From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id AD86ED806DD for ; Fri, 28 Jul 2023 06:41:59 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=lq8fgRbMZhVmKxI9hydW6fR0ETHz5DEL1wVip2VJ6No=; c=relaxed/simple; d=groups.io; h=X-Received:X-Received:X-IronPort-AV:X-IronPort-AV:X-Received:X-ExtLoop1:X-IronPort-AV:X-IronPort-AV:X-Received:From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:X-Gm-Message-State:Content-Transfer-Encoding; s=20140610; t=1690526518; v=1; b=EdPX9KAmrJ9/FdX0kUtSyJYdq1O9ZHO/CdUnHtpL6JivvJuTDRYSODasRRuPUKPc5lqbsAHk 7xgYzHx4yX7jxzMRvPR05RxVOWGV0n/Ys1cw4YHQgn7Y2hOK1Z2TrlJteFpj/XnvGnun+FWSn9l 84QCq7tWR9OelJhnD3bqg86M= X-Received: by 127.0.0.2 with SMTP id A6GUYY7687511xqf7j9CHvEw; Thu, 27 Jul 2023 23:41:58 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.100]) by mx.groups.io with SMTP id smtpd.web11.27232.1690526514264363438 for ; Thu, 27 Jul 2023 23:41:56 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10784"; a="434804354" X-IronPort-AV: E=Sophos;i="6.01,236,1684825200"; d="scan'208";a="434804354" X-Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Jul 2023 23:41:17 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10784"; a="762496138" X-IronPort-AV: E=Sophos;i="6.01,236,1684825200"; d="scan'208";a="762496138" X-Received: from liyi4-desktop.ccr.corp.intel.com ([10.239.153.10]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Jul 2023 23:41:12 -0700 From: "Li, Yi" To: devel@edk2.groups.io Cc: Yi Li , Jiewen Yao , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 15/29] CryptoPkg: use UEFI provider as default Date: Fri, 28 Jul 2023 14:40:01 +0800 Message-Id: <39b099724a543f7348a86f42a4eb640f6a467e55.1690444292.git.yi1.li@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,yi1.li@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: qrGTEOGoiOMEXR5QfL4tupV8x7686176AA= Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=EdPX9KAm; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none) Added UEFI provider which removed unused features to optimize the size of openssl3. Signed-off-by: Yi Li Cc: Jiewen Yao Cc: Xiaoyu Lu Cc: Guomin Jiang --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + .../Library/OpensslLib/OpensslLibAccel.inf | 1 + .../Library/OpensslLib/OpensslLibCrypto.inf | 1 + .../Library/OpensslLib/OpensslLibFull.inf | 1 + .../OpensslLib/OpensslLibFullAccel.inf | 1 + .../Library/OpensslLib/OpensslStub/uefiprov.c | 325 ++++++++++++++++++ 6 files changed, 330 insertions(+) create mode 100644 CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index c6f72193e7..270f96ee69 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -39,6 +39,7 @@ OpensslStub/rand_pool.c # OpensslStub/SslNull.c OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c [Packages] MdePkg/MdePkg.dec diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf b/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf index 98fcad47dc..3bd3dfd37a 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf @@ -41,6 +41,7 @@ OpensslStub/rand_pool.c # OpensslStub/SslNull.c OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c [Sources.IA32] # Autogenerated files list starts here diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf index 861f42c3d8..581f556eb2 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf @@ -40,6 +40,7 @@ OpensslStub/rand_pool.c OpensslStub/SslNull.c OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c [Packages] MdePkg/MdePkg.dec diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf index 7815b5fea1..0011f157eb 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf @@ -44,6 +44,7 @@ OpensslStub/rand_pool.c # OpensslStub/SslNull.c # OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c [Packages] MdePkg/MdePkg.dec diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf index 0a13bd04bf..fa8aabdccf 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf @@ -46,6 +46,7 @@ OpensslStub/rand_pool.c # OpensslStub/SslNull.c # OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c [Sources.IA32] # Autogenerated files list starts here diff --git a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c new file mode 100644 index 0000000000..55ca1563af --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c @@ -0,0 +1,325 @@ +/** @file + UEFI Openssl provider implementation. + + Copyright (c) 2022, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include "prov/bio.h" +#include "prov/provider_ctx.h" +#include "prov/providercommon.h" +#include "prov/implementations.h" +#include "prov/names.h" +#include "prov/provider_util.h" +#include "prov/seeding.h" +#include "internal/nelem.h" +#include "provider_local.h" + +OSSL_provider_init_fn ossl_uefi_provider_init; +const OSSL_PROVIDER_INFO ossl_predefined_providers[] = { + { "default", NULL, ossl_uefi_provider_init, NULL, 1 }, + { NULL, NULL, NULL, NULL, 0 } +}; + +/* + * Forward declarations to ensure that interface functions are correctly + * defined. + */ +static OSSL_FUNC_provider_gettable_params_fn deflt_gettable_params; +static OSSL_FUNC_provider_get_params_fn deflt_get_params; +static OSSL_FUNC_provider_query_operation_fn deflt_query; + +#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=default", FUNC }, CHECK } +#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) + +/* Functions provided by the core */ +static OSSL_FUNC_core_gettable_params_fn *c_gettable_params = NULL; +static OSSL_FUNC_core_get_params_fn *c_get_params = NULL; + +/* Parameters we provide to the core */ +static const OSSL_PARAM deflt_param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *deflt_gettable_params(void *provctx) +{ + return deflt_param_types; +} + +static int deflt_get_params(void *provctx, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL Default Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) + return 0; + return 1; +} + +/* + * For the algorithm names, we use the following formula for our primary + * names: + * + * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?] + * + * VERSION is only present if there are multiple versions of + * an alg (MD2, MD4, MD5). It may be omitted if there is only + * one version (if a subsequent version is released in the future, + * we can always change the canonical name, and add the old name + * as an alias). + * + * SUBNAME may be present where we are combining multiple + * algorithms together, e.g. MD5-SHA1. + * + * SIZE is only present if multiple versions of an algorithm exist + * with different sizes (e.g. AES-128-CBC, AES-256-CBC) + * + * MODE is only present where applicable. + * + * We add diverse other names where applicable, such as the names that + * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names + * we have used historically. + * + * Algorithm names are case insensitive, but we use all caps in our "canonical" + * names for consistency. + */ +static const OSSL_ALGORITHM deflt_digests[] = { + /* Our primary name:NIST name[:our older names] */ + { PROV_NAMES_SHA1, "provider=default", ossl_sha1_functions }, + { PROV_NAMES_SHA2_224, "provider=default", ossl_sha224_functions }, + { PROV_NAMES_SHA2_256, "provider=default", ossl_sha256_functions }, + { PROV_NAMES_SHA2_384, "provider=default", ossl_sha384_functions }, + { PROV_NAMES_SHA2_512, "provider=default", ossl_sha512_functions }, + +#ifndef OPENSSL_NO_SM3 + { PROV_NAMES_SM3, "provider=default", ossl_sm3_functions }, +#endif /* OPENSSL_NO_SM3 */ + +#ifndef OPENSSL_NO_MD5 + { PROV_NAMES_MD5, "provider=default", ossl_md5_functions }, +#endif /* OPENSSL_NO_MD5 */ + + { PROV_NAMES_NULL, "provider=default", ossl_nullmd_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { + ALG(PROV_NAMES_NULL, ossl_null_functions), + ALG(PROV_NAMES_AES_256_ECB, ossl_aes256ecb_functions), + ALG(PROV_NAMES_AES_192_ECB, ossl_aes192ecb_functions), + ALG(PROV_NAMES_AES_128_ECB, ossl_aes128ecb_functions), + ALG(PROV_NAMES_AES_256_CBC, ossl_aes256cbc_functions), + ALG(PROV_NAMES_AES_192_CBC, ossl_aes192cbc_functions), + ALG(PROV_NAMES_AES_128_CBC, ossl_aes128cbc_functions), + + ALG(PROV_NAMES_AES_256_CTR, ossl_aes256ctr_functions), + ALG(PROV_NAMES_AES_192_CTR, ossl_aes192ctr_functions), + ALG(PROV_NAMES_AES_128_CTR, ossl_aes128ctr_functions), + + ALG(PROV_NAMES_AES_256_GCM, ossl_aes256gcm_functions), + ALG(PROV_NAMES_AES_192_GCM, ossl_aes192gcm_functions), + ALG(PROV_NAMES_AES_128_GCM, ossl_aes128gcm_functions), + + { { NULL, NULL, NULL }, NULL } +}; +static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)]; + +static const OSSL_ALGORITHM deflt_macs[] = { + { PROV_NAMES_HMAC, "provider=default", ossl_hmac_functions }, + { PROV_NAMES_SSKDF, "provider=default", ossl_kdf_sskdf_functions }, + { PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions }, + { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_kdfs[] = { + { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_functions }, + { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_keyexch[] = { +#ifndef OPENSSL_NO_DH + { PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions }, +#endif +#ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions }, +#endif + { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions }, + { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_rands[] = { + { PROV_NAMES_CTR_DRBG, "provider=default", ossl_drbg_ctr_functions }, + { PROV_NAMES_HASH_DRBG, "provider=default", ossl_drbg_hash_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_signature[] = { + { PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions }, +#ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions }, +#endif + + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_asym_cipher[] = { + { PROV_NAMES_RSA, "provider=default", ossl_rsa_asym_cipher_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_keymgmt[] = { +#ifndef OPENSSL_NO_DH + { PROV_NAMES_DH, "provider=default", ossl_dh_keymgmt_functions, + PROV_DESCS_DH }, + { PROV_NAMES_DHX, "provider=default", ossl_dhx_keymgmt_functions, + PROV_DESCS_DHX }, +#endif + + { PROV_NAMES_RSA, "provider=default", ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, + { PROV_NAMES_RSA_PSS, "provider=default", ossl_rsapss_keymgmt_functions, + PROV_DESCS_RSA_PSS }, +#ifndef OPENSSL_NO_EC + { PROV_NAMES_EC, "provider=default", ossl_ec_keymgmt_functions, + PROV_DESCS_EC }, +#endif + { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_keymgmt_functions, + PROV_DESCS_TLS1_PRF_SIGN }, + { PROV_NAMES_HKDF, "provider=default", ossl_kdf_keymgmt_functions, + PROV_DESCS_HKDF_SIGN }, + + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM deflt_decoder[] = { +#define DECODER_PROVIDER "default" +#include "decoders.inc" + { NULL, NULL, NULL } +#undef DECODER_PROVIDER +}; + +static const OSSL_ALGORITHM *deflt_query(void *provctx, int operation_id, + int *no_cache) +{ + *no_cache = 0; + switch (operation_id) { + case OSSL_OP_DIGEST: + return deflt_digests; + case OSSL_OP_CIPHER: + return exported_ciphers; + case OSSL_OP_MAC: + return deflt_macs; + case OSSL_OP_KDF: + return deflt_kdfs; + case OSSL_OP_RAND: + return deflt_rands; + case OSSL_OP_KEYMGMT: + return deflt_keymgmt; + case OSSL_OP_KEYEXCH: + return deflt_keyexch; + case OSSL_OP_SIGNATURE: + return deflt_signature; + case OSSL_OP_ASYM_CIPHER: + return deflt_asym_cipher; + case OSSL_OP_DECODER: + return deflt_decoder; + } + return NULL; +} + + +static void deflt_teardown(void *provctx) +{ + BIO_meth_free(ossl_prov_ctx_get0_core_bio_method(provctx)); + ossl_prov_ctx_free(provctx); +} + +/* Functions we provide to the core */ +static const OSSL_DISPATCH deflt_dispatch_table[] = { + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))deflt_teardown }, + { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))deflt_gettable_params }, + { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))deflt_get_params }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))deflt_query }, + { OSSL_FUNC_PROVIDER_GET_CAPABILITIES, + (void (*)(void))ossl_prov_get_capabilities }, + { 0, NULL } +}; + +OSSL_provider_init_fn ossl_uefi_provider_init; + +int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, + void **provctx) +{ + OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL; + BIO_METHOD *corebiometh; + + if (!ossl_prov_bio_from_dispatch(in) + || !ossl_prov_seeding_from_dispatch(in)) + return 0; + for (; in->function_id != 0; in++) { + switch (in->function_id) { + case OSSL_FUNC_CORE_GETTABLE_PARAMS: + c_gettable_params = OSSL_FUNC_core_gettable_params(in); + break; + case OSSL_FUNC_CORE_GET_PARAMS: + c_get_params = OSSL_FUNC_core_get_params(in); + break; + case OSSL_FUNC_CORE_GET_LIBCTX: + c_get_libctx = OSSL_FUNC_core_get_libctx(in); + break; + default: + /* Just ignore anything we don't understand */ + break; + } + } + + if (c_get_libctx == NULL) + return 0; + + /* + * We want to make sure that all calls from this provider that requires + * a library context use the same context as the one used to call our + * functions. We do that by passing it along in the provider context. + * + * This only works for built-in providers. Most providers should + * create their own library context. + */ + if ((*provctx = ossl_prov_ctx_new()) == NULL + || (corebiometh = ossl_bio_prov_init_bio_method()) == NULL) { + ossl_prov_ctx_free(*provctx); + *provctx = NULL; + return 0; + } + ossl_prov_ctx_set0_libctx(*provctx, + (OSSL_LIB_CTX *)c_get_libctx(handle)); + ossl_prov_ctx_set0_handle(*provctx, handle); + ossl_prov_ctx_set0_core_bio_method(*provctx, corebiometh); + + *out = deflt_dispatch_table; + ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers); + + return 1; +} -- 2.31.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107355): https://edk2.groups.io/g/devel/message/107355 Mute This Topic: https://groups.io/mt/100406062/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-