[edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[eddie wang]

[-- Attachment #1: Type: text/plain, Size: 838 bytes --]

Hi all,
We had an UEFI application that used the EDK2(2023/12/05), and  we would
like to take advantage of the services in BaseCryptLib .However, the API in
CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always returned false
because of  the pseudorandom number generator set up failed. I am not sure
this issue is from the *openssl configuration in OpensslLib(we use the
default configuration)* or is from the *openssl 3.0.9*.

Is there any comments about this issue?

BR,
Eddie


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115170): https://edk2.groups.io/g/devel/message/115170
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 1381 bytes --]

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Laszlo Ersek]

On 2/6/24 08:00, eddie wang wrote:
> Hi all,
> We had an UEFI application that used the EDK2(2023/12/05), and  we would
> like to take advantage of the services in BaseCryptLib .However, the API
> in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always returned
> false because of  the pseudorandom number generator set up failed. I am
> not sure this issue is from the *openssl configuration in OpensslLib(we
> use the default configuration)* or is from the *openssl 3.0.9*. 
> 
> Is there any comments about this issue?

Can you narrow it down by inserting DEBUGs starting at RandomSeed()
[CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then digging
down as necessary?

Laszlo



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115254): https://edk2.groups.io/g/devel/message/115254
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[eddie wang]

[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]

Hi Laszlo,
Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? Or any
suggesting information that I can provide?

BR,
Eddie

Laszlo Ersek <lersek@redhat.com> 於 2024年2月8日 週四 上午5:03寫道：

> On 2/6/24 08:00, eddie wang wrote:
> > Hi all,
> > We had an UEFI application that used the EDK2(2023/12/05), and  we would
> > like to take advantage of the services in BaseCryptLib .However, the API
> > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always returned
> > false because of  the pseudorandom number generator set up failed. I am
> > not sure this issue is from the *openssl configuration in OpensslLib(we
> > use the default configuration)* or is from the *openssl 3.0.9*.
> >
> > Is there any comments about this issue?
>
> Can you narrow it down by inserting DEBUGs starting at RandomSeed()
> [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then digging
> down as necessary?
>
> Laszlo
>
>
>
> 
>
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115519): https://edk2.groups.io/g/devel/message/115519
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 2172 bytes --]

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Laszlo Ersek]

On 2/15/24 12:09, eddie wang wrote:
> Hi Laszlo,
> Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? Or
> any suggesting information that I can provide?

Sorry, upon a closer look, I see you had already narrowed it down to
RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
suggestion would amount to adding DEBUGs to OpenSSL, such as to
RAND_seed() in
"CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".

But, I think you may be able to do just that.
"CryptoPkg/Library/Include/CrtLibSupport.h" already includes
<DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
instance of OpensslLib. So if you modify your
"CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
with the following patch:

| diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
| index 0fcf4fe3bc1e..e5f105268f52 100644
| --- a/crypto/rand/rand_lib.c
| +++ b/crypto/rand/rand_lib.c
| @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
|      drbg = RAND_get0_primary(NULL);
|      if (drbg != NULL && num > 0)
|          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
| +
| +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
|  }
|
|  void RAND_add(const void *buf, int num, double randomness)

then you should get usable debug messages -- at least it builds for me.

Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
should lead you to the exact location that is responsible for the
initialization failure.

You mention you have encountered the problem with a UEFI application.
That is relevant for choosing your DebugLib instance. If you already
have a function DebugLib instance for your platform (logging to the
serial port, for example), then just use that.

Otherwise, consider building your UEFI application with a module scope
override in the DSC file, one that resolves DebugLib to

  MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf

or

  MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf

These will send DEBUG messages to the UEFI console or standard error
devices, respectively.

hth
Laszlo

> Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> 8日 週四 上午5:03寫道：
>
>     On 2/6/24 08:00, eddie wang wrote:
>     > Hi all,
>     > We had an UEFI application that used the EDK2(2023/12/05), and  we
>     would
>     > like to take advantage of the services in BaseCryptLib .However,
>     the API
>     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always returned
>     > false because of  the pseudorandom number generator set up failed.
>     I am
>     > not sure this issue is from the *openssl configuration in
>     OpensslLib(we
>     > use the default configuration)* or is from the *openssl 3.0.9*.
>     >
>     > Is there any comments about this issue?
>
>     Can you narrow it down by inserting DEBUGs starting at RandomSeed()
>     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then digging
>     down as necessary?
>
>     Laszlo
>
>
>
>     
>
>



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115521): https://edk2.groups.io/g/devel/message/115521
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[eddie wang]

[-- Attachment #1: Type: text/plain, Size: 4233 bytes --]

Hi Laszlo,
After digging dipper,  we found that the *EVP_RAND_fetch *in "rand_new_seed"
and "rand_new_drbg" both got NULL in our case. It's meant the DRBG
implementation could
not be fetched. We also compared it to the case on Linux, and they could
both fetched DRBG implementation correctly. Is it possible that the
opensslLib 3.0.9 caused any compatibility issues with edk2?  Or has anyone
else encountered the same problem with these openssl services?

BR,
Eddie

Laszlo Ersek <lersek@redhat.com> 於 2024年2月15日 週四 下午7:48寫道：

> On 2/15/24 12:09, eddie wang wrote:
> > Hi Laszlo,
> > Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? Or
> > any suggesting information that I can provide?
>
> Sorry, upon a closer look, I see you had already narrowed it down to
> RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> suggestion would amount to adding DEBUGs to OpenSSL, such as to
> RAND_seed() in
> "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
>
> But, I think you may be able to do just that.
> "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> instance of OpensslLib. So if you modify your
> "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> with the following patch:
>
> | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> | index 0fcf4fe3bc1e..e5f105268f52 100644
> | --- a/crypto/rand/rand_lib.c
> | +++ b/crypto/rand/rand_lib.c
> | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> |      drbg = RAND_get0_primary(NULL);
> |      if (drbg != NULL && num > 0)
> |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> | +
> | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> |  }
> |
> |  void RAND_add(const void *buf, int num, double randomness)
>
> then you should get usable debug messages -- at least it builds for me.
>
> Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> should lead you to the exact location that is responsible for the
> initialization failure.
>
> You mention you have encountered the problem with a UEFI application.
> That is relevant for choosing your DebugLib instance. If you already
> have a function DebugLib instance for your platform (logging to the
> serial port, for example), then just use that.
>
> Otherwise, consider building your UEFI application with a module scope
> override in the DSC file, one that resolves DebugLib to
>
>   MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
>
> or
>
>   MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
>
> These will send DEBUG messages to the UEFI console or standard error
> devices, respectively.
>
> hth
> Laszlo
>
> > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> > 8日 週四 上午5:03寫道：
> >
> >     On 2/6/24 08:00, eddie wang wrote:
> >     > Hi all,
> >     > We had an UEFI application that used the EDK2(2023/12/05), and  we
> >     would
> >     > like to take advantage of the services in BaseCryptLib .However,
> >     the API
> >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> returned
> >     > false because of  the pseudorandom number generator set up failed.
> >     I am
> >     > not sure this issue is from the *openssl configuration in
> >     OpensslLib(we
> >     > use the default configuration)* or is from the *openssl 3.0.9*.
> >     >
> >     > Is there any comments about this issue?
> >
> >     Can you narrow it down by inserting DEBUGs starting at RandomSeed()
> >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> digging
> >     down as necessary?
> >
> >     Laszlo
> >
> >
> >
> >     
> >
> >
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115565): https://edk2.groups.io/g/devel/message/115565
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 5666 bytes --]

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Laszlo Ersek]

On 2/17/24 10:17, eddie wang wrote:
> Hi Laszlo,
> After digging dipper,  we found that the *EVP_RAND_fetch *in
> "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> meant the DRBG implementation could 
> not be fetched. We also compared it to the case on Linux, and they could
> both fetched DRBG implementation correctly. Is it possible that the
> opensslLib 3.0.9 caused any compatibility issues with edk2?  Or has
> anyone else encountered the same problem with these openssl services?

Sorry, I can't say.

If you have a small reproducer UEFI application that works fine when
built with edk2-stable202305, but does not work when built against
either edk2-stable202308 or current master, then filing a TianoCore BZ
(regression) seems justified. (AFAICT it was edk2-stable202308 that
incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
source code of the small repro application to the ticket would likely be
helpful.

Laszlo

> Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> 15日 週四 下午7:48寫道：
> 
>     On 2/15/24 12:09, eddie wang wrote:
>     > Hi Laszlo,
>     > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
>     ? Or
>     > any suggesting information that I can provide?
> 
>     Sorry, upon a closer look, I see you had already narrowed it down to
>     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
>     suggestion would amount to adding DEBUGs to OpenSSL, such as to
>     RAND_seed() in
>     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> 
>     But, I think you may be able to do just that.
>     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
>     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
>     instance of OpensslLib. So if you modify your
>     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
>     with the following patch:
> 
>     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
>     | index 0fcf4fe3bc1e..e5f105268f52 100644
>     | --- a/crypto/rand/rand_lib.c
>     | +++ b/crypto/rand/rand_lib.c
>     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
>     |      drbg = RAND_get0_primary(NULL);
>     |      if (drbg != NULL && num > 0)
>     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
>     | +
>     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
>     |  }
>     |
>     |  void RAND_add(const void *buf, int num, double randomness)
> 
>     then you should get usable debug messages -- at least it builds for me.
> 
>     Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
>     should lead you to the exact location that is responsible for the
>     initialization failure.
> 
>     You mention you have encountered the problem with a UEFI application.
>     That is relevant for choosing your DebugLib instance. If you already
>     have a function DebugLib instance for your platform (logging to the
>     serial port, for example), then just use that.
> 
>     Otherwise, consider building your UEFI application with a module scope
>     override in the DSC file, one that resolves DebugLib to
> 
>       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> 
>     or
> 
>       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> 
>     These will send DEBUG messages to the UEFI console or standard error
>     devices, respectively.
> 
>     hth
>     Laszlo
> 
>     > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
>     <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
>     > 8日 週四 上午5:03寫道：
>     >
>     >     On 2/6/24 08:00, eddie wang wrote:
>     >     > Hi all,
>     >     > We had an UEFI application that used the EDK2(2023/12/05),
>     and  we
>     >     would
>     >     > like to take advantage of the services in BaseCryptLib .However,
>     >     the API
>     >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
>     returned
>     >     > false because of  the pseudorandom number generator set up
>     failed.
>     >     I am
>     >     > not sure this issue is from the *openssl configuration in
>     >     OpensslLib(we
>     >     > use the default configuration)* or is from the *openssl 3.0.9*.
>     >     >
>     >     > Is there any comments about this issue?
>     >
>     >     Can you narrow it down by inserting DEBUGs starting at
>     RandomSeed()
>     >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
>     digging
>     >     down as necessary?
>     >
>     >     Laszlo
>     >
>     >
>     >
>     >     
>     >
>     >
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115599): https://edk2.groups.io/g/devel/message/115599
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Yao, Jiewen]

Thanks Laslo and Eddie.

I am just back from Chinese New Year vocation, still checking email.

If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source code of your app, that would be very helpful for us to investigate this issue.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: Tuesday, February 20, 2024 4:18 AM
> To: eddie wang <qw1562435@gmail.com>
> Cc: devel@edk2.groups.io
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom
> number generator properly
> 
> On 2/17/24 10:17, eddie wang wrote:
> > Hi Laszlo,
> > After digging dipper,  we found that the *EVP_RAND_fetch *in
> > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> > meant the DRBG implementation could
> > not be fetched. We also compared it to the case on Linux, and they could
> > both fetched DRBG implementation correctly. Is it possible that the
> > opensslLib 3.0.9 caused any compatibility issues with edk2?  Or has
> > anyone else encountered the same problem with these openssl services?
> 
> Sorry, I can't say.
> 
> If you have a small reproducer UEFI application that works fine when
> built with edk2-stable202305, but does not work when built against
> either edk2-stable202308 or current master, then filing a TianoCore BZ
> (regression) seems justified. (AFAICT it was edk2-stable202308 that
> incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
> source code of the small repro application to the ticket would likely be
> helpful.
> 
> Laszlo
> 
> > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> > 15日 週四 下午7:48寫道：
> >
> >     On 2/15/24 12:09, eddie wang wrote:
> >     > Hi Laszlo,
> >     > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> >     ? Or
> >     > any suggesting information that I can provide?
> >
> >     Sorry, upon a closer look, I see you had already narrowed it down to
> >     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> >     suggestion would amount to adding DEBUGs to OpenSSL, such as to
> >     RAND_seed() in
> >     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> >
> >     But, I think you may be able to do just that.
> >     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> >     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> >     instance of OpensslLib. So if you modify your
> >     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> >     with the following patch:
> >
> >     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> >     | index 0fcf4fe3bc1e..e5f105268f52 100644
> >     | --- a/crypto/rand/rand_lib.c
> >     | +++ b/crypto/rand/rand_lib.c
> >     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> >     |      drbg = RAND_get0_primary(NULL);
> >     |      if (drbg != NULL && num > 0)
> >     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> >     | +
> >     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> >     |  }
> >     |
> >     |  void RAND_add(const void *buf, int num, double randomness)
> >
> >     then you should get usable debug messages -- at least it builds for me.
> >
> >     Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> >     should lead you to the exact location that is responsible for the
> >     initialization failure.
> >
> >     You mention you have encountered the problem with a UEFI application.
> >     That is relevant for choosing your DebugLib instance. If you already
> >     have a function DebugLib instance for your platform (logging to the
> >     serial port, for example), then just use that.
> >
> >     Otherwise, consider building your UEFI application with a module scope
> >     override in the DSC file, one that resolves DebugLib to
> >
> >       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> >
> >     or
> >
> >       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> >
> >     These will send DEBUG messages to the UEFI console or standard error
> >     devices, respectively.
> >
> >     hth
> >     Laszlo
> >
> >     > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
> >     <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
> >     > 8日 週四 上午5:03寫道：
> >     >
> >     >     On 2/6/24 08:00, eddie wang wrote:
> >     >     > Hi all,
> >     >     > We had an UEFI application that used the EDK2(2023/12/05),
> >     and  we
> >     >     would
> >     >     > like to take advantage of the services in BaseCryptLib .However,
> >     >     the API
> >     >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> >     returned
> >     >     > false because of  the pseudorandom number generator set up
> >     failed.
> >     >     I am
> >     >     > not sure this issue is from the *openssl configuration in
> >     >     OpensslLib(we
> >     >     > use the default configuration)* or is from the *openssl 3.0.9*.
> >     >     >
> >     >     > Is there any comments about this issue?
> >     >
> >     >     Can you narrow it down by inserting DEBUGs starting at
> >     RandomSeed()
> >     >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> >     digging
> >     >     down as necessary?
> >     >
> >     >     Laszlo
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115612): https://edk2.groups.io/g/devel/message/115612
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Li, Yi]

Hi Eddie,

> the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always returned false

Does your code run in a XIP environment? Such like PreMemory stage or other cases.
The setup of Randlib in OpenSsl 3.0 relies on global variables, so there may be an error if the global variables are read-only.

Regards,
Yi


-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
Sent: Tuesday, February 20, 2024 9:11 AM
To: devel@edk2.groups.io; lersek@redhat.com; eddie wang <qw1562435@gmail.com>
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

Thanks Laslo and Eddie.

I am just back from Chinese New Year vocation, still checking email.

If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source code of your app, that would be very helpful for us to investigate this issue.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo 
> Ersek
> Sent: Tuesday, February 20, 2024 4:18 AM
> To: eddie wang <qw1562435@gmail.com>
> Cc: devel@edk2.groups.io
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the 
> pseudorandom number generator properly
> 
> On 2/17/24 10:17, eddie wang wrote:
> > Hi Laszlo,
> > After digging dipper,  we found that the *EVP_RAND_fetch *in 
> > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's 
> > meant the DRBG implementation could not be fetched. We also compared 
> > it to the case on Linux, and they could both fetched DRBG 
> > implementation correctly. Is it possible that the opensslLib 3.0.9 
> > caused any compatibility issues with edk2?  Or has anyone else 
> > encountered the same problem with these openssl services?
> 
> Sorry, I can't say.
> 
> If you have a small reproducer UEFI application that works fine when 
> built with edk2-stable202305, but does not work when built against 
> either edk2-stable202308 or current master, then filing a TianoCore BZ
> (regression) seems justified. (AFAICT it was edk2-stable202308 that 
> incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the 
> source code of the small repro application to the ticket would likely 
> be helpful.
> 
> Laszlo
> 
> > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 
> > 2024年2月
> > 15日 週四 下午7:48寫道：
> >
> >     On 2/15/24 12:09, eddie wang wrote:
> >     > Hi Laszlo,
> >     > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> >     ? Or
> >     > any suggesting information that I can provide?
> >
> >     Sorry, upon a closer look, I see you had already narrowed it down to
> >     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> >     suggestion would amount to adding DEBUGs to OpenSSL, such as to
> >     RAND_seed() in
> >     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> >
> >     But, I think you may be able to do just that.
> >     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> >     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> >     instance of OpensslLib. So if you modify your
> >     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> >     with the following patch:
> >
> >     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> >     | index 0fcf4fe3bc1e..e5f105268f52 100644
> >     | --- a/crypto/rand/rand_lib.c
> >     | +++ b/crypto/rand/rand_lib.c
> >     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> >     |      drbg = RAND_get0_primary(NULL);
> >     |      if (drbg != NULL && num > 0)
> >     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> >     | +
> >     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> >     |  }
> >     |
> >     |  void RAND_add(const void *buf, int num, double randomness)
> >
> >     then you should get usable debug messages -- at least it builds for me.
> >
> >     Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> >     should lead you to the exact location that is responsible for the
> >     initialization failure.
> >
> >     You mention you have encountered the problem with a UEFI application.
> >     That is relevant for choosing your DebugLib instance. If you already
> >     have a function DebugLib instance for your platform (logging to the
> >     serial port, for example), then just use that.
> >
> >     Otherwise, consider building your UEFI application with a module scope
> >     override in the DSC file, one that resolves DebugLib to
> >
> >       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> >
> >     or
> >
> >       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> >
> >     These will send DEBUG messages to the UEFI console or standard error
> >     devices, respectively.
> >
> >     hth
> >     Laszlo
> >
> >     > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
> >     <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
> >     > 8日 週四 上午5:03寫道：
> >     >
> >     >     On 2/6/24 08:00, eddie wang wrote:
> >     >     > Hi all,
> >     >     > We had an UEFI application that used the EDK2(2023/12/05),
> >     and  we
> >     >     would
> >     >     > like to take advantage of the services in BaseCryptLib .However,
> >     >     the API
> >     >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> >     returned
> >     >     > false because of  the pseudorandom number generator set up
> >     failed.
> >     >     I am
> >     >     > not sure this issue is from the *openssl configuration in
> >     >     OpensslLib(we
> >     >     > use the default configuration)* or is from the *openssl 3.0.9*.
> >     >     >
> >     >     > Is there any comments about this issue?
> >     >
> >     >     Can you narrow it down by inserting DEBUGs starting at
> >     RandomSeed()
> >     >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> >     digging
> >     >     down as necessary?
> >     >
> >     >     Laszlo
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> 
> 
> 
> 
> 








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115613): https://edk2.groups.io/g/devel/message/115613
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[eddie wang]

[-- Attachment #1.1: Type: text/plain, Size: 7661 bytes --]

Hi and many thanks to all of you,
I'm not entirely sure if it's running in a XIP environment, but I think
not. Our application executed on UEFI interactive shell and it was put in
an USB device(as the FS0 showed in the screenshot). And here's another
question as well, because I found that the drbg implementation counld not
be fetched in our case,  and I discovered that our package did not include
"OpensslLibCrypto.inf." Could it be connected to our problem?
[image: 430.png]


BR,
Eddie Wang

Li, Yi <yi1.li@intel.com> 於 2024年2月20日 週二 上午9:49寫道：

> Hi Eddie,
>
> > the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always
> returned false
>
> Does your code run in a XIP environment? Such like PreMemory stage or
> other cases.
> The setup of Randlib in OpenSsl 3.0 relies on global variables, so there
> may be an error if the global variables are read-only.
>
> Regards,
> Yi
>
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Tuesday, February 20, 2024 9:11 AM
> To: devel@edk2.groups.io; lersek@redhat.com; eddie wang <
> qw1562435@gmail.com>
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> pseudorandom number generator properly
>
> Thanks Laslo and Eddie.
>
> I am just back from Chinese New Year vocation, still checking email.
>
> If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source
> code of your app, that would be very helpful for us to investigate this
> issue.
>
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
> > Ersek
> > Sent: Tuesday, February 20, 2024 4:18 AM
> > To: eddie wang <qw1562435@gmail.com>
> > Cc: devel@edk2.groups.io
> > Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> > pseudorandom number generator properly
> >
> > On 2/17/24 10:17, eddie wang wrote:
> > > Hi Laszlo,
> > > After digging dipper,  we found that the *EVP_RAND_fetch *in
> > > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> > > meant the DRBG implementation could not be fetched. We also compared
> > > it to the case on Linux, and they could both fetched DRBG
> > > implementation correctly. Is it possible that the opensslLib 3.0.9
> > > caused any compatibility issues with edk2?  Or has anyone else
> > > encountered the same problem with these openssl services?
> >
> > Sorry, I can't say.
> >
> > If you have a small reproducer UEFI application that works fine when
> > built with edk2-stable202305, but does not work when built against
> > either edk2-stable202308 or current master, then filing a TianoCore BZ
> > (regression) seems justified. (AFAICT it was edk2-stable202308 that
> > incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
> > source code of the small repro application to the ticket would likely
> > be helpful.
> >
> > Laszlo
> >
> > > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於
> > > 2024年2月
> > > 15日 週四 下午7:48寫道：
> > >
> > >     On 2/15/24 12:09, eddie wang wrote:
> > >     > Hi Laszlo,
> > >     > Thanks for your reply. How can I enable the DEBUGs at
> RandomSeed()
> > >     ? Or
> > >     > any suggesting information that I can provide?
> > >
> > >     Sorry, upon a closer look, I see you had already narrowed it down
> to
> > >     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> > >     suggestion would amount to adding DEBUGs to OpenSSL, such as to
> > >     RAND_seed() in
> > >     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> > >
> > >     But, I think you may be able to do just that.
> > >     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> > >     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> > >     instance of OpensslLib. So if you modify your
> > >     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree
> locally,
> > >     with the following patch:
> > >
> > >     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> > >     | index 0fcf4fe3bc1e..e5f105268f52 100644
> > >     | --- a/crypto/rand/rand_lib.c
> > >     | +++ b/crypto/rand/rand_lib.c
> > >     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> > >     |      drbg = RAND_get0_primary(NULL);
> > >     |      if (drbg != NULL && num > 0)
> > >     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> > >     | +
> > >     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> > >     |  }
> > >     |
> > >     |  void RAND_add(const void *buf, int num, double randomness)
> > >
> > >     then you should get usable debug messages -- at least it builds
> for me.
> > >
> > >     Inserting DEBUGs like this (over multiple rounds of testing /
> narrowing)
> > >     should lead you to the exact location that is responsible for the
> > >     initialization failure.
> > >
> > >     You mention you have encountered the problem with a UEFI
> application.
> > >     That is relevant for choosing your DebugLib instance. If you
> already
> > >     have a function DebugLib instance for your platform (logging to the
> > >     serial port, for example), then just use that.
> > >
> > >     Otherwise, consider building your UEFI application with a module
> scope
> > >     override in the DSC file, one that resolves DebugLib to
> > >
> > >       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> > >
> > >     or
> > >
> > >       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> > >
> > >     These will send DEBUG messages to the UEFI console or standard
> error
> > >     devices, respectively.
> > >
> > >     hth
> > >     Laszlo
> > >
> > >     > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
> > >     <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
> > >     > 8日 週四 上午5:03寫道：
> > >     >
> > >     >     On 2/6/24 08:00, eddie wang wrote:
> > >     >     > Hi all,
> > >     >     > We had an UEFI application that used the EDK2(2023/12/05),
> > >     and  we
> > >     >     would
> > >     >     > like to take advantage of the services in BaseCryptLib
> .However,
> > >     >     the API
> > >     >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> > >     returned
> > >     >     > false because of  the pseudorandom number generator set up
> > >     failed.
> > >     >     I am
> > >     >     > not sure this issue is from the *openssl configuration in
> > >     >     OpensslLib(we
> > >     >     > use the default configuration)* or is from the *openssl
> 3.0.9*.
> > >     >     >
> > >     >     > Is there any comments about this issue?
> > >     >
> > >     >     Can you narrow it down by inserting DEBUGs starting at
> > >     RandomSeed()
> > >     >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and
> then
> > >     digging
> > >     >     down as necessary?
> > >     >
> > >     >     Laszlo
> > >     >
> > >     >
> > >     >
> > >     >
> > >     >
> > >     >
> > >
> >
> >
> >
> >
> >
>
>
>
>
>
>
>
>
> 
>
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116156): https://edk2.groups.io/g/devel/message/116156
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #1.2: Type: text/html, Size: 11080 bytes --]

[-- Attachment #2: 430.png --]
[-- Type: image/png, Size: 49151 bytes --]

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

[Li, Yi]

[-- Attachment #1.1: Type: text/plain, Size: 8261 bytes --]

Hi Eddie,

There will be build error if you didn’t include OpensslLib*.inf but consume openssl BaseCryptLib, are you using BaseCryptLibOnProtocolPpi?
This sounds strange, CryptRand should work fine in non-XIP environments, could you send me .map file of your application?

Regards,
Yi


From: eddie wang <qw1562435@gmail.com>
Sent: Thursday, February 29, 2024 5:49 PM
To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

Hi and many thanks to all of you,
I'm not entirely sure if it's running in a XIP environment, but I think not. Our application executed on UEFI interactive shell and it was put in an USB device(as the FS0 showed in the screenshot). And here's another question as well, because I found that the drbg implementation counld not be fetched in our case,  and I discovered that our package did not include "OpensslLibCrypto.inf." Could it be connected to our problem?
[cid:image001.png@01DA6B44.21876340]


BR,
Eddie Wang

Li, Yi <yi1.li@intel.com<mailto:yi1.li@intel.com>> 於 2024年2月20日 週二 上午9:49寫道：
Hi Eddie,

> the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always returned false

Does your code run in a XIP environment? Such like PreMemory stage or other cases.
The setup of Randlib in OpenSsl 3.0 relies on global variables, so there may be an error if the global variables are read-only.

Regards,
Yi


-----Original Message-----
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Yao, Jiewen
Sent: Tuesday, February 20, 2024 9:11 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; lersek@redhat.com<mailto:lersek@redhat.com>; eddie wang <qw1562435@gmail.com<mailto:qw1562435@gmail.com>>
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

Thanks Laslo and Eddie.

I am just back from Chinese New Year vocation, still checking email.

If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source code of your app, that would be very helpful for us to investigate this issue.


> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Laszlo
> Ersek
> Sent: Tuesday, February 20, 2024 4:18 AM
> To: eddie wang <qw1562435@gmail.com<mailto:qw1562435@gmail.com>>
> Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> pseudorandom number generator properly
>
> On 2/17/24 10:17, eddie wang wrote:
> > Hi Laszlo,
> > After digging dipper,  we found that the *EVP_RAND_fetch *in
> > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> > meant the DRBG implementation could not be fetched. We also compared
> > it to the case on Linux, and they could both fetched DRBG
> > implementation correctly. Is it possible that the opensslLib 3.0.9
> > caused any compatibility issues with edk2?  Or has anyone else
> > encountered the same problem with these openssl services?
>
> Sorry, I can't say.
>
> If you have a small reproducer UEFI application that works fine when
> built with edk2-stable202305, but does not work when built against
> either edk2-stable202308 or current master, then filing a TianoCore BZ
> (regression) seems justified. (AFAICT it was edk2-stable202308 that
> incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
> source code of the small repro application to the ticket would likely
> be helpful.
>
> Laszlo
>
> > Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com> <mailto:lersek@redhat.com<mailto:lersek@redhat.com>>> 於
> > 2024年2月
> > 15日 週四 下午7:48寫道：
> >
> >     On 2/15/24 12:09, eddie wang wrote:
> >     > Hi Laszlo,
> >     > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> >     ? Or
> >     > any suggesting information that I can provide?
> >
> >     Sorry, upon a closer look, I see you had already narrowed it down to
> >     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> >     suggestion would amount to adding DEBUGs to OpenSSL, such as to
> >     RAND_seed() in
> >     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> >
> >     But, I think you may be able to do just that.
> >     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> >     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> >     instance of OpensslLib. So if you modify your
> >     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> >     with the following patch:
> >
> >     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> >     | index 0fcf4fe3bc1e..e5f105268f52 100644
> >     | --- a/crypto/rand/rand_lib.c
> >     | +++ b/crypto/rand/rand_lib.c
> >     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> >     |      drbg = RAND_get0_primary(NULL);
> >     |      if (drbg != NULL && num > 0)
> >     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> >     | +
> >     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> >     |  }
> >     |
> >     |  void RAND_add(const void *buf, int num, double randomness)
> >
> >     then you should get usable debug messages -- at least it builds for me.
> >
> >     Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> >     should lead you to the exact location that is responsible for the
> >     initialization failure.
> >
> >     You mention you have encountered the problem with a UEFI application.
> >     That is relevant for choosing your DebugLib instance. If you already
> >     have a function DebugLib instance for your platform (logging to the
> >     serial port, for example), then just use that.
> >
> >     Otherwise, consider building your UEFI application with a module scope
> >     override in the DSC file, one that resolves DebugLib to
> >
> >       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> >
> >     or
> >
> >       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> >
> >     These will send DEBUG messages to the UEFI console or standard error
> >     devices, respectively.
> >
> >     hth
> >     Laszlo
> >
> >     > Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com> <mailto:lersek@redhat.com<mailto:lersek@redhat.com>>
> >     <mailto:lersek@redhat.com<mailto:lersek@redhat.com> <mailto:lersek@redhat.com<mailto:lersek@redhat.com>>>> 於 2024年2月
> >     > 8日 週四 上午5:03寫道：
> >     >
> >     >     On 2/6/24 08:00, eddie wang wrote:
> >     >     > Hi all,
> >     >     > We had an UEFI application that used the EDK2(2023/12/05),
> >     and  we
> >     >     would
> >     >     > like to take advantage of the services in BaseCryptLib .However,
> >     >     the API
> >     >     > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> >     returned
> >     >     > false because of  the pseudorandom number generator set up
> >     failed.
> >     >     I am
> >     >     > not sure this issue is from the *openssl configuration in
> >     >     OpensslLib(we
> >     >     > use the default configuration)* or is from the *openssl 3.0.9*.
> >     >     >
> >     >     > Is there any comments about this issue?
> >     >
> >     >     Can you narrow it down by inserting DEBUGs starting at
> >     RandomSeed()
> >     >     [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> >     digging
> >     >     down as necessary?
> >     >
> >     >     Laszlo
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
>
>
>
>
>












-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116160): https://edk2.groups.io/g/devel/message/116160
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #1.2: Type: text/html, Size: 17053 bytes --]

[-- Attachment #2: image001.png --]
[-- Type: image/png, Size: 49151 bytes --]