sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
31,018 Commits 13 Branches 33 Tags
fd1820b7ea09e53e404d6f56bb8bc4b51a5dd83e
Commit Graph

368 Commits

Author SHA1 Message Date
Min Xu
b1567b2e15 CryptoPkg: Add SecCryptLib 
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853

This is the Cryptographic library instance for SEC. The motivation of
this library is to support SHA384 in SEC phase for Td guest. So only
Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other
cryptographics are added with the null version, such as CryptMd5Null.c.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
 2022-06-03 11:41:36 +00:00
Rebecca Cran
e9eeb0ad2b CryptoPkg: Remove RVCT support 
RVCT is obsolete and no longer used.
Remove support for it.

Signed-off-by: Rebecca Cran <quic_rcran@quicinc.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
 2022-05-13 14:58:54 +00:00
Yi Li
a332ffb6ef CryptoPkg/openssl: update generated files 
Run process_files.pl with the current openssl submodule version.

Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-05-11 00:04:39 +00:00
Yi Li
499b0d5fa5 CryptoPkg: Update process_files.pl to automatically add PCD config option 
Recommend from Gerd:
(2) Keep the EC config option, but update process_files.pl to
  automatically add the PcdEcEnabled config option handling
  to the files it generates.

When remove 'no-ec' from openssl configure list, will automatically remove
'OPENSSL_NO_EC', 'OPENSSL_NO_ECDH', 'OPENSSL_NO_ECDSA', 'OPENSSL_NO_TLS1_3',
form header, and add '/ec/.', '/sm2/.' files to INF files.

Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-05-11 00:04:39 +00:00
Yi Li
f753c36209 CryptoPkg: Separate auto-generated openssl config and edk2 openssl config 
Move auto-generated openssl config to openssl/opensslconf_generated,
 And openssl/opensslconf.h will contain both edk2 conditional openssl
 feature and openssl/opensslconf_generated.
Will make two part more clear.
New conditional feture code in opensslconf.h will look like:

/* Autogenerated conditional openssl feature list starts here */
[.....]
/* Autogenerated conditional openssl feature list ends here */

Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-05-11 00:04:39 +00:00
Yi Li
43613b2fe8 CryptoPkg: Rename PCD about openssl EC configuration 
PcdOpensslXXXEnabled is a more appropriate choice.

Signed-off-by: Yi Li <yi1.li@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-05-11 00:04:39 +00:00
Yi Li
b06a007b64 CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3828

Tls/Base/Pei/Smm/RuntimeCryptLib.inf will use OpensslLib,
and the opensslconf.h in openssllib will use PcdEcEnabled,
but it is not declared in the inf file now,
it will cause warnings in some compilers.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-21 05:06:37 +00:00
Gerd Hoffmann
532bd4ec38 CryptoPkg/Crt: fix strcpy build on older VS compilers 
Drop 'restrict' keyword which older visual studio compiler
versions complain about.

Fixes: fab6285a73 ("CryptoPkg/CrtLibSupport: fix strcpy")
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-20 10:56:03 +00:00
Michael Kubacki
f3da13461c CryptoPkg/TlsLibNull: Remove MU_CHANGE comment markers 
MU_CHANGE tags are used in a different project (Project Mu) to
highlight deviations from Tianocore. Therefore, the comments are
not needed when the changes are present in a Tianocore repository.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-14 14:50:20 +00:00
yi1 li
0c901fcc20 CryptoPkg: Make EC source file config-able 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3828

Use PCD gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled to config-able
source files list in OpensslLib.inf and OpensslLibCrypto.inf.
If PcdEcEnabled equals to FALSE, this file will not be compiled.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: yi1 li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-14 03:16:59 +00:00
yi1 li
efc39e65e5 CryptoPkg: Reconfigure OpensslLib to add EC algorithms 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3828

Reconfigure OpensslLib to add elliptic curve cipher algorithms.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: yi1 li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-14 03:16:59 +00:00
yi1 li
1a49e2aa3c CryptoPkg: Add instrinsics to support building ECC on IA32 windows 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679

This dependency is needed to build openssl lib with ECC ciphers
under IA32 Windows and adds implementation for _allmul and _allshr
instrinsics.

It is taken from Project Mu:
microsoft/mu_basecore@b55b341

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: yi1 li <yi1.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-04-14 03:16:59 +00:00
Gerd Hoffmann
fab6285a73 CryptoPkg/CrtLibSupport: fix strcpy 
strcpy() returns a pointer to the destination string, AsciiStrCpyS()
does not.  So a simple #define does not work.  Create a function
instead.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
03951e5645 CryptoPkg/CrtLibSupport: add off_t 
Add typedef for off_t.
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
fd5f347c84 CryptoPkg/CrtLibSupport: add MODULESDIR 
Add dummy MODULESDIR #define
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
2759e42fbc CryptoPkg/CrtLibSupport: add UINT_MAX 
Add define for UINT_MAX.
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
58771f4b2d CryptoPkg/CrtLibSupport: add INT_MIN 
Add #define for INT_MIN.
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
3b4b49cf00 CryptoPkg/CrtLibSupport: add strstr() 
Add #define for strstr().
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Gerd Hoffmann
4352d115c4 CryptoPkg/CrtLibSupport: add fcntl.h 
Add fcntl.h header file.
Will be needed by openssl 3.0.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2022-04-12 14:39:01 +00:00
Li, Zhihao
355515a06a CryptoPkg? Redefinition bug in CrtLibSupport.h. 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3885

Parallel hash patch redefines uint_64 type in CrtLibSupport.h
which has been defined in openssl/include/openssl/e_os2.h.
CryptMd5.c including e_os2.h cause redefinition bug.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>

Signed-off-by: Zhihao Li <zhihao.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-03-26 10:40:04 +00:00
Gerd Hoffmann
4a2e1000a1 CryptoPkg: update openssl submodule to 1.1.1n 
Pick up bugfixes from latest openssl release.  Includes CVE-2022-0778
fix (I don't think edk2 is affected though due to EC being disabled).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-03-26 07:14:45 +00:00
Zhihao Li
c1e662101a CryptoPkg: Add new hash algorithm ParallelHash256HashAll in BaseCryptLib. 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3596

Parallel hash function ParallelHash256HashAll, as defined in NIST's
Special Publication 800-185, published December 2016. It utilizes
multi-process to calculate the digest.

Passed CI test.
Onprotocol version code passed test.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>

Signed-off-by: Zhihao Li <zhihao.li@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2022-03-18 06:49:18 +00:00
Michael Kubacki
7c34237831 CryptoPkg: Apply uncrustify changes 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737

Apply uncrustify changes to .c/.h files in the CryptoPkg package

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2021-12-07 17:24:28 +00:00
Michael D Kinney
e3b855f283 CryptoPkg: Change complex DEBUG_CODE() to DEBUG_CODE_BEGIN/END() 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767

Update use of DEBUG_CODE(Expression) if Expression is a complex code
block with if/while/for/case statements that use {}.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2021-12-07 17:24:28 +00:00
Michael D Kinney
c8f46130f8 CryptoPkg: Change OPTIONAL keyword usage style 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760

Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2021-12-07 17:24:28 +00:00
Bob Morgan
f22feb0e3b CryptoPkg/BaseCryptLib: Eliminate extra buffer copy in Pkcs7Verify() 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3617

Create a read-only openSSL BIO wrapper for the existing input
buffer passed to Pkcs7Verify() instead of copying the buffer
into an empty writable BIO which causes memory allocations
within openSSL.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Bob Morgan <bobm@nvidia.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2021-10-13 01:45:18 +00:00
Stewart, Chris (SW Architect) via groups.io
7b4a99be8a CryptoPkg: BaseCryptLib fix incorrect param order 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3550

Function ConvertAsn1TimeToEfiTime initializes timestamp to zeroes with
SetMem, but the actual parameters are out of order. The result is
the SetMem operation has no effect. The fix is to put the actual
parameters in the correct order.

Signed-off-by: Chris Stewart <chris.stewart@hp.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
 2021-08-24 00:35:06 +00:00
Christopher Zurcher
147f34b56c CryptoPkg/OpensslLib: Commit the auto-generated assembly files for X64 
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507

Adding the auto-generated assembly files for X64 architectures.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Mike Kinney <michael.d.kinney@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Christopher Zurcher <christopher.zurcher@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2021-07-26 07:30:11 +00:00
Christopher Zurcher
878a92a887 CryptoPkg/OpensslLib: Add native instruction support for X64 
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507

Adding OpensslLibX64.inf and modifying process_files.pl to process this
file and generate the necessary assembly files.
Adding OpensslLibX64Gcc.inf to allow building with GCC toolchain.
ApiHooks.c contains a stub function for a Windows API call.
uefi-asm.conf contains the limited assembly configurations for OpenSSL.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Mike Kinney <michael.d.kinney@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Christopher Zurcher <christopher.zurcher@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2021-07-26 07:30:11 +00:00
xueshengfeng
eba32695ee CryptoPkg/BaseCryptLib: Enabled CryptSha512 for Smm/Runtime drivers 
Intel Platform utility Syscfg/sysfwupdt will trigger SMI
to enter BIOS interface. then BIOS invoke EncodePassword
in SMM mode to check password.
it's need sha384(in CryptSha512.c) in SMM mode.

the origin SmmCryptLib.lib size is 1389KB,
after changed, the size is 1391KB.

the origin RuntimeCryptLib.lib size is 911KB,
after changed,the size is 913KB.

in SmmCryptLib.inf and RuntimeCryptLib.inf,
change CryptSha512NULL.c to CryptSha512.c.

https://bugzilla.tianocore.org/show_bug.cgi?id=3423

Signed-off-by: xueshengfeng <xueshengfeng@byosoft.com.cn>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2021-06-24 02:46:14 +00:00
Agrawal, Sachin
20ca528828 CryptoPkg: BaseCryptLib: Update Salt length requirement for RSA-PSS scheme. 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3455

Enforce salt length to be equal to digest length for RSA-PSS
encoding scheme.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2021-06-23 15:19:44 +00:00
Sergei Dmitrouk
15ee7b7689 CryptoPkg/BaseCryptLib: Fix possible uninitialized use 
`Result` can be used uninitialized in both functions after following
either first or second `goto` statement.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Sergei Dmitrouk <sergei@posteo.net>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2021-05-19 01:39:49 +00:00
Sachin Agrawal
22ac5cc9d9 CryptoPkg: BaseCryptLib: Add RSA PSS verify support 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3314

This patch uses Openssl's EVP API's to perform RSASSA-PSS verification
of a binary blob.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2021-05-14 03:35:33 +00:00
Michael D Kinney
d0bf83e1cc CryptoPkg/Library/Include: Allow CPU specific defines to be predefined 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3308

The EDK II Build Specifications do not restrict the set of
CPU architectures that can be supported.  Remove places in
the EDK II that assume a fixed set of CPU architectures.

Update SIXTY_FOUR_BIT and THIRTY_TWO_BIT defines in the
CryptoPkg to allow one of them to be predefined on the EDK II
build command line using /D flag or in DSC file [BuildOptions]
sections.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Abner Chang <abner.chang@hpe.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Abner Chang <abner.chang@hpe.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2021-04-15 15:58:44 +00:00
Liu Wei
0ecdcb6142 CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1j 
Update openssl from 1.1.1g to 1.1.1j. Current OpenSSL version
1.1.1g contains the vulnerabilities of CVE-2021-23841 and
CVE-2021-23840. The related vulnerable API EVP_DecryptUpdate
are used in drivers.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3266

Besides, the opensslconf.h automatically generated by process_files.pl.
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Liu Wei <weix.c.liu@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2021-03-23 05:37:56 +00:00
Kun Qin
21f984cede CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2459

SignerCert is part of Pkcs7 instance when both have valid content. OpenSLL
PKCS7_free function will release the memory of SignerCert when applicable.
Freeing SignerCert with X509_free again might cause page fault if use-
after-free guard is enabled.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2020-11-26 03:22:24 +00:00
Gao, Zhichao
e6a12a0fc8 CryptoPkg: Make the MD5 disable as default for security 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

Make the deprecated MD5 disable as default setting for
security.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Message-Id: <20201112055558.2348-14-zhichao.gao@intel.com>
 2020-11-17 19:26:50 +00:00
Jian J Wang
26442d11e6 CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584) 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914

AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
signed authenticode pkcs#7 data. when this successfully returns, a type
check is done by calling PKCS7_type_is_signed() and then
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
blob that successfully decodes and have d2i_PKCS7() return a valid pointer
and have PKCS7_type_is_signed() also return success  but have Pkcs7->d.sign
be a NULL pointer.

Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
pkcs7 structs it does the following:
- call PKCS7_type_is_signed()
- call PKCS7_get_detached()
Looking into how PKCS7_get_detatched() is implemented, it checks to see if
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.

As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
- Add call to PKS7_get_detached() to existing error handling

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
 2020-10-21 06:32:46 +00:00
Matthew Carlson
694bfd6ff5 CryptoPkg: BaseCryptLib: Add unit tests (Host and Shell based) 
This adds a new INF for BaseCryptLib suitable for
host based environments. It adds a host based unit test for
BaseCryptLib that can also be built as a shell based Unit Test.

In addition, this also adds a UnitTestHostCrtWrapper.c file, which provides
some of the functionality not provided by the default host based unit test
system that OpenSSL expects. This is used by UnitTestHostBaseCryptLib, a
version of the BaseCryptLib meant specifically for host based unit testing.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2020-10-18 00:49:58 +00:00
Wang, Jian J
52dbaaeace CryptoPkg/BaseCryptLib: add crypto algorithms needed by variable protection 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594

Crypto algorithms, hkdf-sha256/hmac-sha256/aes, are needed to verify
integrity of variable data, derive hmac and encryption keys, and
encrypt/decrypt varible. Replacing null version source code with real
implementations makes sure we can enable full functionalities of protected
variable later.

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
 2020-09-29 05:58:58 +00:00
Matthew Carlson
b5701a4c7a CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool 
Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
This allows platforms to decide for themsevles what sort of entropy source
they provide to OpenSSL and TlsLib.

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>

Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
 2020-09-18 02:19:21 +00:00
Abner Chang
be01087e07 CryptoPkg/Library: Remove the redundant build option 
Remove the redundant build option for RISCV64 architecture.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2848

Signed-off-by: Abner Chang <abner.chang@hpe.com>

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>
 2020-08-12 04:25:48 +00:00
Guomin Jiang
8c30327deb CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g 
Upgrade openssl to 1.1.1g. the directory have been reorganized,
openssl moved crypto/include/internal to include/crypto folder.
So we change directory to match the re-organization.

The dso_conf.h and opensslconf.h will generated in UNIX format,
change process_files.pl to covent the EOL automatically.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2020-07-25 06:27:14 +00:00
Zhichao Gao
0f01cec52f CryptoPkg/BaseCryptLib: Add MARCO to disable the deprecated SHA1 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682

SHA1 is deprecated but it is required for compatible issue.
So add a MARCO for the platform to disable the usage of SHA1 for
security.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2020-06-29 05:25:55 +00:00
Zhichao Gao
acfd555795 CryptoPkg/BaseCryptLib: Add MARCO to disable the deprecated MD5 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682

MD5 is deprecated but it is required for compatible issue.
So add a MARCO for the platform to disable the usage of MD5 for
security.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
 2020-06-29 05:25:55 +00:00
Zhichao Gao
b99917ce3e CryptoPkg/opensslconf.h: Covert the file ending to dos format 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Convert file ending of the crypto created openssl config file -
opensslconf.h from '\n' to '\r\n' to make align the line ending and
pass the patch check.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
 2020-05-15 07:22:36 +00:00
Zhichao Gao
c812d3209c CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
 2020-05-15 07:22:36 +00:00
Zhichao Gao
b6174e2d09 CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC MD5 is not secure any longer.
Remove the HMAC MD5 support from edk2.
Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
 2020-05-15 07:22:36 +00:00
Zhichao Gao
89db28b9c9 CryptoPkg/OpensslLib: Remove the Aes Ecb file in the OpensslLib 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Add the unrequired aes_ecb files in process_files.pl and run it
thru perl.
It would remove the unrequired aes_ecb files from OpensslLib inf.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
 2020-05-15 07:22:36 +00:00
Zhichao Gao
80e28dcec8 CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Aes Ecb mode is not secure any longer.
Remove the Aes Ecb mode support from edk2.
Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
 2020-05-15 07:22:36 +00:00