From: "Gao, Zhichao" <zhichao.gao@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>, Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: [PATCH 7/8] Crypto/BaseCryptLib: Using pcd to control MD5 enablement
Date: Fri, 27 Mar 2020 09:56:28 +0800 [thread overview]
Message-ID: <20200327015629.2588-8-zhichao.gao@intel.com> (raw)
In-Reply-To: <20200327015629.2588-1-zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
Md5 and SHA1 is not secure any longer but uefi spec need to keep them
for backwards compatibility.
Use pcd PcdMD5Enable to control the MD5 function enablement.
When disable the MD5 functions would not be complied.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Driver/Crypto.c | 9 +++++++++
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 3 +++
CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c | 5 ++++-
CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 3 +++
CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c | 3 +++
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 3 +++
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 3 +++
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 3 +++
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +++
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 3 +++
CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c | 3 +++
.../Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 3 +++
CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 5 +++++
CryptoPkg/Private/Protocol/Crypto.h | 7 ++++++-
14 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index cc5fd922b7..b53da85bad 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -13,6 +13,7 @@
#include <Library/TlsLib.h>
#include <Protocol/Crypto.h>
#include <Pcd/PcdCryptoServiceFamilyEnable.h>
+#include <Library/PcdLib.h>
/**
A macro used to retrieve the FixedAtBuild PcdCryptoServiceFamilyEnable with a
@@ -105,6 +106,7 @@ CryptoServiceGetCryptoVersion (
// One-Way Cryptographic Hash Primitives
//=====================================================================================
+#if (FixedPcdGetBool (PcdMD5Enable))
/**
Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
@@ -262,6 +264,7 @@ CryptoServiceMd5HashAll (
{
return CALL_BASECRYPTLIB (Md5.Services.HashAll, Md5HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -1021,6 +1024,7 @@ CryptoServiceSm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
+#if (FixedPcdGetBool (PcdMD5Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
@@ -1171,6 +1175,7 @@ CryptoServiceHmacMd5Final (
{
return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
}
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -3806,6 +3811,7 @@ CryptoServiceTlsGetCertRevocationList (
const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
/// Version
CryptoServiceGetCryptoVersion,
+#if (FixedPcdGetBool (PcdMD5Enable))
/// HMAC MD5
CryptoServiceHmacMd5New,
CryptoServiceHmacMd5Free,
@@ -3813,6 +3819,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceHmacMd5Duplicate,
CryptoServiceHmacMd5Update,
CryptoServiceHmacMd5Final,
+#endif
/// HMAC SHA1
CryptoServiceHmacSha1New,
CryptoServiceHmacSha1Free,
@@ -3827,6 +3834,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceHmacSha256Duplicate,
CryptoServiceHmacSha256Update,
CryptoServiceHmacSha256Final,
+#if (FixedPcdGetBool (PcdMD5Enable))
/// Md5
CryptoServiceMd5GetContextSize,
CryptoServiceMd5Init,
@@ -3834,6 +3842,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceMd5Update,
CryptoServiceMd5Final,
CryptoServiceMd5HashAll,
+#endif
/// Pkcs
CryptoServicePkcs1v2Encrypt,
CryptoServicePkcs5HashPassword,
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 498e0f75e8..5c65ef5892 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -83,6 +83,9 @@
IntrinsicLib
PrintLib
+[Pcd]
+ gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+
#
# Remove these [BuildOptions] after this library is cleaned up
#
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
index 0e0d0ec54d..5af0c03a1c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
@@ -1,11 +1,13 @@
/** @file
MD5 Digest Wrapper Implementation over OpenSSL.
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdMD5Enable))
#include "InternalCryptLib.h"
#include <openssl/md5.h>
@@ -223,3 +225,4 @@ Md5HashAll (
return TRUE;
}
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
index da46ce09f4..2946e6432b 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
@@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdMD5Enable))
#include "InternalCryptLib.h"
#include <openssl/hmac.h>
@@ -214,3 +216,4 @@ HmacMd5Final (
return TRUE;
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
index 5de55bf0d5..befd0b4c08 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
@@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdMD5Enable))
#include "InternalCryptLib.h"
/**
@@ -137,3 +139,4 @@ HmacMd5Final (
ASSERT (FALSE);
return FALSE;
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f631f8d879..cebc74ccf2 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -76,6 +76,9 @@
OpensslLib
IntrinsicLib
+[Pcd]
+ gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+
#
# Remove these [BuildOptions] after this library is cleaned up
#
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
index d24e1fdf68..31b78464d2 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
+#include <Library/PcdLib.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -291,9 +292,11 @@ RsaPkcs1Verify (
// Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported.
//
switch (HashSize) {
+#if (FixedPcdGetBool (PcdMD5Enable))
case MD5_DIGEST_SIZE:
DigestType = NID_md5;
break;
+#endif
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
index 7cd5fecf04..1a50be1d78 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
+#include <Library/PcdLib.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -329,9 +330,11 @@ RsaPkcs1Sign (
// Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported.
//
switch (HashSize) {
+#if (FixedPcdGetBool (PcdMD5Enable))
case MD5_DIGEST_SIZE:
DigestType = NID_md5;
break;
+#endif
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 3b664ae30a..72d4cd03ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -88,6 +88,9 @@
IntrinsicLib
PrintLib
+[Pcd]
+ gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+
#
# Remove these [BuildOptions] after this library is cleaned up
#
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc3556ae3f..21f104c916 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -87,6 +87,9 @@
IntrinsicLib
PrintLib
+[Pcd]
+ gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+
#
# Remove these [BuildOptions] after this library is cleaned up
#
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c
index 34c539fe3a..cbf863b1f8 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c
@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdMD5Enable))
#include "InternalCryptLib.h"
@@ -163,3 +165,4 @@ Md5HashAll(
ASSERT(FALSE);
return FALSE;
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
index 5de55bf0d5..befd0b4c08 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
@@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdMD5Enable))
#include "InternalCryptLib.h"
/**
@@ -137,3 +139,4 @@ HmacMd5Final (
ASSERT (FALSE);
return FALSE;
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c937f8540d..cba1e4c8bf 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -14,6 +14,7 @@
#include <Library/BaseCryptLib.h>
#include <Library/TlsLib.h>
#include <Protocol/Crypto.h>
+#include <Library/PcdLib.h>
/**
A macro used to call a non-void service in an EDK II Crypto Protocol.
@@ -99,6 +100,7 @@ CryptoServiceNotAvailable (
// One-Way Cryptographic Hash Primitives
//=====================================================================================
+#if (FixedPcdGetBool (PcdMD5Enable))
/**
Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
@@ -256,6 +258,7 @@ Md5HashAll (
{
CALL_CRYPTO_SERVICE (Md5HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -1015,6 +1018,7 @@ Sm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
+#if (FixedPcdGetBool (PcdMD5Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
@@ -1165,6 +1169,7 @@ HmacMd5Final (
{
CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
}
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 2c46a91eb6..527318dc23 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -43,6 +43,7 @@ UINTN
//=====================================================================================
// MAC (Message Authentication Code) Primitive
//=====================================================================================
+#if (FixedPcdGetBool (PcdMD5Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
@@ -176,7 +177,7 @@ BOOLEAN
IN OUT VOID *HmacMd5Context,
OUT UINT8 *HmacValue
);
-
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -3443,6 +3444,7 @@ EFI_STATUS
struct _EDKII_CRYPTO_PROTOCOL {
/// Version
EDKII_CRYPTO_GET_VERSION GetVersion;
+#if (FixedPcdGetBool (PcdMD5Enable))
/// HMAC MD5
EDKII_CRYPTO_HMAC_MD5_NEW HmacMd5New;
EDKII_CRYPTO_HMAC_MD5_FREE HmacMd5Free;
@@ -3450,6 +3452,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_HMAC_MD5_DUPLICATE HmacMd5Duplicate;
EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update;
EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final;
+#endif
/// HMAC SHA1
EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
@@ -3464,6 +3467,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_HMAC_SHA256_DUPLICATE HmacSha256Duplicate;
EDKII_CRYPTO_HMAC_SHA256_UPDATE HmacSha256Update;
EDKII_CRYPTO_HMAC_SHA256_FINAL HmacSha256Final;
+#if (FixedPcdGetBool (PcdMD5Enable))
/// Md5
EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE Md5GetContextSize;
EDKII_CRYPTO_MD5_INIT Md5Init;
@@ -3471,6 +3475,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_MD5_UPDATE Md5Update;
EDKII_CRYPTO_MD5_FINAL Md5Final;
EDKII_CRYPTO_MD5_HASH_ALL Md5HashAll;
+#endif
/// Pkcs
EDKII_CRYPTO_PKCS1_ENCRYPT_V2 Pkcs1v2Encrypt;
EDKII_CRYPTO_PKCS5_PW_HASH Pkcs5HashPassword;
--
2.21.0.windows.1
next prev parent reply other threads:[~2020-03-27 1:56 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-27 1:56 [PATCH 0/8] CryptoPkg: Retire the deprecate function Gao, Zhichao
2020-03-27 1:56 ` [PATCH 1/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
2020-03-27 1:56 ` [PATCH 2/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
2020-03-27 1:56 ` [PATCH 3/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
2020-03-27 1:56 ` [PATCH 4/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
2020-03-27 1:56 ` [PATCH 5/8] CryptoPkg/dec: Add pcds to avoid building the deprecated function Gao, Zhichao
2020-03-27 1:56 ` [PATCH 6/8] NetWorkPkg/Pcd.inc: Enable the MD5 for iSCSI Gao, Zhichao
2020-03-27 2:07 ` Siyuan, Fu
2020-03-30 12:01 ` [edk2-devel] " Maciej Rabeda
2020-03-27 1:56 ` Gao, Zhichao [this message]
2020-03-27 1:56 ` [PATCH 8/8] CryptoPkg/BaseCryptLib: Use Pcd to control the SHA1 enablement Gao, Zhichao
2020-03-27 2:04 ` [edk2-devel] " Michael D Kinney
2020-03-27 2:44 ` Gao, Zhichao
2020-03-27 2:51 ` Wang, Jian J
2020-03-27 17:35 ` Laszlo Ersek
2020-03-27 2:01 ` [edk2-devel] [PATCH 0/8] CryptoPkg: Retire the deprecate function Yao, Jiewen
2020-03-27 2:43 ` Gao, Zhichao
2020-03-27 2:50 ` Yao, Jiewen
2020-03-27 2:54 ` Gao, Zhichao
[not found] ` <160006BBBC4857E5.7267@groups.io>
2020-03-27 2:20 ` Yao, Jiewen
2020-03-27 2:53 ` Gao, Zhichao
2020-03-27 2:47 ` Siyuan, Fu
2020-03-27 2:57 ` [edk2-devel] " Yao, Jiewen
2020-03-27 3:06 ` Siyuan, Fu
2020-03-27 4:59 ` Yao, Jiewen
2020-03-27 5:43 ` Siyuan, Fu
2020-03-27 5:50 ` Yao, Jiewen
2020-03-27 6:03 ` Siyuan, Fu
2020-03-27 6:15 ` Yao, Jiewen
2020-03-27 9:19 ` Ni, Ray
2020-03-27 16:38 ` Michael D Kinney
2020-03-27 23:43 ` Yao, Jiewen
2020-03-30 2:17 ` Siyuan, Fu
2020-03-30 2:47 ` Yao, Jiewen
2020-03-30 3:04 ` Siyuan, Fu
2020-03-30 17:30 ` Michael D Kinney
2020-03-31 0:34 ` Yao, Jiewen
2020-04-14 4:36 ` Gao, Zhichao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200327015629.2588-8-zhichao.gao@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox