REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3654
Adding native instruction support for accelerated OpenSSL features for
IA32 architecture, following the pattern set by the previous commits for
X64 native support.
Cc: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Christopher Zurcher <christopher.zurcher@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Add unit test for CryptoBn.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828
The implementation provides CryptBn library functions
for EFI Driver and EFI BaseCrypt Protocol.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828
This patch is used to add CryptBn library, which is wrapped
over OpenSSL.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Rename file from CryptHmacSha256 to CryptHmac and
add HmacSha384 and HmacSha256All funcitons.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4025
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
CertCtx is used to be defined as a struct and ZeroMem is called to
init this struct. But now CertCtx is defined as a point, so use
ZeroMem (&CertCtx, sizeof (CertCtx)) is not correct any more.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
This is the Cryptographic library instance for SEC. The motivation of
this library is to support SHA384 in SEC phase for Td guest. So only
Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other
cryptographics are added with the null version, such as CryptMd5Null.c.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
RVCT is obsolete and no longer used.
Remove support for it.
Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Files generated by process_files.pl from openssl sources should not be checked for edk2 code style.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Run process_files.pl with the current openssl submodule version.
Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Recommend from Gerd:
(2) Keep the EC config option, but update process_files.pl to
automatically add the PcdEcEnabled config option handling
to the files it generates.
When remove 'no-ec' from openssl configure list, will automatically remove
'OPENSSL_NO_EC', 'OPENSSL_NO_ECDH', 'OPENSSL_NO_ECDSA', 'OPENSSL_NO_TLS1_3',
form header, and add '/ec/.', '/sm2/.' files to INF files.
Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Move auto-generated openssl config to openssl/opensslconf_generated,
And openssl/opensslconf.h will contain both edk2 conditional openssl
feature and openssl/opensslconf_generated.
Will make two part more clear.
New conditional feture code in opensslconf.h will look like:
/* Autogenerated conditional openssl feature list starts here */
[.....]
/* Autogenerated conditional openssl feature list ends here */
Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
PcdOpensslXXXEnabled is a more appropriate choice.
Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3828
Tls/Base/Pei/Smm/RuntimeCryptLib.inf will use OpensslLib,
and the opensslconf.h in openssllib will use PcdEcEnabled,
but it is not declared in the inf file now,
it will cause warnings in some compilers.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
MU_CHANGE tags are used in a different project (Project Mu) to
highlight deviations from Tianocore. Therefore, the comments are
not needed when the changes are present in a Tianocore repository.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3828
Use PCD gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled to config-able
source files list in OpensslLib.inf and OpensslLibCrypto.inf.
If PcdEcEnabled equals to FALSE, this file will not be compiled.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: yi1 li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
This dependency is needed to build openssl lib with ECC ciphers
under IA32 Windows and adds implementation for _allmul and _allshr
instrinsics.
It is taken from Project Mu:
microsoft/mu_basecore@b55b341
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: yi1 li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
openssl 3.0 wants at least 512 bytes, otherwise it throws an error:
error:0280007E:Diffie-Hellman routines::modulus too small
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
strcpy() returns a pointer to the destination string, AsciiStrCpyS()
does not. So a simple #define does not work. Create a function
instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Add dummy MODULESDIR #define
Will be needed by openssl 3.0.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Add define for UINT_MAX.
Will be needed by openssl 3.0.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Add #define for INT_MIN.
Will be needed by openssl 3.0.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Add #define for strstr().
Will be needed by openssl 3.0.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Add fcntl.h header file.
Will be needed by openssl 3.0.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3885
Parallel hash patch redefines uint_64 type in CrtLibSupport.h
which has been defined in openssl/include/openssl/e_os2.h.
CryptMd5.c including e_os2.h cause redefinition bug.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhihao Li <zhihao.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Pick up bugfixes from latest openssl release. Includes CVE-2022-0778
fix (I don't think edk2 is affected though due to EC being disabled).
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3596
Parallel hash function ParallelHash256HashAll, as defined in NIST's
Special Publication 800-185, published December 2016. It utilizes
multi-process to calculate the digest.
Passed CI test.
Onprotocol version code passed test.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhihao Li <zhihao.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737
Apply uncrustify changes to .c/.h files in the CryptoPkg package
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767
Update use of DEBUG_CODE(Expression) if Expression is a complex code
block with if/while/for/case statements that use {}.
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760
Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3749
Update package YAML files to ignore ECC errors that are
already present. These issues must be fixed in the future,
but should not block source code changes for these known
issues.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3617
Create a read-only openSSL BIO wrapper for the existing input
buffer passed to Pkcs7Verify() instead of copying the buffer
into an empty writable BIO which causes memory allocations
within openSSL.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Bob Morgan <bobm@nvidia.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3550
Function ConvertAsn1TimeToEfiTime initializes timestamp to zeroes with
SetMem, but the actual parameters are out of order. The result is
the SetMem operation has no effect. The fix is to put the actual
parameters in the correct order.
Signed-off-by: Chris Stewart <chris.stewart@hp.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507
Adding the auto-generated assembly files for X64 architectures.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Mike Kinney <michael.d.kinney@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Christopher Zurcher <christopher.zurcher@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507
Adding OpensslLibX64.inf and modifying process_files.pl to process this
file and generate the necessary assembly files.
Adding OpensslLibX64Gcc.inf to allow building with GCC toolchain.
ApiHooks.c contains a stub function for a Windows API call.
uefi-asm.conf contains the limited assembly configurations for OpenSSL.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Mike Kinney <michael.d.kinney@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Christopher Zurcher <christopher.zurcher@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Intel Platform utility Syscfg/sysfwupdt will trigger SMI
to enter BIOS interface. then BIOS invoke EncodePassword
in SMM mode to check password.
it's need sha384(in CryptSha512.c) in SMM mode.
the origin SmmCryptLib.lib size is 1389KB,
after changed, the size is 1391KB.
the origin RuntimeCryptLib.lib size is 911KB,
after changed,the size is 913KB.
in SmmCryptLib.inf and RuntimeCryptLib.inf,
change CryptSha512NULL.c to CryptSha512.c.
https://bugzilla.tianocore.org/show_bug.cgi?id=3423
Signed-off-by: xueshengfeng <xueshengfeng@byosoft.com.cn>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3455
Enforce salt length to be equal to digest length for RSA-PSS
encoding scheme.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
`Result` can be used uninitialized in both functions after following
either first or second `goto` statement.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Sergei Dmitrouk <sergei@posteo.net>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3308
The EDK II Build Specifications do not restrict the set of
CPU architectures that can be supported. Remove places in
the EDK II that assume a fixed set of CPU architectures.
Update SIXTY_FOUR_BIT and THIRTY_TWO_BIT defines in the
CryptoPkg to allow one of them to be predefined on the EDK II
build command line using /D flag or in DSC file [BuildOptions]
sections.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Abner Chang <abner.chang@hpe.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Abner Chang <abner.chang@hpe.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3288
Simplify the DSC file by using the library mappings from
UnitTestFrameworkPkgTarget.dsc.inc to build the CryptoPkg
target based unit tests that run from the UEFI Shell.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3287
Remove duplicate declaration of the function prototype
EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3246
MdeLibs.dsc.inc was added for some basic/default library
instances provided by MdePkg and RegisterFilterLibNull Library
was also added into it as the first version of MdeLibs.dsc.inc.
So update platform dsc to consume MdeLibs.dsc.inc for
RegisterFilterLibNull which will be consumed by IoLib and BaseLib.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Update openssl from 1.1.1g to 1.1.1j. Current OpenSSL version
1.1.1g contains the vulnerabilities of CVE-2021-23841 and
CVE-2021-23840. The related vulnerable API EVP_DecryptUpdate
are used in drivers.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3266
Besides, the opensslconf.h automatically generated by process_files.pl.
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Liu Wei <weix.c.liu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2459
SignerCert is part of Pkcs7 instance when both have valid content. OpenSLL
PKCS7_free function will release the memory of SignerCert when applicable.
Freeing SignerCert with X509_free again might cause page fault if use-
after-free guard is enabled.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Only include MD5 unit tests if ENABLE_MD5_DEPRECATED_INTERFACES
is defined and define ENABLE_MD5_DEPRECATED_INTERFACES for host
based unit tests so MD5 services are always tested.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
Make the deprecated MD5 disable as default setting for
security.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Message-Id: <20201112055558.2348-14-zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
CRYPTO_SERVICES PACKAGES and ALL config would enable MD5
function. So explicitly enable MD5 while CRYPTO_SERVICES
are set PACKAGES and ALL.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Message-Id: <20201112055558.2348-4-zhichao.gao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
signed authenticode pkcs#7 data. when this successfully returns, a type
check is done by calling PKCS7_type_is_signed() and then
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
blob that successfully decodes and have d2i_PKCS7() return a valid pointer
and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
be a NULL pointer.
Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
pkcs7 structs it does the following:
- call PKCS7_type_is_signed()
- call PKCS7_get_detached()
Looking into how PKCS7_get_detatched() is implemented, it checks to see if
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
- Add call to PKS7_get_detached() to existing error handling
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
This adds a new INF for BaseCryptLib suitable for
host based environments. It adds a host based unit test for
BaseCryptLib that can also be built as a shell based Unit Test.
In addition, this also adds a UnitTestHostCrtWrapper.c file, which provides
some of the functionality not provided by the default host based unit test
system that OpenSSL expects. This is used by UnitTestHostBaseCryptLib, a
version of the BaseCryptLib meant specifically for host based unit testing.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Crypto algorithms, hkdf-sha256/hmac-sha256/aes, are needed to verify
integrity of variable data, derive hmac and encryption keys, and
encrypt/decrypt varible. Replacing null version source code with real
implementations makes sure we can enable full functionalities of protected
variable later.
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871
Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
This allows platforms to decide for themsevles what sort of entropy source
they provide to OpenSSL and TlsLib.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
Add configuration ExceptionList and IgnoreFiles for package config
files. So users can rely on this to ignore some Ecc issues.
Besides, add submodule path in IgnoreFiles section.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>
Add configuration IgnoreFiles for package config files.
So users can rely on this to skip license conflict for
some generated files.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>
Upgrade openssl to 1.1.1g. the directory have been reorganized,
openssl moved crypto/include/internal to include/crypto folder.
So we change directory to match the re-organization.
The dso_conf.h and opensslconf.h will generated in UNIX format,
change process_files.pl to covent the EOL automatically.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
SHA1 is deprecated but it is required for compatible issue.
So add a MARCO for the platform to disable the usage of SHA1 for
security.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
MD5 is deprecated but it is required for compatible issue.
So add a MARCO for the platform to disable the usage of MD5 for
security.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
The binary is totally changed, so update the Crypto Version to 7:
1. Retire below deprecated function:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Convert file ending of the crypto created openssl config file -
opensslconf.h from '\n' to '\r\n' to make align the line ending and
pass the patch check.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
HMAC MD5 is not secure any longer.
Remove the HMAC MD5 support from edk2.
Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Add the unrequired aes_ecb files in process_files.pl and run it
thru perl.
It would remove the unrequired aes_ecb files from OpensslLib inf.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Aes Ecb mode is not secure any longer.
Remove the Aes Ecb mode support from edk2.
Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
This patch is create by adding the setting "no_des" of
process_files.pl and running it thru perl.
It would remove the TDES from OpensslLib.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
TDES is not secure any longer.
Remove the Tdes support from edk2.
Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
This patch is create by adding the setting "no_rc4" of
process_files.pl and running it thru perl.
It would remove the ARC4 from OpensslLib.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
ARC4 is not secure any longer.
Remove the ARC4 support from edk2.
Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
This patch is create by adding the setting "no_md4" of
process_files.pl and running it thru perl.
It would remove the MD4 from OpensslLib.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
MD4 is not secure any longer.
Remove the MD4 support from edk2.
Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Add a internal worker function to indicate the deprecated functions.
It would print out debug messages and asserts to inform the consumer
they are using a deprecated function.
Change the Name of BaseCryptLibServciceNotEnabled to correct spelling
BaseCryptLibServiceNotEnabled.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2539
Microsoft signtool supports creation of attached P7's with any OID payload
via the "/p7co" parameter. It is necessary to check the data before get
the string.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2552
According to CryptoPkg.dsc, the library class only have HashApiLib, so i
think the BaseHashApiLib should be considered as base name rather than
library class.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2552
DxeCryptLibConstructor have no comments for it, add comments for it.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
This is enabling a future EVP implementation to utilize the
EVP_get_digestbyname() function.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
This prevents the .inf files from being randomized after every run
of process_files.pl.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2511
This commit changes the PCD PcdHashApiLibPolicy to the type
PcdsFixedAtBuild so as to be able to optimize away the unused hashing
algorithms in HashApiLib instance used by a driver.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2511
This commit aligns the baseHashApiLib with TPM 2.0 Implementation
as follows:
- Remove reference to MD4 and MD5 algorithms as they are deprecated
- Align the enumerations for hashing algoerithms with the one used
in TPM 2.0 implementation defined in IndustryStandard/Tpm20.h.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Fix few typos in comments.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Antoine Coeur <coeur@gmx.fr>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
Message-Id: <20200207010831.9046-2-philmd@redhat.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add Crypto library instances and modules that consume/produce
the EDK II Crypto Protocols/PPIs to the CryptoPkg DSC file.
The default build of CryptoPkg performs a package verification
build.
The CRYPTO_SERVICES define is added that supports the following
settings.
* PACKAGE - Package verification build of all components. Null
versions of libraries are used to minimize build times.
* ALL - Build PEIM, DXE, and SMM drivers. Protocols and PPIs
publish all services.
* NONE - Build PEIM, DXE, and SMM drivers. Protocols and PPIs
publish no services. Used to verify compiler/linker
optimizations are working correctly.
* MIN_PEI - Build PEIM with PPI that publishes minimum required
services.
* MIN_DXE_MIN_SMM - Build DXE and SMM drivers with Protocols that publish
minimum required services.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the PeiCryptLib, DxeCryptLib, and SmmCryptLib instances
of the BaseCryptLib library classes that are implemented using
the services of EDK II Crypto Protocols/PPIs.
These library instances all set a dependency expression on the
EDK II Crypto Protocols/PPIs, so any modules that use these
library instances are not dispatched until the modules that
produce the EDK II Crypto Protocols/PPIs are dispatched.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the CryptoPei, CryptoDxe, and CryptoSmm modules that produce
EDK II Crypto Protocols/PPIs that provide the same services as
the BaseCryptLib class.
In order to optimize the size of CryptoPei, CryptoDxe, and
CryptoSmm modules for a specific platform, the FixedAtBuild
PCD gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable
is used to determine if a specific service is enabled or
disabled. If a service is enabled, then a call is made to
the BaseCryptLib service. If the service is disabled, then
a DEBUG() message and ASSERT() are performed and a default
return value is returned. This provides simple detection
of a service that is disabled but is used by another module
when DEBUG()/ASSERT() macros are enabled.
The use of a FixedAtBuild PCD is required so the compiler
and linker know each services enable/disable setting at
build time and allows disabled services to be optimized away.
CryptoPei supports both pre-mem and post-mem use cases.
If CryptoPei is initially dispatched pre-mmem, the the
register for shadow service is used so the Crypto PPI can
be reinstalled post-mem.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Based on the following package with changes to merge into
CryptoPkg.
https://github.com/microsoft/mu_plus/tree/dev/201908/SharedCryptoPkg
Add the EDK II Crypto Protocol, EDK II SMM Crypto Protocol
and EDK II Crypto PPI that provide the same services as the
BaseCryptLib. One additional GetVersion() services is provided
to support backward compatible extensions to these new
Protocols/PPIs if new services are added to BaseCryptLib in the
future. The EDK II Crypto Protocols/PPIs are located in a
private directory so they are only available CryptoPkg components.
In order to optimize the size of modules that produce the
EDK II Crypto Protocols/PPIs define a FixedAtBuild PCD
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
This PCD is type VOID* and is associated with the structure
PCD_CRYPTO_SERVICE_FAMILY_ENABLE. This structure contains
bitfields and unions that allow a platform DSC files to
enable/disable entire families of services or enable/disable
individual services in the produced EDK II Crypto
Protocols/PPIs.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2420
Add X509ConstructCertificateStackV() to BaseCryptLib that is
identical in behavior to X509ConstructCertificateStack(), but
it takes a VA_LIST parameter for the variable argument list.
The VA_LIST form of this function is required for BaseCryptLib
functions to be wrapped in a Protocol/PPI.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2493
The BaseCryptLib was expanded to add the HkdfSha256ExtractAndExpand()
service in the following commit:
4b1b7c1913
When BaseCryptLibNull was added in the commit below, this new
service was not included.
d95de082da
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
the desired hash by setting PcdHashApiLibPolicy to appropriate value.
This feature is documented in the Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
Added CryptoPkg Token Space GUID to be able to define PCDs.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
Hmac(Md5|Sha1|Sha256)GetContextSize() use a deprecated macro
HMAC_MAX_MD_CBLOCK defined in openssl. They should be dropped to
avoid misuses in the future. For context allocation and release,
use HmacXxxNew() and HmacXxxFree() instead.
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
HmacXxxInit() is supposed to be initialize user supplied buffer as HMAC
context, as well as user supplied key. Currently it has no real use cases.
Due to BZ1792, the user has no way to get correct size of context buffer
after it's fixed, and then cannot make use of HmacXxxInit to initialize
it.
So it's decided to replace it with HmacXxxSetKey to keep the functionality
of supplying a key to HMAC, but drop all other initialization works. The
user can still get HMAC context via HmacXxxNew interface, which hides the
details about the context.
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2389
Currently RSA signing scheme support is available for MD5, SHA-1 or
SHA-256 algorithms.The fix is to extend this support for SHA384 and
SHA512.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Signed-off-by: Pavana.K <pavana.k@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) incorrectly placed "ms/uplink.h" in the
auto-generated part of [Sources], in "OpensslLib.inf".
("ms/uplink.h" was added in the right spot in "OpensslLibCrypto.inf".)
Subsequently, when commit 9f4fbd56d4 ("CryptoPkg/OpensslLib: Update
process_files.pl to generate .h files", 2019-10-30) re-generated that part
of "OpensslLib.inf", the "ms/uplink.h" file reference was lost. This
triggers a warning from the "build" utility now.
Name the header file in the right spot in [Sources].
This change makes "OpensslLib.inf" consistent with "OpensslLibCrypto.inf".
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
When diffing "OpensslLib.inf" against "OpensslLibCrypto.inf", the *only*
differences should be:
- BASE_NAME, MODULE_UNI_FILE, and FILE_GUID are expected to differ, in
[Defines];
- "OpensslLib.inf" is expected to list "$(OPENSSL_PATH)/ssl/..." source
files in the auto-generated part of the [Sources] section.
Commit 8906f076de ("CryptoPkg/OpensslLib: Add missing header files in
INF file", 2019-08-16) broke that invariant, by adding "buildinf.h" and
"rand_pool_noise.h" in different order to both INF files.
Fix that order in "OpensslLib.inf" now. (Note that this does not
re-establish full consistency between both INF files -- it just highlights
another problem, which we'll fix in the next patch.)
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Fixes: 8906f076de
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
https://bugzilla.tianocore.org/show_bug.cgi?id=2315
Add YAML file to the package directory with the
configuration of the checks to perform during a
CI build.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Upgrade openssl from 1.1.1b to 1.1.1d.
Something needs to be noticed is that, there is a bug existing in the
released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226
Besides, the absense of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".
shm.h and utsname.h are added to avoid GCC build failure.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Using the inet_pton() function that we imported in the previous patches,
recognize if "HostName" is an IP address literal, and then parse it into
binary representation. Passing the latter to OpenSSL for server
certificate validation is important, per RFC-2818
<https://tools.ietf.org/html/rfc2818#section-3.1>:
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present in
> the certificate and must exactly match the IP in the URI.
Note: we cannot use X509_VERIFY_PARAM_set1_ip_asc() because in the OpenSSL
version that is currently consumed by edk2, said function depends on
sscanf() for parsing IPv4 literals. In
"CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c", we only provide an
empty -- always failing -- stub for sscanf(), however.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Suggested-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).
We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:
$ git show \
964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
> CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package). That source file has a number of
standard C and BSD socket dependencies. Provide those dependencies here:
- The header files below will simply #include <CrtLibSupport.h>:
- arpa/inet.h
- arpa/nameser.h
- netinet/in.h
- sys/param.h
- sys/socket.h
- EAFNOSUPPORT comes from "StdLib/Include/errno.h", at commit
e2d3a25f1a31; which is the commit immediately preceding the removal of
StdLib from edk2 (964f432b9b).
Note that the other error macro, which we alread #define, namely EINVAL,
has a value (22) that also matches "StdLib/Include/errno.h".
- The AF_INET and AF_INET6 address family macros come from
"StdLib/Include/sys/socket.h".
- The NS_INT16SZ, NS_INADDRSZ and NS_IN6ADDRSZ macros come from
"StdLib/Include/arpa/nameser.h".
- The "u_int" and "u_char" types come from "StdLib/Include/sys/types.h".
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
According to the ISO C standard, strchr() is a function. We #define it as
a macro. Unfortunately, our macro evaluates the first argument ("str")
twice. If the expression passed for "str" has side effects, the behavior
may be undefined.
In a later patch in this series, we're going to resurrect "inet_pton.c"
(originally from the StdLib package), which calls strchr() just like that:
strchr((xdigits = xdigits_l), ch)
strchr((xdigits = xdigits_u), ch)
To enable this kind of function call, turn strchr() into a function.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
In the patch, we add the new API "TlsSetVerifyHost" for the TLS
protocol to set the specified host name that need to be verified.
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20190927034441.3096-3-Jiaxin.wu@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
There are missing headers added into INF files at 8906f076de35b222a..
They are now manually added but not auto-generated. So we update the
perl script to enable this feature.
Meanwhile, update the order of the .h files in INF files, which are
auto-generated now.
https://bugzilla.tianocore.org/show_bug.cgi?id=2085
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1603
With this change, global variable _fltused will not be removed by LTO
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2257
Add a Null instance of the BaseCryptLib class. This lib instance
can be used as a template for new implementations of the BaseCryptLib
class and can also be used to reduce CI build times for build
checks that depend on the BaseCryptLib class.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2258
Add a Null instance of the TlsLib class. This lib instance
can be used as a template for new implementations of the TlsLib
class and can also be used to reduce CI build times for build
checks that depend on the TlsLib class.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2254
Update CryptoPkg.dsc to guarantee all libraries and modules
are always built. Add the following components.
* CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Update attribute "Out" to "out".
The original "Out" can not pass ECC check.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
The header files are used but missing in INF,which causes
warning message when building them.
https://bugzilla.tianocore.org/show_bug.cgi?id=2036
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=1910
edk2/Readme.md has added a section to explain the correct clone
commands for submodules. Detailed steps in the OpenSSL-HOWTO.txt
are removed to avoid any inconsistency.
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Liming Gao <liming.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928
1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
2. Implement stub implementation function in CryptHkdfNull.c file.
3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
RuntimeCryptLib.inf and SmmCryptLib.inf
Signed-off-by: Gary West <Gary.West@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2027
Refer to CSS_2_1 5.7.2.1 "Non-Boolean comparisons must use a
compare operator (==, !=, >, < >=, <=).", use compare operator
for the non-boolean comparisons.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
The BaseTools build feature introduced for TianoCore#1804 / in commit
1fa6699e6c ("BaseTools: Add a checking for Sources section in INF file",
2019-06-10) logs some (non-fatal) warnings about unlisted internal header
files. List those files explicitly.
Note: header files are added in lexicographical order only if the
underlying INF file already keeps the [Sources] and [LibraryClasses]
sections in lexicographical order. Otherwise, header files are added in
rough "logical" order.
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1881
Commit(0a1b13fd4d) fix VS2017 build failure
remove useless file in OpensslLib[Crypto].inf,
but we use process_files.pl to generate files.
So exclude err_all.c file in process_files.pl
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1926
This problem was found by Rebecca Cran <rebecca@bluestop.org>.
REF: https://edk2.groups.io/g/devel/topic/32100684
OpenSSL will automatically load a system config file which configures
default ssl options. In UEFI, It will cause TlsInitialize failed
without OPENSSL_INIT_NO_LOAD_CONFIG flag. we don't use this feature,
So disable it.
Re-run process_files.py to generate OpensslLib[Crypto].inf files.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Re-run process_files.py to generate OpensslLib[Crypto].inf.
CryptoPkg/Library/Include/openssl/opensslconf.h is coped from OpenSSL,
So keep the CR/LF style like OpenSSL source file.
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
CryptoPkg\Library\Include\CrtLibSupport.h maps strxxxx interfaces to
edk2 PrintLib interfaces but related module inf file don't claim the
use of it. This will cause unresolved symbol issue with VS2017 build
which has enabled strict symbol check. This patch resolves the problem
by adding PrintLib to inf files.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
When use clang-3.8 to build the NetworkPkg, compiler optimization
may use memcpy for memory copy. For example:
CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_rsa.c:918: undefined
reference to `memcpy'`
Compiler optimization is sophisticated, but we can work around it
use __attribute__((__used__)) to informs the compiler that symbol
should be retained in the object file, even if it may be
unreferenced.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1878
This issue is specific to VS2017 which tries to resolve symbol referenced
by a symbol not really referenced eventually.
ossl_init_load_crypto_strings
-> err_load_crypto_strings_int (not really referenced)
-> ERR_load_OSSL_STORE_strings
Because OPENSSL_NO_ERR and OPENSSL_NO_AUTOERRINIT are not defined by
default, err_load_crypto_strings_int() will not be actually referenced
by ossl_init_load_crypto_strings().
Since err_load_crypto_strings_int() is not actually referenced at all,
the fix can be done simply by removing crypto/err/err_all.c from build.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
When building CryptoPkg with XCODE, blow error may result
* usr/lib/clang/9.0.0/include/stdatomic.h:105:17:
error: unknown type name 'wchar_t'
Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it
* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
uninitialized
when used here [-Werror,-Wuninitialized]
Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Commit c51f8bae7c ("CryptoPkg: Fix possible build problem with
Clang") added -std=c99 to the CLANG38 compiler command line of
packages that incorporate parts of OpenSSL, to ensure that the new
C atomics code used by OpenSSL for refcounting (which we don't care
about) does not pull in system C library headers, which we cannot
rely on when (cross)building EDK2 code.
Unsurprisingly, CLANG35 (which is only defined for ARM and AARCH64)
suffers from the exact same issue, so let's add the same flags
there as well.
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
OpenSSL internally redefines the size of HMAC_CTX at
crypto/hmac/hmac_lcl.h(OpenSSL commit e0810e35).
Ref: https://github.com/openssl/openssl/pull/4338
We should not use it directly and should remove relevant
functions(Hmac*GetContextSize).
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1792
But for compatiblility, temporarily change these definition
of HMAC_*_CTX_SIZE.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
* Update OpenSSL submodule to OpenSSL_1_1_1b
OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
* Run process_files.pl script to regenerate OpensslLib[Crypto].inf
and opensslconf.h
* Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
which was first released as part of OpenSSL_1_1_1.
* Starting with OpenSSL commit 8a8d9e1905(first release in
OpenSSL_1_1_1), the OpenSSL_version() function can no longer
return a pointer to the string literal "compiler: information
not available", in the case CFLAGS macro is not defined.
Instead, the function now has a hard dependency on the global
variable 'compiler_flags'. This variable is normally placed
by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
run that script whenever we build OpenSSL, therefore we
must provide our own dummy 'compiler_flags'.
* BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
And it is declared in stdio.h. So add it to CrtLibSupport.h.
Here's a discussion about this.
Ref: https://github.com/openssl/openssl/issues/8904
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
* From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
updated DRBG / RAND to request nonce and additional low entropy
randomness from system(line 229 openssl/CHANGES).
Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
for UEFI. We must provide a method to implenet these method.
TSC is used as first entropy source if it's availabe otherwise
fallback to TimerLib. But we are not sure the amount of randomness
they provide. If you really care about the security, one choice is
overrided it with hardware generator.
Add rand_pool.c to implement these functions required by OpenSSL
rand_pool_acquire_entropy
rand_pool_add_nonce_data
rand_pool_add_additional_data
rand_pool_init
rand_pool_cleanup
rand_pool_keep_random_devices_open
And add rand_pool_noise.* for getting entropy noise from different
architecture.
* We don't need ossl_store functions. We exclude relative files
through process_files.pl. And ossl_store_cleanup_int was first
added in crypto/init.c OpenSSL_1_1_1(71a5516d).
So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
function.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
When building CryptoPkg with Clang, blow error may result
* /usr/lib/llvm-3.8/lib/clang/3.8.0/include/stdatomic.h:105:17: error:
unknown type name 'wchar_t'
Since the C native atomics are C11 feature we can explicitly
use C99 to work around it.
add -std=c99 to avoid it
* openssl/crypto/conf/conf_sap.c:71:12: error: variable 'ret' is
uninitialized
when used here [-Werror,-Wuninitialized]
Suppress warnings in OpenSSL so we don't break the build with -Werror.
add -Wno-error=uninitialized to disalbe this warning
Cc: Ting Ye <ting.ye@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
Disable warning for building OpenSSL_1_1_1b
add /wd4132 /wd4700 /wd4310 for Visual Studio in OpensslLib[Crypto].inf
add -Wno-error=unused-but-set-variable for GCC in OpensslLib[Crypto].inf
Although this option is set in some build environments by default.
But this is only for OpenSSL compilation, no matter how the
default options change.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
This is for the upcoming upgrade to OpenSSL_1_1_1b
Compiler optimization(Visual Studio) may automatically use _ftol2
instead of some type conversion. For example:
OpensslLib.lib(drbg_lib.obj) : error LNK2001:
unresolved external symbol __ftol2
This patch add _ftol2 function for the compiler intrinsic.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
When running process_files.py to configure OpenSSL, we can exclude
some unnecessary files. This can reduce porting time, compiling
time and library size.
Upstream OpenSSL commit 71a5516dcc8a which was as part of
OpenSSL_1_1_1b, Add the STORE module(crypto/store/*).
But UEFI don't use them. So exclude these files.
Functions in crypto/rand/randfile.c OpenSSL and edk2 don't
call them. And it requires more crt runtime support.
So exclude it.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
OpenSSL configure mechanism use --with-rand-seed=xxx option to configure
random number generation.
OpenSSL_1_1_0j(74f2d9c1ec5f5510e1d3da5a9f03c28df0977762)
we use default --with-rand-seed=os option to for building it.
But OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
only support seeding NONE for UEFI(rand_unix.c line 93).
This OpenSSL change was introduced in commit
8389ec4b4950 ("Add --with-rand-seed", 2017-07-22).
So add --with-rand-seed=none to process_files.pl.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1805
CryptRandItc.c is only for IPF arch, which has not been supported any
more in edk2. And no module actually reference this file. This patch
just removes it from tree.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1736
For accroding with the doxygen special documention blocks
in section 2.3.5, removing the blank line in the file comments
of the file header for PeiCryptLib.inf
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
When building OpenSSL, the OpenBSD/FreeBSD/DFBSD code in crypto/uid.c
calls issetugid(). Add the declaration of this function to
CrtLibSupport.h to avoid the need to patch the openssl code on these
platforms.
Signed-off-by: Rebecca Cran <rebecca@bluestop.org>
Reviewed-by: Jian Wang <jian.j.wang@intel.com>
Christopher Zurcher
Yi Li
Qi Zhang
Wenyi Xie
Min Xu
Rebecca Cran
Gerd Hoffmann
Michael Kubacki
Li, Zhihao
Michael D Kinney
Bob Morgan
Stewart, Chris (SW Architect) via groups.io
Christopher Zurcher
xueshengfeng
Agrawal, Sachin
Sergei Dmitrouk
Dandan Bi
Liu Wei
Kun Qin
Gao, Zhichao
Jian J Wang
Matthew Carlson
Shenglei Zhang
Abner Chang
Guomin Jiang
GuoMinJ
Zurcher, Christopher J
Amol N Sukerkar
Antoine Coeur
Pavana.K
Laszlo Ersek
Liming Gao
Wu, Jiaxin
Sean Brogan
Gary West
Xiaoyu Lu
Bret Barkelew
Ard Biesheuvel
rebecca via Groups.Io