From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by mx.groups.io with SMTP id smtpd.web12.11958.1588949425261424265 for ; Fri, 08 May 2020 07:50:25 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.100, mailfrom: jian.j.wang@intel.com) IronPort-SDR: uQplL3/coJm1903v9hawi0R14wBmRO7ipeva4tqCQx2oi3VcmaGlwPWlGO9te3WsxnvBT3rqGg ypKppQ94j7BQ== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 May 2020 07:50:24 -0700 IronPort-SDR: vJlRfG7ARKOXqOrjT8f4RI7yLMeXlY0BDjiAWiw8j2uCkCDOTUwgT3rGUiRmJlL+Xg2SNKMlwa Bnwmdm+rvqnA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,367,1583222400"; d="scan'208";a="260993055" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga003.jf.intel.com with ESMTP; 08 May 2020 07:50:24 -0700 Received: from fmsmsx126.amr.corp.intel.com (10.18.125.43) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 8 May 2020 07:50:23 -0700 Received: from shsmsx102.ccr.corp.intel.com (10.239.4.154) by FMSMSX126.amr.corp.intel.com (10.18.125.43) with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 8 May 2020 07:50:23 -0700 Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.200]) by shsmsx102.ccr.corp.intel.com ([169.254.2.38]) with mapi id 14.03.0439.000; Fri, 8 May 2020 22:50:20 +0800 From: "Wang, Jian J" To: "Gao, Zhichao" , "devel@edk2.groups.io" CC: "Lu, XiaoyuX" , "Fu, Siyuan" , "Kinney, Michael D" , "Yao, Jiewen" Subject: Re: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Thread-Topic: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Thread-Index: AQHWJAIzrdmQRWtJikimOKUGPSPppaieRsCg Date: Fri, 8 May 2020 14:50:19 +0000 Message-ID: References: <20200506235746.19500-1-zhichao.gao@intel.com> <20200506235746.19500-6-zhichao.gao@intel.com> In-Reply-To: <20200506235746.19500-6-zhichao.gao@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jian.j.wang@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Zhichao, Similar to patch 3, please update OpensslLib/process_files.pl to update Ope= nsslLibXxx.inf Regards, Jian > -----Original Message----- > From: Gao, Zhichao > Sent: Thursday, May 07, 2020 7:58 AM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Lu, XiaoyuX ; > Fu, Siyuan ; Kinney, Michael D > ; Yao, Jiewen > Subject: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode > algorithm >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1898 >=20 > Aes Ecb mode is not secure any longer. > Remove the Aes Ecb mode support from edk2. > Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate > the > function is unsupported any long. >=20 > Cc: Jian J Wang > Cc: Xiaoyu Lu > Cc: Siyuan Fu > Cc: Michael D Kinney > Cc: Jiewen Yao > Signed-off-by: Zhichao Gao > --- > CryptoPkg/CryptoPkg.dsc | 45 +++---- > CryptoPkg/Driver/Crypto.c | 65 ++-------- > .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 ------------------ > .../BaseCryptLib/Cipher/CryptAesNull.c | 52 -------- > .../BaseCryptLibNull/Cipher/CryptAesNull.c | 52 -------- > .../BaseCryptLibOnProtocolPpi/CryptLib.c | 76 ------------ > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 - > .../Library/OpensslLib/OpensslLibCrypto.inf | 1 - > CryptoPkg/Private/Protocol/Crypto.h | 61 ++-------- > 9 files changed, 40 insertions(+), 427 deletions(-) >=20 > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc > index 6ed7046563..1f68cc633b 100644 > --- a/CryptoPkg/CryptoPkg.dsc > +++ b/CryptoPkg/CryptoPkg.dsc > @@ -137,27 +137,30 @@ > gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06 >=20 > !if $(CRYPTO_SERVICES) IN "PACKAGE ALL" > - > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam > ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family = | > PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family = | > PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam > ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Get= C > ontextSize | TRUE > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Ini= t > | TRUE > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cbc= E > ncrypt | TRUE > + > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cbc > Decrypt | TRUE > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > !endif >=20 > !if $(CRYPTO_SERVICES) =3D=3D MIN_PEI > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c > index a4106aae0b..341df3b814 100644 > --- a/CryptoPkg/Driver/Crypto.c > +++ b/CryptoPkg/Driver/Crypto.c > @@ -1683,79 +1683,32 @@ CryptoServiceAesInit ( > } >=20 > /** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES encryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval TRUE AES encryption succeeded. > - @retval FALSE AES encryption failed. > - @retval FALSE This interface is not supported. > + AES ECB Mode is deprecated and unsupported any longer. > + Keep the function field for binary compability. >=20 > **/ > BOOLEAN > EFIAPI > -CryptoServiceAesEcbEncrypt ( > +DeprecatedCryptoServiceAesEcbEncrypt ( > IN VOID *AesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt, > (AesContext, Input, InputSize, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE; > } >=20 > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES decryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval TRUE AES decryption succeeded. > - @retval FALSE AES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > BOOLEAN > EFIAPI > -CryptoServiceAesEcbDecrypt ( > +DeprecatedCryptoServiceAesEcbDecrypt ( > IN VOID *AesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ) > { > - return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt, > (AesContext, Input, InputSize, Output), FALSE); > + return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE; > } >=20 > /** > @@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { > DeprecatedCryptoServiceTdesEcbDecrypt, > DeprecatedCryptoServiceTdesCbcEncrypt, > DeprecatedCryptoServiceTdesCbcDecrypt, > - /// AES > + /// AES - ECB mode is deprecated and unsupported > CryptoServiceAesGetContextSize, > CryptoServiceAesInit, > - CryptoServiceAesEcbEncrypt, > - CryptoServiceAesEcbDecrypt, > + DeprecatedCryptoServiceAesEcbEncrypt, > + DeprecatedCryptoServiceAesEcbDecrypt, > CryptoServiceAesCbcEncrypt, > CryptoServiceAesCbcDecrypt, > /// Arc4 - deprecated and unsupported > diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c > b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c > index 2515b34bb8..914cffb211 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c > +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c > @@ -78,120 +78,6 @@ AesInit ( > return TRUE; > } >=20 > -/** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES encryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval TRUE AES encryption succeeded. > - @retval FALSE AES encryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbEncrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - AES_KEY *AesKey; > - > - // > - // Check input parameters. > - // > - if (AesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % AES_BL= OCK_SIZE) !=3D 0 > || Output =3D=3D NULL) { > - return FALSE; > - } > - > - AesKey =3D (AES_KEY *) AesContext; > - > - // > - // Perform AES data encryption with ECB mode (block-by-block) > - // > - while (InputSize > 0) { > - AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT); > - Input +=3D AES_BLOCK_SIZE; > - Output +=3D AES_BLOCK_SIZE; > - InputSize -=3D AES_BLOCK_SIZE; > - } > - > - return TRUE; > -} > - > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES decryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval TRUE AES decryption succeeded. > - @retval FALSE AES decryption failed. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbDecrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - AES_KEY *AesKey; > - > - // > - // Check input parameters. > - // > - if (AesContext =3D=3D NULL || Input =3D=3D NULL || (InputSize % AES_BL= OCK_SIZE) !=3D 0 > || Output =3D=3D NULL) { > - return FALSE; > - } > - > - AesKey =3D (AES_KEY *) AesContext; > - > - // > - // Perform AES data decryption with ECB mode (block-by-block) > - // > - while (InputSize > 0) { > - AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT); > - Input +=3D AES_BLOCK_SIZE; > - Output +=3D AES_BLOCK_SIZE; > - InputSize -=3D AES_BLOCK_SIZE; > - } > - > - return TRUE; > -} > - > /** > Performs AES encryption on a data buffer of the specified size in CBC = mode. >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c > b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c > index a82adacf4f..d235422e7a 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c > +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c > @@ -50,58 +50,6 @@ AesInit ( > return FALSE; > } >=20 > -/** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbEncrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbDecrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > /** > Performs AES encryption on a data buffer of the specified size in CBC = mode. >=20 > diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c > b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c > index a82adacf4f..d235422e7a 100644 > --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c > +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c > @@ -50,58 +50,6 @@ AesInit ( > return FALSE; > } >=20 > -/** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbEncrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - Return FALSE to indicate this interface is not supported. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbDecrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - ASSERT (FALSE); > - return FALSE; > -} > - > /** > Performs AES encryption on a data buffer of the specified size in CBC = mode. >=20 > diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > index 43ee4e0841..c937f8540d 100644 > --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > @@ -1518,82 +1518,6 @@ AesInit ( > CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE); > } >=20 > -/** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES encryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval TRUE AES encryption succeeded. > - @retval FALSE AES encryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbEncrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, > Output), FALSE); > -} > - > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES decryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval TRUE AES decryption succeeded. > - @retval FALSE AES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > -BOOLEAN > -EFIAPI > -AesEcbDecrypt ( > - IN VOID *AesContext, > - IN CONST UINT8 *Input, > - IN UINTN InputSize, > - OUT UINT8 *Output > - ) > -{ > - CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, > Output), FALSE); > -} > - > /** > Performs AES encryption on a data buffer of the specified size in CBC = mode. >=20 > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index d66f1cb03f..c8ec9454bd 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > @@ -29,7 +29,6 @@ > $(OPENSSL_PATH)/crypto/aes/aes_cbc.c > $(OPENSSL_PATH)/crypto/aes/aes_cfb.c > $(OPENSSL_PATH)/crypto/aes/aes_core.c > - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c > $(OPENSSL_PATH)/crypto/aes/aes_ige.c > $(OPENSSL_PATH)/crypto/aes/aes_misc.c > $(OPENSSL_PATH)/crypto/aes/aes_ofb.c > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > index 5788d13cf7..2f232e3e12 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > @@ -29,7 +29,6 @@ > $(OPENSSL_PATH)/crypto/aes/aes_cbc.c > $(OPENSSL_PATH)/crypto/aes/aes_cfb.c > $(OPENSSL_PATH)/crypto/aes/aes_core.c > - $(OPENSSL_PATH)/crypto/aes/aes_ecb.c > $(OPENSSL_PATH)/crypto/aes/aes_ige.c > $(OPENSSL_PATH)/crypto/aes/aes_misc.c > $(OPENSSL_PATH)/crypto/aes/aes_ofb.c > diff --git a/CryptoPkg/Private/Protocol/Crypto.h > b/CryptoPkg/Private/Protocol/Crypto.h > index a30660c192..e76ff623a5 100644 > --- a/CryptoPkg/Private/Protocol/Crypto.h > +++ b/CryptoPkg/Private/Protocol/Crypto.h > @@ -2498,69 +2498,22 @@ BOOLEAN > ); >=20 > /** > - Performs AES encryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES encryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > encrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES enc= ryption > output. > - > - @retval TRUE AES encryption succeeded. > - @retval FALSE AES encryption failed. > - @retval FALSE This interface is not supported. > + AES ECB Mode is deprecated and unsupported any longer. > + Keep the function field for binary compability. >=20 > **/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) ( > IN VOID *AesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > OUT UINT8 *Output > ); >=20 > -/** > - Performs AES decryption on a data buffer of the specified size in ECB = mode. > - > - This function performs AES decryption on data buffer pointed by Input,= of > specified > - size of InputSize, in ECB mode. > - InputSize must be multiple of block size (16 bytes). This function doe= s not > perform > - padding. Caller must perform padding, if necessary, to ensure valid in= put data > size. > - AesContext should be already correctly initialized by AesInit(). Behav= ior with > - invalid AES context is undefined. > - > - If AesContext is NULL, then return FALSE. > - If Input is NULL, then return FALSE. > - If InputSize is not multiple of block size (16 bytes), then return FAL= SE. > - If Output is NULL, then return FALSE. > - If this interface is not supported, then return FALSE. > - > - @param[in] AesContext Pointer to the AES context. > - @param[in] Input Pointer to the buffer containing the data to = be > decrypted. > - @param[in] InputSize Size of the Input buffer in bytes. > - @param[out] Output Pointer to a buffer that receives the AES dec= ryption > output. > - > - @retval TRUE AES decryption succeeded. > - @retval FALSE AES decryption failed. > - @retval FALSE This interface is not supported. > - > -**/ > typedef > BOOLEAN > -(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) ( > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) ( > IN VOID *AesContext, > IN CONST UINT8 *Input, > IN UINTN InputSize, > @@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL { > DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT > DeprecatedTdesEcbDecrypt; > DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT > DeprecatedTdesCbcEncrypt; > DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT > DeprecatedTdesCbcDecrypt; > - /// AES > + /// AES - ECB Mode is deprecated and unsupported > EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize; > EDKII_CRYPTO_AES_INIT AesInit; > - EDKII_CRYPTO_AES_ECB_ENCRYPT AesEcbEncrypt; > - EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt; > + DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT > DeprecatedAesEcbEncrypt; > + DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT > DeprecatedAesEcbDecrypt; > EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt; > EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt; > /// Arc4 - deprecated and unsupported > -- > 2.21.0.windows.1