From: "Xiaoyu Lu" <xiaoyux.lu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Wang, Jian J" <jian.j.wang@intel.com>
Cc: "Ye, Ting" <ting.ye@intel.com>
Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
Date: Fri, 17 May 2019 11:14:57 +0000 [thread overview]
Message-ID: <BFD21A70FD4B3446B866B6088E3259E50B95E718@SHSMSX101.ccr.corp.intel.com> (raw)
In-Reply-To: <1bd39ee7-5cf4-2897-4571-812029754475@redhat.com>
Laszlo,
I think (b) is better and have already done this.
About (b/1):
One the one hand, the implementation still need discuss later.
On the other hand:
Refer to openssl/INSTALL the meaning of --with-rand-seed=none
> none: Disable automatic seeding. This is the default
> on some operating systems where no suitable
> entropy source exists, or no support for it is
> implemented yet.
I think when --with-rand-seed=none option is set, the best way to implement rand_pool_acquire_entropy should like this:
>size_t rand_pool_acquire_entropy(RAND_POOL *pool)
>{
> return rand_pool_entropy_available(pool);
>}
>
>int rand_pool_add_nonce_data(RAND_POOL *pool)
>{
> // I think PerformanceCounter is an optional nonce.
> UINT64 data;
> data = GetPerformanceCounter();
>
> return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);>}
>
>int rand_pool_add_additional_data(RAND_POOL *pool)
>{
> return 0;
>}
With this, we handed the Rand_seed work to caller. (caller must provide safe seed).
What do you think?
Thanks,
Xiaoyu
-----Original Message-----
From: Laszlo Ersek [mailto:lersek@redhat.com]
Sent: Friday, May 17, 2019 12:32 AM
To: devel@edk2.groups.io; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Cc: Ye, Ting <ting.ye@intel.com>
Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
Hi Jian,
On 05/16/19 09:54, Xiaoyu lu wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
>
> * Update OpenSSL submodule to OpenSSL_1_1_1b
> OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>
> * Run process_files.pl script to regenerate OpensslLib[Crypto].inf
> and opensslconf.h
>
> * Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
> due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
> Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
> which was first released as part of OpenSSL_1_1_1.
>
> * Starting with OpenSSL commit 8a8d9e1905(first release in
> OpenSSL_1_1_1), the OpenSSL_version() function can no longer
> return a pointer to the string literal "compiler: information
> not available", in the case CFLAGS macro is not defined.
> Instead, the function now has a hard dependency on the global
> variable 'compiler_flags'. This variable is normally placed
> by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
> run that script whenever we build OpenSSL, therefore we
> must provide our own dummy 'compiler_flags'.
>
> * From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
> OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
> updated DRBG / RAND to request nonce and additional low entropy
> randomness from system(line 229 openssl/CHANGES).
>
> Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
> for UEFI. We must provide a method to implenet these method.
> TSC is used as first entropy source if it's availabe otherwise
> fallback to TimerLib. But we are not sure the amount of randomness
> they provide. If you really care about the security, one choice is
> overrided it with hardware generator.
>
> Add rand_pool.c to implement these functions required by OpenSSL
> rand_pool_acquire_entropy
> rand_pool_add_nonce_data
> rand_pool_add_additional_data
> rand_pool_init
> rand_pool_cleanup
> rand_pool_keep_random_devices_open
>
> And add rand_pool_noise.* for getting entropy noise from different
> architecture.
>
> * We don't need ossl_store functions. We exclude relative files
> through process_files.pl. And ossl_store_cleanup_int was first
> added in crypto/init.c OpenSSL_1_1_1(71a5516d).
> So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
> function.
>
> * BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
> And it is declared in stdio.h. So add it to CrtLibSupport.h.
> Here's a discussion about this.
> Ref: https://github.com/openssl/openssl/issues/8904
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Signed-off-by: Xiaoyu Lu <xiaoyux.lu@intel.com>
> ---
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 60 +++-
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 51 +++-
> CryptoPkg/Library/Include/CrtLibSupport.h | 13 +-
> CryptoPkg/Library/Include/openssl/opensslconf.h | 54 +++-
> CryptoPkg/Library/OpensslLib/buildinf.h | 2 +
> CryptoPkg/Library/OpensslLib/rand_pool_noise.h | 29 ++
> CryptoPkg/Library/OpensslLib/ossl_store.c | 17 ++
> CryptoPkg/Library/OpensslLib/rand_pool.c | 316 +++++++++++++++++++++
> CryptoPkg/Library/OpensslLib/rand_pool_noise.c | 29 ++
> CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c | 43 +++
> CryptoPkg/Library/OpensslLib/openssl | 2 +-
> 11 files changed, 584 insertions(+), 32 deletions(-) create mode
> 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.h
> create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c
> create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c
> create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.c
> create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
For this patch, I can offer two kinds of reviews:
---*---
(a) If you prefer to push this patch in the present form (that is, exactly as posted), then I will not give any official feedback tags, due to the crypto contents. I will not block the patch either, so if you and Ting are fine with the patch, it's OK for you to push it, from my side.
---*---
(b) Alternatively, you could split the patch in two halves, as follows:
(b/1) In the first half, collect all the hunks for the following files:
CryptoPkg/Library/OpensslLib/ossl_store.c
CryptoPkg/Library/OpensslLib/rand_pool.c
CryptoPkg/Library/OpensslLib/rand_pool_noise.c
CryptoPkg/Library/OpensslLib/rand_pool_noise.h
CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
plus include the commit message paragraphs about "rand_pool.c" and "ossl_store.c".
For this half (b/1), I will not give any feedback.
(b/2) In the second half, collect the rest of the changes, that is, the hunks for the following files / submodules, and the rest of the commit
message:
CryptoPkg/Library/Include/CrtLibSupport.h
CryptoPkg/Library/Include/openssl/opensslconf.h
CryptoPkg/Library/OpensslLib/OpensslLib.inf
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
CryptoPkg/Library/OpensslLib/buildinf.h
CryptoPkg/Library/OpensslLib/openssl
For the (b/2) half *ONLY*, you can add:
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---*---
It's up to you whether you pick (a) or (b).
Normally I would request a v5 series for implementing (b), but we're out of time. If the community thinks that splitting up this patch into halves (b/1) and (b/2) is too intrusive for a maintainer to do without proper review, then I suggest going with (a) -- and then I'll provide no feedback tags. (But, I will also not block the patch, see above.)
... Well, in theory anyway, Xiaoyu could very quickly submit a v5 series, splitting this patch as explained under (b). In that case, the
(b/2) half -- and *ONLY* that half -- of this patch could include my R-b at once.
So, please decide.
Thanks!
Laszlo
>
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index f4d7772c068c..62dd61969cb0 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -1,7 +1,7 @@
> ## @file
> # This module provides OpenSSL Library implementation.
> #
> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights
> reserved.<BR>
> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights
> +reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7 +15,7
> @@ [Defines]
> VERSION_STRING = 1.0
> LIBRARY_CLASS = OpensslLib
> DEFINE OPENSSL_PATH = openssl
> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
>
> #
> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64
> @@ -32,6 +32,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
> + $(OPENSSL_PATH)/crypto/aria/aria.c
> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
> $(OPENSSL_PATH)/crypto/asn1/a_digest.c
> @@ -54,6 +55,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
> @@ -172,6 +174,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
> $(OPENSSL_PATH)/crypto/cpt_err.c
> $(OPENSSL_PATH)/crypto/cryptlib.c
> + $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> @@ -189,7 +192,6 @@ [Sources]
> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c
> $(OPENSSL_PATH)/crypto/des/set_key.c
> $(OPENSSL_PATH)/crypto/des/str2key.c
> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> @@ -206,6 +208,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
> $(OPENSSL_PATH)/crypto/dh/dh_prn.c
> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
> $(OPENSSL_PATH)/crypto/dso/dso_dl.c
> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
> $(OPENSSL_PATH)/crypto/dso/dso_err.c
> @@ -228,6 +231,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/e_aes.c
> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
> + $(OPENSSL_PATH)/crypto/evp/e_aria.c
> $(OPENSSL_PATH)/crypto/evp/e_bf.c
> $(OPENSSL_PATH)/crypto/evp/e_camellia.c
> $(OPENSSL_PATH)/crypto/evp/e_cast.c
> @@ -242,6 +246,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
> $(OPENSSL_PATH)/crypto/evp/e_rc5.c
> $(OPENSSL_PATH)/crypto/evp/e_seed.c
> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c
> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
> $(OPENSSL_PATH)/crypto/evp/encode.c
> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
> @@ -259,6 +264,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/m_null.c
> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
> $(OPENSSL_PATH)/crypto/evp/m_sha1.c
> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c
> $(OPENSSL_PATH)/crypto/evp/m_sigver.c
> $(OPENSSL_PATH)/crypto/evp/m_wp.c
> $(OPENSSL_PATH)/crypto/evp/names.c
> @@ -271,10 +277,10 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/p_seal.c
> $(OPENSSL_PATH)/crypto/evp/p_sign.c
> $(OPENSSL_PATH)/crypto/evp/p_verify.c
> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
> - $(OPENSSL_PATH)/crypto/evp/scrypt.c
> $(OPENSSL_PATH)/crypto/ex_data.c
> $(OPENSSL_PATH)/crypto/getenv.c
> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
> @@ -283,6 +289,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/init.c
> $(OPENSSL_PATH)/crypto/kdf/hkdf.c
> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c
> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
> $(OPENSSL_PATH)/crypto/lhash/lhash.c
> @@ -360,14 +367,14 @@ [Sources]
> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
> - $(OPENSSL_PATH)/crypto/rand/md_rand.c
> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
> $(OPENSSL_PATH)/crypto/rand/rand_egd.c
> $(OPENSSL_PATH)/crypto/rand/rand_err.c
> $(OPENSSL_PATH)/crypto/rand/rand_lib.c
> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
> $(OPENSSL_PATH)/crypto/rand/rand_win.c
> - $(OPENSSL_PATH)/crypto/rand/randfile.c
> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
> @@ -379,8 +386,8 @@ [Sources]
> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
> @@ -392,15 +399,27 @@ [Sources]
> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c
> $(OPENSSL_PATH)/crypto/sha/sha1_one.c
> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
> $(OPENSSL_PATH)/crypto/sha/sha256.c
> $(OPENSSL_PATH)/crypto/sha/sha512.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> + $(OPENSSL_PATH)/crypto/sm3/sm3.c
> + $(OPENSSL_PATH)/crypto/sm4/sm4.c
> $(OPENSSL_PATH)/crypto/stack/stack.c
> $(OPENSSL_PATH)/crypto/threads_none.c
> $(OPENSSL_PATH)/crypto/threads_pthread.c
> $(OPENSSL_PATH)/crypto/threads_win.c
> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
> + $(OPENSSL_PATH)/crypto/ui/ui_err.c
> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c
> + $(OPENSSL_PATH)/crypto/ui/ui_null.c
> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
> + $(OPENSSL_PATH)/crypto/ui/ui_util.c
> $(OPENSSL_PATH)/crypto/uid.c
> $(OPENSSL_PATH)/crypto/x509/by_dir.c
> $(OPENSSL_PATH)/crypto/x509/by_file.c
> @@ -445,6 +464,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
> @@ -479,12 +499,14 @@ [Sources]
> $(OPENSSL_PATH)/ssl/d1_msg.c
> $(OPENSSL_PATH)/ssl/d1_srtp.c
> $(OPENSSL_PATH)/ssl/methods.c
> + $(OPENSSL_PATH)/ssl/packet.c
> $(OPENSSL_PATH)/ssl/pqueue.c
> $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c
> $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c
> $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c
> $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c
> $(OPENSSL_PATH)/ssl/record/ssl3_record.c
> + $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c
> $(OPENSSL_PATH)/ssl/s3_cbc.c
> $(OPENSSL_PATH)/ssl/s3_enc.c
> $(OPENSSL_PATH)/ssl/s3_lib.c
> @@ -502,25 +524,45 @@ [Sources]
> $(OPENSSL_PATH)/ssl/ssl_stat.c
> $(OPENSSL_PATH)/ssl/ssl_txt.c
> $(OPENSSL_PATH)/ssl/ssl_utst.c
> + $(OPENSSL_PATH)/ssl/statem/extensions.c
> + $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
> + $(OPENSSL_PATH)/ssl/statem/extensions_cust.c
> + $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
> $(OPENSSL_PATH)/ssl/statem/statem.c
> $(OPENSSL_PATH)/ssl/statem/statem_clnt.c
> $(OPENSSL_PATH)/ssl/statem/statem_dtls.c
> $(OPENSSL_PATH)/ssl/statem/statem_lib.c
> $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
> $(OPENSSL_PATH)/ssl/t1_enc.c
> - $(OPENSSL_PATH)/ssl/t1_ext.c
> $(OPENSSL_PATH)/ssl/t1_lib.c
> - $(OPENSSL_PATH)/ssl/t1_reneg.c
> $(OPENSSL_PATH)/ssl/t1_trce.c
> + $(OPENSSL_PATH)/ssl/tls13_enc.c
> $(OPENSSL_PATH)/ssl/tls_srp.c
> # Autogenerated files list ends here
>
> + ossl_store.c
> + rand_pool.c
> +
> +[Sources.Ia32]
> + rand_pool_noise_tsc.c
> +
> +[Sources.X64]
> + rand_pool_noise_tsc.c
> +
> +[Sources.ARM]
> + rand_pool_noise.c
> +
> +[Sources.AARCH64]
> + rand_pool_noise.c
> +
> [Packages]
> MdePkg/MdePkg.dec
> CryptoPkg/CryptoPkg.dec
>
> [LibraryClasses]
> + BaseLib
> DebugLib
> + TimerLib
>
> [LibraryClasses.ARM]
> ArmSoftFloatLib
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index fd12d112edb2..49599a42d180 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -1,7 +1,7 @@
> ## @file
> # This module provides OpenSSL Library implementation.
> #
> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights
> reserved.<BR>
> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights
> +reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7 +15,7
> @@ [Defines]
> VERSION_STRING = 1.0
> LIBRARY_CLASS = OpensslLib
> DEFINE OPENSSL_PATH = openssl
> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
>
> #
> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64
> @@ -32,6 +32,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
> + $(OPENSSL_PATH)/crypto/aria/aria.c
> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
> $(OPENSSL_PATH)/crypto/asn1/a_digest.c
> @@ -54,6 +55,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
> @@ -172,6 +174,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
> $(OPENSSL_PATH)/crypto/cpt_err.c
> $(OPENSSL_PATH)/crypto/cryptlib.c
> + $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> @@ -189,7 +192,6 @@ [Sources]
> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c
> $(OPENSSL_PATH)/crypto/des/set_key.c
> $(OPENSSL_PATH)/crypto/des/str2key.c
> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> @@ -206,6 +208,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
> $(OPENSSL_PATH)/crypto/dh/dh_prn.c
> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
> $(OPENSSL_PATH)/crypto/dso/dso_dl.c
> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
> $(OPENSSL_PATH)/crypto/dso/dso_err.c
> @@ -228,6 +231,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/e_aes.c
> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
> + $(OPENSSL_PATH)/crypto/evp/e_aria.c
> $(OPENSSL_PATH)/crypto/evp/e_bf.c
> $(OPENSSL_PATH)/crypto/evp/e_camellia.c
> $(OPENSSL_PATH)/crypto/evp/e_cast.c
> @@ -242,6 +246,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
> $(OPENSSL_PATH)/crypto/evp/e_rc5.c
> $(OPENSSL_PATH)/crypto/evp/e_seed.c
> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c
> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
> $(OPENSSL_PATH)/crypto/evp/encode.c
> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
> @@ -259,6 +264,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/m_null.c
> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
> $(OPENSSL_PATH)/crypto/evp/m_sha1.c
> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c
> $(OPENSSL_PATH)/crypto/evp/m_sigver.c
> $(OPENSSL_PATH)/crypto/evp/m_wp.c
> $(OPENSSL_PATH)/crypto/evp/names.c
> @@ -271,10 +277,10 @@ [Sources]
> $(OPENSSL_PATH)/crypto/evp/p_seal.c
> $(OPENSSL_PATH)/crypto/evp/p_sign.c
> $(OPENSSL_PATH)/crypto/evp/p_verify.c
> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
> - $(OPENSSL_PATH)/crypto/evp/scrypt.c
> $(OPENSSL_PATH)/crypto/ex_data.c
> $(OPENSSL_PATH)/crypto/getenv.c
> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
> @@ -283,6 +289,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/init.c
> $(OPENSSL_PATH)/crypto/kdf/hkdf.c
> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c
> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
> $(OPENSSL_PATH)/crypto/lhash/lhash.c
> @@ -360,14 +367,14 @@ [Sources]
> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
> - $(OPENSSL_PATH)/crypto/rand/md_rand.c
> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
> $(OPENSSL_PATH)/crypto/rand/rand_egd.c
> $(OPENSSL_PATH)/crypto/rand/rand_err.c
> $(OPENSSL_PATH)/crypto/rand/rand_lib.c
> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
> $(OPENSSL_PATH)/crypto/rand/rand_win.c
> - $(OPENSSL_PATH)/crypto/rand/randfile.c
> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
> @@ -379,8 +386,8 @@ [Sources]
> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
> @@ -392,15 +399,27 @@ [Sources]
> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c
> $(OPENSSL_PATH)/crypto/sha/sha1_one.c
> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
> $(OPENSSL_PATH)/crypto/sha/sha256.c
> $(OPENSSL_PATH)/crypto/sha/sha512.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> + $(OPENSSL_PATH)/crypto/sm3/sm3.c
> + $(OPENSSL_PATH)/crypto/sm4/sm4.c
> $(OPENSSL_PATH)/crypto/stack/stack.c
> $(OPENSSL_PATH)/crypto/threads_none.c
> $(OPENSSL_PATH)/crypto/threads_pthread.c
> $(OPENSSL_PATH)/crypto/threads_win.c
> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
> + $(OPENSSL_PATH)/crypto/ui/ui_err.c
> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c
> + $(OPENSSL_PATH)/crypto/ui/ui_null.c
> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
> + $(OPENSSL_PATH)/crypto/ui/ui_util.c
> $(OPENSSL_PATH)/crypto/uid.c
> $(OPENSSL_PATH)/crypto/x509/by_dir.c
> $(OPENSSL_PATH)/crypto/x509/by_file.c
> @@ -445,6 +464,7 @@ [Sources]
> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
> @@ -476,12 +496,29 @@ [Sources]
> $(OPENSSL_PATH)/crypto/x509v3/v3err.c
> # Autogenerated files list ends here
>
> + ossl_store.c
> + rand_pool.c
> +
> +[Sources.Ia32]
> + rand_pool_noise_tsc.c
> +
> +[Sources.X64]
> + rand_pool_noise_tsc.c
> +
> +[Sources.ARM]
> + rand_pool_noise.c
> +
> +[Sources.AARCH64]
> + rand_pool_noise.c
> +
> [Packages]
> MdePkg/MdePkg.dec
> CryptoPkg/CryptoPkg.dec
>
> [LibraryClasses]
> + BaseLib
> DebugLib
> + TimerLib
>
> [LibraryClasses.ARM]
> ArmSoftFloatLib
> diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h
> b/CryptoPkg/Library/Include/CrtLibSupport.h
> index b05c5d908ce2..5806f50f7485 100644
> --- a/CryptoPkg/Library/Include/CrtLibSupport.h
> +++ b/CryptoPkg/Library/Include/CrtLibSupport.h
> @@ -2,7 +2,7 @@
> Root include file of C runtime library to support building the third-party
> cryptographic library.
>
> -Copyright (c) 2010 - 2017, Intel Corporation. All rights
> reserved.<BR>
> +Copyright (c) 2010 - 2019, Intel Corporation. All rights
> +reserved.<BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -21,6 +21,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #define MAX_STRING_SIZE 0x1000
>
> //
> +// We already have "no-ui" in out Configure invocation.
> +// but the code still fails to compile.
> +// Ref: https://github.com/openssl/openssl/issues/8904
> +//
> +// This is defined in CRT library(stdio.h).
> +//
> +#ifndef BUFSIZ
> +#define BUFSIZ 8192
> +#endif
> +
> +//
> // OpenSSL relies on explicit configuration for word size in
> crypto/bn, // but we want it to be automatically inferred from the
> target. So we // bypass what's in <openssl/opensslconf.h> for
> OPENSSL_SYS_UEFI, and diff --git
> a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 28dd9ab93c61..07fa2d3ce280 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -10,6 +10,8 @@
> * https://www.openssl.org/source/license.html
> */
>
> +#include <openssl/opensslv.h>
> +
> #ifdef __cplusplus
> extern "C" {
> #endif
> @@ -77,18 +79,21 @@ extern "C" {
> #ifndef OPENSSL_NO_SEED
> # define OPENSSL_NO_SEED
> #endif
> +#ifndef OPENSSL_NO_SM2
> +# define OPENSSL_NO_SM2
> +#endif
> #ifndef OPENSSL_NO_SRP
> # define OPENSSL_NO_SRP
> #endif
> #ifndef OPENSSL_NO_TS
> # define OPENSSL_NO_TS
> #endif
> -#ifndef OPENSSL_NO_UI
> -# define OPENSSL_NO_UI
> -#endif
> #ifndef OPENSSL_NO_WHIRLPOOL
> # define OPENSSL_NO_WHIRLPOOL
> #endif
> +#ifndef OPENSSL_RAND_SEED_NONE
> +# define OPENSSL_RAND_SEED_NONE
> +#endif
> #ifndef OPENSSL_NO_AFALGENG
> # define OPENSSL_NO_AFALGENG
> #endif
> @@ -122,6 +127,9 @@ extern "C" {
> #ifndef OPENSSL_NO_DEPRECATED
> # define OPENSSL_NO_DEPRECATED
> #endif
> +#ifndef OPENSSL_NO_DEVCRYPTOENG
> +# define OPENSSL_NO_DEVCRYPTOENG
> +#endif
> #ifndef OPENSSL_NO_DGRAM
> # define OPENSSL_NO_DGRAM
> #endif
> @@ -155,6 +163,9 @@ extern "C" {
> #ifndef OPENSSL_NO_ERR
> # define OPENSSL_NO_ERR
> #endif
> +#ifndef OPENSSL_NO_EXTERNAL_TESTS
> +# define OPENSSL_NO_EXTERNAL_TESTS
> +#endif
> #ifndef OPENSSL_NO_FILENAMES
> # define OPENSSL_NO_FILENAMES
> #endif
> @@ -209,15 +220,24 @@ extern "C" {
> #ifndef OPENSSL_NO_TESTS
> # define OPENSSL_NO_TESTS
> #endif
> +#ifndef OPENSSL_NO_TLS1_3
> +# define OPENSSL_NO_TLS1_3
> +#endif
> #ifndef OPENSSL_NO_UBSAN
> # define OPENSSL_NO_UBSAN
> #endif
> +#ifndef OPENSSL_NO_UI_CONSOLE
> +# define OPENSSL_NO_UI_CONSOLE
> +#endif
> #ifndef OPENSSL_NO_UNIT_TEST
> # define OPENSSL_NO_UNIT_TEST
> #endif
> #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
> # define OPENSSL_NO_WEAK_SSL_CIPHERS
> #endif
> +#ifndef OPENSSL_NO_DYNAMIC_ENGINE
> +# define OPENSSL_NO_DYNAMIC_ENGINE
> +#endif
> #ifndef OPENSSL_NO_AFALGENG
> # define OPENSSL_NO_AFALGENG
> #endif
> @@ -236,15 +256,11 @@ extern "C" {
> * functions.
> */
> #ifndef DECLARE_DEPRECATED
> -# if defined(OPENSSL_NO_DEPRECATED)
> -# define DECLARE_DEPRECATED(f)
> -# else
> -# define DECLARE_DEPRECATED(f) f;
> -# ifdef __GNUC__
> -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
> -# undef DECLARE_DEPRECATED
> -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
> -# endif
> +# define DECLARE_DEPRECATED(f) f;
> +# ifdef __GNUC__
> +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
> +# undef DECLARE_DEPRECATED
> +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
> # endif
> # endif
> #endif
> @@ -268,6 +284,18 @@ extern "C" {
> # define OPENSSL_API_COMPAT OPENSSL_MIN_API #endif
>
> +/*
> + * Do not deprecate things to be deprecated in version 1.2.0 before
> +the
> + * OpenSSL version number matches.
> + */
> +#if OPENSSL_VERSION_NUMBER < 0x10200000L
> +# define DEPRECATEDIN_1_2_0(f) f;
> +#elif OPENSSL_API_COMPAT < 0x10200000L
> +# define DEPRECATEDIN_1_2_0(f) DECLARE_DEPRECATED(f)
> +#else
> +# define DEPRECATEDIN_1_2_0(f)
> +#endif
> +
> #if OPENSSL_API_COMPAT < 0x10100000L
> # define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f)
> #else
> @@ -286,8 +314,6 @@ extern "C" {
> # define DEPRECATEDIN_0_9_8(f)
> #endif
>
> -
> -
> /* Generate 80386 code? */
> #undef I386_ONLY
>
> diff --git a/CryptoPkg/Library/OpensslLib/buildinf.h
> b/CryptoPkg/Library/OpensslLib/buildinf.h
> index c5ca293c729f..b840c8656a28 100644
> --- a/CryptoPkg/Library/OpensslLib/buildinf.h
> +++ b/CryptoPkg/Library/OpensslLib/buildinf.h
> @@ -1,2 +1,4 @@
> #define PLATFORM "UEFI"
> #define DATE "Fri Dec 22 01:23:45 PDT 2017"
> +
> +const char * compiler_flags = "compiler: information not available
> +from edk2";
> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
> new file mode 100644
> index 000000000000..75acc686a9f1
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
> @@ -0,0 +1,29 @@
> +/** @file
> + Provide rand noise source.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __RAND_POOL_NOISE_H__
> +#define __RAND_POOL_NOISE_H__
> +
> +#include <Uefi/UefiBaseType.h>
> +
> +/**
> + Get 64-bit noise source.
> +
> + @param[out] Rand Buffer pointer to store 64-bit noise source
> +
> + @retval TRUE Get randomness successfully.
> + @retval FALSE Failed to generate
> +**/
> +BOOLEAN
> +EFIAPI
> +GetRandomNoise64 (
> + OUT UINT64 *Rand
> + );
> +
> +
> +#endif // __RAND_POOL_NOISE_H__
> diff --git a/CryptoPkg/Library/OpensslLib/ossl_store.c
> b/CryptoPkg/Library/OpensslLib/ossl_store.c
> new file mode 100644
> index 000000000000..29e1506048e3
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/ossl_store.c
> @@ -0,0 +1,17 @@
> +/** @file
> + Dummy implement ossl_store(Store retrieval functions) for UEFI.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +/*
> + * This function is cleanup ossl store.
> + *
> + * Dummy Implement for UEFI
> + */
> +void ossl_store_cleanup_int(void)
> +{
> +}
> +
> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c
> b/CryptoPkg/Library/OpensslLib/rand_pool.c
> new file mode 100644
> index 000000000000..9d2a4ad13823
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
> @@ -0,0 +1,316 @@
> +/** @file
> + OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
> + The file implement these functions.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include "internal/rand_int.h"
> +#include <openssl/aes.h>
> +
> +#include <Uefi.h>
> +#include <Library/TimerLib.h>
> +
> +#include "rand_pool_noise.h"
> +
> +/**
> + Get some randomness from low-order bits of GetPerformanceCounter results.
> + And combine them to the 64-bit value
> +
> + @param[out] Rand Buffer pointer to store the 64-bit random value.
> +
> + @retval TRUE Random number generated successfully.
> + @retval FALSE Failed to generate.
> +**/
> +STATIC
> +BOOLEAN
> +EFIAPI
> +GetRandNoise64FromPerformanceCounter(
> + OUT UINT64 *Rand
> + )
> +{
> + UINT32 Index;
> + UINT32 *RandPtr;
> +
> + if (NULL == Rand) {
> + return FALSE;
> + }
> +
> + RandPtr = (UINT32 *) Rand;
> +
> + for (Index = 0; Index < 2; Index ++) {
> + *RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
> + MicroSecondDelay (10);
> + RandPtr++;
> + }
> +
> + return TRUE;
> +}
> +
> +/**
> + Calls RandomNumber64 to fill
> + a buffer of arbitrary size with random bytes.
> +
> + @param[in] Length Size of the buffer, in bytes, to fill with.
> + @param[out] RandBuffer Pointer to the buffer to store the random result.
> +
> + @retval EFI_SUCCESS Random bytes generation succeeded.
> + @retval EFI_NOT_READY Failed to request random bytes.
> +
> +**/
> +STATIC
> +BOOLEAN
> +EFIAPI
> +RandGetBytes (
> + IN UINTN Length,
> + OUT UINT8 *RandBuffer
> + )
> +{
> + BOOLEAN Ret;
> + UINT64 TempRand;
> +
> + Ret = FALSE;
> +
> + while (Length > 0) {
> + //
> + // Get random noise from platform.
> + // If it failed, fallback to PerformanceCounter
> + // If you really care about security, you must override
> + // GetRandomNoise64FromPlatform.
> + //
> + Ret = GetRandomNoise64 (&TempRand);
> + if (Ret == FALSE) {
> + Ret = GetRandNoise64FromPerformanceCounter (&TempRand);
> + }
> + if (!Ret) {
> + return Ret;
> + }
> + if (Length >= sizeof (TempRand)) {
> + *((UINT64*) RandBuffer) = TempRand;
> + RandBuffer += sizeof (UINT64);
> + Length -= sizeof (TempRand);
> + } else {
> + CopyMem (RandBuffer, &TempRand, Length);
> + Length = 0;
> + }
> + }
> +
> + return Ret;
> +}
> +
> +/**
> + Creates a 128bit random value that is fully forward and backward
> +prediction resistant,
> + suitable for seeding a NIST SP800-90 Compliant.
> + This function takes multiple random numbers from PerformanceCounter
> +to ensure reseeding
> + and performs AES-CBC-MAC over the data to compute the seed value.
> +
> + @param[out] SeedBuffer Pointer to a 128bit buffer to store the random seed.
> +
> + @retval TRUE Random seed generation succeeded.
> + @retval FALSE Failed to request random bytes.
> +
> +**/
> +STATIC
> +BOOLEAN
> +EFIAPI
> +RandGetSeed128 (
> + OUT UINT8 *SeedBuffer
> + )
> +{
> + BOOLEAN Ret;
> + UINT8 RandByte[16];
> + UINT8 Key[16];
> + UINT8 Ffv[16];
> + UINT8 Xored[16];
> + UINT32 Index;
> + UINT32 Index2;
> + AES_KEY AESKey;
> +
> + //
> + // Chose an arbitary key and zero the feed_forward_value (FFV) //
> + for (Index = 0; Index < 16; Index++) {
> + Key[Index] = (UINT8) Index;
> + Ffv[Index] = 0;
> + }
> +
> + AES_set_encrypt_key (Key, 16 * 8, &AESKey);
> +
> + //
> + // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps between
> + 128 bit value // The 10us gaps will ensure multiple reseeds within
> + the system time with a large // design margin.
> + //
> + for (Index = 0; Index < 32; Index++) {
> + MicroSecondDelay (10);
> + Ret = RandGetBytes (16, RandByte);
> + if (!Ret) {
> + return Ret;
> + }
> +
> + //
> + // Perform XOR operations on two 128-bit value.
> + //
> + for (Index2 = 0; Index2 < 16; Index2++) {
> + Xored[Index2] = RandByte[Index2] ^ Ffv[Index2];
> + }
> +
> + AES_encrypt (Xored, Ffv, &AESKey); }
> +
> + for (Index = 0; Index < 16; Index++) {
> + SeedBuffer[Index] = Ffv[Index];
> + }
> +
> + return Ret;
> +}
> +
> +/**
> + Generate high-quality entropy source.
> +
> + @param[in] Length Size of the buffer, in bytes, to fill with.
> + @param[out] Entropy Pointer to the buffer to store the entropy data.
> +
> + @retval EFI_SUCCESS Entropy generation succeeded.
> + @retval EFI_NOT_READY Failed to request random data.
> +
> +**/
> +STATIC
> +BOOLEAN
> +EFIAPI
> +RandGenerateEntropy (
> + IN UINTN Length,
> + OUT UINT8 *Entropy
> + )
> +{
> + BOOLEAN Ret;
> + UINTN BlockCount;
> + UINT8 Seed[16];
> + UINT8 *Ptr;
> +
> + BlockCount = Length / 16;
> + Ptr = (UINT8 *) Entropy;
> +
> + //
> + // Generate high-quality seed for DRBG Entropy // while
> + (BlockCount > 0) {
> + Ret = RandGetSeed128 (Seed);
> + if (!Ret) {
> + return Ret;
> + }
> + CopyMem (Ptr, Seed, 16);
> +
> + BlockCount--;
> + Ptr = Ptr + 16;
> + }
> +
> + //
> + // Populate the remained data as request.
> + //
> + Ret = RandGetSeed128 (Seed);
> + if (!Ret) {
> + return Ret;
> + }
> + CopyMem (Ptr, Seed, (Length % 16));
> +
> + return Ret;
> +}
> +
> +/*
> + * Add random bytes to the pool to acquire requested amount of
> +entropy
> + *
> + * This function is platform specific and tries to acquire the
> +requested
> + * amount of entropy by polling platform specific entropy sources.
> + *
> + * This is OpenSSL required interface.
> + */
> +size_t rand_pool_acquire_entropy(RAND_POOL *pool) {
> + BOOLEAN Ret;
> + size_t bytes_needed;
> + unsigned char * buffer;
> +
> + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
> + if (bytes_needed > 0) {
> + buffer = rand_pool_add_begin(pool, bytes_needed);
> +
> + if (buffer != NULL) {
> + Ret = RandGenerateEntropy(bytes_needed, buffer);
> + if (FALSE == Ret) {
> + rand_pool_add_end(pool, 0, 0);
> + } else {
> + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
> + }
> + }
> + }
> +
> + return rand_pool_entropy_available(pool);
> +}
> +
> +/*
> + * Implementation for UEFI
> + *
> + * This is OpenSSL required interface.
> + */
> +int rand_pool_add_nonce_data(RAND_POOL *pool) {
> + struct {
> + UINT64 Rand;
> + UINT64 TimerValue;
> + } data = { 0 };
> +
> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue =
> + GetPerformanceCounter();
> +
> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
> +}
> +
> +/*
> + * Implementation for UEFI
> + *
> + * This is OpenSSL required interface.
> + */
> +int rand_pool_add_additional_data(RAND_POOL *pool) {
> + struct {
> + UINT64 Rand;
> + UINT64 TimerValue;
> + } data = { 0 };
> +
> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue =
> + GetPerformanceCounter();
> +
> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data), 0);
> +}
> +
> +/*
> + * Dummy Implememtation for UEFI
> + *
> + * This is OpenSSL required interface.
> + */
> +int rand_pool_init(void)
> +{
> + return 1;
> +}
> +
> +/*
> + * Dummy Implememtation for UEFI
> + *
> + * This is OpenSSL required interface.
> + */
> +void rand_pool_cleanup(void)
> +{
> +}
> +
> +/*
> + * Dummy Implememtation for UEFI
> + *
> + * This is OpenSSL required interface.
> + */
> +void rand_pool_keep_random_devices_open(int keep) { }
> +
> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
> new file mode 100644
> index 000000000000..c16ed8b45496
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
> @@ -0,0 +1,29 @@
> +/** @file
> + Provide rand noise source.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseLib.h>
> +
> +/**
> + Get 64-bit noise source
> +
> + @param[out] Rand Buffer pointer to store 64-bit noise source
> +
> + @retval FALSE Failed to generate
> +**/
> +BOOLEAN
> +EFIAPI
> +GetRandomNoise64 (
> + OUT UINT64 *Rand
> + )
> +{
> + //
> + // Return FALSE will fallback to use PerformaceCounter to
> + // generate noise.
> + //
> + return FALSE;
> +}
> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
> b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
> new file mode 100644
> index 000000000000..4158106231fd
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
> @@ -0,0 +1,43 @@
> +/** @file
> + Provide rand noise source.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/TimerLib.h>
> +
> +/**
> + Get 64-bit noise source
> +
> + @param[out] Rand Buffer pointer to store 64-bit noise source
> +
> + @retval TRUE Get randomness successfully.
> + @retval FALSE Failed to generate
> +**/
> +BOOLEAN
> +EFIAPI
> +GetRandomNoise64 (
> + OUT UINT64 *Rand
> + )
> +{
> + UINT32 Index;
> + UINT32 *RandPtr;
> +
> + if (NULL == Rand) {
> + return FALSE;
> + }
> +
> + RandPtr = (UINT32 *)Rand;
> +
> + for (Index = 0; Index < 2; Index ++) {
> + *RandPtr = (UINT32) ((AsmReadTsc ()) & 0xFF);
> + RandPtr++;
> + MicroSecondDelay (10);
> + }
> +
> + return TRUE;
> +}
> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> b/CryptoPkg/Library/OpensslLib/openssl
> index 74f2d9c1ec5f..50eaac9f3337 160000
> --- a/CryptoPkg/Library/OpensslLib/openssl
> +++ b/CryptoPkg/Library/OpensslLib/openssl
> @@ -1 +1 @@
> -Subproject commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762
> +Subproject commit 50eaac9f3337667259de725451f201e784599687
>
next prev parent reply other threads:[~2019-05-17 11:15 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 7:54 [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
2019-05-16 7:54 ` [PATCH v4 1/7] CryptoPkg/OpensslLib: Modify process_files.pl for upgrading OpenSSL Xiaoyu lu
2019-05-16 7:54 ` [PATCH v4 2/7] CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl Xiaoyu lu
2019-05-16 15:51 ` [edk2-devel] " Laszlo Ersek
2019-05-16 7:54 ` [PATCH v4 3/7] CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue Xiaoyu lu
2019-05-16 7:54 ` [PATCH v4 4/7] CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL Xiaoyu lu
2019-05-16 7:54 ` [PATCH v4 5/7] CryptoPkg/OpensslLib: Fix cross-build problem for AARCH64 Xiaoyu lu
2019-05-16 15:58 ` [edk2-devel] " Laszlo Ersek
2019-05-16 7:54 ` [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b Xiaoyu lu
2019-05-16 16:31 ` [edk2-devel] " Laszlo Ersek
2019-05-17 11:14 ` Xiaoyu Lu [this message]
2019-05-17 13:15 ` Laszlo Ersek
2019-05-18 7:16 ` Xiaoyu Lu
2019-05-16 7:54 ` [PATCH v4 7/7] CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible Xiaoyu lu
2019-05-16 18:25 ` [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b Laszlo Ersek
2019-05-17 5:11 ` Wang, Jian J
2019-05-17 13:04 ` Laszlo Ersek
2019-05-17 13:16 ` Laszlo Ersek
2019-05-17 15:06 ` Ard Biesheuvel
2019-05-20 1:40 ` Wang, Jian J
[not found] ` <15A0408CA29C0595.820@groups.io>
2019-05-21 7:43 ` Wang, Jian J
2019-05-21 9:01 ` Ard Biesheuvel
2019-05-21 9:09 ` Wang, Jian J
2019-05-21 12:23 ` Laszlo Ersek
2019-05-21 13:02 ` Wang, Jian J
2019-05-21 13:34 ` Laszlo Ersek
2019-05-21 13:39 ` Ard Biesheuvel
2019-05-23 5:10 ` Wang, Jian J
2019-05-17 10:12 ` Xiaoyu Lu
2019-05-17 13:08 ` Laszlo Ersek
2019-05-18 7:37 ` Xiaoyu Lu
2019-05-16 18:53 ` Laszlo Ersek
2019-05-17 5:00 ` [edk2-devel] " Wang, Jian J
2019-05-17 9:17 ` Gary Lin
2019-05-18 7:26 ` Xiaoyu Lu
2019-05-20 1:48 ` Gary Lin
2019-05-21 21:14 ` Laszlo Ersek
2019-05-22 0:10 ` Michael D Kinney
2019-05-22 9:05 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BFD21A70FD4B3446B866B6088E3259E50B95E718@SHSMSX101.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox