From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga17.intel.com (mga17.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3969.1585274199082932232 for ; Thu, 26 Mar 2020 18:56:52 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: zhichao.gao@intel.com) IronPort-SDR: vsIX45RECs6TgjFSvjIYPCUeFAxMFuN/oGeOs4mP6YgUHWBNk1nAOsHh/hJl79TPHKS3q4H7yM FvwsFGyYY6UQ== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Mar 2020 18:56:52 -0700 IronPort-SDR: ZYkC0p/96gQj9sXac9NFByIeq60Wt7tItKNlMeplDWqPuPN/53l/DyQT4AicwHpqh1jBIOtFcG iD8BldwfYJJA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,310,1580803200"; d="scan'208";a="447246853" Received: from fieedk001.ccr.corp.intel.com ([10.239.33.114]) by fmsmga005.fm.intel.com with ESMTP; 26 Mar 2020 18:56:50 -0700 From: "Gao, Zhichao" To: devel@edk2.groups.io Cc: Jian J Wang , Xiaoyu Lu Subject: [PATCH 8/8] CryptoPkg/BaseCryptLib: Use Pcd to control the SHA1 enablement Date: Fri, 27 Mar 2020 09:56:29 +0800 Message-Id: <20200327015629.2588-9-zhichao.gao@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20200327015629.2588-1-zhichao.gao@intel.com> References: <20200327015629.2588-1-zhichao.gao@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682 Md5 and SHA1 is not secure any longer but uefi spec need to keep them for backwards compatibility. Use pcd PcdSHA1Enable to control the SHA1 function enablement. When disable the SHA1 functions would not be complied. Cc: Jian J Wang Cc: Xiaoyu Lu Signed-off-by: Zhichao Gao --- CryptoPkg/Driver/Crypto.c | 8 ++++++++ CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 + CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 3 +++ .../Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c | 3 +++ CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 1 + CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c | 3 +++ CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 2 ++ CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 2 ++ CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 + CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 + .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 4 +++- .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 4 ++++ CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 12 ++++++++++++ CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf | 1 + CryptoPkg/Private/Protocol/Crypto.h | 9 ++++++++- 15 files changed, 53 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index b53da85bad..f7902205b3 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -266,6 +266,7 @@ CryptoServiceMd5HashAll ( } #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. @@ -423,6 +424,7 @@ CryptoServiceSha1HashAll ( { return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll, (Data, DataSize, HashValue), FALSE); } +#endif /** Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. @@ -1177,6 +1179,7 @@ CryptoServiceHmacMd5Final ( } #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. @@ -1327,6 +1330,7 @@ CryptoServiceHmacSha1Final ( { return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE); } +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. @@ -3820,6 +3824,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceHmacMd5Update, CryptoServiceHmacMd5Final, #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /// HMAC SHA1 CryptoServiceHmacSha1New, CryptoServiceHmacSha1Free, @@ -3827,6 +3832,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceHmacSha1Duplicate, CryptoServiceHmacSha1Update, CryptoServiceHmacSha1Final, +#endif /// HMAC SHA256 CryptoServiceHmacSha256New, CryptoServiceHmacSha256Free, @@ -3877,6 +3883,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceRsaPkcs1Verify, CryptoServiceRsaGetPrivateKeyFromPem, CryptoServiceRsaGetPublicKeyFromX509, +#if (FixedPcdGetBool (PcdSHA1Enable)) /// Sha1 CryptoServiceSha1GetContextSize, CryptoServiceSha1Init, @@ -3884,6 +3891,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { CryptoServiceSha1Update, CryptoServiceSha1Final, CryptoServiceSha1HashAll, +#endif /// Sha256 CryptoServiceSha256GetContextSize, CryptoServiceSha256Init, diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf index 5c65ef5892..9ffd98096c 100644 --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -85,6 +85,7 @@ [Pcd] gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable # # Remove these [BuildOptions] after this library is cleaned up diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c index 7593ca55b1..baba6b267c 100644 --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdSHA1Enable)) #include "InternalCryptLib.h" #include @@ -214,3 +216,4 @@ HmacSha1Final ( return TRUE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c index e8c0f341b7..1314fa1a77 100644 --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#if (FixedPcdGetBool (PcdSHA1Enable)) #include "InternalCryptLib.h" /** @@ -137,3 +139,4 @@ HmacSha1Final ( ASSERT (FALSE); return FALSE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index cebc74ccf2..b40e76f243 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -78,6 +78,7 @@ [Pcd] gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable # # Remove these [BuildOptions] after this library is cleaned up diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c index a89c1525c1..15e6bc2cb4 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c @@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "InternalCryptLib.h" +#include #include #include @@ -68,9 +69,11 @@ Pkcs5HashPassword ( // Make sure the digest algorithm is supported. // switch (DigestSize) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case SHA1_DIGEST_SIZE: HashAlg = EVP_sha1(); break; +#endif case SHA256_DIGEST_SIZE: HashAlg = EVP_sha256(); break; diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c index 31b78464d2..549ee1b933 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c @@ -298,9 +298,11 @@ RsaPkcs1Verify ( break; #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) case SHA1_DIGEST_SIZE: DigestType = NID_sha1; break; +#endif case SHA256_DIGEST_SIZE: DigestType = NID_sha256; diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c index 1a50be1d78..60605e3486 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c @@ -336,9 +336,11 @@ RsaPkcs1Sign ( break; #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) case SHA1_DIGEST_SIZE: DigestType = NID_sha1; break; +#endif case SHA256_DIGEST_SIZE: DigestType = NID_sha256; diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf index 72d4cd03ab..b6c0be70f2 100644 --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf @@ -90,6 +90,7 @@ [Pcd] gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable # # Remove these [BuildOptions] after this library is cleaned up diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 21f104c916..7f678eee93 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -89,6 +89,7 @@ [Pcd] gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable # # Remove these [BuildOptions] after this library is cleaned up diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c index e8c0f341b7..3aac798188 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c @@ -5,7 +5,8 @@ Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ - +#include +#if (FixedPcdGetBool (PcdSHA1Enable)) #include "InternalCryptLib.h" /** @@ -137,3 +138,4 @@ HmacSha1Final ( ASSERT (FALSE); return FALSE; } +#endif diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index cba1e4c8bf..8429fefc0b 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -260,6 +260,7 @@ Md5HashAll ( } #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. @@ -417,6 +418,7 @@ Sha1HashAll ( { CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize, HashValue), FALSE); } +#endif /** Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. @@ -1171,6 +1173,7 @@ HmacMd5Final ( } #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. @@ -1321,6 +1324,7 @@ HmacSha1Final ( { CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE); } +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b2158..754d75aeb2 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1GetContextSize (); break; +#endif case HASH_ALG_SHA256: return Sha256GetContextSize (); @@ -75,9 +77,11 @@ HashApiInit ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1Init (HashContext); break; +#endif case HASH_ALG_SHA256: return Sha256Init (HashContext); @@ -119,9 +123,11 @@ HashApiDuplicate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1Duplicate (HashContext, NewHashContext); break; +#endif case HASH_ALG_SHA256: return Sha256Duplicate (HashContext, NewHashContext); @@ -165,9 +171,11 @@ HashApiUpdate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1Update (HashContext, DataToHash, DataToHashLen); break; +#endif case HASH_ALG_SHA256: return Sha256Update (HashContext, DataToHash, DataToHashLen); @@ -209,9 +217,11 @@ HashApiFinal ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1Final (HashContext, Digest); break; +#endif case HASH_ALG_SHA256: return Sha256Final (HashContext, Digest); @@ -255,9 +265,11 @@ HashApiHashAll ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { +#if (FixedPcdGetBool (PcdSHA1Enable)) case HASH_ALG_SHA1: return Sha1HashAll (DataToHash, DataToHashLen, Digest); break; +#endif case HASH_ALG_SHA256: return Sha256HashAll (DataToHash, DataToHashLen, Digest); diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf index b4d8675ddd..29f7d7abfd 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf @@ -42,3 +42,4 @@ [Pcd] gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable ## CONSUMES diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index 527318dc23..3f8c5751a7 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -179,6 +179,7 @@ BOOLEAN ); #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use. @@ -315,7 +316,7 @@ BOOLEAN IN OUT VOID *HmacSha1Context, OUT UINT8 *HmacValue ); - +#endif /** Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. @@ -1537,6 +1538,7 @@ BOOLEAN // SHA //---------------------------------------- +#if (FixedPcdGetBool (PcdSHA1Enable)) /** Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. @@ -1676,6 +1678,7 @@ BOOLEAN IN UINTN DataSize, OUT UINT8 *HashValue ); +#endif /** Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. @@ -3453,6 +3456,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update; EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final; #endif +#if (FixedPcdGetBool (PcdSHA1Enable)) /// HMAC SHA1 EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New; EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free; @@ -3460,6 +3464,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_HMAC_SHA1_DUPLICATE HmacSha1Duplicate; EDKII_CRYPTO_HMAC_SHA1_UPDATE HmacSha1Update; EDKII_CRYPTO_HMAC_SHA1_FINAL HmacSha1Final; +#endif /// HMAC SHA256 EDKII_CRYPTO_HMAC_SHA256_NEW HmacSha256New; EDKII_CRYPTO_HMAC_SHA256_FREE HmacSha256Free; @@ -3510,6 +3515,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_RSA_PKCS1_VERIFY RsaPkcs1Verify; EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM RsaGetPrivateKeyFromPem; EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509 RsaGetPublicKeyFromX509; +#if (FixedPcdGetBool (PcdSHA1Enable)) /// Sha1 EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE Sha1GetContextSize; EDKII_CRYPTO_SHA1_INIT Sha1Init; @@ -3517,6 +3523,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_SHA1_UPDATE Sha1Update; EDKII_CRYPTO_SHA1_FINAL Sha1Final; EDKII_CRYPTO_SHA1_HASH_ALL Sha1HashAll; +#endif /// Sha256 EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE Sha256GetContextSize; EDKII_CRYPTO_SHA256_INIT Sha256Init; -- 2.21.0.windows.1