Commit Graph

166 Commits

Author SHA1 Message Date
Jiewen Yao 7e1bc8cdb3 CryptoPkg:SmmCryptLib: Add real Pkcs5Pbkdf2.c.
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-03-15 21:50:52 +08:00
Hao Wu 6e4489d812 CryptoPkg: Refine type cast for pointer subtraction
For pointer subtraction, the result is of type "ptrdiff_t". According to
the C11 standard (Committee Draft - April 12, 2011):

"When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object; the
result is the difference of the subscripts of the two array elements. The
size of the result is implementation-defined, and its type (a signed
integer type) is ptrdiff_t defined in the <stddef.h> header. If the result
is not representable in an object of that type, the behavior is
undefined."

In our codes, there are cases that the pointer subtraction is not
performed by pointers to elements of the same array object. This might
lead to potential issues, since the behavior is undefined according to C11
standard.

Also, since the size of type "ptrdiff_t" is implementation-defined. Some
static code checkers may warn that the pointer subtraction might underflow
first and then being cast to a bigger size. For example:

UINT8  *Ptr1, *Ptr2;
UINTN  PtrDiff;
...
PtrDiff = (UINTN) (Ptr1 - Ptr2);

The commit will refine the pointer subtraction expressions by casting each
pointer to UINTN first and then perform the subtraction:

PtrDiff = (UINTN) Ptr1 - (UINTN) Ptr2;

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-03-06 14:14:29 +08:00
Qin Long 14e3b94964 CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
v2:
Re-generate the patch after the new OpensslLibCrypto instance.

OpenSSL 1.0.2k was released with several severity fixes at
26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2k.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-02-28 08:48:06 +08:00
Laszlo Ersek 823005621e CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.

If a platform doesn't include the TLS modules, such as

- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf

then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".

Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).

This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.

"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.

"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.

"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25 14:55:55 +01:00
Laszlo Ersek 4e719ab5d1 CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".

However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
  removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".

Refresh these files, completing commit 32387e0081.

I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25 14:55:10 +01:00
Jiaxin Wu 9fba84ac6e CryptoPkg/TlsLib: Refine the coding style.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2017-01-06 11:59:43 +08:00
Jiaxin Wu 9396cdfeaa CryptoPkg: Add new TlsLib library
v2:
* Code refine and Typo fix:
TlsHandeAlert -> TlsHandleAlert

This patch is used to add new TlsLib library, which is wrapped
over OpenSSL. The implementation provides TLS library functions
for EFI TLS protocol and EFI TLS Configuration Protocol.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Cc: Thomas Palmer <thomas.palmer@hpe.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-12-22 20:33:22 +08:00
Jiaxin Wu 32387e0081 CryptoPkg: Enable ssl build in OpensslLib directly
This patch is used to enable ssl build in OpensslLib module
directly.

Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Cc: Thomas Palmer <thomas.palmer@hpe.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Tested-by: Wu Jiaxin <jiaxin.wu@intel.com>
2016-12-22 20:33:15 +08:00
Dandan Bi 68ae7cd66b CryptoPkg/BaseCryptLib: Make comments consistent with the function
Correct the unaligned parameter names in comments (BaseCryptLib.h and
HMAC-SHA256 wrapper implementation)

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-11 13:46:04 +08:00
Gary Lin 2998af8624 CryptoPkg: Fix typos in comments
- intialized -> initialized
- componenet -> component
- compoents -> components
- FAlSE -> FALSE
- responsiblity -> responsibility
- validility -> validity
- procudure -> procedure
- pamameter -> parameter
- randome -> random
- buiild -> build

Cc: Ting Ye <ting.ye@intel.com>
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-07 23:21:22 +08:00
Qin Long a8f37449c7 CryptoPkg: Add PKCS5 PBKDF2 interface for password derivation.
Add one new API (Pkcs5HashPassword) to provide PKCS#5 v2.0 PBKDF2
support (Password based encryption key derivation function, specified
in RFC 2898).
Also update the Cryptest utility to include the new API testing (with
the test vector from RFC6070).

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:19:01 +08:00
Qin Long 72009c626d CryptoPkg: Add HMAC-SHA256 cipher support
Add new HMAC-SHA256 cipher support in CryptoPkg to meet more security
and industry requirements,

and update Cryptest utility to include new HMAC-SHA256 test case.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:17:21 +08:00
Qin Long b7d1ba0a8a CryptoPkg: Add xxxxHashAll APIs to facilitate the digest computation
Add new xxxxHashAll APIs to facilitate the digest computation of blob
data. New APIs include: Md4HashAll(), Md5HashAll(), Sha1HashAll(),
Sha256HashAll(), Sha384HashAll(), and Sha512HashAll().

The corresponding test cases were added in Cryptest utility.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02 23:16:10 +08:00
Qin Long dab62c5ec8 CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2j
Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available
with several severity fixes at 22-Sep-2016 and 26-Sep-2016.
Refer to
https://www.openssl.org/news/secadv/20160922.txt and
https://www.openssl.org/news/secadv/20160926.txt.
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2j.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-09-30 09:18:45 +08:00
Qin Long 558311c94a CryptoPkg: Clean up unreferenced symbol in Cryptest utility.
Remove "TSCounterSignature" from TSVerify.c, which is not being
used by anyone.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-09-21 16:40:19 +08:00
Thomas Huth 210abffdca CryptoPkg: Fix "responsiblity" typos
It's "responsibility", not "responsiblity".

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11 15:21:49 +08:00
Thomas Huth 34a4babec8 CryptoPkg: Fix capitalization of path name in Patch-HOWTO.txt
It's "OpensslLib", not "OpenSslLib" - not a big issue, but the
typo is annoying when trying to copy-n-paste the path name to
use it on the command line on Linux.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11 15:21:30 +08:00
Liming Gao cbe09e3121 CryptoPkg IntrinsicLib: Add the missing nasm source file
Add two name files IntrinsicLib Ia32 MathLShiftS64.nasm and MathRShiftU64.nasm

Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-08-11 10:08:32 +08:00
Hao Wu 5c8075fce3 CryptoPkg DSC: Add build option to disable deprecated APIs
Add the following definition in the [BuildOptions] section in package DSC
files to disable APIs that are deprecated:

[BuildOptions]
  *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-08-08 11:00:13 +08:00
Ard Biesheuvel 17ab1ec5ac MdePkg CryptoPkg EdkCompatibilityPkg: retire NO_BUILTIN_VA_FUNCS define
This is never set anymore, so unsetting it or testing whether it is unset
no longer makes any sense.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-By: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-21 13:32:09 +02:00
Ard Biesheuvel b2dc04a87f CryptoPkg: set new define to avoid MS ABI VA_LIST on GCC/X64
Set the #define NO_MSABI_VA_FUNCS that will be introduced in a subsequent
patch to avoid the use of the MS ABI in variadic functions. In EDK2, such
functions normally require the EFIAPI modifier to be used, but for external
libraries such as OpenSSL, which lack these annotations, it is easier to
simply revert to the default SysV style VA_LIST ABI.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-By: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-21 13:32:09 +02:00
Qin Long 8ff7187cfd CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2h
OpenSSL 1.0.2h was released with several severity fixes at
03-May-2016 (https://www.openssl.org/news/secadv/20160503.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2h.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-07-20 16:09:58 +08:00
Hao Wu 07cae06597 CryptoPkg BaseCryptLib: Init the content of struct 'CertCtx' before use
Some fields in structure 'CertCtx' might be used uninitialized in function
Pkcs7GetCertificatesList().

This commit makes sure that 'CertCtx' gets initialized before being used.

Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-07-12 08:53:19 +08:00
Hao Wu 8824c6144c CryptoPkg BaseCryptLib: Avoid passing NULL ptr to function BN_bn2bin()
This commit modifies the code logic to avoid passing NULL pointer to
function BN_bn2bin().

Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-12 08:53:19 +08:00
Giri P Mudusuru ab6cee31e7 CryptoPkg: Fix typos in comments
- availabe to available

Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Giri P Mudusuru <giri.p.mudusuru@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-11 10:29:46 +08:00
Eugene Cohen 179bcd31f3 CryptoPkg: update openssl to ignore RVCT 3079
Getting openssl 1.0.2g building with ARM RVCT requires a change to
ignore an unset variable used before set was necessary.
(NOTE: This was fixed in OpenSSL 1.1 HEAD with commit
       d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.)

corrects x509_vfy.c(875): error C3017: ok may be used before being set

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eugene Cohen <eugene@hp.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-07-08 15:56:50 +08:00
Qin Long bfba88bc68 CryptoPkg/SmmCryptLib: Enable AES support for SMM.
Enable AES cipher support for SmmCryptLib instance.

Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-05-16 10:49:21 +08:00
Jiaxin Wu 5e2318dd37 CryptoPkg: Fix the potential system hang issue
This patch is used to fix the potential system hang
caused by the NULL 'time' parameter usage.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-15 09:04:20 +08:00
Qin Long ec3a1a11dc CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2g
OpenSSL 1.0.2g was released with several severity fixes at
01-Mar-2016(https://www.openssl.org/news/secadv/20160301.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2g.
(NOTE: RT4175 from David Woodhouse was included in 1.0.2g. The
       new-generated patch will remove this part. And the line
       endings were still kept as before in this version for
       consistency)

CC: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-11 13:57:18 -08:00
David Woodhouse f6326d1fba CryptoPkg/OpensslLib: Convert saved opensslconf.h to DOS line endings
Until we fix the git repository to store line endings properly and then
just check them out in the appropriate form for the platform, let's make
process_files.sh convert the opensslconf.h to DOS line endings when it
creates it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-03-11 13:16:51 -08:00
David Woodhouse 9353c60cea CryptoPkg/OpensslLib: Fix CRLF breakage in process_files.sh
This got broken in committing, due to a catalogue of broken practices.

Firstly, we should *pull* git submissions, never recommit them. You
preserve the correct history then, and don't risk rebasing to result in
a history which *never* worked in the form that gets preserved.

That would have kept the authorship attrbution correct too.

Secondly, we shouldn't be storing CRLF line endings in the objects that
git stores in its database. It is designed to store simple LF line endings,
and then check that out as appropriate for the system (resulting in CRLF
in the working tree for Windows users, as they expect). That would avoid
this problem, and all the other problems we have with patches being
exchanged.

Make it executable too, which also got lost in the commit mess.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-05 16:48:21 +00:00
Qin Long f949616754 CryptoPkg/OpensslLib: Automatically configure OpenSSL and generate file list
OpenSSL 1.1 (as well as our backport to 1.0.2) now allows us to run its
standard Configure script and import the result into the EDK II source
repository for others to build natively. The opensslconf.h file and the
list of files in OpensslLib.inf don't need to be managed manually.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:45:59 +08:00
Qin Long 42d6834267 CryptoPkg/OpensslLib: Fix OpenSSL link failures on Windows (RT#4310)
This is pull request #755 for OpenSSL 1.1, along with a little extra fix
in the RSA_NET code which has been removed from 1.1 so we can't fix it
there.

https://github.com/openssl/openssl/pull/755

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:44:40 +08:00
Qin Long 65213f2955 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3969
Support for the UEFI target has been added to OpenSSL in commit 4d60c7e10.

Drop our partial implementation and use a backported version of what's
upstream. This includes a couple of fixes which will be needed when we
automatically generate the file list and opensslconf.h instead of
manually maintaining those.

This includes the subsequent fix in commit fb4844bbc.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:43:21 +08:00
Qin Long a62a7cc7f9 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3992
Instead of commenting out the Signed Certificate Timestamps purely based
on the OPENSSL_SYS_UEFI flag, OpenSSL 1.1 supports a no-sct configuration
option, added in commit 05d7bf6c5. Drop our own hack and use that.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:42:24 +08:00
Qin Long e94546e77b CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3951
A more complete implementation of the X509_V_FLAG_NO_CHECK_TIME flag was
added to OpenSSL 1.1 as commit d35ff2c0a. Drop our own version and use a
backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:41:31 +08:00
Qin Long f0e3cd1927 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3674
A more complete fix for the no-cms configuration has been added to
OpenSSL 1.1 as commit e968561d5. Drop our own version and use a
backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:40:40 +08:00
Qin Long b9dbddd88a CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3955
A different fix for the excessive stack usage has been merged into
OpenSSL 1.1 as commit 8e704858f. Drop our own version and use a backport
of what was committed upstream.

Note: This requires the free() function to work correctly when passed
      a NULL argument (qv).

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:39:47 +08:00
Qin Long e578aa19dc CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3628
A complete implementation of the no-filenames configuration option was
added to OpenSSL 1.1 in commit 02f7114a7. Drop our own version and use
a backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:38:51 +08:00
Qin Long ca6fa1fe3b CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3964
Extensive fixes for the no-stdio configuration have been merged into
OpenSSL 1.1, primarily in commit 984d6c605.

The backport to 1.0.2 is slightly different because we still have a
mixture of no-fp-api and no-stdio in 1.0.2, although they are hopelessly
intertwined. Nevertheless, drop our own original version and switch to
a backported version of what went into 1.1.

This includes subsequent fixes in commit c0cf5b84d for the TS code.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:37:42 +08:00
Qin Long 503f6e3888 CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#4175
A different fix for the PKCS7_verify() regression on Authenticode
signatures has landed in the OpenSSL 1.0.2 branch as commit c436c990f
and will be present in the 1.0.2g release.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:36:37 +08:00
Qin Long 3f73ccb37a CryptoPkg/OpensslLib: Regenerate OpenSSL patch
All the OpenSSL changes we carry in our EDKII_openssl patch for 1.0.2
are now merged into upstream OpenSSL and will be in the upcoming 1.1
release.

As a first step towards switching out our original hacks for backported
versions of the commits which were actually accepted into OpenSSL 1.1,
just regenerate the *existing* patch against the 1.0.2f release using
'git diff'.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:35:04 +08:00
Qin Long 259d0e71af CryptoPkg/OpensslLib: Include complete copy of opensslconf.h
This can be an auto-generated file, and it *isn't* in the OpenSSL git tree;
it's only in the generated tarballs. So rather than including it in our
OpenSSL patch, just have the user copy it into place.

This makes it easier to manage changes, and is a step towards better
integration.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:33:59 +08:00
Qin Long 6c56c76c75 CryptoPkg: Use OpenSSL include directory directly
The standard OpenSSL 1.0.2 configuration and build process will already
symlink or copy the necessary header files to the include/openssl/
directory within the OpenSSL source tree.

When we transition to OpenSSL 1.1 it won't even be necessary to link
or copy the files there; they have just been moved outright.

So let's use them from there. Change the include directory specified
in CryptoPkg/CryptoPkg.dec, and modify the Install.cmd and Install.sh
scripts to copy the files to the normal directory within the OpenSSL
source tree, instead of CryptoPkg/Include/openssl/.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
2016-03-05 23:32:55 +08:00
Laszlo Ersek e89d672110 CryptoPkg: RuntimeCryptLib: support realloc(NULL, size)
The ISO C standard says about realloc(),

  If ptr is a null pointer, the realloc function behaves like the malloc
  function for the specified size.

The realloc() implementation doesn't conform to this currently, so add a
check and call malloc() if appropriate.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-25 11:04:31 +01:00
Laszlo Ersek 1246dde58e CryptoPkg: RuntimeCryptLib: support free(NULL)
The ISO C standard says about free(),

  If ptr is a null pointer, no action occurs.

This is not true of the RuntimeFreeMem() internal function. Therefore we
must not forward the argument of free() to RuntimeFreeMem() without
checking.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-25 11:04:28 +01:00
Laszlo Ersek 211372d63a CryptoPkg: BaseCryptLib: support free(NULL)
The ISO C standard says about free(),

  If ptr is a null pointer, no action occurs.

This is not true of the FreePool() interface of the MemoryAllocationLib
class:

  Buffer must have been allocated on a previous call to the pool
  allocation services of the Memory Allocation Library. [...] If Buffer
  was not allocated with a pool allocation function in the Memory
  Allocation Library, then ASSERT().

Therefore we must not forward the argument of free() to FreePool() without
checking.

This bug can be triggered by upstream OpenSSL commit 8e704858f219
("RT3955: Reduce some stack usage"), for example.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-25 11:04:02 +01:00
Qin Long e6b2c99121 CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2f
OpenSSL has released version 1.0.2f with two security fixes
(http://www.openssl.org/news/secadv/20160128.txt) at 28-Jan-2016.
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib
to catch the latest release 1.0.2f.
(NOTE: The patch file was just re-generated, and no new source
       changes was introduced for 1.0.2f enabling)

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-02-23 11:12:51 +08:00
Karyne Mayer 03805fc376 CryptoPkg: Fix function qsort for non 32-bit machines
Although the function qsort receives as an argument a "compare" function
which returns an "int", QuickSortWorker (the function used internally by
qsort to do its job) receives as an argument a "CompareFunction" which
returns an "INTN". In a 32-bit machine, "INTN" is defined as "INT32",
which is defined as "int" and everything works well. However, when qsort
is compiled for a 64-bit machine, "INTN" is defined as "INT64" and the
return values of the compare functions become incompatible ("int" for
qsort and "INT64" for QuickSortWorker), causing malfunction.

For example, let's assume qsort is being compiled for a 64-bit machine.
As stated before, the "compare" function will be returning an "int",
and "CompareFunction" will be returning an "INT64". When, for example,
the "compare" function (which was passed as an argument to qsort and,
then, re-passed as an argument to QuickSortWorker) returns -1 (or
0xffffffff, in a 32-bit integer, its original return type) from inside
a call to QuickSortWorker, its return value is interpreted as being an
"INT64" value - which turns out to be 4294967295 (or 0x00000000ffffffff,
in a 64-bit integer) -, making the function QuickSortWorker to behave
unexpectedly.

Note that this unexpected (or incorrect) conversion does not happen when
casting an "INT32" to an "INT64" directly, but does happen when casting
function types.

The issue is fixed by changing the return type of SORT_COMPARE (the type
of "CompareFunction", used by QuickSortWorker) from "INTN" to "int".
This way, both qsort and QuickSortWorker use compatible definitions for
their compare functions.

Contributed-under: TianoCore Contribution Agreement 1.0
Acked-by: Paulo Alcantara Cavalcanti <paulo.alc.cavalcanti@hp.com>
Signed-off-by: Karyne Mayer <kmayer@hp.com>
Signed-off-by: Rodrigo Dias Correa <rodrigo.dia.correa@hp.com>
Signed-off-by: Arthur Crippa Burigo <acb@hp.com>
Reviewed-by: Qin Long <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19748 6f19259b-4bc3-4df7-8a09-765794883524
2016-01-26 08:51:13 +00:00
Hao Wu e7efd897d0 CryptoPkg: Add NOOPT target in CryptoPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19670 6f19259b-4bc3-4df7-8a09-765794883524
2016-01-19 04:04:54 +00:00