summaryrefslogtreecommitdiff
path: root/CryptoPkg
AgeCommit message (Collapse)AuthorFilesLines
2017-08-03edk2: Move License.txt file to rootMichael D Kinney1-25/+0
https://bugzilla.tianocore.org/show_bug.cgi?id=642 Add top level License.txt file with the BSD 2-Clause License that is used by the majority of the EKD II open source project content. Merge copyright statements from the BSD 2-Clause License files in each package directory and remove the duplication License.txt file from package directories. Cc: Leif Lindholm <leif.lindholm@linaro.org> Cc: Andrew Fish <afish@apple.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-03edk2: Move TianoCore Contribution Agreement to rootMichael D Kinney1-218/+0
https://bugzilla.tianocore.org/show_bug.cgi?id=629 Move Contributions.txt that contains the TianoCore Contribution Agreement 1.0 to the root of the edk2 repository and remove the duplicate Contributions.txt files from all packages. Cc: Leif Lindholm <leif.lindholm@linaro.org> Cc: Andrew Fish <afish@apple.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-02CryptoPkg/TlsLib: Remove the redundant free of BIO objectsJiaxin Wu1-9/+1
TLS BIO objects (InBio/OutBio) will be freed by SSL_free() function. So, the following free operation (BIO_free) in TlsFree is redundant. It can be removed directly. Cc: Ye Ting <ting.ye@intel.com> Cc: Long Qin <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2017-07-15CryptoPkg/OpensslLib AARCH64: clear XIP CC flagsArd Biesheuvel2-0/+22
Commit 0df6c8c157af ("BaseTools/tools_def AARCH64: avoid SIMD registers in XIP code") updated the compiler flags used by AARCH64 when building modules (including BASE libraries) that may execute before the MMU is enabled. This broke the build for OpensslLib/OpensslLibCrypto because the SIMD register file is shared with the FPU, and since OpenSSL contains some references to float/double types (which are mostly unused for UEFI btw), disabling floating point prevents the compiler from building OpenSSL at all. So for OpensslLib[Crypto], we need to override the XIP CC flags, to remove the -mgeneral-regs-only compiler flag again. When introducing the support for XIP CC flags, we were aware that this would affect BASE libraries as well, but were not expecting this to have any performance impact. However, in the case of software crypto, it makes sense not to needlessly inhibit the compiler's ability to generate fast code, and even if OpenssLib is a BASE library, it is guaranteed not to run with the MMU off. So omit -mstrict-align from the local XIP CC flags override as well. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> Acked-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com>
2017-05-22CryptoPkg/BaseCryptLib: Add NULL pointer checks in DH and P7VerifyLong Qin2-4/+10
Add more NULL pointer checks before using them in DhGenerateKey and Pkcs7GetCertificatesList functions to eliminate possible dereferenced pointer issue. Cc: Ting Ye <ting.ye@intel.com> Cc: Hao Wu <hao.a.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-05-05CryptoPkg: Update package version to 0.97Long Qin2-3/+3
Update package version of CryptoPkg to 0.97. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-05-02CryptoPkg/SmmCryptLib: Enable HMAC-SHA256 support for SMM.Long Qin1-2/+2
Enable HMAC-SHA256 cipher support in SmmCryptLib instance. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-04-14CryptoPkg: Correct some minor issues in function commentsLong Qin2-10/+10
Correct some minor comment issues in BaseCryptLib.h and CryptPkcs7Verify.c, including: - missed "out" in parameter property for ARC4 interfaces; - Wrong Comment tail in Pkcs7GetAttachedContent function Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-04-07CryptoPkg IntrinsicLib: Remove GCC -fno-builtin optionLiming Gao1-2/+1
GCC -fno-builtin option is added into tools_def.template at 90defe7198a42b3157ae5d9b93714f891cf06e57. So, there is no need to set it in module INF file. Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
2017-04-07CryptoPkg/BaseCryptLib: Adding NULL checking in time() wrapper.Qin Long1-2/+4
There are some explicit time(NULL) calls in openssl-1.1.0xx source, but the dummy time() wrapper in ConstantTimeClock.c (used by PEI and SMM module) has no any checks on NULL parameter. This is one bug and will cause the memory access issue. This patch adds the NULL parameter checking in time() wrapper. Cc: Ting Ye <ting.ye@intel.com> Cc: Eric Dong <eric.dong@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07CryptoPkg: Fix possible unresolved external symbol issue.Qin Long2-1/+10
The compiler (visual studio) may optimize some explicit strcmp call in openssl source to use the intrinsic memcmp call. In CrtLibSupport.h, we just use #define to mapping memcmp to CompareMem API. So in Link phase, this kind of intrinsic optimization will cause the "unresolved external symbol" error. For example: OpensslLib.lib(v3_utl.obj) : error LNK2001: unresolved external symbol _memcmp This patch will keep the memcmp mapping, and provide extra Intrinsic memcmp wrapper to satisfy the symbol link. Cc: Ting Ye <ting.ye@intel.com> Cc: Feng Tian <feng.tian@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07CryptoPkg/OpensslLib: Suppress extra build warnings in openssl sourceQin Long2-10/+20
(Need further follow-ups as described in https://bugzilla.tianocore.org/show_bug.cgi?id=455) This patch added some extra build options to suppress possible warnings when building openssl source under GCC48 and VS2010. Including: Adding "-Wno-error=maybe-uninitialized" to suppress the following GCC48 build warning: OpensslLib/openssl/ssl/statem/statem_clnt.c:2543:9: error: "len" may be used uninitialized in this function [-Werror=maybe-uninitialized] len += pskhdrlen; ^ And adding "/wd4306" to suppress the following VS2010 build warning: openssl\crypto\asn1\tasn_dec.c(795) : warning C4306: 'type cast' : conversion from 'int' to 'ASN1_VALUE *' of greater size Cc: Ting Ye <ting.ye@intel.com> Cc: Hao Wu <hao.a.wu@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-04-07CryptoPkg: Move openssl and CRT headers to private include sectionLong Qin21-1/+4
Moving the header files for openssl and CRT wrappers to the private include section, since these files should be referenced by CryptoPkg internally. This update was supported by new [Includes.Common.Private] setting in Package DEC file. The external consumer modules should only use the interfaces defined in BaseCryptLib.h to access crypto functions. This change will be helpful to immediately detect any illegal direct reference to internal openssl headers. The Perl script "process_files.pl" was also updated to reflect the new private include path. Cc: Gao Liming <liming.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-04-06CryptoPkg: Convert files to CRLF line endingHao Wu8-2916/+2923
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
2017-03-30CryptoPkg/BaseCryptLib: Fix Build Warning issue in PEI ModuleQin Long1-1/+2
The memory free operation is empty function in PEI. The compiler optimization will bring the build warning in openssl/crypto/mem.c: warning C4718: 'CRYPTO_free': recursive call has no side effects, deleting This patch uses '/wd4718' to silence the build warning for PEI module building. Cc: Ting Ye <ting.ye@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Hao Wu <hao.a.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2017-03-29CryptoPkg/TlsLib: Update TLS Wrapper to align with OpenSSL changes.Qin Long3-46/+31
This patch update the wrapper implementation in TlsLib to align with the latest OpenSSL-1.1.0xx API changes. Cc: Ting Ye <ting.ye@intel.com> Cc: Palmer Thomas <thomas.palmer@hpe.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-03-29CryptoPkg: Update PK Cipher Wrappers work with opaque objects.Qin Long7-249/+218
OpenSSL-1.1.xx makes most data structures opaque. This patch updates Public Key Cipher Wrapper implementations in BaseCryptLib to use the accessor APIs for opaque object access. The impacted interfaces includes RSA, DH, X509, PKCS7, etc. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Gary Lin <glin@suse.com>
2017-03-29CryptoPkg: Update HMAC Wrapper with opaque HMAC_CTX object.Qin Long7-29/+411
OpenSSL-1.1.xx makes most data structures opaque. This patch updated HMAC Wrapper implementation with opaque HMAC_CTX object. The HmacXXGetContextSize() is marked as deprecated, and updated to use the fixed HMAC_CTX size, which is just kept for compatibility. New APIs (HmacXXNew(), HmacXXFree()) were added as the recommended HMAC_CTX usage interfaces for HMAC-XXXX operations. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29CryptoPkg: Add extra build option to disable VS build warningQin Long6-8/+38
openssl/include/openssl/lhash.h will bring C4090 build warning issue, which is one known issue for OpenSSL under Visual Studio toolchain. Refer to https://github.com/openssl/openssl/issues/2214 for more discussions against this. Use /wd4090 to silence this build warning until OpenSSL fix this. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2017-03-29CryptoPkg: Clean-up CRT Library Wrapper.Qin Long39-731/+346
Cleaning-up CRT Library Wrapper for the third-party cryptography library building. The changes includes 1. Rename OpenSslSupport.h to CrtLibSupport.h for future alternative crypto provider support. 2. Remove all un-referenced CRT APIs and headers. (NOTE: More cleans-up could be possible after OpenSSL integrate the extra PR request: https://github.com/openssl/openssl/pull/2961) Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Gary Lin <glin@suse.com>
2017-03-29CryptoPkg: Fix handling of &strcmp function pointersQin Long2-3/+8
In a couple of places, OpenSSL code uses the address of the strcmp() function, and assigns it to another comparator function pointer. Unfortunately, this falls foul of the inconsistent function ABI that we use in EDKII. We '#define strcmp AsciiStrCmp' but AsciiStrCmp is an EFIAPI function with the Microsoft ABI. And we're assigning its address to a non-EFIAPI function, which may well have a different ABI. Fix this by providing an actual strcmp() function in the default ABI. We already *had* a prototype for it in OpenSslSupport.h, which was then superseded by the #define strcmp AsciiStrCmp. Now, OpenSSL code *can* use &strcmp without problems. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Gary Lin <glin@suse.com>
2017-03-29CryptoPkg/OpensslLib: Add new OpenSSL-HOWTO document.Qin Long2-1/+54
Add one new OpenSSL-HOWTO.txt to introduce how to clone / download the latest OpenSSL release source for build. ALso update buildinf.h to reflect the latest update time. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Gary Lin <glin@suse.com> Tested-by: Gary Lin <glin@suse.com>
2017-03-29CryptoPkg/OpensslLib: Add new Perl script for file list generation.Qin Long2-110/+223
OpenSSL-1.1.0xx configure mechanism was updated with new configdata. This patch update process_file.sh script to new Perl-based script for auto generation of file list and openssl config file (opensslconf.h). This only needs to be done once by a developer when updating to a new version of OpenSSL (or changing options, etc.). Normal users do not need to do this, since the results are already stored in the EDK2 git repository. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29CryptoPkg/OpensslLib: Remove patch file and installation scripts.Qin Long4-2317/+0
This patch removes the EDKII-openssl-xxxx.patch, installation scripts, and Patch-HOWTO.txt which were used for old OpenSSL-1.0.2xx enabling. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29CryptoPkg: Update .gitignore for OpenSSL source maskingQin Long1-2/+1
Updates .gitignore that masks the OpenSSL source: 1. Remove "Include/openssl" from .gitignore since we needn't duplicate openssl headers now 2. Update "openssl-*" to "openssl*", since we use "openssl" instead of "openssl-x.x.xx" as main source directory. Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-03-29CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0x buildQin Long7-1337/+1142
Update OpensslLib INF files to support OpenSSL-1.1.0x source build. The file list was generated from the latest OpenSSL-1.1.0e release. Main changes to support OpensslLib build in this patch include: 1. Use "openssl" instead of "openssl-x.x.xx" as main source directory, Also update include path in CryptoPkg.dec 2. Enable warnings in GCC builds; 3. Update Visual Studio build options to silence current possible build warnings. 4. Move the default opensslconf.h to Include/openssl, and add one dummy dso_conf.h for native UEFI build. The OpensslLib module build was validated as build -t VSXXXX -a XX -p CryptoPkg/CryptoPkg.dsc -m CryptoPkg/Library/OpensslLib/OpensslLib.inf (NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect further optimizations from community) Cc: Ting Ye <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Ronald Cron <ronald.cron@arm.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Gary Lin <glin@suse.com>
2017-03-15CryptoPkg:SmmCryptLib: Add real Pkcs5Pbkdf2.c.Jiewen Yao1-2/+2
Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
2017-03-06CryptoPkg: Refine type cast for pointer subtractionHao Wu1-3/+3
For pointer subtraction, the result is of type "ptrdiff_t". According to the C11 standard (Committee Draft - April 12, 2011): "When two pointers are subtracted, both shall point to elements of the same array object, or one past the last element of the array object; the result is the difference of the subscripts of the two array elements. The size of the result is implementation-defined, and its type (a signed integer type) is ptrdiff_t defined in the <stddef.h> header. If the result is not representable in an object of that type, the behavior is undefined." In our codes, there are cases that the pointer subtraction is not performed by pointers to elements of the same array object. This might lead to potential issues, since the behavior is undefined according to C11 standard. Also, since the size of type "ptrdiff_t" is implementation-defined. Some static code checkers may warn that the pointer subtraction might underflow first and then being cast to a bigger size. For example: UINT8 *Ptr1, *Ptr2; UINTN PtrDiff; ... PtrDiff = (UINTN) (Ptr1 - Ptr2); The commit will refine the pointer subtraction expressions by casting each pointer to UINTN first and then perform the subtraction: PtrDiff = (UINTN) Ptr1 - (UINTN) Ptr2; Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-28CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2kQin Long7-36/+36
v2: Re-generate the patch after the new OpensslLibCrypto instance. OpenSSL 1.0.2k was released with several severity fixes at 26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt). This patch is to upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2k. Cc: Ye Ting <ting.ye@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2017-02-25CryptoPkg/OpensslLib: introduce OpensslLibCrypto instanceLaszlo Ersek3-6/+582
Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library instance unconditionally. If a platform doesn't include the TLS modules, such as - CryptoPkg/Library/TlsLib/TlsLib.inf - NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf - NetworkPkg/TlsDxe/TlsDxe.inf then the platform never actually uses the libssl functionality that gets built into "OpensslLib.inf". Tomas Hoger from Red Hat Product Security tells me that security evaluation is less demanding if we can actually *exclude* the libssl files from such OVMF builds that don't specify -D TLS_ENABLE (rather than just trust modules not to call libssl functions if we don't specify -D TLS_ENABLE). This patch introduces a parallel OpensslLib instance called "OpensslLibCrypto" that is appropriate for platform builds without TLS enablement. It does not build C source files in vain, and it eases security review -- all libssl vulnerabilities can be excluded at once. "OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines. "process_files.sh" is extended to auto-generate the list of OpenSSL files for both library instances accordingly. This list is updated in "OpensslLibCrypto.inf" at once. "OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni", highlighting the difference. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Tomas Hoger <thoger@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2017-02-25CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00Laszlo Ersek2-6/+1
Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) removed the "no-queue" configuration option in "process_files.sh", plus it enabled "process_files.sh" to place all libssl source files into "OpensslLib.inf". However, the patch apparently failed to capture two changes originating from the above actions: - the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not removed from "opensslconf.h", - "ssl/ssl_conf.c" was not added to "OpensslLib.inf". Refresh these files, completing commit 32387e0081db. I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Tomas Hoger <thoger@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2017-01-06CryptoPkg/TlsLib: Refine the coding style.Jiaxin Wu2-4/+4
Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Long Qin <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2016-12-22CryptoPkg: Add new TlsLib libraryJiaxin Wu9-0/+2706
v2: * Code refine and Typo fix: TlsHandeAlert -> TlsHandleAlert This patch is used to add new TlsLib library, which is wrapped over OpenSSL. The implementation provides TLS library functions for EFI TLS protocol and EFI TLS Configuration Protocol. Cc: Ye Ting <ting.ye@intel.com> Cc: Long Qin <qin.long@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Zhang Lubo <lubo.zhang@intel.com> Cc: Thomas Palmer <thomas.palmer@hpe.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-12-22CryptoPkg: Enable ssl build in OpensslLib directlyJiaxin Wu6-7/+75
This patch is used to enable ssl build in OpensslLib module directly. Cc: Wu Jiaxin <jiaxin.wu@intel.com> Cc: Ye Ting <ting.ye@intel.com> Cc: Long Qin <qin.long@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Zhang Lubo <lubo.zhang@intel.com> Cc: Thomas Palmer <thomas.palmer@hpe.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Tested-by: Wu Jiaxin <jiaxin.wu@intel.com>
2016-11-11CryptoPkg/BaseCryptLib: Make comments consistent with the functionDandan Bi3-9/+9
Correct the unaligned parameter names in comments (BaseCryptLib.h and HMAC-SHA256 wrapper implementation) Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-07CryptoPkg: Fix typos in commentsGary Lin26-84/+84
- intialized -> initialized - componenet -> component - compoents -> components - FAlSE -> FALSE - responsiblity -> responsibility - validility -> validity - procudure -> procedure - pamameter -> parameter - randome -> random - buiild -> build Cc: Ting Ye <ting.ye@intel.com> Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-11-02CryptoPkg: Add PKCS5 PBKDF2 interface for password derivation.Qin Long11-6/+319
Add one new API (Pkcs5HashPassword) to provide PKCS#5 v2.0 PBKDF2 support (Password based encryption key derivation function, specified in RFC 2898). Also update the Cryptest utility to include the new API testing (with the test vector from RFC6070). Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02CryptoPkg: Add HMAC-SHA256 cipher supportQin Long8-9/+510
Add new HMAC-SHA256 cipher support in CryptoPkg to meet more security and industry requirements, and update Cryptest utility to include new HMAC-SHA256 test case. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-11-02CryptoPkg: Add xxxxHashAll APIs to facilitate the digest computationQin Long9-10/+589
Add new xxxxHashAll APIs to facilitate the digest computation of blob data. New APIs include: Md4HashAll(), Md5HashAll(), Sha1HashAll(), Sha256HashAll(), Sha384HashAll(), and Sha512HashAll(). The corresponding test cases were added in Cryptest utility. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-09-30CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2jQin Long6-143/+62
Two official releases (OpenSSL 1.0.2i and 1.0.2j) were available with several severity fixes at 22-Sep-2016 and 26-Sep-2016. Refer to https://www.openssl.org/news/secadv/20160922.txt and https://www.openssl.org/news/secadv/20160926.txt. This patch is to upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2j. Cc: Ting Ye <ting.ye@intel.com> Cc: David Woodhouse <David.Woodhouse@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-09-21CryptoPkg: Clean up unreferenced symbol in Cryptest utility.Qin Long1-137/+0
Remove "TSCounterSignature" from TSVerify.c, which is not being used by anyone. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-08-11CryptoPkg: Fix "responsiblity" typosThomas Huth3-15/+15
It's "responsibility", not "responsiblity". Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11CryptoPkg: Fix capitalization of path name in Patch-HOWTO.txtThomas Huth1-1/+1
It's "OpensslLib", not "OpenSslLib" - not a big issue, but the typo is annoying when trying to copy-n-paste the path name to use it on the command line on Linux. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-08-11CryptoPkg IntrinsicLib: Add the missing nasm source fileLiming Gao3-1/+100
Add two name files IntrinsicLib Ia32 MathLShiftS64.nasm and MathRShiftU64.nasm Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-08-08CryptoPkg DSC: Add build option to disable deprecated APIsHao Wu1-0/+3
Add the following definition in the [BuildOptions] section in package DSC files to disable APIs that are deprecated: [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-07-21MdePkg CryptoPkg EdkCompatibilityPkg: retire NO_BUILTIN_VA_FUNCS defineArd Biesheuvel1-1/+1
This is never set anymore, so unsetting it or testing whether it is unset no longer makes any sense. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-By: Liming Gao <liming.gao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-21CryptoPkg: set new define to avoid MS ABI VA_LIST on GCC/X64Ard Biesheuvel1-1/+1
Set the #define NO_MSABI_VA_FUNCS that will be introduced in a subsequent patch to avoid the use of the MS ABI in variadic functions. In EDK2, such functions normally require the EFIAPI modifier to be used, but for external libraries such as OpenSSL, which lack these annotations, it is easier to simply revert to the default SysV style VA_LIST ABI. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Tested-By: Liming Gao <liming.gao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-07-20CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2hQin Long6-69/+62
OpenSSL 1.0.2h was released with several severity fixes at 03-May-2016 (https://www.openssl.org/news/secadv/20160503.txt). Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2h. Cc: Ting Ye <ting.ye@intel.com> Cc: David Woodhouse <David.Woodhouse@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
2016-07-12CryptoPkg BaseCryptLib: Init the content of struct 'CertCtx' before useHao Wu1-1/+3
Some fields in structure 'CertCtx' might be used uninitialized in function Pkcs7GetCertificatesList(). This commit makes sure that 'CertCtx' gets initialized before being used. Cc: Long Qin <qin.long@intel.com> Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
2016-07-12CryptoPkg BaseCryptLib: Avoid passing NULL ptr to function BN_bn2bin()Hao Wu1-2/+6
This commit modifies the code logic to avoid passing NULL pointer to function BN_bn2bin(). Cc: Long Qin <qin.long@intel.com> Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>