From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga17.intel.com (mga17.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3969.1585274199082932232 for ; Thu, 26 Mar 2020 18:56:50 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: zhichao.gao@intel.com) IronPort-SDR: JgSssFtVYXKSpFF7g/KpiTKWaQFWeg/mh8J3K6POexBAF+ez9hcDIkxc6MmG1J886q9jQdf2rP u4kKKLF5UPLw== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Mar 2020 18:56:50 -0700 IronPort-SDR: 4dW9HGZbQOF1V/LUl/IwgDUkfm098RsDkA4MgdJJpeEWGr1H99CSrf+asPSb4unqfh3znjJLq7 oKAFQf7VY+ZQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,310,1580803200"; d="scan'208";a="447246840" Received: from fieedk001.ccr.corp.intel.com ([10.239.33.114]) by fmsmga005.fm.intel.com with ESMTP; 26 Mar 2020 18:56:48 -0700 From: "Gao, Zhichao" To: devel@edk2.groups.io Cc: Jian J Wang , Xiaoyu Lu Subject: [PATCH 7/8] Crypto/BaseCryptLib: Using pcd to control MD5 enablement Date: Fri, 27 Mar 2020 09:56:28 +0800 Message-Id: <20200327015629.2588-8-zhichao.gao@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20200327015629.2588-1-zhichao.gao@intel.com> References: <20200327015629.2588-1-zhichao.gao@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682 Md5 and SHA1 is not secure any longer but uefi spec need to keep them for backwards compatibility. Use pcd PcdMD5Enable to control the MD5 function enablement. When disable the MD5 functions would not be complied. Cc: Jian J Wang Cc: Xiaoyu Lu Signed-off-by: Zhichao Gao --- CryptoPkg/Driver/Crypto.c | 9 +++++++++ CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 3 +++ CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c | 5 ++++- CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 3 +++ CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c | 3 +++ CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 3 +++ CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 3 +++ CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 3 +++ CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +++ CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 3 +++ CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c | 3 +++ .../Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 3 +++ CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 5 +++++ CryptoPkg/Private/Protocol/Crypto.h | 7 ++++++- 14 files changed, 54 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index cc5fd922b7..b53da85bad 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -13,6 +13,7 @@ #include #include #include +#include /** A macro used to retrieve the FixedAtBuild PcdCryptoServiceFamilyEnable with a @@ -105,6 +106,7 @@ CryptoServiceGetCryptoVersion ( // One-Way Cryptographic Hash Primitives //===================================================================================== +#if (FixedPcdGetBool (PcdMD5Enable)) /** Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. @@ -262,6 +264,7 @@ CryptoServiceMd5HashAll ( { return CALL_BASECRYPTLIB (Md5.Services.HashAll, Md5HashAll, (Data, DataSize, HashValue), FALSE); } +#endif /** Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. @@ -1021,6 +1024,7 @@ CryptoServiceSm3HashAll ( // MAC (Message Authentication Code) Primitive //===================================================================================== +#if (FixedPcdGetBool (PcdMD5Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use. @@ -1171,6 +1175,7 @@ CryptoServiceHmacMd5Final ( { return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE); } +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. @@ -3806,6 +3811,7 @@ CryptoServiceTlsGetCertRevocationList ( const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { /// Version CryptoServiceGetCryptoVersion, +#if (FixedPcdGetBool (PcdMD5Enable)) /// HMAC MD5 CryptoServiceHmacMd5New, CryptoServiceHmacMd5Free, @@ -3813,6 +3819,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceHmacMd5Duplicate, CryptoServiceHmacMd5Update, CryptoServiceHmacMd5Final, +#endif /// HMAC SHA1 CryptoServiceHmacSha1New, CryptoServiceHmacSha1Free, @@ -3827,6 +3834,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceHmacSha256Duplicate, CryptoServiceHmacSha256Update, CryptoServiceHmacSha256Final, +#if (FixedPcdGetBool (PcdMD5Enable)) /// Md5 CryptoServiceMd5GetContextSize, CryptoServiceMd5Init, @@ -3834,6 +3842,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceMd5Update, CryptoServiceMd5Final, CryptoServiceMd5HashAll, +#endif /// Pkcs CryptoServicePkcs1v2Encrypt, CryptoServicePkcs5HashPassword, diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf index 498e0f75e8..5c65ef5892 100644 --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -83,6 +83,9 @@ IntrinsicLib PrintLib +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + # # Remove these [BuildOptions] after this library is cleaned up # diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c index 0e0d0ec54d..5af0c03a1c 100644 --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c @@ -1,11 +1,13 @@ /** @file MD5 Digest Wrapper Implementation over OpenSSL. -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdMD5Enable)) #include "InternalCryptLib.h" #include @@ -223,3 +225,4 @@ Md5HashAll ( return TRUE; } } +#endif diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c index da46ce09f4..2946e6432b 100644 --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdMD5Enable)) #include "InternalCryptLib.h" #include @@ -214,3 +216,4 @@ HmacMd5Final ( return TRUE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c index 5de55bf0d5..befd0b4c08 100644 --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdMD5Enable)) #include "InternalCryptLib.h" /** @@ -137,3 +139,4 @@ HmacMd5Final ( ASSERT (FALSE); return FALSE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index f631f8d879..cebc74ccf2 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -76,6 +76,9 @@ OpensslLib IntrinsicLib +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + # # Remove these [BuildOptions] after this library is cleaned up # diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c index d24e1fdf68..31b78464d2 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c @@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "InternalCryptLib.h" +#include #include #include @@ -291,9 +292,11 @@ RsaPkcs1Verify ( // Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported. // switch (HashSize) { +#if (FixedPcdGetBool (PcdMD5Enable)) case MD5_DIGEST_SIZE: DigestType = NID_md5; break; +#endif case SHA1_DIGEST_SIZE: DigestType = NID_sha1; diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c index 7cd5fecf04..1a50be1d78 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c @@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "InternalCryptLib.h" +#include #include #include @@ -329,9 +330,11 @@ RsaPkcs1Sign ( // Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported. // switch (HashSize) { +#if (FixedPcdGetBool (PcdMD5Enable)) case MD5_DIGEST_SIZE: DigestType = NID_md5; break; +#endif case SHA1_DIGEST_SIZE: DigestType = NID_sha1; diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf index 3b664ae30a..72d4cd03ab 100644 --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf @@ -88,6 +88,9 @@ IntrinsicLib PrintLib +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + # # Remove these [BuildOptions] after this library is cleaned up # diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index cc3556ae3f..21f104c916 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -87,6 +87,9 @@ IntrinsicLib PrintLib +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + # # Remove these [BuildOptions] after this library is cleaned up # diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c index 34c539fe3a..cbf863b1f8 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c @@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdMD5Enable)) #include "InternalCryptLib.h" @@ -163,3 +165,4 @@ Md5HashAll( ASSERT(FALSE); return FALSE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c index 5de55bf0d5..befd0b4c08 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdMD5Enable)) #include "InternalCryptLib.h" /** @@ -137,3 +139,4 @@ HmacMd5Final ( ASSERT (FALSE); return FALSE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index c937f8540d..cba1e4c8bf 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -14,6 +14,7 @@ #include #include #include +#include /** A macro used to call a non-void service in an EDK II Crypto Protocol. @@ -99,6 +100,7 @@ CryptoServiceNotAvailable ( // One-Way Cryptographic Hash Primitives //===================================================================================== +#if (FixedPcdGetBool (PcdMD5Enable)) /** Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. @@ -256,6 +258,7 @@ Md5HashAll ( { CALL_CRYPTO_SERVICE (Md5HashAll, (Data, DataSize, HashValue), FALSE); } +#endif /** Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. @@ -1015,6 +1018,7 @@ Sm3HashAll ( // MAC (Message Authentication Code) Primitive //===================================================================================== +#if (FixedPcdGetBool (PcdMD5Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use. @@ -1165,6 +1169,7 @@ HmacMd5Final ( { CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue), FALSE); } +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index 2c46a91eb6..527318dc23 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -43,6 +43,7 @@ UINTN //===================================================================================== // MAC (Message Authentication Code) Primitive //===================================================================================== +#if (FixedPcdGetBool (PcdMD5Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use. @@ -176,7 +177,7 @@ BOOLEAN IN OUT VOID *HmacMd5Context, OUT UINT8 *HmacValue ); - +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. @@ -3443,6 +3444,7 @@ EFI_STATUS struct _EDKII_CRYPTO_PROTOCOL { /// Version EDKII_CRYPTO_GET_VERSION GetVersion; +#if (FixedPcdGetBool (PcdMD5Enable)) /// HMAC MD5 EDKII_CRYPTO_HMAC_MD5_NEW HmacMd5New; EDKII_CRYPTO_HMAC_MD5_FREE HmacMd5Free; @@ -3450,6 +3452,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_HMAC_MD5_DUPLICATE HmacMd5Duplicate; EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update; EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final; +#endif /// HMAC SHA1 EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New; EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free; @@ -3464,6 +3467,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_HMAC_SHA256_DUPLICATE HmacSha256Duplicate; EDKII_CRYPTO_HMAC_SHA256_UPDATE HmacSha256Update; EDKII_CRYPTO_HMAC_SHA256_FINAL HmacSha256Final; +#if (FixedPcdGetBool (PcdMD5Enable)) /// Md5 EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE Md5GetContextSize; EDKII_CRYPTO_MD5_INIT Md5Init; @@ -3471,6 +3475,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_MD5_UPDATE Md5Update; EDKII_CRYPTO_MD5_FINAL Md5Final; EDKII_CRYPTO_MD5_HASH_ALL Md5HashAll; +#endif /// Pkcs EDKII_CRYPTO_PKCS1_ENCRYPT_V2 Pkcs1v2Encrypt; EDKII_CRYPTO_PKCS5_PW_HASH Pkcs5HashPassword; -- 2.21.0.windows.1