* [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-07 7:45 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-06 23:57 ` [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
` (7 subsequent siblings)
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Add a internal worker function to indicate the deprecated functions.
It would print out debug messages and asserts ot inform the consumer
they are using a deprecated function.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 35bf2d3d92..05ad4b5d55 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
}
+/**
+ Internal worker function that prints a debug message and asserts if a call is
+ made to a BaseCryptLib function that is deprecated and unsupported any longer.
+
+ @param[in] FunctionName Null-terminated ASCII string that is the name of an
+ EDK II Crypto service.
+
+**/
+static
+VOID
+BaseCryptLibServciceDeprecated (
+ IN CONST CHAR8 *FunctionName
+ )
+{
+ DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
+ ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
+}
+
/**
Returns the version of the EDK II Crypto Protocol.
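Review bot: The new helper's name is misspelled: `BaseCryptLibServciceDeprecated` should be `BaseCryptLibServiceDeprecated`. The existing `BaseCryptLibServciceNotEnabled` in the hunk header carries the same extra 'c', so the spelling looks copied from it. Patch 2/8 calls this name from every MD4 stub, so correcting it here avoids touching each call site later. The function returns VOID and only logs and asserts, so its header comment should also state that each caller must return its own failure value. The phrase "deprecated and unsupported any longer", used in both the comment and the DEBUG string, would read better as "deprecated and no longer supported".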
--
2.21.0.windows.1
* Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
2020-05-06 23:57 ` [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
@ 2020-05-07 7:45 ` Philippe Mathieu-Daudé
2020-05-07 7:48 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 23+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-05-07 7:45 UTC (permalink / raw)
To: devel, zhichao.gao
Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Add a internal worker function to indicate the deprecated functions.
> It would print out debug messages and asserts ot inform the consumer
Typo "to inform".
> they are using a deprecated function.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 35bf2d3d92..05ad4b5d55 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
> ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> }
>
> +/**
> + Internal worker function that prints a debug message and asserts if a call is
> + made to a BaseCryptLib function that is deprecated and unsupported any longer.
> +
> + @param[in] FunctionName Null-terminated ASCII string that is the name of an
> + EDK II Crypto service.
> +
> +**/
> +static
> +VOID
> +BaseCryptLibServciceDeprecated (
> + IN CONST CHAR8 *FunctionName
Why extra space alignment?
Otherwise:
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
> + )
> +{
> + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> + ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> +}
> +
> /**
> Returns the version of the EDK II Crypto Protocol.
>
>
* Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
2020-05-07 7:45 ` [edk2-devel] " Philippe Mathieu-Daudé
@ 2020-05-07 7:48 ` Philippe Mathieu-Daudé
2020-05-08 1:09 ` Gao, Zhichao
0 siblings, 1 reply; 23+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-05-07 7:48 UTC (permalink / raw)
To: edk2-devel-groups-io, Zhichao Gao
Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> >
> > Add a internal worker function to indicate the deprecated functions.
> > It would print out debug messages and asserts ot inform the consumer
>
> Typo "to inform".
>
> > they are using a deprecated function.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > ---
> > CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
> > 1 file changed, 18 insertions(+)
> >
> > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > index 35bf2d3d92..05ad4b5d55 100644
> > --- a/CryptoPkg/Driver/Crypto.c
> > +++ b/CryptoPkg/Driver/Crypto.c
> > @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
> > ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> > }
> >
> > +/**
> > + Internal worker function that prints a debug message and asserts if a call is
> > + made to a BaseCryptLib function that is deprecated and unsupported any longer.
> > +
> > + @param[in] FunctionName Null-terminated ASCII string that is the name of an
> > + EDK II Crypto service.
> > +
> > +**/
> > +static
> > +VOID
> > +BaseCryptLibServciceDeprecated (
Oh also another typo (extra 'c'):
"BaseCryptLibServiceDeprecated"
Maybe rename as "BaseCryptLibDeprecatedService"?
> > + IN CONST CHAR8 *FunctionName
>
> Why extra space alignment?
>
> Otherwise:
> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
>
> > + )
> > +{
> > + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> > + ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> > +}
> > +
> > /**
> > Returns the version of the EDK II Crypto Protocol.
> >
> >
* Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
2020-05-07 7:48 ` Philippe Mathieu-Daudé
@ 2020-05-08 1:09 ` Gao, Zhichao
2020-05-08 12:59 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-08 1:09 UTC (permalink / raw)
To: devel@edk2.groups.io, philmd@redhat.com
Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
Yao, Jiewen
Thanks for pointing out the typo. I will fix it.
About the alignment, see below.
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Philippe
> Mathieu-Daudé
> Sent: Thursday, May 7, 2020 3:48 PM
> To: edk2-devel-groups-io <devel@edk2.groups.io>; Gao, Zhichao
> <zhichao.gao@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to
> indicate the deprecated algorithm
>
> On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com>
> wrote:
> >
> > On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> > >
> > > Add a internal worker function to indicate the deprecated functions.
> > > It would print out debug messages and asserts ot inform the consumer
> >
> > Typo "to inform".
> >
> > > they are using a deprecated function.
> > >
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > > ---
> > > CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
> > > 1 file changed, 18 insertions(+)
> > >
> > > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > > index 35bf2d3d92..05ad4b5d55 100644
> > > --- a/CryptoPkg/Driver/Crypto.c
> > > +++ b/CryptoPkg/Driver/Crypto.c
> > > @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
> > > ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> > > }
> > >
> > > +/**
> > > + Internal worker function that prints a debug message and asserts
> > > +if a call is
> > > + made to a BaseCryptLib function that is deprecated and unsupported any
> longer.
> > > +
> > > + @param[in] FunctionName Null-terminated ASCII string that is the name
> of an
> > > + EDK II Crypto service.
> > > +
> > > +**/
> > > +static
> > > +VOID
> > > +BaseCryptLibServciceDeprecated (
>
> Oh also another typo (extra 'c'):
>
> "BaseCryptLibServiceDeprecated"
>
> Maybe rename as "BaseCryptLibDeprecatedService"?
>
> > > + IN CONST CHAR8 *FunctionName
> >
> > Why extra space alignment?
See the CCS spec 2.1, 5.7.17:
5.7.1.7 The next lines contain parameters.
Each line will contain a single argument and will start indented two spaces (one tab stop). Type
and argument columns should be aligned to maximize readability and should include
appropriate spacing to ensure this alignment. No comments are allowed in this region.
Parameters are documented clearly in the function header comment block.
Thanks,
Zhichao
> >
> > Otherwise:
> > Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
> >
> > > + )
> > > +{
> > > + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and
> > > +unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> > > + ASSERT_EFI_ERROR (EFI_UNSUPPORTED); }
> > > +
> > > /**
> > > Returns the version of the EDK II Crypto Protocol.
> > >
> > >
>
>
>
* Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
2020-05-08 1:09 ` Gao, Zhichao
@ 2020-05-08 12:59 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 23+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-05-08 12:59 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
Yao, Jiewen
On 5/8/20 3:09 AM, Gao, Zhichao wrote:
> Thanks for pointing out the typo. I will fix it.
> About the alignment, see below.
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Philippe
>> Mathieu-Daudé
>> Sent: Thursday, May 7, 2020 3:48 PM
>> To: edk2-devel-groups-io <devel@edk2.groups.io>; Gao, Zhichao
>> <zhichao.gao@intel.com>
>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
>> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
>> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
>> Subject: Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to
>> indicate the deprecated algorithm
>>
>> On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com>
>> wrote:
>>>
>>> On 5/7/20 1:57 AM, Gao, Zhichao wrote:
>>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>>>>
>>>> Add a internal worker function to indicate the deprecated functions.
>>>> It would print out debug messages and asserts ot inform the consumer
>>>
>>> Typo "to inform".
>>>
>>>> they are using a deprecated function.
>>>>
>>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>>>> Cc: Siyuan Fu <siyuan.fu@intel.com>
>>>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>>> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>>>> ---
>>>> CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
>>>> 1 file changed, 18 insertions(+)
>>>>
>>>> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
>>>> index 35bf2d3d92..05ad4b5d55 100644
>>>> --- a/CryptoPkg/Driver/Crypto.c
>>>> +++ b/CryptoPkg/Driver/Crypto.c
>>>> @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
>>>> ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
>>>> }
>>>>
>>>> +/**
>>>> + Internal worker function that prints a debug message and asserts
>>>> +if a call is
>>>> + made to a BaseCryptLib function that is deprecated and unsupported any
>> longer.
>>>> +
>>>> + @param[in] FunctionName Null-terminated ASCII string that is the name
>> of an
>>>> + EDK II Crypto service.
>>>> +
>>>> +**/
>>>> +static
>>>> +VOID
>>>> +BaseCryptLibServciceDeprecated (
>>
>> Oh also another typo (extra 'c'):
>>
>> "BaseCryptLibServiceDeprecated"
>>
>> Maybe rename as "BaseCryptLibDeprecatedService"?
>>
>>>> + IN CONST CHAR8 *FunctionName
>>>
>>> Why extra space alignment?
>
> See the CCS spec 2.1, 5.7.17:
> 5.7.1.7 The next lines contain parameters.
> Each line will contain a single argument and will start indented two spaces (one tab stop). Type
> and argument columns should be aligned to maximize readability and should include
> appropriate spacing to ensure this alignment. No comments are allowed in this region.
> Parameters are documented clearly in the function header comment block.
OK, thanks Zhichao.
>
> Thanks,
> Zhichao
>
>>>
>>> Otherwise:
>>> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
>>>
>>>> + )
>>>> +{
>>>> + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and
>>>> +unsupported any longer\n", gEfiCallerBaseName, FunctionName));
>>>> + ASSERT_EFI_ERROR (EFI_UNSUPPORTED); }
>>>> +
>>>> /**
>>>> Returns the version of the EDK II Crypto Protocol.
>>>>
>>>>
>>
>>
>>
>
* [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
2020-05-06 23:57 ` [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-08 15:19 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
` (6 subsequent siblings)
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
MD4 is not secure any longer.
Remove the MD4 support from edk2.
Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/CryptoPkg.dsc | 1 -
CryptoPkg/Driver/Crypto.c | 135 ++---------
CryptoPkg/Include/Library/BaseCryptLib.h | 145 ------------
.../Library/BaseCryptLib/BaseCryptLib.inf | 3 +-
.../Library/BaseCryptLib/Hash/CryptMd4.c | 223 ------------------
.../Library/BaseCryptLib/Hash/CryptMd4Null.c | 143 -----------
.../Library/BaseCryptLib/PeiCryptLib.inf | 5 +-
.../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 5 +-
.../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
.../Library/BaseCryptLib/SmmCryptLib.inf | 5 +-
.../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
.../BaseCryptLibNull/Hash/CryptMd4Null.c | 143 -----------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 158 -------------
.../Library/Include/openssl/opensslconf.h | 3 +
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 3 -
.../Library/OpensslLib/OpensslLibCrypto.inf | 3 -
CryptoPkg/Private/Protocol/Crypto.h | 123 ++--------
19 files changed, 55 insertions(+), 1062 deletions(-)
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index f79ff331cf..6ed7046563 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -140,7 +140,6 @@
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 05ad4b5d55..95fc834bde 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
//=====================================================================================
/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for MD4 hash operations.
- @retval 0 This interface is not supported.
+ MD4 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
UINTN
EFIAPI
-CryptoServiceMd4GetContextSize (
+DeprecatedCryptoServiceMd4GetContextSize (
VOID
)
{
- return CALL_BASECRYPTLIB (Md4.Services.GetContextSize, Md4GetContextSize, (), 0);
+ return BaseCryptLibServciceDeprecated ("Md4GetContextSize"), 0;
}
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval TRUE MD4 context initialization succeeded.
- @retval FALSE MD4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceMd4Init (
+DeprecatedCryptoServiceMd4Init (
OUT VOID *Md4Context
)
{
- return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context), FALSE);
+ return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;
}
-/**
- Makes a copy of an existing MD4 context.
-
- If Md4Context is NULL, then return FALSE.
- If NewMd4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval TRUE MD4 context copy succeeded.
- @retval FALSE MD4 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceMd4Duplicate (
+DeprecatedCryptoServiceMd4Duplicate (
IN CONST VOID *Md4Context,
OUT VOID *NewMd4Context
)
{
- return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
+ return BaseCryptLibServciceDeprecated ("Md4Duplicate"), FALSE;
}
-/**
- Digests the input data and updates MD4 context.
-
- This function performs MD4 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
- by Md4Final(). Behavior with invalid context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE MD4 data digest succeeded.
- @retval FALSE MD4 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceMd4Update (
+DeprecatedCryptoServiceMd4Update (
IN OUT VOID *Md4Context,
IN CONST VOID *Data,
IN UINTN DataSize
)
{
- return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update, (Md4Context, Data, DataSize), FALSE);
+ return BaseCryptLibServciceDeprecated ("Md4Update"), FALSE;
}
-/**
- Completes computation of the MD4 digest value.
-
- This function completes MD4 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the MD4 context cannot
- be used again.
- MD4 context should be already correctly initialized by Md4Init(), and should not be
- finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If HashValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceMd4Final (
+DeprecatedCryptoServiceMd4Final (
IN OUT VOID *Md4Context,
OUT UINT8 *HashValue
)
{
- return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context, HashValue), FALSE);
+ return BaseCryptLibServciceDeprecated ("Md4Final"), FALSE;
}
-/**
- Computes the MD4 message digest of a input data buffer.
-
- This function performs the MD4 message digest of a given data buffer, and places
- the digest value into the specified memory.
-
- If this interface is not supported, then return FALSE.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceMd4HashAll (
+DeprecatedCryptoServiceMd4HashAll (
IN CONST VOID *Data,
IN UINTN DataSize,
OUT UINT8 *HashValue
)
{
- return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data, DataSize, HashValue), FALSE);
+ return BaseCryptLibServciceDeprecated ("Md4HashAll"), FALSE;
}
/**
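Review bot: Only `DeprecatedCryptoServiceMd4GetContextSize` keeps a header comment in this hunk. The five functions after it (`DeprecatedCryptoServiceMd4Init` through `DeprecatedCryptoServiceMd4HashAll`) lose their comment blocks entirely, so nothing documents that they always return FALSE and leave their OUT buffers (`Md4Context`, `NewMd4Context`, `HashValue`) unwritten. Suggest a short header on each, or one shared comment that names all six and states the return value. The retained comment also has a typo, "compability" for "compatibility". Each body has the form `return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;`, which relies on the comma operator with a VOID call and repeats the misspelled helper name from patch 1/8. A separate call statement followed by `return FALSE;` would be easier to read.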
@@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceHmacSha256Duplicate,
CryptoServiceHmacSha256Update,
CryptoServiceHmacSha256Final,
- /// Md4
- CryptoServiceMd4GetContextSize,
- CryptoServiceMd4Init,
- CryptoServiceMd4Duplicate,
- CryptoServiceMd4Update,
- CryptoServiceMd4Final,
- CryptoServiceMd4HashAll,
+ /// Md4 - deprecated and unsupported
+ DeprecatedCryptoServiceMd4GetContextSize,
+ DeprecatedCryptoServiceMd4Init,
+ DeprecatedCryptoServiceMd4Duplicate,
+ DeprecatedCryptoServiceMd4Update,
+ DeprecatedCryptoServiceMd4Final,
+ DeprecatedCryptoServiceMd4HashAll,
/// Md5
CryptoServiceMd5GetContextSize,
CryptoServiceMd5Init,
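Review bot: The replacement comment `/// Md4 - deprecated and unsupported` does not say why six stub entries remain in `mEdkiiCrypto`. The initializers in this table are positional, so dropping or reordering these entries would shift every member that follows them. The comment should say that the slots are kept for binary compatibility and must not be removed, matching the note on `DeprecatedCryptoServiceMd4GetContextSize` earlier in the file.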
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 5e8f2e0a10..c862f0334f 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Uefi/UefiBaseType.h>
-///
-/// MD4 digest size in bytes
-///
-#define MD4_DIGEST_SIZE 16
-
///
/// MD5 digest size in bytes
///
@@ -77,146 +72,6 @@ typedef enum {
// One-Way Cryptographic Hash Primitives
//=====================================================================================
-/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for MD4 hash operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
- VOID
- );
-
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval TRUE MD4 context initialization succeeded.
- @retval FALSE MD4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
- OUT VOID *Md4Context
- );
-
-/**
- Makes a copy of an existing MD4 context.
-
- If Md4Context is NULL, then return FALSE.
- If NewMd4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval TRUE MD4 context copy succeeded.
- @retval FALSE MD4 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
- IN CONST VOID *Md4Context,
- OUT VOID *NewMd4Context
- );
-
-/**
- Digests the input data and updates MD4 context.
-
- This function performs MD4 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
- by Md4Final(). Behavior with invalid context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE MD4 data digest succeeded.
- @retval FALSE MD4 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
- IN OUT VOID *Md4Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Completes computation of the MD4 digest value.
-
- This function completes MD4 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the MD4 context cannot
- be used again.
- MD4 context should be already correctly initialized by Md4Init(), and should not be
- finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If HashValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
- IN OUT VOID *Md4Context,
- OUT UINT8 *HashValue
- );
-
-/**
- Computes the MD4 message digest of a input data buffer.
-
- This function performs the MD4 message digest of a given data buffer, and places
- the digest value into the specified memory.
-
- If this interface is not supported, then return FALSE.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
- IN CONST VOID *Data,
- IN UINTN DataSize,
- OUT UINT8 *HashValue
- );
-
/**
Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index a63ad66b4f..22992e7d43 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -6,7 +6,7 @@
# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -29,7 +29,6 @@
[Sources]
InternalCryptLib.h
- Hash/CryptMd4.c
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
deleted file mode 100644
index bc02da07b0..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/** @file
- MD4 Digest Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/md4.h>
-
-/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
- @return The size, in bytes, of the context buffer required for MD4 hash operations.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
- VOID
- )
-{
- //
- // Retrieves the OpenSSL MD4 Context Size
- //
- return (UINTN) (sizeof (MD4_CTX));
-}
-
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- If Md4Context is NULL, then return FALSE.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval TRUE MD4 context initialization succeeded.
- @retval FALSE MD4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
- OUT VOID *Md4Context
- )
-{
- //
- // Check input parameters.
- //
- if (Md4Context == NULL) {
- return FALSE;
- }
-
- //
- // OpenSSL MD4 Context Initialization
- //
- return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
-}
-
-/**
- Makes a copy of an existing MD4 context.
-
- If Md4Context is NULL, then return FALSE.
- If NewMd4Context is NULL, then return FALSE.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval TRUE MD4 context copy succeeded.
- @retval FALSE MD4 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
- IN CONST VOID *Md4Context,
- OUT VOID *NewMd4Context
- )
-{
- //
- // Check input parameters.
- //
- if (Md4Context == NULL || NewMd4Context == NULL) {
- return FALSE;
- }
-
- CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
-
- return TRUE;
-}
-
-/**
- Digests the input data and updates MD4 context.
-
- This function performs MD4 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
- by Md4Final(). Behavior with invalid context is undefined.
-
- If Md4Context is NULL, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE MD4 data digest succeeded.
- @retval FALSE MD4 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
- IN OUT VOID *Md4Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- //
- // Check input parameters.
- //
- if (Md4Context == NULL) {
- return FALSE;
- }
-
- //
- // Check invalid parameters, in case that only DataLength was checked in OpenSSL
- //
- if (Data == NULL && DataSize != 0) {
- return FALSE;
- }
-
- //
- // OpenSSL MD4 Hash Update
- //
- return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize));
-}
-
-/**
- Completes computation of the MD4 digest value.
-
- This function completes MD4 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the MD4 context cannot
- be used again.
- MD4 context should be already correctly initialized by Md4Init(), and should not be
- finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If HashValue is NULL, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
- IN OUT VOID *Md4Context,
- OUT UINT8 *HashValue
- )
-{
- //
- // Check input parameters.
- //
- if (Md4Context == NULL || HashValue == NULL) {
- return FALSE;
- }
-
- //
- // OpenSSL MD4 Hash Finalization
- //
- return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
-}
-
-/**
- Computes the MD4 message digest of a input data buffer.
-
- This function performs the MD4 message digest of a given data buffer, and places
- the digest value into the specified memory.
-
- If this interface is not supported, then return FALSE.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
- IN CONST VOID *Data,
- IN UINTN DataSize,
- OUT UINT8 *HashValue
- )
-{
- //
- // Check input parameters.
- //
- if (HashValue == NULL) {
- return FALSE;
- }
- if (Data == NULL && DataSize != 0) {
- return FALSE;
- }
-
- //
- // OpenSSL MD4 Hash Computation.
- //
- if (MD4 (Data, DataSize, HashValue) == NULL) {
- return FALSE;
- } else {
- return TRUE;
- }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
- MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash
- operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
- OUT VOID *Md4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing MD4 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
- IN CONST VOID *Md4Context,
- OUT VOID *NewMd4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates MD4 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
- IN OUT VOID *Md4Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the MD4 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
- IN OUT VOID *Md4Context,
- OUT UINT8 *HashValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Computes the MD4 message digest of a input data buffer.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
- IN CONST VOID *Data,
- IN UINTN DataSize,
- OUT UINT8 *HashValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index c836c257f8..e9add0127d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -6,14 +6,14 @@
# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions,
+# Note:
# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
# certificate handler functions, authenticode signature verification functions,
# PEM handler functions, and pseudorandom number generator functions are not
# supported in this instance.
#
-# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
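Review bot: Dropping "MD4 Digest functions," from the first comment line leaves a bare "# Note:" with the list starting on the next line. Reflow the paragraph so it opens "# Note: HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, ..." as the other library instances do.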
@@ -35,7 +35,6 @@
[Sources]
InternalCryptLib.h
- Hash/CryptMd4Null.c
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 9937555beb..374bfb3f65 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,13 +6,13 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, X.509 certificate handler functions, authenticode
// signature verification functions, PEM handler functions, and pseudorandom number
// generator functions are not supported in this instance.
//
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
@@ -21,5 +21,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
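Review bot: The rewritten STR_MODULE_DESCRIPTION string still carries "AES/ TDES/ARC4" with a stray space after the slash, left over from the wrapped comment above. Since the line is being replaced anyway, write it as "AES/TDES/ARC4". The string also says "HMAC-SHA1 functions" where PeiCryptLib.inf says "HMAC-SHA1/SHA256 functions"; the two should list the same unsupported set.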
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index e5b8ececc1..0a2eb03232 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -6,12 +6,12 @@
# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+# Note: SHA-384 Digest functions, SHA-512 Digest functions,
# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
-# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -35,7 +35,6 @@
[Sources]
InternalCryptLib.h
- Hash/CryptMd4Null.c
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index c0a16f1b84..b6d751176e 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,12 +6,12 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
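Review bot: The updated Note in RuntimeCryptLib.uni does not match the one in RuntimeCryptLib.inf from the same patch. The .inf lists "SHA-384 Digest functions, SHA-512 Digest functions" and "HMAC-SHA1/SHA256 functions", while this .uni text lists neither SHA-384/SHA-512 nor SHA256 but adds AES. As both files are edited here, bring the unsupported-function list in the .uni into line with the .inf rather than only deleting the MD4 entry.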
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc0b65fd25..139983075e 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -6,12 +6,12 @@
# This external input must be validated carefully to avoid security issues such as
# buffer overflow or integer overflow.
#
-# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+# Note: SHA-384 Digest functions, SHA-512 Digest functions,
# HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
-# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -34,7 +34,6 @@
[Sources]
InternalCryptLib.h
- Hash/CryptMd4Null.c
Hash/CryptMd5.c
Hash/CryptSha1.c
Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 83485fbb90..b8d7953d2b 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,12 +6,12 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
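Review bot: In SmmCryptLib.uni the Note still names "AES/ TDES/ARC4 functions" as unsupported, but the SmmCryptLib.inf comment edited earlier in this patch lists only "TDES/ARC4 functions". One of the two is wrong about AES in the SMM instance; settle which and make both comments and the STR_MODULE_DESCRIPTION string agree.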
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 9b4991cbb0..b03681b146 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -29,7 +29,6 @@
[Sources]
InternalCryptLib.h
- Hash/CryptMd4Null.c
Hash/CryptMd5Null.c
Hash/CryptSha1Null.c
Hash/CryptSha256Null.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
- MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash
- operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
- OUT VOID *Md4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing MD4 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
- IN CONST VOID *Md4Context,
- OUT VOID *NewMd4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates MD4 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
- IN OUT VOID *Md4Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the MD4 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
- IN OUT VOID *Md4Context,
- OUT UINT8 *HashValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Computes the MD4 message digest of a input data buffer.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
- IN CONST VOID *Data,
- IN UINTN DataSize,
- OUT UINT8 *HashValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c2a1df9afc..5e470028f4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
// One-Way Cryptographic Hash Primitives
//=====================================================================================
-/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for MD4 hash operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
- VOID
- )
-{
- CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
-}
-
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval TRUE MD4 context initialization succeeded.
- @retval FALSE MD4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
- OUT VOID *Md4Context
- )
-{
- CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
-}
-
-/**
- Makes a copy of an existing MD4 context.
-
- If Md4Context is NULL, then return FALSE.
- If NewMd4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval TRUE MD4 context copy succeeded.
- @retval FALSE MD4 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
- IN CONST VOID *Md4Context,
- OUT VOID *NewMd4Context
- )
-{
- CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
-}
-
-/**
- Digests the input data and updates MD4 context.
-
- This function performs MD4 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
- by Md4Final(). Behavior with invalid context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE MD4 data digest succeeded.
- @retval FALSE MD4 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
- IN OUT VOID *Md4Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize), FALSE);
-}
-
-/**
- Completes computation of the MD4 digest value.
-
- This function completes MD4 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the MD4 context cannot
- be used again.
- MD4 context should be already correctly initialized by Md4Init(), and should not be
- finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If HashValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
- IN OUT VOID *Md4Context,
- OUT UINT8 *HashValue
- )
-{
- CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
-}
-
-/**
- Computes the MD4 message digest of a input data buffer.
-
- This function performs the MD4 message digest of a given data buffer, and places
- the digest value into the specified memory.
-
- If this interface is not supported, then return FALSE.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
- IN CONST VOID *Data,
- IN UINTN DataSize,
- OUT UINT8 *HashValue
- )
-{
- CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
-}
-
/**
Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index bd34e53ef2..4f3f9ba377 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -241,6 +241,9 @@ extern "C" {
#ifndef OPENSSL_NO_AFALGENG
# define OPENSSL_NO_AFALGENG
#endif
+#ifndef OPENSSL_NO_MD4
+# define OPENSSL_NO_MD4
+#endif
/*
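Review bot: Neither the commit message nor this hunk says how the OPENSSL_NO_MD4 define gets into opensslconf.h. If this header and the source lists in OpensslLib.inf and OpensslLibCrypto.inf are produced by a script in this package, the no-md4 option has to be added to that script's configuration as well, otherwise the next regeneration drops the define and re-adds the crypto/md4 files. Please state in the commit message which of the two was done.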
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 9ed0175553..10710e4a7c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -294,8 +294,6 @@
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
$(OPENSSL_PATH)/crypto/lhash/lhash.c
- $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
- $(OPENSSL_PATH)/crypto/md4/md4_one.c
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
$(OPENSSL_PATH)/crypto/md5/md5_one.c
$(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
$(OPENSSL_PATH)/crypto/evp/evp_locl.h
$(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
$(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
$(OPENSSL_PATH)/crypto/md5/md5_locl.h
$(OPENSSL_PATH)/crypto/modes/modes_lcl.h
$(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 03da266627..d9782a3098 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -294,8 +294,6 @@
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c
$(OPENSSL_PATH)/crypto/lhash/lhash.c
- $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
- $(OPENSSL_PATH)/crypto/md4/md4_one.c
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c
$(OPENSSL_PATH)/crypto/md5/md5_one.c
$(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
$(OPENSSL_PATH)/crypto/evp/evp_locl.h
$(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
$(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
- $(OPENSSL_PATH)/crypto/md4/md4_locl.h
$(OPENSSL_PATH)/crypto/md5/md5_locl.h
$(OPENSSL_PATH)/crypto/modes/modes_lcl.h
$(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 40c387e002..ae0f29695c 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -451,145 +451,52 @@ BOOLEAN
//=====================================================================================
/**
- Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for MD4 hash operations.
- @retval 0 This interface is not supported.
+ MD4 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
UINTN
-(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
VOID
);
-/**
- Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
- subsequent use.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Md4Context Pointer to MD4 context being initialized.
-
- @retval TRUE MD4 context initialization succeeded.
- @retval FALSE MD4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
OUT VOID *Md4Context
);
-/**
- Makes a copy of an existing MD4 context.
-
- If Md4Context is NULL, then return FALSE.
- If NewMd4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] Md4Context Pointer to MD4 context being copied.
- @param[out] NewMd4Context Pointer to new MD4 context.
-
- @retval TRUE MD4 context copy succeeded.
- @retval FALSE MD4 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
IN CONST VOID *Md4Context,
OUT VOID *NewMd4Context
);
-/**
- Digests the input data and updates MD4 context.
-
- This function performs MD4 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
- by Md4Final(). Behavior with invalid context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE MD4 data digest succeeded.
- @retval FALSE MD4 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
IN OUT VOID *Md4Context,
IN CONST VOID *Data,
IN UINTN DataSize
);
-/**
- Completes computation of the MD4 digest value.
-
- This function completes MD4 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the MD4 context cannot
- be used again.
- MD4 context should be already correctly initialized by Md4Init(), and should not be
- finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
- If Md4Context is NULL, then return FALSE.
- If HashValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Md4Context Pointer to the MD4 context.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
IN OUT VOID *Md4Context,
OUT UINT8 *HashValue
);
-/**
- Computes the MD4 message digest of a input data buffer.
-
- This function performs the MD4 message digest of a given data buffer, and places
- the digest value into the specified memory.
-
- If this interface is not supported, then return FALSE.
-
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
- @param[out] HashValue Pointer to a buffer that receives the MD4 digest
- value (16 bytes).
-
- @retval TRUE MD4 digest computation succeeded.
- @retval FALSE MD4 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
IN CONST VOID *Data,
IN UINTN DataSize,
OUT UINT8 *HashValue
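Review bot: The replacement comment has a typo, "compability" should be "compatibility", and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported". It is also attached only to DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE; the other five DEPRECATED_EDKII_CRYPTO_MD4_* typedefs are left with no comment at all. Either repeat a one-line comment on each typedef or put a single block comment above the group that names all six.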
@@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_HMAC_SHA256_DUPLICATE HmacSha256Duplicate;
EDKII_CRYPTO_HMAC_SHA256_UPDATE HmacSha256Update;
EDKII_CRYPTO_HMAC_SHA256_FINAL HmacSha256Final;
- /// Md4
- EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE Md4GetContextSize;
- EDKII_CRYPTO_MD4_INIT Md4Init;
- EDKII_CRYPTO_MD4_DUPLICATE Md4Duplicate;
- EDKII_CRYPTO_MD4_UPDATE Md4Update;
- EDKII_CRYPTO_MD4_FINAL Md4Final;
- EDKII_CRYPTO_MD4_HASH_ALL Md4HashAll;
+ /// Md4 - deprecated and unsupported
+ DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE DeprecatedMd4GetContextSize;
+ DEPRECATED_EDKII_CRYPTO_MD4_INIT DeprecatedMd4Init;
+ DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE DeprecatedMd4Duplicate;
+ DEPRECATED_EDKII_CRYPTO_MD4_UPDATE DeprecatedMd4Update;
+ DEPRECATED_EDKII_CRYPTO_MD4_FINAL DeprecatedMd4Final;
+ DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL DeprecatedMd4HashAll;
/// Md5
EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE Md5GetContextSize;
EDKII_CRYPTO_MD5_INIT Md5Init;
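Review bot: the new "/// Md4 - deprecated and unsupported" comment in _EDKII_CRYPTO_PROTOCOL does not say why the six members stay. Suggest stating that the slots are retained so Md5GetContextSize and every later member stay where they are in the structure, which is what already-built consumers of the protocol rely on. Renaming the members to DeprecatedMd4* also means any source that still reaches Md4Init and friends through the protocol stops compiling; that is presumably intended, but it deserves a line in the commit message.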
--
2.21.0.windows.1
* Re: [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
2020-05-06 23:57 ` [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
@ 2020-05-08 15:19 ` Wang, Jian J
0 siblings, 0 replies; 23+ messages in thread
From: Wang, Jian J @ 2020-05-08 15:19 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Sorry for the out-of-order review. Please refer to comments for patch 3.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> MD4 is not secure any longer.
> Remove the MD4 support from edk2.
> Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/CryptoPkg.dsc | 1 -
> CryptoPkg/Driver/Crypto.c | 135 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 145 ------------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/Hash/CryptMd4.c | 223 ------------------
> .../Library/BaseCryptLib/Hash/CryptMd4Null.c | 143 -----------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 5 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 5 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 5 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Hash/CryptMd4Null.c | 143 -----------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 158 -------------
> .../Library/Include/openssl/opensslconf.h | 3 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 3 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 3 -
> CryptoPkg/Private/Protocol/Crypto.h | 123 ++--------
> 19 files changed, 55 insertions(+), 1062 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
>
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index f79ff331cf..6ed7046563 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -140,7 +140,6 @@
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 05ad4b5d55..95fc834bde 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for MD4 hash
> operations.
> - @retval 0 This interface is not supported.
> + MD4 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> UINTN
> EFIAPI
> -CryptoServiceMd4GetContextSize (
> +DeprecatedCryptoServiceMd4GetContextSize (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.GetContextSize,
> Md4GetContextSize, (), 0);
> + return BaseCryptLibServciceDeprecated ("Md4GetContextSize"), 0;
> }
>
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval TRUE MD4 context initialization succeeded.
> - @retval FALSE MD4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceMd4Init (
> +DeprecatedCryptoServiceMd4Init (
> OUT VOID *Md4Context
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context), FALSE);
> + return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;
> }
>
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - If Md4Context is NULL, then return FALSE.
> - If NewMd4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval TRUE MD4 context copy succeeded.
> - @retval FALSE MD4 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceMd4Duplicate (
> +DeprecatedCryptoServiceMd4Duplicate (
> IN CONST VOID *Md4Context,
> OUT VOID *NewMd4Context
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate,
> (Md4Context, NewMd4Context), FALSE);
> + return BaseCryptLibServciceDeprecated ("Md4Duplicate"), FALSE;
> }
>
> -/**
> - Digests the input data and updates MD4 context.
> -
> - This function performs MD4 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> - by Md4Final(). Behavior with invalid context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE MD4 data digest succeeded.
> - @retval FALSE MD4 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceMd4Update (
> +DeprecatedCryptoServiceMd4Update (
> IN OUT VOID *Md4Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update, (Md4Context,
> Data, DataSize), FALSE);
> + return BaseCryptLibServciceDeprecated ("Md4Update"), FALSE;
> }
>
> -/**
> - Completes computation of the MD4 digest value.
> -
> - This function completes MD4 hash computation and retrieves the digest value
> into
> - the specified memory. After this function has been called, the MD4 context
> cannot
> - be used again.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> - finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If HashValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceMd4Final (
> +DeprecatedCryptoServiceMd4Final (
> IN OUT VOID *Md4Context,
> OUT UINT8 *HashValue
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context,
> HashValue), FALSE);
> + return BaseCryptLibServciceDeprecated ("Md4Final"), FALSE;
> }
>
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - This function performs the MD4 message digest of a given data buffer, and
> places
> - the digest value into the specified memory.
> -
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceMd4HashAll (
> +DeprecatedCryptoServiceMd4HashAll (
> IN CONST VOID *Data,
> IN UINTN DataSize,
> OUT UINT8 *HashValue
> )
> {
> - return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data,
> DataSize, HashValue), FALSE);
> + return BaseCryptLibServciceDeprecated ("Md4HashAll"), FALSE;
> }
>
> /**
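Review bot: the replacement comment above DeprecatedCryptoServiceMd4GetContextSize misspells "compatibility" as "compability", and it is the only one of the six stubs that keeps a header; DeprecatedCryptoServiceMd4Init through DeprecatedCryptoServiceMd4HashAll lose their doc blocks with nothing in their place. Suggest fixing the spelling and either repeating the two-line note on each stub or putting one block comment over the group. The stubs also return through a comma expression, for example "return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;"; calling the helper as its own statement and then "return FALSE;" reads more plainly. Because the helper from patch 1/8 reports only through DEBUG and ASSERT_EFI_ERROR, a build with those disabled gives the caller nothing but 0 or FALSE, so the comment should tell callers to check the return value, in particular the 0 from Md4GetContextSize.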
> @@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> CryptoServiceHmacSha256Duplicate,
> CryptoServiceHmacSha256Update,
> CryptoServiceHmacSha256Final,
> - /// Md4
> - CryptoServiceMd4GetContextSize,
> - CryptoServiceMd4Init,
> - CryptoServiceMd4Duplicate,
> - CryptoServiceMd4Update,
> - CryptoServiceMd4Final,
> - CryptoServiceMd4HashAll,
> + /// Md4 - deprecated and unsupported
> + DeprecatedCryptoServiceMd4GetContextSize,
> + DeprecatedCryptoServiceMd4Init,
> + DeprecatedCryptoServiceMd4Duplicate,
> + DeprecatedCryptoServiceMd4Update,
> + DeprecatedCryptoServiceMd4Final,
> + DeprecatedCryptoServiceMd4HashAll,
> /// Md5
> CryptoServiceMd5GetContextSize,
> CryptoServiceMd5Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 5e8f2e0a10..c862f0334f 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #include <Uefi/UefiBaseType.h>
>
> -///
> -/// MD4 digest size in bytes
> -///
> -#define MD4_DIGEST_SIZE 16
> -
> ///
> /// MD5 digest size in bytes
> ///
> @@ -77,146 +72,6 @@ typedef enum {
> // One-Way Cryptographic Hash Primitives
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for MD4 hash
> operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> - VOID
> - );
> -
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval TRUE MD4 context initialization succeeded.
> - @retval FALSE MD4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> - OUT VOID *Md4Context
> - );
> -
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - If Md4Context is NULL, then return FALSE.
> - If NewMd4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval TRUE MD4 context copy succeeded.
> - @retval FALSE MD4 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> - IN CONST VOID *Md4Context,
> - OUT VOID *NewMd4Context
> - );
> -
> -/**
> - Digests the input data and updates MD4 context.
> -
> - This function performs MD4 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> - by Md4Final(). Behavior with invalid context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE MD4 data digest succeeded.
> - @retval FALSE MD4 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> - IN OUT VOID *Md4Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Completes computation of the MD4 digest value.
> -
> - This function completes MD4 hash computation and retrieves the digest value
> into
> - the specified memory. After this function has been called, the MD4 context
> cannot
> - be used again.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> - finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If HashValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> - IN OUT VOID *Md4Context,
> - OUT UINT8 *HashValue
> - );
> -
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - This function performs the MD4 message digest of a given data buffer, and
> places
> - the digest value into the specified memory.
> -
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> - IN CONST VOID *Data,
> - IN UINTN DataSize,
> - OUT UINT8 *HashValue
> - );
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
>
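Review bot: removing the six Md4* prototypes here, together with MD4_DIGEST_SIZE in the hunk above, is a source-level break for any module that still includes the public BaseCryptLib.h and calls them, while the commit message only says MD4 support is removed. Suggest listing the removed symbols (MD4_DIGEST_SIZE, Md4GetContextSize, Md4Init, Md4Duplicate, Md4Update, Md4Final, Md4HashAll) in the commit message so platform owners can search their trees for them before taking the change.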
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index a63ad66b4f..22992e7d43 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -6,7 +6,7 @@
> # This external input must be validated carefully to avoid security issues such as
> # buffer overflow or integer overflow.
> #
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> # Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> @@ -29,7 +29,6 @@
>
> [Sources]
> InternalCryptLib.h
> - Hash/CryptMd4.c
> Hash/CryptMd5.c
> Hash/CryptSha1.c
> Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> deleted file mode 100644
> index bc02da07b0..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> +++ /dev/null
> @@ -1,223 +0,0 @@
> -/** @file
> - MD4 Digest Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/md4.h>
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> - @return The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> - VOID
> - )
> -{
> - //
> - // Retrieves the OpenSSL MD4 Context Size
> - //
> - return (UINTN) (sizeof (MD4_CTX));
> -}
> -
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - If Md4Context is NULL, then return FALSE.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval TRUE MD4 context initialization succeeded.
> - @retval FALSE MD4 context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> - OUT VOID *Md4Context
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (Md4Context == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL MD4 Context Initialization
> - //
> - return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
> -}
> -
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - If Md4Context is NULL, then return FALSE.
> - If NewMd4Context is NULL, then return FALSE.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval TRUE MD4 context copy succeeded.
> - @retval FALSE MD4 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> - IN CONST VOID *Md4Context,
> - OUT VOID *NewMd4Context
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (Md4Context == NULL || NewMd4Context == NULL) {
> - return FALSE;
> - }
> -
> - CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
> -
> - return TRUE;
> -}
> -
> -/**
> - Digests the input data and updates MD4 context.
> -
> - This function performs MD4 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> - by Md4Final(). Behavior with invalid context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE MD4 data digest succeeded.
> - @retval FALSE MD4 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> - IN OUT VOID *Md4Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (Md4Context == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> - //
> - if (Data == NULL && DataSize != 0) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL MD4 Hash Update
> - //
> - return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize));
> -}
> -
> -/**
> - Completes computation of the MD4 digest value.
> -
> - This function completes MD4 hash computation and retrieves the digest value
> into
> - the specified memory. After this function has been called, the MD4 context
> cannot
> - be used again.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> - finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If HashValue is NULL, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> - IN OUT VOID *Md4Context,
> - OUT UINT8 *HashValue
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (Md4Context == NULL || HashValue == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL MD4 Hash Finalization
> - //
> - return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
> -}
> -
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - This function performs the MD4 message digest of a given data buffer, and
> places
> - the digest value into the specified memory.
> -
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> - IN CONST VOID *Data,
> - IN UINTN DataSize,
> - OUT UINT8 *HashValue
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HashValue == NULL) {
> - return FALSE;
> - }
> - if (Data == NULL && DataSize != 0) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL MD4 Hash Computation.
> - //
> - if (MD4 (Data, DataSize, HashValue) == NULL) {
> - return FALSE;
> - } else {
> - return TRUE;
> - }
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> - MD4 Digest Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> - operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> - OUT VOID *Md4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> - IN CONST VOID *Md4Context,
> - OUT VOID *NewMd4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates MD4 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> - IN OUT VOID *Md4Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the MD4 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> - IN OUT VOID *Md4Context,
> - OUT UINT8 *HashValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> - IN CONST VOID *Data,
> - IN UINTN DataSize,
> - OUT UINT8 *HashValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index c836c257f8..e9add0127d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -6,14 +6,14 @@
> # This external input must be validated carefully to avoid security issues such as
> # buffer overflow or integer overflow.
> #
> -# Note: MD4 Digest functions,
> +# Note:
> # HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> # supported in this instance.
> #
> -# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
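Review bot: in the PeiCryptLib.inf file header, dropping "MD4 Digest functions," leaves a bare "# Note:" line with the list starting on the following line. Suggest reflowing so the first item sits on the same line as "Note:", the way the RuntimeCryptLib.inf and SmmCryptLib.inf hunks do with "# Note: SHA-384 Digest functions, SHA-512 Digest functions,".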
> @@ -35,7 +35,6 @@
>
> [Sources]
> InternalCryptLib.h
> - Hash/CryptMd4Null.c
> Hash/CryptMd5.c
> Hash/CryptSha1.c
> Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 9937555beb..374bfb3f65 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,13 +6,13 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
> // generator functions are not supported in this instance.
> //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509 certificate handler functions, authenticode signature verification functions,
> PEM handler functions, and pseudorandom number generator functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate
> handler functions, authenticode signature verification functions, PEM handler
> functions, and pseudorandom number generator functions are not supported in
> this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index e5b8ececc1..0a2eb03232 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -6,12 +6,12 @@
> # This external input must be validated carefully to avoid security issues such as
> # buffer overflow or integer overflow.
> #
> -# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +# Note: SHA-384 Digest functions, SHA-512 Digest functions,
> # HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> # Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> @@ -35,7 +35,6 @@
>
> [Sources]
> InternalCryptLib.h
> - Hash/CryptMd4Null.c
> Hash/CryptMd5.c
> Hash/CryptSha1.c
> Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index c0a16f1b84..b6d751176e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,12 +6,12 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index cc0b65fd25..139983075e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -6,12 +6,12 @@
> # This external input must be validated carefully to avoid security issues such as
> # buffer overflow or integer overflow.
> #
> -# Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +# Note: SHA-384 Digest functions, SHA-512 Digest functions,
> # HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> -# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -34,7 +34,6 @@
>
> [Sources]
> InternalCryptLib.h
> - Hash/CryptMd4Null.c
> Hash/CryptMd5.c
> Hash/CryptSha1.c
> Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 83485fbb90..b8d7953d2b 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,12 +6,12 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
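Review bot: the updated Note in SmmCryptLib.uni still disagrees with the Note in SmmCryptLib.inf that this same patch edits. The .inf lists "SHA-384 Digest functions, SHA-512 Digest functions" and "TDES/ARC4 functions", while this .uni lists "AES/ TDES/ARC4 functions" and no SHA-384/SHA-512. Since both lines are being touched anyway, make the two lists match what the SMM instance actually builds, and apply the same wording to STR_MODULE_DESCRIPTION in the next hunk.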
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 9b4991cbb0..b03681b146 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -29,7 +29,6 @@
>
> [Sources]
> InternalCryptLib.h
> - Hash/CryptMd4Null.c
> Hash/CryptMd5Null.c
> Hash/CryptSha1Null.c
> Hash/CryptSha256Null.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> - MD4 Digest Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> - operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> - OUT VOID *Md4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> - IN CONST VOID *Md4Context,
> - OUT VOID *NewMd4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates MD4 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> - IN OUT VOID *Md4Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the MD4 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> - IN OUT VOID *Md4Context,
> - OUT UINT8 *HashValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> - IN CONST VOID *Data,
> - IN UINTN DataSize,
> - OUT UINT8 *HashValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index c2a1df9afc..5e470028f4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
> // One-Way Cryptographic Hash Primitives
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for MD4 hash
> operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
> -}
> -
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval TRUE MD4 context initialization succeeded.
> - @retval FALSE MD4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> - OUT VOID *Md4Context
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
> -}
> -
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - If Md4Context is NULL, then return FALSE.
> - If NewMd4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval TRUE MD4 context copy succeeded.
> - @retval FALSE MD4 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> - IN CONST VOID *Md4Context,
> - OUT VOID *NewMd4Context
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context),
> FALSE);
> -}
> -
> -/**
> - Digests the input data and updates MD4 context.
> -
> - This function performs MD4 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> - by Md4Final(). Behavior with invalid context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE MD4 data digest succeeded.
> - @retval FALSE MD4 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> - IN OUT VOID *Md4Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize), FALSE);
> -}
> -
> -/**
> - Completes computation of the MD4 digest value.
> -
> - This function completes MD4 hash computation and retrieves the digest value
> into
> - the specified memory. After this function has been called, the MD4 context
> cannot
> - be used again.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> - finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If HashValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> - IN OUT VOID *Md4Context,
> - OUT UINT8 *HashValue
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
> -}
> -
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - This function performs the MD4 message digest of a given data buffer, and
> places
> - the digest value into the specified memory.
> -
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> - IN CONST VOID *Data,
> - IN UINTN DataSize,
> - OUT UINT8 *HashValue
> - )
> -{
> - CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
> -}
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
>
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index bd34e53ef2..4f3f9ba377 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -241,6 +241,9 @@ extern "C" {
> #ifndef OPENSSL_NO_AFALGENG
> # define OPENSSL_NO_AFALGENG
> #endif
> +#ifndef OPENSSL_NO_MD4
> +# define OPENSSL_NO_MD4
> +#endif
>
>
> /*
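Review bot: the OPENSSL_NO_MD4 block is added to opensslconf.h by hand, and the same patch drops md4_dgst.c, md4_one.c and md4_locl.h from OpensslLib.inf and OpensslLibCrypto.inf. If these three files come out of a configure or generation step, the matching no-md4 option has to be set there as well, otherwise the next regeneration brings MD4 back. Please say in the commit message how the files were updated.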
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index 9ed0175553..10710e4a7c 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -294,8 +294,6 @@
> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
> $(OPENSSL_PATH)/crypto/lhash/lhash.c
> - $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
> - $(OPENSSL_PATH)/crypto/md4/md4_one.c
> $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
> $(OPENSSL_PATH)/crypto/md5/md5_one.c
> $(OPENSSL_PATH)/crypto/mem.c
> @@ -525,7 +523,6 @@
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
> $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
> - $(OPENSSL_PATH)/crypto/md4/md4_locl.h
> $(OPENSSL_PATH)/crypto/md5/md5_locl.h
> $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
> $(OPENSSL_PATH)/crypto/objects/obj_dat.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 03da266627..d9782a3098 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -294,8 +294,6 @@
> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
> $(OPENSSL_PATH)/crypto/lhash/lhash.c
> - $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
> - $(OPENSSL_PATH)/crypto/md4/md4_one.c
> $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
> $(OPENSSL_PATH)/crypto/md5/md5_one.c
> $(OPENSSL_PATH)/crypto/mem.c
> @@ -525,7 +523,6 @@
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
> $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
> - $(OPENSSL_PATH)/crypto/md4/md4_locl.h
> $(OPENSSL_PATH)/crypto/md5/md5_locl.h
> $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
> $(OPENSSL_PATH)/crypto/objects/obj_dat.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index 40c387e002..ae0f29695c 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -451,145 +451,52 @@ BOOLEAN
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for MD4 hash
> operations.
> - @retval 0 This interface is not supported.
> + MD4 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> UINTN
> -(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> VOID
> );
>
>
> -/**
> - Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> - subsequent use.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Md4Context Pointer to MD4 context being initialized.
> -
> - @retval TRUE MD4 context initialization succeeded.
> - @retval FALSE MD4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
> OUT VOID *Md4Context
> );
>
>
> -/**
> - Makes a copy of an existing MD4 context.
> -
> - If Md4Context is NULL, then return FALSE.
> - If NewMd4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Md4Context Pointer to MD4 context being copied.
> - @param[out] NewMd4Context Pointer to new MD4 context.
> -
> - @retval TRUE MD4 context copy succeeded.
> - @retval FALSE MD4 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
> IN CONST VOID *Md4Context,
> OUT VOID *NewMd4Context
> );
>
>
> -/**
> - Digests the input data and updates MD4 context.
> -
> - This function performs MD4 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> - by Md4Final(). Behavior with invalid context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE MD4 data digest succeeded.
> - @retval FALSE MD4 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
> IN OUT VOID *Md4Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> );
>
>
> -/**
> - Completes computation of the MD4 digest value.
> -
> - This function completes MD4 hash computation and retrieves the digest value
> into
> - the specified memory. After this function has been called, the MD4 context
> cannot
> - be used again.
> - MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> - finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> - If Md4Context is NULL, then return FALSE.
> - If HashValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Md4Context Pointer to the MD4 context.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
> IN OUT VOID *Md4Context,
> OUT UINT8 *HashValue
> );
>
>
> -/**
> - Computes the MD4 message digest of a input data buffer.
> -
> - This function performs the MD4 message digest of a given data buffer, and
> places
> - the digest value into the specified memory.
> -
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] Data Pointer to the buffer containing the data to be hashed.
> - @param[in] DataSize Size of Data buffer in bytes.
> - @param[out] HashValue Pointer to a buffer that receives the MD4 digest
> - value (16 bytes).
> -
> - @retval TRUE MD4 digest computation succeeded.
> - @retval FALSE MD4 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
> IN CONST VOID *Data,
> IN UINTN DataSize,
> OUT UINT8 *HashValue
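Review bot: the five typedefs from DEPRECATED_EDKII_CRYPTO_MD4_INIT through DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL lose their comment blocks and get nothing in return; only DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE carries the new two-line comment. Either repeat a one-line "deprecated, kept for binary compatibility" comment on each typedef or reword the first comment so it clearly covers the whole MD4 group. In that comment, "compability" should be "compatibility".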
> @@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_HMAC_SHA256_DUPLICATE HmacSha256Duplicate;
> EDKII_CRYPTO_HMAC_SHA256_UPDATE HmacSha256Update;
> EDKII_CRYPTO_HMAC_SHA256_FINAL HmacSha256Final;
> - /// Md4
> - EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE Md4GetContextSize;
> - EDKII_CRYPTO_MD4_INIT Md4Init;
> - EDKII_CRYPTO_MD4_DUPLICATE Md4Duplicate;
> - EDKII_CRYPTO_MD4_UPDATE Md4Update;
> - EDKII_CRYPTO_MD4_FINAL Md4Final;
> - EDKII_CRYPTO_MD4_HASH_ALL Md4HashAll;
> + /// Md4 - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE
> DeprecatedMd4GetContextSize;
> + DEPRECATED_EDKII_CRYPTO_MD4_INIT DeprecatedMd4Init;
> + DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE
> DeprecatedMd4Duplicate;
> + DEPRECATED_EDKII_CRYPTO_MD4_UPDATE DeprecatedMd4Update;
> + DEPRECATED_EDKII_CRYPTO_MD4_FINAL DeprecatedMd4Final;
> + DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL DeprecatedMd4HashAll;
> /// Md5
> EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE Md5GetContextSize;
> EDKII_CRYPTO_MD5_INIT Md5Init;
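Review bot: the "/// Md4 - deprecated and unsupported" comment does not say why the six members stay in the structure. What keeps existing binaries working is that the slots keep their position and signatures, so the comment should state that these members must not be removed or reordered; otherwise a later cleanup could shift Md5GetContextSize and every member after it.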
> --
> 2.21.0.windows.1
* [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
ARC4 is not secure any longer.
Remove the ARC4 support from edk2.
Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Driver/Crypto.c | 125 ++---------
CryptoPkg/Include/Library/BaseCryptLib.h | 132 -----------
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
.../Library/BaseCryptLib/Cipher/CryptArc4.c | 205 ------------------
.../BaseCryptLib/Cipher/CryptArc4Null.c | 124 -----------
.../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
.../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
.../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
.../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
.../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
.../BaseCryptLibNull/Cipher/CryptArc4Null.c | 124 -----------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 147 -------------
.../Library/Include/openssl/opensslconf.h | 3 +
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 3 -
.../Library/OpensslLib/OpensslLibCrypto.inf | 3 -
CryptoPkg/Private/Protocol/Crypto.h | 115 ++--------
18 files changed, 43 insertions(+), 961 deletions(-)
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 95fc834bde..388a6e4b4b 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1982,150 +1982,61 @@ CryptoServiceAesCbcDecrypt (
}
/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for ARC4 operations.
- @retval 0 This interface is not supported.
+ ARC4 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
UINTN
EFIAPI
-CryptoServiceArc4GetContextSize (
+DeprecatedCryptoServiceArc4GetContextSize (
VOID
)
{
- return CALL_BASECRYPTLIB (Arc4.Services.GetContextSize, Arc4GetContextSize, (), 0);
+ return BaseCryptLibServciceDeprecated ("Arc4GetContextSize"), 0;
}
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
- In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
- operations.
-
- If Arc4Context is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeySize does not in the range of [5, 256] bytes, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval TRUE ARC4 context initialization succeeded.
- @retval FALSE ARC4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceArc4Init (
+DeprecatedCryptoServiceArc4Init (
OUT VOID *Arc4Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
)
{
- return CALL_BASECRYPTLIB (Arc4.Services.Init, Arc4Init, (Arc4Context, Key, KeySize), FALSE);
+ return BaseCryptLibServciceDeprecated ("Arc4Init"), FALSE;
}
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- This function performs ARC4 encryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval TRUE ARC4 encryption succeeded.
- @retval FALSE ARC4 encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceArc4Encrypt (
+DeprecatedCryptoServiceArc4Encrypt (
IN OUT VOID *Arc4Context,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Arc4.Services.Encrypt, Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("Arc4Encrypt"), FALSE;
}
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- This function performs ARC4 decryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval TRUE ARC4 decryption succeeded.
- @retval FALSE ARC4 decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceArc4Decrypt (
+DeprecatedCryptoServiceArc4Decrypt (
IN OUT VOID *Arc4Context,
IN UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Arc4.Services.Decrypt, Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("Arc4Decrypt"), FALSE;
}
-/**
- Resets the ARC4 context to the initial state.
-
- The function resets the ARC4 context to the state it had immediately after the
- ARC4Init() function call.
- Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
- should be already correctly initialized by ARC4Init().
-
- If Arc4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval TRUE ARC4 reset succeeded.
- @retval FALSE ARC4 reset failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceArc4Reset (
+DeprecatedCryptoServiceArc4Reset (
IN OUT VOID *Arc4Context
)
{
- return CALL_BASECRYPTLIB (Arc4.Services.Reset, Arc4Reset, (Arc4Context), FALSE);
+ return BaseCryptLibServciceDeprecated ("Arc4Reset"), FALSE;
}
//=====================================================================================
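Review bot: DeprecatedCryptoServiceArc4Init, DeprecatedCryptoServiceArc4Encrypt, DeprecatedCryptoServiceArc4Decrypt and DeprecatedCryptoServiceArc4Reset have their whole comment block removed, so nothing documents that these stubs ignore their arguments, leave Output untouched and always return FALSE. BaseCryptLibServciceDeprecated reports only through DEBUG and ASSERT_EFI_ERROR, so in a build where those are disabled the return value is the only signal a caller gets. Suggest a short comment per stub with an @retval FALSE line (@retval 0 for DeprecatedCryptoServiceArc4GetContextSize), and fix "compability" to "compatibility" in the one comment that is kept.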
@@ -4447,12 +4358,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceAesEcbDecrypt,
CryptoServiceAesCbcEncrypt,
CryptoServiceAesCbcDecrypt,
- /// Arc4
- CryptoServiceArc4GetContextSize,
- CryptoServiceArc4Init,
- CryptoServiceArc4Encrypt,
- CryptoServiceArc4Decrypt,
- CryptoServiceArc4Reset,
+ /// Arc4 - deprecated and unsupported
+ DeprecatedCryptoServiceArc4GetContextSize,
+ DeprecatedCryptoServiceArc4Init,
+ DeprecatedCryptoServiceArc4Encrypt,
+ DeprecatedCryptoServiceArc4Decrypt,
+ DeprecatedCryptoServiceArc4Reset,
/// SM3
CryptoServiceSm3GetContextSize,
CryptoServiceSm3Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index c862f0334f..25e236c4a3 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1667,138 +1667,6 @@ AesCbcDecrypt (
OUT UINT8 *Output
);
-/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for ARC4 operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
- VOID
- );
-
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
- In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
- operations.
-
- If Arc4Context is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeySize does not in the range of [5, 256] bytes, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval TRUE ARC4 context initialization succeeded.
- @retval FALSE ARC4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
- OUT VOID *Arc4Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- );
-
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- This function performs ARC4 encryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval TRUE ARC4 encryption succeeded.
- @retval FALSE ARC4 encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
- IN OUT VOID *Arc4Context,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- This function performs ARC4 decryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval TRUE ARC4 decryption succeeded.
- @retval FALSE ARC4 decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
- IN OUT VOID *Arc4Context,
- IN UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
-/**
- Resets the ARC4 context to the initial state.
-
- The function resets the ARC4 context to the state it had immediately after the
- ARC4Init() function call.
- Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
- should be already correctly initialized by ARC4Init().
-
- If Arc4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval TRUE ARC4 reset succeeded.
- @retval FALSE ARC4 reset failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
- IN OUT VOID *Arc4Context
- );
-
//=====================================================================================
// Asymmetric Cryptography Primitive
//=====================================================================================
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 22992e7d43..da38ea552f 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -40,7 +40,6 @@
Kdf/CryptHkdf.c
Cipher/CryptAes.c
Cipher/CryptTdes.c
- Cipher/CryptArc4.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExt.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
deleted file mode 100644
index 388d312bed..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/** @file
- ARC4 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/rc4.h>
-
-/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- @return The size, in bytes, of the context buffer required for ARC4 operations.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
- VOID
- )
-{
- //
- // Memory for 2 copies of RC4_KEY is allocated, one for working copy, and the other
- // for backup copy. When Arc4Reset() is called, we can use the backup copy to restore
- // the working copy to the initial state.
- //
- return (UINTN) (2 * sizeof (RC4_KEY));
-}
-
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
- In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
- operations.
-
- If Arc4Context is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval TRUE ARC4 context initialization succeeded.
- @retval FALSE ARC4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
- OUT VOID *Arc4Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- RC4_KEY *Rc4Key;
-
- //
- // Check input parameters.
- //
- if (Arc4Context == NULL || Key == NULL || (KeySize < 5 || KeySize > 256)) {
- return FALSE;
- }
-
- Rc4Key = (RC4_KEY *) Arc4Context;
-
- RC4_set_key (Rc4Key, (UINT32) KeySize, Key);
-
- CopyMem (Rc4Key + 1, Rc4Key, sizeof (RC4_KEY));
-
- return TRUE;
-}
-
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- This function performs ARC4 encryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval TRUE ARC4 encryption succeeded.
- @retval FALSE ARC4 encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
- IN OUT VOID *Arc4Context,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- RC4_KEY *Rc4Key;
-
- //
- // Check input parameters.
- //
- if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
- return FALSE;
- }
-
- Rc4Key = (RC4_KEY *) Arc4Context;
-
- RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
- return TRUE;
-}
-
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- This function performs ARC4 decryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval TRUE ARC4 decryption succeeded.
- @retval FALSE ARC4 decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
- IN OUT VOID *Arc4Context,
- IN UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- RC4_KEY *Rc4Key;
-
- //
- // Check input parameters.
- //
- if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
- return FALSE;
- }
-
- Rc4Key = (RC4_KEY *) Arc4Context;
-
- RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
- return TRUE;
-}
-
-/**
- Resets the ARC4 context to the initial state.
-
- The function resets the ARC4 context to the state it had immediately after the
- ARC4Init() function call.
- Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
- should be already correctly initialized by ARC4Init().
-
- If Arc4Context is NULL, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval TRUE ARC4 reset succeeded.
- @retval FALSE ARC4 reset failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
- IN OUT VOID *Arc4Context
- )
-{
- RC4_KEY *Rc4Key;
-
- //
- // Check input parameters.
- //
- if (Arc4Context == NULL) {
- return FALSE;
- }
-
- Rc4Key = (RC4_KEY *) Arc4Context;
-
- CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY));
-
- return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
- ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
- OUT VOID *Arc4Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
- IN OUT VOID *Arc4Context,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
- IN OUT VOID *Arc4Context,
- IN UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Resets the ARC4 context to the initial state.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
- IN OUT VOID *Arc4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index e9add0127d..f43953b78c 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note:
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
# certificate handler functions, authenticode signature verification functions,
# PEM handler functions, and pseudorandom number generator functions are not
@@ -46,7 +46,6 @@
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
Cipher/CryptTdesNull.c
- Cipher/CryptArc4Null.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 374bfb3f65..5abd8e8dfb 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -7,7 +7,7 @@
// buffer overflow or integer overflow.
//
// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, X.509 certificate handler functions, authenticode
// signature verification functions, PEM handler functions, and pseudorandom number
// generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
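Review bot: the unsupported-function list in PeiCryptLib.uni does not match the one in PeiCryptLib.inf. The .inf header in this patch reads "HMAC-SHA1/SHA256 functions", while the comment in the hunk above and STR_MODULE_DESCRIPTION here say only "HMAC-SHA1 functions", and the string still carries a stray space in "AES/ TDES functions". Both lines are already being edited for ARC4, so bring the .uni wording in line with the .inf in the same change.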
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 0a2eb03232..f1eb099b67 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -46,7 +46,6 @@
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
Cipher/CryptTdesNull.c
- Cipher/CryptArc4Null.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index b6d751176e..5a48d2a308 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -7,7 +7,7 @@
// buffer overflow or integer overflow.
//
// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 139983075e..3a94655775 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -45,7 +45,6 @@
Kdf/CryptHkdfNull.c
Cipher/CryptAes.c
Cipher/CryptTdesNull.c
- Cipher/CryptArc4Null.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index b8d7953d2b..0561f107e8 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -7,7 +7,7 @@
// buffer overflow or integer overflow.
//
// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
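Review bot: the rewritten STR_MODULE_DESCRIPTION, like the comment in the hunk above, still lists "AES/ TDES functions" as unsupported, but SmmCryptLib.inf in this same patch builds Cipher/CryptAes.c and its header note names only "TDES functions". Drop "AES/ " from both .uni lines so the module description does not tell integrators that AES is unavailable in the SMM instance.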
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index b03681b146..a205c9005d 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -40,7 +40,6 @@
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
Cipher/CryptTdesNull.c
- Cipher/CryptArc4Null.c
Pk/CryptRsaBasicNull.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
- ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
- OUT VOID *Arc4Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
- IN OUT VOID *Arc4Context,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
- IN OUT VOID *Arc4Context,
- IN UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Resets the ARC4 context to the initial state.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
- IN OUT VOID *Arc4Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 5e470028f4..77915bdb86 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1892,153 +1892,6 @@ AesCbcDecrypt (
CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE);
}
-/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for ARC4 operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
- VOID
- )
-{
- CALL_CRYPTO_SERVICE (Arc4GetContextSize, (), 0);
-}
-
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
- In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
- operations.
-
- If Arc4Context is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeySize does not in the range of [5, 256] bytes, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval TRUE ARC4 context initialization succeeded.
- @retval FALSE ARC4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
- OUT VOID *Arc4Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- CALL_CRYPTO_SERVICE (Arc4Init, (Arc4Context, Key, KeySize), FALSE);
-}
-
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- This function performs ARC4 encryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval TRUE ARC4 encryption succeeded.
- @retval FALSE ARC4 encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
- IN OUT VOID *Arc4Context,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- This function performs ARC4 decryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval TRUE ARC4 decryption succeeded.
- @retval FALSE ARC4 decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
- IN OUT VOID *Arc4Context,
- IN UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
- Resets the ARC4 context to the initial state.
-
- The function resets the ARC4 context to the state it had immediately after the
- ARC4Init() function call.
- Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
- should be already correctly initialized by ARC4Init().
-
- If Arc4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval TRUE ARC4 reset succeeded.
- @retval FALSE ARC4 reset failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
- IN OUT VOID *Arc4Context
- )
-{
- CALL_CRYPTO_SERVICE (Arc4Reset, (Arc4Context), FALSE);
-}
-
//=====================================================================================
// Asymmetric Cryptography Primitive
//=====================================================================================
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 4f3f9ba377..22acabef87 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -244,6 +244,9 @@ extern "C" {
#ifndef OPENSSL_NO_MD4
# define OPENSSL_NO_MD4
#endif
+#ifndef OPENSSL_NO_RC4
+# define OPENSSL_NO_RC4
+#endif
/*
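Review bot: OPENSSL_NO_RC4 is added directly to opensslconf.h here, and the rc4 sources are dropped directly from OpensslLib.inf and OpensslLibCrypto.inf later in the patch. If this header and those file lists are produced by a generation script, the RC4 exclusion has to be set in that script's configuration as well; otherwise the next regeneration would bring back rc4_enc.c, rc4_skey.c and rc4_locl.h and drop this define. Please confirm which case applies and say so in the commit message.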
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 10710e4a7c..dfaefd1c08 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -374,8 +374,6 @@
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
$(OPENSSL_PATH)/crypto/rand/rand_win.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
$(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
$(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
$(OPENSSL_PATH)/crypto/rand/rand_lcl.h
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
$(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
$(OPENSSL_PATH)/crypto/sha/sha_locl.h
$(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index d9782a3098..080e1d9305 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -374,8 +374,6 @@
$(OPENSSL_PATH)/crypto/rand/rand_unix.c
$(OPENSSL_PATH)/crypto/rand/rand_vms.c
$(OPENSSL_PATH)/crypto/rand/rand_win.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
- $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
$(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
$(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
$(OPENSSL_PATH)/crypto/rand/rand_lcl.h
- $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
$(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
$(OPENSSL_PATH)/crypto/sha/sha_locl.h
$(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index ae0f29695c..f36c5c1aff 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2785,134 +2785,45 @@ BOOLEAN
);
/**
- Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for ARC4 operations.
- @retval 0 This interface is not supported.
+ ARC4 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
UINTN
-(EFIAPI *EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
VOID
);
-/**
- Initializes user-supplied memory as ARC4 context for subsequent use.
-
- This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
- In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
- operations.
-
- If Arc4Context is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeySize does not in the range of [5, 256] bytes, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] Arc4Context Pointer to ARC4 context being initialized.
- @param[in] Key Pointer to the user-supplied ARC4 key.
- @param[in] KeySize Size of ARC4 key in bytes.
-
- @retval TRUE ARC4 context initialization succeeded.
- @retval FALSE ARC4 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) (
OUT VOID *Arc4Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
);
-/**
- Performs ARC4 encryption on a data buffer of the specified size.
-
- This function performs ARC4 encryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 encryption output.
-
- @retval TRUE ARC4 encryption succeeded.
- @retval FALSE ARC4 encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) (
IN OUT VOID *Arc4Context,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
);
-/**
- Performs ARC4 decryption on a data buffer of the specified size.
-
- This function performs ARC4 decryption on data buffer pointed by Input, of specified
- size of InputSize.
- Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
- invalid ARC4 context is undefined.
-
- If Arc4Context is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the ARC4 decryption output.
-
- @retval TRUE ARC4 decryption succeeded.
- @retval FALSE ARC4 decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) (
IN OUT VOID *Arc4Context,
IN UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
);
-/**
- Resets the ARC4 context to the initial state.
-
- The function resets the ARC4 context to the state it had immediately after the
- ARC4Init() function call.
- Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
- should be already correctly initialized by ARC4Init().
-
- If Arc4Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] Arc4Context Pointer to the ARC4 context.
-
- @retval TRUE ARC4 reset succeeded.
- @retval FALSE ARC4 reset failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_RESET) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) (
IN OUT VOID *Arc4Context
);
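Review bot: only DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE keeps a doc block; the four typedefs after it (..._ARC4_INIT, ..._ARC4_ENCRYPT, ..._ARC4_DECRYPT, ..._ARC4_RESET) lose theirs with no replacement, and the one remaining comment misspells "compatibility" as "compability". Suggest either a one-line deprecation comment above each typedef or wording the first comment so it clearly covers all five, and stating that the retained entries return 0 or FALSE so a caller knows what to expect from them.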
@@ -4014,12 +3925,12 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt;
EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt;
EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt;
- /// Arc4
- EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE Arc4GetContextSize;
- EDKII_CRYPTO_ARC4_INIT Arc4Init;
- EDKII_CRYPTO_ARC4_ENCRYPT Arc4Encrypt;
- EDKII_CRYPTO_ARC4_DECRYPT Arc4Decrypt;
- EDKII_CRYPTO_ARC4_RESET Arc4Reset;
+ /// Arc4 - deprecated and unsupported
+ DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE DeprecatedArc4GetContextSize;
+ DEPRECATED_EDKII_CRYPTO_ARC4_INIT DeprecatedArc4Init;
+ DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT DeprecatedArc4Encrypt;
+ DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT DeprecatedArc4Decrypt;
+ DEPRECATED_EDKII_CRYPTO_ARC4_RESET DeprecatedArc4Reset;
/// SM3
EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE Sm3GetContextSize;
EDKII_CRYPTO_SM3_INIT Sm3Init;
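Review bot: the five members stay in place between AesCbcDecrypt and Sm3GetContextSize, which keeps the offset of every later member unchanged, but the new comment "/// Arc4 - deprecated and unsupported" does not say so. Suggest stating in that comment that the slots are retained for binary compatibility and must not be removed or reordered. The member rename itself (Arc4Init to DeprecatedArc4Init, and so on) breaks source-level users of the old names, which deserves a line in the commit message.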
--
2.21.0.windows.1
* Re: [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
From: Wang, Jian J @ 2020-05-08 14:34 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Zhichao,
Thanks for making this patch series.
Just two comments for patch 3:
(1) If possible, please group patch file based on module unit. For this patch,
I think at least OpensslLib can be put in separate patch file.
(2) Please update process_files.pl in OpensslLib to generate OpensslLibXxx.inf
and opensslconf.h.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> ARC4 is not secure any longer.
> Remove the ARC4 support from edk2.
> Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 125 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 132 -----------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Cipher/CryptArc4.c | 205 ------------------
> .../BaseCryptLib/Cipher/CryptArc4Null.c | 124 -----------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Cipher/CryptArc4Null.c | 124 -----------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 147 -------------
> .../Library/Include/openssl/opensslconf.h | 3 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 3 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 3 -
> CryptoPkg/Private/Protocol/Crypto.h | 115 ++--------
> 18 files changed, 43 insertions(+), 961 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 95fc834bde..388a6e4b4b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1982,150 +1982,61 @@ CryptoServiceAesCbcDecrypt (
> }
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for ARC4 operations.
> - @retval 0 This interface is not supported.
> + ARC4 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> UINTN
> EFIAPI
> -CryptoServiceArc4GetContextSize (
> +DeprecatedCryptoServiceArc4GetContextSize (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (Arc4.Services.GetContextSize,
> Arc4GetContextSize, (), 0);
> + return BaseCryptLibServciceDeprecated ("Arc4GetContextSize"), 0;
> }
>
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> - In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> - operations.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval TRUE ARC4 context initialization succeeded.
> - @retval FALSE ARC4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceArc4Init (
> +DeprecatedCryptoServiceArc4Init (
> OUT VOID *Arc4Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> )
> {
> - return CALL_BASECRYPTLIB (Arc4.Services.Init, Arc4Init, (Arc4Context, Key,
> KeySize), FALSE);
> + return BaseCryptLibServciceDeprecated ("Arc4Init"), FALSE;
> }
>
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval TRUE ARC4 encryption succeeded.
> - @retval FALSE ARC4 encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceArc4Encrypt (
> +DeprecatedCryptoServiceArc4Encrypt (
> IN OUT VOID *Arc4Context,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Arc4.Services.Encrypt, Arc4Encrypt, (Arc4Context,
> Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("Arc4Encrypt"), FALSE;
> }
>
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval TRUE ARC4 decryption succeeded.
> - @retval FALSE ARC4 decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceArc4Decrypt (
> +DeprecatedCryptoServiceArc4Decrypt (
> IN OUT VOID *Arc4Context,
> IN UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Arc4.Services.Decrypt, Arc4Decrypt, (Arc4Context,
> Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("Arc4Decrypt"), FALSE;
> }
>
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - The function resets the ARC4 context to the state it had immediately after the
> - ARC4Init() function call.
> - Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> - should be already correctly initialized by ARC4Init().
> -
> - If Arc4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval TRUE ARC4 reset succeeded.
> - @retval FALSE ARC4 reset failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceArc4Reset (
> +DeprecatedCryptoServiceArc4Reset (
> IN OUT VOID *Arc4Context
> )
> {
> - return CALL_BASECRYPTLIB (Arc4.Services.Reset, Arc4Reset, (Arc4Context),
> FALSE);
> + return BaseCryptLibServciceDeprecated ("Arc4Reset"), FALSE;
> }
>
>
> //===============================================================
> ======================
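Review bot: each stub returns through a comma expression, for example "return BaseCryptLibServciceDeprecated ("Arc4Init"), FALSE;", which buries the call to a VOID worker inside the return statement. Calling the worker on its own line and returning 0 or FALSE on the next is easier to read and to step through. The worker added in patch 1/8 only prints a DEBUG_ERROR message and asserts, so wherever debug output and asserts are compiled out the return value is the only signal; DeprecatedCryptoServiceArc4GetContextSize returning 0 in particular deserves a @retval line so that no caller sizes a buffer from it. The doc block is also present only on the first stub and carries the same "compability" typo as Crypto.h.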
> @@ -4447,12 +4358,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> CryptoServiceAesEcbDecrypt,
> CryptoServiceAesCbcEncrypt,
> CryptoServiceAesCbcDecrypt,
> - /// Arc4
> - CryptoServiceArc4GetContextSize,
> - CryptoServiceArc4Init,
> - CryptoServiceArc4Encrypt,
> - CryptoServiceArc4Decrypt,
> - CryptoServiceArc4Reset,
> + /// Arc4 - deprecated and unsupported
> + DeprecatedCryptoServiceArc4GetContextSize,
> + DeprecatedCryptoServiceArc4Init,
> + DeprecatedCryptoServiceArc4Encrypt,
> + DeprecatedCryptoServiceArc4Decrypt,
> + DeprecatedCryptoServiceArc4Reset,
> /// SM3
> CryptoServiceSm3GetContextSize,
> CryptoServiceSm3Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index c862f0334f..25e236c4a3 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1667,138 +1667,6 @@ AesCbcDecrypt (
> OUT UINT8 *Output
> );
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for ARC4 operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> - VOID
> - );
> -
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> - In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> - operations.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval TRUE ARC4 context initialization succeeded.
> - @retval FALSE ARC4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> - OUT VOID *Arc4Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - );
> -
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval TRUE ARC4 encryption succeeded.
> - @retval FALSE ARC4 encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> - IN OUT VOID *Arc4Context,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval TRUE ARC4 decryption succeeded.
> - @retval FALSE ARC4 decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> - IN OUT VOID *Arc4Context,
> - IN UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - The function resets the ARC4 context to the state it had immediately after the
> - ARC4Init() function call.
> - Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> - should be already correctly initialized by ARC4Init().
> -
> - If Arc4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval TRUE ARC4 reset succeeded.
> - @retval FALSE ARC4 reset failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> - IN OUT VOID *Arc4Context
> - );
> -
>
> //===============================================================
> ======================
> // Asymmetric Cryptography Primitive
>
> //===============================================================
> ======================
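Review bot: the five Arc4* prototypes are deleted from the public BaseCryptLib.h outright, while the protocol in Crypto.h keeps stub entries for the same services. A consumer still calling Arc4Init() or one of the other four through the library now fails at build time instead of reaching the deprecation assert. If that asymmetry is intended, the commit message should spell out that library callers break at compile time while protocol callers get a runtime failure.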
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 22992e7d43..da38ea552f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -40,7 +40,6 @@
> Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> Cipher/CryptTdes.c
> - Cipher/CryptArc4.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExt.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> deleted file mode 100644
> index 388d312bed..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> +++ /dev/null
> @@ -1,205 +0,0 @@
> -/** @file
> - ARC4 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/rc4.h>
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - @return The size, in bytes, of the context buffer required for ARC4 operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> - VOID
> - )
> -{
> - //
> - // Memory for 2 copies of RC4_KEY is allocated, one for working copy, and
> the other
> - // for backup copy. When Arc4Reset() is called, we can use the backup copy to
> restore
> - // the working copy to the initial state.
> - //
> - return (UINTN) (2 * sizeof (RC4_KEY));
> -}
> -
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> - In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> - operations.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval TRUE ARC4 context initialization succeeded.
> - @retval FALSE ARC4 context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> - OUT VOID *Arc4Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - RC4_KEY *Rc4Key;
> -
> - //
> - // Check input parameters.
> - //
> - if (Arc4Context == NULL || Key == NULL || (KeySize < 5 || KeySize > 256)) {
> - return FALSE;
> - }
> -
> - Rc4Key = (RC4_KEY *) Arc4Context;
> -
> - RC4_set_key (Rc4Key, (UINT32) KeySize, Key);
> -
> - CopyMem (Rc4Key + 1, Rc4Key, sizeof (RC4_KEY));
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval TRUE ARC4 encryption succeeded.
> - @retval FALSE ARC4 encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> - IN OUT VOID *Arc4Context,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - RC4_KEY *Rc4Key;
> -
> - //
> - // Check input parameters.
> - //
> - if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize >
> INT_MAX) {
> - return FALSE;
> - }
> -
> - Rc4Key = (RC4_KEY *) Arc4Context;
> -
> - RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval TRUE ARC4 decryption succeeded.
> - @retval FALSE ARC4 decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> - IN OUT VOID *Arc4Context,
> - IN UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - RC4_KEY *Rc4Key;
> -
> - //
> - // Check input parameters.
> - //
> - if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize >
> INT_MAX) {
> - return FALSE;
> - }
> -
> - Rc4Key = (RC4_KEY *) Arc4Context;
> -
> - RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
> -
> - return TRUE;
> -}
> -
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - The function resets the ARC4 context to the state it had immediately after the
> - ARC4Init() function call.
> - Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> - should be already correctly initialized by ARC4Init().
> -
> - If Arc4Context is NULL, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval TRUE ARC4 reset succeeded.
> - @retval FALSE ARC4 reset failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> - IN OUT VOID *Arc4Context
> - )
> -{
> - RC4_KEY *Rc4Key;
> -
> - //
> - // Check input parameters.
> - //
> - if (Arc4Context == NULL) {
> - return FALSE;
> - }
> -
> - Rc4Key = (RC4_KEY *) Arc4Context;
> -
> - CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY));
> -
> - return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> deleted file mode 100644
> index 1f09bfa30e..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> +++ /dev/null
> @@ -1,124 +0,0 @@
> -/** @file
> - ARC4 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> - OUT VOID *Arc4Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> - IN OUT VOID *Arc4Context,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> - IN OUT VOID *Arc4Context,
> - IN UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> - IN OUT VOID *Arc4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index e9add0127d..f43953b78c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note:
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -46,7 +46,6 @@
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> - Cipher/CryptArc4Null.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 374bfb3f65..5abd8e8dfb 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -7,7 +7,7 @@
> // buffer overflow or integer overflow.
> //
> // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
> // generator functions are not supported in this instance.
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate
> handler functions, authenticode signature verification functions, PEM handler
> functions, and pseudorandom number generator functions are not supported in
> this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
>
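Review bot: the rewritten STR_MODULE_DESCRIPTION keeps the stray space in "AES/ TDES functions" from the old string, and the note still lists "HMAC-SHA1 functions" where the matching PeiCryptLib.inf comment says "HMAC-SHA1/SHA256 functions". Since both the comment block and the string are being edited for ARC4 anyway, this is a good place to fix the spacing and bring the .uni text in line with the .inf.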
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 0a2eb03232..f1eb099b67 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -46,7 +46,6 @@
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> - Cipher/CryptArc4Null.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index b6d751176e..5a48d2a308 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -7,7 +7,7 @@
> // buffer overflow or integer overflow.
> //
> // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 139983075e..3a94655775 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> external
> +# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -45,7 +45,6 @@
> Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> Cipher/CryptTdesNull.c
> - Cipher/CryptArc4Null.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index b8d7953d2b..0561f107e8 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -7,7 +7,7 @@
> // buffer overflow or integer overflow.
> //
> // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index b03681b146..a205c9005d 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -40,7 +40,6 @@
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> - Cipher/CryptArc4Null.c
> Pk/CryptRsaBasicNull.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> deleted file mode 100644
> index 1f09bfa30e..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> +++ /dev/null
> @@ -1,124 +0,0 @@
> -/** @file
> - ARC4 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> - OUT VOID *Arc4Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> - IN OUT VOID *Arc4Context,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> - IN OUT VOID *Arc4Context,
> - IN UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> - IN OUT VOID *Arc4Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 5e470028f4..77915bdb86 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1892,153 +1892,6 @@ AesCbcDecrypt (
> CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec,
> Output), FALSE);
> }
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for ARC4 operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (Arc4GetContextSize, (), 0);
> -}
> -
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> - In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> - operations.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval TRUE ARC4 context initialization succeeded.
> - @retval FALSE ARC4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> - OUT VOID *Arc4Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - CALL_CRYPTO_SERVICE (Arc4Init, (Arc4Context, Key, KeySize), FALSE);
> -}
> -
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval TRUE ARC4 encryption succeeded.
> - @retval FALSE ARC4 encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> - IN OUT VOID *Arc4Context,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (Arc4Encrypt, (Arc4Context, Input, InputSize, Output),
> FALSE);
> -}
> -
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval TRUE ARC4 decryption succeeded.
> - @retval FALSE ARC4 decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> - IN OUT VOID *Arc4Context,
> - IN UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (Arc4Decrypt, (Arc4Context, Input, InputSize, Output),
> FALSE);
> -}
> -
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - The function resets the ARC4 context to the state it had immediately after the
> - ARC4Init() function call.
> - Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> - should be already correctly initialized by ARC4Init().
> -
> - If Arc4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval TRUE ARC4 reset succeeded.
> - @retval FALSE ARC4 reset failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> - IN OUT VOID *Arc4Context
> - )
> -{
> - CALL_CRYPTO_SERVICE (Arc4Reset, (Arc4Context), FALSE);
> -}
> -
>
> //===============================================================
> ======================
> // Asymmetric Cryptography Primitive
>
> //===============================================================
> ======================
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 4f3f9ba377..22acabef87 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -244,6 +244,9 @@ extern "C" {
> #ifndef OPENSSL_NO_MD4
> # define OPENSSL_NO_MD4
> #endif
> +#ifndef OPENSSL_NO_RC4
> +# define OPENSSL_NO_RC4
> +#endif
>
>
> /*
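Review bot: The new OPENSSL_NO_RC4 guard after the OPENSSL_NO_MD4 block is added by hand in opensslconf.h, while the rc4 sources are dropped from OpensslLib.inf and OpensslLibCrypto.inf in separate hunks. If this header and those source lists come out of a generation step, the RC4 exclusion needs to be set in that step's configuration too, otherwise regenerating would bring rc4_enc.c, rc4_skey.c and rc4_locl.h back. Please say in the commit message how the three files were updated.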
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index 10710e4a7c..dfaefd1c08 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -374,8 +374,6 @@
> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
> $(OPENSSL_PATH)/crypto/rand/rand_win.c
> - $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> - $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
> @@ -531,7 +529,6 @@
> $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
> $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
> $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
> - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
> $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
> $(OPENSSL_PATH)/crypto/sha/sha_locl.h
> $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index d9782a3098..080e1d9305 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -374,8 +374,6 @@
> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
> $(OPENSSL_PATH)/crypto/rand/rand_win.c
> - $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> - $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
> @@ -531,7 +529,6 @@
> $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
> $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
> $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
> - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
> $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
> $(OPENSSL_PATH)/crypto/sha/sha_locl.h
> $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index ae0f29695c..f36c5c1aff 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2785,134 +2785,45 @@ BOOLEAN
> );
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for ARC4 operations.
> - @retval 0 This interface is not supported.
> + ARC4 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> UINTN
> -(EFIAPI *EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
> VOID
> );
>
> -/**
> - Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> - In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> - operations.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] Arc4Context Pointer to ARC4 context being initialized.
> - @param[in] Key Pointer to the user-supplied ARC4 key.
> - @param[in] KeySize Size of ARC4 key in bytes.
> -
> - @retval TRUE ARC4 context initialization succeeded.
> - @retval FALSE ARC4 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) (
> OUT VOID *Arc4Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> );
>
> -/**
> - Performs ARC4 encryption on a data buffer of the specified size.
> -
> - This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> encryption output.
> -
> - @retval TRUE ARC4 encryption succeeded.
> - @retval FALSE ARC4 encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) (
> IN OUT VOID *Arc4Context,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs ARC4 decryption on a data buffer of the specified size.
> -
> - This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> - size of InputSize.
> - Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> - invalid ARC4 context is undefined.
> -
> - If Arc4Context is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the ARC4
> decryption output.
> -
> - @retval TRUE ARC4 decryption succeeded.
> - @retval FALSE ARC4 decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) (
> IN OUT VOID *Arc4Context,
> IN UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Resets the ARC4 context to the initial state.
> -
> - The function resets the ARC4 context to the state it had immediately after the
> - ARC4Init() function call.
> - Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> - should be already correctly initialized by ARC4Init().
> -
> - If Arc4Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] Arc4Context Pointer to the ARC4 context.
> -
> - @retval TRUE ARC4 reset succeeded.
> - @retval FALSE ARC4 reset failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_RESET) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) (
> IN OUT VOID *Arc4Context
> );
>
> @@ -4014,12 +3925,12 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt;
> EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt;
> EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt;
> - /// Arc4
> - EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE Arc4GetContextSize;
> - EDKII_CRYPTO_ARC4_INIT Arc4Init;
> - EDKII_CRYPTO_ARC4_ENCRYPT Arc4Encrypt;
> - EDKII_CRYPTO_ARC4_DECRYPT Arc4Decrypt;
> - EDKII_CRYPTO_ARC4_RESET Arc4Reset;
> + /// Arc4 - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE
> DeprecatedArc4GetContextSize;
> + DEPRECATED_EDKII_CRYPTO_ARC4_INIT DeprecatedArc4Init;
> + DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT DeprecatedArc4Encrypt;
> + DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT DeprecatedArc4Decrypt;
> + DEPRECATED_EDKII_CRYPTO_ARC4_RESET DeprecatedArc4Reset;
> /// SM3
> EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE Sm3GetContextSize;
> EDKII_CRYPTO_SM3_INIT Sm3Init;
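Review bot: Renaming the five Arc4 members of _EDKII_CRYPTO_PROTOCOL to DeprecatedArc4* keeps the structure layout but is a source-level break for any code that still dereferences the old member names. That looks intentional, since it turns continued use into a build error, but the commit message only talks about retiring the algorithm and should state this effect explicitly. Also consider whether the protocol version reported to consumers should change now that these slots no longer provide a working service.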
> --
> 2.21.0.windows.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (2 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-07 7:51 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-08 14:42 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
` (4 subsequent siblings)
8 siblings, 2 replies; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Tdes is not secure any longer.
Remove the Tdes support from edk2.
Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Driver/Crypto.c | 181 +--------
CryptoPkg/Include/Library/BaseCryptLib.h | 196 ----------
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
.../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------------------
.../BaseCryptLib/Cipher/CryptTdesNull.c | 160 --------
.../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
.../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
.../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
.../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
.../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
.../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 --------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 214 ----------
.../Library/Include/openssl/opensslconf.h | 3 +
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 21 -
.../Library/OpensslLib/OpensslLibCrypto.inf | 21 -
CryptoPkg/Private/Protocol/Crypto.h | 169 +-------
19 files changed, 53 insertions(+), 1472 deletions(-)
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 388a6e4b4b..a4106aae0b 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
//=====================================================================================
/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for TDES operations.
- @retval 0 This interface is not supported.
+ TDES is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
UINTN
EFIAPI
-CryptoServiceTdesGetContextSize (
+DeprecatedCryptoServiceTdesGetContextSize (
VOID
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize, TdesGetContextSize, (), 0);
+ return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0;
}
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- This function initializes user-supplied memory pointed by TdesContext as TDES context.
- In addition, it sets up all TDES key materials for subsequent encryption and decryption
- operations.
- There are 3 key options as follows:
- KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
- KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
- KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
-
- If TdesContext is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeyLength is not valid, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval TRUE TDES context initialization succeeded.
- @retval FALSE TDES context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceTdesInit (
+DeprecatedCryptoServiceTdesInit (
OUT VOID *TdesContext,
IN CONST UINT8 *Key,
IN UINTN KeyLength
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key, KeyLength), FALSE);
+ return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;
}
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceTdesEcbEncrypt (
+DeprecatedCryptoServiceTdesEcbEncrypt (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE;
}
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceTdesEcbDecrypt (
+DeprecatedCryptoServiceTdesEcbDecrypt (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE;
}
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceTdesCbcEncrypt (
+DeprecatedCryptoServiceTdesCbcEncrypt (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
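Review bot: Every stub in this hunk returns through a comma expression, for example `return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;`, which buries a call with side effects inside the return statement and is easy to misread. Calling the helper on its own line and following it with a plain `return FALSE;` (or `return 0;` in DeprecatedCryptoServiceTdesGetContextSize) reads better and behaves the same. The new comment on DeprecatedCryptoServiceTdesGetContextSize also has "compability" for "compatibility".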
@@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;
}
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceTdesCbcDecrypt (
+DeprecatedCryptoServiceTdesCbcDecrypt (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
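Review bot: `return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;` uses the comma operator with a VOID call as its left operand, which is easy to misread as returning the helper's result. Split it into a plain call statement followed by `return FALSE;`. The same applies to the TdesCbcDecrypt stub in the next hunk.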
@@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE;
}
/**
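Review bot: In the TdesCbcDecrypt stub, Output is never written and the only failure signals are the FALSE return plus the DEBUG message and ASSERT_EFI_ERROR inside BaseCryptLibServciceDeprecated. On a build where DEBUG and ASSERT are compiled out, a caller that does not check the return value carries on with whatever was already in Output. Document in the stub's header that Output is left unmodified and that the return value must be checked.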
@@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceX509Free,
CryptoServiceX509StackFree,
CryptoServiceX509GetTBSCert,
- /// TDES
- CryptoServiceTdesGetContextSize,
- CryptoServiceTdesInit,
- CryptoServiceTdesEcbEncrypt,
- CryptoServiceTdesEcbDecrypt,
- CryptoServiceTdesCbcEncrypt,
- CryptoServiceTdesCbcDecrypt,
+ /// TDES - deprecated and unsupported
+ DeprecatedCryptoServiceTdesGetContextSize,
+ DeprecatedCryptoServiceTdesInit,
+ DeprecatedCryptoServiceTdesEcbEncrypt,
+ DeprecatedCryptoServiceTdesEcbDecrypt,
+ DeprecatedCryptoServiceTdesCbcEncrypt,
+ DeprecatedCryptoServiceTdesCbcDecrypt,
/// AES
CryptoServiceAesGetContextSize,
CryptoServiceAesInit,
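Review bot: The new comment `/// TDES - deprecated and unsupported` does not say why the six members stay in mEdkiiCrypto as stubs. If the slots are kept so that the members that follow (AES onward) keep their positions for existing consumers of EDKII_CRYPTO_PROTOCOL, say so in the comment, so that nobody later removes them as dead code.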
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 25e236c4a3..621bcfd1c4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1278,202 +1278,6 @@ HmacSha256Final (
// Symmetric Cryptography Primitive
//=====================================================================================
-/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for TDES operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
- VOID
- );
-
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- This function initializes user-supplied memory pointed by TdesContext as TDES context.
- In addition, it sets up all TDES key materials for subsequent encryption and decryption
- operations.
- There are 3 key options as follows:
- KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
- KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
- KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
-
- If TdesContext is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeyLength is not valid, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval TRUE TDES context initialization succeeded.
- @retval FALSE TDES context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
- OUT VOID *TdesContext,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength
- );
-
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- );
-
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- );
-
/**
Retrieves the size, in bytes, of the context buffer required for AES operations.
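Review bot: The six TDES prototypes are removed from the public header with no deprecation marker left behind, so consumers that link the library get a build break while consumers of the protocol get a runtime assert from the stubs in Crypto.c. If that asymmetry is intended, state it in the commit message. Also, TDES_BLOCK_SIZE, which the deleted CryptTdes.c uses, is not touched by this hunk; if it is defined in this header it is now unused and should be removed as well.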
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index da38ea552f..2de8e9c346 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -39,7 +39,6 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAes.c
- Cipher/CryptTdes.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExt.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
deleted file mode 100644
index fd799f3398..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
+++ /dev/null
@@ -1,364 +0,0 @@
-/** @file
- TDES Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/des.h>
-
-/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- @return The size, in bytes, of the context buffer required for TDES operations.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
- VOID
- )
-{
- //
- // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3 each.
- //
- return (UINTN) (3 * sizeof (DES_key_schedule));
-}
-
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- This function initializes user-supplied memory pointed by TdesContext as TDES context.
- In addition, it sets up all TDES key materials for subsequent encryption and decryption
- operations.
- There are 3 key options as follows:
- KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
- KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
- KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
-
- If TdesContext is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeyLength is not valid, then return FALSE.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval TRUE TDES context initialization succeeded.
- @retval FALSE TDES context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
- OUT VOID *TdesContext,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength
- )
-{
- DES_key_schedule *KeySchedule;
-
- //
- // Check input parameters.
- //
- if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength != 128 && KeyLength != 192)) {
- return FALSE;
- }
-
- KeySchedule = (DES_key_schedule *) TdesContext;
-
- //
- // If input Key is a weak key, return error.
- //
- if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
- return FALSE;
- }
-
- DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
-
- if (KeyLength == 64) {
- CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
- CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
- return TRUE;
- }
-
- if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
- return FALSE;
- }
-
- DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
-
- if (KeyLength == 128) {
- CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
- return TRUE;
- }
-
- if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
- return FALSE;
- }
-
- DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
-
- return TRUE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- DES_key_schedule *KeySchedule;
-
- //
- // Check input parameters.
- //
- if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
- return FALSE;
- }
-
- KeySchedule = (DES_key_schedule *) TdesContext;
-
- while (InputSize > 0) {
- DES_ecb3_encrypt (
- (const_DES_cblock *) Input,
- (DES_cblock *) Output,
- KeySchedule,
- KeySchedule + 1,
- KeySchedule + 2,
- DES_ENCRYPT
- );
- Input += TDES_BLOCK_SIZE;
- Output += TDES_BLOCK_SIZE;
- InputSize -= TDES_BLOCK_SIZE;
- }
-
- return TRUE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- DES_key_schedule *KeySchedule;
-
- //
- // Check input parameters.
- //
- if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
- return FALSE;
- }
-
- KeySchedule = (DES_key_schedule *) TdesContext;
-
- while (InputSize > 0) {
- DES_ecb3_encrypt (
- (const_DES_cblock *) Input,
- (DES_cblock *) Output,
- KeySchedule,
- KeySchedule + 1,
- KeySchedule + 2,
- DES_DECRYPT
- );
- Input += TDES_BLOCK_SIZE;
- Output += TDES_BLOCK_SIZE;
- InputSize -= TDES_BLOCK_SIZE;
- }
-
- return TRUE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- DES_key_schedule *KeySchedule;
- UINT8 IvecBuffer[TDES_BLOCK_SIZE];
-
- //
- // Check input parameters.
- //
- if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
- return FALSE;
- }
-
- if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
- return FALSE;
- }
-
- KeySchedule = (DES_key_schedule *) TdesContext;
- CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
- DES_ede3_cbc_encrypt (
- Input,
- Output,
- (UINT32) InputSize,
- KeySchedule,
- KeySchedule + 1,
- KeySchedule + 2,
- (DES_cblock *) IvecBuffer,
- DES_ENCRYPT
- );
-
- return TRUE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- DES_key_schedule *KeySchedule;
- UINT8 IvecBuffer[TDES_BLOCK_SIZE];
-
- //
- // Check input parameters.
- //
- if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
- return FALSE;
- }
-
- if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
- return FALSE;
- }
-
- KeySchedule = (DES_key_schedule *) TdesContext;
- CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
- DES_ede3_cbc_encrypt (
- Input,
- Output,
- (UINT32) InputSize,
- KeySchedule,
- KeySchedule + 1,
- KeySchedule + 2,
- (DES_cblock *) IvecBuffer,
- DES_DECRYPT
- );
-
- return TRUE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
- TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
- OUT VOID *TdesContext,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f43953b78c..f631f8d879 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note:
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
# certificate handler functions, authenticode signature verification functions,
# PEM handler functions, and pseudorandom number generator functions are not
@@ -45,7 +45,6 @@
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
- Cipher/CryptTdesNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 5abd8e8dfb..c906935d3d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,8 +6,8 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, X.509 certificate handler functions, authenticode
// signature verification functions, PEM handler functions, and pseudorandom number
// generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
index 75a133bd0c..6f7e1971f8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
@@ -1,7 +1,7 @@
/** @file
PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
//
// Add possible block-cipher descriptor for PEM data decryption.
- // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
+ // NOTE: Only support most popular ciphers AES for the encrypted PEM.
//
- if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
- return FALSE;
- }
if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
return FALSE;
}
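Review bot: Dropping `EVP_add_cipher (EVP_des_ede3_cbc ())` means RsaGetPrivateKeyFromPem no longer registers 3DES for PEM decryption, so a password-protected key encrypted with DES-EDE3-CBC will presumably stop loading here. The function header should state that only AES-encrypted PEM is accepted. The reworded comment also reads awkwardly; `NOTE: Only AES is supported for the encrypted PEM.` would be clearer.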
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index f1eb099b67..672e19299c 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -45,7 +45,6 @@
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
- Cipher/CryptTdesNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 5a48d2a308..0a3bb1c04f 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,8 +6,8 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 3a94655775..cc3556ae3f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
+# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -44,7 +44,6 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdfNull.c
Cipher/CryptAes.c
- Cipher/CryptTdesNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 0561f107e8..2e362c635f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,8 +6,8 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
//
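Review bot: the rewritten Note line in this hunk still lists "AES functions" as unsupported, yet SmmCryptLib.inf in this same patch keeps Cipher/CryptAes.c in its sources and its own header note does not mention AES. Since the line is being reworded anyway, drop AES here and in STR_MODULE_DESCRIPTION in the next hunk so the .uni text matches the .inf, or explain why the two descriptions differ.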
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index a205c9005d..04b552f8b7 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -39,7 +39,6 @@
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
- Cipher/CryptTdesNull.c
Pk/CryptRsaBasicNull.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
- TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- Return zero to indicate this interface is not supported.
-
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
- VOID
- )
-{
- ASSERT (FALSE);
- return 0;
-}
-
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
- OUT VOID *TdesContext,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 77915bdb86..43ee4e0841 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1467,220 +1467,6 @@ HmacSha256Final (
// Symmetric Cryptography Primitive
//=====================================================================================
-/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for TDES operations.
- @retval 0 This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
- VOID
- )
-{
- CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
-}
-
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- This function initializes user-supplied memory pointed by TdesContext as TDES context.
- In addition, it sets up all TDES key materials for subsequent encryption and decryption
- operations.
- There are 3 key options as follows:
- KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
- KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
- KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
-
- If TdesContext is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeyLength is not valid, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval TRUE TDES context initialization succeeded.
- @retval FALSE TDES context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
- OUT VOID *TdesContext,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength
- )
-{
- CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
- IN VOID *TdesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
/**
Retrieves the size, in bytes, of the context buffer required for AES operations.
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 22acabef87..4868cfa963 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -247,6 +247,9 @@ extern "C" {
#ifndef OPENSSL_NO_RC4
# define OPENSSL_NO_RC4
#endif
+#ifndef OPENSSL_NO_DES
+# define OPENSSL_NO_DES
+#endif
/*
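Review bot: the added OPENSSL_NO_DES define switches DES off for the whole OpenSSL build, which is wider than the six Tdes* wrappers the commit message describes. The diffstat shows Pem/CryptPem.c is also touched, so please state in the commit message which remaining consumers lose DES/TDES as a side effect of this define, so platform owners know what to retest.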
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dfaefd1c08..d66f1cb03f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -178,25 +178,6 @@
$(OPENSSL_PATH)/crypto/cryptlib.c
$(OPENSSL_PATH)/crypto/ctype.c
$(OPENSSL_PATH)/crypto/cversion.c
- $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
- $(OPENSSL_PATH)/crypto/des/cbc_enc.c
- $(OPENSSL_PATH)/crypto/des/cfb64ede.c
- $(OPENSSL_PATH)/crypto/des/cfb64enc.c
- $(OPENSSL_PATH)/crypto/des/cfb_enc.c
- $(OPENSSL_PATH)/crypto/des/des_enc.c
- $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
- $(OPENSSL_PATH)/crypto/des/ecb_enc.c
- $(OPENSSL_PATH)/crypto/des/fcrypt.c
- $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
- $(OPENSSL_PATH)/crypto/des/ofb64ede.c
- $(OPENSSL_PATH)/crypto/des/ofb64enc.c
- $(OPENSSL_PATH)/crypto/des/ofb_enc.c
- $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
- $(OPENSSL_PATH)/crypto/des/qud_cksm.c
- $(OPENSSL_PATH)/crypto/des/rand_key.c
- $(OPENSSL_PATH)/crypto/des/set_key.c
- $(OPENSSL_PATH)/crypto/des/str2key.c
- $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
$(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
$(OPENSSL_PATH)/crypto/comp/comp_lcl.h
$(OPENSSL_PATH)/crypto/conf/conf_def.h
$(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/des/des_locl.h
- $(OPENSSL_PATH)/crypto/des/spr.h
$(OPENSSL_PATH)/crypto/dh/dh_locl.h
$(OPENSSL_PATH)/crypto/dso/dso_locl.h
$(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 080e1d9305..5788d13cf7 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -178,25 +178,6 @@
$(OPENSSL_PATH)/crypto/cryptlib.c
$(OPENSSL_PATH)/crypto/ctype.c
$(OPENSSL_PATH)/crypto/cversion.c
- $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
- $(OPENSSL_PATH)/crypto/des/cbc_enc.c
- $(OPENSSL_PATH)/crypto/des/cfb64ede.c
- $(OPENSSL_PATH)/crypto/des/cfb64enc.c
- $(OPENSSL_PATH)/crypto/des/cfb_enc.c
- $(OPENSSL_PATH)/crypto/des/des_enc.c
- $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
- $(OPENSSL_PATH)/crypto/des/ecb_enc.c
- $(OPENSSL_PATH)/crypto/des/fcrypt.c
- $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
- $(OPENSSL_PATH)/crypto/des/ofb64ede.c
- $(OPENSSL_PATH)/crypto/des/ofb64enc.c
- $(OPENSSL_PATH)/crypto/des/ofb_enc.c
- $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
- $(OPENSSL_PATH)/crypto/des/qud_cksm.c
- $(OPENSSL_PATH)/crypto/des/rand_key.c
- $(OPENSSL_PATH)/crypto/des/set_key.c
- $(OPENSSL_PATH)/crypto/des/str2key.c
- $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c
$(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
$(OPENSSL_PATH)/crypto/comp/comp_lcl.h
$(OPENSSL_PATH)/crypto/conf/conf_def.h
$(OPENSSL_PATH)/crypto/conf/conf_lcl.h
- $(OPENSSL_PATH)/crypto/des/des_locl.h
- $(OPENSSL_PATH)/crypto/des/spr.h
$(OPENSSL_PATH)/crypto/dh/dh_locl.h
$(OPENSSL_PATH)/crypto/dso/dso_locl.h
$(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index f36c5c1aff..a30660c192 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2396,155 +2396,45 @@ BOOLEAN
//=====================================================================================
/**
- Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
- If this interface is not supported, then return zero.
-
- @return The size, in bytes, of the context buffer required for TDES operations.
- @retval 0 This interface is not supported.
+ TDES is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
UINTN
-(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
VOID
);
-/**
- Initializes user-supplied memory as TDES context for subsequent use.
-
- This function initializes user-supplied memory pointed by TdesContext as TDES context.
- In addition, it sets up all TDES key materials for subsequent encryption and decryption
- operations.
- There are 3 key options as follows:
- KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
- KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
- KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
-
- If TdesContext is NULL, then return FALSE.
- If Key is NULL, then return FALSE.
- If KeyLength is not valid, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] TdesContext Pointer to TDES context being initialized.
- @param[in] Key Pointer to the user-supplied TDES key.
- @param[in] KeyLength Length of TDES key in bits.
-
- @retval TRUE TDES context initialization succeeded.
- @retval FALSE TDES context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
OUT VOID *TdesContext,
IN CONST UINT8 *Key,
IN UINTN KeyLength
);
-/**
- Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
);
-/**
- Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the TDES decryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
);
-/**
- Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES encryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES encryption succeeded.
- @retval FALSE TDES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
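Review bot: "compability" in the comment added above DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE should read "compatibility". That comment is also the only documentation left in this hunk: the Init, EcbEncrypt, EcbDecrypt and CbcEncrypt typedefs lose their doc blocks and get nothing in return. Either repeat a one-line deprecation comment on each typedef or say in the first comment that it covers all of the DEPRECATED_EDKII_CRYPTO_TDES_* types.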
@@ -2552,38 +2442,9 @@ BOOLEAN
OUT UINT8 *Output
);
-/**
- Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
- This function performs TDES decryption on data buffer pointed by Input, of specified
- size of InputSize, in CBC mode.
- InputSize must be multiple of block size (8 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- Initialization vector should be one block size (8 bytes).
- TdesContext should be already correctly initialized by TdesInit(). Behavior with
- invalid TDES context is undefined.
-
- If TdesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (8 bytes), then return FALSE.
- If Ivec is NULL, then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] TdesContext Pointer to the TDES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[in] Ivec Pointer to initialization vector.
- @param[out] Output Pointer to a buffer that receives the TDES encryption output.
-
- @retval TRUE TDES decryption succeeded.
- @retval FALSE TDES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
IN VOID *TdesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
@@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_X509_FREE X509Free;
EDKII_CRYPTO_X509_STACK_FREE X509StackFree;
EDKII_CRYPTO_X509_GET_TBS_CERT X509GetTBSCert;
- /// TDES
- EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE TdesGetContextSize;
- EDKII_CRYPTO_TDES_INIT TdesInit;
- EDKII_CRYPTO_TDES_ECB_ENCRYPT TdesEcbEncrypt;
- EDKII_CRYPTO_TDES_ECB_DECRYPT TdesEcbDecrypt;
- EDKII_CRYPTO_TDES_CBC_ENCRYPT TdesCbcEncrypt;
- EDKII_CRYPTO_TDES_CBC_DECRYPT TdesCbcDecrypt;
+ /// TDES - deprecated and unsupported
+ DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE DeprecatedTdesGetContextSize;
+ DEPRECATED_EDKII_CRYPTO_TDES_INIT DeprecatedTdesInit;
+ DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT DeprecatedTdesEcbEncrypt;
+ DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT DeprecatedTdesEcbDecrypt;
+ DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT DeprecatedTdesCbcEncrypt;
+ DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT DeprecatedTdesCbcDecrypt;
/// AES
EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
EDKII_CRYPTO_AES_INIT AesInit;
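Review bot: renaming the six members to DeprecatedTdes* keeps their order and pointer types, so the structure layout is preserved, but it is a source-level break for any caller that still names TdesInit and the other old fields, and a caller built against the old header now lands on a service that asserts. Please spell that out in the commit message, and consider whether the protocol version reported to consumers should change so they can detect that these slots no longer work.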
--
2.21.0.windows.1
* Re: [edk2-devel] [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
2020-05-06 23:57 ` [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
@ 2020-05-07 7:51 ` Philippe Mathieu-Daudé
2020-05-08 14:42 ` Wang, Jian J
1 sibling, 0 replies; 23+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-05-07 7:51 UTC (permalink / raw)
To: devel, zhichao.gao
Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Tdes is not secure any longer.
Please write acronyms in caps: TDES.
> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 181 +--------
> CryptoPkg/Include/Library/BaseCryptLib.h | 196 ----------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------------------
> .../BaseCryptLib/Cipher/CryptTdesNull.c | 160 --------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
> CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 --------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 214 ----------
> .../Library/Include/openssl/opensslconf.h | 3 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 21 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 21 -
> CryptoPkg/Private/Protocol/Crypto.h | 169 +-------
> 19 files changed, 53 insertions(+), 1472 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
* Re: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
2020-05-06 23:57 ` [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
2020-05-07 7:51 ` [edk2-devel] " Philippe Mathieu-Daudé
@ 2020-05-08 14:42 ` Wang, Jian J
1 sibling, 0 replies; 23+ messages in thread
From: Wang, Jian J @ 2020-05-08 14:42 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Zhichao,
Similar comments, please refer to them in my review email for patch 3.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Tdes is not secure any longer.
> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 181 +--------
> CryptoPkg/Include/Library/BaseCryptLib.h | 196 ----------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------------------
> .../BaseCryptLib/Cipher/CryptTdesNull.c | 160 --------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
> CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 --------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 214 ----------
> .../Library/Include/openssl/opensslconf.h | 3 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 21 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 21 -
> CryptoPkg/Private/Protocol/Crypto.h | 169 +-------
> 19 files changed, 53 insertions(+), 1472 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 388a6e4b4b..a4106aae0b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> + TDES is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> UINTN
> EFIAPI
> -CryptoServiceTdesGetContextSize (
> +DeprecatedCryptoServiceTdesGetContextSize (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize,
> TdesGetContextSize, (), 0);
> + return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0;
> }
>
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesInit (
> +DeprecatedCryptoServiceTdesInit (
> OUT VOID *TdesContext,
> IN CONST UINT8 *Key,
> IN UINTN KeyLength
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key,
> KeyLength), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;
> }
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesEcbEncrypt (
> +DeprecatedCryptoServiceTdesEcbEncrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE;
> }
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesEcbDecrypt (
> +DeprecatedCryptoServiceTdesEcbDecrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE;
> }
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesCbcEncrypt (
> +DeprecatedCryptoServiceTdesCbcEncrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
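
Review bot: Only DeprecatedCryptoServiceTdesGetContextSize gets the new two-line header in this hunk; the comment blocks removed above DeprecatedCryptoServiceTdesInit, DeprecatedCryptoServiceTdesEcbEncrypt, DeprecatedCryptoServiceTdesEcbDecrypt and DeprecatedCryptoServiceTdesCbcEncrypt are not replaced, so those stubs end up with no documentation at all. Please repeat the short header on each stub and state the fixed return value (FALSE, or 0 for the size query). While there, "compability" in the new comment should read "compatibility".
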
> @@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;
> }
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesCbcDecrypt (
> +DeprecatedCryptoServiceTdesCbcDecrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
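
Review bot: The DeprecatedCryptoServiceTdesCbcEncrypt stub returns FALSE without ever writing Output, and in builds where DEBUG and ASSERT are compiled out that return value is the only signal the caller receives. A caller that ignores it would carry on with whatever was already in the Output buffer. Please add a header comment on this stub (and on DeprecatedCryptoServiceTdesCbcDecrypt, whose comment block is also dropped here) saying that the function always returns FALSE, leaves Output untouched, and that the return value must be checked.
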
> @@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE;
> }
>
> /**
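
Review bot: The service name passed to BaseCryptLibServciceDeprecated is a hand-typed string literal here ("TdesCbcDecrypt"), as it is in the five stubs before it, so a copy-and-paste slip would log the wrong service and nothing would catch it. The removed CALL_BASECRYPTLIB line took the function as a token; a small wrapper macro that stringizes the name once would keep each stub and its debug message in sync.
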
> @@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> CryptoServiceX509Free,
> CryptoServiceX509StackFree,
> CryptoServiceX509GetTBSCert,
> - /// TDES
> - CryptoServiceTdesGetContextSize,
> - CryptoServiceTdesInit,
> - CryptoServiceTdesEcbEncrypt,
> - CryptoServiceTdesEcbDecrypt,
> - CryptoServiceTdesCbcEncrypt,
> - CryptoServiceTdesCbcDecrypt,
> + /// TDES - deprecated and unsupported
> + DeprecatedCryptoServiceTdesGetContextSize,
> + DeprecatedCryptoServiceTdesInit,
> + DeprecatedCryptoServiceTdesEcbEncrypt,
> + DeprecatedCryptoServiceTdesEcbDecrypt,
> + DeprecatedCryptoServiceTdesCbcEncrypt,
> + DeprecatedCryptoServiceTdesCbcDecrypt,
> /// AES
> CryptoServiceAesGetContextSize,
> CryptoServiceAesInit,
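
Review bot: mEdkiiCrypto is initialized positionally, so the six Deprecated entries only preserve the layout if they stay in exactly this order and count; the new "/// TDES - deprecated and unsupported" comment does not say that. Suggest extending it to state that these slots are placeholders kept for binary compatibility and must not be removed or reordered, so a later cleanup does not shift the AES entries that follow.
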
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 25e236c4a3..621bcfd1c4 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1278,202 +1278,6 @@ HmacSha256Final (
> // Symmetric Cryptography Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - );
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - );
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - );
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for AES operations.
>
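
Review bot: This hunk removes only the six prototypes, and its 196 deleted lines account for every deletion the diffstat lists for BaseCryptLib.h, so any TDES constant defined in this header survives the patch. The deleted CryptTdes.c uses TDES_BLOCK_SIZE; if that macro is defined in this header, please remove it in the same patch so the public header no longer advertises TDES.
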
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index da38ea552f..2de8e9c346 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -39,7 +39,6 @@
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> - Cipher/CryptTdes.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExt.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> deleted file mode 100644
> index fd799f3398..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> +++ /dev/null
> @@ -1,364 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/des.h>
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - //
> - // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3
> each.
> - //
> - return (UINTN) (3 * sizeof (DES_key_schedule));
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength !=
> 128 && KeyLength != 192)) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - //
> - // If input Key is a weak key, return error.
> - //
> - if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
> -
> - if (KeyLength == 64) {
> - CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
> - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> - return TRUE;
> - }
> -
> - if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
> -
> - if (KeyLength == 128) {
> - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> - return TRUE;
> - }
> -
> - if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - while (InputSize > 0) {
> - DES_ecb3_encrypt (
> - (const_DES_cblock *) Input,
> - (DES_cblock *) Output,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - DES_ENCRYPT
> - );
> - Input += TDES_BLOCK_SIZE;
> - Output += TDES_BLOCK_SIZE;
> - InputSize -= TDES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - while (InputSize > 0) {
> - DES_ecb3_encrypt (
> - (const_DES_cblock *) Input,
> - (DES_cblock *) Output,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - DES_DECRYPT
> - );
> - Input += TDES_BLOCK_SIZE;
> - Output += TDES_BLOCK_SIZE;
> - InputSize -= TDES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> - UINT8 IvecBuffer[TDES_BLOCK_SIZE];
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> - return FALSE;
> - }
> -
> - if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> - DES_ede3_cbc_encrypt (
> - Input,
> - Output,
> - (UINT32) InputSize,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - (DES_cblock *) IvecBuffer,
> - DES_ENCRYPT
> - );
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> - UINT8 IvecBuffer[TDES_BLOCK_SIZE];
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> - return FALSE;
> - }
> -
> - if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> - DES_ede3_cbc_encrypt (
> - Input,
> - Output,
> - (UINT32) InputSize,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - (DES_cblock *) IvecBuffer,
> - DES_DECRYPT
> - );
> -
> - return TRUE;
> -}
> -
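
Review bot: The commit message gives "Tdes is not secure any longer" as the whole rationale, while the TdesInit deleted in this file documents concrete reasons worth recording: it accepts KeyLength 64 (K1 == K2 == K3, described as backward compatibility with DES) and KeyLength 128 (marked "Less Security"), and the file also exposes ECB entry points. Suggest naming these in the commit message and pointing consumers at the AES services, which stay in the protocol table and in BaseCryptLib.inf, so callers know what to migrate to.
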
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index f43953b78c..f631f8d879 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note:
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -45,7 +45,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 5abd8e8dfb..c906935d3d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
> // generator functions are not supported in this instance.
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> index 75a133bd0c..6f7e1971f8 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> @@ -1,7 +1,7 @@
> /** @file
> PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over
> OpenSSL.
>
> -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
>
> //
> // Add possible block-cipher descriptor for PEM data decryption.
> - // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
> + // NOTE: Only support most popular ciphers AES for the encrypted PEM.
> //
> - if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
> - return FALSE;
> - }
> if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
> return FALSE;
> }
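Review bot: Dropping the EVP_add_cipher (EVP_des_ede3_cbc ()) registration in RsaGetPrivateKeyFromPem is a behaviour change for callers, not just a cleanup: a password-protected PEM key encrypted with 3DES will no longer decrypt through this function. Please say so in the function header or the commit message so platform owners know to re-encrypt such keys with AES. The reworded comment also reads awkwardly ("Only support most popular ciphers AES"); something like "NOTE: Only AES is supported for the encrypted PEM." would be clearer.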
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index f1eb099b67..672e19299c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -45,7 +45,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index 5a48d2a308..0a3bb1c04f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 3a94655775..cc3556ae3f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
> +# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -44,7 +44,6 @@
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 0561f107e8..2e362c635f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
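Review bot: The rewritten note still lists "AES functions" as not supported in the SMM instance, but SmmCryptLib.inf in this same patch builds Cipher/CryptAes.c rather than CryptAesNull.c, and its header note does not mention AES at all. Since these lines are being touched anyway, drop "AES" from the list here and in STR_MODULE_DESCRIPTION in the next hunk so the .uni text matches the .inf.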
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index a205c9005d..04b552f8b7 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -39,7 +39,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasicNull.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 77915bdb86..43ee4e0841 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1467,220 +1467,6 @@ HmacSha256Final (
> // Symmetric Cryptography Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for AES operations.
>
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 22acabef87..4868cfa963 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -247,6 +247,9 @@ extern "C" {
> #ifndef OPENSSL_NO_RC4
> # define OPENSSL_NO_RC4
> #endif
> +#ifndef OPENSSL_NO_DES
> +# define OPENSSL_NO_DES
> +#endif
>
>
> /*
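Review bot: Defining OPENSSL_NO_DES here, together with removing the crypto/des sources from OpensslLib.inf and OpensslLibCrypto.inf, takes DES and 3DES away from every module that links OpensslLib, which is wider than retiring the BaseCryptLib Tdes* wrappers. Please state that scope in the commit message so reviewers of other OpenSSL consumers in the tree know to check for remaining DES dependencies.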
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index dfaefd1c08..d66f1cb03f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -178,25 +178,6 @@
> $(OPENSSL_PATH)/crypto/cryptlib.c
> $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> - $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> - $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> - $(OPENSSL_PATH)/crypto/des/des_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> - $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> - $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> - $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> - $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/set_key.c
> - $(OPENSSL_PATH)/crypto/des/str2key.c
> - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
> $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
> $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
> $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
> $(OPENSSL_PATH)/crypto/conf/conf_def.h
> $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> - $(OPENSSL_PATH)/crypto/des/des_locl.h
> - $(OPENSSL_PATH)/crypto/des/spr.h
> $(OPENSSL_PATH)/crypto/dh/dh_locl.h
> $(OPENSSL_PATH)/crypto/dso/dso_locl.h
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 080e1d9305..5788d13cf7 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -178,25 +178,6 @@
> $(OPENSSL_PATH)/crypto/cryptlib.c
> $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> - $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> - $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> - $(OPENSSL_PATH)/crypto/des/des_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> - $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> - $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> - $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> - $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/set_key.c
> - $(OPENSSL_PATH)/crypto/des/str2key.c
> - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
> $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
> $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
> $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
> $(OPENSSL_PATH)/crypto/conf/conf_def.h
> $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> - $(OPENSSL_PATH)/crypto/des/des_locl.h
> - $(OPENSSL_PATH)/crypto/des/spr.h
> $(OPENSSL_PATH)/crypto/dh/dh_locl.h
> $(OPENSSL_PATH)/crypto/dso/dso_locl.h
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index f36c5c1aff..a30660c192 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2396,155 +2396,45 @@ BOOLEAN
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> + TDES is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> UINTN
> -(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
> VOID
> );
>
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
> OUT VOID *TdesContext,
> IN CONST UINT8 *Key,
> IN UINTN KeyLength
> );
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
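Review bot: "compability" in the one comment this hunk keeps should read "compatibility", and that comment now sits only above DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE, while the Init, EcbEncrypt, EcbDecrypt and CbcEncrypt typedefs below it lose their headers entirely. A one-line comment on each typedef, or a single block comment stated to cover the whole TDES group, would tell a reader of the header that every one of these slots is a retained placeholder.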
> @@ -2552,38 +2442,9 @@ BOOLEAN
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_X509_FREE X509Free;
> EDKII_CRYPTO_X509_STACK_FREE X509StackFree;
> EDKII_CRYPTO_X509_GET_TBS_CERT X509GetTBSCert;
> - /// TDES
> - EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE TdesGetContextSize;
> - EDKII_CRYPTO_TDES_INIT TdesInit;
> - EDKII_CRYPTO_TDES_ECB_ENCRYPT TdesEcbEncrypt;
> - EDKII_CRYPTO_TDES_ECB_DECRYPT TdesEcbDecrypt;
> - EDKII_CRYPTO_TDES_CBC_ENCRYPT TdesCbcEncrypt;
> - EDKII_CRYPTO_TDES_CBC_DECRYPT TdesCbcDecrypt;
> + /// TDES - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE
> DeprecatedTdesGetContextSize;
> + DEPRECATED_EDKII_CRYPTO_TDES_INIT DeprecatedTdesInit;
> + DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT
> DeprecatedTdesEcbEncrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
> /// AES
> EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
> EDKII_CRYPTO_AES_INIT AesInit;
> --
> 2.21.0.windows.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (3 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-08 14:50 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
` (3 subsequent siblings)
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Aes Ecb mode is not secure any longer.
Remove the Aes Ecb mode support from edk2.
Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/CryptoPkg.dsc | 45 +++----
CryptoPkg/Driver/Crypto.c | 65 ++--------
.../Library/BaseCryptLib/Cipher/CryptAes.c | 114 ------------------
.../BaseCryptLib/Cipher/CryptAesNull.c | 52 --------
.../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 --------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 76 ------------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 -
.../Library/OpensslLib/OpensslLibCrypto.inf | 1 -
CryptoPkg/Private/Protocol/Crypto.h | 61 ++--------
9 files changed, 40 insertions(+), 427 deletions(-)
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 6ed7046563..1f68cc633b 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,27 +137,30 @@
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
!endif
!if $(CRYPTO_SERVICES) == MIN_PEI
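Review bot: Tdes.Family and Arc4.Family are still set to PCD_CRYPTO_SERVICE_ENABLE_FAMILY in the re-added block, although the Crypto.c context in this same patch shows the TDES and Arc4 protocol slots already turned into Deprecated stubs. If those bits no longer gate anything, they should be dropped in the patch that retires each algorithm, the way Aes.Family is narrowed here to GetContextSize, Init, CbcEncrypt and CbcDecrypt. Separately, the remaining lines appear to be removed and re-added unchanged apart from whitespace, which buries the real AES change; keeping the original alignment would reduce this hunk to one removed line and four added ones.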
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index a4106aae0b..341df3b814 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
}
/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval TRUE AES encryption succeeded.
- @retval FALSE AES encryption failed.
- @retval FALSE This interface is not supported.
+ AES ECB Mode is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
BOOLEAN
EFIAPI
-CryptoServiceAesEcbEncrypt (
+DeprecatedCryptoServiceAesEcbEncrypt (
IN VOID *AesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;
}
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval TRUE AES decryption succeeded.
- @retval FALSE AES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceAesEcbDecrypt (
+DeprecatedCryptoServiceAesEcbDecrypt (
IN VOID *AesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
)
{
- return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
+ return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE;
}
/**
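Review bot: In both stubs the caller's Output buffer is never written and the FALSE return is the only signal left once debug output and asserts are compiled out, because BaseCryptLibServciceDeprecated() consists only of a DEBUG print and ASSERT_EFI_ERROR. The function header should say that explicitly (an "@retval FALSE This interface is not supported." line, as the removed comments had), and DeprecatedCryptoServiceAesEcbDecrypt needs the same header since its comment is removed with no replacement. "compability" in the new comment should be "compatibility".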
@@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
DeprecatedCryptoServiceTdesEcbDecrypt,
DeprecatedCryptoServiceTdesCbcEncrypt,
DeprecatedCryptoServiceTdesCbcDecrypt,
- /// AES
+ /// AES - ECB mode is deprecated and unsupported
CryptoServiceAesGetContextSize,
CryptoServiceAesInit,
- CryptoServiceAesEcbEncrypt,
- CryptoServiceAesEcbDecrypt,
+ DeprecatedCryptoServiceAesEcbEncrypt,
+ DeprecatedCryptoServiceAesEcbDecrypt,
CryptoServiceAesCbcEncrypt,
CryptoServiceAesCbcDecrypt,
/// Arc4 - deprecated and unsupported
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
index 2515b34bb8..914cffb211 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
@@ -78,120 +78,6 @@ AesInit (
return TRUE;
}
-/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval TRUE AES encryption succeeded.
- @retval FALSE AES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- AES_KEY *AesKey;
-
- //
- // Check input parameters.
- //
- if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
- return FALSE;
- }
-
- AesKey = (AES_KEY *) AesContext;
-
- //
- // Perform AES data encryption with ECB mode (block-by-block)
- //
- while (InputSize > 0) {
- AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
- Input += AES_BLOCK_SIZE;
- Output += AES_BLOCK_SIZE;
- InputSize -= AES_BLOCK_SIZE;
- }
-
- return TRUE;
-}
-
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval TRUE AES decryption succeeded.
- @retval FALSE AES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- AES_KEY *AesKey;
-
- //
- // Check input parameters.
- //
- if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
- return FALSE;
- }
-
- AesKey = (AES_KEY *) AesContext;
-
- //
- // Perform AES data decryption with ECB mode (block-by-block)
- //
- while (InputSize > 0) {
- AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
- Input += AES_BLOCK_SIZE;
- Output += AES_BLOCK_SIZE;
- InputSize -= AES_BLOCK_SIZE;
- }
-
- return TRUE;
-}
-
/**
Performs AES encryption on a data buffer of the specified size in CBC mode.
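Review bot: AesEcbEncrypt() and AesEcbDecrypt() are deleted from the library here, but the diffstat for this patch lists no change to the public BaseCryptLib header. If the prototypes stay declared, a caller outside CryptoPkg still compiles and only fails at link time; removing the declarations in the same patch gives a clear compile error instead.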
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
return FALSE;
}
-/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
/**
Performs AES encryption on a data buffer of the specified size in CBC mode.
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
return FALSE;
}
-/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
/**
Performs AES encryption on a data buffer of the specified size in CBC mode.
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 43ee4e0841..c937f8540d 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1518,82 +1518,6 @@ AesInit (
CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
}
-/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval TRUE AES encryption succeeded.
- @retval FALSE AES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval TRUE AES decryption succeeded.
- @retval FALSE AES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- )
-{
- CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
/**
Performs AES encryption on a data buffer of the specified size in CBC mode.
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d66f1cb03f..c8ec9454bd 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -29,7 +29,6 @@
$(OPENSSL_PATH)/crypto/aes/aes_cbc.c
$(OPENSSL_PATH)/crypto/aes/aes_cfb.c
$(OPENSSL_PATH)/crypto/aes/aes_core.c
- $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
$(OPENSSL_PATH)/crypto/aes/aes_ige.c
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
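Review bot: aes_ecb.c is dropped from the source list by hand, and the diffstat shows no matching change to OpensslLib/process_files.pl, which the reply in this thread names as the script that updates the OpensslLib INF files. Without the script change the entry is likely to come back the next time the list is regenerated, so the exclusion belongs in process_files.pl, with both .inf edits produced from it.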
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 5788d13cf7..2f232e3e12 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -29,7 +29,6 @@
$(OPENSSL_PATH)/crypto/aes/aes_cbc.c
$(OPENSSL_PATH)/crypto/aes/aes_cfb.c
$(OPENSSL_PATH)/crypto/aes/aes_core.c
- $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
$(OPENSSL_PATH)/crypto/aes/aes_ige.c
$(OPENSSL_PATH)/crypto/aes/aes_misc.c
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index a30660c192..e76ff623a5 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2498,69 +2498,22 @@ BOOLEAN
);
/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval TRUE AES encryption succeeded.
- @retval FALSE AES encryption failed.
- @retval FALSE This interface is not supported.
+ AES ECB Mode is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
IN VOID *AesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
OUT UINT8 *Output
);
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval TRUE AES decryption succeeded.
- @retval FALSE AES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
IN VOID *AesContext,
IN CONST UINT8 *Input,
IN UINTN InputSize,
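Review bot: the decrypt typedef loses its whole header comment here while the encrypt typedef gets the two-line deprecation notice, so DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT ends up undocumented; repeat the notice above it. The notice itself should read "binary compatibility" (it says "compability"), and "deprecated and no longer supported" reads better than "deprecated and unsupported any longer".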
@@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT DeprecatedTdesEcbDecrypt;
DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT DeprecatedTdesCbcEncrypt;
DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT DeprecatedTdesCbcDecrypt;
- /// AES
+ /// AES - ECB Mode is deprecated and unsupported
EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
EDKII_CRYPTO_AES_INIT AesInit;
- EDKII_CRYPTO_AES_ECB_ENCRYPT AesEcbEncrypt;
- EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt;
+ DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT DeprecatedAesEcbEncrypt;
+ DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT DeprecatedAesEcbDecrypt;
EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt;
EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt;
/// Arc4 - deprecated and unsupported
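Review bot: DeprecatedAesEcbEncrypt and DeprecatedAesEcbDecrypt stay in the same two slots between AesInit and AesCbcEncrypt, which is what keeps the member offsets stable for already-built consumers, but nothing in the struct says so. A short comment that deprecated members must not be removed or reordered would protect the layout against a later cleanup. The rename also breaks source compatibility for any code that still names the AesEcbEncrypt or AesEcbDecrypt member, which is worth stating in the commit message.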
--
2.21.0.windows.1
* Re: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
2020-05-06 23:57 ` [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
@ 2020-05-08 14:50 ` Wang, Jian J
0 siblings, 0 replies; 23+ messages in thread
From: Wang, Jian J @ 2020-05-08 14:50 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Zhichao,
Similar to patch 3, please update OpensslLib/process_files.pl to update OpensslLibXxx.inf
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode
> algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Aes Ecb mode is not secure any longer.
> Remove the Aes Ecb mode support from edk2.
> Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate
> the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/CryptoPkg.dsc | 45 +++----
> CryptoPkg/Driver/Crypto.c | 65 ++--------
> .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 ------------------
> .../BaseCryptLib/Cipher/CryptAesNull.c | 52 --------
> .../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 --------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 76 ------------
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 1 -
> CryptoPkg/Private/Protocol/Crypto.h | 61 ++--------
> 9 files changed, 40 insertions(+), 427 deletions(-)
>
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 6ed7046563..1f68cc633b 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,27 +137,30 @@
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
>
> !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetC
> ontextSize | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init
> | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcE
> ncrypt | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cbc
> Decrypt | TRUE
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> !endif
>
> !if $(CRYPTO_SERVICES) == MIN_PEI
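Review bot: every PcdCryptoServiceFamilyEnable line in the PACKAGE ALL block is removed and re-added only to realign the "|" column, which hides the one functional change: Aes.Family replaced by the four Aes.Services entries (GetContextSize, Init, CbcEncrypt, CbcDecrypt). Keep the existing alignment, or move the realignment into a separate whitespace-only patch. Tdes.Family and Arc4.Family are also still enabled here although the protocol header in this same patch already lists those members as deprecated; if those enables no longer gate anything, they can be dropped too.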
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index a4106aae0b..341df3b814 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
> }
>
> /**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> + AES ECB Mode is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> BOOLEAN
> EFIAPI
> -CryptoServiceAesEcbEncrypt (
> +DeprecatedCryptoServiceAesEcbEncrypt (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;
> }
>
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceAesEcbDecrypt (
> +DeprecatedCryptoServiceAesEcbDecrypt (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE;
> }
>
> /**
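Review bot: the new two-line header on DeprecatedCryptoServiceAesEcbEncrypt drops the @param and @retval lines, and DeprecatedCryptoServiceAesEcbDecrypt is left with no header at all, so nothing documents that both stubs now always return FALSE and never write Output. Keep a short header on each that retains "@retval FALSE This interface is not supported." Splitting "return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;" into the call followed by "return FALSE;" would also read more clearly than the comma expression.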
> @@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> DeprecatedCryptoServiceTdesEcbDecrypt,
> DeprecatedCryptoServiceTdesCbcEncrypt,
> DeprecatedCryptoServiceTdesCbcDecrypt,
> - /// AES
> + /// AES - ECB mode is deprecated and unsupported
> CryptoServiceAesGetContextSize,
> CryptoServiceAesInit,
> - CryptoServiceAesEcbEncrypt,
> - CryptoServiceAesEcbDecrypt,
> + DeprecatedCryptoServiceAesEcbEncrypt,
> + DeprecatedCryptoServiceAesEcbDecrypt,
> CryptoServiceAesCbcEncrypt,
> CryptoServiceAesCbcDecrypt,
> /// Arc4 - deprecated and unsupported
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> index 2515b34bb8..914cffb211 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> @@ -78,120 +78,6 @@ AesInit (
> return TRUE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - AES_KEY *AesKey;
> -
> - //
> - // Check input parameters.
> - //
> - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> - return FALSE;
> - }
> -
> - AesKey = (AES_KEY *) AesContext;
> -
> - //
> - // Perform AES data encryption with ECB mode (block-by-block)
> - //
> - while (InputSize > 0) {
> - AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
> - Input += AES_BLOCK_SIZE;
> - Output += AES_BLOCK_SIZE;
> - InputSize -= AES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - AES_KEY *AesKey;
> -
> - //
> - // Check input parameters.
> - //
> - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> - return FALSE;
> - }
> -
> - AesKey = (AES_KEY *) AesContext;
> -
> - //
> - // Perform AES data decryption with ECB mode (block-by-block)
> - //
> - while (InputSize > 0) {
> - AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
> - Input += AES_BLOCK_SIZE;
> - Output += AES_BLOCK_SIZE;
> - InputSize -= AES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
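Review bot: AesEcbEncrypt() and AesEcbDecrypt() are deleted from the library here, but the diffstat for this patch lists no change to CryptoPkg/Include/Library/BaseCryptLib.h. If their prototypes are declared in that header, which patch 6/8 does touch for HMAC MD5, they should be removed in this patch as well, so that a remaining caller fails at compile time with a clear error instead of at link time.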
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
> return FALSE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
> return FALSE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 43ee4e0841..c937f8540d 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1518,82 +1518,6 @@ AesInit (
> CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d66f1cb03f..c8ec9454bd 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -29,7 +29,6 @@
> $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
> $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
> $(OPENSSL_PATH)/crypto/aes/aes_core.c
> - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
> $(OPENSSL_PATH)/crypto/aes/aes_ige.c
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 5788d13cf7..2f232e3e12 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -29,7 +29,6 @@
> $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
> $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
> $(OPENSSL_PATH)/crypto/aes/aes_core.c
> - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
> $(OPENSSL_PATH)/crypto/aes/aes_ige.c
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index a30660c192..e76ff623a5 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2498,69 +2498,22 @@ BOOLEAN
> );
>
> /**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> + AES ECB Mode is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
> DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
> DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
> DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
> - /// AES
> + /// AES - ECB Mode is deprecated and unsupported
> EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
> EDKII_CRYPTO_AES_INIT AesInit;
> - EDKII_CRYPTO_AES_ECB_ENCRYPT AesEcbEncrypt;
> - EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt;
> + DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT
> DeprecatedAesEcbEncrypt;
> + DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT
> DeprecatedAesEcbDecrypt;
> EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt;
> EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt;
> /// Arc4 - deprecated and unsupported
> --
> 2.21.0.windows.1
* [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (4 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-08 15:03 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
` (2 subsequent siblings)
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
HMAC MD5 is not secure any longer.
Remove the HMAC MD5 support from edk2.
Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/CryptoPkg.dsc | 1 -
CryptoPkg/Driver/Crypto.c | 128 ++---------
CryptoPkg/Include/Library/BaseCryptLib.h | 203 ----------------
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
.../Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 216 ------------------
.../BaseCryptLib/Hmac/CryptHmacMd5Null.c | 139 -----------
.../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
.../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
.../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
.../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
.../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
.../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 139 -----------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 151 ------------
CryptoPkg/Private/Protocol/Crypto.h | 117 ++--------
16 files changed, 45 insertions(+), 1072 deletions(-)
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 1f68cc633b..9ddf73f9fa 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 341df3b814..dfde1cc005 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1105,154 +1105,68 @@ CryptoServiceSm3HashAll (
//=====================================================================================
/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacMd5New() returns NULL.
- @retval NULL This interface is not supported.
+ HMAC MD5 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
VOID *
EFIAPI
-CryptoServiceHmacMd5New (
+DeprecatedCryptoServiceHmacMd5New (
VOID
)
{
- return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (), NULL);
+ return BaseCryptLibServciceDeprecated ("HmacMd5New"), NULL;
}
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
VOID
EFIAPI
-CryptoServiceHmacMd5Free (
+DeprecatedCryptoServiceHmacMd5Free (
IN VOID *HmacMd5Ctx
)
{
- CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free, (HmacMd5Ctx));
+ BaseCryptLibServciceDeprecated ("HmacMd5Free");
}
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE Key is set successfully.
- @retval FALSE Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacMd5SetKey (
+DeprecatedCryptoServiceHmacMd5SetKey (
OUT VOID *HmacMd5Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
)
{
- return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacMd5SetKey"), FALSE;
}
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- If HmacMd5Context is NULL, then return FALSE.
- If NewHmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval TRUE HMAC-MD5 context copy succeeded.
- @retval FALSE HMAC-MD5 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacMd5Duplicate (
+DeprecatedCryptoServiceHmacMd5Duplicate (
IN CONST VOID *HmacMd5Context,
OUT VOID *NewHmacMd5Context
)
{
- return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate, HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacMd5Duplicate"), FALSE;
}
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- This function performs HMAC-MD5 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-MD5 data digest succeeded.
- @retval FALSE HMAC-MD5 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacMd5Update (
+DeprecatedCryptoServiceHmacMd5Update (
IN OUT VOID *HmacMd5Context,
IN CONST VOID *Data,
IN UINTN DataSize
)
{
- return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacMd5Update"), FALSE;
}
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- This function completes HMAC-MD5 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-MD5 context cannot
- be used again.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval TRUE HMAC-MD5 digest computation succeeded.
- @retval FALSE HMAC-MD5 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacMd5Final (
+DeprecatedCryptoServiceHmacMd5Final (
IN OUT VOID *HmacMd5Context,
OUT UINT8 *HmacValue
)
{
- return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacMd5Final"), FALSE;
}
/**
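Review bot: the five stubs after DeprecatedCryptoServiceHmacMd5New (Free, SetKey, Duplicate, Update, Final) are left with no function header at all, and the one remaining header misspells "compatibility" as "compability". Either repeat the short header on each stub or reword the first one to say that it covers all six HMAC-MD5 entries. The "return BaseCryptLibServciceDeprecated (...), NULL;" comma expression also hides the side effect inside the return statement; a separate call followed by a plain return reads more clearly.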
@@ -4051,13 +3965,13 @@ CryptoServiceTlsGetCertRevocationList (
const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
/// Version
CryptoServiceGetCryptoVersion,
- /// HMAC MD5
- CryptoServiceHmacMd5New,
- CryptoServiceHmacMd5Free,
- CryptoServiceHmacMd5SetKey,
- CryptoServiceHmacMd5Duplicate,
- CryptoServiceHmacMd5Update,
- CryptoServiceHmacMd5Final,
+ /// HMAC MD5 - deprecated and unsupported
+ DeprecatedCryptoServiceHmacMd5New,
+ DeprecatedCryptoServiceHmacMd5Free,
+ DeprecatedCryptoServiceHmacMd5SetKey,
+ DeprecatedCryptoServiceHmacMd5Duplicate,
+ DeprecatedCryptoServiceHmacMd5Update,
+ DeprecatedCryptoServiceHmacMd5Final,
/// HMAC SHA1
CryptoServiceHmacSha1New,
CryptoServiceHmacSha1Free,
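Review bot: the "/// HMAC MD5 - deprecated and unsupported" comment in mEdkiiCrypto does not say why the six entries are still present. The stubs exist only to keep the members that follow at their old positions, so say that here (for example "slots kept so later members keep their offsets; do not remove or reorder") so that a later cleanup does not delete them.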
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 621bcfd1c4..b99401661c 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacMd5New() returns NULL.
- @retval NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
- VOID
- );
-
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
- IN VOID *HmacMd5Ctx
- );
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE Key is set successfully.
- @retval FALSE Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
- OUT VOID *HmacMd5Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- );
-
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- If HmacMd5Context is NULL, then return FALSE.
- If NewHmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval TRUE HMAC-MD5 context copy succeeded.
- @retval FALSE HMAC-MD5 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
- IN CONST VOID *HmacMd5Context,
- OUT VOID *NewHmacMd5Context
- );
-
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- This function performs HMAC-MD5 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-MD5 data digest succeeded.
- @retval FALSE HMAC-MD5 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
- IN OUT VOID *HmacMd5Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- This function completes HMAC-MD5 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-MD5 context cannot
- be used again.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval TRUE HMAC-MD5 digest computation succeeded.
- @retval FALSE HMAC-MD5 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
- IN OUT VOID *HmacMd5Context,
- OUT UINT8 *HmacValue
- );
-
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -1323,76 +1190,6 @@ AesInit (
IN UINTN KeyLength
);
-/**
- Performs AES encryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES encryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be encrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES encryption output.
-
- @retval TRUE AES encryption succeeded.
- @retval FALSE AES encryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
-/**
- Performs AES decryption on a data buffer of the specified size in ECB mode.
-
- This function performs AES decryption on data buffer pointed by Input, of specified
- size of InputSize, in ECB mode.
- InputSize must be multiple of block size (16 bytes). This function does not perform
- padding. Caller must perform padding, if necessary, to ensure valid input data size.
- AesContext should be already correctly initialized by AesInit(). Behavior with
- invalid AES context is undefined.
-
- If AesContext is NULL, then return FALSE.
- If Input is NULL, then return FALSE.
- If InputSize is not multiple of block size (16 bytes), then return FALSE.
- If Output is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] AesContext Pointer to the AES context.
- @param[in] Input Pointer to the buffer containing the data to be decrypted.
- @param[in] InputSize Size of the Input buffer in bytes.
- @param[out] Output Pointer to a buffer that receives the AES decryption output.
-
- @retval TRUE AES decryption succeeded.
- @retval FALSE AES decryption failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
- IN VOID *AesContext,
- IN CONST UINT8 *Input,
- IN UINTN InputSize,
- OUT UINT8 *Output
- );
-
/**
Performs AES encryption on a data buffer of the specified size in CBC mode.
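Review bot: this hunk drops the AesEcbEncrypt() and AesEcbDecrypt() declarations, while every other change in this diff (the .dsc entry, the Crypto.c stubs, the deleted CryptHmacMd5*.c files, the .inf/.uni notes) concerns HMAC-MD5 only. If AES-ECB is retired by a different patch in the series, move this hunk there so that each commit builds and bisects on its own; if it is meant to be here, the commit message should say so.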
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 2de8e9c346..33d7c13bff 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
Hash/CryptSha256.c
Hash/CryptSha512.c
Hash/CryptSm3.c
- Hmac/CryptHmacMd5.c
Hmac/CryptHmacSha1.c
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
deleted file mode 100644
index da46ce09f4..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
- HMAC-MD5 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacMd5New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
- VOID
- )
-{
- //
- // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
- //
- return (VOID *) HMAC_CTX_new ();
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
- IN VOID *HmacMd5Ctx
- )
-{
- //
- // Free OpenSSL HMAC_CTX Context
- //
- HMAC_CTX_free ((HMAC_CTX *)HmacMd5Ctx);
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- If HmacMd5Context is NULL, then return FALSE.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE Key is set successfully.
- @retval FALSE Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
- OUT VOID *HmacMd5Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- //
- // Check input parameters.
- //
- if (HmacMd5Context == NULL || KeySize > INT_MAX) {
- return FALSE;
- }
-
- if (HMAC_Init_ex ((HMAC_CTX *)HmacMd5Context, Key, (UINT32) KeySize, EVP_md5(), NULL) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- If HmacMd5Context is NULL, then return FALSE.
- If NewHmacMd5Context is NULL, then return FALSE.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval TRUE HMAC-MD5 context copy succeeded.
- @retval FALSE HMAC-MD5 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
- IN CONST VOID *HmacMd5Context,
- OUT VOID *NewHmacMd5Context
- )
-{
- //
- // Check input parameters.
- //
- if (HmacMd5Context == NULL || NewHmacMd5Context == NULL) {
- return FALSE;
- }
-
- if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacMd5Context, (HMAC_CTX *)HmacMd5Context) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- This function performs HMAC-MD5 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-MD5 data digest succeeded.
- @retval FALSE HMAC-MD5 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
- IN OUT VOID *HmacMd5Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- //
- // Check input parameters.
- //
- if (HmacMd5Context == NULL) {
- return FALSE;
- }
-
- //
- // Check invalid parameters, in case that only DataLength was checked in OpenSSL
- //
- if (Data == NULL && DataSize != 0) {
- return FALSE;
- }
-
- //
- // OpenSSL HMAC-MD5 digest update
- //
- if (HMAC_Update ((HMAC_CTX *)HmacMd5Context, Data, DataSize) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- This function completes HMAC-MD5 digest computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-MD5 context cannot
- be used again.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval TRUE HMAC-MD5 digest computation succeeded.
- @retval FALSE HMAC-MD5 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
- IN OUT VOID *HmacMd5Context,
- OUT UINT8 *HmacValue
- )
-{
- UINT32 Length;
-
- //
- // Check input parameters.
- //
- if (HmacMd5Context == NULL || HmacValue == NULL) {
- return FALSE;
- }
-
- //
- // OpenSSL HMAC-MD5 digest finalization
- //
- if (HMAC_Final ((HMAC_CTX *)HmacMd5Context, HmacValue, &Length) != 1) {
- return FALSE;
- }
- if (HMAC_CTX_reset ((HMAC_CTX *)HmacMd5Context) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
- HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- Return NULL to indicate this interface is not supported.
-
- @retval NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
- VOID
- )
-{
- ASSERT (FALSE);
- return NULL;
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- This function will do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
- IN VOID *HmacMd5Ctx
- )
-{
- ASSERT (FALSE);
- return;
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
- OUT VOID *HmacMd5Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
- IN CONST VOID *HmacMd5Context,
- OUT VOID *NewHmacMd5Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
- IN OUT VOID *HmacMd5Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
- IN OUT VOID *HmacMd5Context,
- OUT UINT8 *HmacValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f631f8d879..2a630ef290 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note:
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+# HMAC-SHA1/SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
# certificate handler functions, authenticode signature verification functions,
# PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512.c
- Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index c906935d3d..95c71a8ae2 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, X.509 certificate handler functions, authenticode
// signature verification functions, PEM handler functions, and pseudorandom number
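Review bot: the rewritten Note line in PeiCryptLib.uni lists only "HMAC-SHA1 functions", while the matching note in PeiCryptLib.inf says "HMAC-SHA1/SHA256 functions" and that .inf builds Hmac/CryptHmacSha256Null.c. As the line is being edited anyway, bring the .uni text (here and in STR_MODULE_DESCRIPTION) in line with the .inf.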
@@ -21,5 +21,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 672e19299c..1642521087 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+# HMAC-SHA1/SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -40,7 +40,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512Null.c
- Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 0a3bb1c04f..f7e1acb3a7 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc3556ae3f..ec9c8e7c05 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
+# HMAC-SHA1 functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -39,7 +39,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512Null.c
- Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256.c
Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 2e362c635f..8eb3acac93 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 04b552f8b7..558ccfc002 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
Hash/CryptSha256Null.c
Hash/CryptSha512Null.c
Hash/CryptSm3Null.c
- Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
- HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- Return NULL to indicate this interface is not supported.
-
- @retval NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
- VOID
- )
-{
- ASSERT (FALSE);
- return NULL;
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- This function will do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
- IN VOID *HmacMd5Ctx
- )
-{
- ASSERT (FALSE);
- return;
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
- OUT VOID *HmacMd5Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
- IN CONST VOID *HmacMd5Context,
- OUT VOID *NewHmacMd5Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
- IN OUT VOID *HmacMd5Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
- IN OUT VOID *HmacMd5Context,
- OUT UINT8 *HmacValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c937f8540d..dfe7fb7e91 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacMd5New() returns NULL.
- @retval NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
- VOID
- )
-{
- CALL_CRYPTO_SERVICE (HmacMd5New, (), NULL);
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
- IN VOID *HmacMd5Ctx
- )
-{
- CALL_VOID_CRYPTO_SERVICE (HmacMd5Free, (HmacMd5Ctx));
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE Key is set successfully.
- @retval FALSE Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
- OUT VOID *HmacMd5Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- CALL_CRYPTO_SERVICE (HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
-}
-
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- If HmacMd5Context is NULL, then return FALSE.
- If NewHmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval TRUE HMAC-MD5 context copy succeeded.
- @retval FALSE HMAC-MD5 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
- IN CONST VOID *HmacMd5Context,
- OUT VOID *NewHmacMd5Context
- )
-{
- CALL_CRYPTO_SERVICE (HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
-}
-
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- This function performs HMAC-MD5 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-MD5 data digest succeeded.
- @retval FALSE HMAC-MD5 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
- IN OUT VOID *HmacMd5Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- CALL_CRYPTO_SERVICE (HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
-}
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- This function completes HMAC-MD5 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-MD5 context cannot
- be used again.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval TRUE HMAC-MD5 digest computation succeeded.
- @retval FALSE HMAC-MD5 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
- IN OUT VOID *HmacMd5Context,
- OUT UINT8 *HmacValue
- )
-{
- CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
-}
-
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index e76ff623a5..bd4cd7f383 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -43,135 +43,48 @@ UINTN
// MAC (Message Authentication Code) Primitive
//=====================================================================================
/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacMd5New() returns NULL.
- @retval NULL This interface is not supported.
+ HMAC MD5 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) (
VOID
);
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
typedef
VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) (
IN VOID *HmacMd5Ctx
);
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacMd5Update().
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE HMAC-MD5 context initialization succeeded.
- @retval FALSE HMAC-MD5 context initialization failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
OUT VOID *HmacMd5Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
);
-/**
- Makes a copy of an existing HMAC-MD5 context.
-
- If HmacMd5Context is NULL, then return FALSE.
- If NewHmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
- @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
-
- @retval TRUE HMAC-MD5 context copy succeeded.
- @retval FALSE HMAC-MD5 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
IN CONST VOID *HmacMd5Context,
OUT VOID *NewHmacMd5Context
);
-/**
- Digests the input data and updates HMAC-MD5 context.
-
- This function performs HMAC-MD5 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-MD5 data digest succeeded.
- @retval FALSE HMAC-MD5 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) (
IN OUT VOID *HmacMd5Context,
IN CONST VOID *Data,
IN UINTN DataSize
);
-
-/**
- Completes computation of the HMAC-MD5 digest value.
-
- This function completes HMAC-MD5 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-MD5 context cannot
- be used again.
- HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
- HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
- If HmacMd5Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest
- value (16 bytes).
-
- @retval TRUE HMAC-MD5 digest computation succeeded.
- @retval FALSE HMAC-MD5 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) (
IN OUT VOID *HmacMd5Context,
OUT UINT8 *HmacValue
);
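Review bot: The comment added above DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW misspells "compatibility" as "compability", and it is the only documentation left in this hunk: the FREE, SET_KEY, DUPLICATE, UPDATE and FINAL typedefs lose their header comments and get nothing in return. Suggest fixing the spelling and either repeating the short deprecation comment on each typedef or rewording the first one to say it covers all six HMAC MD5 typedefs that follow, so a reader who lands on a later typedef sees why it is kept.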
@@ -3618,13 +3531,13 @@ EFI_STATUS
struct _EDKII_CRYPTO_PROTOCOL {
/// Version
EDKII_CRYPTO_GET_VERSION GetVersion;
- /// HMAC MD5
- EDKII_CRYPTO_HMAC_MD5_NEW HmacMd5New;
- EDKII_CRYPTO_HMAC_MD5_FREE HmacMd5Free;
- EDKII_CRYPTO_HMAC_MD5_SET_KEY HmacMd5SetKey;
- EDKII_CRYPTO_HMAC_MD5_DUPLICATE HmacMd5Duplicate;
- EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update;
- EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final;
+ /// HMAC MD5 - deprecated and unsupported
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW DeprecatedHmacMd5New;
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE DeprecatedHmacMd5Free;
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY DeprecatedHmacMd5SetKey;
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE DeprecatedHmacMd5Duplicate;
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE DeprecatedHmacMd5Update;
+ DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL DeprecatedHmacMd5Final;
/// HMAC SHA1
EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
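Review bot: The six members after GetVersion are renamed in place, which keeps HmacSha1New and everything after it at the same offsets, but nothing in this hunk records that constraint or lets a consumer tell the old protocol from the new one. A module built against the earlier header still finds function pointers in these slots and will call them. Suggest a comment on the struct stating that the deprecated slots must not be removed or reordered, and please confirm whether the value returned through GetVersion should change with this series so callers can detect that the HMAC MD5 slots no longer do any work.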
--
2.21.0.windows.1
* Re: [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
2020-05-06 23:57 ` [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
@ 2020-05-08 15:03 ` Wang, Jian J
From: Wang, Jian J @ 2020-05-08 15:03 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Zhichao,
The removal of AesEcbEncrypt() and AesEcbDecrypt() should go to patch 5.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> HMAC MD5 is not secure any longer.
> Remove the HMAC MD5 support from edk2.
> Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/CryptoPkg.dsc | 1 -
> CryptoPkg/Driver/Crypto.c | 128 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 203 ----------------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 216 ------------------
> .../BaseCryptLib/Hmac/CryptHmacMd5Null.c | 139 -----------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 139 -----------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 151 ------------
> CryptoPkg/Private/Protocol/Crypto.h | 117 ++--------
> 16 files changed, 45 insertions(+), 1072 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
>
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 1f68cc633b..9ddf73f9fa 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,7 +137,6 @@
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
>
> !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 341df3b814..dfde1cc005 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1105,154 +1105,68 @@ CryptoServiceSm3HashAll (
>
> //===============================================================
> ======================
>
> /**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacMd5New() returns NULL.
> - @retval NULL This interface is not supported.
> + HMAC MD5 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> VOID *
> EFIAPI
> -CryptoServiceHmacMd5New (
> +DeprecatedCryptoServiceHmacMd5New (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (),
> NULL);
> + return BaseCryptLibServciceDeprecated ("HmacMd5New"), NULL;
> }
>
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> VOID
> EFIAPI
> -CryptoServiceHmacMd5Free (
> +DeprecatedCryptoServiceHmacMd5Free (
> IN VOID *HmacMd5Ctx
> )
> {
> - CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free,
> (HmacMd5Ctx));
> + BaseCryptLibServciceDeprecated ("HmacMd5Free");
> }
>
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE Key is set successfully.
> - @retval FALSE Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacMd5SetKey (
> +DeprecatedCryptoServiceHmacMd5SetKey (
> OUT VOID *HmacMd5Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> )
> {
> - return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey,
> (HmacMd5Context, Key, KeySize), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacMd5SetKey"), FALSE;
> }
>
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If NewHmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval TRUE HMAC-MD5 context copy succeeded.
> - @retval FALSE HMAC-MD5 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacMd5Duplicate (
> +DeprecatedCryptoServiceHmacMd5Duplicate (
> IN CONST VOID *HmacMd5Context,
> OUT VOID *NewHmacMd5Context
> )
> {
> - return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate,
> HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacMd5Duplicate"), FALSE;
> }
>
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - This function performs HMAC-MD5 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-MD5 data digest succeeded.
> - @retval FALSE HMAC-MD5 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacMd5Update (
> +DeprecatedCryptoServiceHmacMd5Update (
> IN OUT VOID *HmacMd5Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> )
> {
> - return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update,
> (HmacMd5Context, Data, DataSize), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacMd5Update"), FALSE;
> }
>
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> - be used again.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval TRUE HMAC-MD5 digest computation succeeded.
> - @retval FALSE HMAC-MD5 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacMd5Final (
> +DeprecatedCryptoServiceHmacMd5Final (
> IN OUT VOID *HmacMd5Context,
> OUT UINT8 *HmacValue
> )
> {
> - return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final,
> (HmacMd5Context, HmacValue), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacMd5Final"), FALSE;
> }
>
> /**
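Review bot: In the replacement stubs, starting with DeprecatedCryptoServiceHmacMd5New, the body "return BaseCryptLibServciceDeprecated ("HmacMd5New"), NULL;" folds the helper call and the return value into one comma expression, which is easy to misread as returning the helper's result. Suggest two statements, the helper call followed by a plain "return NULL;" or "return FALSE;". The one header comment kept in this hunk also misspells "compatibility" as "compability", and the Free, SetKey, Duplicate, Update and Final stubs are left with no function header at all.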
> @@ -4051,13 +3965,13 @@ CryptoServiceTlsGetCertRevocationList (
> const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> /// Version
> CryptoServiceGetCryptoVersion,
> - /// HMAC MD5
> - CryptoServiceHmacMd5New,
> - CryptoServiceHmacMd5Free,
> - CryptoServiceHmacMd5SetKey,
> - CryptoServiceHmacMd5Duplicate,
> - CryptoServiceHmacMd5Update,
> - CryptoServiceHmacMd5Final,
> + /// HMAC MD5 - deprecated and unsupported
> + DeprecatedCryptoServiceHmacMd5New,
> + DeprecatedCryptoServiceHmacMd5Free,
> + DeprecatedCryptoServiceHmacMd5SetKey,
> + DeprecatedCryptoServiceHmacMd5Duplicate,
> + DeprecatedCryptoServiceHmacMd5Update,
> + DeprecatedCryptoServiceHmacMd5Final,
> /// HMAC SHA1
> CryptoServiceHmacSha1New,
> CryptoServiceHmacSha1Free,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 621bcfd1c4..b99401661c 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -880,139 +880,6 @@ Sm3HashAll (
> // MAC (Message Authentication Code) Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacMd5New() returns NULL.
> - @retval NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> - VOID
> - );
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> - IN VOID *HmacMd5Ctx
> - );
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE Key is set successfully.
> - @retval FALSE Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> - OUT VOID *HmacMd5Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - );
> -
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If NewHmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval TRUE HMAC-MD5 context copy succeeded.
> - @retval FALSE HMAC-MD5 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> - IN CONST VOID *HmacMd5Context,
> - OUT VOID *NewHmacMd5Context
> - );
> -
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - This function performs HMAC-MD5 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-MD5 data digest succeeded.
> - @retval FALSE HMAC-MD5 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> - IN OUT VOID *HmacMd5Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> - be used again.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval TRUE HMAC-MD5 digest computation succeeded.
> - @retval FALSE HMAC-MD5 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> - IN OUT VOID *HmacMd5Context,
> - OUT UINT8 *HmacValue
> - );
> -
> /**
> Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
>
> @@ -1323,76 +1190,6 @@ AesInit (
> IN UINTN KeyLength
> );
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
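Review bot: The hunk at -1323,76 of BaseCryptLib.h removes the AesEcbEncrypt() and AesEcbDecrypt() declarations, which is unrelated to the HMAC MD5 retirement named in the subject and is not mentioned in the commit message. It accounts for 70 of the 203 deleted lines the diffstat lists for this header. Suggest moving it to the patch in the series that retires AES ECB, so each commit changes one algorithm and can be reviewed or reverted on its own.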
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 2de8e9c346..33d7c13bff 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -34,7 +34,6 @@
> Hash/CryptSha256.c
> Hash/CryptSha512.c
> Hash/CryptSm3.c
> - Hmac/CryptHmacMd5.c
> Hmac/CryptHmacSha1.c
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdf.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> deleted file mode 100644
> index da46ce09f4..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -/** @file
> - HMAC-MD5 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/hmac.h>
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacMd5New() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> - VOID
> - )
> -{
> - //
> - // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
> - //
> - return (VOID *) HMAC_CTX_new ();
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> - IN VOID *HmacMd5Ctx
> - )
> -{
> - //
> - // Free OpenSSL HMAC_CTX Context
> - //
> - HMAC_CTX_free ((HMAC_CTX *)HmacMd5Ctx);
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - If HmacMd5Context is NULL, then return FALSE.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE Key is set successfully.
> - @retval FALSE Key is set unsuccessfully.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> - OUT VOID *HmacMd5Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacMd5Context == NULL || KeySize > INT_MAX) {
> - return FALSE;
> - }
> -
> - if (HMAC_Init_ex ((HMAC_CTX *)HmacMd5Context, Key, (UINT32) KeySize,
> EVP_md5(), NULL) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If NewHmacMd5Context is NULL, then return FALSE.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval TRUE HMAC-MD5 context copy succeeded.
> - @retval FALSE HMAC-MD5 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> - IN CONST VOID *HmacMd5Context,
> - OUT VOID *NewHmacMd5Context
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacMd5Context == NULL || NewHmacMd5Context == NULL) {
> - return FALSE;
> - }
> -
> - if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacMd5Context, (HMAC_CTX
> *)HmacMd5Context) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - This function performs HMAC-MD5 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-MD5 data digest succeeded.
> - @retval FALSE HMAC-MD5 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> - IN OUT VOID *HmacMd5Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacMd5Context == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> - //
> - if (Data == NULL && DataSize != 0) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL HMAC-MD5 digest update
> - //
> - if (HMAC_Update ((HMAC_CTX *)HmacMd5Context, Data, DataSize) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - This function completes HMAC-MD5 digest computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> - be used again.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval TRUE HMAC-MD5 digest computation succeeded.
> - @retval FALSE HMAC-MD5 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> - IN OUT VOID *HmacMd5Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - UINT32 Length;
> -
> - //
> - // Check input parameters.
> - //
> - if (HmacMd5Context == NULL || HmacValue == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL HMAC-MD5 digest finalization
> - //
> - if (HMAC_Final ((HMAC_CTX *)HmacMd5Context, HmacValue, &Length) != 1) {
> - return FALSE;
> - }
> - if (HMAC_CTX_reset ((HMAC_CTX *)HmacMd5Context) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> deleted file mode 100644
> index 5de55bf0d5..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> - HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - Return NULL to indicate this interface is not supported.
> -
> - @retval NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return NULL;
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - This function will do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> - IN VOID *HmacMd5Ctx
> - )
> -{
> - ASSERT (FALSE);
> - return;
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> - OUT VOID *HmacMd5Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> - IN CONST VOID *HmacMd5Context,
> - OUT VOID *NewHmacMd5Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> - IN OUT VOID *HmacMd5Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> - IN OUT VOID *HmacMd5Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index f631f8d879..2a630ef290 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note:
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> +# HMAC-SHA1/SHA256 functions, AES functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -40,7 +40,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512.c
> - Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index c906935d3d..95c71a8ae2 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
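Review bot: The Note line edited in this hunk now reads "HMAC-SHA1 functions, AES", while the matching Note in PeiCryptLib.inf, edited earlier in this same patch, reads "HMAC-SHA1/SHA256 functions, AES functions". That .inf also lists Hmac/CryptHmacSha256Null.c in its sources, so HMAC-SHA256 is unsupported in this instance as well. Since the line is being touched anyway, align the .uni wording with the .inf so the two descriptions of the same library instance agree.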
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 672e19299c..1642521087 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> +# HMAC-SHA1/SHA256 functions, AES functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -40,7 +40,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512Null.c
> - Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index 0a3bb1c04f..f7e1acb3a7 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index cc3556ae3f..ec9c8e7c05 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
> +# HMAC-SHA1 functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -39,7 +39,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512Null.c
> - Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 2e362c635f..8eb3acac93 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
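Review bot: The edited Note still names "AES functions" as unsupported, but the Note in SmmCryptLib.inf changed earlier in this patch ("HMAC-SHA1 functions, RSA external") does not mention AES, and it additionally lists the SHA-384 and SHA-512 digest functions. Reconcile the two lists while editing this line, so the .uni and the .inf state the same set of unsupported services for the SMM instance.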
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 04b552f8b7..558ccfc002 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -34,7 +34,6 @@
> Hash/CryptSha256Null.c
> Hash/CryptSha512Null.c
> Hash/CryptSm3Null.c
> - Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> deleted file mode 100644
> index 5de55bf0d5..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> - HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - Return NULL to indicate this interface is not supported.
> -
> - @retval NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return NULL;
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - This function will do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> - IN VOID *HmacMd5Ctx
> - )
> -{
> - ASSERT (FALSE);
> - return;
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> - OUT VOID *HmacMd5Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> - IN CONST VOID *HmacMd5Context,
> - OUT VOID *NewHmacMd5Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> - IN OUT VOID *HmacMd5Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> - IN OUT VOID *HmacMd5Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index c937f8540d..dfe7fb7e91 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1015,157 +1015,6 @@ Sm3HashAll (
> // MAC (Message Authentication Code) Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacMd5New() returns NULL.
> - @retval NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacMd5New, (), NULL);
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> - IN VOID *HmacMd5Ctx
> - )
> -{
> - CALL_VOID_CRYPTO_SERVICE (HmacMd5Free, (HmacMd5Ctx));
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE Key is set successfully.
> - @retval FALSE Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> - OUT VOID *HmacMd5Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacMd5SetKey, (HmacMd5Context, Key, KeySize),
> FALSE);
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If NewHmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval TRUE HMAC-MD5 context copy succeeded.
> - @retval FALSE HMAC-MD5 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> - IN CONST VOID *HmacMd5Context,
> - OUT VOID *NewHmacMd5Context
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacMd5Duplicate, (HmacMd5Context,
> NewHmacMd5Context), FALSE);
> -}
> -
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - This function performs HMAC-MD5 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-MD5 data digest succeeded.
> - @retval FALSE HMAC-MD5 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> - IN OUT VOID *HmacMd5Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacMd5Update, (HmacMd5Context, Data,
> DataSize), FALSE);
> -}
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> - be used again.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval TRUE HMAC-MD5 digest computation succeeded.
> - @retval FALSE HMAC-MD5 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> - IN OUT VOID *HmacMd5Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue),
> FALSE);
> -}
> -
> /**
> Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
>
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index e76ff623a5..bd4cd7f383 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -43,135 +43,48 @@ UINTN
> // MAC (Message Authentication Code) Primitive
>
> //===============================================================
> ======================
> /**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacMd5New() returns NULL.
> - @retval NULL This interface is not supported.
> + HMAC MD5 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> VOID*
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_NEW) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) (
> VOID
> );
>
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> typedef
> VOID
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FREE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) (
> IN VOID *HmacMd5Ctx
> );
>
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacMd5Update().
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacMd5Context Pointer to HMAC-MD5 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE HMAC-MD5 context initialization succeeded.
> - @retval FALSE HMAC-MD5 context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
> OUT VOID *HmacMd5Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> );
>
> -/**
> - Makes a copy of an existing HMAC-MD5 context.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If NewHmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied.
> - @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context.
> -
> - @retval TRUE HMAC-MD5 context copy succeeded.
> - @retval FALSE HMAC-MD5 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
> IN CONST VOID *HmacMd5Context,
> OUT VOID *NewHmacMd5Context
> );
>
> -/**
> - Digests the input data and updates HMAC-MD5 context.
> -
> - This function performs HMAC-MD5 digest on a data buffer of the specified size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-MD5 data digest succeeded.
> - @retval FALSE HMAC-MD5 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) (
> IN OUT VOID *HmacMd5Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> );
>
> -
> -/**
> - Completes computation of the HMAC-MD5 digest value.
> -
> - This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> - be used again.
> - HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> - HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> - If HmacMd5Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> MD5 digest
> - value (16 bytes).
> -
> - @retval TRUE HMAC-MD5 digest computation succeeded.
> - @retval FALSE HMAC-MD5 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) (
> IN OUT VOID *HmacMd5Context,
> OUT UINT8 *HmacValue
> );
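Review bot: "compability" in the new comment above DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW should be "compatibility", and that two-line comment is the only documentation left in the hunk: the other five DEPRECATED_EDKII_CRYPTO_HMAC_MD5_* typedefs lose their doc blocks with no replacement. Either repeat the deprecation comment above each typedef or word the first one so that it explicitly covers all six, so a reader who lands on the FREE or FINAL typedef sees why the type still exists.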
> @@ -3618,13 +3531,13 @@ EFI_STATUS
> struct _EDKII_CRYPTO_PROTOCOL {
> /// Version
> EDKII_CRYPTO_GET_VERSION GetVersion;
> - /// HMAC MD5
> - EDKII_CRYPTO_HMAC_MD5_NEW HmacMd5New;
> - EDKII_CRYPTO_HMAC_MD5_FREE HmacMd5Free;
> - EDKII_CRYPTO_HMAC_MD5_SET_KEY HmacMd5SetKey;
> - EDKII_CRYPTO_HMAC_MD5_DUPLICATE HmacMd5Duplicate;
> - EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update;
> - EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final;
> + /// HMAC MD5 - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW
> DeprecatedHmacMd5New;
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE
> DeprecatedHmacMd5Free;
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY
> DeprecatedHmacMd5SetKey;
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE
> DeprecatedHmacMd5Duplicate;
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE
> DeprecatedHmacMd5Update;
> + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL
> DeprecatedHmacMd5Final;
> /// HMAC SHA1
> EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
> EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
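Review bot: The six Deprecated* members have to stay in exactly this position and count for HmacSha1New and every later member to keep their offsets, but the only hint is the "/// HMAC MD5 - deprecated and unsupported" line. Extend that comment to say the slots are placeholders kept for binary compatibility and must not be removed or reordered, so a later cleanup does not silently shift the protocol layout.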
> --
> 2.21.0.windows.1
* [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (5 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-08 15:11 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
2020-05-08 7:23 ` [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Guomin Jiang
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/CryptoPkg.dsc | 3 -
CryptoPkg/Driver/Crypto.c | 128 ++---------
CryptoPkg/Include/Library/BaseCryptLib.h | 133 -----------
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
.../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
.../BaseCryptLib/Hmac/CryptHmacSha1Null.c | 139 -----------
.../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
.../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
.../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
.../Library/BaseCryptLib/SmmCryptLib.inf | 4 +-
.../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
.../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 151 ------------
CryptoPkg/Private/Protocol/Crypto.h | 121 ++--------
16 files changed, 45 insertions(+), 1009 deletions(-)
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 9ddf73f9fa..1af78468a1 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
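Review bot: The HmacSha1.Family setting is dropped from the PACKAGE ALL profile here (and from MIN_PEI and MIN_DXE_MIN_SMM in the next two hunks), but the diffstat of this patch does not touch the header that defines the PcdCryptoServiceFamilyEnable structure. If the HmacSha1 member stays in that structure, a platform DSC that still sets it keeps building and only finds out at run time, through the debug message and assert in the deprecated stub. Either mark the member as deprecated in the same patch or say in the commit message that the setting is now ignored.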
@@ -163,7 +162,6 @@
!endif
!if $(CRYPTO_SERVICES) == MIN_PEI
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -178,7 +176,6 @@
!endif
!if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt | TRUE
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index dfde1cc005..95172de981 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
}
/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacSha1New() returns NULL.
- @return NULL This interface is not supported.
+ HMAC SHA1 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
VOID *
EFIAPI
-CryptoServiceHmacSha1New (
+DeprecatedCryptoServiceHmacSha1New (
VOID
)
{
- return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (), NULL);
+ return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
}
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
VOID
EFIAPI
-CryptoServiceHmacSha1Free (
+DeprecatedCryptoServiceHmacSha1Free (
IN VOID *HmacSha1Ctx
)
{
- CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free, (HmacSha1Ctx));
+ BaseCryptLibServciceDeprecated ("HmacSha1Free");
}
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE The Key is set successfully.
- @retval FALSE The Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacSha1SetKey (
+DeprecatedCryptoServiceHmacSha1SetKey (
OUT VOID *HmacSha1Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
)
{
- return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
}
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- If HmacSha1Context is NULL, then return FALSE.
- If NewHmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval TRUE HMAC-SHA1 context copy succeeded.
- @retval FALSE HMAC-SHA1 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacSha1Duplicate (
+DeprecatedCryptoServiceHmacSha1Duplicate (
IN CONST VOID *HmacSha1Context,
OUT VOID *NewHmacSha1Context
)
{
- return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate, HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
}
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- This function performs HMAC-SHA1 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-SHA1 data digest succeeded.
- @retval FALSE HMAC-SHA1 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacSha1Update (
+DeprecatedCryptoServiceHmacSha1Update (
IN OUT VOID *HmacSha1Context,
IN CONST VOID *Data,
IN UINTN DataSize
)
{
- return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
}
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- This function completes HMAC-SHA1 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-SHA1 context cannot
- be used again.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
- by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval TRUE HMAC-SHA1 digest computation succeeded.
- @retval FALSE HMAC-SHA1 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
BOOLEAN
EFIAPI
-CryptoServiceHmacSha1Final (
+DeprecatedCryptoServiceHmacSha1Final (
IN OUT VOID *HmacSha1Context,
OUT UINT8 *HmacValue
)
{
- return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
+ return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
}
/**
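Review bot: Only DeprecatedCryptoServiceHmacSha1New keeps a comment header; the Free, SetKey, Duplicate, Update and Final stubs lose theirs completely, and the one remaining header has a typo ("compability"). Each stub should carry at least the short "deprecated, kept for binary compatibility" header with its return value, since all six are still reachable through the protocol. It is also worth stating there that DeprecatedCryptoServiceHmacSha1Final returns FALSE without writing HmacValue: in a build where ASSERT_EFI_ERROR is compiled out the return value is the only signal, so a caller that ignores it carries on with an unwritten digest buffer.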
@@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
DeprecatedCryptoServiceHmacMd5Duplicate,
DeprecatedCryptoServiceHmacMd5Update,
DeprecatedCryptoServiceHmacMd5Final,
- /// HMAC SHA1
- CryptoServiceHmacSha1New,
- CryptoServiceHmacSha1Free,
- CryptoServiceHmacSha1SetKey,
- CryptoServiceHmacSha1Duplicate,
- CryptoServiceHmacSha1Update,
- CryptoServiceHmacSha1Final,
+ /// HMAC SHA1 - deprecated and unsupported
+ DeprecatedCryptoServiceHmacSha1New,
+ DeprecatedCryptoServiceHmacSha1Free,
+ DeprecatedCryptoServiceHmacSha1SetKey,
+ DeprecatedCryptoServiceHmacSha1Duplicate,
+ DeprecatedCryptoServiceHmacSha1Update,
+ DeprecatedCryptoServiceHmacSha1Final,
/// HMAC SHA256
CryptoServiceHmacSha256New,
CryptoServiceHmacSha256Free,
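Review bot: The replacement comment "/// HMAC SHA1 - deprecated and unsupported" does not say why six entries remain in mEdkiiCrypto. The initializer is positional, so add a few words that the slots are retained, in the original New/Free/SetKey/Duplicate/Update/Final order, to keep the protocol layout unchanged for existing consumers; otherwise someone will later delete them as dead code and shift every entry after them.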
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index b99401661c..1b1ffa75ef 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacSha1New() returns NULL.
- @return NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
- VOID
- );
-
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
- IN VOID *HmacSha1Ctx
- );
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE The Key is set successfully.
- @retval FALSE The Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
- OUT VOID *HmacSha1Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- );
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- If HmacSha1Context is NULL, then return FALSE.
- If NewHmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval TRUE HMAC-SHA1 context copy succeeded.
- @retval FALSE HMAC-SHA1 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
- IN CONST VOID *HmacSha1Context,
- OUT VOID *NewHmacSha1Context
- );
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- This function performs HMAC-SHA1 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-SHA1 data digest succeeded.
- @retval FALSE HMAC-SHA1 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
- IN OUT VOID *HmacSha1Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- This function completes HMAC-SHA1 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-SHA1 context cannot
- be used again.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
- by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval TRUE HMAC-SHA1 digest computation succeeded.
- @retval FALSE HMAC-SHA1 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
- IN OUT VOID *HmacSha1Context,
- OUT UINT8 *HmacValue
- );
-
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
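Review bot: Removing the six HmacSha1* prototypes from the public header turns every remaining caller into a build failure, but neither this hunk nor the commit message tells those callers what to move to. A one-line note in the commit message pointing at the HmacSha256* interface, whose declarations follow directly below in this header, would save each platform owner from having to work it out.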
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 33d7c13bff..4aae2aba95 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
Hash/CryptSha256.c
Hash/CryptSha512.c
Hash/CryptSm3.c
- Hmac/CryptHmacSha1.c
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
deleted file mode 100644
index 7593ca55b1..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
- HMAC-SHA1 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacSha1New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
- VOID
- )
-{
- //
- // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
- //
- return (VOID *) HMAC_CTX_new ();
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
- IN VOID *HmacSha1Ctx
- )
-{
- //
- // Free OpenSSL HMAC_CTX Context
- //
- HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- If HmacSha1Context is NULL, then return FALSE.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE The Key is set successfully.
- @retval FALSE The Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
- OUT VOID *HmacSha1Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- //
- // Check input parameters.
- //
- if (HmacSha1Context == NULL || KeySize > INT_MAX) {
- return FALSE;
- }
-
- if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize, EVP_sha1(), NULL) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- If HmacSha1Context is NULL, then return FALSE.
- If NewHmacSha1Context is NULL, then return FALSE.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval TRUE HMAC-SHA1 context copy succeeded.
- @retval FALSE HMAC-SHA1 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
- IN CONST VOID *HmacSha1Context,
- OUT VOID *NewHmacSha1Context
- )
-{
- //
- // Check input parameters.
- //
- if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
- return FALSE;
- }
-
- if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX *)HmacSha1Context) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- This function performs HMAC-SHA1 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-SHA1 data digest succeeded.
- @retval FALSE HMAC-SHA1 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
- IN OUT VOID *HmacSha1Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- //
- // Check input parameters.
- //
- if (HmacSha1Context == NULL) {
- return FALSE;
- }
-
- //
- // Check invalid parameters, in case that only DataLength was checked in OpenSSL
- //
- if (Data == NULL && DataSize != 0) {
- return FALSE;
- }
-
- //
- // OpenSSL HMAC-SHA1 digest update
- //
- if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- This function completes HMAC-SHA1 digest computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-SHA1 context cannot
- be used again.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval TRUE HMAC-SHA1 digest computation succeeded.
- @retval FALSE HMAC-SHA1 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
- IN OUT VOID *HmacSha1Context,
- OUT UINT8 *HmacValue
- )
-{
- UINT32 Length;
-
- //
- // Check input parameters.
- //
- if (HmacSha1Context == NULL || HmacValue == NULL) {
- return FALSE;
- }
-
- //
- // OpenSSL HMAC-SHA1 digest finalization
- //
- if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
- return FALSE;
- }
- if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
- return FALSE;
- }
-
- return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
- HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- Return NULL to indicate this interface is not supported.
-
- @return NULL This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
- VOID
- )
-{
- ASSERT (FALSE);
- return NULL;
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- This function will do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
- IN VOID *HmacSha1Ctx
- )
-{
- ASSERT (FALSE);
- return;
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
- OUT VOID *HmacSha1Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
- IN CONST VOID *HmacSha1Context,
- OUT VOID *NewHmacSha1Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
- IN OUT VOID *HmacSha1Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
- IN OUT VOID *HmacSha1Context,
- OUT UINT8 *HmacValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 2a630ef290..dc28e3a11d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note:
-# HMAC-SHA1/SHA256 functions, AES functions, RSA external
+# HMAC-SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
# certificate handler functions, authenticode signature verification functions,
# PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512.c
- Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 95c71a8ae2..20ae64e8bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, X.509 certificate handler functions, authenticode
// signature verification functions, PEM handler functions, and pseudorandom number
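Review bot: After this change the note in PeiCryptLib.uni starts at "AES functions", while the matching note in PeiCryptLib.inf now reads "HMAC-SHA256 functions, AES functions, ..." and that INF builds Hmac/CryptHmacSha256Null.c. The .uni text should list HMAC-SHA256 functions as unsupported too, here and in STR_MODULE_DESCRIPTION in the next hunk, so the two descriptions of the PEI instance agree. The short "// Note: AES" line can be refilled with the line after it at the same time.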
@@ -21,5 +21,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 1642521087..5005beed02 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-SHA1/SHA256 functions, AES functions, RSA external
+# HMAC-SHA256 functions, AES functions, RSA external
# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
@@ -40,7 +40,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512Null.c
- Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index f7e1acb3a7..0cf378c5ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
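Review bot: The edited "// Note: AES" line leaves RuntimeCryptLib.uni out of step with RuntimeCryptLib.inf, whose note in this patch lists "HMAC-SHA256 functions" as unsupported and whose source list builds Hmac/CryptHmacSha256Null.c. Add HMAC-SHA256 functions to the .uni note and to STR_MODULE_DESCRIPTION in the next hunk so the runtime instance is described the same way in both files.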
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index ec9c8e7c05..91ec3e03bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,8 +7,7 @@
# buffer overflow or integer overflow.
#
# Note: SHA-384 Digest functions, SHA-512 Digest functions,
-# HMAC-SHA1 functions, RSA external
-# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+# RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
# authenticode signature verification functions are not supported in this instance.
#
# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
@@ -39,7 +38,6 @@
Hash/CryptSha256.c
Hash/CryptSm3.c
Hash/CryptSha512Null.c
- Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256.c
Kdf/CryptHkdfNull.c
Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 8eb3acac93..f0c33abbcf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
// This external input must be validated carefully to avoid security issues such as
// buffer overflow or integer overflow.
//
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
// functions, RSA external functions, PKCS#7 SignedData sign functions,
// Diffie-Hellman functions, and authenticode signature verification functions are
// not supported in this instance.
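Review bot: The new "// Note: AES functions ... are not supported in this instance" text contradicts SmmCryptLib.inf in this same patch, whose source list builds Cipher/CryptAes.c and whose own note does not list AES as unsupported. While this line is being edited, drop AES from the SMM .uni note and from STR_MODULE_DESCRIPTION in the next hunk, so the description matches what the SMM instance actually builds.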
@@ -20,5 +20,5 @@
#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver"
-#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 558ccfc002..689af4fedd 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
Hash/CryptSha256Null.c
Hash/CryptSha512Null.c
Hash/CryptSm3Null.c
- Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
- HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- Return NULL to indicate this interface is not supported.
-
- @return NULL This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
- VOID
- )
-{
- ASSERT (FALSE);
- return NULL;
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- This function will do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
- IN VOID *HmacSha1Ctx
- )
-{
- ASSERT (FALSE);
- return;
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- Return FALSE to indicate this interface is not supported.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
- OUT VOID *HmacSha1Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
- IN CONST VOID *HmacSha1Context,
- OUT VOID *NewHmacSha1Context
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
- IN OUT VOID *HmacSha1Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- Return FALSE to indicate this interface is not supported.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
- IN OUT VOID *HmacSha1Context,
- OUT UINT8 *HmacValue
- )
-{
- ASSERT (FALSE);
- return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index dfe7fb7e91..a614b61ed4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
// MAC (Message Authentication Code) Primitive
//=====================================================================================
-/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacSha1New() returns NULL.
- @return NULL This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
- VOID
- )
-{
- CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
-}
-
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
- IN VOID *HmacSha1Ctx
- )
-{
- CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
-}
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE The Key is set successfully.
- @retval FALSE The Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
- OUT VOID *HmacSha1Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- )
-{
- CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
-}
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- If HmacSha1Context is NULL, then return FALSE.
- If NewHmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval TRUE HMAC-SHA1 context copy succeeded.
- @retval FALSE HMAC-SHA1 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
- IN CONST VOID *HmacSha1Context,
- OUT VOID *NewHmacSha1Context
- )
-{
- CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
-}
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- This function performs HMAC-SHA1 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-SHA1 data digest succeeded.
- @retval FALSE HMAC-SHA1 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
- IN OUT VOID *HmacSha1Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- )
-{
- CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
-}
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- This function completes HMAC-SHA1 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-SHA1 context cannot
- be used again.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
- by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval TRUE HMAC-SHA1 digest computation succeeded.
- @retval FALSE HMAC-SHA1 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
- IN OUT VOID *HmacSha1Context,
- OUT UINT8 *HmacValue
- )
-{
- CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
-}
-
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bd4cd7f383..d167390774 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -89,140 +89,49 @@ BOOLEAN
OUT UINT8 *HmacValue
);
-
/**
- Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
- If this interface is not supported, then return NULL.
-
- @return Pointer to the HMAC_CTX context that has been initialized.
- If the allocations fails, HmacSha1New() returns NULL.
- @return NULL This interface is not supported.
+ HMAC SHA1 is deprecated and unsupported any longer.
+ Keep the function field for binary compability.
**/
typedef
VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
VOID
);
-/**
- Release the specified HMAC_CTX context.
-
- If this interface is not supported, then do nothing.
-
- @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
-
-**/
typedef
VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
IN VOID *HmacSha1Ctx
);
-
-/**
- Set user-supplied key for subsequent use. It must be done before any
- calling to HmacSha1Update().
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
- @param[in] Key Pointer to the user-supplied key.
- @param[in] KeySize Key size in bytes.
-
- @retval TRUE The Key is set successfully.
- @retval FALSE The Key is set unsuccessfully.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
OUT VOID *HmacSha1Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
);
-
-/**
- Makes a copy of an existing HMAC-SHA1 context.
-
- If HmacSha1Context is NULL, then return FALSE.
- If NewHmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied.
- @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
-
- @retval TRUE HMAC-SHA1 context copy succeeded.
- @retval FALSE HMAC-SHA1 context copy failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
IN CONST VOID *HmacSha1Context,
OUT VOID *NewHmacSha1Context
);
-
-/**
- Digests the input data and updates HMAC-SHA1 context.
-
- This function performs HMAC-SHA1 digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
- HmacSha1Final(). Behavior with invalid context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[in] Data Pointer to the buffer containing the data to be digested.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE HMAC-SHA1 data digest succeeded.
- @retval FALSE HMAC-SHA1 data digest failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
IN OUT VOID *HmacSha1Context,
IN CONST VOID *Data,
IN UINTN DataSize
);
-
-/**
- Completes computation of the HMAC-SHA1 digest value.
-
- This function completes HMAC-SHA1 hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the HMAC-SHA1 context cannot
- be used again.
- HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
- by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
- If HmacSha1Context is NULL, then return FALSE.
- If HmacValue is NULL, then return FALSE.
- If this interface is not supported, then return FALSE.
-
- @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
- @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest
- value (20 bytes).
-
- @retval TRUE HMAC-SHA1 digest computation succeeded.
- @retval FALSE HMAC-SHA1 digest computation failed.
- @retval FALSE This interface is not supported.
-
-**/
typedef
BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
IN OUT VOID *HmacSha1Context,
OUT UINT8 *HmacValue
);
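Review bot: the replacement comment on DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW misspells "compatibility" as "compability", and it is the only comment left in this hunk: the FREE, SET_KEY, DUPLICATE, UPDATE and FINAL typedefs now have no doc block at all. Either repeat the short deprecation comment on each typedef or reword the first one so it clearly covers the whole group of six, and consider "deprecated and no longer supported" in place of "deprecated and unsupported any longer".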
@@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE DeprecatedHmacMd5Duplicate;
DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE DeprecatedHmacMd5Update;
DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL DeprecatedHmacMd5Final;
- /// HMAC SHA1
- EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
- EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
- EDKII_CRYPTO_HMAC_SHA1_SET_KEY HmacSha1SetKey;
- EDKII_CRYPTO_HMAC_SHA1_DUPLICATE HmacSha1Duplicate;
- EDKII_CRYPTO_HMAC_SHA1_UPDATE HmacSha1Update;
- EDKII_CRYPTO_HMAC_SHA1_FINAL HmacSha1Final;
+ /// HMAC SHA1 - deprecated and unsupported
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW DeprecatedHmacSha1New;
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE DeprecatedHmacSha1Free;
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY DeprecatedHmacSha1SetKey;
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE DeprecatedHmacSha1Duplicate;
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE DeprecatedHmacSha1Update;
+ DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL DeprecatedHmacSha1Final;
/// HMAC SHA256
EDKII_CRYPTO_HMAC_SHA256_NEW HmacSha256New;
EDKII_CRYPTO_HMAC_SHA256_FREE HmacSha256Free;
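Review bot: renaming the six members (HmacSha1New to DeprecatedHmacSha1New and so on) keeps the slots in place between the HMAC MD5 and HMAC SHA256 entries, so offsets of later members are unchanged, but it is a source-level break for any code that reaches these members through the protocol structure by name. The commit message mentions the rename but not this consequence; please say explicitly that only binary compatibility is preserved, and state whether the protocol version is meant to stay the same when six slots change from working services to stubs.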
--
2.21.0.windows.1
* Re: [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
2020-05-06 23:57 ` [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
@ 2020-05-08 15:11 ` Wang, Jian J
0 siblings, 0 replies; 23+ messages in thread
From: Wang, Jian J @ 2020-05-08 15:11 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Just a typo (see below). With it addressed,
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> HMAC SHA1 is not secure any longer.
> Remove the HMAC SHA1 support from edk2.
> Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any long.
'long' --> 'longer'
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/CryptoPkg.dsc | 3 -
> CryptoPkg/Driver/Crypto.c | 128 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 133 -----------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
> .../BaseCryptLib/Hmac/CryptHmacSha1Null.c | 139 -----------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 151 ------------
> CryptoPkg/Private/Protocol/Crypto.h | 121 ++--------
> 16 files changed, 45 insertions(+), 1009 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
>
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 9ddf73f9fa..1af78468a1 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,7 +137,6 @@
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
>
> !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -163,7 +162,6 @@
> !endif
>
> !if $(CRYPTO_SERVICES) == MIN_PEI
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -178,7 +176,6 @@
> !endif
>
> !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s1v2Encrypt | TRUE
>
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s5HashPassword | TRUE
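Review bot: a platform DSC that still sets PcdCryptoServiceFamilyEnable.HmacSha1.Family looks like it will keep building after this series, because the three hunks here only drop the setting from the PACKAGE/ALL, MIN_PEI and MIN_DXE_MIN_SMM blocks and the diffstat shows no change to the declaration of that PCD structure. If the HmacSha1 field is kept on purpose for layout compatibility, say so in the commit message and note that the setting no longer has any effect, so platform owners know to remove it.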
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index dfde1cc005..95172de981 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
> }
>
> /**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacSha1New() returns NULL.
> - @return NULL This interface is not supported.
> + HMAC SHA1 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> VOID *
> EFIAPI
> -CryptoServiceHmacSha1New (
> +DeprecatedCryptoServiceHmacSha1New (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (),
> NULL);
> + return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
> }
>
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> VOID
> EFIAPI
> -CryptoServiceHmacSha1Free (
> +DeprecatedCryptoServiceHmacSha1Free (
> IN VOID *HmacSha1Ctx
> )
> {
> - CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free,
> (HmacSha1Ctx));
> + BaseCryptLibServciceDeprecated ("HmacSha1Free");
> }
>
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE The Key is set successfully.
> - @retval FALSE The Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacSha1SetKey (
> +DeprecatedCryptoServiceHmacSha1SetKey (
> OUT VOID *HmacSha1Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> )
> {
> - return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey,
> (HmacSha1Context, Key, KeySize), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
> }
>
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If NewHmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval TRUE HMAC-SHA1 context copy succeeded.
> - @retval FALSE HMAC-SHA1 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacSha1Duplicate (
> +DeprecatedCryptoServiceHmacSha1Duplicate (
> IN CONST VOID *HmacSha1Context,
> OUT VOID *NewHmacSha1Context
> )
> {
> - return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate,
> HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
> }
>
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-SHA1 data digest succeeded.
> - @retval FALSE HMAC-SHA1 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacSha1Update (
> +DeprecatedCryptoServiceHmacSha1Update (
> IN OUT VOID *HmacSha1Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> )
> {
> - return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update,
> (HmacSha1Context, Data, DataSize), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
> }
>
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> - be used again.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> - by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval TRUE HMAC-SHA1 digest computation succeeded.
> - @retval FALSE HMAC-SHA1 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceHmacSha1Final (
> +DeprecatedCryptoServiceHmacSha1Final (
> IN OUT VOID *HmacSha1Context,
> OUT UINT8 *HmacValue
> )
> {
> - return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final,
> (HmacSha1Context, HmacValue), FALSE);
> + return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
> }
>
> /**
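Review bot: in DeprecatedCryptoServiceHmacSha1Final (and the other BOOLEAN stubs) the only runtime signal besides the return value is the DEBUG print and ASSERT_EFI_ERROR inside BaseCryptLibServciceDeprecated, so in a build where those are disabled a caller compiled against the old header gets FALSE with HmacValue left unwritten and nothing logged. The single remaining comment block should spell out that the stubs always fail and never touch their output buffers, and it currently sits only on the New stub, leaving the other five undocumented. Minor style point: "return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;" uses the comma operator with a VOID left operand; two statements (call, then return) read more clearly and avoid compiler or static-analysis warnings about that construct.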
> @@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> DeprecatedCryptoServiceHmacMd5Duplicate,
> DeprecatedCryptoServiceHmacMd5Update,
> DeprecatedCryptoServiceHmacMd5Final,
> - /// HMAC SHA1
> - CryptoServiceHmacSha1New,
> - CryptoServiceHmacSha1Free,
> - CryptoServiceHmacSha1SetKey,
> - CryptoServiceHmacSha1Duplicate,
> - CryptoServiceHmacSha1Update,
> - CryptoServiceHmacSha1Final,
> + /// HMAC SHA1 - deprecated and unsupported
> + DeprecatedCryptoServiceHmacSha1New,
> + DeprecatedCryptoServiceHmacSha1Free,
> + DeprecatedCryptoServiceHmacSha1SetKey,
> + DeprecatedCryptoServiceHmacSha1Duplicate,
> + DeprecatedCryptoServiceHmacSha1Update,
> + DeprecatedCryptoServiceHmacSha1Final,
> /// HMAC SHA256
> CryptoServiceHmacSha256New,
> CryptoServiceHmacSha256Free,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index b99401661c..1b1ffa75ef 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -880,139 +880,6 @@ Sm3HashAll (
> // MAC (Message Authentication Code) Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacSha1New() returns NULL.
> - @return NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> - VOID
> - );
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> - IN VOID *HmacSha1Ctx
> - );
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE The Key is set successfully.
> - @retval FALSE The Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> - OUT VOID *HmacSha1Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - );
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If NewHmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval TRUE HMAC-SHA1 context copy succeeded.
> - @retval FALSE HMAC-SHA1 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> - IN CONST VOID *HmacSha1Context,
> - OUT VOID *NewHmacSha1Context
> - );
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-SHA1 data digest succeeded.
> - @retval FALSE HMAC-SHA1 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> - IN OUT VOID *HmacSha1Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - );
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> - be used again.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> - by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval TRUE HMAC-SHA1 digest computation succeeded.
> - @retval FALSE HMAC-SHA1 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> - IN OUT VOID *HmacSha1Context,
> - OUT UINT8 *HmacValue
> - );
> -
> /**
> Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
>
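Review bot: removing the six HmacSha1* prototypes from the library class header turns every remaining caller into a build failure with no pointer to a replacement, and the commit message only says "HMAC SHA1 is not secure any longer". Please name the migration target in the commit message; the HMAC-SHA256 family, whose HmacSha256New declaration follows directly below as context, is the obvious candidate.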
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 33d7c13bff..4aae2aba95 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -34,7 +34,6 @@
> Hash/CryptSha256.c
> Hash/CryptSha512.c
> Hash/CryptSm3.c
> - Hmac/CryptHmacSha1.c
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> deleted file mode 100644
> index 7593ca55b1..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -/** @file
> - HMAC-SHA1 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/hmac.h>
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacSha1New() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> - VOID
> - )
> -{
> - //
> - // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
> - //
> - return (VOID *) HMAC_CTX_new ();
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> - IN VOID *HmacSha1Ctx
> - )
> -{
> - //
> - // Free OpenSSL HMAC_CTX Context
> - //
> - HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - If HmacSha1Context is NULL, then return FALSE.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE The Key is set successfully.
> - @retval FALSE The Key is set unsuccessfully.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> - OUT VOID *HmacSha1Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacSha1Context == NULL || KeySize > INT_MAX) {
> - return FALSE;
> - }
> -
> - if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize,
> EVP_sha1(), NULL) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If NewHmacSha1Context is NULL, then return FALSE.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval TRUE HMAC-SHA1 context copy succeeded.
> - @retval FALSE HMAC-SHA1 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> - IN CONST VOID *HmacSha1Context,
> - OUT VOID *NewHmacSha1Context
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
> - return FALSE;
> - }
> -
> - if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX
> *)HmacSha1Context) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-SHA1 data digest succeeded.
> - @retval FALSE HMAC-SHA1 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> - IN OUT VOID *HmacSha1Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - //
> - // Check input parameters.
> - //
> - if (HmacSha1Context == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> - //
> - if (Data == NULL && DataSize != 0) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL HMAC-SHA1 digest update
> - //
> - if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - This function completes HMAC-SHA1 digest computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> - be used again.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval TRUE HMAC-SHA1 digest computation succeeded.
> - @retval FALSE HMAC-SHA1 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> - IN OUT VOID *HmacSha1Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - UINT32 Length;
> -
> - //
> - // Check input parameters.
> - //
> - if (HmacSha1Context == NULL || HmacValue == NULL) {
> - return FALSE;
> - }
> -
> - //
> - // OpenSSL HMAC-SHA1 digest finalization
> - //
> - if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
> - return FALSE;
> - }
> - if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
> - return FALSE;
> - }
> -
> - return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> - HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - Return NULL to indicate this interface is not supported.
> -
> - @return NULL This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return NULL;
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - This function will do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> - IN VOID *HmacSha1Ctx
> - )
> -{
> - ASSERT (FALSE);
> - return;
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> - OUT VOID *HmacSha1Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> - IN CONST VOID *HmacSha1Context,
> - OUT VOID *NewHmacSha1Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> - IN OUT VOID *HmacSha1Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> - IN OUT VOID *HmacSha1Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index 2a630ef290..dc28e3a11d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note:
> -# HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +# HMAC-SHA256 functions, AES functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -40,7 +40,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512.c
> - Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 95c71a8ae2..20ae64e8bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
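Review bot: `// Note: AES` in PeiCryptLib.uni drops HMAC from the unsupported list entirely, but the PeiCryptLib.inf hunk in this same patch keeps `HMAC-SHA256 functions` in its note and still builds `Hmac/CryptHmacSha256Null.c`. Consider `// Note: HMAC-SHA256 functions, AES` here, with the same wording in STR_MODULE_DESCRIPTION, so the two descriptions of this instance agree. The RuntimeCryptLib.uni hunk has the same gap against RuntimeCryptLib.inf.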
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509 certificate handler functions, authenticode signature verification functions,
> PEM handler functions, and pseudorandom number generator functions are not
> supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 1642521087..5005beed02 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +# HMAC-SHA256 functions, AES functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -40,7 +40,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512Null.c
> - Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index f7e1acb3a7..0cf378c5ab 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index ec9c8e7c05..91ec3e03bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,8 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-SHA1 functions, RSA external
> -# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> +# RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> # Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> @@ -39,7 +38,6 @@
> Hash/CryptSha256.c
> Hash/CryptSm3.c
> Hash/CryptSha512Null.c
> - Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 8eb3acac93..f0c33abbcf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,7 +6,7 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
> // functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
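Review bot: The rewritten note in SmmCryptLib.uni (`// Note: AES` followed by `// functions, RSA external functions, ...`) still lists AES functions as unsupported, while the SmmCryptLib.inf hunk in this patch shows `Cipher/CryptAes.c` in the sources list and its header note does not mention AES at all. Since this line is being edited anyway, drop AES here and in the STR_MODULE_DESCRIPTION string in the next hunk so the .uni text matches the .inf note.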
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 558ccfc002..689af4fedd 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -34,7 +34,6 @@
> Hash/CryptSha256Null.c
> Hash/CryptSha512Null.c
> Hash/CryptSm3Null.c
> - Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> - HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - Return NULL to indicate this interface is not supported.
> -
> - @return NULL This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return NULL;
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - This function will do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> - IN VOID *HmacSha1Ctx
> - )
> -{
> - ASSERT (FALSE);
> - return;
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> - OUT VOID *HmacSha1Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> - IN CONST VOID *HmacSha1Context,
> - OUT VOID *NewHmacSha1Context
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> - IN OUT VOID *HmacSha1Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> - IN OUT VOID *HmacSha1Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index dfe7fb7e91..a614b61ed4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1015,157 +1015,6 @@ Sm3HashAll (
> // MAC (Message Authentication Code) Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacSha1New() returns NULL.
> - @return NULL This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
> -}
> -
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> - IN VOID *HmacSha1Ctx
> - )
> -{
> - CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
> -}
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE The Key is set successfully.
> - @retval FALSE The Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> - OUT VOID *HmacSha1Context,
> - IN CONST UINT8 *Key,
> - IN UINTN KeySize
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize),
> FALSE);
> -}
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If NewHmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval TRUE HMAC-SHA1 context copy succeeded.
> - @retval FALSE HMAC-SHA1 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> - IN CONST VOID *HmacSha1Context,
> - OUT VOID *NewHmacSha1Context
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context,
> NewHmacSha1Context), FALSE);
> -}
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-SHA1 data digest succeeded.
> - @retval FALSE HMAC-SHA1 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> - IN OUT VOID *HmacSha1Context,
> - IN CONST VOID *Data,
> - IN UINTN DataSize
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data,
> DataSize), FALSE);
> -}
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> - be used again.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> - by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval TRUE HMAC-SHA1 digest computation succeeded.
> - @retval FALSE HMAC-SHA1 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> - IN OUT VOID *HmacSha1Context,
> - OUT UINT8 *HmacValue
> - )
> -{
> - CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue),
> FALSE);
> -}
> -
> /**
> Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
>
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index bd4cd7f383..d167390774 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -89,140 +89,49 @@ BOOLEAN
> OUT UINT8 *HmacValue
> );
>
> -
> /**
> - Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> - If this interface is not supported, then return NULL.
> -
> - @return Pointer to the HMAC_CTX context that has been initialized.
> - If the allocations fails, HmacSha1New() returns NULL.
> - @return NULL This interface is not supported.
> + HMAC SHA1 is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> VOID*
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
> VOID
> );
>
> -/**
> - Release the specified HMAC_CTX context.
> -
> - If this interface is not supported, then do nothing.
> -
> - @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released.
> -
> -**/
> typedef
> VOID
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
> IN VOID *HmacSha1Ctx
> );
>
> -
> -/**
> - Set user-supplied key for subsequent use. It must be done before any
> - calling to HmacSha1Update().
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] HmacSha1Context Pointer to HMAC-SHA1 context.
> - @param[in] Key Pointer to the user-supplied key.
> - @param[in] KeySize Key size in bytes.
> -
> - @retval TRUE The Key is set successfully.
> - @retval FALSE The Key is set unsuccessfully.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
> OUT VOID *HmacSha1Context,
> IN CONST UINT8 *Key,
> IN UINTN KeySize
> );
>
> -
> -/**
> - Makes a copy of an existing HMAC-SHA1 context.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If NewHmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being
> copied.
> - @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context.
> -
> - @retval TRUE HMAC-SHA1 context copy succeeded.
> - @retval FALSE HMAC-SHA1 context copy failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
> IN CONST VOID *HmacSha1Context,
> OUT VOID *NewHmacSha1Context
> );
>
> -
> -/**
> - Digests the input data and updates HMAC-SHA1 context.
> -
> - This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> - It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> - HmacSha1Final(). Behavior with invalid context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[in] Data Pointer to the buffer containing the data to be
> digested.
> - @param[in] DataSize Size of Data buffer in bytes.
> -
> - @retval TRUE HMAC-SHA1 data digest succeeded.
> - @retval FALSE HMAC-SHA1 data digest failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
> IN OUT VOID *HmacSha1Context,
> IN CONST VOID *Data,
> IN UINTN DataSize
> );
>
> -
> -/**
> - Completes computation of the HMAC-SHA1 digest value.
> -
> - This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> - the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> - be used again.
> - HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> - by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> - If HmacSha1Context is NULL, then return FALSE.
> - If HmacValue is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context.
> - @param[out] HmacValue Pointer to a buffer that receives the HMAC-
> SHA1 digest
> - value (20 bytes).
> -
> - @retval TRUE HMAC-SHA1 digest computation succeeded.
> - @retval FALSE HMAC-SHA1 digest computation failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
> IN OUT VOID *HmacSha1Context,
> OUT UINT8 *HmacValue
> );
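Review bot: The new comment above DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW has a typo, `compability` should be `compatibility`, and it is now the only documentation for six typedefs: the FREE, SET_KEY, DUPLICATE, UPDATE and FINAL typedefs are left with no comment block at all. Either repeat the two-line deprecation comment above each typedef or reword the first one to say it covers all the HMAC SHA1 typedefs that follow.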
> @@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
> DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE
> DeprecatedHmacMd5Duplicate;
> DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE
> DeprecatedHmacMd5Update;
> DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL
> DeprecatedHmacMd5Final;
> - /// HMAC SHA1
> - EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
> - EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
> - EDKII_CRYPTO_HMAC_SHA1_SET_KEY HmacSha1SetKey;
> - EDKII_CRYPTO_HMAC_SHA1_DUPLICATE HmacSha1Duplicate;
> - EDKII_CRYPTO_HMAC_SHA1_UPDATE HmacSha1Update;
> - EDKII_CRYPTO_HMAC_SHA1_FINAL HmacSha1Final;
> + /// HMAC SHA1 - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW
> DeprecatedHmacSha1New;
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE
> DeprecatedHmacSha1Free;
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY
> DeprecatedHmacSha1SetKey;
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> DeprecatedHmacSha1Duplicate;
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE
> DeprecatedHmacSha1Update;
> + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL
> DeprecatedHmacSha1Final;
> /// HMAC SHA256
> EDKII_CRYPTO_HMAC_SHA256_NEW HmacSha256New;
> EDKII_CRYPTO_HMAC_SHA256_FREE HmacSha256Free;
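Review bot: The `/// HMAC SHA1 - deprecated and unsupported` comment in _EDKII_CRYPTO_PROTOCOL does not say why the six members are still present. The typedef comment earlier in this file gives the reason (the fields are kept for binary compatibility), so it would help to state here that these slots exist only to preserve the offsets of the members after them and must not be removed or reordered. The rename from `HmacSha1New` to `DeprecatedHmacSha1New` and so on also changes the member names that source code refers to, which is worth calling out in the commit message.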
> --
> 2.21.0.windows.1
* [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (6 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
@ 2020-05-06 23:57 ` Gao, Zhichao
2020-05-08 15:13 ` Wang, Jian J
2020-05-08 7:23 ` [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Guomin Jiang
8 siblings, 1 reply; 23+ messages in thread
From: Gao, Zhichao @ 2020-05-06 23:57 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
The binary is totally changed, so update the Crypto Version to 7:
1. Retire below deprecated functions:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Private/Protocol/Crypto.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index d167390774..4e3292ffc1 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -20,7 +20,7 @@
/// the EDK II Crypto Protocol is extended, this version define must be
/// increased.
///
-#define EDKII_CRYPTO_VERSION 6
+#define EDKII_CRYPTO_VERSION 7
///
/// EDK II Crypto Protocol forward declaration
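Review bot: The context comment above the define says the version must be increased when `the EDK II Crypto Protocol is extended`, but this bump is made for retiring services, not for extending the protocol. Update that comment in the same patch to also cover retired or deprecated members, so the rule in the header matches the reason given in the commit message.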
--
2.21.0.windows.1
* Re: [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver
2020-05-06 23:57 ` [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
@ 2020-05-08 15:13 ` Wang, Jian J
0 siblings, 0 replies; 23+ messages in thread
From: Wang, Jian J @ 2020-05-08 15:13 UTC (permalink / raw)
To: Gao, Zhichao, devel@edk2.groups.io
Cc: Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D, Yao, Jiewen
Zhichao,
You could add 'Intel' copyright in file header. With it addressed,
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto
> Driver
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> The binary is totally changed, so update the Crypto Version to 7:
> 1. Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Private/Protocol/Crypto.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index d167390774..4e3292ffc1 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -20,7 +20,7 @@
> /// the EDK II Crypto Protocol is extended, this version define must be
> /// increased.
> ///
> -#define EDKII_CRYPTO_VERSION 6
> +#define EDKII_CRYPTO_VERSION 7
>
> ///
> /// EDK II Crypto Protocol forward declaration
> --
> 2.21.0.windows.1
* Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
` (7 preceding siblings ...)
2020-05-06 23:57 ` [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
@ 2020-05-08 7:23 ` Guomin Jiang
2020-05-08 8:00 ` Dong, Eric
8 siblings, 1 reply; 23+ messages in thread
From: Guomin Jiang @ 2020-05-08 7:23 UTC (permalink / raw)
To: devel@edk2.groups.io, Gao, Zhichao
Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
Yao, Jiewen
It seems ok except for some typos, please modify them.
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> Zhichao
> Sent: Thursday, May 7, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated
> functions
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
>
> V2:
> Separate the MD5 and SHA1 changes to other patch set.
> Change the deprecated function wrapper implementation in
> EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> and assert.
>
> V3:
> Remove the missing part of deprecated functions in V2.
> Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> function is deprecated and unsupported.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>
> Zhichao Gao (8):
> CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
> CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
> CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> CryptoPkg/Crypto.h: Update the version of Crypto Driver
>
> CryptoPkg/CryptoPkg.dsc | 46 +-
> CryptoPkg/Driver/Crypto.c | 780 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 809 ------------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 7 +-
> .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 --
> .../BaseCryptLib/Cipher/CryptAesNull.c | 52 -
> .../Library/BaseCryptLib/Cipher/CryptArc4.c | 205 ---
> .../BaseCryptLib/Cipher/CryptArc4Null.c | 124 --
> .../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------
> .../BaseCryptLib/Cipher/CryptTdesNull.c | 160 ---
> .../Library/BaseCryptLib/Hash/CryptMd4.c | 223 ----
> .../Library/BaseCryptLib/Hash/CryptMd4Null.c | 143 --
> .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 216 ---
> .../BaseCryptLib/Hmac/CryptHmacMd5Null.c | 139 --
> .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ---
> .../BaseCryptLib/Hmac/CryptHmacSha1Null.c | 139 --
> .../Library/BaseCryptLib/PeiCryptLib.inf | 11 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
> CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 11 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 12 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 5 -
> .../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 -
> .../BaseCryptLibNull/Cipher/CryptArc4Null.c | 124 --
> .../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 ---
> .../BaseCryptLibNull/Hash/CryptMd4Null.c | 143 --
> .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 139 --
> .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 --
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 1157 ++---------------
> .../Library/Include/openssl/opensslconf.h | 9 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 28 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 28 -
> CryptoPkg/Private/Protocol/Crypto.h | 708 ++--------
> 35 files changed, 389 insertions(+), 6093 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
>
> --
> 2.21.0.windows.1
>
>
>
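The approach the quoted cover letter describes (retired services keep their slot in the protocol but call a common worker that reports the call), as an added sketch that is not part of this thread or of EDK II. Every name here is hypothetical, the checksum is a toy stand-in for a supported service, and returning failure from the stub is an assumption of the sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical service table, not the EDK II definitions. */
typedef int (*DIGEST_FN)(const unsigned char *in, size_t len, unsigned char out[4]);

typedef struct {
  unsigned  version;
  DIGEST_FN deprecated_md4;  /* retired: slot and order kept, only renamed */
  DIGEST_FN checksum;        /* stand-in for a service that is still supported */
} SERVICE_TABLE;

static unsigned retired_calls;  /* count of stale callers, for tests or telemetry */

/* Shared worker: report the stale call and return failure. Returning 0 is an
   assumption of this sketch; it keeps builds where asserts are compiled out
   from reporting success to the caller. */
static int service_deprecated(const char *name) {
  retired_calls++;
  fprintf(stderr, "Function %s() is deprecated and unsupported\n", name);
  return 0;
}

static int md4_retired(const unsigned char *in, size_t len, unsigned char out[4]) {
  (void)in; (void)len; (void)out;  /* the output buffer is never written */
  return service_deprecated("Md4");
}

/* Toy 4-byte XOR fold, NOT a cryptographic hash. */
static int checksum_impl(const unsigned char *in, size_t len, unsigned char out[4]) {
  memset(out, 0, 4);
  for (size_t i = 0; i < len; i++) out[i % 4] ^= in[i];
  return 1;
}

static const SERVICE_TABLE table_v7 = { 7, md4_retired, checksum_impl };

/* Consumer: refuse tables older than it was built for, propagate failure. */
static int consume(const SERVICE_TABLE *t, unsigned min_version, int want_md4,
                   const unsigned char *in, size_t len, unsigned char out[4]) {
  if (t == NULL || t->version < min_version) return 0;
  return want_md4 ? t->deprecated_md4(in, len, out) : t->checksum(in, len, out);
}
```

A caller that ignores the return value of a retired service would go on to use an unmodified output buffer, so the failure has to be checked at every call site.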
* Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions
2020-05-08 7:23 ` [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Guomin Jiang
@ 2020-05-08 8:00 ` Dong, Eric
0 siblings, 0 replies; 23+ messages in thread
From: Dong, Eric @ 2020-05-08 8:00 UTC (permalink / raw)
To: devel@edk2.groups.io, Jiang, Guomin, Gao, Zhichao
Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
Yao, Jiewen
Hi Guomin,
Where are the typos? Please point out all the typos you found; it makes it easy for Zhichao to fix all the typos.
Thanks,
Eric
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
Sent: Friday, May 8, 2020 3:24 PM
To: devel@edk2.groups.io; Gao, Zhichao <zhichao.gao@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions
It seems ok except for some typos, please modify them.
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> Zhichao
> Sent: Thursday, May 7, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated
> functions
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
>
> V2:
> Separate the MD5 and SHA1 changes to other patch set.
> Change the deprecated function wrapper implementation in
> EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> and assert.
>
> V3:
> Remove the missing part of deprecated functions in V2.
> Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> function is deprecated and unsupported.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>
> Zhichao Gao (8):
> CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
> CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
> CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> CryptoPkg/Crypto.h: Update the version of Crypto Driver
>
> CryptoPkg/CryptoPkg.dsc | 46 +-
> CryptoPkg/Driver/Crypto.c | 780 ++---------
> CryptoPkg/Include/Library/BaseCryptLib.h | 809 ------------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 7 +-
> .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 --
> .../BaseCryptLib/Cipher/CryptAesNull.c | 52 -
> .../Library/BaseCryptLib/Cipher/CryptArc4.c | 205 ---
> .../BaseCryptLib/Cipher/CryptArc4Null.c | 124 --
> .../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------
> .../BaseCryptLib/Cipher/CryptTdesNull.c | 160 ---
> .../Library/BaseCryptLib/Hash/CryptMd4.c | 223 ----
> .../Library/BaseCryptLib/Hash/CryptMd4Null.c | 143 --
> .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c | 216 ---
> .../BaseCryptLib/Hmac/CryptHmacMd5Null.c | 139 --
> .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ---
> .../BaseCryptLib/Hmac/CryptHmacSha1Null.c | 139 --
> .../Library/BaseCryptLib/PeiCryptLib.inf | 11 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 4 +-
> CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 11 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 4 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 12 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 4 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 5 -
> .../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 -
> .../BaseCryptLibNull/Cipher/CryptArc4Null.c | 124 --
> .../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 ---
> .../BaseCryptLibNull/Hash/CryptMd4Null.c | 143 --
> .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c | 139 --
> .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 --
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 1157 ++---------------
> .../Library/Include/openssl/opensslconf.h | 9 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 28 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 28 -
> CryptoPkg/Private/Protocol/Crypto.h | 708 ++--------
> 35 files changed, 389 insertions(+), 6093 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
>
> --
> 2.21.0.windows.1
>
>
>