPkg: Add xxxxHashAll APIs to facilitate the digest computation
Add new xxxxHashAll APIs to facilitate the digest computation of blob
data. New APIs include: Md4HashAll(), Md5HashAll(), Sha1HashAll(),
Sha256HashAll(), Sha384HashAll(), and Sha512HashAll().

The corresponding test cases were added in Cryptest utility.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:16:10 +08:00
Qin Long dab62c5ec8 CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available
with several severity fixes at 22-Sep-2016 and 26-Sep-2016.
Refer to
https://www.openssl.org/news/secadv/20160922.txt and
https://www.openssl.org/news/secadv/20160926.txt.
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2j.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-09-30 09:18:45 +08:00
Qin Long 558311c94a CryptoPkg: Clean up unreferenced symbol in Cryptest utility.
Remove "TSCounterSignature" from TSVerify.c, which is not being
used by anyone.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-09-21 16:40:19 +08:00
Thomas Huth 210abffdca CryptoPkg: Fix "responsiblity" typos
It's "responsibility", not "responsiblity".

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11 15:21:49 +08:00
Thomas Huth 34a4babec8 CryptoPkg: Fix capitalization of path name in Patch-HOWTO.txt
It's "OpensslLib", not "OpenSslLib" - not a big issue, but the
typo is annoying when trying to copy-n-paste the path name to
use it on the command line on Linux.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11 15:21:30 +08:00
Liming Gao cbe09e3121 CryptoPkg IntrinsicLib: Add the missing nasm source file
Add two name files IntrinsicLib Ia32 MathLShiftS64.nasm and MathRShiftU64.nasm

Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-08-11 10:08:32 +08:00
Hao Wu 5c8075fce3 CryptoPkg DSC: Add build option to disable deprecated APIs
Add the following definition in the [BuildOptions] section in package DSC
files to disable APIs that are deprecated:

[BuildOptions]
  *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-08-08 11:00:13 +08:00
Ard Biesheuvel 17ab1ec5ac MdePkg CryptoPkg EdkCompatibilityPkg: retire NO_BUILTIN_VA_FUNCS define
This is never set anymore, so unsetting it or testing whether it is unset
no longer makes any sense.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-By: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-21 13:32:09 +02:00
Ard Biesheuvel b2dc04a87f CryptoPkg: set new define to avoid MS ABI VA_LIST on GCC/X64
Set the #define NO_MSABI_VA_FUNCS that will be introduced in a subsequent
patch to avoid the use of the MS ABI in variadic functions. In EDK2, such
functions normally require the EFIAPI modifier to be used, but for external
libraries such as OpenSSL, which lack these annotations, it is easier to
simply revert to the default SysV style VA_LIST ABI.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-By: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-21 13:32:09 +02:00
Qin Long 8ff7187cfd CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2h
OpenSSL 1.0.2h was released with several severity fixes at
03-May-2016 (https://www.openssl.org/news/secadv/20160503.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2h.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-07-20 16:09:58 +08:00
Hao Wu 07cae06597 CryptoPkg BaseCryptLib: Init the content of struct 'CertCtx' before use
Some fields in structure 'CertCtx' might be used uninitialized in function
Pkcs7GetCertificatesList().

This commit makes sure that 'CertCtx' gets initialized before being used.

Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-07-12 08:53:19 +08:00
Hao Wu 8824c6144c CryptoPkg BaseCryptLib: Avoid passing NULL ptr to function BN_bn2bin()
This commit modifies the code logic to avoid passing NULL pointer to
function BN_bn2bin().

Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-12 08:53:19 +08:00
Giri P Mudusuru ab6cee31e7 CryptoPkg: Fix typos in comments
- availabe to available

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Giri P Mudusuru <giri.p.mudusuru@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-11 10:29:46 +08:00
Eugene Cohen 179bcd31f3 CryptoPkg: update openssl to ignore RVCT 3079
Getting openssl 1.0.2g building with ARM RVCT requires a change to
ignore an unset variable used before set was necessary.
(NOTE: This was fixed in OpenSSL 1.1 HEAD with commit
       d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.)

corrects x509_vfy.c(875): error C3017: ok may be used before being set

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eugene Cohen <eugene@hp.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-08 15:56:50 +08:00
Qin Long bfba88bc68 CryptoPkg/SmmCryptLib: Enable AES support for SMM.
Enable AES cipher support for SmmCryptLib instance.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-05-16 10:49:21 +08:00
Jiaxin Wu 5e2318dd37 CryptoPkg: Fix the potential system hang issue
This patch is used to fix the potential system hang
caused by the NULL 'time' parameter usage.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-15 09:04:20 +08:00
Qin Long ec3a1a11dc CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2g
OpenSSL 1.0.2g was released with several severity fixes at
01-Mar-2016(https://www.openssl.org/news/secadv/20160301.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2g.
(NOTE: RT4175 from David Woodhouse was included in 1.0.2g. The
       new-generated patch will remove this part. And the line
       endings were still kept as before in this version for
       consistency)

CC: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-11 13:57:18 -08:00
David Woodhouse f6326d1fba CryptoPkg/OpensslLib: Convert saved opensslconf.h to DOS line endings
Until we fix the git repository to store line endings properly and then
just check them out in the appropriate form for the platform, let's make
process_files.sh convert the opensslconf.h to DOS line endings when it
creates it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-03-11 13:16:51 -08:00
David Woodhouse 9353c60cea CryptoPkg/OpensslLib: Fix CRLF breakage in process_files.sh
This got broken in committing, due to a catalogue of broken practices.

Firstly, we should *pull* git submissions, never recommit them. You
preserve the correct history then, and don't risk rebasing to result in
a history which *never* worked in the form that gets preserved.

That would have kept the authorship attrbution correct too.

Secondly, we shouldn't be storing CRLF line endings in the objects that
git stores in its database. It is designed to store simple LF line endings,
and then check that out as appropriate for the system (resulting in CRLF
in the working tree for Windows users, as they expect). That would avoid
this problem, and all the other problems we have with patches being
exchanged.

Make it executable too, which also got lost in the commit mess.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-05 16:48:21 +00:00
Qin Long f949616754 CryptoPkg/OpensslLib: Automatically configure OpenSSL and generate file list
OpenSSL 1.1 (as well as our backport to 1.0.2) now allows us to run its
standard Configure script and import the result into the EDK II source
repository for others to build natively. The opensslconf.h file and the
list of files in OpensslLib.inf don't need to be managed manually.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:45:59 +08:00
Qin Long 42d6834267 CryptoPkg/OpensslLib: Fix OpenSSL link failures on Windows (RT#4310)
This is pull request #755 for OpenSSL 1.1, along with a little extra fix
in the RSA_NET code which has been removed from 1.1 so we can't fix it
there.

https://github.com/openssl/openssl/pull/755

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:44:40 +08:00
Qin Long 65213f2955 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3969
Support for the UEFI target has been added to OpenSSL in commit 4d60c7e10.

Drop our partial implementation and use a backported version of what's
upstream. This includes a couple of fixes which will be needed when we
automatically generate the file list and opensslconf.h instead of
manually maintaining those.

This includes the subsequent fix in commit fb4844bbc.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:43:21 +08:00
Qin Long a62a7cc7f9 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3992
Instead of commenting out the Signed Certificate Timestamps purely based
on the OPENSSL_SYS_UEFI flag, OpenSSL 1.1 supports a no-sct configuration
option, added in commit 05d7bf6c5. Drop our own hack and use that.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:42:24 +08:00
Qin Long e94546e77b CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3951
A more complete implementation of the X509_V_FLAG_NO_CHECK_TIME flag was
added to OpenSSL 1.1 as commit d35ff2c0a. Drop our own version and use a
backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:41:31 +08:00
Qin Long f0e3cd1927 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3674
A more complete fix for the no-cms configuration has been added to
OpenSSL 1.1 as commit e968561d5. Drop our own version and use a
backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:40:40 +08:00
Qin Long b9dbddd88a CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3955
A different fix for the excessive stack usage has been merged into
OpenSSL 1.1 as commit 8e704858f. Drop our own version and use a backport
of what was committed upstream.

Note: This requires the free() function to work correctly when passed
      a NULL argument (qv).

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:39:47 +08:00