Commit Graph

298 Commits

Author SHA1 Message Date
Zurcher, Christopher J 6b7855209a CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
This is enabling a future EVP implementation to utilize the
EVP_get_digestbyname() function.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2020-03-10 09:08:34 +00:00
Zurcher, Christopher J c72ca46668 CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing loop
This prevents the .inf files from being randomized after every run
of process_files.pl.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2020-03-10 09:08:34 +00:00
Amol N Sukerkar 70228e101e CryptoPkg/BaseHashApiLib: Change PcdHashApiLibPolicy type to FixedAtBuild
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2511

This commit changes the PCD PcdHashApiLibPolicy to the type
PcdsFixedAtBuild so as to be able to optimize away the unused hashing
algorithms in HashApiLib instance used by a driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-19 16:38:22 +00:00
Amol N Sukerkar c70bdf9d4a CryptoPkg/BaseHashApiLib: Align BaseHashApiLib with TPM 2.0 Implementation
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2511

This commit aligns the baseHashApiLib with TPM 2.0 Implementation
as follows:
- Remove reference to MD4 and MD5 algorithms as they are deprecated
- Align the enumerations for hashing algoerithms with the one used
  in TPM 2.0 implementation defined in IndustryStandard/Tpm20.h.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-19 16:38:22 +00:00
Antoine Coeur 7aa8af4576 CryptoPkg/OpensslLib: Fix few typos
Fix few typos in comments.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Antoine Coeur <coeur@gmx.fr>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
Message-Id: <20200207010831.9046-2-philmd@redhat.com>
2020-02-10 22:30:07 +00:00
Michael D Kinney bd33a385ee CryptoPkg/CryptoPkg.dsc: Add build of Crypto libraries/modules
https://bugzilla.tianocore.org/show_bug.cgi?id=2420

Based on the following package with changes to merge into
CryptoPkg.

https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg

Add Crypto library instances and modules that consume/produce
the EDK II Crypto Protocols/PPIs to the CryptoPkg DSC file.

The default build of CryptoPkg performs a package verification
build.

The CRYPTO_SERVICES define is added that supports the following
settings.

* PACKAGE         - Package verification build of all components.  Null
                    versions of libraries are used to minimize build times.
* ALL             - Build PEIM, DXE, and SMM drivers.  Protocols and PPIs
                    publish all services.
* NONE            - Build PEIM, DXE, and SMM drivers.  Protocols and PPIs
                    publish no services.  Used to verify compiler/linker
                    optimizations are working correctly.
* MIN_PEI         - Build PEIM with PPI that publishes minimum required
                    services.
* MIN_DXE_MIN_SMM - Build DXE and SMM drivers with Protocols that publish
                    minimum required services.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-07 16:32:13 +00:00
Michael D Kinney cd70de1cc0 CryptoPkg/Library: Add BaseCryptLibOnProtocolPpi instances
https://bugzilla.tianocore.org/show_bug.cgi?id=2420

Based on the following package with changes to merge into
CryptoPkg.

https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg

Add the PeiCryptLib, DxeCryptLib, and SmmCryptLib instances
of the BaseCryptLib library classes that are implemented using
the services of EDK II Crypto Protocols/PPIs.

These library instances all set a dependency expression on the
EDK II Crypto Protocols/PPIs, so any modules that use these
library instances are not dispatched until the modules that
produce the EDK II Crypto Protocols/PPIs are dispatched.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-07 16:32:13 +00:00
Michael D Kinney cc1d13c922 CryptoPkg/Driver: Add Crypto PEIM, DXE, and SMM modules
https://bugzilla.tianocore.org/show_bug.cgi?id=2420

Based on the following package with changes to merge into
CryptoPkg.

https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg

Add the CryptoPei, CryptoDxe, and CryptoSmm modules that produce
EDK II Crypto Protocols/PPIs that provide the same services as
the BaseCryptLib class.

In order to optimize the size of CryptoPei, CryptoDxe, and
CryptoSmm modules for a specific platform, the FixedAtBuild
PCD gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable
is used to determine if a specific service is enabled or
disabled.  If a service is enabled, then a call is made to
the BaseCryptLib service.  If the service is disabled, then
a DEBUG() message and ASSERT() are performed and a default
return value is returned.  This provides simple detection
of a service that is disabled but is used by another module
when DEBUG()/ASSERT() macros are enabled.

The use of a FixedAtBuild PCD is required so the compiler
and linker know each services enable/disable setting at
build time and allows disabled services to be optimized away.

CryptoPei supports both pre-mem and post-mem use cases.
If CryptoPei is initially dispatched pre-mmem, the the
register for shadow service is used so the Crypto PPI can
be reinstalled post-mem.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-07 16:32:13 +00:00
Michael D Kinney 3b0e04305b CryptoPkg: Add EDK II Crypto Protocols/PPIs/PCDs
https://bugzilla.tianocore.org/show_bug.cgi?id=2420

Based on the following package with changes to merge into
CryptoPkg.

https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg

Add the EDK II Crypto Protocol, EDK II SMM Crypto Protocol
and EDK II Crypto PPI that provide the same services as the
BaseCryptLib.  One additional GetVersion() services is provided
to support backward compatible extensions to these new
Protocols/PPIs if new services are added to BaseCryptLib in the
future.  The EDK II Crypto Protocols/PPIs are located in a
private directory so they are only available CryptoPkg components.

In order to optimize the size of modules that produce the
EDK II Crypto Protocols/PPIs define a FixedAtBuild PCD
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
This PCD is type VOID* and is associated with the structure
PCD_CRYPTO_SERVICE_FAMILY_ENABLE.  This structure contains
bitfields and unions that allow a platform DSC files to
enable/disable entire families of services or enable/disable
individual services in the produced EDK II Crypto
Protocols/PPIs.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-07 16:32:13 +00:00
Michael D Kinney 668621362f CryptoPkg/BaseCryptLib: Add X509ConstructCertificateStackV().
https://bugzilla.tianocore.org/show_bug.cgi?id=2420

Add X509ConstructCertificateStackV() to BaseCryptLib that is
identical in behavior to X509ConstructCertificateStack(), but
it takes a VA_LIST parameter for the variable argument list.

The VA_LIST form of this function is required for BaseCryptLib
functions to be wrapped in a Protocol/PPI.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-07 16:32:13 +00:00
Michael D Kinney 422da35375 CryptoPkg/BaseCryptLibNull: Add missing HkdfSha256ExtractAndExpand()
https://bugzilla.tianocore.org/show_bug.cgi?id=2493

The BaseCryptLib was expanded to add the HkdfSha256ExtractAndExpand()
service in the following commit:

4b1b7c1913

When BaseCryptLibNull was added in the commit below, this new
service was not included.

d95de082da

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-02-04 21:35:48 +00:00
Amol N Sukerkar 3feea54eae CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
https://bugzilla.tianocore.org/show_bug.cgi?id=2151

This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
the desired hash by setting PcdHashApiLibPolicy to appropriate value.

This feature is documented in the Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2020-02-03 23:49:28 +00:00
Amol N Sukerkar 2c061de063 CryptoPkg: Add CryptoPkg Token Space GUID
https://bugzilla.tianocore.org/show_bug.cgi?id=2151

Added CryptoPkg Token Space GUID to be able to define PCDs.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2020-02-03 23:49:28 +00:00
Jian J Wang 9a1f14ad72 CryptoPkg/BaseCryptLib: remove HmacXxxGetContextSize interface
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792

Hmac(Md5|Sha1|Sha256)GetContextSize() use a deprecated macro
HMAC_MAX_MD_CBLOCK defined in openssl. They should be dropped to
avoid misuses in the future. For context allocation and release,
use HmacXxxNew() and HmacXxxFree() instead.

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
2020-01-20 16:41:23 +00:00
Jian J Wang a23fdff6fb CryptoPkg/BaseCryptLib: replace HmacXxxInit API with HmacXxxSetKey
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792

HmacXxxInit() is supposed to be initialize user supplied buffer as HMAC
context, as well as user supplied key. Currently it has no real use cases.

Due to BZ1792, the user has no way to get correct size of context buffer
after it's fixed, and then cannot make use of HmacXxxInit to initialize
it.

So it's decided to replace it with HmacXxxSetKey to keep the functionality
of supplying a key to HMAC, but drop all other initialization works. The
user can still get HMAC context via HmacXxxNew interface, which hides the
details about the context.

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
2020-01-20 16:41:23 +00:00
Pavana.K c9d7262843 CryptoPkg: Support for SHA384 & SHA512 RSA signing schemes
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2389

Currently RSA signing scheme support is available for MD5, SHA-1 or
SHA-256 algorithms.The fix is to extend this support for SHA384 and
SHA512.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>

Signed-off-by: Pavana.K <pavana.k@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-01-08 06:57:44 +00:00
Laszlo Ersek 4d613feee5 CryptoPkg/OpensslLib.inf: list OpenSSL local header "ms/uplink.h"
Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) incorrectly placed "ms/uplink.h" in the
auto-generated part of [Sources], in "OpensslLib.inf".

("ms/uplink.h" was added in the right spot in "OpensslLibCrypto.inf".)

Subsequently, when commit 9f4fbd56d4 ("CryptoPkg/OpensslLib: Update
process_files.pl to generate .h files", 2019-10-30) re-generated that part
of "OpensslLib.inf", the "ms/uplink.h" file reference was lost. This
triggers a warning from the "build" utility now.

Name the header file in the right spot in [Sources].

This change makes "OpensslLib.inf" consistent with "OpensslLibCrypto.inf".

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2019-12-02 19:35:18 +00:00
Laszlo Ersek b49a6c8f80 CryptoPkg/OpensslLib: improve INF file consistency
When diffing "OpensslLib.inf" against "OpensslLibCrypto.inf", the *only*
differences should be:

- BASE_NAME, MODULE_UNI_FILE, and FILE_GUID are expected to differ, in
  [Defines];

- "OpensslLib.inf" is expected to list "$(OPENSSL_PATH)/ssl/..." source
  files in the auto-generated part of the [Sources] section.

Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) broke that invariant, by adding "buildinf.h" and
"rand_pool_noise.h" in different order to both INF files.

Fix that order in "OpensslLib.inf" now. (Note that this does not
re-establish full consistency between both INF files -- it just highlights
another problem, which we'll fix in the next patch.)

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2019-12-02 19:35:18 +00:00
Liming Gao 8ecd8c49e4 CryptoPkg CryptoLib: Update tool chain name to CLANGPDB
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2341

Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-11-15 06:04:21 +00:00
Michael D Kinney f98a44541f CryptoPkg: Add YAML file for CI builds
https://bugzilla.tianocore.org/show_bug.cgi?id=2315

Add YAML file to the package directory with the
configuration of the checks to perform during a
CI build.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-11-11 13:02:07 -08:00
Shenglei Zhang 1bcc65b9a1 CryptoPkg: Upgrade OpenSSL to 1.1.1d
Upgrade openssl from 1.1.1b to 1.1.1d.
Something needs to be noticed is that, there is a bug existing in the
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226

Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".

shm.h and utsname.h are added to avoid GCC build failure.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
2019-11-05 10:42:07 +08:00
Laszlo Ersek 1e72b1fb2e CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals as such (CVE-2019-14553)
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.

Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:08:05 +01:00
Laszlo Ersek 8d16ef8269 CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).

We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:

  $ git show \
      964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
      > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:59 +01:00
Laszlo Ersek 2ac41c12c0 CryptoPkg/Crt: satisfy "inet_pton.c" dependencies (CVE-2019-14553)
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package). That source file has a number of
standard C and BSD socket dependencies. Provide those dependencies here:

- The header files below will simply #include <CrtLibSupport.h>:

  - arpa/inet.h
  - arpa/nameser.h
  - netinet/in.h
  - sys/param.h
  - sys/socket.h

- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
  e2d3a25f1a31; which is the commit immediately preceding the removal of
  StdLib from edk2 (964f432b9b).

  Note that the other error macro, which we alread #define, namely EINVAL,
  has a value (22) that also matches "StdLib/Include/errno.h".

- The AF_INET and AF_INET6 address family macros come from
  "StdLib/Include/sys/socket.h".

- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
  "StdLib/Include/arpa/nameser.h".

- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:52 +01:00
Laszlo Ersek eb520d94db CryptoPkg/Crt: turn strchr() into a function (CVE-2019-14553)
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.

In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:

  strchr((xdigits = xdigits_l), ch)
  strchr((xdigits = xdigits_u), ch)

To enable this kind of function call, turn strchr() into a function.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
2019-11-02 12:07:25 +01:00
Wu, Jiaxin 2ca74e1a17 CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" (CVE-2019-14553)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
protocol to set the specified host name that need to be verified.

Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-11-02 12:07:23 +01:00
Shenglei Zhang 9f4fbd56d4 CryptoPkg/OpensslLib: Update process_files.pl to generate .h files
There are missing headers added into INF files at 8906f076de35b222a..
They are now manually added but not auto-generated. So we update the
perl script to enable this feature.
Meanwhile, update the order of the .h files in INF files, which are
auto-generated now.
https://bugzilla.tianocore.org/show_bug.cgi?id=2085

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
2019-10-30 10:38:03 +08:00
Liming Gao 933681b208 CryptoPkg IntrinsicLib: Make _fltused always be used
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
With this change, global variable _fltused will not be removed by LTO

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
2019-10-24 09:41:34 +08:00
Liming Gao 3d61650f95 CryptoPkg: Append options to make CLANG9 tool chain pass build
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
Disable warning reported from CLANG9.

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-24 09:41:33 +08:00
Sean Brogan d95de082da CryptoPkg: Add Null instance of the BaseCryptLib class
https://bugzilla.tianocore.org/show_bug.cgi?id=2257

Add a Null instance of the BaseCryptLib class.  This lib instance
can be used as a template for new implementations of the BaseCryptLib
class and can also be used to reduce CI build times for build
checks that depend on the BaseCryptLib class.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 18:37:19 -07:00
Sean Brogan 79cd636f3e CryptoPkg: Add Null instance of the TlsLib class
https://bugzilla.tianocore.org/show_bug.cgi?id=2258

Add a Null instance of the TlsLib class.  This lib instance
can be used as a template for new implementations of the TlsLib
class and can also be used to reduce CI build times for build
checks that depend on the TlsLib class.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 14:42:28 -07:00
Sean Brogan 412c963842 CryptoPkg: Add missing components to CryptoPkg.dsc
https://bugzilla.tianocore.org/show_bug.cgi?id=2254

Update CryptoPkg.dsc to guarantee all libraries and modules
are always built.  Add the following components.

* CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 10:38:33 -07:00
Shenglei Zhang 944bd5cf1d CryptoPkg: Fix coding style
Update attribute "Out" to "out".
The original "Out" can not pass ECC check.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-19 08:45:29 +08:00
Shenglei Zhang 8906f076de CryptoPkg/OpensslLib: Add missing header files in INF file
The header files are used but missing in INF,which causes
warning message when building them.
https://bugzilla.tianocore.org/show_bug.cgi?id=2036

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-16 11:26:57 +08:00
Jian J Wang 5ab96088ae CryptoPkg/OpensslLib: remove clone commands
https://bugzilla.tianocore.org/show_bug.cgi?id=1910

edk2/Readme.md has added a section to explain the correct clone
commands for submodules. Detailed steps in the OpenSSL-HOWTO.txt
are removed to avoid any inconsistency.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-08-15 09:56:37 +08:00
Gary West 4b1b7c1913 CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928

1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
2. Implement stub implementation function in CryptHkdfNull.c file.
3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
   RuntimeCryptLib.inf and SmmCryptLib.inf

Signed-off-by: Gary West <Gary.West@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
2019-08-09 09:38:56 +08:00
Zhichao Gao b3d00df69c CryptoPkg/BaseCryptLib: Use cmp-operator for non-Boolean comparisons
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2027

Refer to CSS_2_1 5.7.2.1 "Non-Boolean comparisons must use a
compare operator (==, !=, >, < >=, <=).", use compare operator
for the non-boolean comparisons.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-31 09:19:43 +08:00
Laszlo Ersek 9e55ce6b75 CryptoPkg/BaseCryptLib: list module-internal header files in INF [Sources]
The BaseTools build feature introduced for TianoCore#1804 / in commit
1fa6699e6c ("BaseTools: Add a checking for Sources section in INF file",
2019-06-10) logs some (non-fatal) warnings about unlisted internal header
files. List those files explicitly.

Note: header files are added in lexicographical order only if the
underlying INF file already keeps the [Sources] and [LibraryClasses]
sections in lexicographical order. Otherwise, header files are added in
rough "logical" order.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-23 00:20:30 +02:00
Xiaoyu Lu 51f7a3e6c5 CryptoPkg/OpensslLib: Exclude err_all.c in process_files.pl
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1881

Commit(0a1b13fd4d) fix VS2017 build failure
remove useless file in OpensslLib[Crypto].inf,
but we use process_files.pl to generate files.
So exclude err_all.c file in process_files.pl

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-25 16:45:54 +08:00
Xiaoyu Lu b86fbe1f98 CryptoPkg/OpensslLib: disable autoload-config for OpenSSL
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1926

This problem was found by Rebecca Cran <rebecca@bluestop.org>.
REF: https://edk2.groups.io/g/devel/topic/32100684

OpenSSL will automatically load a system config file which configures
default ssl options. In UEFI, It will cause TlsInitialize failed
without OPENSSL_INIT_NO_LOAD_CONFIG flag. we don't use this feature,
So disable it.

Re-run process_files.py to generate OpensslLib[Crypto].inf files.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-21 17:25:02 +08:00
Lu, XiaoyuX 90e8f13d51 CryptoPkg/OpensslLib: Fix CR/LF issue
Re-run process_files.py to generate OpensslLib[Crypto].inf.
CryptoPkg/Library/Include/openssl/opensslconf.h is coped from OpenSSL,
So keep the CR/LF style like OpenSSL source file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-21 17:16:52 +08:00
Bret Barkelew a860eb9668 CryptoPkg: Add missing instance for build only
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1900

Add the missing instance to [Components] of dsc file
for build only.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-15 03:42:29 +08:00
Lu, XiaoyuX f0718d1d6b CryptoPkg/BaseCryptLib: Wrap OpenSSL SM3 algorithm
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1861

1. Implement OpenSSL SM3 wrapped functions in CryptSm3.c file.
2. Add wrapped SM3 functions declaration to BaseCryptLib.h file.
3. Add CryptSm3.c to each module information file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-08 05:18:41 +08:00
Wang, Jian J 20d2e5a125 CryptoPkg/OpensslLib: fix build break caused by missing library
CryptoPkg\Library\Include\CrtLibSupport.h maps strxxxx interfaces to
edk2 PrintLib interfaces but related module inf file don't claim the
use of it. This will cause unresolved symbol issue with VS2017 build
which has enabled strict symbol check. This patch resolves the problem
by adding PrintLib to inf files.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-06 12:51:42 +08:00
Xiaoyu Lu 98d8f194e5 CryptoPkg/IntrinsicLib: Fix CLANG38 IA32 build problem
When use clang-3.8 to build the NetworkPkg, compiler optimization
may use memcpy for memory copy. For example:

 CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_rsa.c:918: undefined
 reference to `memcpy'`

Compiler optimization is sophisticated, but we can work around it
use __attribute__((__used__)) to informs the compiler that symbol
should be retained in the object file, even if it may be
unreferenced.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-06 11:01:50 +08:00
Wang, Jian J 0a1b13fd4d CryptoPkg/OpensslLib: fix VS2017 build failure
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1878

This issue is specific to VS2017 which tries to resolve symbol referenced
by a symbol not really referenced eventually.

ossl_init_load_crypto_strings
-> err_load_crypto_strings_int (not really referenced)
-> ERR_load_OSSL_STORE_strings

Because OPENSSL_NO_ERR and OPENSSL_NO_AUTOERRINIT are not defined by
default, err_load_crypto_strings_int() will not be actually referenced
by ossl_init_load_crypto_strings().

Since err_load_crypto_strings_int() is not actually referenced at all,
the fix can be done simply by removing crypto/err/err_all.c from build.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-06-05 16:21:35 +08:00
Xiaoyu Lu 466c66341a CryptoPkg: Fix build problem with XCODE
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

When building CryptoPkg with XCODE, blow error may result

* usr/lib/clang/9.0.0/include/stdatomic.h:105:17:
error: unknown type name 'wchar_t'

Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it

* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
    uninitialized
    when used here [-Werror,-Wuninitialized]

Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-04 08:10:14 +08:00
Ard Biesheuvel f03859ea6c CryptoPkg CLANG35: add -std=c99 to dodge OpenSSL C atomics issue
Commit c51f8bae7c ("CryptoPkg: Fix possible build problem with
Clang") added -std=c99 to the CLANG38 compiler command line of
packages that incorporate parts of OpenSSL, to ensure that the new
C atomics code used by OpenSSL for refcounting (which we don't care
about) does not pull in system C library headers, which we cannot
rely on when (cross)building EDK2 code.

Unsurprisingly, CLANG35 (which is only defined for ARM and AARCH64)
suffers from the exact same issue, so let's add the same flags
there as well.

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-06-03 18:33:53 +02:00
Xiaoyu Lu acfb909118 CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

OpenSSL internally redefines the size of HMAC_CTX at
crypto/hmac/hmac_lcl.h(OpenSSL commit e0810e35).
Ref: https://github.com/openssl/openssl/pull/4338

We should not use it directly and should remove relevant
functions(Hmac*GetContextSize).
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1792

But for compatiblility, temporarily change these definition
of HMAC_*_CTX_SIZE.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:03 +08:00
XiaoyuX Lu 456dd8b99f CryptoPkg: Upgrade OpenSSL to 1.1.1b
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089

* Update OpenSSL submodule to OpenSSL_1_1_1b
   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)

* Run process_files.pl script to regenerate OpensslLib[Crypto].inf
  and opensslconf.h

* Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
  due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
  Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
  which was first released as part of OpenSSL_1_1_1.

* Starting with OpenSSL commit 8a8d9e1905(first release in
  OpenSSL_1_1_1), the OpenSSL_version() function can no longer
  return a pointer to the string literal "compiler: information
  not available", in the case CFLAGS macro is not defined.
  Instead, the function now has a hard dependency on the global
  variable 'compiler_flags'. This variable is normally placed
  by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
  run that script whenever we build OpenSSL, therefore we
  must provide our own dummy 'compiler_flags'.

* BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
  And it is declared in stdio.h. So add it to CrtLibSupport.h.
  Here's a discussion about this.
  Ref: https://github.com/openssl/openssl/issues/8904

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-03 08:28:03 +08:00