From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Thu, 16 May 2019 09:31:59 -0700 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 88F91307D84F; Thu, 16 May 2019 16:31:57 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-88.rdu2.redhat.com [10.10.121.88]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7F09B608D0; Thu, 16 May 2019 16:31:55 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b To: devel@edk2.groups.io, xiaoyux.lu@intel.com, Jian J Wang Cc: Ting Ye References: <1557993298-22205-1-git-send-email-xiaoyux.lu@intel.com> <1557993298-22205-7-git-send-email-xiaoyux.lu@intel.com> From: "Laszlo Ersek" Message-ID: <1bd39ee7-5cf4-2897-4571-812029754475@redhat.com> Date: Thu, 16 May 2019 18:31:54 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <1557993298-22205-7-git-send-email-xiaoyux.lu@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Thu, 16 May 2019 16:31:59 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Hi Jian, On 05/16/19 09:54, Xiaoyu lu wrote: > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089 > > * Update OpenSSL submodule to OpenSSL_1_1_1b > OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687) > > * Run process_files.pl script to regenerate OpensslLib[Crypto].inf > and opensslconf.h > > * Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf, > due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI > Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29), > which was first released as part of OpenSSL_1_1_1. > > * Starting with OpenSSL commit 8a8d9e1905(first release in > OpenSSL_1_1_1), the OpenSSL_version() function can no longer > return a pointer to the string literal "compiler: information > not available", in the case CFLAGS macro is not defined. > Instead, the function now has a hard dependency on the global > variable 'compiler_flags'. This variable is normally placed > by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't > run that script whenever we build OpenSSL, therefore we > must provide our own dummy 'compiler_flags'. > > * From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to > OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL > updated DRBG / RAND to request nonce and additional low entropy > randomness from system(line 229 openssl/CHANGES). > > Since OpenSSL_1_1_1b doesn't fully implement rand pool functions > for UEFI. We must provide a method to implenet these method. > TSC is used as first entropy source if it's availabe otherwise > fallback to TimerLib. But we are not sure the amount of randomness > they provide. If you really care about the security, one choice is > overrided it with hardware generator. > > Add rand_pool.c to implement these functions required by OpenSSL > rand_pool_acquire_entropy > rand_pool_add_nonce_data > rand_pool_add_additional_data > rand_pool_init > rand_pool_cleanup > rand_pool_keep_random_devices_open > > And add rand_pool_noise.* for getting entropy noise from different > architecture. > > * We don't need ossl_store functions. We exclude relative files > through process_files.pl. And ossl_store_cleanup_int was first > added in crypto/init.c OpenSSL_1_1_1(71a5516d). > So add a new file(ossl_store.c) to implement ossl_store_cleanup_int > function. > > * BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b) > And it is declared in stdio.h. So add it to CrtLibSupport.h. > Here's a discussion about this. > Ref: https://github.com/openssl/openssl/issues/8904 > > Cc: Jian J Wang > Cc: Ting Ye > Signed-off-by: Xiaoyu Lu > --- > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 60 +++- > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 51 +++- > CryptoPkg/Library/Include/CrtLibSupport.h | 13 +- > CryptoPkg/Library/Include/openssl/opensslconf.h | 54 +++- > CryptoPkg/Library/OpensslLib/buildinf.h | 2 + > CryptoPkg/Library/OpensslLib/rand_pool_noise.h | 29 ++ > CryptoPkg/Library/OpensslLib/ossl_store.c | 17 ++ > CryptoPkg/Library/OpensslLib/rand_pool.c | 316 +++++++++++++++++++++ > CryptoPkg/Library/OpensslLib/rand_pool_noise.c | 29 ++ > CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c | 43 +++ > CryptoPkg/Library/OpensslLib/openssl | 2 +- > 11 files changed, 584 insertions(+), 32 deletions(-) > create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.h > create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c > create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c > create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.c > create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c For this patch, I can offer two kinds of reviews: ---*--- (a) If you prefer to push this patch in the present form (that is, exactly as posted), then I will not give any official feedback tags, due to the crypto contents. I will not block the patch either, so if you and Ting are fine with the patch, it's OK for you to push it, from my side. ---*--- (b) Alternatively, you could split the patch in two halves, as follows: (b/1) In the first half, collect all the hunks for the following files: CryptoPkg/Library/OpensslLib/ossl_store.c CryptoPkg/Library/OpensslLib/rand_pool.c CryptoPkg/Library/OpensslLib/rand_pool_noise.c CryptoPkg/Library/OpensslLib/rand_pool_noise.h CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c plus include the commit message paragraphs about "rand_pool.c" and "ossl_store.c". For this half (b/1), I will not give any feedback. (b/2) In the second half, collect the rest of the changes, that is, the hunks for the following files / submodules, and the rest of the commit message: CryptoPkg/Library/Include/CrtLibSupport.h CryptoPkg/Library/Include/openssl/opensslconf.h CryptoPkg/Library/OpensslLib/OpensslLib.inf CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf CryptoPkg/Library/OpensslLib/buildinf.h CryptoPkg/Library/OpensslLib/openssl For the (b/2) half *ONLY*, you can add: Reviewed-by: Laszlo Ersek ---*--- It's up to you whether you pick (a) or (b). Normally I would request a v5 series for implementing (b), but we're out of time. If the community thinks that splitting up this patch into halves (b/1) and (b/2) is too intrusive for a maintainer to do without proper review, then I suggest going with (a) -- and then I'll provide no feedback tags. (But, I will also not block the patch, see above.) ... Well, in theory anyway, Xiaoyu could very quickly submit a v5 series, splitting this patch as explained under (b). In that case, the (b/2) half -- and *ONLY* that half -- of this patch could include my R-b at once. So, please decide. Thanks! Laszlo > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index f4d7772c068c..62dd61969cb0 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > @@ -1,7 +1,7 @@ > ## @file > # This module provides OpenSSL Library implementation. > # > -# Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent > # > ## > @@ -15,7 +15,7 @@ [Defines] > VERSION_STRING = 1.0 > LIBRARY_CLASS = OpensslLib > DEFINE OPENSSL_PATH = openssl > - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG > + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE > > # > # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 > @@ -32,6 +32,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/aes/aes_misc.c > $(OPENSSL_PATH)/crypto/aes/aes_ofb.c > $(OPENSSL_PATH)/crypto/aes/aes_wrap.c > + $(OPENSSL_PATH)/crypto/aria/aria.c > $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c > $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c > $(OPENSSL_PATH)/crypto/asn1/a_digest.c > @@ -54,6 +55,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c > $(OPENSSL_PATH)/crypto/asn1/asn1_err.c > $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c > + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c > $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c > $(OPENSSL_PATH)/crypto/asn1/asn1_par.c > $(OPENSSL_PATH)/crypto/asn1/asn_mime.c > @@ -172,6 +174,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/conf/conf_ssl.c > $(OPENSSL_PATH)/crypto/cpt_err.c > $(OPENSSL_PATH)/crypto/cryptlib.c > + $(OPENSSL_PATH)/crypto/ctype.c > $(OPENSSL_PATH)/crypto/cversion.c > $(OPENSSL_PATH)/crypto/des/cbc_cksm.c > $(OPENSSL_PATH)/crypto/des/cbc_enc.c > @@ -189,7 +192,6 @@ [Sources] > $(OPENSSL_PATH)/crypto/des/pcbc_enc.c > $(OPENSSL_PATH)/crypto/des/qud_cksm.c > $(OPENSSL_PATH)/crypto/des/rand_key.c > - $(OPENSSL_PATH)/crypto/des/rpc_enc.c > $(OPENSSL_PATH)/crypto/des/set_key.c > $(OPENSSL_PATH)/crypto/des/str2key.c > $(OPENSSL_PATH)/crypto/des/xcbc_enc.c > @@ -206,6 +208,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c > $(OPENSSL_PATH)/crypto/dh/dh_prn.c > $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c > + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c > $(OPENSSL_PATH)/crypto/dso/dso_dl.c > $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c > $(OPENSSL_PATH)/crypto/dso/dso_err.c > @@ -228,6 +231,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/e_aes.c > $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c > $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c > + $(OPENSSL_PATH)/crypto/evp/e_aria.c > $(OPENSSL_PATH)/crypto/evp/e_bf.c > $(OPENSSL_PATH)/crypto/evp/e_camellia.c > $(OPENSSL_PATH)/crypto/evp/e_cast.c > @@ -242,6 +246,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c > $(OPENSSL_PATH)/crypto/evp/e_rc5.c > $(OPENSSL_PATH)/crypto/evp/e_seed.c > + $(OPENSSL_PATH)/crypto/evp/e_sm4.c > $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c > $(OPENSSL_PATH)/crypto/evp/encode.c > $(OPENSSL_PATH)/crypto/evp/evp_cnf.c > @@ -259,6 +264,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/m_null.c > $(OPENSSL_PATH)/crypto/evp/m_ripemd.c > $(OPENSSL_PATH)/crypto/evp/m_sha1.c > + $(OPENSSL_PATH)/crypto/evp/m_sha3.c > $(OPENSSL_PATH)/crypto/evp/m_sigver.c > $(OPENSSL_PATH)/crypto/evp/m_wp.c > $(OPENSSL_PATH)/crypto/evp/names.c > @@ -271,10 +277,10 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/p_seal.c > $(OPENSSL_PATH)/crypto/evp/p_sign.c > $(OPENSSL_PATH)/crypto/evp/p_verify.c > + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c > $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c > $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c > $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c > - $(OPENSSL_PATH)/crypto/evp/scrypt.c > $(OPENSSL_PATH)/crypto/ex_data.c > $(OPENSSL_PATH)/crypto/getenv.c > $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c > @@ -283,6 +289,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/init.c > $(OPENSSL_PATH)/crypto/kdf/hkdf.c > $(OPENSSL_PATH)/crypto/kdf/kdf_err.c > + $(OPENSSL_PATH)/crypto/kdf/scrypt.c > $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c > $(OPENSSL_PATH)/crypto/lhash/lh_stats.c > $(OPENSSL_PATH)/crypto/lhash/lhash.c > @@ -360,14 +367,14 @@ [Sources] > $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c > $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c > $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c > - $(OPENSSL_PATH)/crypto/rand/md_rand.c > + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c > + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c > $(OPENSSL_PATH)/crypto/rand/rand_egd.c > $(OPENSSL_PATH)/crypto/rand/rand_err.c > $(OPENSSL_PATH)/crypto/rand/rand_lib.c > $(OPENSSL_PATH)/crypto/rand/rand_unix.c > $(OPENSSL_PATH)/crypto/rand/rand_vms.c > $(OPENSSL_PATH)/crypto/rand/rand_win.c > - $(OPENSSL_PATH)/crypto/rand/randfile.c > $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c > $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c > $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c > @@ -379,8 +386,8 @@ [Sources] > $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c > $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c > $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c > + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c > $(OPENSSL_PATH)/crypto/rsa/rsa_none.c > - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c > $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c > $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c > $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c > @@ -392,15 +399,27 @@ [Sources] > $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c > $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c > $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c > + $(OPENSSL_PATH)/crypto/sha/keccak1600.c > $(OPENSSL_PATH)/crypto/sha/sha1_one.c > $(OPENSSL_PATH)/crypto/sha/sha1dgst.c > $(OPENSSL_PATH)/crypto/sha/sha256.c > $(OPENSSL_PATH)/crypto/sha/sha512.c > + $(OPENSSL_PATH)/crypto/siphash/siphash.c > + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c > + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c > + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c > + $(OPENSSL_PATH)/crypto/sm3/sm3.c > + $(OPENSSL_PATH)/crypto/sm4/sm4.c > $(OPENSSL_PATH)/crypto/stack/stack.c > $(OPENSSL_PATH)/crypto/threads_none.c > $(OPENSSL_PATH)/crypto/threads_pthread.c > $(OPENSSL_PATH)/crypto/threads_win.c > $(OPENSSL_PATH)/crypto/txt_db/txt_db.c > + $(OPENSSL_PATH)/crypto/ui/ui_err.c > + $(OPENSSL_PATH)/crypto/ui/ui_lib.c > + $(OPENSSL_PATH)/crypto/ui/ui_null.c > + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c > + $(OPENSSL_PATH)/crypto/ui/ui_util.c > $(OPENSSL_PATH)/crypto/uid.c > $(OPENSSL_PATH)/crypto/x509/by_dir.c > $(OPENSSL_PATH)/crypto/x509/by_file.c > @@ -445,6 +464,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c > $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c > $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c > + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c > $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c > $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c > $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c > @@ -479,12 +499,14 @@ [Sources] > $(OPENSSL_PATH)/ssl/d1_msg.c > $(OPENSSL_PATH)/ssl/d1_srtp.c > $(OPENSSL_PATH)/ssl/methods.c > + $(OPENSSL_PATH)/ssl/packet.c > $(OPENSSL_PATH)/ssl/pqueue.c > $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c > $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c > $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c > $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c > $(OPENSSL_PATH)/ssl/record/ssl3_record.c > + $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c > $(OPENSSL_PATH)/ssl/s3_cbc.c > $(OPENSSL_PATH)/ssl/s3_enc.c > $(OPENSSL_PATH)/ssl/s3_lib.c > @@ -502,25 +524,45 @@ [Sources] > $(OPENSSL_PATH)/ssl/ssl_stat.c > $(OPENSSL_PATH)/ssl/ssl_txt.c > $(OPENSSL_PATH)/ssl/ssl_utst.c > + $(OPENSSL_PATH)/ssl/statem/extensions.c > + $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c > + $(OPENSSL_PATH)/ssl/statem/extensions_cust.c > + $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c > $(OPENSSL_PATH)/ssl/statem/statem.c > $(OPENSSL_PATH)/ssl/statem/statem_clnt.c > $(OPENSSL_PATH)/ssl/statem/statem_dtls.c > $(OPENSSL_PATH)/ssl/statem/statem_lib.c > $(OPENSSL_PATH)/ssl/statem/statem_srvr.c > $(OPENSSL_PATH)/ssl/t1_enc.c > - $(OPENSSL_PATH)/ssl/t1_ext.c > $(OPENSSL_PATH)/ssl/t1_lib.c > - $(OPENSSL_PATH)/ssl/t1_reneg.c > $(OPENSSL_PATH)/ssl/t1_trce.c > + $(OPENSSL_PATH)/ssl/tls13_enc.c > $(OPENSSL_PATH)/ssl/tls_srp.c > # Autogenerated files list ends here > > + ossl_store.c > + rand_pool.c > + > +[Sources.Ia32] > + rand_pool_noise_tsc.c > + > +[Sources.X64] > + rand_pool_noise_tsc.c > + > +[Sources.ARM] > + rand_pool_noise.c > + > +[Sources.AARCH64] > + rand_pool_noise.c > + > [Packages] > MdePkg/MdePkg.dec > CryptoPkg/CryptoPkg.dec > > [LibraryClasses] > + BaseLib > DebugLib > + TimerLib > > [LibraryClasses.ARM] > ArmSoftFloatLib > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > index fd12d112edb2..49599a42d180 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > @@ -1,7 +1,7 @@ > ## @file > # This module provides OpenSSL Library implementation. > # > -# Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent > # > ## > @@ -15,7 +15,7 @@ [Defines] > VERSION_STRING = 1.0 > LIBRARY_CLASS = OpensslLib > DEFINE OPENSSL_PATH = openssl > - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG > + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE > > # > # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 > @@ -32,6 +32,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/aes/aes_misc.c > $(OPENSSL_PATH)/crypto/aes/aes_ofb.c > $(OPENSSL_PATH)/crypto/aes/aes_wrap.c > + $(OPENSSL_PATH)/crypto/aria/aria.c > $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c > $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c > $(OPENSSL_PATH)/crypto/asn1/a_digest.c > @@ -54,6 +55,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c > $(OPENSSL_PATH)/crypto/asn1/asn1_err.c > $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c > + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c > $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c > $(OPENSSL_PATH)/crypto/asn1/asn1_par.c > $(OPENSSL_PATH)/crypto/asn1/asn_mime.c > @@ -172,6 +174,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/conf/conf_ssl.c > $(OPENSSL_PATH)/crypto/cpt_err.c > $(OPENSSL_PATH)/crypto/cryptlib.c > + $(OPENSSL_PATH)/crypto/ctype.c > $(OPENSSL_PATH)/crypto/cversion.c > $(OPENSSL_PATH)/crypto/des/cbc_cksm.c > $(OPENSSL_PATH)/crypto/des/cbc_enc.c > @@ -189,7 +192,6 @@ [Sources] > $(OPENSSL_PATH)/crypto/des/pcbc_enc.c > $(OPENSSL_PATH)/crypto/des/qud_cksm.c > $(OPENSSL_PATH)/crypto/des/rand_key.c > - $(OPENSSL_PATH)/crypto/des/rpc_enc.c > $(OPENSSL_PATH)/crypto/des/set_key.c > $(OPENSSL_PATH)/crypto/des/str2key.c > $(OPENSSL_PATH)/crypto/des/xcbc_enc.c > @@ -206,6 +208,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c > $(OPENSSL_PATH)/crypto/dh/dh_prn.c > $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c > + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c > $(OPENSSL_PATH)/crypto/dso/dso_dl.c > $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c > $(OPENSSL_PATH)/crypto/dso/dso_err.c > @@ -228,6 +231,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/e_aes.c > $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c > $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c > + $(OPENSSL_PATH)/crypto/evp/e_aria.c > $(OPENSSL_PATH)/crypto/evp/e_bf.c > $(OPENSSL_PATH)/crypto/evp/e_camellia.c > $(OPENSSL_PATH)/crypto/evp/e_cast.c > @@ -242,6 +246,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c > $(OPENSSL_PATH)/crypto/evp/e_rc5.c > $(OPENSSL_PATH)/crypto/evp/e_seed.c > + $(OPENSSL_PATH)/crypto/evp/e_sm4.c > $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c > $(OPENSSL_PATH)/crypto/evp/encode.c > $(OPENSSL_PATH)/crypto/evp/evp_cnf.c > @@ -259,6 +264,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/m_null.c > $(OPENSSL_PATH)/crypto/evp/m_ripemd.c > $(OPENSSL_PATH)/crypto/evp/m_sha1.c > + $(OPENSSL_PATH)/crypto/evp/m_sha3.c > $(OPENSSL_PATH)/crypto/evp/m_sigver.c > $(OPENSSL_PATH)/crypto/evp/m_wp.c > $(OPENSSL_PATH)/crypto/evp/names.c > @@ -271,10 +277,10 @@ [Sources] > $(OPENSSL_PATH)/crypto/evp/p_seal.c > $(OPENSSL_PATH)/crypto/evp/p_sign.c > $(OPENSSL_PATH)/crypto/evp/p_verify.c > + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c > $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c > $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c > $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c > - $(OPENSSL_PATH)/crypto/evp/scrypt.c > $(OPENSSL_PATH)/crypto/ex_data.c > $(OPENSSL_PATH)/crypto/getenv.c > $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c > @@ -283,6 +289,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/init.c > $(OPENSSL_PATH)/crypto/kdf/hkdf.c > $(OPENSSL_PATH)/crypto/kdf/kdf_err.c > + $(OPENSSL_PATH)/crypto/kdf/scrypt.c > $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c > $(OPENSSL_PATH)/crypto/lhash/lh_stats.c > $(OPENSSL_PATH)/crypto/lhash/lhash.c > @@ -360,14 +367,14 @@ [Sources] > $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c > $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c > $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c > - $(OPENSSL_PATH)/crypto/rand/md_rand.c > + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c > + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c > $(OPENSSL_PATH)/crypto/rand/rand_egd.c > $(OPENSSL_PATH)/crypto/rand/rand_err.c > $(OPENSSL_PATH)/crypto/rand/rand_lib.c > $(OPENSSL_PATH)/crypto/rand/rand_unix.c > $(OPENSSL_PATH)/crypto/rand/rand_vms.c > $(OPENSSL_PATH)/crypto/rand/rand_win.c > - $(OPENSSL_PATH)/crypto/rand/randfile.c > $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c > $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c > $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c > @@ -379,8 +386,8 @@ [Sources] > $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c > $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c > $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c > + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c > $(OPENSSL_PATH)/crypto/rsa/rsa_none.c > - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c > $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c > $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c > $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c > @@ -392,15 +399,27 @@ [Sources] > $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c > $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c > $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c > + $(OPENSSL_PATH)/crypto/sha/keccak1600.c > $(OPENSSL_PATH)/crypto/sha/sha1_one.c > $(OPENSSL_PATH)/crypto/sha/sha1dgst.c > $(OPENSSL_PATH)/crypto/sha/sha256.c > $(OPENSSL_PATH)/crypto/sha/sha512.c > + $(OPENSSL_PATH)/crypto/siphash/siphash.c > + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c > + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c > + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c > + $(OPENSSL_PATH)/crypto/sm3/sm3.c > + $(OPENSSL_PATH)/crypto/sm4/sm4.c > $(OPENSSL_PATH)/crypto/stack/stack.c > $(OPENSSL_PATH)/crypto/threads_none.c > $(OPENSSL_PATH)/crypto/threads_pthread.c > $(OPENSSL_PATH)/crypto/threads_win.c > $(OPENSSL_PATH)/crypto/txt_db/txt_db.c > + $(OPENSSL_PATH)/crypto/ui/ui_err.c > + $(OPENSSL_PATH)/crypto/ui/ui_lib.c > + $(OPENSSL_PATH)/crypto/ui/ui_null.c > + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c > + $(OPENSSL_PATH)/crypto/ui/ui_util.c > $(OPENSSL_PATH)/crypto/uid.c > $(OPENSSL_PATH)/crypto/x509/by_dir.c > $(OPENSSL_PATH)/crypto/x509/by_file.c > @@ -445,6 +464,7 @@ [Sources] > $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c > $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c > $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c > + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c > $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c > $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c > $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c > @@ -476,12 +496,29 @@ [Sources] > $(OPENSSL_PATH)/crypto/x509v3/v3err.c > # Autogenerated files list ends here > > + ossl_store.c > + rand_pool.c > + > +[Sources.Ia32] > + rand_pool_noise_tsc.c > + > +[Sources.X64] > + rand_pool_noise_tsc.c > + > +[Sources.ARM] > + rand_pool_noise.c > + > +[Sources.AARCH64] > + rand_pool_noise.c > + > [Packages] > MdePkg/MdePkg.dec > CryptoPkg/CryptoPkg.dec > > [LibraryClasses] > + BaseLib > DebugLib > + TimerLib > > [LibraryClasses.ARM] > ArmSoftFloatLib > diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h > index b05c5d908ce2..5806f50f7485 100644 > --- a/CryptoPkg/Library/Include/CrtLibSupport.h > +++ b/CryptoPkg/Library/Include/CrtLibSupport.h > @@ -2,7 +2,7 @@ > Root include file of C runtime library to support building the third-party > cryptographic library. > > -Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > @@ -21,6 +21,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #define MAX_STRING_SIZE 0x1000 > > // > +// We already have "no-ui" in out Configure invocation. > +// but the code still fails to compile. > +// Ref: https://github.com/openssl/openssl/issues/8904 > +// > +// This is defined in CRT library(stdio.h). > +// > +#ifndef BUFSIZ > +#define BUFSIZ 8192 > +#endif > + > +// > // OpenSSL relies on explicit configuration for word size in crypto/bn, > // but we want it to be automatically inferred from the target. So we > // bypass what's in for OPENSSL_SYS_UEFI, and > diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h > index 28dd9ab93c61..07fa2d3ce280 100644 > --- a/CryptoPkg/Library/Include/openssl/opensslconf.h > +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h > @@ -10,6 +10,8 @@ > * https://www.openssl.org/source/license.html > */ > > +#include > + > #ifdef __cplusplus > extern "C" { > #endif > @@ -77,18 +79,21 @@ extern "C" { > #ifndef OPENSSL_NO_SEED > # define OPENSSL_NO_SEED > #endif > +#ifndef OPENSSL_NO_SM2 > +# define OPENSSL_NO_SM2 > +#endif > #ifndef OPENSSL_NO_SRP > # define OPENSSL_NO_SRP > #endif > #ifndef OPENSSL_NO_TS > # define OPENSSL_NO_TS > #endif > -#ifndef OPENSSL_NO_UI > -# define OPENSSL_NO_UI > -#endif > #ifndef OPENSSL_NO_WHIRLPOOL > # define OPENSSL_NO_WHIRLPOOL > #endif > +#ifndef OPENSSL_RAND_SEED_NONE > +# define OPENSSL_RAND_SEED_NONE > +#endif > #ifndef OPENSSL_NO_AFALGENG > # define OPENSSL_NO_AFALGENG > #endif > @@ -122,6 +127,9 @@ extern "C" { > #ifndef OPENSSL_NO_DEPRECATED > # define OPENSSL_NO_DEPRECATED > #endif > +#ifndef OPENSSL_NO_DEVCRYPTOENG > +# define OPENSSL_NO_DEVCRYPTOENG > +#endif > #ifndef OPENSSL_NO_DGRAM > # define OPENSSL_NO_DGRAM > #endif > @@ -155,6 +163,9 @@ extern "C" { > #ifndef OPENSSL_NO_ERR > # define OPENSSL_NO_ERR > #endif > +#ifndef OPENSSL_NO_EXTERNAL_TESTS > +# define OPENSSL_NO_EXTERNAL_TESTS > +#endif > #ifndef OPENSSL_NO_FILENAMES > # define OPENSSL_NO_FILENAMES > #endif > @@ -209,15 +220,24 @@ extern "C" { > #ifndef OPENSSL_NO_TESTS > # define OPENSSL_NO_TESTS > #endif > +#ifndef OPENSSL_NO_TLS1_3 > +# define OPENSSL_NO_TLS1_3 > +#endif > #ifndef OPENSSL_NO_UBSAN > # define OPENSSL_NO_UBSAN > #endif > +#ifndef OPENSSL_NO_UI_CONSOLE > +# define OPENSSL_NO_UI_CONSOLE > +#endif > #ifndef OPENSSL_NO_UNIT_TEST > # define OPENSSL_NO_UNIT_TEST > #endif > #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS > # define OPENSSL_NO_WEAK_SSL_CIPHERS > #endif > +#ifndef OPENSSL_NO_DYNAMIC_ENGINE > +# define OPENSSL_NO_DYNAMIC_ENGINE > +#endif > #ifndef OPENSSL_NO_AFALGENG > # define OPENSSL_NO_AFALGENG > #endif > @@ -236,15 +256,11 @@ extern "C" { > * functions. > */ > #ifndef DECLARE_DEPRECATED > -# if defined(OPENSSL_NO_DEPRECATED) > -# define DECLARE_DEPRECATED(f) > -# else > -# define DECLARE_DEPRECATED(f) f; > -# ifdef __GNUC__ > -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) > -# undef DECLARE_DEPRECATED > -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); > -# endif > +# define DECLARE_DEPRECATED(f) f; > +# ifdef __GNUC__ > +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) > +# undef DECLARE_DEPRECATED > +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); > # endif > # endif > #endif > @@ -268,6 +284,18 @@ extern "C" { > # define OPENSSL_API_COMPAT OPENSSL_MIN_API > #endif > > +/* > + * Do not deprecate things to be deprecated in version 1.2.0 before the > + * OpenSSL version number matches. > + */ > +#if OPENSSL_VERSION_NUMBER < 0x10200000L > +# define DEPRECATEDIN_1_2_0(f) f; > +#elif OPENSSL_API_COMPAT < 0x10200000L > +# define DEPRECATEDIN_1_2_0(f) DECLARE_DEPRECATED(f) > +#else > +# define DEPRECATEDIN_1_2_0(f) > +#endif > + > #if OPENSSL_API_COMPAT < 0x10100000L > # define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f) > #else > @@ -286,8 +314,6 @@ extern "C" { > # define DEPRECATEDIN_0_9_8(f) > #endif > > - > - > /* Generate 80386 code? */ > #undef I386_ONLY > > diff --git a/CryptoPkg/Library/OpensslLib/buildinf.h b/CryptoPkg/Library/OpensslLib/buildinf.h > index c5ca293c729f..b840c8656a28 100644 > --- a/CryptoPkg/Library/OpensslLib/buildinf.h > +++ b/CryptoPkg/Library/OpensslLib/buildinf.h > @@ -1,2 +1,4 @@ > #define PLATFORM "UEFI" > #define DATE "Fri Dec 22 01:23:45 PDT 2017" > + > +const char * compiler_flags = "compiler: information not available from edk2"; > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h > new file mode 100644 > index 000000000000..75acc686a9f1 > --- /dev/null > +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h > @@ -0,0 +1,29 @@ > +/** @file > + Provide rand noise source. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __RAND_POOL_NOISE_H__ > +#define __RAND_POOL_NOISE_H__ > + > +#include > + > +/** > + Get 64-bit noise source. > + > + @param[out] Rand Buffer pointer to store 64-bit noise source > + > + @retval TRUE Get randomness successfully. > + @retval FALSE Failed to generate > +**/ > +BOOLEAN > +EFIAPI > +GetRandomNoise64 ( > + OUT UINT64 *Rand > + ); > + > + > +#endif // __RAND_POOL_NOISE_H__ > diff --git a/CryptoPkg/Library/OpensslLib/ossl_store.c b/CryptoPkg/Library/OpensslLib/ossl_store.c > new file mode 100644 > index 000000000000..29e1506048e3 > --- /dev/null > +++ b/CryptoPkg/Library/OpensslLib/ossl_store.c > @@ -0,0 +1,17 @@ > +/** @file > + Dummy implement ossl_store(Store retrieval functions) for UEFI. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +/* > + * This function is cleanup ossl store. > + * > + * Dummy Implement for UEFI > + */ > +void ossl_store_cleanup_int(void) > +{ > +} > + > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c b/CryptoPkg/Library/OpensslLib/rand_pool.c > new file mode 100644 > index 000000000000..9d2a4ad13823 > --- /dev/null > +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c > @@ -0,0 +1,316 @@ > +/** @file > + OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI. > + The file implement these functions. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "internal/rand_int.h" > +#include > + > +#include > +#include > + > +#include "rand_pool_noise.h" > + > +/** > + Get some randomness from low-order bits of GetPerformanceCounter results. > + And combine them to the 64-bit value > + > + @param[out] Rand Buffer pointer to store the 64-bit random value. > + > + @retval TRUE Random number generated successfully. > + @retval FALSE Failed to generate. > +**/ > +STATIC > +BOOLEAN > +EFIAPI > +GetRandNoise64FromPerformanceCounter( > + OUT UINT64 *Rand > + ) > +{ > + UINT32 Index; > + UINT32 *RandPtr; > + > + if (NULL == Rand) { > + return FALSE; > + } > + > + RandPtr = (UINT32 *) Rand; > + > + for (Index = 0; Index < 2; Index ++) { > + *RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF); > + MicroSecondDelay (10); > + RandPtr++; > + } > + > + return TRUE; > +} > + > +/** > + Calls RandomNumber64 to fill > + a buffer of arbitrary size with random bytes. > + > + @param[in] Length Size of the buffer, in bytes, to fill with. > + @param[out] RandBuffer Pointer to the buffer to store the random result. > + > + @retval EFI_SUCCESS Random bytes generation succeeded. > + @retval EFI_NOT_READY Failed to request random bytes. > + > +**/ > +STATIC > +BOOLEAN > +EFIAPI > +RandGetBytes ( > + IN UINTN Length, > + OUT UINT8 *RandBuffer > + ) > +{ > + BOOLEAN Ret; > + UINT64 TempRand; > + > + Ret = FALSE; > + > + while (Length > 0) { > + // > + // Get random noise from platform. > + // If it failed, fallback to PerformanceCounter > + // If you really care about security, you must override > + // GetRandomNoise64FromPlatform. > + // > + Ret = GetRandomNoise64 (&TempRand); > + if (Ret == FALSE) { > + Ret = GetRandNoise64FromPerformanceCounter (&TempRand); > + } > + if (!Ret) { > + return Ret; > + } > + if (Length >= sizeof (TempRand)) { > + *((UINT64*) RandBuffer) = TempRand; > + RandBuffer += sizeof (UINT64); > + Length -= sizeof (TempRand); > + } else { > + CopyMem (RandBuffer, &TempRand, Length); > + Length = 0; > + } > + } > + > + return Ret; > +} > + > +/** > + Creates a 128bit random value that is fully forward and backward prediction resistant, > + suitable for seeding a NIST SP800-90 Compliant. > + This function takes multiple random numbers from PerformanceCounter to ensure reseeding > + and performs AES-CBC-MAC over the data to compute the seed value. > + > + @param[out] SeedBuffer Pointer to a 128bit buffer to store the random seed. > + > + @retval TRUE Random seed generation succeeded. > + @retval FALSE Failed to request random bytes. > + > +**/ > +STATIC > +BOOLEAN > +EFIAPI > +RandGetSeed128 ( > + OUT UINT8 *SeedBuffer > + ) > +{ > + BOOLEAN Ret; > + UINT8 RandByte[16]; > + UINT8 Key[16]; > + UINT8 Ffv[16]; > + UINT8 Xored[16]; > + UINT32 Index; > + UINT32 Index2; > + AES_KEY AESKey; > + > + // > + // Chose an arbitary key and zero the feed_forward_value (FFV) > + // > + for (Index = 0; Index < 16; Index++) { > + Key[Index] = (UINT8) Index; > + Ffv[Index] = 0; > + } > + > + AES_set_encrypt_key (Key, 16 * 8, &AESKey); > + > + // > + // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps between 128 bit value > + // The 10us gaps will ensure multiple reseeds within the system time with a large > + // design margin. > + // > + for (Index = 0; Index < 32; Index++) { > + MicroSecondDelay (10); > + Ret = RandGetBytes (16, RandByte); > + if (!Ret) { > + return Ret; > + } > + > + // > + // Perform XOR operations on two 128-bit value. > + // > + for (Index2 = 0; Index2 < 16; Index2++) { > + Xored[Index2] = RandByte[Index2] ^ Ffv[Index2]; > + } > + > + AES_encrypt (Xored, Ffv, &AESKey); > + } > + > + for (Index = 0; Index < 16; Index++) { > + SeedBuffer[Index] = Ffv[Index]; > + } > + > + return Ret; > +} > + > +/** > + Generate high-quality entropy source. > + > + @param[in] Length Size of the buffer, in bytes, to fill with. > + @param[out] Entropy Pointer to the buffer to store the entropy data. > + > + @retval EFI_SUCCESS Entropy generation succeeded. > + @retval EFI_NOT_READY Failed to request random data. > + > +**/ > +STATIC > +BOOLEAN > +EFIAPI > +RandGenerateEntropy ( > + IN UINTN Length, > + OUT UINT8 *Entropy > + ) > +{ > + BOOLEAN Ret; > + UINTN BlockCount; > + UINT8 Seed[16]; > + UINT8 *Ptr; > + > + BlockCount = Length / 16; > + Ptr = (UINT8 *) Entropy; > + > + // > + // Generate high-quality seed for DRBG Entropy > + // > + while (BlockCount > 0) { > + Ret = RandGetSeed128 (Seed); > + if (!Ret) { > + return Ret; > + } > + CopyMem (Ptr, Seed, 16); > + > + BlockCount--; > + Ptr = Ptr + 16; > + } > + > + // > + // Populate the remained data as request. > + // > + Ret = RandGetSeed128 (Seed); > + if (!Ret) { > + return Ret; > + } > + CopyMem (Ptr, Seed, (Length % 16)); > + > + return Ret; > +} > + > +/* > + * Add random bytes to the pool to acquire requested amount of entropy > + * > + * This function is platform specific and tries to acquire the requested > + * amount of entropy by polling platform specific entropy sources. > + * > + * This is OpenSSL required interface. > + */ > +size_t rand_pool_acquire_entropy(RAND_POOL *pool) > +{ > + BOOLEAN Ret; > + size_t bytes_needed; > + unsigned char * buffer; > + > + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); > + if (bytes_needed > 0) { > + buffer = rand_pool_add_begin(pool, bytes_needed); > + > + if (buffer != NULL) { > + Ret = RandGenerateEntropy(bytes_needed, buffer); > + if (FALSE == Ret) { > + rand_pool_add_end(pool, 0, 0); > + } else { > + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); > + } > + } > + } > + > + return rand_pool_entropy_available(pool); > +} > + > +/* > + * Implementation for UEFI > + * > + * This is OpenSSL required interface. > + */ > +int rand_pool_add_nonce_data(RAND_POOL *pool) > +{ > + struct { > + UINT64 Rand; > + UINT64 TimerValue; > + } data = { 0 }; > + > + RandGetBytes(8, (UINT8 *)&(data.Rand)); > + data.TimerValue = GetPerformanceCounter(); > + > + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0); > +} > + > +/* > + * Implementation for UEFI > + * > + * This is OpenSSL required interface. > + */ > +int rand_pool_add_additional_data(RAND_POOL *pool) > +{ > + struct { > + UINT64 Rand; > + UINT64 TimerValue; > + } data = { 0 }; > + > + RandGetBytes(8, (UINT8 *)&(data.Rand)); > + data.TimerValue = GetPerformanceCounter(); > + > + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0); > +} > + > +/* > + * Dummy Implememtation for UEFI > + * > + * This is OpenSSL required interface. > + */ > +int rand_pool_init(void) > +{ > + return 1; > +} > + > +/* > + * Dummy Implememtation for UEFI > + * > + * This is OpenSSL required interface. > + */ > +void rand_pool_cleanup(void) > +{ > +} > + > +/* > + * Dummy Implememtation for UEFI > + * > + * This is OpenSSL required interface. > + */ > +void rand_pool_keep_random_devices_open(int keep) > +{ > +} > + > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c > new file mode 100644 > index 000000000000..c16ed8b45496 > --- /dev/null > +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c > @@ -0,0 +1,29 @@ > +/** @file > + Provide rand noise source. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > + > +/** > + Get 64-bit noise source > + > + @param[out] Rand Buffer pointer to store 64-bit noise source > + > + @retval FALSE Failed to generate > +**/ > +BOOLEAN > +EFIAPI > +GetRandomNoise64 ( > + OUT UINT64 *Rand > + ) > +{ > + // > + // Return FALSE will fallback to use PerformaceCounter to > + // generate noise. > + // > + return FALSE; > +} > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c > new file mode 100644 > index 000000000000..4158106231fd > --- /dev/null > +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c > @@ -0,0 +1,43 @@ > +/** @file > + Provide rand noise source. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > +#include > +#include > + > +/** > + Get 64-bit noise source > + > + @param[out] Rand Buffer pointer to store 64-bit noise source > + > + @retval TRUE Get randomness successfully. > + @retval FALSE Failed to generate > +**/ > +BOOLEAN > +EFIAPI > +GetRandomNoise64 ( > + OUT UINT64 *Rand > + ) > +{ > + UINT32 Index; > + UINT32 *RandPtr; > + > + if (NULL == Rand) { > + return FALSE; > + } > + > + RandPtr = (UINT32 *)Rand; > + > + for (Index = 0; Index < 2; Index ++) { > + *RandPtr = (UINT32) ((AsmReadTsc ()) & 0xFF); > + RandPtr++; > + MicroSecondDelay (10); > + } > + > + return TRUE; > +} > diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl > index 74f2d9c1ec5f..50eaac9f3337 160000 > --- a/CryptoPkg/Library/OpensslLib/openssl > +++ b/CryptoPkg/Library/OpensslLib/openssl > @@ -1 +1 @@ > -Subproject commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762 > +Subproject commit 50eaac9f3337667259de725451f201e784599687 >