From: "Wang, Jian J"
To: "Gao, Zhichao", "devel@edk2.groups.io"
CC: "Lu, XiaoyuX", "Fu, Siyuan", "Kinney, Michael D", "Yao, Jiewen"
Subject: Re: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
Date: Fri, 8 May 2020 14:42:25 +0000
References: <20200506235746.19500-1-zhichao.gao@intel.com> <20200506235746.19500-5-zhichao.gao@intel.com>
In-Reply-To: <20200506235746.19500-5-zhichao.gao@intel.com>

Zhichao,

Similar comments, please refer to them in my review email for patch 3.

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J; Lu, XiaoyuX; Fu, Siyuan; Kinney, Michael D; Yao, Jiewen
> Subject: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Tdes is not secure any longer.
> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
>
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Siyuan Fu
> Cc: Michael D Kinney
> Cc: Jiewen Yao
> Signed-off-by: Zhichao Gao
> ---
>  CryptoPkg/Driver/Crypto.c                     | 181 +--------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 196 ----------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Cipher/CryptTdes.c   | 364 ------------------
>  .../BaseCryptLib/Cipher/CryptTdesNull.c       | 160 --------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
>  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |   7 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   | 160 --------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 214 ----------
>  .../Library/Include/openssl/opensslconf.h     |   3 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  21 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |  21 -
>  CryptoPkg/Private/Protocol/Crypto.h           | 169 +-------
>  19 files changed, 53 insertions(+), 1472 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 388a6e4b4b..a4106aae0b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final ( >=20 > //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > /** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - If this interface is not supported, then return zero. > - > - @return The size, in bytes, of the context buffer required for TDES o= perations. > - @retval 0 This interface is not supported. > + TDES is deprecated and unsupported any longer. > + Keep the function field for binary compability. >=20 > **/ > UINTN > EFIAPI > -CryptoServiceTdesGetContextSize ( > +DeprecatedCryptoServiceTdesGetContextSize ( > VOID > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize, > TdesGetContextSize, (), 0); > + return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0; > } >=20 > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - This function initializes user-supplied memory pointed by TdesContext = as TDES > context. > - In addition, it sets up all TDES key materials for subsequent encrypti= on and > decryption > - operations. > - There are 3 key options as follows: > - KeyLength =3D 64, Keying option 1: K1 =3D=3D K2 =3D=3D K3 (Backward c= ompatibility with > DES) > - KeyLength =3D 128, Keying option 2: K1 !=3D K2 and K3 =3D K1 (Less Sec= urity) > - KeyLength =3D 192 Keying option 3: K1 !=3D K2 !=3D K3 (Strongest) > - > - If TdesContext is NULL, then return FALSE. > - If Key is NULL, then return FALSE. > - If KeyLength is not valid, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. 
> - > - @retval TRUE TDES context initialization succeeded. > - @retval FALSE TDES context initialization failed. > - @retval FALSE This interface is not supported. > - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceTdesInit ( > +DeprecatedCryptoServiceTdesInit ( > OUT VOID *TdesContext, > IN CONST UINT8 *Key, > IN UINTN KeyLength > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, = Key, > KeyLength), FALSE); > + return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE; > } >=20 > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. 
> - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceTdesEcbEncrypt ( > +DeprecatedCryptoServiceTdesEcbEncrypt ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt, > (TdesContext, Input, InputSize, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE; > } >=20 > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. 
> - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceTdesEcbDecrypt ( > +DeprecatedCryptoServiceTdesEcbDecrypt ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt, > (TdesContext, Input, InputSize, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE; > } >=20 > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceTdesCbcEncrypt ( > +DeprecatedCryptoServiceTdesCbcEncrypt ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, 
> @@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt ( > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt, > (TdesContext, Input, InputSize, Ivec, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE; > } >=20 > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceTdesCbcDecrypt ( > +DeprecatedCryptoServiceTdesCbcDecrypt ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, 
> @@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt ( > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt, > (TdesContext, Input, InputSize, Ivec, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE; > } >=20 > /** > @@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { > CryptoServiceX509Free, > CryptoServiceX509StackFree, > CryptoServiceX509GetTBSCert, > - /// TDES > - CryptoServiceTdesGetContextSize, > - CryptoServiceTdesInit, > - CryptoServiceTdesEcbEncrypt, > - CryptoServiceTdesEcbDecrypt, > - CryptoServiceTdesCbcEncrypt, > - CryptoServiceTdesCbcDecrypt, > + /// TDES - deprecated and unsupported > + DeprecatedCryptoServiceTdesGetContextSize, > + DeprecatedCryptoServiceTdesInit, > + DeprecatedCryptoServiceTdesEcbEncrypt, > + DeprecatedCryptoServiceTdesEcbDecrypt, > + DeprecatedCryptoServiceTdesCbcEncrypt, > + DeprecatedCryptoServiceTdesCbcDecrypt, > /// AES > CryptoServiceAesGetContextSize, > CryptoServiceAesInit, > diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h > b/CryptoPkg/Include/Library/BaseCryptLib.h > index 25e236c4a3..621bcfd1c4 100644 > --- a/CryptoPkg/Include/Library/BaseCryptLib.h > +++ b/CryptoPkg/Include/Library/BaseCryptLib.h 
> @@ -1278,202 +1278,6 @@ HmacSha256Final ( > // Symmetric Cryptography Primitive >=20 > //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > -/** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - If this interface is not supported, then return zero. > - > - @return The size, in bytes, of the context buffer required for TDES o= perations. > - @retval 0 This interface is not supported. > - > -**/ > -UINTN > -EFIAPI > -TdesGetContextSize ( > - VOID > - ); > - > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - This function initializes user-supplied memory pointed by TdesContext = as TDES > context. > - In addition, it sets up all TDES key materials for subsequent encrypti= on and > decryption > - operations. > - There are 3 key options as follows: > - KeyLength =3D 64, Keying option 1: K1 =3D=3D K2 =3D=3D K3 (Backward c= ompatibility with > DES) > - KeyLength =3D 128, Keying option 2: K1 !=3D K2 and K3 =3D K1 (Less Sec= urity) > - KeyLength =3D 192 Keying option 3: K1 !=3D K2 !=3D K3 (Strongest) > - > - If TdesContext is NULL, then return FALSE. > - If Key is NULL, then return FALSE. > - If KeyLength is not valid, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval TRUE TDES context initialization succeeded. > - @retval FALSE TDES context initialization failed. > - @retval FALSE This interface is not supported. 
> - > -**/ > -BOOLEAN > -EFIAPI > -TdesInit ( > - OUT VOID *TdesContext, > - IN CONST UINT8 *Key, > - IN UINTN KeyLength > - ); > - > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ); > - > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. 
> - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ); > - > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. 
> - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ); > - > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. 
> - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ); > - > /** > Retrieves the size, in bytes, of the context buffer required for AES o= perations. >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > index da38ea552f..2de8e9c346 100644 > --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > @@ -39,7 +39,6 @@ > Hmac/CryptHmacSha256.c > Kdf/CryptHkdf.c > Cipher/CryptAes.c > - Cipher/CryptTdes.c > Pk/CryptRsaBasic.c > Pk/CryptRsaExt.c > Pk/CryptPkcs1Oaep.c > diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c > b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c > deleted file mode 100644 > index fd799f3398..0000000000 > --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c > +++ /dev/null > @@ -1,364 +0,0 @@ > -/** @file > - TDES Wrapper Implementation over OpenSSL. > - > -Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.
> -SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#include "InternalCryptLib.h" > -#include > - > -/** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - @return The size, in bytes, of the context buffer required for TDES o= perations. > - > -**/ > -UINTN > -EFIAPI > -TdesGetContextSize ( > - VOID > - ) > -{ > - // > - // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 an= d K3 > each. > - // > - return (UINTN) (3 * sizeof (DES_key_schedule)); > -} > - > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - This function initializes user-supplied memory pointed by TdesContext = as TDES > context. > - In addition, it sets up all TDES key materials for subsequent encrypti= on and > decryption > - operations. > - There are 3 key options as follows: > - KeyLength =3D 64, Keying option 1: K1 =3D=3D K2 =3D=3D K3 (Backward c= ompatibility with > DES) > - KeyLength =3D 128, Keying option 2: K1 !=3D K2 and K3 =3D K1 (Less Sec= urity) > - KeyLength =3D 192 Keying option 3: K1 !=3D K2 !=3D K3 (Strongest) > - > - If TdesContext is NULL, then return FALSE. > - If Key is NULL, then return FALSE. > - If KeyLength is not valid, then return FALSE. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval TRUE TDES context initialization succeeded. > - @retval FALSE TDES context initialization failed. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesInit ( > - OUT VOID *TdesContext, > - IN CONST UINT8 *Key, > - IN UINTN KeyLength > - ) > -{ > - DES_key_schedule *KeySchedule; > - > - // > - // Check input parameters. 
> - // > - if (TdesContext =3D=3D NULL || Key =3D=3D NULL || (KeyLength !=3D 64 &= & KeyLength !=3D > 128 && KeyLength !=3D 192)) { > - return FALSE; > - } > - > - KeySchedule =3D (DES_key_schedule *) TdesContext; > - > - // > - // If input Key is a weak key, return error. > - // > - if (DES_is_weak_key ((const_DES_cblock *) Key) =3D=3D 1) { > - return FALSE; > - } > - > - DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule); > - > - if (KeyLength =3D=3D 64) { > - CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule)); > - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule)); > - return TRUE; > - } > - > - if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) =3D=3D 1) { > - return FALSE; > - } > - > - DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1= ); > - > - if (KeyLength =3D=3D 128) { > - CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule)); > - return TRUE; > - } > - > - if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) =3D=3D 1) { > - return FALSE; > - } > - > - DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + = 2); > - > - return TRUE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. 
> - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - DES_key_schedule *KeySchedule; > - > - // > - // Check input parameters. > - // > - if (TdesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % > TDES_BLOCK_SIZE) !=3D 0 || Output =3D=3D NULL) { > - return FALSE; > - } > - > - KeySchedule =3D (DES_key_schedule *) TdesContext; > - > - while (InputSize > 0) { > - DES_ecb3_encrypt ( > - (const_DES_cblock *) Input, > - (DES_cblock *) Output, > - KeySchedule, > - KeySchedule + 1, > - KeySchedule + 2, > - DES_ENCRYPT > - ); > - Input +=3D TDES_BLOCK_SIZE; > - Output +=3D TDES_BLOCK_SIZE; > - InputSize -=3D TDES_BLOCK_SIZE; > - } > - > - return TRUE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. 
> - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - DES_key_schedule *KeySchedule; > - > - // > - // Check input parameters. > - // > - if (TdesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % > TDES_BLOCK_SIZE) !=3D 0 || Output =3D=3D NULL) { > - return FALSE; > - } > - > - KeySchedule =3D (DES_key_schedule *) TdesContext; > - > - while (InputSize > 0) { > - DES_ecb3_encrypt ( > - (const_DES_cblock *) Input, > - (DES_cblock *) Output, > - KeySchedule, > - KeySchedule + 1, > - KeySchedule + 2, > - DES_DECRYPT > - ); > - Input +=3D TDES_BLOCK_SIZE; > - Output +=3D TDES_BLOCK_SIZE; > - InputSize -=3D TDES_BLOCK_SIZE; > - } > - > - return TRUE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. 
> - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - DES_key_schedule *KeySchedule; > - UINT8 IvecBuffer[TDES_BLOCK_SIZE]; > - > - // > - // Check input parameters. > - // > - if (TdesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % > TDES_BLOCK_SIZE) !=3D 0) { > - return FALSE; > - } > - > - if (Ivec =3D=3D NULL || Output =3D=3D NULL || InputSize > INT_MAX) { > - return FALSE; > - } > - > - KeySchedule =3D (DES_key_schedule *) TdesContext; > - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE); > - > - DES_ede3_cbc_encrypt ( > - Input, > - Output, > - (UINT32) InputSize, > - KeySchedule, > - KeySchedule + 1, > - KeySchedule + 2, > - (DES_cblock *) IvecBuffer, > - DES_ENCRYPT > - ); > - > - return TRUE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. 
> - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - DES_key_schedule *KeySchedule; > - UINT8 IvecBuffer[TDES_BLOCK_SIZE]; > - > - // > - // Check input parameters. > - // > - if (TdesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % > TDES_BLOCK_SIZE) !=3D 0) { > - return FALSE; > - } > - > - if (Ivec =3D=3D NULL || Output =3D=3D NULL || InputSize > INT_MAX) { > - return FALSE; > - } > - > - KeySchedule =3D (DES_key_schedule *) TdesContext; > - CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE); > - > - DES_ede3_cbc_encrypt ( > - Input, > - Output, > - (UINT32) InputSize, > - KeySchedule, > - KeySchedule + 1, > - KeySchedule + 2, > - (DES_cblock *) IvecBuffer, > - DES_DECRYPT > - ); > - > - return TRUE; > -} > - > diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c > b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c > deleted file mode 100644 > index efa2716063..0000000000 > --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c > +++ /dev/null > @@ -1,160 +0,0 @@ > -/** @file > - TDES Wrapper Implementation which does not provide real capabilities. > - > -Copyright (c) 2012, Intel Corporation. All rights reserved.
> -SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#include "InternalCryptLib.h" > - > -/** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - Return zero to indicate this interface is not supported. > - > - @retval 0 This interface is not supported. > - > -**/ > -UINTN > -EFIAPI > -TdesGetContextSize ( > - VOID > - ) > -{ > - ASSERT (FALSE); > - return 0; > -} > - > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesInit ( > - OUT VOID *TdesContext, > - IN CONST UINT8 *Key, > - IN UINTN KeyLength > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. 
> - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. 
> - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > index f43953b78c..f631f8d879 100644 > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > @@ -7,7 +7,7 @@ > # buffer overflow or integer overflow. > # > # Note: > -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, > RSA external > +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA > external > # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions= , X.509 > # certificate handler functions, authenticode signature verification fu= nctions, > # PEM handler functions, and pseudorandom number generator functions ar= e > not > @@ -45,7 +45,6 @@ > Hmac/CryptHmacSha256Null.c > Kdf/CryptHkdfNull.c > Cipher/CryptAesNull.c > - Cipher/CryptTdesNull.c > Pk/CryptRsaBasic.c > Pk/CryptRsaExtNull.c > Pk/CryptPkcs1OaepNull.c > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni > index 5abd8e8dfb..c906935d3d 100644 > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni 
> @@ -6,8 +6,8 @@ > // This external input must be validated carefully to avoid security iss= ues such as > // buffer overflow or integer overflow. > // > -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ > -// TDES functions, RSA external functions, PKCS#7 SignedData sign functi= ons, > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES > +// functions, RSA external functions, PKCS#7 SignedData sign functions, > // Diffie-Hellman functions, X.509 certificate handler functions, authen= ticode > // signature verification functions, PEM handler functions, and pseudora= ndom > number > // generator functions are not supported in this instance. 
> @@ -21,5 +21,5 @@ >=20 > #string STR_MODULE_ABSTRACT #language en-US "Cryptographic > Library Instance for PEIM" >=20 > -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, X.509 certificate ha= ndler > functions, authenticode signature verification functions, PEM handler fun= ctions, > and pseudorandom number generator functions are not supported in this > instance." > +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, X.509 certificate ha= ndler > functions, authenticode signature verification functions, PEM handler fun= ctions, > and pseudorandom number generator functions are not supported in this > instance." >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c > b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c > index 75a133bd0c..6f7e1971f8 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c > @@ -1,7 +1,7 @@ > /** @file > PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over > OpenSSL. >=20 > -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > **/ > @@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem ( >=20 > // > // Add possible block-cipher descriptor for PEM data decryption. > - // NOTE: Only support most popular ciphers (3DES, AES) for the encrypt= ed PEM. > + // NOTE: Only support most popular ciphers AES for the encrypted PEM. > // > - if (EVP_add_cipher (EVP_des_ede3_cbc ()) =3D=3D 0) { > - return FALSE; > - } > if (EVP_add_cipher (EVP_aes_128_cbc ()) =3D=3D 0) { > return FALSE; > } > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > index f1eb099b67..672e19299c 100644 > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > @@ -7,7 +7,7 @@ > # buffer overflow or integer overflow. > # > # Note: SHA-384 Digest functions, SHA-512 Digest functions, > -# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, > RSA external > +# HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA > external > # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions= , and > # authenticode signature verification functions are not supported in th= is > instance. > # > @@ -45,7 +45,6 @@ > Hmac/CryptHmacSha256Null.c > Kdf/CryptHkdfNull.c > Cipher/CryptAesNull.c > - Cipher/CryptTdesNull.c > Pk/CryptRsaBasic.c > Pk/CryptRsaExtNull.c > Pk/CryptPkcs1OaepNull.c > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni > index 5a48d2a308..0a3bb1c04f 100644 > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni 
> @@ -6,8 +6,8 @@ > // This external input must be validated carefully to avoid security iss= ues such as > // buffer overflow or integer overflow. > // > -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ > -// TDES functions, RSA external functions, PKCS#7 SignedData sign functi= ons, > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES > +// functions, RSA external functions, PKCS#7 SignedData sign functions, > // Diffie-Hellman functions, and authenticode signature verification fun= ctions > are > // not supported in this instance. > // > @@ -20,5 +20,5 @@ >=20 > #string STR_MODULE_ABSTRACT #language en-US "Cryptographic > Library Instance for DXE_RUNTIME_DRIVER" >=20 > -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, and authenticode sig= nature > verification functions are not supported in this instance." > +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, and authenticode sig= nature > verification functions are not supported in this instance." >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > index 3a94655775..cc3556ae3f 100644 > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf 
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > @@ -7,7 +7,7 @@ > # buffer overflow or integer overflow. > # > # Note: SHA-384 Digest functions, SHA-512 Digest functions, > -# HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external > +# HMAC-MD5 functions, HMAC-SHA1 functions, RSA external > # functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions= , and > # authenticode signature verification functions are not supported in th= is > instance. > # > @@ -44,7 +44,6 @@ > Hmac/CryptHmacSha256.c > Kdf/CryptHkdfNull.c > Cipher/CryptAes.c > - Cipher/CryptTdesNull.c > Pk/CryptRsaBasic.c > Pk/CryptRsaExtNull.c > Pk/CryptPkcs1Oaep.c > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni > index 0561f107e8..2e362c635f 100644 > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni > @@ -6,8 +6,8 @@ > // This external input must be validated carefully to avoid security iss= ues such as > // buffer overflow or integer overflow. > // > -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ > -// TDES functions, RSA external functions, PKCS#7 SignedData sign functi= ons, > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES > +// functions, RSA external functions, PKCS#7 SignedData sign functions, > // Diffie-Hellman functions, and authenticode signature verification fun= ctions > are > // not supported in this instance. > // 
> @@ -20,5 +20,5 @@ >=20 > #string STR_MODULE_ABSTRACT #language en-US "Cryptographic > Library Instance for SMM driver" >=20 > -#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, and authenticode sig= nature > verification functions are not supported in this instance." > +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This > module requires additional review when modified. This library will have e= xternal > input - signature. This external input must be validated carefully to avo= id security > issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functi= ons, > HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 > SignedData sign functions, Diffie-Hellman functions, and authenticode sig= nature > verification functions are not supported in this instance." >=20 > diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf > b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf > index a205c9005d..04b552f8b7 100644 > --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf > +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf > @@ -39,7 +39,6 @@ > Hmac/CryptHmacSha256Null.c > Kdf/CryptHkdfNull.c > Cipher/CryptAesNull.c > - Cipher/CryptTdesNull.c > Pk/CryptRsaBasicNull.c > Pk/CryptRsaExtNull.c > Pk/CryptPkcs1OaepNull.c > diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c > b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c > deleted file mode 100644 > index efa2716063..0000000000 > --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c > +++ /dev/null 
> @@ -1,160 +0,0 @@ > -/** @file > - TDES Wrapper Implementation which does not provide real capabilities. > - > -Copyright (c) 2012, Intel Corporation. All rights reserved.
> -SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#include "InternalCryptLib.h" > - > -/** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - Return zero to indicate this interface is not supported. > - > - @retval 0 This interface is not supported. > - > -**/ > -UINTN > -EFIAPI > -TdesGetContextSize ( > - VOID > - ) > -{ > - ASSERT (FALSE); > - return 0; > -} > - > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesInit ( > - OUT VOID *TdesContext, > - IN CONST UINT8 *Key, > - IN UINTN KeyLength > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. 
> - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval FALSE This interface is not supported. 
> - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > index 77915bdb86..43ee4e0841 100644 > --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c 
> @@ -1467,220 +1467,6 @@ HmacSha256Final ( > // Symmetric Cryptography Primitive >=20 > //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > -/** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - If this interface is not supported, then return zero. > - > - @return The size, in bytes, of the context buffer required for TDES o= perations. > - @retval 0 This interface is not supported. > - > -**/ > -UINTN > -EFIAPI > -TdesGetContextSize ( > - VOID > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0); > -} > - > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - This function initializes user-supplied memory pointed by TdesContext = as TDES > context. > - In addition, it sets up all TDES key materials for subsequent encrypti= on and > decryption > - operations. > - There are 3 key options as follows: > - KeyLength =3D 64, Keying option 1: K1 =3D=3D K2 =3D=3D K3 (Backward c= ompatibility with > DES) > - KeyLength =3D 128, Keying option 2: K1 !=3D K2 and K3 =3D K1 (Less Sec= urity) > - KeyLength =3D 192 Keying option 3: K1 !=3D K2 !=3D K3 (Strongest) > - > - If TdesContext is NULL, then return FALSE. > - If Key is NULL, then return FALSE. > - If KeyLength is not valid, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval TRUE TDES context initialization succeeded. > - @retval FALSE TDES context initialization failed. > - @retval FALSE This interface is not supported. 
> - > -**/ > -BOOLEAN > -EFIAPI > -TdesInit ( > - OUT VOID *TdesContext, > - IN CONST UINT8 *Key, > - IN UINTN KeyLength > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE); > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize, > Output), FALSE); > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). 
This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesEcbDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize, > Output), FALSE); > -} > - > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. 
> - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcEncrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, I= vec, > Output), FALSE); > -} > - > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. 
> - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -TdesCbcDecrypt ( > - IN VOID *TdesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - IN CONST UINT8 *Ivec, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, I= vec, > Output), FALSE); > -} > - > /** > Retrieves the size, in bytes, of the context buffer required for AES o= perations. >=20 > diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h > b/CryptoPkg/Library/Include/openssl/opensslconf.h > index 22acabef87..4868cfa963 100644 > --- a/CryptoPkg/Library/Include/openssl/opensslconf.h > +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h > @@ -247,6 +247,9 @@ extern "C" { > #ifndef OPENSSL_NO_RC4 > # define OPENSSL_NO_RC4 > #endif > +#ifndef OPENSSL_NO_DES > +# define OPENSSL_NO_DES > +#endif >=20 >=20 > /* > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index dfaefd1c08..d66f1cb03f 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> @@ -178,25 +178,6 @@ > $(OPENSSL_PATH)/crypto/cryptlib.c > $(OPENSSL_PATH)/crypto/ctype.c > $(OPENSSL_PATH)/crypto/cversion.c > - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c > - $(OPENSSL_PATH)/crypto/des/cbc_enc.c > - $(OPENSSL_PATH)/crypto/des/cfb64ede.c > - $(OPENSSL_PATH)/crypto/des/cfb64enc.c > - $(OPENSSL_PATH)/crypto/des/cfb_enc.c > - $(OPENSSL_PATH)/crypto/des/des_enc.c > - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c > - $(OPENSSL_PATH)/crypto/des/ecb_enc.c > - $(OPENSSL_PATH)/crypto/des/fcrypt.c > - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c > - $(OPENSSL_PATH)/crypto/des/ofb64ede.c > - $(OPENSSL_PATH)/crypto/des/ofb64enc.c > - $(OPENSSL_PATH)/crypto/des/ofb_enc.c > - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c > - $(OPENSSL_PATH)/crypto/des/qud_cksm.c > - $(OPENSSL_PATH)/crypto/des/rand_key.c > - $(OPENSSL_PATH)/crypto/des/set_key.c > - $(OPENSSL_PATH)/crypto/des/str2key.c > - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c > $(OPENSSL_PATH)/crypto/dh/dh_ameth.c > $(OPENSSL_PATH)/crypto/dh/dh_asn1.c > $(OPENSSL_PATH)/crypto/dh/dh_check.c > @@ -514,8 +495,6 @@ > $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > $(OPENSSL_PATH)/crypto/conf/conf_def.h > $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > - $(OPENSSL_PATH)/crypto/des/des_locl.h > - $(OPENSSL_PATH)/crypto/des/spr.h > $(OPENSSL_PATH)/crypto/dh/dh_locl.h > $(OPENSSL_PATH)/crypto/dso/dso_locl.h > $(OPENSSL_PATH)/crypto/evp/evp_locl.h > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > index 080e1d9305..5788d13cf7 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf 
> @@ -178,25 +178,6 @@ > $(OPENSSL_PATH)/crypto/cryptlib.c > $(OPENSSL_PATH)/crypto/ctype.c > $(OPENSSL_PATH)/crypto/cversion.c > - $(OPENSSL_PATH)/crypto/des/cbc_cksm.c > - $(OPENSSL_PATH)/crypto/des/cbc_enc.c > - $(OPENSSL_PATH)/crypto/des/cfb64ede.c > - $(OPENSSL_PATH)/crypto/des/cfb64enc.c > - $(OPENSSL_PATH)/crypto/des/cfb_enc.c > - $(OPENSSL_PATH)/crypto/des/des_enc.c > - $(OPENSSL_PATH)/crypto/des/ecb3_enc.c > - $(OPENSSL_PATH)/crypto/des/ecb_enc.c > - $(OPENSSL_PATH)/crypto/des/fcrypt.c > - $(OPENSSL_PATH)/crypto/des/fcrypt_b.c > - $(OPENSSL_PATH)/crypto/des/ofb64ede.c > - $(OPENSSL_PATH)/crypto/des/ofb64enc.c > - $(OPENSSL_PATH)/crypto/des/ofb_enc.c > - $(OPENSSL_PATH)/crypto/des/pcbc_enc.c > - $(OPENSSL_PATH)/crypto/des/qud_cksm.c > - $(OPENSSL_PATH)/crypto/des/rand_key.c > - $(OPENSSL_PATH)/crypto/des/set_key.c > - $(OPENSSL_PATH)/crypto/des/str2key.c > - $(OPENSSL_PATH)/crypto/des/xcbc_enc.c > $(OPENSSL_PATH)/crypto/dh/dh_ameth.c > $(OPENSSL_PATH)/crypto/dh/dh_asn1.c > $(OPENSSL_PATH)/crypto/dh/dh_check.c > @@ -514,8 +495,6 @@ > $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > $(OPENSSL_PATH)/crypto/conf/conf_def.h > $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > - $(OPENSSL_PATH)/crypto/des/des_locl.h > - $(OPENSSL_PATH)/crypto/des/spr.h > $(OPENSSL_PATH)/crypto/dh/dh_locl.h > $(OPENSSL_PATH)/crypto/dso/dso_locl.h > $(OPENSSL_PATH)/crypto/evp/evp_locl.h > diff --git a/CryptoPkg/Private/Protocol/Crypto.h > b/CryptoPkg/Private/Protocol/Crypto.h > index f36c5c1aff..a30660c192 100644 > --- a/CryptoPkg/Private/Protocol/Crypto.h > +++ b/CryptoPkg/Private/Protocol/Crypto.h 
> @@ -2396,155 +2396,45 @@ BOOLEAN >=20 > //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > /** > - Retrieves the size, in bytes, of the context buffer required for TDES = operations. > - > - If this interface is not supported, then return zero. > - > - @return The size, in bytes, of the context buffer required for TDES o= perations. > - @retval 0 This interface is not supported. > + TDES is deprecated and unsupported any longer. > + Keep the function field for binary compability. >=20 > **/ > typedef > UINTN > -(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) ( > VOID > ); >=20 > -/** > - Initializes user-supplied memory as TDES context for subsequent use. > - > - This function initializes user-supplied memory pointed by TdesContext = as TDES > context. > - In addition, it sets up all TDES key materials for subsequent encrypti= on and > decryption > - operations. > - There are 3 key options as follows: > - KeyLength =3D 64, Keying option 1: K1 =3D=3D K2 =3D=3D K3 (Backward c= ompatibility with > DES) > - KeyLength =3D 128, Keying option 2: K1 !=3D K2 and K3 =3D K1 (Less Sec= urity) > - KeyLength =3D 192 Keying option 3: K1 !=3D K2 !=3D K3 (Strongest) > - > - If TdesContext is NULL, then return FALSE. > - If Key is NULL, then return FALSE. > - If KeyLength is not valid, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[out] TdesContext Pointer to TDES context being initialized. > - @param[in] Key Pointer to the user-supplied TDES key. > - @param[in] KeyLength Length of TDES key in bits. > - > - @retval TRUE TDES context initialization succeeded. > - @retval FALSE TDES context initialization failed. > - @retval FALSE This interface is not supported. 
> - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_TDES_INIT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) ( > OUT VOID *TdesContext, > IN CONST UINT8 *Key, > IN UINTN KeyLength > ); >=20 > -/** > - Performs TDES encryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ); >=20 > -/** > - Performs TDES decryption on a data buffer of the specified size in ECB= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. 
Caller must perform padding, if necessary, to ensure valid in= put data > size. > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the TDES d= ecryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ); >=20 > -/** > - Performs TDES encryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES encryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. 
> - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES encryption succeeded. > - @retval FALSE TDES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, 
> @@ -2552,38 +2442,9 @@ BOOLEAN > OUT UINT8 *Output > ); >=20 > -/** > - Performs TDES decryption on a data buffer of the specified size in CBC= mode. > - > - This function performs TDES decryption on data buffer pointed by Input= , of > specified > - size of InputSize, in CBC mode. > - InputSize must be multiple of block size (8 bytes). This function does= not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - Initialization vector should be one block size (8 bytes). > - TdesContext should be already correctly initialized by TdesInit(). Beh= avior with > - invalid TDES context is undefined. > - > - If TdesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (8 bytes), then return FALS= E. > - If Ivec is NULL, then return FALSE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] TdesContext Pointer to the TDES context. > - @param[in] Input Pointer to the buffer containing the data to= be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[in] Ivec Pointer to initialization vector. > - @param[out] Output Pointer to a buffer that receives the TDES e= ncryption > output. > - > - @retval TRUE TDES decryption succeeded. > - @retval FALSE TDES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) ( > IN VOID *TdesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, 
> @@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL { > EDKII_CRYPTO_X509_FREE X509Free; > EDKII_CRYPTO_X509_STACK_FREE X509StackFree; > EDKII_CRYPTO_X509_GET_TBS_CERT X509GetTBSCert; > - /// TDES > - EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE TdesGetContextSize; > - EDKII_CRYPTO_TDES_INIT TdesInit; > - EDKII_CRYPTO_TDES_ECB_ENCRYPT TdesEcbEncrypt; > - EDKII_CRYPTO_TDES_ECB_DECRYPT TdesEcbDecrypt; > - EDKII_CRYPTO_TDES_CBC_ENCRYPT TdesCbcEncrypt; > - EDKII_CRYPTO_TDES_CBC_DECRYPT TdesCbcDecrypt; > + /// TDES - deprecated and unsupported > + DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE > DeprecatedTdesGetContextSize; > + DEPRECATED_EDKII_CRYPTO_TDES_INIT DeprecatedTdesInit; > + DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT > DeprecatedTdesEcbEncrypt; > + DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT > DeprecatedTdesEcbDecrypt; > + DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT > DeprecatedTdesCbcEncrypt; > + DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT > DeprecatedTdesCbcDecrypt; > /// AES > EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize; > EDKII_CRYPTO_AES_INIT AesInit; > -- > 2.21.0.windows.1
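Review bot: the new `OPENSSL_NO_DES` guard in opensslconf.h follows the `OPENSSL_NO_RC4` pattern directly above it, but the define alone only hides the DES API from the headers; with the crypto/des/ sources also dropped from the build (see the .inf hunks), any other OpenSSL module that still reaches a DES symbol becomes a link failure rather than a compile-time one. Suggest the commit message state that OpensslLib and OpensslLibCrypto were rebuilt and linked cleanly with `OPENSSL_NO_DES` set, and that no remaining OpenSSL path used by edk2 (PKCS#12, PEM legacy ciphers) depends on a DES cipher.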
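Review bot: OpensslLib.inf and OpensslLibCrypto.inf receive byte-identical hunks (`@@ -178,25 +178,6 @@` and `@@ -514,8 +495,6 @@`) removing the nineteen `crypto/des/*.c` sources and the two headers `des_locl.h` and `spr.h`; if these file lists are generated from the OpenSSL configuration rather than maintained by hand, the generator's option set (the one that already yields `OPENSSL_NO_RC4`) must also carry the no-des option, or the next regeneration will reintroduce these entries. The removal of `fcrypt.c` and `fcrypt_b.c` also drops the DES-based `crypt()` implementation, which is the right outcome but is not strictly "Tdes" and deserves a sentence in the commit message.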
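Review bot: the replacement doc comment on `DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE` misspells "compatibility" as "compability", and the five typedefs that follow it in the `@@ -2396,155 +2396,45 @@` and `@@ -2552,38 +2442,9 @@` hunks (`..._TDES_INIT`, `..._TDES_ECB_ENCRYPT`, `..._TDES_ECB_DECRYPT`, `..._TDES_CBC_ENCRYPT`, `..._TDES_CBC_DECRYPT`) have their doc blocks deleted outright, leaving them undocumented. Suggest the same short comment on each, or one comment preceding the group, e.g. `/** TDES is deprecated and unsupported. The typedef is kept only so the EDKII_CRYPTO_PROTOCOL layout is unchanged. **/`, and that the comment say what a caller still invoking the slot observes, since the old contract's `@retval FALSE This interface is not supported` / `@retval 0` is the obvious behaviour to preserve and "unsupported" alone does not tell a consumer whether the pointer is NULL or a stub.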
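Review bot: renaming the six `_EDKII_CRYPTO_PROTOCOL` members to `DeprecatedTdes*` keeps the member count and order, so the binary layout is unchanged and stale in-tree callers fail at compile time instead of silently, but the hunk does not show what the protocol producer now stores in these slots. If they are left NULL, a previously built binary consumer that calls `TdesInit` through the protocol dereferences NULL; suggest either documenting that the producer installs stub functions returning FALSE/0 (matching the `CALL_CRYPTO_SERVICE (..., FALSE)` default the removed BaseCryptLib wrappers used) or stating explicitly in the `/// TDES - deprecated and unsupported` comment that the slots are NULL and consumers must check before calling.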