From 80e28dcec86d011b525667148e6d16d30e7693cf Mon Sep 17 00:00:00 2001 From: Zhichao Gao Date: Thu, 23 Apr 2020 14:43:08 +0800 Subject: CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898 Aes Ecb mode is not secure any longer. Remove the Aes Ecb mode support from edk2. Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the function is unsupported any longer. Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Siyuan Fu Cc: Michael D Kinney Cc: Jiewen Yao Cc: Philippe Mathieu-Daude Reviewed-by: Jian J Wang Signed-off-by: Zhichao Gao --- CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c | 114 --------------------- .../Library/BaseCryptLib/Cipher/CryptAesNull.c | 52 ---------- .../Library/BaseCryptLibNull/Cipher/CryptAesNull.c | 52 ---------- .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 76 -------------- 4 files changed, 294 deletions(-) (limited to 'CryptoPkg/Library') diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c index 2515b34bb8..914cffb211 100644 --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c @@ -78,120 +78,6 @@ AesInit ( return TRUE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - AES_KEY *AesKey; - - // - // Check input parameters. - // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) { - return FALSE; - } - - AesKey = (AES_KEY *) AesContext; - - // - // Perform AES data encryption with ECB mode (block-by-block) - // - while (InputSize > 0) { - AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT); - Input += AES_BLOCK_SIZE; - Output += AES_BLOCK_SIZE; - InputSize -= AES_BLOCK_SIZE; - } - - return TRUE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - AES_KEY *AesKey; - - // - // Check input parameters. - // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) { - return FALSE; - } - - AesKey = (AES_KEY *) AesContext; - - // - // Perform AES data decryption with ECB mode (block-by-block) - // - while (InputSize > 0) { - AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT); - Input += AES_BLOCK_SIZE; - Output += AES_BLOCK_SIZE; - InputSize -= AES_BLOCK_SIZE; - } - - return TRUE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c index a82adacf4f..d235422e7a 100644 --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c @@ -50,58 +50,6 @@ AesInit ( return FALSE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c index a82adacf4f..d235422e7a 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c @@ -50,58 +50,6 @@ AesInit ( return FALSE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 43ee4e0841..c937f8540d 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -1518,82 +1518,6 @@ AesInit ( CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE); } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE); -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE); -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. -- cgit v1.2.3