summaryrefslogtreecommitdiffstats
path: root/CryptoPkg
Commit message (Collapse)AuthorAgeFilesLines
* CryptoPkg/BaseCryptLib: remove unused code for IPFJian J Wang2019-05-171-112/+0
| | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1805 CryptRandItc.c is only for IPF arch, which has not been supported any more in edk2. And no module actually reference this file. This patch just removes it from tree. Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Ting Ye <ting.ye@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
* CryptoPkg/BaseCryptLib: Remove the blank line in the commentsZhichao Gao2019-04-291-1/+0
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1736 For accroding with the doxygen special documention blocks in section 2.3.5, removing the blank line in the file comments of the file header for PeiCryptLib.inf Cc: Jian Wang <jian.j.wang@intel.com> Cc: Ting Ye <ting.ye@intel.com> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Reviewed-by: Jian Wang <jian.j.wang@intel.com>
* CryptoPkg: add issetugid declaration to fix openssl build on FreeBSDrebecca via Groups.Io2019-04-241-0/+1
| | | | | | | | | | When building OpenSSL, the OpenBSD/FreeBSD/DFBSD code in crypto/uid.c calls issetugid(). Add the declaration of this function to CrtLibSupport.h to avoid the need to patch the openssl code on these platforms. Signed-off-by: Rebecca Cran <rebecca@bluestop.org> Reviewed-by: Jian Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: Add PKCS1v2 (RSAES-OAEP) support.Bret Barkelew2019-04-186-0/+263
| | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403 Add support for PKCS 1v2 RSAES-OAEP PKI encryption in BaseCryptLib. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support.Bret Barkelew2019-04-181-1/+43
| | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403 Add prototype of new API Pkcs1v2Encrypt in header file to support PKCS1v2 (RSAES-OAEP) encrypt. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7SignatureBret Barkelew2019-04-186-1/+584
| | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1402 Add the API VerifyEKUsInPkcs7Signature to check if x509 cert has any or all EKUs. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7SignatureBret Barkelew2019-04-181-0/+42
| | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402 Add a prototype of new API VerifyEKUsInPkcs7Signature. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: Add new API to get organization nameBret Barkelew2019-04-182-12/+122
| | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401 Implement a common function to get the NID name. And use this function to get common name and organization name. Add a null function API X509GetOrganizationName of null function source file. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib.h: Add new API to get organization nameBret Barkelew2019-04-181-0/+35
| | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401 Add a prototype declaration of the new API X509GetOrganizationName in the header file. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg: Replace BSD License with BSD+Patent LicenseMichael D Kinney2019-04-0999-693/+99
| | | | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=1373 Replace BSD 2-Clause License with BSD+Patent License. This change is based on the following emails: https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html RFCs with detailed process for the license change: V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/IntrinsicLib: Remove .S files for IA32 archShenglei Zhang2019-04-033-130/+0
| | | | | | | | | | | | | .nasm file has been added for X86 arch. .S assembly code is not required any more. https://bugzilla.tianocore.org/show_bug.cgi?id=1594 Cc: Ting Ye <ting.ye@intel.com> Cc: Jian Wang <jian.j.wang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
* CryptoPkg: Fix various typosAntoine Coeur2019-02-112-3/+3
| | | | | | | | | Fix various typos in CryptoPkg. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Coeur <coeur@gmx.fr> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: split CryptPkcs7Verify.c on behalf of runtimeJian J Wang2019-01-318-119/+220
| | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1493 Pkcs7GetAttachedContent() implementation in current CryptPkcs7Verify.c is actually shared by RuntimeCryptLib.inf, SmmCryptLib.inf and BaseCryptLib.inf, which are not correct since there's no use scenario for runtime and AllocatePool() used in this method can only be called in boot time. This patch fix this issue by splitting file CryptPkcs7Verify.c into 3 parts. CryptPkcs7VerifyCommon.c (shared among Base, SMM, Runtime) CryptPkcs7VerifyBase.c (shared between Base, SMM) CryptPkcs7VerifyRuntime.c (for Runtime only) CryptPkcs7VerifyBase.c will have original implementation of Pkcs7GetAttachedContent() as CryptPkcs7Verify.c. CryptPkcs7VerifyRuntime.c provide a NULL version of Pkcs7GetAttachedContent(). No functionality and interface change is involved in this patch. Cc: Ting Ye <ting.ye@intel.com> Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
* CryptoPkg/SmmCryptLib: permit use by MM_STANDALONE modulesArd Biesheuvel2019-01-211-1/+1
| | | | | | | | Permit SmmCryptLib to be used by MM_STANDALONE modules Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: drop build flags specific to GCC44Laszlo Ersek2019-01-084-7/+0
| | | | | | | | | | | | | | | | | | | We've removed BaseTools support for GCC44..GCC47. Drop CryptoPkg/BaseCryptLib build flags that are specific to any of those gcc versions. No GCC44..GCC47 references remain under CryptoPkg after this patch. Cc: Gang Wei <gang.wei@intel.com> Cc: Jian Wang <jian.j.wang@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1377 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
* Upgrade OpenSSL to 1.1.0jJian J Wang2018-12-216-7/+20
| | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1393 BZ#1089 (https://bugzilla.tianocore.org/show_bug.cgi?id=1089) requests to upgrade the OpenSSL to the latest 1.1.1 release. Since OpenSSL-1.1.1 has many changes, more porting efforts and feature evaluation are needed. This might lead to a situation that it cannot catch the Q1'19 stable tag. One of the solution is upgrade current version (1.1.0h) to 1.1.0j. According to following web page in openssl.org, all security issues solved in 1.1.1 have been also back-ported to 1.1.0.j. This can make sure that no security vulnerabilities left in edk2 master before 1.1.1. https://www.openssl.org/news/vulnerabilities-1.1.1.html Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Gang Wei <gang.wei@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
* CryptoPkg/IntrinsicLib: add missing BaseLib declarationJian J Wang2018-12-101-0/+1
| | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=596 BaseLib interfaces are used in this library but not declared in module's inf file. This patch fix this situation to keep inf and its code in consistency. No functionality or interface change are involved. Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
* CryptoPkg/BaseCryptLib: Fix potential integer overflow issue.Long Qin2018-10-311-1/+13
| | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1275 The LookupFreeMemRegion() in RuntimeMemAllocate.c is used to look-up free memory region for runtime resource allocation, which was designed to support runtime authenticated variable service. The ReqPages in this function is the required pages to be allocated, which depends on the malloc() call in internal OpenSSL routines. The direct offset subtractions on ReqPages may bring possible integer overflow issue. This patch is to add the extra parameter checks to remove this possible overflow risk. Cc: Ye Ting <ting.ye@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
* CryptoPkg: Removing ipf which is no longer supported from edk2.Chen A Chen2018-09-2535-3319/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removing rules for Ipf sources file: * Remove the source file which path with "ipf" and also listed in [Sources.IPF] section of INF file. * Remove the source file which listed in [Components.IPF] section of DSC file and not listed in any other [Components] section. * Remove the embedded Ipf code for MDE_CPU_IPF. Removing rules for Inf file: * Remove IPF from VALID_ARCHITECTURES comments. * Remove DXE_SAL_DRIVER from LIBRARY_CLASS in [Defines] section. * Remove the INF which only listed in [Components.IPF] section in DSC. * Remove statements from [BuildOptions] that provide IPF specific flags. * Remove any IPF sepcific sections. Removing rules for Dec file: * Remove [Includes.IPF] section from Dec. Removing rules for Dsc file: * Remove IPF from SUPPORTED_ARCHITECTURES in [Defines] section of DSC. * Remove any IPF specific sections. * Remove statements from [BuildOptions] that provide IPF specific flags. The following rules are specially proposed by package owner: * Remove whole "CryptRuntimeDxe" folder which was designed for IPF. * Remove whole "Include/Protocol" folder * Update .Dec and .Dsc file accordingly. Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chen A Chen <chen.a.chen@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg: Clean up source filesLiming Gao2018-06-2851-151/+151
| | | | | | | | | 1. Do not use tab characters 2. No trailing white space in one line 3. All files must end with CRLF Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com>
* CryptoPkg PeiCryptLib: Enable SHA384/512 supportZhang, Chao B2018-06-081-3/+3
| | | | | | | | | Enable SHA384/512 support in PEI phase. Cc: Long Qin <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg: Remove deprecated function usage in X509GetCommonName()Long Qin2018-06-053-14/+47
| | | | | | | | | | | | | | | | | | | | | BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=923 X509_NAME_get_text_by_NID() used in X509GetCommonName() implementation is one legacy function which have various limitations. The returned data may be not usable when the target cert contains multicharacter string type like a BMPString or a UTF8String. This patch replaced the legacy function usage with more general X509_NAME_get_index_by_NID() / X509_NAME_get_entry() APIs for X509 CommonName retrieving. Tests: Validated the commonName retrieving with test certificates containing PrintableString or BMPString data. Cc: Ye Ting <ting.ye@intel.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
* CryptoPkg/CrtLibSupport: add secure_getenv() stub functionLaszlo Ersek2018-05-082-0/+14
| | | | | | | | | | | | | | The Fedora distro ships a modified OpenSSL 1.1.0 package stream. One of their patches calls the secure_getenv() C library function. We already have a stub for getenv(); it applies trivially to secure_getenv() as well. Add the secure_getenv() stub so that edk2 can be built with Fedora's OpenSSL 1.1.0 sources. Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/OpensslLib: remove OpenSSL version number from OpenSSL-HOWTO.txtLaszlo Ersek2018-04-261-1/+0
| | | | | | | | | | | | | | | | Remove any concrete OpenSSL version numbers from "OpenSSL-HOWTO.txt". That information is out of date and there's no reason for us to refresh it: We now track stable OpenSSL releases via a git submodule. CryptoPkg maintainers push such submodule updates to edk2 that identify the correct stable releases of OpenSSL. "OpenSSL-HOWTO.txt" already provides instructions to users for updating their local submodules. Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/OpensslLib: Update OpenSSL version to 1.1.0hLong Qin2018-04-151-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | (https://bugzilla.tianocore.org/show_bug.cgi?id=927) (V2 Update: Removing the wrong "--remote" option from git submodule update command in this commit message. Thanks Laszlo's clarification to correct this) Update OpenSSL version to 1.1.0h release (27-Mar-2018) to include the fix for CVE-2018-0739 issue (Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service, Refer to https://www.openssl.org/news/secadv/20180327.txt for more information). Please note "git pull" will not update the submodule repository. use the following commend to make your existing submodule track this update: $ git submodule update --recursive Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com>
* CryptoPkg/OpensslLib: Fix the documentation about submodule updateLong Qin2018-04-151-1/+1
| | | | | | | | | | | | | | | | | | | | | This patch is to drop "--remote" option from the original suggested submodule update command ("$ git submodule update --recursive --remote") in HOWTO document. "--remote" option will integrate changes from the upstream subproject with the submodules's "current HEAD", instead of using the edk2 superproject's "recorded SHA-1". It is important here for the edk2 consumers to updating the working tree of the submodules to match the commit / release tag that the superproject expects. So removing "--remote" option to fix this documentation issue here. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* CryptoPkg/TlsLib: rewrite TlsSetCipherList()Laszlo Ersek2018-04-134-26/+157
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rewrite the TlsSetCipherList() function in order to fix the following issues: - Any cipher identifier in CipherId that is not recognized by TlsGetCipherMapping() will cause the function to return EFI_UNSUPPORTED. This is a problem because CipherId is an ordered preference list, and a caller should not get EFI_UNSUPPORTED just because it has an elaborate CipherId preference list. Instead, we can filter out cipher identifiers that we don't recognize, as long as we keep the relative order intact. - CipherString is allocated on the stack, with 500 bytes. While processing a large CipherId preference list, this room may not be enough. Although no buffer overflow is possible, CipherString exhaustion can lead to a failed TLS connection, because any cipher names that don't fit on CipherString cannot be negotiated. Compute CipherStringSize first, and allocate CipherString dynamically. - Finally, the "@STRENGTH" pseudo cipher name is appended to CipherString. (Assuming there is enough room left in CipherString.) This causes OpenSSL to sort the cipher list "in order of encryption algorithm key length". This is a bad idea. The caller specifically passes an ordered preference list in CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to reorder the list, for any reason. Drop "@STRENGTH". While at it, fix and unify the documentation of the CipherId parameter. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* CryptoPkg/TlsLib: sanitize lib classes in internal header and INFLaszlo Ersek2018-04-132-4/+5
| | | | | | | | | | | | | | | | | | | | | | "InternalTlsLib.h" includes "BaseCryptLib.h", but the lib class is not listed in the INF file. The INF file lists a good number of lib classes, but none of the lib class headers are included by "InternalTlsLib.h". Synchronize & sort both lists, while removing those library classes that aren't actually needed. (IntrinsicLib and OpensslLib have no edk2 class headers.) Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTableLaszlo Ersek2018-04-131-23/+35
| | | | | | | | | | | | | | | | | | | | | | | | | In the next patches, we'll need the lengths of the TLS_CIPHER_MAPPING.OpensslCipher string fields. These lengths can be computed at build time; add the new field "OpensslCipherLength", and introduce the MAP() macro for populating it. While at it, add some horizontal whitespace to "TlsCipherMappingTable", and add a comma after the last element. This will come handy in a later patch. (The patch does not change the first two columns of "TlsCipherMappingTable", which can be easily verified with "git show --word-diff".) Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() functionLaszlo Ersek2018-04-131-13/+23
| | | | | | | | | | | | | | | | Improve the performance of the TlsGetCipherMapping() function by adopting the binary search from DhcpFindOptionFormat() [MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c]. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping()Laszlo Ersek2018-04-131-17/+20
| | | | | | | | | | | | | | | | | | | In the following patches it will be useful if the IANA CipherId lookup returns a pointer to the whole matching IANA-to-OpenSSL mapping structure, not just the OpenSSL cipher suite name. Rename TLS_CIPHER_PAIR and TlsGetCipherString() to TLS_CIPHER_MAPPING and TlsGetCipherMapping() respectively, and make the function return a pointer to TLS_CIPHER_MAPPING. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
* CryptoPkg: Update package version to 0.98Long Qin2018-01-232-4/+4
| | | | | | | | | Update package version of CryptoPkg to 0.98. Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
* CryptoPkg/BaseCryptLib: Add error handling for time() wrapperLong Qin2018-01-221-5/+9
| | | | | | | | | | | | In time() wrapper implementation, the gRT->GetTime() call may be not available. This patch adds the extra error handling to avoid the potential dead loop. Cc: Star Zeng <star.zeng@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
* CryptoPkg/OpensslLib: ignore uninitialized warningHeyi Guo2018-01-182-4/+4
| | | | | | | | | | | | | We also got maybe-uninitialized warning when building OpensslLib.inf with GCC48 for ARM and AARCH64, so add -Wno-error=maybe-uninitialized build option just as other platforms. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Heyi Guo <heyi.guo@linaro.org> Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com>
* CryptoPkg: Adding OpenSSL as one submodule of EDKII repoLong Qin2018-01-183-15/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A submodule allows to keep another Git repository in a subdirectory of main repository. The submodule repository has its own history, which does not interfere with the history of the current repository. This can be used to have external dependencies such as third party libraries. After the extra patch for EDKII-OpenSSL build was removed, OpenSSL can be one typical submodule use case in EDKII project. This patch adds the openssl git repository into EDKII project as one submodule. One .gitmodules file will be generated with the submodule info: [submodule "CryptoPkg/Library/OpensslLib/openssl"] path = CryptoPkg/Library/OpensslLib/openssl url = https://github.com/openssl/openssl The user can use the following command to clone both main EDKII repo and openssl submodule: 1) Add the "--recursive" flag to their git clone command: $ git clone --recursive https://github.com/tianocore/edk2 or 2) Manually initialize and the submodules after the clone operation: $ git clone https://github.com/tianocore/edk2 $ git submodule update -–init -–recursive For Pull operations, "git pull" will not update the submodule repository. So the following combined commands can be used to pull the remote submodule updates (e.g. Updating to new supported OpenSSL release) $ git pull –-recurse-submodules && \ git submodule update -–recursive --remote Cc: Ye Ting <ting.ye@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
* CrptoPkg/BaseCryptLib: Fix type mismatch when calling OpenSSL functionZhang, Chao B2018-01-151-3/+4
| | | | | | | | | | | Type definition in UEFI & OpeenSSL is different. Sometime it could cause write overflow. Should use same data type when accessing the same region Cc: Long Qin <qin.long@intel.com> Cc: Chen Chen <chen.a.chen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/OpensslLib: Suppress format warning with extra flag.Long Qin2018-01-152-2/+2
| | | | | | | | | | | | | | | | | | Under a certain [outdated] GCC482 compiler, the new-added "-Wno-format" flag will not take effect, and break the x86_64 build. This is one known issue in some Ubuntu/GCC-4.8.2 environment, which will overwrite "-Wno-format" with some default setting. see more information and discussion from: https://gcc.gnu.org/ml/gcc-help/2014-03/msg00003.html https://wiki.ubuntu.com/ToolChain/CompilerFlags This patch adds one extra "-Wno-error=format" for gcc x86_64 builds to suppress this warning. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
* CryptoPkg/OpensslLib AARCH64: disable rather than demote format warningArd Biesheuvel2017-12-272-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We recently added -Wno-error=format to the OpenSslLib build script to work around an issue in the upstream OpenSSL code. This does not inhibit the warning, but prevents it from breaking the build by not treating it as a fatal error. Unfortunately, this interacts poorly with the -Wno-unused-const-variable option that we added to GCC49 and later. Those versions of GCC ignore -Wno-xxxx options that they don't understand, unless warnings are emitted for another reason, in which case the warning is emitted after all, and in our case, this breaks the build when the non-fatal format warning is emitted. CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c: In function 'uint64_print': CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c:105:32: warning: format '%ld' expects argument of type 'long int', but argument 3 has type 'int64_t {aka long long int}' [-Wformat=] return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval); ^ CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c:106:28: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=] return BIO_printf(out, "%"BIO_PRI64"u\n", **(uint64_t **)pval); ^ CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/x_int64.c: At top level: cc1: error: unrecognized command line option '-Wno-unused-const-variable' [-Werror] cc1: all warnings being treated as errors So replace -Wno-error=format with -Wno-format to suppress the warning entirely. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/OpensslLib AARCH64: suppress format string warningArd Biesheuvel2017-12-272-2/+2
| | | | | | | | | | | | | | | | On GCC Build: openssl-1.1.0g introduced one additional build warning: ...\openssl\crypto\asn1\x_int64.c:105:32: error: format '%ld' expects argument of type 'long int', but argument 3 has type 'int64_t {aka long long int}' [-Werror=format=] return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval); ^ Add "-Wno-error=format" to GCC build flags to suppress this warning, since we have no real printf usage in BaseCryptLib, and BIO_printf() was already wrapped as a dummy implementation in CryptoPkg. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg: Remove Cryptest Application from CryptoPkgLong Qin2017-12-2716-3978/+0
| | | | | | | | | | | | BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=819 Remove Cryptest application from CryptoPkg, which was only for unit test. Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
* CryptoPkg/OpensslLib: Update OpenSSL version to 1.1.0gLong Qin2017-12-274-16/+24
| | | | | | | | | | | | | | | | | | | | | | | | | Update the supported OpenSSL version to the latest 1.1.0g (02-Nov-2017). The changes includes: - Re-generate the OpensslLib[crypto].inf using process_files.pl script to reflect the openssl source changes. - Update OpenSSL-HOWTO.txt - On Visual Studio Build: adding "/wd4819" to disable one addition build warning issue, which was already fixed in OpenSSL-HEAD https://github.com/openssl/openssl/pull/4691. - On GCC Build: openssl-1.1.0g introduced one additional build warning: ...\openssl\crypto\asn1\x_int64.c:105:32: error: format '%ld' expects argument of type 'long int', but argument 3 has type 'int64_t {aka long long int}' [-Werror=format=] return BIO_printf(out, "%"BIO_PRI64"d\n", **(int64_t **)pval); ^ Adding "-Wno-error=format" to GCC build flag to suppress this warning, since we have no real printf usage in BaseCryptLib, and BIO_printf() was already wrappered as the dummy implementation in CryptoPkg. Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com>
* CryptoPkg/TlsLib: Add some parameter check and clarification.Jiaxin Wu2017-12-222-1/+13
| | | | | | | | | Cc: Ye Ting <ting.ye@intel.com> Cc: Long Qin <qin.long@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/IntrinsicLib: Fix the warning on memsetGary Lin2017-11-241-2/+2
| | | | | | | | | | | | | | | | | | | | Gcc issued the warning when compiling CryptoPkg: CryptoPkg/Library/Include/CrtLibSupport.h:135:17: warning: type of 'memset' does not match original declaration [-Wlto-type-mismatch] void *memset (void *, int, size_t); ^ CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c:27:8: note: type mismatch in parameter 2 void * memset (void *dest, char ch, size_t count) ^ This commit changes the type of ch from char to int to match the declaration. Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Qin Long <qin.long@intel.com>
* CryptoPkg/TlsLib: Change the return type of TlsInitialize().Jiaxin Wu2017-11-242-8/+19
| | | | | | | | | | | | | | | | | | | | | | | | | V2: * Correct the commit log. Currently, the return code of OPENSSL_init_ssl(0 or 1) and RandomSeed (TRUE or FALSE) are not checked in TlsInitialize(). Also "VOID" is used as the return type of TlsInitialize(), which can't be used to capture the returned value for error handling. From Long Qin (CryptoPkg owner): The early version of OPENSSL_init_ssl() use the "VOID" as the return value, which was updated to "int" later because the function changes can fail. So, this patch is to change the return type of TlsInitialize() to follow up the OPENSSL_init_ssl() update. Cc: Ye Ting <ting.ye@intel.com> Cc: Long Qin <qin.long@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stackchenc22017-11-073-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | The parameter CertStack of Pkcs7GetSigners will return all embedded X.509 certificate in one given PKCS7 signature. The format is: // // UINT8 CertNumber; // UINT32 Cert1Length; // UINT8 Cert1[]; // UINT32 Cert2Length; // UINT8 Cert2[]; // ... // UINT32 CertnLength; // UINT8 Certn[]; // Add EFI_CERT_STACK and EFI_CERT_DATA structure, these two C-structure are used for parsing CertStack more clearly. Cc: Long Qin <qin.long@intel.com> Cc: Zhang Chao <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: chenc2 <chen.a.chen@intel.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
* CryptoPkg/BaseCryptLib: Fix mismatched memory allocation/freeLong Qin2017-11-065-20/+32
| | | | | | | | | | | | | | | | | | | | | | | The malloc/free (instead of AllocatePool/FreePool) were used directly in some wrapper implementations, which was designed to leverage the light-weight memory management routines at Runtime phase. The malloc/free and AllocatePool/FreePool usages are required to be matched, after extra memory size info header was introduced in malloc wrapper. This patch corrects two memory allocation cases, which requires the caller to free the buffer with FreePool() outside the function call. And some comments were also added to clarify the correct memory release functions if it's the caller's responsibility to free the memory buffer. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapperLong Qin2017-11-061-7/+76
| | | | | | | | | | | | | | | | | | | | | | | | | There is one long-standing problem in CRT realloc wrapper, which will cause the obvious buffer overflow issue when re-allocating one bigger memory block: void *realloc (void *ptr, size_t size) { // // BUG: hardcode OldSize == size! We have no any knowledge about // memory size of original pointer ptr. // return ReallocatePool ((UINTN) size, (UINTN) size, ptr); } This patch introduces one extra header to record the memory buffer size information when allocating memory block from malloc routine, and re-wrap the realloc() and free() routines to remove this BUG. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com> Validated-by: Jian J Wang <jian.j.wang@intel.com>
* CryptoPkg/BaseCryptLib: remove some duplicate initializations.Peter Jones2017-10-241-2/+0
| | | | | | | | | | | | | | | | | | | | | clang-analyzer noticed this: Pk/CryptPkcs7Verify.c:600:5: warning: Value stored to 'OldSize' is never read OldSize = BufferSize; ^ ~~~~~~~~~~ Pk/CryptPkcs7Verify.c:644:5: warning: Value stored to 'OldSize' is never read OldSize = BufferSize; ^ ~~~~~~~~~~ 2 warnings generated. These are each immediately followed by a loop that initializes them (to the same values) a second time, and are otherwise only referenced inside that loop, so there's just no point to these assignments at all. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Long Qin <qin.long@intel.com>
* CryptoPkg: Add new API to retrieve commonName of X.509 certificateQin Long2017-09-255-8/+234
| | | | | | | | | | | | | | | | | | | v3: Add extra CommonNameSize check since OpenSSL didn't check this input parameter. (One openssl issue was filed to address this risk: https://github.com/openssl/openssl/issues/4392) v2: Update function interface to return RETURN_STATUS to represent different error cases. Add one new API (X509GetCommonName()) to retrieve the subject commonName string from one X.509 certificate. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com>
* edk2: Move License.txt file to rootMichael D Kinney2017-08-031-25/+0
| | | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=642 Add top level License.txt file with the BSD 2-Clause License that is used by the majority of the EKD II open source project content. Merge copyright statements from the BSD 2-Clause License files in each package directory and remove the duplication License.txt file from package directories. Cc: Leif Lindholm <leif.lindholm@linaro.org> Cc: Andrew Fish <afish@apple.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>