From: "Laszlo Ersek"
Date: Fri, 17 May 2019 15:15:39 +0200
Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
To: "Lu, XiaoyuX", "devel@edk2.groups.io", "Wang, Jian J"
Cc: "Ye, Ting"
Message-ID: <4e655317-cadd-4830-795a-35125c4b6594@redhat.com>

On 05/17/19 13:14, Lu, XiaoyuX wrote:
> Laszlo,
>
> I think (b) is better and have already done this.

What do you mean by "already done"? In your personal development tree perhaps?

> About (b/1):
>
> On the one hand, the implementation still needs to be discussed later.
> On the other hand:
>
> Refer to openssl/INSTALL for the meaning of --with-rand-seed=none
>
> > none: Disable automatic seeding. This is the default
> >       on some operating systems where no suitable
> >       entropy source exists, or no support for it is
> >       implemented yet.
>
> I think when --with-rand-seed=none option is set, the best way to implement rand_pool_acquire_entropy should be like this:
>
>> size_t rand_pool_acquire_entropy(RAND_POOL *pool)
>> {
>>   return rand_pool_entropy_available(pool);
>> }
>>
>> int rand_pool_add_nonce_data(RAND_POOL *pool)
>> {
>>   // I think PerformanceCounter is an optional nonce.
>>   UINT64 data;
>>   data = GetPerformanceCounter();
>>
>>   return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
>> }
>>
>> int rand_pool_add_additional_data(RAND_POOL *pool)
>> {
>>   return 0;
>> }
>
> With this, we handed the Rand_seed work to caller. (caller must provide safe seed).
>
> What do you think?

Sorry, no idea.

Thanks
Laszlo

>
> Thanks,
> Xiaoyu
>
> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Friday, May 17, 2019 12:32 AM
> To: devel@edk2.groups.io; Lu, XiaoyuX; Wang, Jian J
> Cc: Ye, Ting
> Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
>
> Hi Jian,
>
> On 05/16/19 09:54, Xiaoyu lu wrote:
>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
>>
>> * Update OpenSSL submodule to OpenSSL_1_1_1b
>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>
>> * Run process_files.pl script to regenerate OpensslLib[Crypto].inf
>>   and opensslconf.h
>>
>> * Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
>>   due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
>>   Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
>>   which was first released as part of OpenSSL_1_1_1.
>>
>> * Starting with OpenSSL commit 8a8d9e1905(first release in
>>   OpenSSL_1_1_1), the OpenSSL_version() function can no longer
>>   return a pointer to the string literal "compiler: information
>>   not available", in the case CFLAGS macro is not defined.
>>   Instead, the function now has a hard dependency on the global
>>   variable 'compiler_flags'. This variable is normally placed
>>   by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
>>   run that script whenever we build OpenSSL, therefore we
>>   must provide our own dummy 'compiler_flags'.
>>
>> * From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
>>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
>>   updated DRBG / RAND to request nonce and additional low entropy
>>   randomness from system(line 229 openssl/CHANGES).
>>
>>   Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
>>   for UEFI, we must provide a method to implement these methods.
>>   TSC is used as first entropy source if it's available otherwise
>>   fallback to TimerLib. But we are not sure the amount of randomness
>>   they provide. If you really care about the security, one choice is
>>   to override it with a hardware generator.
>>
>>   Add rand_pool.c to implement these functions required by OpenSSL
>>     rand_pool_acquire_entropy
>>     rand_pool_add_nonce_data
>>     rand_pool_add_additional_data
>>     rand_pool_init
>>     rand_pool_cleanup
>>     rand_pool_keep_random_devices_open
>>
>>   And add rand_pool_noise.* for getting entropy noise from different
>>   architecture.
>>
>> * We don't need ossl_store functions. We exclude relative files
>>   through process_files.pl. And ossl_store_cleanup_int was first
>>   added in crypto/init.c OpenSSL_1_1_1(71a5516d).
>>   So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
>>   function.
>>
>> * BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
>>   And it is declared in stdio.h. So add it to CrtLibSupport.h.
>>   Here's a discussion about this.
>>   Ref: https://github.com/openssl/openssl/issues/8904
>>
>> Cc: Jian J Wang
>> Cc: Ting Ye
>> Signed-off-by: Xiaoyu Lu
>> ---
>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  60 +++-
>>  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  51 +++-
>>  CryptoPkg/Library/Include/CrtLibSupport.h          |  13 +-
>>  CryptoPkg/Library/Include/openssl/opensslconf.h    |  54 +++-
>>  CryptoPkg/Library/OpensslLib/buildinf.h            |   2 +
>>  CryptoPkg/Library/OpensslLib/rand_pool_noise.h     |  29 ++
>>  CryptoPkg/Library/OpensslLib/ossl_store.c          |  17 ++
>>  CryptoPkg/Library/OpensslLib/rand_pool.c           | 316 +++++++++++++++++++++
>>  CryptoPkg/Library/OpensslLib/rand_pool_noise.c     |  29 ++
>>  CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c |  43 +++
>>  CryptoPkg/Library/OpensslLib/openssl               |   2 +-
>>  11 files changed, 584 insertions(+), 32 deletions(-)
>>  create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>>  create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c
>>  create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c
>>  create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>>  create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>
> For this patch, I can offer two kinds of reviews:
>
> ---*---
>
> (a) If you prefer to push this patch in the present form (that is, exactly as posted), then I will not give any official feedback tags, due to the crypto contents. I will not block the patch either, so if you and Ting are fine with the patch, it's OK for you to push it, from my side.
>
> ---*---
>
> (b) Alternatively, you could split the patch in two halves, as follows:
>
> (b/1) In the first half, collect all the hunks for the following files:
>
>   CryptoPkg/Library/OpensslLib/ossl_store.c
>   CryptoPkg/Library/OpensslLib/rand_pool.c
>   CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>   CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>   CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>
> plus include the commit message paragraphs about "rand_pool.c" and "ossl_store.c".
>
> For this half (b/1), I will not give any feedback.
>
>
> (b/2) In the second half, collect the rest of the changes, that is, the hunks for the following files / submodules, and the rest of the commit message:
>
>   CryptoPkg/Library/Include/CrtLibSupport.h
>   CryptoPkg/Library/Include/openssl/opensslconf.h
>   CryptoPkg/Library/OpensslLib/OpensslLib.inf
>   CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
>   CryptoPkg/Library/OpensslLib/buildinf.h
>   CryptoPkg/Library/OpensslLib/openssl
>
> For the (b/2) half *ONLY*, you can add:
>
> Reviewed-by: Laszlo Ersek
>
> ---*---
>
> It's up to you whether you pick (a) or (b).
>
> Normally I would request a v5 series for implementing (b), but we're out of time. If the community thinks that splitting up this patch into halves (b/1) and (b/2) is too intrusive for a maintainer to do without proper review, then I suggest going with (a) -- and then I'll provide no feedback tags. (But, I will also not block the patch, see above.)
>
> ... Well, in theory anyway, Xiaoyu could very quickly submit a v5 series, splitting this patch as explained under (b). In that case, the (b/2) half -- and *ONLY* that half -- of this patch could include my R-b at once.
>
> So, please decide.
>
> Thanks!
> Laszlo
>
>>
>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> index f4d7772c068c..62dd61969cb0 100644 >> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf >> @@ -1,7 +1,7 @@ >> ## @file >> # This module provides OpenSSL Library implementation. >> # >> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights >> reserved.
>> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights >> +reserved.
>> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7 +15,7 >> @@ [Defines] >> VERSION_STRING = 1.0 >> LIBRARY_CLASS = OpensslLib >> DEFINE OPENSSL_PATH = openssl >> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG >> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE >> >> # >> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 >> @@ -32,6 +32,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/aes/aes_misc.c >> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c >> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c >> + $(OPENSSL_PATH)/crypto/aria/aria.c >> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c >> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c >> $(OPENSSL_PATH)/crypto/asn1/a_digest.c >> @@ -54,6 +55,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c >> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c >> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c >> @@ -172,6 +174,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c >> $(OPENSSL_PATH)/crypto/cpt_err.c >> $(OPENSSL_PATH)/crypto/cryptlib.c >> + $(OPENSSL_PATH)/crypto/ctype.c >> $(OPENSSL_PATH)/crypto/cversion.c >> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c >> $(OPENSSL_PATH)/crypto/des/cbc_enc.c >> @@ -189,7 +192,6 @@ [Sources] >> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c >> $(OPENSSL_PATH)/crypto/des/qud_cksm.c >> $(OPENSSL_PATH)/crypto/des/rand_key.c >> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c >> $(OPENSSL_PATH)/crypto/des/set_key.c >> $(OPENSSL_PATH)/crypto/des/str2key.c >> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c 
>> @@ -206,6 +208,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c >> $(OPENSSL_PATH)/crypto/dh/dh_prn.c >> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c >> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c >> $(OPENSSL_PATH)/crypto/dso/dso_dl.c >> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c >> $(OPENSSL_PATH)/crypto/dso/dso_err.c >> @@ -228,6 +231,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/e_aes.c >> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c >> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c >> + $(OPENSSL_PATH)/crypto/evp/e_aria.c >> $(OPENSSL_PATH)/crypto/evp/e_bf.c >> $(OPENSSL_PATH)/crypto/evp/e_camellia.c >> $(OPENSSL_PATH)/crypto/evp/e_cast.c >> @@ -242,6 +246,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c >> $(OPENSSL_PATH)/crypto/evp/e_rc5.c >> $(OPENSSL_PATH)/crypto/evp/e_seed.c >> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c >> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c >> $(OPENSSL_PATH)/crypto/evp/encode.c >> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c >> @@ -259,6 +264,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/m_null.c >> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c >> $(OPENSSL_PATH)/crypto/evp/m_sha1.c >> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c >> $(OPENSSL_PATH)/crypto/evp/m_sigver.c >> $(OPENSSL_PATH)/crypto/evp/m_wp.c >> $(OPENSSL_PATH)/crypto/evp/names.c >> @@ -271,10 +277,10 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/p_seal.c >> $(OPENSSL_PATH)/crypto/evp/p_sign.c >> $(OPENSSL_PATH)/crypto/evp/p_verify.c >> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c >> - $(OPENSSL_PATH)/crypto/evp/scrypt.c >> $(OPENSSL_PATH)/crypto/ex_data.c >> $(OPENSSL_PATH)/crypto/getenv.c >> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c 
>> @@ -283,6 +289,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/init.c >> $(OPENSSL_PATH)/crypto/kdf/hkdf.c >> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c >> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c >> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c >> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c >> $(OPENSSL_PATH)/crypto/lhash/lhash.c >> @@ -360,14 +367,14 @@ [Sources] >> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c >> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c >> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c >> - $(OPENSSL_PATH)/crypto/rand/md_rand.c >> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c >> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c >> $(OPENSSL_PATH)/crypto/rand/rand_egd.c >> $(OPENSSL_PATH)/crypto/rand/rand_err.c >> $(OPENSSL_PATH)/crypto/rand/rand_lib.c >> $(OPENSSL_PATH)/crypto/rand/rand_unix.c >> $(OPENSSL_PATH)/crypto/rand/rand_vms.c >> $(OPENSSL_PATH)/crypto/rand/rand_win.c >> - $(OPENSSL_PATH)/crypto/rand/randfile.c >> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c >> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c >> @@ -379,8 +386,8 @@ [Sources] >> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c >> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c >> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c 
>> @@ -392,15 +399,27 @@ [Sources] >> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c >> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c >> $(OPENSSL_PATH)/crypto/sha/sha1_one.c >> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c >> $(OPENSSL_PATH)/crypto/sha/sha256.c >> $(OPENSSL_PATH)/crypto/sha/sha512.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c >> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c >> + $(OPENSSL_PATH)/crypto/sm3/sm3.c >> + $(OPENSSL_PATH)/crypto/sm4/sm4.c >> $(OPENSSL_PATH)/crypto/stack/stack.c >> $(OPENSSL_PATH)/crypto/threads_none.c >> $(OPENSSL_PATH)/crypto/threads_pthread.c >> $(OPENSSL_PATH)/crypto/threads_win.c >> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c >> + $(OPENSSL_PATH)/crypto/ui/ui_err.c >> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c >> + $(OPENSSL_PATH)/crypto/ui/ui_null.c >> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c >> + $(OPENSSL_PATH)/crypto/ui/ui_util.c >> $(OPENSSL_PATH)/crypto/uid.c >> $(OPENSSL_PATH)/crypto/x509/by_dir.c >> $(OPENSSL_PATH)/crypto/x509/by_file.c >> @@ -445,6 +464,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c >> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c >> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c 
>> @@ -479,12 +499,14 @@ [Sources] >> $(OPENSSL_PATH)/ssl/d1_msg.c >> $(OPENSSL_PATH)/ssl/d1_srtp.c >> $(OPENSSL_PATH)/ssl/methods.c >> + $(OPENSSL_PATH)/ssl/packet.c >> $(OPENSSL_PATH)/ssl/pqueue.c >> $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c >> $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c >> $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c >> $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c >> $(OPENSSL_PATH)/ssl/record/ssl3_record.c >> + $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c >> $(OPENSSL_PATH)/ssl/s3_cbc.c >> $(OPENSSL_PATH)/ssl/s3_enc.c >> $(OPENSSL_PATH)/ssl/s3_lib.c >> @@ -502,25 +524,45 @@ [Sources] >> $(OPENSSL_PATH)/ssl/ssl_stat.c >> $(OPENSSL_PATH)/ssl/ssl_txt.c >> $(OPENSSL_PATH)/ssl/ssl_utst.c >> + $(OPENSSL_PATH)/ssl/statem/extensions.c >> + $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c >> + $(OPENSSL_PATH)/ssl/statem/extensions_cust.c >> + $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c >> $(OPENSSL_PATH)/ssl/statem/statem.c >> $(OPENSSL_PATH)/ssl/statem/statem_clnt.c >> $(OPENSSL_PATH)/ssl/statem/statem_dtls.c >> $(OPENSSL_PATH)/ssl/statem/statem_lib.c >> $(OPENSSL_PATH)/ssl/statem/statem_srvr.c >> $(OPENSSL_PATH)/ssl/t1_enc.c >> - $(OPENSSL_PATH)/ssl/t1_ext.c >> $(OPENSSL_PATH)/ssl/t1_lib.c >> - $(OPENSSL_PATH)/ssl/t1_reneg.c >> $(OPENSSL_PATH)/ssl/t1_trce.c >> + $(OPENSSL_PATH)/ssl/tls13_enc.c >> $(OPENSSL_PATH)/ssl/tls_srp.c >> # Autogenerated files list ends here >> >> + ossl_store.c >> + rand_pool.c >> + >> +[Sources.Ia32] >> + rand_pool_noise_tsc.c >> + >> +[Sources.X64] >> + rand_pool_noise_tsc.c >> + >> +[Sources.ARM] >> + rand_pool_noise.c >> + >> +[Sources.AARCH64] >> + rand_pool_noise.c >> + >> [Packages] >> MdePkg/MdePkg.dec >> CryptoPkg/CryptoPkg.dec >> >> [LibraryClasses] >> + BaseLib >> DebugLib >> + TimerLib >> >> [LibraryClasses.ARM] >> ArmSoftFloatLib >> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf >> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf >> index fd12d112edb2..49599a42d180 100644 
>> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf >> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf >> @@ -1,7 +1,7 @@ >> ## @file >> # This module provides OpenSSL Library implementation. >> # >> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights >> reserved.
>> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights >> +reserved.
>> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7 +15,7 >> @@ [Defines] >> VERSION_STRING = 1.0 >> LIBRARY_CLASS = OpensslLib >> DEFINE OPENSSL_PATH = openssl >> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG >> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE >> >> # >> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 >> @@ -32,6 +32,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/aes/aes_misc.c >> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c >> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c >> + $(OPENSSL_PATH)/crypto/aria/aria.c >> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c >> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c >> $(OPENSSL_PATH)/crypto/asn1/a_digest.c >> @@ -54,6 +55,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c >> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c >> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c >> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c >> @@ -172,6 +174,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c >> $(OPENSSL_PATH)/crypto/cpt_err.c >> $(OPENSSL_PATH)/crypto/cryptlib.c >> + $(OPENSSL_PATH)/crypto/ctype.c >> $(OPENSSL_PATH)/crypto/cversion.c >> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c >> $(OPENSSL_PATH)/crypto/des/cbc_enc.c >> @@ -189,7 +192,6 @@ [Sources] >> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c >> $(OPENSSL_PATH)/crypto/des/qud_cksm.c >> $(OPENSSL_PATH)/crypto/des/rand_key.c >> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c >> $(OPENSSL_PATH)/crypto/des/set_key.c >> $(OPENSSL_PATH)/crypto/des/str2key.c >> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c 
>> @@ -206,6 +208,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c >> $(OPENSSL_PATH)/crypto/dh/dh_prn.c >> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c >> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c >> $(OPENSSL_PATH)/crypto/dso/dso_dl.c >> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c >> $(OPENSSL_PATH)/crypto/dso/dso_err.c >> @@ -228,6 +231,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/e_aes.c >> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c >> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c >> + $(OPENSSL_PATH)/crypto/evp/e_aria.c >> $(OPENSSL_PATH)/crypto/evp/e_bf.c >> $(OPENSSL_PATH)/crypto/evp/e_camellia.c >> $(OPENSSL_PATH)/crypto/evp/e_cast.c >> @@ -242,6 +246,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c >> $(OPENSSL_PATH)/crypto/evp/e_rc5.c >> $(OPENSSL_PATH)/crypto/evp/e_seed.c >> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c >> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c >> $(OPENSSL_PATH)/crypto/evp/encode.c >> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c >> @@ -259,6 +264,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/m_null.c >> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c >> $(OPENSSL_PATH)/crypto/evp/m_sha1.c >> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c >> $(OPENSSL_PATH)/crypto/evp/m_sigver.c >> $(OPENSSL_PATH)/crypto/evp/m_wp.c >> $(OPENSSL_PATH)/crypto/evp/names.c >> @@ -271,10 +277,10 @@ [Sources] >> $(OPENSSL_PATH)/crypto/evp/p_seal.c >> $(OPENSSL_PATH)/crypto/evp/p_sign.c >> $(OPENSSL_PATH)/crypto/evp/p_verify.c >> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c >> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c >> - $(OPENSSL_PATH)/crypto/evp/scrypt.c >> $(OPENSSL_PATH)/crypto/ex_data.c >> $(OPENSSL_PATH)/crypto/getenv.c >> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c 
>> @@ -283,6 +289,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/init.c >> $(OPENSSL_PATH)/crypto/kdf/hkdf.c >> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c >> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c >> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c >> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c >> $(OPENSSL_PATH)/crypto/lhash/lhash.c >> @@ -360,14 +367,14 @@ [Sources] >> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c >> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c >> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c >> - $(OPENSSL_PATH)/crypto/rand/md_rand.c >> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c >> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c >> $(OPENSSL_PATH)/crypto/rand/rand_egd.c >> $(OPENSSL_PATH)/crypto/rand/rand_err.c >> $(OPENSSL_PATH)/crypto/rand/rand_lib.c >> $(OPENSSL_PATH)/crypto/rand/rand_unix.c >> $(OPENSSL_PATH)/crypto/rand/rand_vms.c >> $(OPENSSL_PATH)/crypto/rand/rand_win.c >> - $(OPENSSL_PATH)/crypto/rand/randfile.c >> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c >> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c >> @@ -379,8 +386,8 @@ [Sources] >> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c >> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c >> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c 
>> @@ -392,15 +399,27 @@ [Sources] >> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c >> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c >> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c >> $(OPENSSL_PATH)/crypto/sha/sha1_one.c >> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c >> $(OPENSSL_PATH)/crypto/sha/sha256.c >> $(OPENSSL_PATH)/crypto/sha/sha512.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c >> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c >> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c >> + $(OPENSSL_PATH)/crypto/sm3/sm3.c >> + $(OPENSSL_PATH)/crypto/sm4/sm4.c >> $(OPENSSL_PATH)/crypto/stack/stack.c >> $(OPENSSL_PATH)/crypto/threads_none.c >> $(OPENSSL_PATH)/crypto/threads_pthread.c >> $(OPENSSL_PATH)/crypto/threads_win.c >> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c >> + $(OPENSSL_PATH)/crypto/ui/ui_err.c >> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c >> + $(OPENSSL_PATH)/crypto/ui/ui_null.c >> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c >> + $(OPENSSL_PATH)/crypto/ui/ui_util.c >> $(OPENSSL_PATH)/crypto/uid.c >> $(OPENSSL_PATH)/crypto/x509/by_dir.c >> $(OPENSSL_PATH)/crypto/x509/by_file.c >> @@ -445,6 +464,7 @@ [Sources] >> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c >> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c >> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c >> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c 
>> @@ -476,12 +496,29 @@ [Sources] >> $(OPENSSL_PATH)/crypto/x509v3/v3err.c >> # Autogenerated files list ends here >> >> + ossl_store.c >> + rand_pool.c >> + >> +[Sources.Ia32] >> + rand_pool_noise_tsc.c >> + >> +[Sources.X64] >> + rand_pool_noise_tsc.c >> + >> +[Sources.ARM] >> + rand_pool_noise.c >> + >> +[Sources.AARCH64] >> + rand_pool_noise.c >> + >> [Packages] >> MdePkg/MdePkg.dec >> CryptoPkg/CryptoPkg.dec >> >> [LibraryClasses] >> + BaseLib >> DebugLib >> + TimerLib >> >> [LibraryClasses.ARM] >> ArmSoftFloatLib >> diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h >> b/CryptoPkg/Library/Include/CrtLibSupport.h >> index b05c5d908ce2..5806f50f7485 100644 >> --- a/CryptoPkg/Library/Include/CrtLibSupport.h >> +++ b/CryptoPkg/Library/Include/CrtLibSupport.h >> @@ -2,7 +2,7 @@ >> Root include file of C runtime library to support building the third-party >> cryptographic library. >> >> -Copyright (c) 2010 - 2017, Intel Corporation. All rights >> reserved.
>> +Copyright (c) 2010 - 2019, Intel Corporation. All rights >> +reserved.
>> SPDX-License-Identifier: BSD-2-Clause-Patent >> >> **/ >> @@ -21,6 +21,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent >> #define MAX_STRING_SIZE 0x1000 >> >> // >> +// We already have "no-ui" in out Configure invocation. >> +// but the code still fails to compile. >> +// Ref: https://github.com/openssl/openssl/issues/8904 >> +// >> +// This is defined in CRT library(stdio.h). >> +// >> +#ifndef BUFSIZ >> +#define BUFSIZ 8192 >> +#endif >> + >> +// >> // OpenSSL relies on explicit configuration for word size in >> crypto/bn, // but we want it to be automatically inferred from the >> target. So we // bypass what's in for >> OPENSSL_SYS_UEFI, and diff --git >> a/CryptoPkg/Library/Include/openssl/opensslconf.h >> b/CryptoPkg/Library/Include/openssl/opensslconf.h >> index 28dd9ab93c61..07fa2d3ce280 100644 >> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h >> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h >> @@ -10,6 +10,8 @@ >> * https://www.openssl.org/source/license.html >> */ >> >> +#include >> + >> #ifdef __cplusplus >> extern "C" { >> #endif >> @@ -77,18 +79,21 @@ extern "C" { >> #ifndef OPENSSL_NO_SEED >> # define OPENSSL_NO_SEED >> #endif >> +#ifndef OPENSSL_NO_SM2 >> +# define OPENSSL_NO_SM2 >> +#endif >> #ifndef OPENSSL_NO_SRP >> # define OPENSSL_NO_SRP >> #endif >> #ifndef OPENSSL_NO_TS >> # define OPENSSL_NO_TS >> #endif >> -#ifndef OPENSSL_NO_UI >> -# define OPENSSL_NO_UI >> -#endif >> #ifndef OPENSSL_NO_WHIRLPOOL >> # define OPENSSL_NO_WHIRLPOOL >> #endif >> +#ifndef OPENSSL_RAND_SEED_NONE >> +# define OPENSSL_RAND_SEED_NONE >> +#endif >> #ifndef OPENSSL_NO_AFALGENG >> # define OPENSSL_NO_AFALGENG >> #endif >> @@ -122,6 +127,9 @@ extern "C" { >> #ifndef OPENSSL_NO_DEPRECATED >> # define OPENSSL_NO_DEPRECATED >> #endif >> +#ifndef OPENSSL_NO_DEVCRYPTOENG >> +# define OPENSSL_NO_DEVCRYPTOENG >> +#endif >> #ifndef OPENSSL_NO_DGRAM >> # define OPENSSL_NO_DGRAM >> #endif 
>> @@ -155,6 +163,9 @@ extern "C" { >> #ifndef OPENSSL_NO_ERR >> # define OPENSSL_NO_ERR >> #endif >> +#ifndef OPENSSL_NO_EXTERNAL_TESTS >> +# define OPENSSL_NO_EXTERNAL_TESTS >> +#endif >> #ifndef OPENSSL_NO_FILENAMES >> # define OPENSSL_NO_FILENAMES >> #endif >> @@ -209,15 +220,24 @@ extern "C" { >> #ifndef OPENSSL_NO_TESTS >> # define OPENSSL_NO_TESTS >> #endif >> +#ifndef OPENSSL_NO_TLS1_3 >> +# define OPENSSL_NO_TLS1_3 >> +#endif >> #ifndef OPENSSL_NO_UBSAN >> # define OPENSSL_NO_UBSAN >> #endif >> +#ifndef OPENSSL_NO_UI_CONSOLE >> +# define OPENSSL_NO_UI_CONSOLE >> +#endif >> #ifndef OPENSSL_NO_UNIT_TEST >> # define OPENSSL_NO_UNIT_TEST >> #endif >> #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS >> # define OPENSSL_NO_WEAK_SSL_CIPHERS >> #endif >> +#ifndef OPENSSL_NO_DYNAMIC_ENGINE >> +# define OPENSSL_NO_DYNAMIC_ENGINE >> +#endif >> #ifndef OPENSSL_NO_AFALGENG >> # define OPENSSL_NO_AFALGENG >> #endif >> @@ -236,15 +256,11 @@ extern "C" { >> * functions. >> */ >> #ifndef DECLARE_DEPRECATED >> -# if defined(OPENSSL_NO_DEPRECATED) >> -# define DECLARE_DEPRECATED(f) >> -# else >> -# define DECLARE_DEPRECATED(f) f; >> -# ifdef __GNUC__ >> -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) >> -# undef DECLARE_DEPRECATED >> -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); >> -# endif >> +# define DECLARE_DEPRECATED(f) f; >> +# ifdef __GNUC__ >> +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) >> +# undef DECLARE_DEPRECATED >> +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); >> # endif >> # endif >> #endif 
>> @@ -268,6 +284,18 @@ extern "C" { >> # define OPENSSL_API_COMPAT OPENSSL_MIN_API #endif >> >> +/* >> + * Do not deprecate things to be deprecated in version 1.2.0 before >> +the >> + * OpenSSL version number matches. >> + */ >> +#if OPENSSL_VERSION_NUMBER < 0x10200000L >> +# define DEPRECATEDIN_1_2_0(f) f; >> +#elif OPENSSL_API_COMPAT < 0x10200000L >> +# define DEPRECATEDIN_1_2_0(f) DECLARE_DEPRECATED(f) >> +#else >> +# define DEPRECATEDIN_1_2_0(f) >> +#endif >> + >> #if OPENSSL_API_COMPAT < 0x10100000L >> # define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f) >> #else >> @@ -286,8 +314,6 @@ extern "C" { >> # define DEPRECATEDIN_0_9_8(f) >> #endif >> >> - >> - >> /* Generate 80386 code? */ >> #undef I386_ONLY >> >> diff --git a/CryptoPkg/Library/OpensslLib/buildinf.h >> b/CryptoPkg/Library/OpensslLib/buildinf.h >> index c5ca293c729f..b840c8656a28 100644 >> --- a/CryptoPkg/Library/OpensslLib/buildinf.h >> +++ b/CryptoPkg/Library/OpensslLib/buildinf.h >> @@ -1,2 +1,4 @@ >> #define PLATFORM "UEFI" >> #define DATE "Fri Dec 22 01:23:45 PDT 2017" >> + >> +const char * compiler_flags = "compiler: information not available >> +from edk2"; >> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h >> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h >> new file mode 100644 >> index 000000000000..75acc686a9f1 >> --- /dev/null >> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h >> @@ -0,0 +1,29 @@ >> +/** @file >> + Provide rand noise source. >> + >> +Copyright (c) 2019, Intel Corporation. All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef __RAND_POOL_NOISE_H__ >> +#define __RAND_POOL_NOISE_H__ >> + >> +#include >> + >> +/** >> + Get 64-bit noise source. >> + >> + @param[out] Rand Buffer pointer to store 64-bit noise source >> + >> + @retval TRUE Get randomness successfully. >> + @retval FALSE Failed to generate >> +**/ >> +BOOLEAN >> +EFIAPI >> +GetRandomNoise64 ( >> + OUT UINT64 *Rand >> + ); >> + >> + >> +#endif // __RAND_POOL_NOISE_H__ >> diff --git a/CryptoPkg/Library/OpensslLib/ossl_store.c >> b/CryptoPkg/Library/OpensslLib/ossl_store.c >> new file mode 100644 >> index 000000000000..29e1506048e3 >> --- /dev/null >> +++ b/CryptoPkg/Library/OpensslLib/ossl_store.c >> @@ -0,0 +1,17 @@ >> +/** @file >> + Dummy implement ossl_store(Store retrieval functions) for UEFI. >> + >> +Copyright (c) 2019, Intel Corporation. All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +/* >> + * This function is cleanup ossl store. >> + * >> + * Dummy Implement for UEFI >> + */ >> +void ossl_store_cleanup_int(void) >> +{ >> +} >> + >> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c >> b/CryptoPkg/Library/OpensslLib/rand_pool.c >> new file mode 100644 >> index 000000000000..9d2a4ad13823 >> --- /dev/null >> +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c >> @@ -0,0 +1,316 @@ >> +/** @file >> + OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI. >> + The file implement these functions. >> + >> +Copyright (c) 2019, Intel Corporation. All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include "internal/rand_int.h" >> +#include >> + >> +#include >> +#include >> + >> +#include "rand_pool_noise.h" >> + >> +/** >> + Get some randomness from low-order bits of GetPerformanceCounter results. >> + And combine them to the 64-bit value >> + >> + @param[out] Rand Buffer pointer to store the 64-bit random value. >> + >> + @retval TRUE Random number generated successfully. >> + @retval FALSE Failed to generate. >> +**/ >> +STATIC >> +BOOLEAN >> +EFIAPI >> +GetRandNoise64FromPerformanceCounter( >> + OUT UINT64 *Rand >> + ) >> +{ >> + UINT32 Index; >> + UINT32 *RandPtr; >> + >> + if (NULL == Rand) { >> + return FALSE; >> + } >> + >> + RandPtr = (UINT32 *) Rand; >> + >> + for (Index = 0; Index < 2; Index ++) { >> + *RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF); >> + MicroSecondDelay (10); >> + RandPtr++; >> + } >> + >> + return TRUE; >> +} >> + >> +/** >> + Calls RandomNumber64 to fill >> + a buffer of arbitrary size with random bytes. >> + >> + @param[in] Length Size of the buffer, in bytes, to fill with. >> + @param[out] RandBuffer Pointer to the buffer to store the random result. >> + >> + @retval EFI_SUCCESS Random bytes generation succeeded. >> + @retval EFI_NOT_READY Failed to request random bytes. >> + >> +**/ >> +STATIC >> +BOOLEAN >> +EFIAPI >> +RandGetBytes ( >> + IN UINTN Length, >> + OUT UINT8 *RandBuffer >> + ) >> +{ >> + BOOLEAN Ret; >> + UINT64 TempRand; >> + >> + Ret = FALSE; >> + >> + while (Length > 0) { >> + // >> + // Get random noise from platform. >> + // If it failed, fallback to PerformanceCounter >> + // If you really care about security, you must override >> + // GetRandomNoise64FromPlatform. 
>> + // >> + Ret = GetRandomNoise64 (&TempRand); >> + if (Ret == FALSE) { >> + Ret = GetRandNoise64FromPerformanceCounter (&TempRand); >> + } >> + if (!Ret) { >> + return Ret; >> + } >> + if (Length >= sizeof (TempRand)) { >> + *((UINT64*) RandBuffer) = TempRand; >> + RandBuffer += sizeof (UINT64); >> + Length -= sizeof (TempRand); >> + } else { >> + CopyMem (RandBuffer, &TempRand, Length); >> + Length = 0; >> + } >> + } >> + >> + return Ret; >> +} >> + >> +/** >> + Creates a 128bit random value that is fully forward and backward >> +prediction resistant, >> + suitable for seeding a NIST SP800-90 Compliant. >> + This function takes multiple random numbers from PerformanceCounter >> +to ensure reseeding >> + and performs AES-CBC-MAC over the data to compute the seed value. >> + >> + @param[out] SeedBuffer Pointer to a 128bit buffer to store the random seed. >> + >> + @retval TRUE Random seed generation succeeded. >> + @retval FALSE Failed to request random bytes. >> + >> +**/ >> +STATIC >> +BOOLEAN >> +EFIAPI >> +RandGetSeed128 ( >> + OUT UINT8 *SeedBuffer >> + ) >> +{ >> + BOOLEAN Ret; >> + UINT8 RandByte[16]; >> + UINT8 Key[16]; >> + UINT8 Ffv[16]; >> + UINT8 Xored[16]; >> + UINT32 Index; >> + UINT32 Index2; >> + AES_KEY AESKey; >> + >> + // >> + // Chose an arbitary key and zero the feed_forward_value (FFV) // >> + for (Index = 0; Index < 16; Index++) { >> + Key[Index] = (UINT8) Index; >> + Ffv[Index] = 0; >> + } >> + >> + AES_set_encrypt_key (Key, 16 * 8, &AESKey); >> + >> + // >> + // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps between >> + 128 bit value // The 10us gaps will ensure multiple reseeds within >> + the system time with a large // design margin. >> + // >> + for (Index = 0; Index < 32; Index++) { >> + MicroSecondDelay (10); >> + Ret = RandGetBytes (16, RandByte); >> + if (!Ret) { >> + return Ret; >> + } >> + >> + // >> + // Perform XOR operations on two 128-bit value. 
>> + // >> + for (Index2 = 0; Index2 < 16; Index2++) { >> + Xored[Index2] = RandByte[Index2] ^ Ffv[Index2]; >> + } >> + >> + AES_encrypt (Xored, Ffv, &AESKey); } >> + >> + for (Index = 0; Index < 16; Index++) { >> + SeedBuffer[Index] = Ffv[Index]; >> + } >> + >> + return Ret; >> +} >> + >> +/** >> + Generate high-quality entropy source. >> + >> + @param[in] Length Size of the buffer, in bytes, to fill with. >> + @param[out] Entropy Pointer to the buffer to store the entropy data. >> + >> + @retval EFI_SUCCESS Entropy generation succeeded. >> + @retval EFI_NOT_READY Failed to request random data. >> + >> +**/ >> +STATIC >> +BOOLEAN >> +EFIAPI >> +RandGenerateEntropy ( >> + IN UINTN Length, >> + OUT UINT8 *Entropy >> + ) >> +{ >> + BOOLEAN Ret; >> + UINTN BlockCount; >> + UINT8 Seed[16]; >> + UINT8 *Ptr; >> + >> + BlockCount = Length / 16; >> + Ptr = (UINT8 *) Entropy; >> + >> + // >> + // Generate high-quality seed for DRBG Entropy // while >> + (BlockCount > 0) { >> + Ret = RandGetSeed128 (Seed); >> + if (!Ret) { >> + return Ret; >> + } >> + CopyMem (Ptr, Seed, 16); >> + >> + BlockCount--; >> + Ptr = Ptr + 16; >> + } >> + >> + // >> + // Populate the remained data as request. >> + // >> + Ret = RandGetSeed128 (Seed); >> + if (!Ret) { >> + return Ret; >> + } >> + CopyMem (Ptr, Seed, (Length % 16)); >> + >> + return Ret; >> +} >> + >> +/* >> + * Add random bytes to the pool to acquire requested amount of >> +entropy >> + * >> + * This function is platform specific and tries to acquire the >> +requested >> + * amount of entropy by polling platform specific entropy sources. >> + * >> + * This is OpenSSL required interface. 
>> + */ >> +size_t rand_pool_acquire_entropy(RAND_POOL *pool) { >> + BOOLEAN Ret; >> + size_t bytes_needed; >> + unsigned char * buffer; >> + >> + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); >> + if (bytes_needed > 0) { >> + buffer = rand_pool_add_begin(pool, bytes_needed); >> + >> + if (buffer != NULL) { >> + Ret = RandGenerateEntropy(bytes_needed, buffer); >> + if (FALSE == Ret) { >> + rand_pool_add_end(pool, 0, 0); >> + } else { >> + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); >> + } >> + } >> + } >> + >> + return rand_pool_entropy_available(pool); >> +} >> + >> +/* >> + * Implementation for UEFI >> + * >> + * This is OpenSSL required interface. >> + */ >> +int rand_pool_add_nonce_data(RAND_POOL *pool) { >> + struct { >> + UINT64 Rand; >> + UINT64 TimerValue; >> + } data = { 0 }; >> + >> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue = >> + GetPerformanceCounter(); >> + >> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0); >> +} >> + >> +/* >> + * Implementation for UEFI >> + * >> + * This is OpenSSL required interface. >> + */ >> +int rand_pool_add_additional_data(RAND_POOL *pool) { >> + struct { >> + UINT64 Rand; >> + UINT64 TimerValue; >> + } data = { 0 }; >> + >> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue = >> + GetPerformanceCounter(); >> + >> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0); >> +} >> + >> +/* >> + * Dummy Implememtation for UEFI >> + * >> + * This is OpenSSL required interface. >> + */ >> +int rand_pool_init(void) >> +{ >> + return 1; >> +} >> + >> +/* >> + * Dummy Implememtation for UEFI >> + * >> + * This is OpenSSL required interface. >> + */ >> +void rand_pool_cleanup(void) >> +{ >> +} >> + >> +/* >> + * Dummy Implememtation for UEFI >> + * >> + * This is OpenSSL required interface. >> + */ >> +void rand_pool_keep_random_devices_open(int keep) { } >> + 
>> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c >> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c >> new file mode 100644 >> index 000000000000..c16ed8b45496 >> --- /dev/null >> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c >> @@ -0,0 +1,29 @@ >> +/** @file >> + Provide rand noise source. >> + >> +Copyright (c) 2019, Intel Corporation. All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> + >> +/** >> + Get 64-bit noise source >> + >> + @param[out] Rand Buffer pointer to store 64-bit noise source >> + >> + @retval FALSE Failed to generate >> +**/ >> +BOOLEAN >> +EFIAPI >> +GetRandomNoise64 ( >> + OUT UINT64 *Rand >> + ) >> +{ >> + // >> + // Return FALSE will fallback to use PerformaceCounter to >> + // generate noise. >> + // >> + return FALSE; >> +} >> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c >> b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c >> new file mode 100644 >> index 000000000000..4158106231fd >> --- /dev/null >> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c >> @@ -0,0 +1,43 @@ >> +/** @file >> + Provide rand noise source. >> + >> +Copyright (c) 2019, Intel Corporation. All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> + >> +/** >> + Get 64-bit noise source >> + >> + @param[out] Rand Buffer pointer to store 64-bit noise source >> + >> + @retval TRUE Get randomness successfully. >> + @retval FALSE Failed to generate >> +**/ >> +BOOLEAN >> +EFIAPI >> +GetRandomNoise64 ( >> + OUT UINT64 *Rand >> + ) >> +{ >> + UINT32 Index; >> + UINT32 *RandPtr; >> + >> + if (NULL == Rand) { >> + return FALSE; >> + } >> + >> + RandPtr = (UINT32 *)Rand; >> + >> + for (Index = 0; Index < 2; Index ++) { >> + *RandPtr = (UINT32) ((AsmReadTsc ()) & 0xFF); >> + RandPtr++; >> + MicroSecondDelay (10); >> + } >> + >> + return TRUE; >> +} >> diff --git a/CryptoPkg/Library/OpensslLib/openssl >> b/CryptoPkg/Library/OpensslLib/openssl >> index 74f2d9c1ec5f..50eaac9f3337 160000 >> --- a/CryptoPkg/Library/OpensslLib/openssl >> +++ b/CryptoPkg/Library/OpensslLib/openssl >> @@ -1 +1 @@ >> -Subproject commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762 >> +Subproject commit 50eaac9f3337667259de725451f201e784599687 >> >
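Review bot: in the buildinf.h hunk, the added "const char * compiler_flags = ..." line defines a non-static object with external linkage inside a header, so a second translation unit that includes buildinf.h would produce a duplicate-symbol error at link time. Suggest declaring it "static const char compiler_flags[]" with the same string, or adding a comment naming the single source file that is expected to include this header.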
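Review bot: in rand_pool.c, rand_pool_acquire_entropy() credits full entropy with "rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed)", but the fallback GetRandNoise64FromPerformanceCounter() stores "GetPerformanceCounter () & 0xFF" into each UINT32 half, so at most 16 bits of every 64-bit TempRand can vary, and nothing in the hunk measures how unpredictable those bits are after the fixed MicroSecondDelay (10). RandGetSeed128() then runs the samples through AES CBC-MAC with the fixed key 0..15, which conditions the input but cannot add entropy, so the "fully forward and backward prediction resistant" wording in its header comment is not backed by the code shown. Suggest crediting a conservative estimate, or 0, when GetRandomNoise64() returned FALSE and only the counter fallback was used, or failing the acquire in that case. Two smaller points in the same hunk: rand_pool_add_nonce_data() and rand_pool_add_additional_data() ignore the RandGetBytes() return value, and "*((UINT64*) RandBuffer) = TempRand;" stores through a UINT8 pointer with no alignment guarantee, where CopyMem as in the else branch would be safe.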
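Review bot: GetRandomNoise64() in rand_pool_noise_tsc.c returns TRUE after storing only "AsmReadTsc () & 0xFF" into each UINT32 half, the same shape as the performance-counter fallback in rand_pool.c, so RandGetBytes() accepts a value with at most 16 varying bits as a successful 64-bit noise sample. Suggest stating in the function header how many bits per call are expected to be unpredictable and why the fixed MicroSecondDelay (10) between the two reads is sufficient, so that platform owners can judge whether they need to supply their own GetRandomNoise64.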