From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Gao, Zhichao" <zhichao.gao@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
Date: Fri, 8 May 2020 14:50:19 +0000 [thread overview]
Message-ID: <D827630B58408649ACB04F44C510003625A8430B@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <20200506235746.19500-6-zhichao.gao@intel.com>
Zhichao,
Similar to patch 3, please update OpensslLib/process_files.pl to update OpensslLibXxx.inf
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode
> algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Aes Ecb mode is not secure any longer.
> Remove the Aes Ecb mode support from edk2.
> Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate
> the
> function is unsupported any long.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/CryptoPkg.dsc | 45 +++----
> CryptoPkg/Driver/Crypto.c | 65 ++--------
> .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 ------------------
> .../BaseCryptLib/Cipher/CryptAesNull.c | 52 --------
> .../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 --------
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 76 ------------
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 -
> .../Library/OpensslLib/OpensslLibCrypto.inf | 1 -
> CryptoPkg/Private/Protocol/Crypto.h | 61 ++--------
> 9 files changed, 40 insertions(+), 427 deletions(-)
>
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 6ed7046563..1f68cc633b 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,27 +137,30 @@
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
>
> !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetC
> ontextSize | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init
> | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcE
> ncrypt | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cbc
> Decrypt | TRUE
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> !endif
>
> !if $(CRYPTO_SERVICES) == MIN_PEI
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index a4106aae0b..341df3b814 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
> }
>
> /**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> + AES ECB Mode is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> BOOLEAN
> EFIAPI
> -CryptoServiceAesEcbEncrypt (
> +DeprecatedCryptoServiceAesEcbEncrypt (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;
> }
>
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> BOOLEAN
> EFIAPI
> -CryptoServiceAesEcbDecrypt (
> +DeprecatedCryptoServiceAesEcbDecrypt (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> )
> {
> - return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> + return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE;
> }
>
> /**
> @@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
> DeprecatedCryptoServiceTdesEcbDecrypt,
> DeprecatedCryptoServiceTdesCbcEncrypt,
> DeprecatedCryptoServiceTdesCbcDecrypt,
> - /// AES
> + /// AES - ECB mode is deprecated and unsupported
> CryptoServiceAesGetContextSize,
> CryptoServiceAesInit,
> - CryptoServiceAesEcbEncrypt,
> - CryptoServiceAesEcbDecrypt,
> + DeprecatedCryptoServiceAesEcbEncrypt,
> + DeprecatedCryptoServiceAesEcbDecrypt,
> CryptoServiceAesCbcEncrypt,
> CryptoServiceAesCbcDecrypt,
> /// Arc4 - deprecated and unsupported
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> index 2515b34bb8..914cffb211 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> @@ -78,120 +78,6 @@ AesInit (
> return TRUE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - AES_KEY *AesKey;
> -
> - //
> - // Check input parameters.
> - //
> - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> - return FALSE;
> - }
> -
> - AesKey = (AES_KEY *) AesContext;
> -
> - //
> - // Perform AES data encryption with ECB mode (block-by-block)
> - //
> - while (InputSize > 0) {
> - AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
> - Input += AES_BLOCK_SIZE;
> - Output += AES_BLOCK_SIZE;
> - InputSize -= AES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - AES_KEY *AesKey;
> -
> - //
> - // Check input parameters.
> - //
> - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> - return FALSE;
> - }
> -
> - AesKey = (AES_KEY *) AesContext;
> -
> - //
> - // Perform AES data decryption with ECB mode (block-by-block)
> - //
> - while (InputSize > 0) {
> - AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
> - Input += AES_BLOCK_SIZE;
> - Output += AES_BLOCK_SIZE;
> - InputSize -= AES_BLOCK_SIZE;
> - }
> -
> - return TRUE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
> return FALSE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
> return FALSE;
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - Return FALSE to indicate this interface is not supported.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - ASSERT (FALSE);
> - return FALSE;
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 43ee4e0841..c937f8540d 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1518,82 +1518,6 @@ AesInit (
> CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
> }
>
> -/**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> - IN VOID *AesContext,
> - IN CONST UINT8 *Input,
> - IN UINTN InputSize,
> - OUT UINT8 *Output
> - )
> -{
> - CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> /**
> Performs AES encryption on a data buffer of the specified size in CBC mode.
>
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d66f1cb03f..c8ec9454bd 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -29,7 +29,6 @@
> $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
> $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
> $(OPENSSL_PATH)/crypto/aes/aes_core.c
> - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
> $(OPENSSL_PATH)/crypto/aes/aes_ige.c
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 5788d13cf7..2f232e3e12 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -29,7 +29,6 @@
> $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
> $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
> $(OPENSSL_PATH)/crypto/aes/aes_core.c
> - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
> $(OPENSSL_PATH)/crypto/aes/aes_ige.c
> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index a30660c192..e76ff623a5 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2498,69 +2498,22 @@ BOOLEAN
> );
>
> /**
> - Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES encryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> encrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES encryption
> output.
> -
> - @retval TRUE AES encryption succeeded.
> - @retval FALSE AES encryption failed.
> - @retval FALSE This interface is not supported.
> + AES ECB Mode is deprecated and unsupported any longer.
> + Keep the function field for binary compability.
>
> **/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> OUT UINT8 *Output
> );
>
> -/**
> - Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> - This function performs AES decryption on data buffer pointed by Input, of
> specified
> - size of InputSize, in ECB mode.
> - InputSize must be multiple of block size (16 bytes). This function does not
> perform
> - padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> - AesContext should be already correctly initialized by AesInit(). Behavior with
> - invalid AES context is undefined.
> -
> - If AesContext is NULL, then return FALSE.
> - If Input is NULL, then return FALSE.
> - If InputSize is not multiple of block size (16 bytes), then return FALSE.
> - If Output is NULL, then return FALSE.
> - If this interface is not supported, then return FALSE.
> -
> - @param[in] AesContext Pointer to the AES context.
> - @param[in] Input Pointer to the buffer containing the data to be
> decrypted.
> - @param[in] InputSize Size of the Input buffer in bytes.
> - @param[out] Output Pointer to a buffer that receives the AES decryption
> output.
> -
> - @retval TRUE AES decryption succeeded.
> - @retval FALSE AES decryption failed.
> - @retval FALSE This interface is not supported.
> -
> -**/
> typedef
> BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
> IN VOID *AesContext,
> IN CONST UINT8 *Input,
> IN UINTN InputSize,
> @@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
> DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
> DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
> DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
> - /// AES
> + /// AES - ECB Mode is deprecated and unsupported
> EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize;
> EDKII_CRYPTO_AES_INIT AesInit;
> - EDKII_CRYPTO_AES_ECB_ENCRYPT AesEcbEncrypt;
> - EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt;
> + DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT
> DeprecatedAesEcbEncrypt;
> + DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT
> DeprecatedAesEcbDecrypt;
> EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt;
> EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt;
> /// Arc4 - deprecated and unsupported
> --
> 2.21.0.windows.1
next prev parent reply other threads:[~2020-05-08 14:50 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-06 23:57 [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Gao, Zhichao
2020-05-06 23:57 ` [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
2020-05-07 7:45 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-07 7:48 ` Philippe Mathieu-Daudé
2020-05-08 1:09 ` Gao, Zhichao
2020-05-08 12:59 ` Philippe Mathieu-Daudé
2020-05-06 23:57 ` [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
2020-05-08 15:19 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
2020-05-08 14:34 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm Gao, Zhichao
2020-05-07 7:51 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-05-08 14:42 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
2020-05-08 14:50 ` Wang, Jian J [this message]
2020-05-06 23:57 ` [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
2020-05-08 15:03 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
2020-05-08 15:11 ` Wang, Jian J
2020-05-06 23:57 ` [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
2020-05-08 15:13 ` Wang, Jian J
2020-05-08 7:23 ` [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions Guomin Jiang
2020-05-08 8:00 ` Dong, Eric
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D827630B58408649ACB04F44C510003625A8430B@SHSMSX107.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox