summaryrefslogtreecommitdiffstats
path: root/CryptoPkg/Library/BaseCryptLib
diff options
context:
space:
mode:
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib')
-rw-r--r--CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf29
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c2
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c354
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c231
-rw-r--r--CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf40
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c24
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c10
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c147
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c31
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c4
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c729
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c48
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c95
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c30
-rw-r--r--CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf37
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf34
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.S83
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.c88
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.S62
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.c54
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.S77
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.c79
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.S66
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.c57
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.S89
-rw-r--r--CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.c93
26 files changed, 1708 insertions, 885 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 08e9c24dcc..151797aec6 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -3,7 +3,7 @@
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
-# This external input must be validated carefully to avoid security issues such as
+# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
@@ -11,10 +11,10 @@
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
-#
+#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
+#
##
[Defines]
@@ -37,6 +37,7 @@
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
+ Hash/CryptSha512.c
Hmac/CryptHmacMd5.c
Hmac/CryptHmacSha1.c
Cipher/CryptAes.c
@@ -49,6 +50,7 @@
Pk/CryptDh.c
Pk/CryptX509.c
Pk/CryptAuthenticode.c
+ Pk/CryptTs.c
Pem/CryptPem.c
SysCall/CrtWrapper.c
@@ -56,24 +58,6 @@
SysCall/BaseMemAllocation.c
[Sources.Ia32]
- SysCall/Ia32/MathMultS64x64.c | MSFT
- SysCall/Ia32/MathDivU64x64.c | MSFT
- SysCall/Ia32/MathReminderU64x64.c | MSFT
- SysCall/Ia32/MathLShiftS64.c | MSFT
- SysCall/Ia32/MathRShiftU64.c | MSFT
-
- SysCall/Ia32/MathMultS64x64.c | INTEL
- SysCall/Ia32/MathDivU64x64.c | INTEL
- SysCall/Ia32/MathReminderU64x64.c | INTEL
- SysCall/Ia32/MathLShiftS64.c | INTEL
- SysCall/Ia32/MathRShiftU64.c | INTEL
-
- SysCall/Ia32/MathMultS64x64.S | GCC
- SysCall/Ia32/MathDivU64x64.S | GCC
- SysCall/Ia32/MathReminderU64x64.S | GCC
- SysCall/Ia32/MathLShiftS64.S | GCC
- SysCall/Ia32/MathRShiftU64.S | GCC
-
Rand/CryptRandTsc.c
[Sources.X64]
@@ -106,4 +90,7 @@
# Remove these [BuildOptions] after this library is cleaned up
#
[BuildOptions]
+ # suppress the following warnings so we do not break the build with warnings-as-errors:
+ # C4305: truncation from type1 to type2 (Introduced by RFC3161 Timestamp ASN.1 declarations)
+ MSFT:*_*_*_CC_FLAGS = /wd4305
GCC:*_GCC44_IA32_CC_FLAGS = "-D__cdecl=__attribute__((cdecl))" "-D__declspec(t)=__attribute__((t))"
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
index dcf76913cc..e1c10e342c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
@@ -56,7 +56,7 @@ Md5Init (
//
// Check input parameters.
//
- if ((Md5Context == NULL)) {
+ if (Md5Context == NULL) {
return FALSE;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c
new file mode 100644
index 0000000000..491f45dce6
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c
@@ -0,0 +1,354 @@
+/** @file
+ SHA-384 and SHA-512 Digest Wrapper Implementations over OpenSSL.
+
+Copyright (c) 2014, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/sha.h>
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+ @return The size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha384GetContextSize (
+ VOID
+ )
+{
+ //
+ // Retrieves OpenSSL SHA-384 Context Size
+ //
+ return (UINTN) (sizeof (SHA512_CTX));
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for
+ subsequent use.
+
+ If Sha384Context is NULL, then return FALSE.
+
+ @param[out] Sha384Context Pointer to SHA-384 context being initialized.
+
+ @retval TRUE SHA-384 context initialization succeeded.
+ @retval FALSE SHA-384 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Init (
+ OUT VOID *Sha384Context
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha384Context == NULL) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-384 Context Initialization
+ //
+ return (BOOLEAN) (SHA384_Init ((SHA512_CTX *) Sha384Context));
+}
+
+/**
+ Makes a copy of an existing SHA-384 context.
+
+ If Sha384Context is NULL, then return FALSE.
+ If NewSha384Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Sha384Context Pointer to SHA-384 context being copied.
+ @param[out] NewSha384Context Pointer to new SHA-384 context.
+
+ @retval TRUE SHA-384 context copy succeeded.
+ @retval FALSE SHA-384 context copy failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Duplicate (
+ IN CONST VOID *Sha384Context,
+ OUT VOID *NewSha384Context
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha384Context == NULL || NewSha384Context == NULL) {
+ return FALSE;
+ }
+
+ CopyMem (NewSha384Context, Sha384Context, sizeof (SHA512_CTX));
+
+ return TRUE;
+}
+
+/**
+ Digests the input data and updates SHA-384 context.
+
+ This function performs SHA-384 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SHA-384 context should be already correctly intialized by Sha384Init(), and should not be finalized
+ by Sha384Final(). Behavior with invalid context is undefined.
+
+ If Sha384Context is NULL, then return FALSE.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-384 data digest succeeded.
+ @retval FALSE SHA-384 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Update (
+ IN OUT VOID *Sha384Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha384Context == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Check invalid parameters, in case that only DataLength was checked in OpenSSL
+ //
+ if (Data == NULL && DataSize != 0) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-384 Hash Update
+ //
+ return (BOOLEAN) (SHA384_Update ((SHA512_CTX *) Sha384Context, Data, DataSize));
+}
+
+/**
+ Completes computation of the SHA-384 digest value.
+
+ This function completes SHA-384 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SHA-384 context cannot
+ be used again.
+ SHA-384 context should be already correctly intialized by Sha384Init(), and should not be
+ finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined.
+
+ If Sha384Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest
+ value (48 bytes).
+
+ @retval TRUE SHA-384 digest computation succeeded.
+ @retval FALSE SHA-384 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Final (
+ IN OUT VOID *Sha384Context,
+ OUT UINT8 *HashValue
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha384Context == NULL || HashValue == NULL) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-384 Hash Finalization
+ //
+ return (BOOLEAN) (SHA384_Final (HashValue, (SHA512_CTX *) Sha384Context));
+}
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+ @return The size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha512GetContextSize (
+ VOID
+ )
+{
+ //
+ // Retrieves OpenSSL SHA-512 Context Size
+ //
+ return (UINTN) (sizeof (SHA512_CTX));
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for
+ subsequent use.
+
+ If Sha512Context is NULL, then return FALSE.
+
+ @param[out] Sha512Context Pointer to SHA-512 context being initialized.
+
+ @retval TRUE SHA-512 context initialization succeeded.
+ @retval FALSE SHA-512 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Init (
+ OUT VOID *Sha512Context
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha512Context == NULL) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-512 Context Initialization
+ //
+ return (BOOLEAN) (SHA512_Init ((SHA512_CTX *) Sha512Context));
+}
+
+/**
+ Makes a copy of an existing SHA-512 context.
+
+ If Sha512Context is NULL, then return FALSE.
+ If NewSha512Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Sha512Context Pointer to SHA-512 context being copied.
+ @param[out] NewSha512Context Pointer to new SHA-512 context.
+
+ @retval TRUE SHA-512 context copy succeeded.
+ @retval FALSE SHA-512 context copy failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Duplicate (
+ IN CONST VOID *Sha512Context,
+ OUT VOID *NewSha512Context
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha512Context == NULL || NewSha512Context == NULL) {
+ return FALSE;
+ }
+
+ CopyMem (NewSha512Context, Sha512Context, sizeof (SHA512_CTX));
+
+ return TRUE;
+}
+
+/**
+ Digests the input data and updates SHA-512 context.
+
+ This function performs SHA-512 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SHA-512 context should be already correctly intialized by Sha512Init(), and should not be finalized
+ by Sha512Final(). Behavior with invalid context is undefined.
+
+ If Sha512Context is NULL, then return FALSE.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-512 data digest succeeded.
+ @retval FALSE SHA-512 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Update (
+ IN OUT VOID *Sha512Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha512Context == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Check invalid parameters, in case that only DataLength was checked in OpenSSL
+ //
+ if (Data == NULL && DataSize != 0) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-512 Hash Update
+ //
+ return (BOOLEAN) (SHA512_Update ((SHA512_CTX *) Sha512Context, Data, DataSize));
+}
+
+/**
+ Completes computation of the SHA-512 digest value.
+
+ This function completes SHA-512 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SHA-512 context cannot
+ be used again.
+ SHA-512 context should be already correctly intialized by Sha512Init(), and should not be
+ finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined.
+
+ If Sha512Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest
+ value (64 bytes).
+
+ @retval TRUE SHA-512 digest computation succeeded.
+ @retval FALSE SHA-512 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Final (
+ IN OUT VOID *Sha512Context,
+ OUT UINT8 *HashValue
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (Sha512Context == NULL || HashValue == NULL) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL SHA-512 Hash Finalization
+ //
+ return (BOOLEAN) (SHA384_Final (HashValue, (SHA512_CTX *) Sha512Context));
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c
new file mode 100644
index 0000000000..89aeacc74e
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c
@@ -0,0 +1,231 @@
+/** @file
+ SHA-384 and SHA-512 Digest Wrapper Implementations which does not provide real capabilities.
+
+Copyright (c) 2014, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+ Return zero to indicate this interface is not supported.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+Sha384GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for
+ subsequent use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] Sha384Context Pointer to SHA-384 context being initialized.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Init (
+ OUT VOID *Sha384Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-384 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Sha384Context Pointer to SHA-384 context being copied.
+ @param[out] NewSha384Context Pointer to new SHA-384 context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Duplicate (
+ IN CONST VOID *Sha384Context,
+ OUT VOID *NewSha384Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-384 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Update (
+ IN OUT VOID *Sha384Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-384 digest value.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest
+ value (48 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Final (
+ IN OUT VOID *Sha384Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+ Return zero to indicate this interface is not supported.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+Sha512GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for
+ subsequent use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] Sha512Context Pointer to SHA-512 context being initialized.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Init (
+ OUT VOID *Sha512Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-512 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Sha512Context Pointer to SHA-512 context being copied.
+ @param[out] NewSha512Context Pointer to new SHA-512 context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Duplicate (
+ IN CONST VOID *Sha512Context,
+ OUT VOID *NewSha512Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-512 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Update (
+ IN OUT VOID *Sha512Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-512 digest value.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest
+ value (64 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Final (
+ IN OUT VOID *Sha512Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 913e3e14b3..e5ae5952c1 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -3,24 +3,25 @@
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
-# This external input must be validated carefully to avoid security issues such as
+# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-# TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
-# Diffie-Hellman functions, X.509 certificate handler functions, authenticode
-# signature verification functions, PEM handler functions, and pseudorandom number
-# generator functions are not supported in this instance.
+# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+# HMAC-MD5 functions, HMAC-SHA1 functions, AES/TDES/ARC4 functions, RSA external
+# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
+# certificate handler functions, authenticode signature verification functions,
+# PEM handler functions, and pseudorandom number generator functions are not
+# supported in this instance.
#
# Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
-#
+#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
+#
##
[Defines]
@@ -42,6 +43,7 @@
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
+ Hash/CryptSha512Null.c
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Cipher/CryptAesNull.c
@@ -56,6 +58,7 @@
Pk/CryptDhNull.c
Pk/CryptX509Null.c
Pk/CryptAuthenticodeNull.c
+ Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
@@ -64,26 +67,6 @@
SysCall/ConstantTimeClock.c
SysCall/BaseMemAllocation.c
-
-[Sources.Ia32]
- SysCall/Ia32/MathMultS64x64.c | MSFT
- SysCall/Ia32/MathDivU64x64.c | MSFT
- SysCall/Ia32/MathReminderU64x64.c | MSFT
- SysCall/Ia32/MathLShiftS64.c | MSFT
- SysCall/Ia32/MathRShiftU64.c | MSFT
-
- SysCall/Ia32/MathMultS64x64.c | INTEL
- SysCall/Ia32/MathDivU64x64.c | INTEL
- SysCall/Ia32/MathReminderU64x64.c | INTEL
- SysCall/Ia32/MathLShiftS64.c | INTEL
- SysCall/Ia32/MathRShiftU64.c | INTEL
-
- SysCall/Ia32/MathMultS64x64.S | GCC
- SysCall/Ia32/MathDivU64x64.S | GCC
- SysCall/Ia32/MathReminderU64x64.S | GCC
- SysCall/Ia32/MathLShiftS64.S | GCC
- SysCall/Ia32/MathRShiftU64.S | GCC
-
[Packages]
MdePkg/MdePkg.dec
CryptoPkg/CryptoPkg.dec
@@ -101,4 +84,3 @@
#
[BuildOptions]
GCC:*_GCC44_IA32_CC_FLAGS = "-D__cdecl=__attribute__((cdecl))" "-D__declspec(t)=__attribute__((t))"
-
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
index 7b8bca53e7..9e933558e6 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@@ -9,7 +9,7 @@
AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
data structure.
-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -72,6 +72,7 @@ AuthenticodeVerify (
{
BOOLEAN Status;
PKCS7 *Pkcs7;
+ CONST UINT8 *Temp;
CONST UINT8 *OrigAuthData;
UINT8 *SpcIndirectDataContent;
UINT8 Asn1Byte;
@@ -96,7 +97,8 @@ AuthenticodeVerify (
//
// Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode Signature
//
- Pkcs7 = d2i_PKCS7 (NULL, &AuthData, (int)DataSize);
+ Temp = AuthData;
+ Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize);
if (Pkcs7 == NULL) {
goto _Exit;
}
@@ -123,7 +125,7 @@ AuthenticodeVerify (
// Un-matched SPC_INDIRECT_DATA_OBJID.
//
goto _Exit;
- }
+ }
SpcIndirectDataContent = (UINT8 *)(Pkcs7->d.sign->contents->d.other->value.asn1_string->data);
@@ -135,16 +137,27 @@ AuthenticodeVerify (
if ((Asn1Byte & 0x80) == 0) {
//
- // Short Form of Length Encoding
+ // Short Form of Length Encoding (Length < 128)
//
ContentSize = (UINTN) (Asn1Byte & 0x7F);
//
// Skip the SEQUENCE Tag;
//
SpcIndirectDataContent += 2;
+
+ } else if ((Asn1Byte & 0x81) == 0x81) {
+ //
+ // Long Form of Length Encoding (128 <= Length < 255, Single Octet)
+ //
+ ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2));
+ //
+ // Skip the SEQUENCE Tag;
+ //
+ SpcIndirectDataContent += 3;
+
} else if ((Asn1Byte & 0x82) == 0x82) {
//
- // Long Form of Length Encoding, only support two bytes.
+ // Long Form of Length Encoding (Length > 255, Two Octet)
//
ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2));
ContentSize = (ContentSize << 8) + (UINTN)(*(UINT8 *)(SpcIndirectDataContent + 3));
@@ -152,6 +165,7 @@ AuthenticodeVerify (
// Skip the SEQUENCE Tag;
//
SpcIndirectDataContent += 4;
+
} else {
goto _Exit;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
index 63fe78fc86..704eb4ec94 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
@@ -1,7 +1,7 @@
/** @file
PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -116,9 +116,9 @@ Pkcs7Sign (
if (Key == NULL) {
goto _Exit;
}
- Key->save_type = EVP_PKEY_RSA;
- Key->type = EVP_PKEY_type (EVP_PKEY_RSA);
- Key->pkey.rsa = (RSA *) RsaContext;
+ if (EVP_PKEY_assign_RSA (Key, (RSA *) RsaContext) == 0) {
+ goto _Exit;
+ }
//
// Convert the data to be signed to BIO format.
@@ -175,7 +175,7 @@ Pkcs7Sign (
}
CopyMem (*SignedData, P7Data + 19, *SignedDataSize);
-
+
OPENSSL_free (P7Data);
Status = TRUE;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 05c3f87743..d0b0c838b8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -10,7 +10,7 @@
WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -123,7 +123,7 @@ X509VerifyCb (
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise
return FALSE.
- @param[out] WrapData If return status of this function is TRUE:
+ @param[out] WrapData If return status of this function is TRUE:
1) when WrapFlag is TRUE, pointer to P7Data.
2) when WrapFlag is FALSE, pointer to a new ContentInfo
structure. It's caller's responsibility to free this
@@ -227,7 +227,7 @@ WrapPkcs7Data (
@param[in] X509Stack Pointer to a X509 stack object.
@param[out] Cert Pointer to a X509 certificate.
@param[out] CertSize Length of output X509 certificate in bytes.
-
+
@retval TRUE The X509 stack pop succeeded.
@retval FALSE The pop operation failed.
@@ -273,7 +273,7 @@ X509PopCertificate (
goto _Exit;
}
- Length = ((BUF_MEM *) CertBio->ptr)->length;
+ Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
if (Length <= 0) {
goto _Exit;
}
@@ -343,7 +343,7 @@ Pkcs7GetSigners (
PKCS7 *Pkcs7;
BOOLEAN Status;
UINT8 *SignedData;
- UINT8 *Temp;
+ CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
STACK_OF(X509) *Stack;
@@ -359,7 +359,7 @@ Pkcs7GetSigners (
(TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) {
return FALSE;
}
-
+
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
return Status;
@@ -410,7 +410,7 @@ Pkcs7GetSigners (
//
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
-
+
for (Index = 0; ; Index++) {
Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);
if (!Status) {
@@ -455,7 +455,7 @@ Pkcs7GetSigners (
*CertStack = CertBuf;
*StackLength = BufferSize;
Status = TRUE;
- }
+ }
_Exit:
//
@@ -485,7 +485,7 @@ _Exit:
if (OldBuf != NULL) {
free (OldBuf);
}
-
+
return Status;
}
@@ -549,18 +549,18 @@ Pkcs7Verify (
X509 *Cert;
X509_STORE *CertStore;
UINT8 *SignedData;
- UINT8 *Temp;
+ CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
//
// Check input parameters.
//
- if (P7Data == NULL || TrustedCert == NULL || InData == NULL ||
+ if (P7Data == NULL || TrustedCert == NULL || InData == NULL ||
P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) {
return FALSE;
}
-
+
Pkcs7 = NULL;
DataBio = NULL;
Cert = NULL;
@@ -578,18 +578,23 @@ Pkcs7Verify (
if (EVP_add_digest (EVP_sha256 ()) == 0) {
return FALSE;
}
+ if (EVP_add_digest (EVP_sha384 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest (EVP_sha512 ()) == 0) {
+ return FALSE;
+ }
if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {
return FALSE;
}
-
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
return Status;
}
Status = FALSE;
-
+
//
// Retrieve PKCS#7 Data (DER encoding)
//
@@ -613,7 +618,8 @@ Pkcs7Verify (
//
// Read DER-encoded root certificate and Construct X509 Certificate
//
- Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
+ Temp = TrustedCert;
+ Cert = d2i_X509 (NULL, &Temp, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
@@ -675,3 +681,114 @@ _Exit:
return Status;
}
+
+/**
+ Extracts the attached content from a PKCS#7 signed data if existed. The input signed
+ data could be wrapped in a ContentInfo structure.
+
+ If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow,
+ then return FAlSE. If the P7Data is not correctly formatted, then return FALSE.
+
+ Caution: This function may receive untrusted input. So this function will do
+ basic check for PKCS#7 data structure.
+
+ @param[in] P7Data Pointer to the PKCS#7 signed data to process.
+ @param[in] P7Length Length of the PKCS#7 signed data in bytes.
+ @param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
+ It's caller's responsiblity to free the buffer.
+ @param[out] ContentSize The size of the extracted content in bytes.
+
+ @retval TRUE The P7Data was correctly formatted for processing.
+ @retval FALSE The P7Data was not correctly formatted for processing.
+
+*/
+BOOLEAN
+EFIAPI
+Pkcs7GetAttachedContent (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT VOID **Content,
+ OUT UINTN *ContentSize
+ )
+{
+ BOOLEAN Status;
+ PKCS7 *Pkcs7;
+ UINT8 *SignedData;
+ UINTN SignedDataSize;
+ BOOLEAN Wrapped;
+ CONST UINT8 *Temp;
+ ASN1_OCTET_STRING *OctStr;
+
+ //
+ // Check input parameter.
+ //
+ if ((P7Data == NULL) || (P7Length > INT_MAX) || (Content == NULL) || (ContentSize == NULL)) {
+ return FALSE;
+ }
+
+ *Content = NULL;
+ Pkcs7 = NULL;
+ SignedData = NULL;
+ OctStr = NULL;
+
+ Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
+ if (!Status || (SignedDataSize > INT_MAX)) {
+ goto _Exit;
+ }
+
+ Status = FALSE;
+
+ //
+ // Decoding PKCS#7 SignedData
+ //
+ Temp = SignedData;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDataSize);
+ if (Pkcs7 == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // The type of Pkcs7 must be signedData
+ //
+ if (!PKCS7_type_is_signed (Pkcs7)) {
+ goto _Exit;
+ }
+
+ //
+ // Check for detached or attached content
+ //
+ if (PKCS7_get_detached (Pkcs7)) {
+ //
+ // No Content supplied for PKCS7 detached signedData
+ //
+ *Content = NULL;
+ *ContentSize = 0;
+ } else {
+ //
+ // Retrieve the attached content in PKCS7 signedData
+ //
+ OctStr = Pkcs7->d.sign->contents->d.data;
+ if ((OctStr->length > 0) && (OctStr->data != NULL)) {
+ *ContentSize = OctStr->length;
+ *Content = malloc (*ContentSize);
+ if (*Content == NULL) {
+ *ContentSize = 0;
+ goto _Exit;
+ }
+ CopyMem (*Content, OctStr->data, *ContentSize);
+ }
+ }
+ Status = TRUE;
+
+_Exit:
+ //
+ // Release Resources
+ //
+ PKCS7_free (Pkcs7);
+
+ if (!Wrapped) {
+ OPENSSL_free (SignedData);
+ }
+
+ return Status;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
index 9a4c77a2fe..09b92c7f15 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
@@ -2,7 +2,7 @@
PKCS#7 SignedData Verification Wrapper Implementation which does not provide
real capabilities.
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2012 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -98,3 +98,32 @@ Pkcs7Verify (
ASSERT (FALSE);
return FALSE;
}
+
+/**
+ Extracts the attached content from a PKCS#7 signed data if existed. The input signed
+ data could be wrapped in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 signed data to process.
+ @param[in] P7Length Length of the PKCS#7 signed data in bytes.
+ @param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
+ It's caller's responsiblity to free the buffer.
+ @param[out] ContentSize The size of the extracted content in bytes.
+
+ @retval TRUE The P7Data was correctly formatted for processing.
+ @retval FALSE The P7Data was not correctly formatted for processing.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetAttachedContent (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT VOID **Content,
+ OUT UINTN *ContentSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
index 5c21d121f5..b890704a2e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
@@ -243,7 +243,9 @@ _Exit:
}
/**
- Validates key components of RSA context.
+ Validates key components of RSA context.
+ NOTE: This function performs integrity checks on all the RSA key material, so
+ the RSA key structure must contain all the private key data.
This function validates key compoents of RSA context in following aspects:
- Whether p is a prime
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
new file mode 100644
index 0000000000..7d269b0458
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -0,0 +1,729 @@
+/** @file
+ RFC3161 Timestamp Countersignature Verification over OpenSSL.
+ The timestamp is generated by a TimeStamping Authority (TSA) and asserts that a
+ publisher's signature existed before the specified time. The timestamp extends
+ the lifetime of the signature when a signing certificate expires or is later
+ revoked.
+
+Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pkcs7.h>
+
+//
+// OID ASN.1 Value for SPC_RFC3161_OBJID ("1.3.6.1.4.1.311.3.3.1")
+//
+UINT8 mSpcRFC3161OidValue[] = {
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x03, 0x03, 0x01
+ };
+
+///
+/// The messageImprint field SHOULD contain the hash of the datum to be
+/// time-stamped. The hash is represented as an OCTET STRING. Its
+/// length MUST match the length of the hash value for that algorithm
+/// (e.g., 20 bytes for SHA-1 or 16 bytes for MD5).
+///
+/// MessageImprint ::= SEQUENCE {
+/// hashAlgorithm AlgorithmIdentifier,
+/// hashedMessage OCTET STRING }
+///
+typedef struct {
+ X509_ALGOR *HashAlgorithm;
+ ASN1_OCTET_STRING *HashedMessage;
+} TS_MESSAGE_IMPRINT;
+
+//
+// ASN.1 Functions for TS_MESSAGE_IMPRINT
+//
+DECLARE_ASN1_FUNCTIONS (TS_MESSAGE_IMPRINT)
+ASN1_SEQUENCE (TS_MESSAGE_IMPRINT) = {
+ ASN1_SIMPLE (TS_MESSAGE_IMPRINT, HashAlgorithm, X509_ALGOR),
+ ASN1_SIMPLE (TS_MESSAGE_IMPRINT, HashedMessage, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END (TS_MESSAGE_IMPRINT)
+IMPLEMENT_ASN1_FUNCTIONS (TS_MESSAGE_IMPRINT)
+
+///
+/// Accuracy represents the time deviation around the UTC time contained
+/// in GeneralizedTime of time-stamp token.
+///
+/// Accuracy ::= SEQUENCE {
+/// seconds INTEGER OPTIONAL,
+/// millis [0] INTEGER (1..999) OPTIONAL,
+/// micros [1] INTEGER (1..999) OPTIONAL }
+///
+typedef struct {
+ ASN1_INTEGER *Seconds;
+ ASN1_INTEGER *Millis;
+ ASN1_INTEGER *Micros;
+} TS_ACCURACY;
+
+//
+// ASN.1 Functions for TS_ACCURACY
+//
+DECLARE_ASN1_FUNCTIONS (TS_ACCURACY)
+ASN1_SEQUENCE (TS_ACCURACY) = {
+ ASN1_OPT (TS_ACCURACY, Seconds, ASN1_INTEGER),
+ ASN1_IMP_OPT (TS_ACCURACY, Millis, ASN1_INTEGER, 0),
+ ASN1_IMP_OPT (TS_ACCURACY, Micros, ASN1_INTEGER, 1)
+} ASN1_SEQUENCE_END (TS_ACCURACY)
+IMPLEMENT_ASN1_FUNCTIONS (TS_ACCURACY)
+
+///
+/// The timestamp token info resulting from a successful timestamp request,
+/// as defined in RFC 3161.
+///
+/// TSTInfo ::= SEQUENCE {
+/// version INTEGER { v1(1) },
+/// policy TSAPolicyId,
+/// messageImprint MessageImprint,
+/// -- MUST have the same value as the similar field in
+/// -- TimeStampReq
+/// serialNumber INTEGER,
+/// -- Time-Stamping users MUST be ready to accommodate integers
+/// -- up to 160 bits.
+/// genTime GeneralizedTime,
+/// accuracy Accuracy OPTIONAL,
+/// ordering BOOLEAN DEFAULT FALSE,
+/// nonce INTEGER OPTIONAL,
+/// -- MUST be present if the similar field was present
+/// -- in TimeStampReq. In that case it MUST have the same value.
+/// tsa [0] GeneralName OPTIONAL,
+/// extensions [1] IMPLICIT Extensions OPTIONAL }
+///
+typedef struct {
+ ASN1_INTEGER *Version;
+ ASN1_OBJECT *Policy;
+ TS_MESSAGE_IMPRINT *MessageImprint;
+ ASN1_INTEGER *SerialNumber;
+ ASN1_GENERALIZEDTIME *GenTime;
+ TS_ACCURACY *Accuracy;
+ ASN1_BOOLEAN Ordering;
+ ASN1_INTEGER *Nonce;
+ GENERAL_NAME *Tsa;
+ STACK_OF(X509_EXTENSION) *Extensions;
+} TS_TST_INFO;
+
+//
+// ASN.1 Functions for TS_TST_INFO
+//
+DECLARE_ASN1_FUNCTIONS (TS_TST_INFO)
+ASN1_SEQUENCE (TS_TST_INFO) = {
+ ASN1_SIMPLE (TS_TST_INFO, Version, ASN1_INTEGER),
+ ASN1_SIMPLE (TS_TST_INFO, Policy, ASN1_OBJECT),
+ ASN1_SIMPLE (TS_TST_INFO, MessageImprint, TS_MESSAGE_IMPRINT),
+ ASN1_SIMPLE (TS_TST_INFO, SerialNumber, ASN1_INTEGER),
+ ASN1_SIMPLE (TS_TST_INFO, GenTime, ASN1_GENERALIZEDTIME),
+ ASN1_OPT (TS_TST_INFO, Accuracy, TS_ACCURACY),
+ ASN1_OPT (TS_TST_INFO, Ordering, ASN1_FBOOLEAN),
+ ASN1_OPT (TS_TST_INFO, Nonce, ASN1_INTEGER),
+ ASN1_EXP_OPT(TS_TST_INFO, Tsa, GENERAL_NAME, 0),
+ ASN1_IMP_SEQUENCE_OF_OPT (TS_TST_INFO, Extensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END (TS_TST_INFO)
+IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)
+
+
+/**
+ Verification callback function to override any existing callbacks in OpenSSL
+ for intermediate TSA certificate supports.
+
+ @param[in] Status Original status before calling this callback.
+ @param[in] Context X509 store context.
+
+ @retval 1 Current X509 certificate is verified successfully.
+ @retval 0 Verification failed.
+
+**/
+int
+TSVerifyCallback (
+ IN int Status,
+ IN X509_STORE_CTX *Context
+ )
+{
+ X509_OBJECT *Obj;
+ INTN Error;
+ INTN Index;
+ INTN Count;
+
+ Obj = NULL;
+ Error = (INTN) X509_STORE_CTX_get_error (Context);
+
+ //
+ // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
+ // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
+ // can not be found in X509_verify_cert of X509_vfy.c.
+ // In order to support intermediate certificate node, we override the
+ // errors if the certification is obtained from X509 store, i.e. it is
+ // a trusted ceritifcate node that is enrolled by user.
+ // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+ // are also ignored to enable such feature.
+ //
+ if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
+ (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
+ Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
+ if (Obj == NULL) {
+ return 0;
+ }
+
+ Obj->type = X509_LU_X509;
+ Obj->data.x509 = Context->current_cert;
+
+ CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
+
+ if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
+ Status = 1;
+ } else {
+ //
+ // If any certificate in the chain is enrolled as trusted certificate,
+ // pass the certificate verification.
+ //
+ if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
+ Count = (INTN) sk_X509_num (Context->chain);
+ for (Index = 0; Index < Count; Index++) {
+ Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
+ if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
+ Status = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
+ }
+
+ if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
+ (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
+ Status = 1;
+ }
+
+ if (Obj != NULL) {
+ OPENSSL_free (Obj);
+ }
+
+ return Status;
+}
+
+/**
+ Convert ASN.1 GeneralizedTime to EFI Time.
+
+ @param[in] Asn1Time Pointer to the ASN.1 GeneralizedTime to be converted.
+ @param[out] SigningTime Return the corresponding EFI Time.
+
+ @retval TRUE The time convertion succeeds.
+ @retval FALSE Invalid parameters.
+
+**/
+BOOLEAN
+EFIAPI
+ConvertAsn1TimeToEfiTime (
+ IN ASN1_TIME *Asn1Time,
+ OUT EFI_TIME *EfiTime
+ )
+{
+ CONST CHAR8 *Str;
+ UINTN Index;
+
+ if ((Asn1Time == NULL) || (EfiTime == NULL)) {
+ return FALSE;
+ }
+
+ Str = (CONST CHAR8*)Asn1Time->data;
+ SetMem (EfiTime, 0, sizeof (EFI_TIME));
+
+ Index = 0;
+ if (Asn1Time->type == V_ASN1_UTCTIME) { /* two digit year */
+ EfiTime->Year = (Str[Index++] - '0') * 10;
+ EfiTime->Year += (Str[Index++] - '0');
+ if (EfiTime->Year < 70) {
+ EfiTime->Year += 100;
+ }
+ } else if (Asn1Time->type == V_ASN1_GENERALIZEDTIME) { /* four digit year */
+ EfiTime->Year = (Str[Index++] - '0') * 1000;
+ EfiTime->Year += (Str[Index++] - '0') * 100;
+ EfiTime->Year += (Str[Index++] - '0') * 10;
+ EfiTime->Year += (Str[Index++] - '0');
+ if ((EfiTime->Year < 1900) || (EfiTime->Year > 9999)) {
+ return FALSE;
+ }
+ }
+
+ EfiTime->Month = (Str[Index++] - '0') * 10;
+ EfiTime->Month += (Str[Index++] - '0');
+ if ((EfiTime->Month < 1) || (EfiTime->Month > 12)) {
+ return FALSE;
+ }
+
+ EfiTime->Day = (Str[Index++] - '0') * 10;
+ EfiTime->Day += (Str[Index++] - '0');
+ if ((EfiTime->Day < 1) || (EfiTime->Day > 31)) {
+ return FALSE;
+ }
+
+ EfiTime->Hour = (Str[Index++] - '0') * 10;
+ EfiTime->Hour += (Str[Index++] - '0');
+ if (EfiTime->Hour > 23) {
+ return FALSE;
+ }
+
+ EfiTime->Minute = (Str[Index++] - '0') * 10;
+ EfiTime->Minute += (Str[Index++] - '0');
+ if (EfiTime->Minute > 59) {
+ return FALSE;
+ }
+
+ EfiTime->Second = (Str[Index++] - '0') * 10;
+ EfiTime->Second += (Str[Index++] - '0');
+ if (EfiTime->Second > 59) {
+ return FALSE;
+ }
+
+ /* Note: we did not adjust the time based on time zone information */
+
+ return TRUE;
+}
+
+/**
+
+ Check the validity of TimeStamp Token Information.
+
+ @param[in] TstInfo Pointer to the TS_TST_INFO structure.
+ @param[in] TimestampedData Pointer to the data to be time-stamped.
+ @param[in] DataSize Size of timestamped data in bytes.
+
+ @retval TRUE The TimeStamp Token Information is valid.
+ @retval FALSE Invalid TimeStamp Token Information.
+
+**/
+BOOLEAN
+EFIAPI
+CheckTSTInfo (
+ IN CONST TS_TST_INFO *TstInfo,
+ IN CONST UINT8 *TimestampedData,
+ IN UINTN DataSize
+ )
+{
+ BOOLEAN Status;
+ TS_MESSAGE_IMPRINT *Imprint;
+ X509_ALGOR *HashAlgo;
+ CONST EVP_MD *Md;
+ EVP_MD_CTX MdCtx;
+ UINTN MdSize;
+ UINT8 *HashedMsg;
+
+ //
+ // Initialization
+ //
+ Status = FALSE;
+ HashAlgo = NULL;
+ HashedMsg = NULL;
+
+ //
+ // -- Check version number of Timestamp:
+ // The version field (currently v1) describes the version of the time-stamp token.
+ // Conforming time-stamping servers MUST be able to provide version 1 time-stamp tokens.
+ //
+ if ((ASN1_INTEGER_get (TstInfo->Version)) != 1) {
+ return FALSE;
+ }
+
+ //
+ // -- Check Policies
+ // The policy field MUST indicate the TSA's policy under which the response was produced.
+ //
+ if (TstInfo->Policy == NULL) {
+ /// NOTE: Need to check if the requested and returned policies.
+ /// We have no information about the Requested TSA Policy.
+ return FALSE;
+ }
+
+ //
+ // -- Compute & Check Message Imprint
+ //
+ Imprint = TstInfo->MessageImprint;
+ HashAlgo = X509_ALGOR_dup (Imprint->HashAlgorithm);
+
+ Md = EVP_get_digestbyobj (HashAlgo->algorithm);
+ if (Md == NULL) {
+ goto _Exit;
+ }
+
+ MdSize = EVP_MD_size (Md);
+ HashedMsg = AllocateZeroPool (MdSize);
+ if (HashedMsg == NULL) {
+ goto _Exit;
+ }
+ EVP_DigestInit (&MdCtx, Md);
+ EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);
+ EVP_DigestFinal (&MdCtx, HashedMsg, NULL);
+ if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&
+ (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {
+ goto _Exit;
+ }
+
+ //
+ // -- Check Nonces
+ //
+ if (TstInfo->Nonce != NULL) {
+ //
+ // Nonces is optional, No error if no nonce is returned;
+ //
+ }
+
+ //
+ // -- Check if the TSA name and signer certificate is matched.
+ //
+ if (TstInfo->Tsa != NULL) {
+ //
+ // Ignored the optional Tsa field checking.
+ //
+ }
+
+ Status = TRUE;
+
+_Exit:
+ X509_ALGOR_free (HashAlgo);
+ if (HashedMsg != NULL) {
+ FreePool (HashedMsg);
+ }
+
+ return Status;
+}
+
+/**
+ Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet
+ X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").
+
+ If TSToken is NULL, then return FALSE.
+ If TimestampedData is NULL, then return FALSE.
+
+ @param[in] TSToken Pointer to the RFC3161 TimeStamp Token, which is generated
+ by a TSA and located in the software publisher's SignerInfo
+ structure.
+ @param[in] TokenSize Size of the TimeStamp Token in bytes.
+ @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER.
+ @param[in] CertSize Size of the trusted TSA certificate in bytes.
+ @param[in] TimestampedData Pointer to the data to be time-stamped.
+ @param[in] DataSize Size of timestamped data in bytes.
+ @param[out] SigningTime Return the time of timestamp generation time if the timestamp
+ signature is valid.
+
+ @retval TRUE The specified timestamp token is valid.
+ @retval FALSE Invalid timestamp token.
+
+**/
+BOOLEAN
+EFIAPI
+TimestampTokenVerify (
+ IN CONST UINT8 *TSToken,
+ IN UINTN TokenSize,
+ IN CONST UINT8 *TsaCert,
+ IN UINTN CertSize,
+ IN CONST UINT8 *TimestampedData,
+ IN UINTN DataSize,
+ OUT EFI_TIME *SigningTime
+ )
+{
+ BOOLEAN Status;
+ CONST UINT8 *TokenTemp;
+ PKCS7 *Pkcs7;
+ X509 *Cert;
+ CONST UINT8 *CertTemp;
+ X509_STORE *CertStore;
+ BIO *OutBio;
+ UINT8 *TstData;
+ UINTN TstSize;
+ CONST UINT8 *TstTemp;
+ TS_TST_INFO *TstInfo;
+
+ Status = FALSE;
+
+ //
+ // Check input parameters
+ //
+ if ((TSToken == NULL) || (TsaCert == NULL) || (TimestampedData == NULL) ||
+ (TokenSize > INT_MAX) || (CertSize > INT_MAX) || (DataSize > INT_MAX)) {
+ return FALSE;
+ }
+
+ //
+ // Initializations
+ //
+ if (SigningTime != NULL) {
+ SetMem (SigningTime, sizeof (EFI_TIME), 0);
+ }
+ Pkcs7 = NULL;
+ Cert = NULL;
+ CertStore = NULL;
+ OutBio = NULL;
+ TstData = NULL;
+ TstInfo = NULL;
+
+ //
+ // TimeStamp Token should contain one valid DER-encoded ASN.1 PKCS#7 structure.
+ //
+ TokenTemp = TSToken;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &TokenTemp, (int) TokenSize);
+ if (Pkcs7 == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // The timestamp signature (TSA's response) will be one PKCS#7 signed data.
+ //
+ if (!PKCS7_type_is_signed (Pkcs7)) {
+ goto _Exit;
+ }
+
+ //
+ // Read the trusted TSA certificate (DER-encoded), and Construct X509 Certificate.
+ //
+ CertTemp = TsaCert;
+ Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize);
+ if (Cert == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Setup X509 Store for trusted certificate.
+ //
+ CertStore = X509_STORE_new ();
+ if ((CertStore == NULL) || !(X509_STORE_add_cert (CertStore, Cert))) {
+ goto _Exit;
+ }
+
+ //
+ // Register customized X509 verification callback function to support
+ // trusted intermediate TSA certificate anchor.
+ //
+ CertStore->verify_cb = TSVerifyCallback;
+
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+
+ //
+ // Verifies the PKCS#7 signedData structure, and output the signed contents.
+ //
+ OutBio = BIO_new (BIO_s_mem ());
+ if (OutBio == NULL) {
+ goto _Exit;
+ }
+ if (!PKCS7_verify (Pkcs7, NULL, CertStore, NULL, OutBio, PKCS7_BINARY)) {
+ goto _Exit;
+ }
+
+ //
+ // Read the signed contents detached in timestamp signature.
+ //
+ TstData = AllocateZeroPool (2048);
+ if (TstData == NULL) {
+ goto _Exit;
+ }
+ TstSize = BIO_read (OutBio, (void *) TstData, 2048);
+
+ //
+ // Construct TS_TST_INFO structure from the signed contents.
+ //
+ TstTemp = TstData;
+ TstInfo = d2i_TS_TST_INFO (NULL, (const unsigned char **) &TstTemp,
+ (int)TstSize);
+ if (TstInfo == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Check TS_TST_INFO structure.
+ //
+ Status = CheckTSTInfo (TstInfo, TimestampedData, DataSize);
+ if (!Status) {
+ goto _Exit;
+ }
+
+ //
+ // Retrieve the signing time from TS_TST_INFO structure.
+ //
+ if (SigningTime != NULL) {
+ SetMem (SigningTime, sizeof (EFI_TIME), 0);
+ Status = ConvertAsn1TimeToEfiTime (TstInfo->GenTime, SigningTime);
+ }
+
+_Exit:
+ //
+ // Release Resources
+ //
+ PKCS7_free (Pkcs7);
+ X509_free (Cert);
+ X509_STORE_free (CertStore);
+ BIO_free (OutBio);
+ TS_TST_INFO_free (TstInfo);
+
+ if (TstData != NULL) {
+ FreePool (TstData);
+ }
+
+ return Status;
+}
+
+/**
+ Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
+ signature.
+
+ If AuthData is NULL, then return FALSE.
+
+ @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed
+ PE/COFF image to be verified.
+ @param[in] DataSize Size of the Authenticode Signature in bytes.
+ @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which
+ is used for TSA certificate chain verification.
+ @param[in] CertSize Size of the trusted certificate in bytes.
+ @param[out] SigningTime Return the time of timestamp generation time if the timestamp
+ signature is valid.
+
+ @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature.
+ @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data.
+
+**/
+BOOLEAN
+EFIAPI
+ImageTimestampVerify (
+ IN CONST UINT8 *AuthData,
+ IN UINTN DataSize,
+ IN CONST UINT8 *TsaCert,
+ IN UINTN CertSize,
+ OUT EFI_TIME *SigningTime
+ )
+{
+ BOOLEAN Status;
+ PKCS7 *Pkcs7;
+ CONST UINT8 *Temp;
+ STACK_OF(PKCS7_SIGNER_INFO) *SignerInfos;
+ PKCS7_SIGNER_INFO *SignInfo;
+ UINTN Index;
+ STACK_OF(X509_ATTRIBUTE) *Sk;
+ X509_ATTRIBUTE *Xa;
+ ASN1_TYPE *Asn1Type;
+ ASN1_OCTET_STRING *EncDigest;
+ UINT8 *TSToken;
+ UINTN TokenSize;
+
+ //
+ // Input Parameters Checking.
+ //
+ if ((AuthData == NULL) || (TsaCert == NULL)) {
+ return FALSE;
+ }
+
+ if ((DataSize > INT_MAX) || (CertSize > INT_MAX)) {
+ return FALSE;
+ }
+
+ //
+ // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
+ //
+ if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
+ (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0) {
+ return FALSE;
+ }
+
+ //
+ // Initialization.
+ //
+ Status = FALSE;
+ Pkcs7 = NULL;
+ SignInfo = NULL;
+
+ //
+ // Decode ASN.1-encoded Authenticode data into PKCS7 structure.
+ //
+ Temp = AuthData;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) DataSize);
+ if (Pkcs7 == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Check if there is one and only one signer.
+ //
+ SignerInfos = PKCS7_get_signer_info (Pkcs7);
+ if (!SignerInfos || (sk_PKCS7_SIGNER_INFO_num (SignerInfos) != 1)) {
+ goto _Exit;
+ }
+
+ //
+ // Locate the TimeStamp CounterSignature.
+ //
+ SignInfo = sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0);
+ if (SignInfo == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Locate Message Digest which will be the data to be time-stamped.
+ //
+ EncDigest = SignInfo->enc_digest;
+ if (EncDigest == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // The RFC3161 timestamp counterSignature is contained in unauthenticatedAttributes field
+ // of SignerInfo.
+ //
+ Sk = SignInfo->unauth_attr;
+ if (Sk == NULL) { // No timestamp counterSignature.
+ goto _Exit;
+ }
+
+ Asn1Type = NULL;
+ for (Index = 0; Index < (UINTN) sk_X509_ATTRIBUTE_num (Sk); Index++) {
+ //
+ // Search valid RFC3161 timestamp counterSignature based on OBJID.
+ //
+ Xa = sk_X509_ATTRIBUTE_value (Sk, (int)Index);
+ if ((Xa->object->length != sizeof (mSpcRFC3161OidValue)) ||
+ (CompareMem (Xa->object->data, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) {
+ continue;
+ }
+ Asn1Type = sk_ASN1_TYPE_value (Xa->value.set, 0);
+ }
+
+ if (Asn1Type == NULL) {
+ Status = FALSE;
+ goto _Exit;
+ }
+ TSToken = Asn1Type->value.octet_string->data;
+ TokenSize = Asn1Type->value.octet_string->length;
+
+ //
+ // TimeStamp counterSignature (Token) verification.
+ //
+ Status = TimestampTokenVerify (
+ TSToken,
+ TokenSize,
+ TsaCert,
+ CertSize,
+ EncDigest->data,
+ EncDigest->length,
+ SigningTime
+ );
+
+_Exit:
+ //
+ // Release Resources
+ //
+ PKCS7_free (Pkcs7);
+
+ return Status;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c
new file mode 100644
index 0000000000..eb32aafede
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c
@@ -0,0 +1,48 @@
+/** @file
+ RFC3161 Timestamp Countersignature Verification Wrapper Implementation which does
+ not provide real capabilities.
+
+Copyright (c) 2014, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
+ signature.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed
+ PE/COFF image to be verified.
+ @param[in] DataSize Size of the Authenticode Signature in bytes.
+ @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which
+ is used for TSA certificate chain verification.
+ @param[in] CertSize Size of the trusted certificate in bytes.
+ @param[out] SigningTime Return the time of timestamp generation time if the timestamp
+ signature is valid.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+ImageTimestampVerify (
+ IN CONST UINT8 *AuthData,
+ IN UINTN DataSize,
+ IN CONST UINT8 *TsaCert,
+ IN UINTN CertSize,
+ OUT EFI_TIME *SigningTime
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 5abe970cce..70b135a754 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -1,7 +1,7 @@
/** @file
X.509 Certificate Handler Wrapper Implementation over OpenSSL.
-Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -38,7 +38,8 @@ X509ConstructCertificate (
OUT UINT8 **SingleX509Cert
)
{
- X509 *X509Cert;
+ X509 *X509Cert;
+ CONST UINT8 *Temp;
//
// Check input parameters.
@@ -50,7 +51,8 @@ X509ConstructCertificate (
//
// Read DER-encoded X509 Certificate and Construct X509 object.
//
- X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
+ Temp = Cert;
+ X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize);
if (X509Cert == NULL) {
return FALSE;
}
@@ -65,7 +67,7 @@ X509ConstructCertificate (
If X509Stack is NULL, then return FALSE.
- @param[in, out] X509Stack On input, pointer to an existing X509 stack object.
+ @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object.
On output, pointer to the X509 stack object with new
inserted X509 certificate.
@param ... A list of DER-encoded single certificate data followed
@@ -123,17 +125,23 @@ X509ConstructCertificateStack (
}
CertSize = VA_ARG (Args, UINTN);
+ if (CertSize == 0) {
+ break;
+ }
//
// Construct X509 Object from the given DER-encoded certificate data.
//
+ X509Cert = NULL;
Status = X509ConstructCertificate (
(CONST UINT8 *) Cert,
CertSize,
(UINT8 **) &X509Cert
);
if (!Status) {
- X509_free (X509Cert);
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
break;
}
@@ -484,3 +492,80 @@ _Exit:
return Status;
}
+
+/**
+ Retrieve the TBSCertificate from one given X.509 certificate.
+
+ @param[in] Cert Pointer to the given DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] TBSCert DER-Encoded To-Be-Signed certificate.
+ @param[out] TBSCertSize Size of the TBS certificate in bytes.
+
+ If Cert is NULL, then return FALSE.
+ If TBSCert is NULL, then return FALSE.
+ If TBSCertSize is NULL, then return FALSE.
+
+ @retval TRUE The TBSCertificate was retrieved successfully.
+ @retval FALSE Invalid X.509 certificate.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetTBSCert (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 **TBSCert,
+ OUT UINTN *TBSCertSize
+ )
+{
+ CONST UINT8 *Temp;
+ INTN Asn1Tag;
+ INTN ObjClass;
+ UINTN Length;
+
+ //
+ // Check input parameters.
+ //
+ if ((Cert == NULL) || (TBSCert == NULL) ||
+ (TBSCertSize == NULL) || (CertSize > INT_MAX)) {
+ return FALSE;
+ }
+
+ //
+ // An X.509 Certificate is: (defined in RFC3280)
+ // Certificate ::= SEQUENCE {
+ // tbsCertificate TBSCertificate,
+ // signatureAlgorithm AlgorithmIdentifier,
+ // signature BIT STRING }
+ //
+ // and
+ //
+ // TBSCertificate ::= SEQUENCE {
+ // version [0] Version DEFAULT v1,
+ // ...
+ // }
+ //
+ // So we can just ASN1-parse the x.509 DER-encoded data. If we strip
+ // the first SEQUENCE, the second SEQUENCE is the TBSCertificate.
+ //
+ Temp = Cert;
+ ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)CertSize);
+
+ if (Asn1Tag != V_ASN1_SEQUENCE) {
+ return FALSE;
+ }
+
+ *TBSCert = (UINT8 *)Temp;
+
+ ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)Length);
+ //
+ // Verify the parsed TBSCertificate is one correct SEQUENCE data.
+ //
+ if (Asn1Tag != V_ASN1_SEQUENCE) {
+ return FALSE;
+ }
+
+ *TBSCertSize = Length + (Temp - *TBSCert);
+
+ return TRUE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
index 5dbddca423..51aa0633a8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
@@ -2,7 +2,7 @@
X.509 Certificate Handler Wrapper Implementation which does not provide
real capabilities.
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2012 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -44,7 +44,7 @@ X509ConstructCertificate (
Return FALSE to indicate this interface is not supported.
- @param[in, out] X509Stack On input, pointer to an existing X509 stack object.
+ @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object.
On output, pointer to the X509 stack object with new
inserted X509 certificate.
@param ... A list of DER-encoded single certificate data followed
@@ -178,3 +178,29 @@ X509VerifyCert (
ASSERT (FALSE);
return FALSE;
}
+
+/**
+ Retrieve the TBSCertificate from one given X.509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the given DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] TBSCert DER-Encoded To-Be-Signed certificate.
+ @param[out] TBSCertSize Size of the TBS certificate in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetTBSCert (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 **TBSCert,
+ OUT UINTN *TBSCertSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index d23e3db669..04f0689d90 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -3,23 +3,23 @@
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
-# This external input must be validated carefully to avoid security issues such as
+# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-# TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
-# Diffie-Hellman functions, and authenticode signature verification functions are
-# not supported in this instance.
+# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+# HMAC-MD5 functions, HMAC-SHA1 functions, AES/TDES/ARC4 functions, RSA external
+# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+# authenticode signature verification functions are not supported in this instance.
#
# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
-#
+#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
+#
##
[Defines]
@@ -42,6 +42,7 @@
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
+ Hash/CryptSha512Null.c
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Cipher/CryptAesNull.c
@@ -50,10 +51,11 @@
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs7SignNull.c
- Pk/CryptPkcs7Verify.c
+ Pk/CryptPkcs7Verify.c
Pk/CryptDhNull.c
Pk/CryptX509.c
Pk/CryptAuthenticodeNull.c
+ Pk/CryptTsNull.c
Pem/CryptPem.c
SysCall/CrtWrapper.c
@@ -61,24 +63,6 @@
SysCall/RuntimeMemAllocation.c
[Sources.Ia32]
- SysCall/Ia32/MathMultS64x64.c | MSFT
- SysCall/Ia32/MathDivU64x64.c | MSFT
- SysCall/Ia32/MathReminderU64x64.c | MSFT
- SysCall/Ia32/MathLShiftS64.c | MSFT
- SysCall/Ia32/MathRShiftU64.c | MSFT
-
- SysCall/Ia32/MathMultS64x64.c | INTEL
- SysCall/Ia32/MathDivU64x64.c | INTEL
- SysCall/Ia32/MathReminderU64x64.c | INTEL
- SysCall/Ia32/MathLShiftS64.c | INTEL
- SysCall/Ia32/MathRShiftU64.c | INTEL
-
- SysCall/Ia32/MathMultS64x64.S | GCC
- SysCall/Ia32/MathDivU64x64.S | GCC
- SysCall/Ia32/MathReminderU64x64.S | GCC
- SysCall/Ia32/MathLShiftS64.S | GCC
- SysCall/Ia32/MathRShiftU64.S | GCC
-
Rand/CryptRandTsc.c
[Sources.X64]
@@ -113,4 +97,3 @@
#
[BuildOptions]
GCC:*_GCC44_IA32_CC_FLAGS = "-D__cdecl=__attribute__((cdecl))" "-D__declspec(t)=__attribute__((t))"
-
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index b31a785e21..fa54da61dd 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -3,23 +3,23 @@
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
-# This external input must be validated carefully to avoid security issues such as
+# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-# TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
-# Diffie-Hellman functions, and authenticode signature verification functions are
-# not supported in this instance.
+# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+# HMAC-MD5 functions, HMAC-SHA1 functions, AES/TDES/ARC4 functions, RSA external
+# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+# authenticode signature verification functions are not supported in this instance.
#
# Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
-#
+#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
+#
##
[Defines]
@@ -42,6 +42,7 @@
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
+ Hash/CryptSha512Null.c
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Cipher/CryptAesNull.c
@@ -54,6 +55,7 @@
Pk/CryptDhNull.c
Pk/CryptX509.c
Pk/CryptAuthenticodeNull.c
+ Pk/CryptTsNull.c
Pem/CryptPem.c
SysCall/CrtWrapper.c
@@ -61,24 +63,6 @@
SysCall/BaseMemAllocation.c
[Sources.Ia32]
- SysCall/Ia32/MathMultS64x64.c | MSFT
- SysCall/Ia32/MathDivU64x64.c | MSFT
- SysCall/Ia32/MathReminderU64x64.c | MSFT
- SysCall/Ia32/MathLShiftS64.c | MSFT
- SysCall/Ia32/MathRShiftU64.c | MSFT
-
- SysCall/Ia32/MathMultS64x64.c | INTEL
- SysCall/Ia32/MathDivU64x64.c | INTEL
- SysCall/Ia32/MathReminderU64x64.c | INTEL
- SysCall/Ia32/MathLShiftS64.c | INTEL
- SysCall/Ia32/MathRShiftU64.c | INTEL
-
- SysCall/Ia32/MathMultS64x64.S | GCC
- SysCall/Ia32/MathDivU64x64.S | GCC
- SysCall/Ia32/MathReminderU64x64.S | GCC
- SysCall/Ia32/MathLShiftS64.S | GCC
- SysCall/Ia32/MathRShiftU64.S | GCC
-
Rand/CryptRandTsc.c
[Sources.X64]
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.S b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.S
deleted file mode 100644
index f46d5b84f4..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.S
+++ /dev/null
@@ -1,83 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-# Module Name:
-#
-# MathDivU64x64.S
-#
-# Abstract:
-#
-# 64-bit Math Worker Function.
-# Divides a 64-bit unsigned value with a 64-bit unsigned value and returns
-# a 64-bit unsigned result.
-#
-#------------------------------------------------------------------------------
-
- .686:
- .code:
-
-ASM_GLOBAL ASM_PFX(__udivdi3), ASM_PFX(DivU64x64Remainder)
-
-#------------------------------------------------------------------------------
-#
-# void __cdecl __udivdi3 (void)
-#
-#------------------------------------------------------------------------------
-ASM_PFX(__udivdi3):
- # Original local stack when calling __udivdi3
- # -----------------
- # | |
- # |---------------|
- # | |
- # |-- Divisor --|
- # | |
- # |---------------|
- # | |
- # |-- Dividend --|
- # | |
- # |---------------|
- # | ReturnAddr** |
- # ESP---->|---------------|
- #
-
- #
- # Set up the local stack for NULL Reminder pointer
- #
- xorl %eax, %eax
- push %eax
-
- #
- # Set up the local stack for Divisor parameter
- #
- movl 20(%esp), %eax
- push %eax
- movl 20(%esp), %eax
- push %eax
-
- #
- # Set up the local stack for Dividend parameter
- #
- movl 20(%esp), %eax
- push %eax
- movl 20(%esp), %eax
- push %eax
-
- #
- # Call native DivU64x64Remainder of BaseLib
- #
- jmp ASM_PFX(DivU64x64Remainder)
-
- #
- # Adjust stack
- #
- addl $20, %esp
-
- ret $16
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.c b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.c
deleted file mode 100644
index 4011653ae5..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathDivU64x64.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/** @file
- 64-bit Math Worker Function.
- The 32-bit versions of C compiler generate calls to library routines
- to handle 64-bit math. These functions use non-standard calling conventions.
-
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include <Library/BaseLib.h>
-
-
-/*
- * Divides a 64-bit unsigned value with a 64-bit unsigned value and returns
- * a 64-bit unsigned result.
- */
-__declspec(naked) void __cdecl _aulldiv (void)
-{
- //
- // Wrapper Implementation over EDKII DivU64x64Reminder() routine
- // UINT64
- // EFIAPI
- // DivU64x64Remainder (
- // IN UINT64 Dividend,
- // IN UINT64 Divisor,
- // OUT UINT64 *Remainder OPTIONAL
- // )
- //
- _asm {
-
- ; Original local stack when calling _aulldiv
- ; -----------------
- ; | |
- ; |---------------|
- ; | |
- ; |-- Divisor --|
- ; | |
- ; |---------------|
- ; | |
- ; |-- Dividend --|
- ; | |
- ; |---------------|
- ; | ReturnAddr** |
- ; ESP---->|---------------|
- ;
-
- ;
- ; Set up the local stack for NULL Reminder pointer
- ;
- xor eax, eax
- push eax
-
- ;
- ; Set up the local stack for Divisor parameter
- ;
- mov eax, [esp + 20]
- push eax
- mov eax, [esp + 20]
- push eax
-
- ;
- ; Set up the local stack for Dividend parameter
- ;
- mov eax, [esp + 20]
- push eax
- mov eax, [esp + 20]
- push eax
-
- ;
- ; Call native DivU64x64Remainder of BaseLib
- ;
- call DivU64x64Remainder
-
- ;
- ; Adjust stack
- ;
- add esp, 20
-
- ret 16
- }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.S b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.S
deleted file mode 100644
index e89f553a08..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.S
+++ /dev/null
@@ -1,62 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-# Module Name:
-#
-# MathLShiftS64.S
-#
-# Abstract:
-#
-# 64-bit Math Worker Function.
-# Shifts a 64-bit signed value left by a certain number of bits.
-#
-#------------------------------------------------------------------------------
-
- .686:
- .code:
-
-ASM_GLOBAL ASM_PFX(__ashldi3)
-
-#------------------------------------------------------------------------------
-#
-# void __cdecl __ashldi3 (void)
-#
-#------------------------------------------------------------------------------
-ASM_PFX(__ashldi3):
- #
- # Handle shifting of 64 or more bits (return 0)
- #
- cmpb $64, %cl
- jae ReturnZero
-
- #
- # Handle shifting of between 0 and 31 bits
- #
- cmpb $32, %cl
- jae More32
- shld %cl, %eax, %edx
- shl %cl, %eax
- ret
-
- #
- # Handle shifting of between 32 and 63 bits
- #
-More32:
- movl %eax, %edx
- xor %eax, %eax
- and $31, %cl
- shl %cl, %edx
- ret
-
-ReturnZero:
- xor %eax, %eax
- xor %edx, %edx
- ret
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.c b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.c
deleted file mode 100644
index 2ea628a007..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathLShiftS64.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/** @file
- 64-bit Math Worker Function.
- The 32-bit versions of C compiler generate calls to library routines
- to handle 64-bit math. These functions use non-standard calling conventions.
-
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-
-/*
- * Shifts a 64-bit signed value left by a particular number of bits.
- */
-__declspec(naked) void __cdecl _allshl (void)
-{
- _asm {
- ;
- ; Handle shifting of 64 or more bits (return 0)
- ;
- cmp cl, 64
- jae short ReturnZero
-
- ;
- ; Handle shifting of between 0 and 31 bits
- ;
- cmp cl, 32
- jae short More32
- shld edx, eax, cl
- shl eax, cl
- ret
-
- ;
- ; Handle shifting of between 32 and 63 bits
- ;
-More32:
- mov edx, eax
- xor eax, eax
- and cl, 31
- shl edx, cl
- ret
-
-ReturnZero:
- xor eax,eax
- xor edx,edx
- ret
- }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.S b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.S
deleted file mode 100644
index 8a5f330e45..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.S
+++ /dev/null
@@ -1,77 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-# Module Name:
-#
-# MathMultS64x64.S
-#
-# Abstract:
-#
-# 64-bit Math Worker Function.
-# Multiplies a 64-bit signed or unsigned value by a 64-bit signed or unsigned value
-# and returns a 64-bit result
-#
-#------------------------------------------------------------------------------
-
- .686:
- .code:
-
-ASM_GLOBAL ASM_PFX(_mulll), ASM_PFX(MultS64x64)
-
-#------------------------------------------------------------------------------
-#
-# void __cdecl __mulll (void)
-#
-#------------------------------------------------------------------------------
-ASM_PFX(__mulll):
- # Original local stack when calling __mulll
- # -----------------
- # | |
- # |---------------|
- # | |
- # |--Multiplier --|
- # | |
- # |---------------|
- # | |
- # |--Multiplicand-|
- # | |
- # |---------------|
- # | ReturnAddr** |
- # ESP---->|---------------|
- #
-
- #
- # Set up the local stack for Multiplicand parameter
- #
- movl 16(%esp), %eax
- push %eax
- movl 16(%esp), %eax
- push %eax
-
- #
- # Set up the local stack for Multiplier parameter
- #
- movl 16(%esp), %eax
- push %eax
- movl 16(%esp), %eax
- push %eax
-
- #
- # Call native MulS64x64 of BaseLib
- #
- jmp ASM_PFX(MultS64x64)
-
- #
- # Adjust stack
- #
- add $16, %esp
-
- ret $16
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.c b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.c
deleted file mode 100644
index 17a20bf629..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathMultS64x64.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/** @file
- 64-bit Math Worker Function.
- The 32-bit versions of C compiler generate calls to library routines
- to handle 64-bit math. These functions use non-standard calling conventions.
-
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include <Library/BaseLib.h>
-
-/*
- * Multiplies a 64-bit signed or unsigned value by a 64-bit signed or unsigned value
- * and returns a 64-bit result.
- */
-__declspec(naked) void __cdecl _allmul (void)
-{
- //
- // Wrapper Implementation over EDKII MultS64x64() routine
- // INT64
- // EFIAPI
- // MultS64x64 (
- // IN INT64 Multiplicand,
- // IN INT64 Multiplier
- // )
- //
- _asm {
- ; Original local stack when calling _allmul
- ; -----------------
- ; | |
- ; |---------------|
- ; | |
- ; |--Multiplier --|
- ; | |
- ; |---------------|
- ; | |
- ; |--Multiplicand-|
- ; | |
- ; |---------------|
- ; | ReturnAddr** |
- ; ESP---->|---------------|
- ;
-
- ;
- ; Set up the local stack for Multiplicand parameter
- ;
- mov eax, [esp + 16]
- push eax
- mov eax, [esp + 16]
- push eax
-
- ;
- ; Set up the local stack for Multiplier parameter
- ;
- mov eax, [esp + 16]
- push eax
- mov eax, [esp + 16]
- push eax
-
- ;
- ; Call native MulS64x64 of BaseLib
- ;
- call MultS64x64
-
- ;
- ; Adjust stack
- ;
- add esp, 16
-
- ret 16
- }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.S b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.S
deleted file mode 100644
index bf0587502f..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.S
+++ /dev/null
@@ -1,66 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-# Module Name:
-#
-# MathRShiftU64.S
-#
-# Abstract:
-#
-# 64-bit Math Worker Function.
-# Shifts a 64-bit unsigned value right by a certain number of bits.
-#
-#------------------------------------------------------------------------------
-
-
- .686:
- .code:
-
-ASM_GLOBAL ASM_PFX(__ashrdi3)
-
-#------------------------------------------------------------------------------
-#
-# void __cdecl __ashrdi3 (void)
-#
-#------------------------------------------------------------------------------
-ASM_PFX(__ashrdi3):
- #
- # Checking: Only handle 64bit shifting or more
- #
- cmpb $64, %cl
- jae _Exit
-
- #
- # Handle shifting between 0 and 31 bits
- #
- cmpb $32, %cl
- jae More32
- shrd %cl, %edx, %eax
- shr %cl, %edx
- ret
-
- #
- # Handle shifting of 32-63 bits
- #
-More32:
- movl %edx, %eax
- xor %edx, %edx
- and $31, %cl
- shr %cl, %eax
- ret
-
- #
- # Invalid number (less then 32bits), return 0
- #
-_Exit:
- xor %eax, %eax
- xor %edx, %edx
- ret
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.c b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.c
deleted file mode 100644
index b7224d6455..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathRShiftU64.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/** @file
- 64-bit Math Worker Function.
- The 32-bit versions of C compiler generate calls to library routines
- to handle 64-bit math. These functions use non-standard calling conventions.
-
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-
-/*
- * Shifts a 64-bit unsigned value right by a certain number of bits.
- */
-__declspec(naked) void __cdecl _aullshr (void)
-{
- _asm {
- ;
- ; Checking: Only handle 64bit shifting or more
- ;
- cmp cl, 64
- jae _Exit
-
- ;
- ; Handle shifting between 0 and 31 bits
- ;
- cmp cl, 32
- jae More32
- shrd eax, edx, cl
- shr edx, cl
- ret
-
- ;
- ; Handle shifting of 32-63 bits
- ;
-More32:
- mov eax, edx
- xor edx, edx
- and cl, 31
- shr eax, cl
- ret
-
- ;
- ; Invalid number (less then 32bits), return 0
- ;
-_Exit:
- xor eax, eax
- xor edx, edx
- ret
- }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.S b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.S
deleted file mode 100644
index 7c1f971644..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.S
+++ /dev/null
@@ -1,89 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-# Module Name:
-#
-# MathReminderU64x64.S
-#
-# Abstract:
-#
-# 64-bit Math Worker Function.
-# Divides a 64-bit unsigned value by another 64-bit unsigned value and returns
-# the 64-bit unsigned remainder
-#
-#------------------------------------------------------------------------------
-
- .686:
- .code:
-
-ASM_GLOBAL ASM_PFX(__umoddi3), ASM_PFX(DivU64x64Remainder)
-
-#------------------------------------------------------------------------------
-#
-# void __cdecl __umoddi3 (void)
-#
-#------------------------------------------------------------------------------
-ASM_PFX(__umoddi3):
- # Original local stack when calling __umoddi3
- # -----------------
- # | |
- # |---------------|
- # | |
- # |-- Divisor --|
- # | |
- # |---------------|
- # | |
- # |-- Dividend --|
- # | |
- # |---------------|
- # | ReturnAddr** |
- # ESP---->|---------------|
- #
-
- #
- # Set up the local stack for Reminder pointer
- #
- sub $8, %esp
- push %esp
-
- #
- # Set up the local stack for Divisor parameter
- #
- movl 28(%esp), %eax
- push %eax
- movl 28(%esp), %eax
- push %eax
-
- #
- # Set up the local stack for Dividend parameter
- #
- movl 28(%esp), %eax
- push %eax
- movl 28(%esp), %eax
- push %eax
-
- #
- # Call native DivU64x64Remainder of BaseLib
- #
- jmp ASM_PFX(DivU64x64Remainder)
-
- #
- # Put the Reminder in EDX:EAX as return value
- #
- movl 20(%esp), %eax
- movl 24(%esp), %edx
-
- #
- # Adjust stack
- #
- add $28, %esp
-
- ret $16
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.c b/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.c
deleted file mode 100644
index be70770ebb..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/Ia32/MathReminderU64x64.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/** @file
- 64-bit Math Worker Function.
- The 32-bit versions of C compiler generate calls to library routines
- to handle 64-bit math. These functions use non-standard calling conventions.
-
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include <Library/BaseLib.h>
-
-
-/*
- * Divides a 64-bit unsigned value by another 64-bit unsigned value and returns
- * the 64-bit unsigned remainder.
- */
-__declspec(naked) void __cdecl _aullrem(void)
-{
- //
- // Wrapper Implementation over EDKII DivU64x64Remainder() routine
- // UINT64
- // EFIAPI
- // DivU64x64Remainder (
- // IN UINT64 Dividend,
- // IN UINT64 Divisor,
- // OUT UINT64 *Remainder OPTIONAL
- // )
- //
- _asm {
- ; Original local stack when calling _aullrem
- ; -----------------
- ; | |
- ; |---------------|
- ; | |
- ; |-- Divisor --|
- ; | |
- ; |---------------|
- ; | |
- ; |-- Dividend --|
- ; | |
- ; |---------------|
- ; | ReturnAddr** |
- ; ESP---->|---------------|
- ;
-
- ;
- ; Set up the local stack for Reminder pointer
- ;
- sub esp, 8
- push esp
-
- ;
- ; Set up the local stack for Divisor parameter
- ;
- mov eax, [esp + 28]
- push eax
- mov eax, [esp + 28]
- push eax
-
- ;
- ; Set up the local stack for Dividend parameter
- ;
- mov eax, [esp + 28]
- push eax
- mov eax, [esp + 28]
- push eax
-
- ;
- ; Call native DivU64x64Remainder of BaseLib
- ;
- call DivU64x64Remainder
-
- ;
- ; Put the Reminder in EDX:EAX as return value
- ;
- mov eax, [esp + 20]
- mov edx, [esp + 24]
-
- ;
- ; Adjust stack
- ;
- add esp, 28
-
- ret 16
- }
-}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-29 22:15:29 +0000