| Commit message | Author | Age | Files | Lines |
| |
Drop the ArmSoftFloatLib dependency from the OpensslLib implementations,
so that we can retire this git submodule and associated dependencies in
other components.
The upshot of this is that OpenSSL can no longer be used on 32-bit ARM
by components that rely on the random number generation routines (which
is where the floating point usage resides). In practice, this means that
ARM platforms should use MbedTLS instead for things like signed
capsules, authenticated variables and TPM2 support. HTTPS boot is no
longer supported, as TlsDxe depends on OpensslLib directly.
Note that MbedTLS itself -surprisingly- depends on OpensslLib as well,
but only for the SM3 routines, and incorporating those does not require
softfloat support.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
BaseCryptLib turn gettimeofday() from a Macro into a function call,
apply the same change to BaseCryptLibMbedTls
Signed-off-by: Amy Chan <amy.chan@intel.com>
| |
Now that the ResetVectors are USER_DEFINED modules, they will not
be linked against StackCheckLibNull, which were the only modules
causing issues. So, we can now remove the kludge we had before
and the requirement for every DSC to include StackCheckLibNull
for SEC modules and just apply StackCheckLibNull globally.
This also changes every DSC to drop the SEC definition of
StackCheckLibNull.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
| |
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4867
Added MM_STANDALONE support in Driver and BaseCryptLibOnProtocolPpi.
Signed-off-by: Kanagavel S <kanagavels@ami.com>
| |
Openssl 3.0.15 has a larger memory footprint.
Updating from EDK 2022.2 (openssl 1.1.j) to 2024.2 (openssl 3.0.15)
causes our EFI provisioning application[1] to fail due to an out of
memory condition.
On inspection, at the time of that fault, 2022.2 had an additional 900
pages. This is why this patch proposes the increase of the ScratchMemory
buffer by that same amount.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4838
Updated the missed architectures in PeiCryptLib.inf file.
Signed-off-by: Kanagavel S <kanagavels@ami.com>
| |
Without this change we get:
error: variable 'Index' set but not used
when building on XCODE5.
Co-authored-by: Savva Mitrofanov <savvamtr@gmail.com>
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
| |
REF: https://edk2.groups.io/g/devel/message/88179
Without this change, we get:
fatal error: 'Availability.h' file not found
when building on XCODE5.
The workaround uses a define present in openssl/include/crypto/rand.h
which modifies openssl behaviour on Apple only, causing the library
to default to a non-system specific source of entropy in syscall_random()
in rand_unix.c.
Co-authored-by: Savva Mitrofanov <savvamtr@gmail.com>
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
| |
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4842
Signed-off-by: Li Yi <yi1.li@intel.com>
| |
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4842
CVE-2024-6119 affects TLS-client implementation of EDK2. Fix it by
updating to 3.0.15.
Signed-off-by: Li Yi <yi1.li@intel.com>
| |
Adding $(OPENSSL_PATH)/e_os.h to the list of source files had the effect
that $(OPENSSL_PATH)/ was added to the list of include directories.
With the file being gone in openssl-3.2.x this doesn't work any more.
Add the directory to the [Includes.Common.Private] section instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Will be needed by openssl-3.4.x
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Will be needed by openssl-3.2.x
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Will be needed by openssl-3.2.x
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
No functional change.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Turn gettimeofday() into a proper function with return value.
Will be needed by openssl-3.2.x
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Will be needed by openssl-3.2.x
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Create a special OpensslLib implementation that only exposes the SM3
routines that MbedTlsLib borrows from OpensslLib, to avoid having to
pull in other parts of OpenSSL that are not needed (e.g., via the
library constructor)
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
SM3 needs to be tested so we can verify that alternative implementations
(such as the one I will be contributing to BaseCryptLibMbedTls) as well
as the reference implementation produce the expected value.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
The CLANG35 and CLANG38 toolchain specifiers have been phased out, and
replaced with CLANGDWARF. Update the MbedTls library definitions
accordingly.
While at it, switch to the gnu99 C dialect, which is a better match with
GCC in C99 mode, which includes GCC specific GNU extensions.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
Remove the old stack check lib now that MdeLibs.inc includes
the new one.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
| |
As per the emailed RFC in
https://edk2.groups.io/g/devel/topic/rfc_move/107675828,
this patch moves CompilerIntrinsicsLib from ArmPkg to
MdePkg as this library provides compiler intrinsics, which
are industry standard.
This aligns with the goal of integrating ArmPkg into existing
packages: https://bugzilla.tianocore.org/show_bug.cgi?id=4121.
The newly placed CompilerIntrinsicsLib is added to MdeLibs.dsc.inc
as every DSC that builds ARM/AARCH64 needs this library added. The
old location is removed from every DSC in edk2 in this commit also
to not break bisectability with minimal hoop jumping.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
| |
Clang complains about a couple of variables potentially being
uninitialized, and those complaints seem to be valid.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
'asm' is not a keyword in C99, but GCC supports it nonetheless as a GNU
extension. So when using Clang, we must specify the gnu99 dialect
explicitly, or inline asm blocks using asm() rather than __asm__() will
be rejected by the compiler.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4830
Allow BrainpoolP512r1 to be leveraged when the corresponding curve ID
is passed to crypto libraries in EDK2
Signed-off-by: Michael G.A. Holland <michael.holland@intel.com>
| |
Enable the following modules builds for AARCH64:
- OpensslLibAccel.inf
- OpensslLibFullAccel.inf
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
| |
Add AARCH64 specific implementations of:
- OPENSSL_cpuid_setup(), probing hardware capabilities
(presence of FEAT_AES, etc.)
- OPENSSL_rdtsc(), returning non-trusted entropy by accessing
system counter.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
| |
Generate AARCH64 related files and update .inf files,
running:
python CryptoPkg/Library/OpensslLib/configure.py
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
| |
Add native instruction support for AARCH64.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
| |
Fix the wrong comment.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
| |
The error codes during TLS handshake errors are sometimes
not enough to understand the root cause of the problem.
Extending the debug output by the function and optional data helps
in some cases.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
| |
Webservers hosting multiple websites require the TLS SNI
(Server Name Indication) in the ClientHello to know which certificate
to return.
The current TLS code does not include the server name in the
ClientHello handshake, which leads to failed HTTPS boots when the
server does not return the correct certificate.
This sets the host name for SNI in TlsSetVerifyHost which receives the
host name also for verification against the certificates.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2817
Because of the change for strncpy, add the strncpy implementation.
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
| |
Needed to properly initialize BaseRngLib.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| |
Following https://bugzilla.tianocore.org/show_bug.cgi?id=2817 this
bug could also apply to strncpy and strcat.
For strncpy use count+1 if smaller than MAX_STRING_SIZE. This still
restricts the destination size to MAX_STRING_SIZE as before but allows
a strncpy when the source is close after destination without triggering
the InternalSafeStringNoAsciiStrOverlap check in AsciiStrnCpyS.
For strcat use the destination string length + the size of the source
string including the terminator as destination size if smaller than
MAX_STRING_SIZE.
Also move both functions to CrtWrapper.c as they do not return the
correct return value. AsciiStrnCpyS and AsciiStrCatS return
RETURN_VALUE instead of a char * to the destination buffer.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
| |
strcpy fails when strSource is closer than 4096 bytes after strDest.
This is caused by an overlap check in AsciiStrCpyS:
  //
  // 5. Copying shall not take place between objects that overlap.
  //
  SAFE_STRING_CONSTRAINT_CHECK (InternalSafeStringNoAsciiStrOverlap
  (Destination, DestMax, (CHAR8 *)Source, SourceLen + 1),
  RETURN_ACCESS_DENIED);
Since DestMax is MAX_STRING_SIZE (0x1000) and with a Source
that is in this area behind Destination, AsciiStrCpyS will fail
and strcpy will do nothing.
When called by CRYPTO_strdup in openssl this leads to uninitialized
memory that gets accessed instead of the copied string.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2817
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
| |
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=4509
Both return 0x80 value and
Asn1Tag != V_ASN1_SEQUENCE are wrong return.
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
| |
This facilitates RSA extension, PKCS7 sign, and bignum function to
broaden the range of algorithms available in SMM/StandaloneMM for
platform utilization.
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4698
The default drbg type of randlib has been switched to aes_256_ctr in
openssl1.1.1, so sha1 is not really used in RandomSeed(). Remove related code
which does SHA-1 support checking in CryptRand.c and CryptRandTsc.c to avoid
potential compatibility errors.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Shang Qingyu <qingyu.shang@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4509
CryptX509.c file has X509GetTBSCert() function and it is added Inf variable
to collect the return value of ASN1_get_object(), which return 0x80 in error
case. Supplement the return value check during the second function call
and correct the check logic.
Signed-off-by: Qingyu <qingyu.shang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4739
AES256-SHA256 is a Tls1.2 suite we need to support, add it to deflt_ciphers
in OpensslStub.
Signed-off-by: Shang Qingyu <qingyu.shang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Because the Mbedtls 3.3.0 doesn't have Sm3, the Sm3
implementation is based on Openssl.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Update all *.inf in BaseCryptLibMbedTls based on new implementation.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Timestamp Countersignature Verification implementation based on Mbedtls.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Implement AuthenticodeVerify based on Mbedtls.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Implement more RSA functions such as RsaPkcs1Sign based on Mbedtls.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
PBKDF2 Key Derivation Function Wrapper Implementation over MbedTLS.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
Because the current Mbedtls pkcs7 library doesn't support
authenticatedAttributes
and only supports 0 or 1 certificates in Signed data,
the patch implements Pkcs7 by low Mbedtls Api.
And the implementation has passed unit_test and integration test.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
| |
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177
X.509 Certificate Handler Wrapper Implementation over MbedTLS.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>