From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Gao, Zhichao" <zhichao.gao@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
Date: Fri, 8 May 2020 14:42:25 +0000 [thread overview]
Message-ID: <D827630B58408649ACB04F44C510003625A842B5@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <20200506235746.19500-5-zhichao.gao@intel.com>
Zhichao,
Similar comments, please refer to them in my review email for patch 3.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Tdes is not secure any longer.
> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c | 181 +--------
> CryptoPkg/Include/Library/BaseCryptLib.h | 196 ----------
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 -
> .../Library/BaseCryptLib/Cipher/CryptTdes.c | 364 ------------------
> .../BaseCryptLib/Cipher/CryptTdesNull.c | 160 --------
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/PeiCryptLib.uni | 6 +-
> CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 7 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/RuntimeCryptLib.uni | 6 +-
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 +-
> .../Library/BaseCryptLib/SmmCryptLib.uni | 6 +-
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 -
> .../BaseCryptLibNull/Cipher/CryptTdesNull.c | 160 --------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 214 ----------
> .../Library/Include/openssl/opensslconf.h | 3 +
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 21 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 21 -
> CryptoPkg/Private/Protocol/Crypto.h | 169 +-------
> 19 files changed, 53 insertions(+), 1472 deletions(-)
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 388a6e4b4b..a4106aae0b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> + TDES is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> UINTN
> EFIAPI
> -CryptoServiceTdesGetContextSize (
> +DeprecatedCryptoServiceTdesGetContextSize (
> VOID
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize,
> TdesGetContextSize, (), 0);
> + return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0;
> }
>
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesInit (
> +DeprecatedCryptoServiceTdesInit (
> OUT VOID *TdesContext,
> IN CONST UINT8 *Key,
> IN UINTN KeyLength
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key,
> KeyLength), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;
> }
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesEcbEncrypt (
> +DeprecatedCryptoServiceTdesEcbEncrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE;
> }
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesEcbDecrypt (
> +DeprecatedCryptoServiceTdesEcbDecrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE;
> }
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesCbcEncrypt (
> +DeprecatedCryptoServiceTdesCbcEncrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;
> }
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceTdesCbcDecrypt (
> +DeprecatedCryptoServiceTdesCbcDecrypt (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE;
> }
>
> /**
> @@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> CryptoServiceX509Free,
> CryptoServiceX509StackFree,
> CryptoServiceX509GetTBSCert,
> - /// TDES
> - CryptoServiceTdesGetContextSize,
> - CryptoServiceTdesInit,
> - CryptoServiceTdesEcbEncrypt,
> - CryptoServiceTdesEcbDecrypt,
> - CryptoServiceTdesCbcEncrypt,
> - CryptoServiceTdesCbcDecrypt,
> + /// TDES - deprecated and unsupported
> + DeprecatedCryptoServiceTdesGetContextSize,
> + DeprecatedCryptoServiceTdesInit,
> + DeprecatedCryptoServiceTdesEcbEncrypt,
> + DeprecatedCryptoServiceTdesEcbDecrypt,
> + DeprecatedCryptoServiceTdesCbcEncrypt,
> + DeprecatedCryptoServiceTdesCbcDecrypt,
> /// AES
> CryptoServiceAesGetContextSize,
> CryptoServiceAesInit,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 25e236c4a3..621bcfd1c4 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1278,202 +1278,6 @@ HmacSha256Final (
> // Symmetric Cryptography Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - );
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - );
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - );
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - );
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for AES operations.
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index da38ea552f..2de8e9c346 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -39,7 +39,6 @@
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> - Cipher/CryptTdes.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExt.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> deleted file mode 100644
> index fd799f3398..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> +++ /dev/null
> @@ -1,364 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/des.h>
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - //
> - // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3
> each.
> - //
> - return (UINTN) (3 * sizeof (DES_key_schedule));
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength !=
> 128 && KeyLength != 192)) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - //
> - // If input Key is a weak key, return error.
> - //
> - if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
> -
> - if (KeyLength == 64) {
> - CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
> - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> - return TRUE;
> - }
> -
> - if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
> -
> - if (KeyLength == 128) {
> - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> - return TRUE;
> - }
> -
> - if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
> - return FALSE;
> - }
> -
> - DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - while (InputSize > 0) {
> - DES_ecb3_encrypt (
> - (const_DES_cblock *) Input,
> - (DES_cblock *) Output,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - DES_ENCRYPT
> - );
> - Input += TDES_BLOCK_SIZE;
> - Output += TDES_BLOCK_SIZE;
> - InputSize -= TDES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> -
> - while (InputSize > 0) {
> - DES_ecb3_encrypt (
> - (const_DES_cblock *) Input,
> - (DES_cblock *) Output,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - DES_DECRYPT
> - );
> - Input += TDES_BLOCK_SIZE;
> - Output += TDES_BLOCK_SIZE;
> - InputSize -= TDES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> - UINT8 IvecBuffer[TDES_BLOCK_SIZE];
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> - return FALSE;
> - }
> -
> - if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> - DES_ede3_cbc_encrypt (
> - Input,
> - Output,
> - (UINT32) InputSize,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - (DES_cblock *) IvecBuffer,
> - DES_ENCRYPT
> - );
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - DES_key_schedule *KeySchedule;
> - UINT8 IvecBuffer[TDES_BLOCK_SIZE];
> -
> - //
> - // Check input parameters.
> - //
> - if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> - return FALSE;
> - }
> -
> - if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> - return FALSE;
> - }
> -
> - KeySchedule = (DES_key_schedule *) TdesContext;
> - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> - DES_ede3_cbc_encrypt (
> - Input,
> - Output,
> - (UINT32) InputSize,
> - KeySchedule,
> - KeySchedule + 1,
> - KeySchedule + 2,
> - (DES_cblock *) IvecBuffer,
> - DES_DECRYPT
> - );
> -
> - return TRUE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index f43953b78c..f631f8d879 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note:
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
> # certificate handler functions, authenticode signature verification functions,
> # PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -45,7 +45,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 5abd8e8dfb..c906935d3d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> // signature verification functions, PEM handler functions, and pseudorandom
> number
> // generator functions are not supported in this instance.
> @@ -21,5 +21,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for PEIM"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> index 75a133bd0c..6f7e1971f8 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> @@ -1,7 +1,7 @@
> /** @file
> PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over
> OpenSSL.
>
> -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
>
> //
> // Add possible block-cipher descriptor for PEM data decryption.
> - // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
> + // NOTE: Only support most popular ciphers AES for the encrypted PEM.
> //
> - if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
> - return FALSE;
> - }
> if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
> return FALSE;
> }
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index f1eb099b67..672e19299c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -45,7 +45,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index 5a48d2a308..0a3bb1c04f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 3a94655775..cc3556ae3f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
> # buffer overflow or integer overflow.
> #
> # Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
> +# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
> # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> # authenticode signature verification functions are not supported in this
> instance.
> #
> @@ -44,7 +44,6 @@
> Hmac/CryptHmacSha256.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 0561f107e8..2e362c635f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,8 +6,8 @@
> // This external input must be validated carefully to avoid security issues such as
> // buffer overflow or integer overflow.
> //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
> // Diffie-Hellman functions, and authenticode signature verification functions
> are
> // not supported in this instance.
> //
> @@ -20,5 +20,5 @@
>
> #string STR_MODULE_ABSTRACT #language en-US "Cryptographic
> Library Instance for SMM driver"
>
> -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index a205c9005d..04b552f8b7 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -39,7 +39,6 @@
> Hmac/CryptHmacSha256Null.c
> Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> - Cipher/CryptTdesNull.c
> Pk/CryptRsaBasicNull.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> - TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - Return zero to indicate this interface is not supported.
> -
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - ASSERT (FALSE);
> - return 0;
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 77915bdb86..43ee4e0841 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1467,220 +1467,6 @@ HmacSha256Final (
> // Symmetric Cryptography Primitive
>
> //===============================================================
> ======================
>
> -/**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> - VOID
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
> -}
> -
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> - OUT VOID *TdesContext,
> - IN CONST UINT8 *Key,
> - IN UINTN KeyLength
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> - IN VOID *TdesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - IN CONST UINT8 *Ivec,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
> /**
> Retrieves the size, in bytes, of the context buffer required for AES operations.
>
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 22acabef87..4868cfa963 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -247,6 +247,9 @@ extern "C" {
> #ifndef OPENSSL_NO_RC4
> # define OPENSSL_NO_RC4
> #endif
> +#ifndef OPENSSL_NO_DES
> +# define OPENSSL_NO_DES
> +#endif
>
>
> /*
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index dfaefd1c08..d66f1cb03f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -178,25 +178,6 @@
> $(OPENSSL_PATH)/crypto/cryptlib.c
> $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> - $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> - $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> - $(OPENSSL_PATH)/crypto/des/des_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> - $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> - $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> - $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> - $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/set_key.c
> - $(OPENSSL_PATH)/crypto/des/str2key.c
> - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
> $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
> $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
> $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
> $(OPENSSL_PATH)/crypto/conf/conf_def.h
> $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> - $(OPENSSL_PATH)/crypto/des/des_locl.h
> - $(OPENSSL_PATH)/crypto/des/spr.h
> $(OPENSSL_PATH)/crypto/dh/dh_locl.h
> $(OPENSSL_PATH)/crypto/dso/dso_locl.h
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 080e1d9305..5788d13cf7 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -178,25 +178,6 @@
> $(OPENSSL_PATH)/crypto/cryptlib.c
> $(OPENSSL_PATH)/crypto/ctype.c
> $(OPENSSL_PATH)/crypto/cversion.c
> - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> - $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> - $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> - $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> - $(OPENSSL_PATH)/crypto/des/des_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> - $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt.c
> - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> - $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> - $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> - $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> - $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> - $(OPENSSL_PATH)/crypto/des/rand_key.c
> - $(OPENSSL_PATH)/crypto/des/set_key.c
> - $(OPENSSL_PATH)/crypto/des/str2key.c
> - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
> $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
> $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
> $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
> $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
> $(OPENSSL_PATH)/crypto/conf/conf_def.h
> $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> - $(OPENSSL_PATH)/crypto/des/des_locl.h
> - $(OPENSSL_PATH)/crypto/des/spr.h
> $(OPENSSL_PATH)/crypto/dh/dh_locl.h
> $(OPENSSL_PATH)/crypto/dso/dso_locl.h
> $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index f36c5c1aff..a30660c192 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2396,155 +2396,45 @@ BOOLEAN
>
> //===============================================================
> ======================
>
> /**
> - Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> - If this interface is not supported, then return zero.
> -
> - @return The size, in bytes, of the context buffer required for TDES operations.
> - @retval 0 This interface is not supported.
> + TDES is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> UINTN
> -(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
> VOID
> );
>
> -/**
> - Initializes user-supplied memory as TDES context for subsequent use.
> -
> - This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> - In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> - operations.
> - There are 3 key options as follows:
> - KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> - KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> - KeyLength = 192 Keying option 3: K1 != K2 != K3 (Strongest)
> -
> - If TdesContext is NULL, then return FALSE.
> - If Key is NULL, then return FALSE.
> - If KeyLength is not valid, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[out] TdesContext Pointer to TDES context being initialized.
> - @param[in] Key Pointer to the user-supplied TDES key.
> - @param[in] KeyLength Length of TDES key in bits.
> -
> - @retval TRUE TDES context initialization succeeded.
> - @retval FALSE TDES context initialization failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
> OUT VOID *TdesContext,
> IN CONST UINT8 *Key,
> IN UINTN KeyLength
> );
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the TDES decryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES encryption succeeded.
> - @retval FALSE TDES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -2552,38 +2442,9 @@ BOOLEAN
> OUT UINT8 *Output
> );
>
> -/**
> - Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> - This function performs TDES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in CBC mode.
> - InputSize must be multiple of block size (8 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - Initialization vector should be one block size (8 bytes).
> - TdesContext should be already correctly initialized by TdesInit(). Behavior with
> - invalid TDES context is undefined.
> -
> - If TdesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (8 bytes), then return FALSE.
> - If Ivec is NULL, then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] TdesContext Pointer to the TDES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[in] Ivec Pointer to initialization vector.
> - @param[out] Output Pointer to a buffer that receives the TDES encryption
> output.
> -
> - @retval TRUE TDES decryption succeeded.
> - @retval FALSE TDES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
> IN VOID *TdesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_X509_FREE X509Free;
> EDKII_CRYPTO_X509_STACK_FREE X509StackFree;
> EDKII_CRYPTO_X509_GET_TBS_CERT X509GetTBSCert;
> - /// TDES
> - EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE TdesGetContextSize;
> - EDKII_CRYPTO_TDES_INIT TdesInit;
> - EDKII_CRYPTO_TDES_ECB_ENCRYPT TdesEcbEncrypt;
> - EDKII_CRYPTO_TDES_ECB_DECRYPT TdesEcbDecrypt;
> - EDKII_CRYPTO_TDES_CBC_ENCRYPT TdesCbcEncrypt;
> - EDKII_CRYPTO_TDES_CBC_DECRYPT TdesCbcDecrypt;
> + /// TDES - deprecated and unsupported
> + DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE
> DeprecatedTdesGetContextSize;
> + DEPRECATED_EDKII_CRYPTO_TDES_INIT DeprecatedTdesInit;
> + DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT
> DeprecatedTdesEcbEncrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
> + DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
> /// AES
> EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
> EDKII_CRYPTO_AES_INIT AesInit;
> --
> 2.21.0.windows.1
next prev parent reply other threads:[~2020-05-08 14:42 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
2020-05-06 23:57 ` [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
2020-05-07 7:45 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-07 7:48 ` Philippe Mathieu-Daudé
2020-05-08 1:09 ` Gao, Zhichao
2020-05-08 12:59 ` Philippe Mathieu-Daudé
2020-05-06 23:57 ` [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
2020-05-08 15:19 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
2020-05-08 14:34 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
2020-05-07 7:51 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-08 14:42 ` Wang, Jian J [this message]
2020-05-06 23:57 ` [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
2020-05-08 14:50 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
2020-05-08 15:03 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
2020-05-08 15:11 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
2020-05-08 15:13 ` Wang, Jian J
2020-05-08 7:23 ` [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Guomin Jiang
2020-05-08 8:00 ` Dong, Eric
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D827630B58408649ACB04F44C510003625A842B5@SHSMSX107.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox