REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
MD5 and SHA1 are no longer secure, but the UEFI spec needs to keep them
for backwards compatibility.
Use the PCD PcdSHA1Enable to control whether the SHA1 functions are enabled.
When it is disabled, the SHA1 functions are not compiled.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
CryptoPkg/Driver/Crypto.c | 8 ++++++++
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 3 +++
.../Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c | 3 +++
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c | 3 +++
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 2 ++
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 2 ++
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
.../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 4 +++-
.../Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 4 ++++
CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 12 ++++++++++++
CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf | 1 +
CryptoPkg/Private/Protocol/Crypto.h | 9 ++++++++-
15 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index b53da85bad..f7902205b3 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -266,6 +266,7 @@ CryptoServiceMd5HashAll (
}
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
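Review bot: The `#if (FixedPcdGetBool (PcdSHA1Enable))` guard added here is evaluated in a module whose INF this patch does not touch. The diffstat adds PcdSHA1Enable only to the four BaseCryptLib INFs and BaseHashApiLib.inf, not to the INFs of the Crypto driver, BaseCryptLibOnProtocolPpi or BaseCryptLibNull. Unless an earlier patch in the series declares it there, the value macro that FixedPcdGetBool expands to is presumably not generated for those modules, and an undefined identifier inside `#if` evaluates to 0, so the SHA-1 services would compile out silently whatever the platform sets. Declaring `gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable` in the `[Pcd]` section of every consuming INF would make the guard follow the platform value; the same applies to the guards in CryptLib.c and BaseCryptLibNull/Hmac/CryptHmacSha1Null.c.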
@@ -423,6 +424,7 @@ CryptoServiceSha1HashAll (
{
return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@@ -1177,6 +1179,7 @@ CryptoServiceHmacMd5Final (
}
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -1327,6 +1330,7 @@ CryptoServiceHmacSha1Final (
{
return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
}
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
@@ -3820,6 +3824,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceHmacMd5Update,
CryptoServiceHmacMd5Final,
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/// HMAC SHA1
CryptoServiceHmacSha1New,
CryptoServiceHmacSha1Free,
@@ -3827,6 +3832,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceHmacSha1Duplicate,
CryptoServiceHmacSha1Update,
CryptoServiceHmacSha1Final,
+#endif
/// HMAC SHA256
CryptoServiceHmacSha256New,
CryptoServiceHmacSha256Free,
@@ -3877,6 +3883,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceRsaPkcs1Verify,
CryptoServiceRsaGetPrivateKeyFromPem,
CryptoServiceRsaGetPublicKeyFromX509,
+#if (FixedPcdGetBool (PcdSHA1Enable))
/// Sha1
CryptoServiceSha1GetContextSize,
CryptoServiceSha1Init,
@@ -3884,6 +3891,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceSha1Update,
CryptoServiceSha1Final,
CryptoServiceSha1HashAll,
+#endif
/// Sha256
CryptoServiceSha256GetContextSize,
CryptoServiceSha256Init,
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 5c65ef5892..9ffd98096c 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -85,6 +85,7 @@
[Pcd]
gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+ gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
#
# Remove these [BuildOptions] after this library is cleaned up
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
index 7593ca55b1..baba6b267c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
@@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdSHA1Enable))
#include "InternalCryptLib.h"
#include <openssl/hmac.h>
@@ -214,3 +216,4 @@ HmacSha1Final (
return TRUE;
}
+#endif
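Review bot: The bare `#endif` added after HmacSha1Final closes a guard opened near the top of the file, roughly 200 lines earlier going by the hunk headers, and nothing marks what it closes. `#endif // FixedPcdGetBool (PcdSHA1Enable)` would make the pairing readable. The same applies to the other long-range guards this patch adds in Crypto.c, CryptLib.c and Crypto.h.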
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
index e8c0f341b7..1314fa1a77 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
@@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdSHA1Enable))
#include "InternalCryptLib.h"
/**
@@ -137,3 +139,4 @@ HmacSha1Final (
ASSERT (FALSE);
return FALSE;
}
+#endif
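Review bot: Guarding the Null stub removes the fail-closed behaviour this file exists to provide: the visible tail of HmacSha1Final is `ASSERT (FALSE); return FALSE;`, which is already what a caller should get when HMAC-SHA1 is unavailable. With the guard, a FALSE PcdSHA1Enable leaves no definition at all, so any remaining caller presumably fails at link time instead of receiving FALSE. Consider leaving the Null files unguarded, i.e. dropping the `#if`/`#endif` pair here and in BaseCryptLibNull/Hmac/CryptHmacSha1Null.c. The body of HmacSha1Final starts outside this hunk.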
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index cebc74ccf2..b40e76f243 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -78,6 +78,7 @@
[Pcd]
gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+ gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
#
# Remove these [BuildOptions] after this library is cleaned up
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
index a89c1525c1..15e6bc2cb4 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
@@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
+#include <Library/PcdLib.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
@@ -68,9 +69,11 @@ Pkcs5HashPassword (
// Make sure the digest algorithm is supported.
//
switch (DigestSize) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case SHA1_DIGEST_SIZE:
HashAlg = EVP_sha1();
break;
+#endif
case SHA256_DIGEST_SIZE:
HashAlg = EVP_sha256();
break;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
index 31b78464d2..549ee1b933 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
@@ -298,9 +298,11 @@ RsaPkcs1Verify (
break;
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
break;
+#endif
case SHA256_DIGEST_SIZE:
DigestType = NID_sha256;
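Review bot: Dropping the `SHA1_DIGEST_SIZE` case narrows only the digest sizes RsaPkcs1Verify accepts from its caller. No file in the diffstat touches the PKCS#7, Authenticode or X.509 verification paths, where the digest is presumably selected by OpenSSL from the signed data rather than through this switch. A platform that sets PcdSHA1Enable to FALSE could therefore still accept SHA-1-based signatures through those paths, which is worth confirming and stating in the PCD's description. A comment above the guard such as `// SHA-1 digests are rejected here when PcdSHA1Enable is FALSE; certificate and PKCS#7 verification are not affected by this PCD.` would document the scope. The switch starts and ends outside the hunk, and the same applies to RsaPkcs1Sign in CryptRsaExt.c.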
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
index 1a50be1d78..60605e3486 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
@@ -336,9 +336,11 @@ RsaPkcs1Sign (
break;
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
break;
+#endif
case SHA256_DIGEST_SIZE:
DigestType = NID_sha256;
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 72d4cd03ab..b6c0be70f2 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -90,6 +90,7 @@
[Pcd]
gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+ gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
#
# Remove these [BuildOptions] after this library is cleaned up
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 21f104c916..7f678eee93 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -89,6 +89,7 @@
[Pcd]
gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
+ gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
#
# Remove these [BuildOptions] after this library is cleaned up
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
index e8c0f341b7..3aac798188 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
@@ -5,7 +5,8 @@ Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
-
+#include <Library/PcdLib.h>
+#if (FixedPcdGetBool (PcdSHA1Enable))
#include "InternalCryptLib.h"
/**
@@ -137,3 +138,4 @@ HmacSha1Final (
ASSERT (FALSE);
return FALSE;
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index cba1e4c8bf..8429fefc0b 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -260,6 +260,7 @@ Md5HashAll (
}
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -417,6 +418,7 @@ Sha1HashAll (
{
CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@@ -1171,6 +1173,7 @@ HmacMd5Final (
}
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -1321,6 +1324,7 @@ HmacSha1Final (
{
CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
}
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
index f9796b2158..754d75aeb2 100644
--- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
+++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
@@ -33,9 +33,11 @@ HashApiGetContextSize (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1GetContextSize ();
break;
+#endif
case HASH_ALG_SHA256:
return Sha256GetContextSize ();
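Review bot: With the `HASH_ALG_SHA1` case compiled out, a platform whose PcdHashApiLibPolicy still selects SHA-1 falls through to the default branch, which is outside the hunk. For HashApiGetContextSize the caller then uses whatever that branch returns as a context size. The two PCDs are independent, so nothing visible stops that combination from building. Consider rejecting it at build time, or at least documenting above the switch `// HASH_ALG_SHA1 is only valid when PcdSHA1Enable is TRUE`. The same gap applies to the HashApiInit, HashApiDuplicate, HashApiUpdate, HashApiFinal and HashApiHashAll hunks below.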
@@ -75,9 +77,11 @@ HashApiInit (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1Init (HashContext);
break;
+#endif
case HASH_ALG_SHA256:
return Sha256Init (HashContext);
@@ -119,9 +123,11 @@ HashApiDuplicate (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1Duplicate (HashContext, NewHashContext);
break;
+#endif
case HASH_ALG_SHA256:
return Sha256Duplicate (HashContext, NewHashContext);
@@ -165,9 +171,11 @@ HashApiUpdate (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1Update (HashContext, DataToHash, DataToHashLen);
break;
+#endif
case HASH_ALG_SHA256:
return Sha256Update (HashContext, DataToHash, DataToHashLen);
@@ -209,9 +217,11 @@ HashApiFinal (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1Final (HashContext, Digest);
break;
+#endif
case HASH_ALG_SHA256:
return Sha256Final (HashContext, Digest);
@@ -255,9 +265,11 @@ HashApiHashAll (
)
{
switch (PcdGet32 (PcdHashApiLibPolicy)) {
+#if (FixedPcdGetBool (PcdSHA1Enable))
case HASH_ALG_SHA1:
return Sha1HashAll (DataToHash, DataToHashLen, Digest);
break;
+#endif
case HASH_ALG_SHA256:
return Sha256HashAll (DataToHash, DataToHashLen, Digest);
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
index b4d8675ddd..29f7d7abfd 100644
--- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
+++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
@@ -42,3 +42,4 @@
[Pcd]
gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
+ gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable ## CONSUMES
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 527318dc23..3f8c5751a7 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -179,6 +179,7 @@ BOOLEAN
);
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
@@ -315,7 +316,7 @@ BOOLEAN
IN OUT VOID *HmacSha1Context,
OUT UINT8 *HmacValue
);
-
+#endif
/**
Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
@@ -1537,6 +1538,7 @@ BOOLEAN
// SHA
//----------------------------------------
+#if (FixedPcdGetBool (PcdSHA1Enable))
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -1676,6 +1678,7 @@ BOOLEAN
IN UINTN DataSize,
OUT UINT8 *HashValue
);
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@@ -3453,6 +3456,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_HMAC_MD5_UPDATE HmacMd5Update;
EDKII_CRYPTO_HMAC_MD5_FINAL HmacMd5Final;
#endif
+#if (FixedPcdGetBool (PcdSHA1Enable))
/// HMAC SHA1
EDKII_CRYPTO_HMAC_SHA1_NEW HmacSha1New;
EDKII_CRYPTO_HMAC_SHA1_FREE HmacSha1Free;
@@ -3460,6 +3464,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_HMAC_SHA1_DUPLICATE HmacSha1Duplicate;
EDKII_CRYPTO_HMAC_SHA1_UPDATE HmacSha1Update;
EDKII_CRYPTO_HMAC_SHA1_FINAL HmacSha1Final;
+#endif
/// HMAC SHA256
EDKII_CRYPTO_HMAC_SHA256_NEW HmacSha256New;
EDKII_CRYPTO_HMAC_SHA256_FREE HmacSha256Free;
@@ -3510,6 +3515,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_RSA_PKCS1_VERIFY RsaPkcs1Verify;
EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM RsaGetPrivateKeyFromPem;
EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509 RsaGetPublicKeyFromX509;
+#if (FixedPcdGetBool (PcdSHA1Enable))
/// Sha1
EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE Sha1GetContextSize;
EDKII_CRYPTO_SHA1_INIT Sha1Init;
@@ -3517,6 +3523,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_SHA1_UPDATE Sha1Update;
EDKII_CRYPTO_SHA1_FINAL Sha1Final;
EDKII_CRYPTO_SHA1_HASH_ALL Sha1HashAll;
+#endif
/// Sha256
EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE Sha256GetContextSize;
EDKII_CRYPTO_SHA256_INIT Sha256Init;
--
2.21.0.windows.1
We should not use #if statements in C code.
Also, we should not be changing the layout of the
structure based on a PCD feature flag.
I agree we need the ability to disable the use of some
Crypto services, but we need to decide what behavior
we want at build time and boot time if there is code
that uses a disabled service.
Mike
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On
> Behalf Of Gao, Zhichao
> Sent: Thursday, March 26, 2020 6:56 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> <xiaoyux.lu@intel.com>
> Subject: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib:
> Use Pcd to control the SHA1 enablement
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
>
> Md5 and SHA1 is not secure any longer but uefi spec need
> to keep them
> for backwards compatibility.
> Use pcd PcdSHA1Enable to control the SHA1 function
> enablement.
> When disable the SHA1 functions would not be complied.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> CryptoPkg/Driver/Crypto.c |
> 8 ++++++++
> CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf |
> 1 +
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c |
> 3 +++
> .../Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c |
> 3 +++
> CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |
> 1 +
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c |
> 3 +++
> CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c |
> 2 ++
> CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c |
> 2 ++
> CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |
> 1 +
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |
> 1 +
> .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |
> 4 +++-
> .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c |
> 4 ++++
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c |
> 12 ++++++++++++
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf |
> 1 +
> CryptoPkg/Private/Protocol/Crypto.h |
> 9 ++++++++-
> 15 files changed, 53 insertions(+), 2 deletions(-)
>
> diff --git a/CryptoPkg/Driver/Crypto.c
> b/CryptoPkg/Driver/Crypto.c
> index b53da85bad..f7902205b3 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -266,6 +266,7 @@ CryptoServiceMd5HashAll (
> }
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-1 hash operations.
>
> @@ -423,6 +424,7 @@ CryptoServiceSha1HashAll (
> {
> return CALL_BASECRYPTLIB (Sha1.Services.HashAll,
> Sha1HashAll, (Data, DataSize, HashValue), FALSE);
> }
> +#endif
>
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-256 hash operations.
> @@ -1177,6 +1179,7 @@ CryptoServiceHmacMd5Final (
> }
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA1 use.
>
> @@ -1327,6 +1330,7 @@ CryptoServiceHmacSha1Final (
> {
> return CALL_BASECRYPTLIB (HmacSha1.Services.Final,
> HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
> }
> +#endif
>
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA256 use.
> @@ -3820,6 +3824,7 @@ const EDKII_CRYPTO_PROTOCOL
> mEdkiiCrypto = {
> CryptoServiceHmacMd5Update,
> CryptoServiceHmacMd5Final,
> #endif
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /// HMAC SHA1
> CryptoServiceHmacSha1New,
> CryptoServiceHmacSha1Free,
> @@ -3827,6 +3832,7 @@ const EDKII_CRYPTO_PROTOCOL
> mEdkiiCrypto = {
> CryptoServiceHmacSha1Duplicate,
> CryptoServiceHmacSha1Update,
> CryptoServiceHmacSha1Final,
> +#endif
> /// HMAC SHA256
> CryptoServiceHmacSha256New,
> CryptoServiceHmacSha256Free,
> @@ -3877,6 +3883,7 @@ const EDKII_CRYPTO_PROTOCOL
> mEdkiiCrypto = {
> CryptoServiceRsaPkcs1Verify,
> CryptoServiceRsaGetPrivateKeyFromPem,
> CryptoServiceRsaGetPublicKeyFromX509,
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /// Sha1
> CryptoServiceSha1GetContextSize,
> CryptoServiceSha1Init,
> @@ -3884,6 +3891,7 @@ const EDKII_CRYPTO_PROTOCOL
> mEdkiiCrypto = {
> CryptoServiceSha1Update,
> CryptoServiceSha1Final,
> CryptoServiceSha1HashAll,
> +#endif
> /// Sha256
> CryptoServiceSha256GetContextSize,
> CryptoServiceSha256Init,
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 5c65ef5892..9ffd98096c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -85,6 +85,7 @@
>
> [Pcd]
> gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
>
> #
> # Remove these [BuildOptions] after this library is
> cleaned up
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> index 7593ca55b1..baba6b267c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> Patent
>
> **/
>
> +#include <Library/PcdLib.h>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> #include "InternalCryptLib.h"
> #include <openssl/hmac.h>
>
> @@ -214,3 +216,4 @@ HmacSha1Final (
>
> return TRUE;
> }
> +#endif
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> index e8c0f341b7..1314fa1a77 100644
> ---
> a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> +++
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> Patent
>
> **/
>
> +#include <Library/PcdLib.h>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> #include "InternalCryptLib.h"
>
> /**
> @@ -137,3 +139,4 @@ HmacSha1Final (
> ASSERT (FALSE);
> return FALSE;
> }
> +#endif
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index cebc74ccf2..b40e76f243 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -78,6 +78,7 @@
>
> [Pcd]
> gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
>
> #
> # Remove these [BuildOptions] after this library is
> cleaned up
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> index a89c1525c1..15e6bc2cb4 100644
> ---
> a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> +++
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> @@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-
> Patent
> **/
>
> #include "InternalCryptLib.h"
> +#include <Library/PcdLib.h>
> #include <openssl/evp.h>
> #include <openssl/hmac.h>
>
> @@ -68,9 +69,11 @@ Pkcs5HashPassword (
> // Make sure the digest algorithm is supported.
> //
> switch (DigestSize) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case SHA1_DIGEST_SIZE:
> HashAlg = EVP_sha1();
> break;
> +#endif
> case SHA256_DIGEST_SIZE:
> HashAlg = EVP_sha256();
> break;
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> index 31b78464d2..549ee1b933 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> @@ -298,9 +298,11 @@ RsaPkcs1Verify (
> break;
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case SHA1_DIGEST_SIZE:
> DigestType = NID_sha1;
> break;
> +#endif
>
> case SHA256_DIGEST_SIZE:
> DigestType = NID_sha256;
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> index 1a50be1d78..60605e3486 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> @@ -336,9 +336,11 @@ RsaPkcs1Sign (
> break;
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case SHA1_DIGEST_SIZE:
> DigestType = NID_sha1;
> break;
> +#endif
>
> case SHA256_DIGEST_SIZE:
> DigestType = NID_sha256;
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 72d4cd03ab..b6c0be70f2 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -90,6 +90,7 @@
>
> [Pcd]
> gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
>
> #
> # Remove these [BuildOptions] after this library is
> cleaned up
> diff --git
> a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 21f104c916..7f678eee93 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -89,6 +89,7 @@
>
> [Pcd]
> gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
>
> #
> # Remove these [BuildOptions] after this library is
> cleaned up
> diff --git
> a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> ll.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> ll.c
> index e8c0f341b7..3aac798188 100644
> ---
> a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> ll.c
> +++
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> ll.c
> @@ -5,7 +5,8 @@ Copyright (c) 2012 - 2020, Intel
> Corporation. All rights reserved.<BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> -
> +#include <Library/PcdLib.h>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> #include "InternalCryptLib.h"
>
> /**
> @@ -137,3 +138,4 @@ HmacSha1Final (
> ASSERT (FALSE);
> return FALSE;
> }
> +#endif
> diff --git
> a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index cba1e4c8bf..8429fefc0b 100644
> ---
> a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -260,6 +260,7 @@ Md5HashAll (
> }
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-1 hash operations.
>
> @@ -417,6 +418,7 @@ Sha1HashAll (
> {
> CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize,
> HashValue), FALSE);
> }
> +#endif
>
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-256 hash operations.
> @@ -1171,6 +1173,7 @@ HmacMd5Final (
> }
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA1 use.
>
> @@ -1321,6 +1324,7 @@ HmacSha1Final (
> {
> CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context,
> HmacValue), FALSE);
> }
> +#endif
>
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA256 use.
> diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> index f9796b2158..754d75aeb2 100644
> --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> @@ -33,9 +33,11 @@ HashApiGetContextSize (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1GetContextSize ();
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256GetContextSize ();
> @@ -75,9 +77,11 @@ HashApiInit (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1Init (HashContext);
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256Init (HashContext);
> @@ -119,9 +123,11 @@ HashApiDuplicate (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1Duplicate (HashContext,
> NewHashContext);
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256Duplicate (HashContext,
> NewHashContext);
> @@ -165,9 +171,11 @@ HashApiUpdate (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1Update (HashContext, DataToHash,
> DataToHashLen);
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256Update (HashContext, DataToHash,
> DataToHashLen);
> @@ -209,9 +217,11 @@ HashApiFinal (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1Final (HashContext, Digest);
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256Final (HashContext, Digest);
> @@ -255,9 +265,11 @@ HashApiHashAll (
> )
> {
> switch (PcdGet32 (PcdHashApiLibPolicy)) {
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> case HASH_ALG_SHA1:
> return Sha1HashAll (DataToHash, DataToHashLen,
> Digest);
> break;
> +#endif
>
> case HASH_ALG_SHA256:
> return Sha256HashAll (DataToHash, DataToHashLen,
> Digest);
> diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> index b4d8675ddd..29f7d7abfd 100644
> --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> @@ -42,3 +42,4 @@
>
> [Pcd]
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ##
> CONSUMES
> + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable ##
> CONSUMES
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index 527318dc23..3f8c5751a7 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -179,6 +179,7 @@ BOOLEAN
> );
> #endif
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA1 use.
>
> @@ -315,7 +316,7 @@ BOOLEAN
> IN OUT VOID *HmacSha1Context,
> OUT UINT8 *HmacValue
> );
> -
> +#endif
>
> /**
> Allocates and initializes one HMAC_CTX context for
> subsequent HMAC-SHA256 use.
> @@ -1537,6 +1538,7 @@ BOOLEAN
> // SHA
> //----------------------------------------
>
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-1 hash operations.
>
> @@ -1676,6 +1678,7 @@ BOOLEAN
> IN UINTN DataSize,
> OUT UINT8 *HashValue
> );
> +#endif
>
> /**
> Retrieves the size, in bytes, of the context buffer
> required for SHA-256 hash operations.
> @@ -3453,6 +3456,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_HMAC_MD5_UPDATE
> HmacMd5Update;
> EDKII_CRYPTO_HMAC_MD5_FINAL
> HmacMd5Final;
> #endif
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /// HMAC SHA1
> EDKII_CRYPTO_HMAC_SHA1_NEW
> HmacSha1New;
> EDKII_CRYPTO_HMAC_SHA1_FREE
> HmacSha1Free;
> @@ -3460,6 +3464,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> HmacSha1Duplicate;
> EDKII_CRYPTO_HMAC_SHA1_UPDATE
> HmacSha1Update;
> EDKII_CRYPTO_HMAC_SHA1_FINAL
> HmacSha1Final;
> +#endif
> /// HMAC SHA256
> EDKII_CRYPTO_HMAC_SHA256_NEW
> HmacSha256New;
> EDKII_CRYPTO_HMAC_SHA256_FREE
> HmacSha256Free;
> @@ -3510,6 +3515,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_RSA_PKCS1_VERIFY
> RsaPkcs1Verify;
> EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM
> RsaGetPrivateKeyFromPem;
> EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509
> RsaGetPublicKeyFromX509;
> +#if (FixedPcdGetBool (PcdSHA1Enable))
> /// Sha1
> EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE
> Sha1GetContextSize;
> EDKII_CRYPTO_SHA1_INIT
> Sha1Init;
> @@ -3517,6 +3523,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> EDKII_CRYPTO_SHA1_UPDATE
> Sha1Update;
> EDKII_CRYPTO_SHA1_FINAL
> Sha1Final;
> EDKII_CRYPTO_SHA1_HASH_ALL
> Sha1HashAll;
> +#endif
> /// Sha256
> EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE
> Sha256GetContextSize;
> EDKII_CRYPTO_SHA256_INIT
> Sha256Init;
> --
> 2.21.0.windows.1
>
>
>
Hi Mike,
It is better to not compile the deprecated function, i.e. disable the function at build time. Is there another way to disable the function at build time except the #if statement?
Thanks,
Zhichao
> -----Original Message-----
> From: Kinney, Michael D
> Sent: Friday, March 27, 2020 10:04 AM
> To: devel@edk2.groups.io; Gao, Zhichao <zhichao.gao@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib: Use Pcd to
> control the SHA1 enablement
>
> We should not use #if statements in C code.
>
> Also, we should not be changing the layout of the structure based on a PCD
> feature flag.
>
> I agree we need to ability to disable the use of some Crypto services, but we
> need to decide what behavior we want at build time and boot time if there is
> code that uses a disabled service.
>
> Mike
>
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> > Zhichao
> > Sent: Thursday, March 26, 2020 6:56 PM
> > To: devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > <xiaoyux.lu@intel.com>
> > Subject: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib:
> > Use Pcd to control the SHA1 enablement
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
> >
> > Md5 and SHA1 is not secure any longer but uefi spec need to keep them
> > for backwards compatibility.
> > Use pcd PcdSHA1Enable to control the SHA1 function enablement.
> > When disable the SHA1 functions would not be complied.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > ---
> > CryptoPkg/Driver/Crypto.c |
> > 8 ++++++++
> > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf |
> > 1 +
> > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c |
> > 3 +++
> > .../Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c |
> > 3 +++
> > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |
> > 1 +
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c |
> > 3 +++
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c |
> > 2 ++
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c |
> > 2 ++
> > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |
> > 1 +
> > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |
> > 1 +
> > .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |
> > 4 +++-
> > .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c |
> > 4 ++++
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c |
> > 12 ++++++++++++
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf |
> > 1 +
> > CryptoPkg/Private/Protocol/Crypto.h |
> > 9 ++++++++-
> > 15 files changed, 53 insertions(+), 2 deletions(-)
> >
> > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > index b53da85bad..f7902205b3 100644
> > --- a/CryptoPkg/Driver/Crypto.c
> > +++ b/CryptoPkg/Driver/Crypto.c
> > @@ -266,6 +266,7 @@ CryptoServiceMd5HashAll ( } #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Retrieves the size, in bytes, of the context buffer required for
> > SHA-1 hash operations.
> >
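Review bot: `#if (FixedPcdGetBool (PcdSHA1Enable))` is evaluated by the preprocessor, yet the diffstat adds PcdSHA1Enable only to the INF files under BaseCryptLib and BaseHashApiLib, and to none under CryptoPkg/Driver, BaseCryptLibNull or BaseCryptLibOnProtocolPpi. If the token is not generated for those modules, the macro presumably expands to an undefined identifier, which `#if` silently treats as 0, so the SHA-1 and HMAC-SHA1 services in this file would be compiled out whatever the platform configures, with no build error. The same applies to the guards in BaseCryptLibNull/Hmac/CryptHmacSha1Null.c, BaseCryptLibOnProtocolPpi/CryptLib.c and Private/Protocol/Crypto.h. Each of those modules' INF files should list `gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable` under `[Pcd]`, unless an earlier patch in the series already adds it.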
> > @@ -423,6 +424,7 @@ CryptoServiceSha1HashAll ( {
> > return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll,
> > (Data, DataSize, HashValue), FALSE); }
> > +#endif
> >
> > /**
> > Retrieves the size, in bytes, of the context buffer
> > required for SHA-256 hash operations.
> > @@ -1177,6 +1179,7 @@ CryptoServiceHmacMd5Final (
> > }
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA1 use.
> >
> > @@ -1327,6 +1330,7 @@ CryptoServiceHmacSha1Final (
> > {
> > return CALL_BASECRYPTLIB (HmacSha1.Services.Final,
> > HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
> > }
> > +#endif
> >
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA256 use.
> > @@ -3820,6 +3824,7 @@ const EDKII_CRYPTO_PROTOCOL
> > mEdkiiCrypto = {
> > CryptoServiceHmacMd5Update,
> > CryptoServiceHmacMd5Final,
> > #endif
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /// HMAC SHA1
> > CryptoServiceHmacSha1New,
> > CryptoServiceHmacSha1Free,
> > @@ -3827,6 +3832,7 @@ const EDKII_CRYPTO_PROTOCOL
> > mEdkiiCrypto = {
> > CryptoServiceHmacSha1Duplicate,
> > CryptoServiceHmacSha1Update,
> > CryptoServiceHmacSha1Final,
> > +#endif
> > /// HMAC SHA256
> > CryptoServiceHmacSha256New,
> > CryptoServiceHmacSha256Free,
> > @@ -3877,6 +3883,7 @@ const EDKII_CRYPTO_PROTOCOL
> > mEdkiiCrypto = {
> > CryptoServiceRsaPkcs1Verify,
> > CryptoServiceRsaGetPrivateKeyFromPem,
> > CryptoServiceRsaGetPublicKeyFromX509,
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /// Sha1
> > CryptoServiceSha1GetContextSize,
> > CryptoServiceSha1Init,
> > @@ -3884,6 +3891,7 @@ const EDKII_CRYPTO_PROTOCOL
> > mEdkiiCrypto = {
> > CryptoServiceSha1Update,
> > CryptoServiceSha1Final,
> > CryptoServiceSha1HashAll,
> > +#endif
> > /// Sha256
> > CryptoServiceSha256GetContextSize,
> > CryptoServiceSha256Init,
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > index 5c65ef5892..9ffd98096c 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > @@ -85,6 +85,7 @@
> >
> > [Pcd]
> > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> >
> > #
> > # Remove these [BuildOptions] after this library is
> > cleaned up
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > index 7593ca55b1..baba6b267c 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> > Patent
> >
> > **/
> >
> > +#include <Library/PcdLib.h>
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > #include "InternalCryptLib.h"
> > #include <openssl/hmac.h>
> >
> > @@ -214,3 +216,4 @@ HmacSha1Final (
> >
> > return TRUE;
> > }
> > +#endif
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > index e8c0f341b7..1314fa1a77 100644
> > ---
> > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > +++
> > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> > Patent
> >
> > **/
> >
> > +#include <Library/PcdLib.h>
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > #include "InternalCryptLib.h"
> >
> > /**
> > @@ -137,3 +139,4 @@ HmacSha1Final (
> > ASSERT (FALSE);
> > return FALSE;
> > }
> > +#endif
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > index cebc74ccf2..b40e76f243 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > @@ -78,6 +78,7 @@
> >
> > [Pcd]
> > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> >
> > #
> > # Remove these [BuildOptions] after this library is
> > cleaned up
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > index a89c1525c1..15e6bc2cb4 100644
> > ---
> > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > +++
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > @@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-
> > Patent
> > **/
> >
> > #include "InternalCryptLib.h"
> > +#include <Library/PcdLib.h>
> > #include <openssl/evp.h>
> > #include <openssl/hmac.h>
> >
> > @@ -68,9 +69,11 @@ Pkcs5HashPassword (
> > // Make sure the digest algorithm is supported.
> > //
> > switch (DigestSize) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case SHA1_DIGEST_SIZE:
> > HashAlg = EVP_sha1();
> > break;
> > +#endif
> > case SHA256_DIGEST_SIZE:
> > HashAlg = EVP_sha256();
> > break;
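Review bot: With the `case SHA1_DIGEST_SIZE:` arm compiled out, a caller of Pkcs5HashPassword that passes SHA1_DIGEST_SIZE now reaches the `default` arm, which lies outside this hunk, so the result for a disabled digest cannot be confirmed from here and is not documented. The function header should record it, for example `@retval FALSE  DigestSize selects SHA-1 and PcdSHA1Enable is FALSE.`, assuming the default arm does reject the request. The same applies to the SHA-1 arms in RsaPkcs1Verify (CryptRsaBasic.c) and RsaPkcs1Sign (CryptRsaExt.c). For RsaPkcs1Verify in particular, a disabled digest and a bad signature would then presumably both come back as FALSE, which matters to anyone triaging verification failures after SHA-1 is turned off.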
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > index 31b78464d2..549ee1b933 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > @@ -298,9 +298,11 @@ RsaPkcs1Verify (
> > break;
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case SHA1_DIGEST_SIZE:
> > DigestType = NID_sha1;
> > break;
> > +#endif
> >
> > case SHA256_DIGEST_SIZE:
> > DigestType = NID_sha256;
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > index 1a50be1d78..60605e3486 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > @@ -336,9 +336,11 @@ RsaPkcs1Sign (
> > break;
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case SHA1_DIGEST_SIZE:
> > DigestType = NID_sha1;
> > break;
> > +#endif
> >
> > case SHA256_DIGEST_SIZE:
> > DigestType = NID_sha256;
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > index 72d4cd03ab..b6c0be70f2 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > @@ -90,6 +90,7 @@
> >
> > [Pcd]
> > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> >
> > #
> > # Remove these [BuildOptions] after this library is
> > cleaned up
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > index 21f104c916..7f678eee93 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > @@ -89,6 +89,7 @@
> >
> > [Pcd]
> > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> >
> > #
> > # Remove these [BuildOptions] after this library is
> > cleaned up
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > ll.c
> > b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > ll.c
> > index e8c0f341b7..3aac798188 100644
> > ---
> > a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > ll.c
> > +++
> > b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > ll.c
> > @@ -5,7 +5,8 @@ Copyright (c) 2012 - 2020, Intel
> > Corporation. All rights reserved.<BR>
> > SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > **/
> > -
> > +#include <Library/PcdLib.h>
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > #include "InternalCryptLib.h"
> >
> > /**
> > @@ -137,3 +138,4 @@ HmacSha1Final (
> > ASSERT (FALSE);
> > return FALSE;
> > }
> > +#endif
> > diff --git
> > a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > index cba1e4c8bf..8429fefc0b 100644
> > ---
> > a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > +++
> > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > @@ -260,6 +260,7 @@ Md5HashAll (
> > }
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Retrieves the size, in bytes, of the context buffer
> > required for SHA-1 hash operations.
> >
> > @@ -417,6 +418,7 @@ Sha1HashAll (
> > {
> > CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize,
> > HashValue), FALSE);
> > }
> > +#endif
> >
> > /**
> > Retrieves the size, in bytes, of the context buffer
> > required for SHA-256 hash operations.
> > @@ -1171,6 +1173,7 @@ HmacMd5Final (
> > }
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA1 use.
> >
> > @@ -1321,6 +1324,7 @@ HmacSha1Final (
> > {
> > CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context,
> > HmacValue), FALSE);
> > }
> > +#endif
> >
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA256 use.
> > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > index f9796b2158..754d75aeb2 100644
> > --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > @@ -33,9 +33,11 @@ HashApiGetContextSize (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1GetContextSize ();
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256GetContextSize ();
> > @@ -75,9 +77,11 @@ HashApiInit (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1Init (HashContext);
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256Init (HashContext);
> > @@ -119,9 +123,11 @@ HashApiDuplicate (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1Duplicate (HashContext,
> > NewHashContext);
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256Duplicate (HashContext,
> > NewHashContext);
> > @@ -165,9 +171,11 @@ HashApiUpdate (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1Update (HashContext, DataToHash,
> > DataToHashLen);
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256Update (HashContext, DataToHash,
> > DataToHashLen);
> > @@ -209,9 +217,11 @@ HashApiFinal (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1Final (HashContext, Digest);
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256Final (HashContext, Digest);
> > @@ -255,9 +265,11 @@ HashApiHashAll (
> > )
> > {
> > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > case HASH_ALG_SHA1:
> > return Sha1HashAll (DataToHash, DataToHashLen,
> > Digest);
> > break;
> > +#endif
> >
> > case HASH_ALG_SHA256:
> > return Sha256HashAll (DataToHash, DataToHashLen,
> > Digest);
> > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > index b4d8675ddd..29f7d7abfd 100644
> > --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > @@ -42,3 +42,4 @@
> >
> > [Pcd]
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ##
> > CONSUMES
> > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable ##
> > CONSUMES
> > diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> > b/CryptoPkg/Private/Protocol/Crypto.h
> > index 527318dc23..3f8c5751a7 100644
> > --- a/CryptoPkg/Private/Protocol/Crypto.h
> > +++ b/CryptoPkg/Private/Protocol/Crypto.h
> > @@ -179,6 +179,7 @@ BOOLEAN
> > );
> > #endif
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA1 use.
> >
> > @@ -315,7 +316,7 @@ BOOLEAN
> > IN OUT VOID *HmacSha1Context,
> > OUT UINT8 *HmacValue
> > );
> > -
> > +#endif
> >
> > /**
> > Allocates and initializes one HMAC_CTX context for
> > subsequent HMAC-SHA256 use.
> > @@ -1537,6 +1538,7 @@ BOOLEAN
> > // SHA
> > //----------------------------------------
> >
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /**
> > Retrieves the size, in bytes, of the context buffer
> > required for SHA-1 hash operations.
> >
> > @@ -1676,6 +1678,7 @@ BOOLEAN
> > IN UINTN DataSize,
> > OUT UINT8 *HashValue
> > );
> > +#endif
> >
> > /**
> > Retrieves the size, in bytes, of the context buffer
> > required for SHA-256 hash operations.
> > @@ -3453,6 +3456,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > EDKII_CRYPTO_HMAC_MD5_UPDATE
> > HmacMd5Update;
> > EDKII_CRYPTO_HMAC_MD5_FINAL
> > HmacMd5Final;
> > #endif
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /// HMAC SHA1
> > EDKII_CRYPTO_HMAC_SHA1_NEW
> > HmacSha1New;
> > EDKII_CRYPTO_HMAC_SHA1_FREE
> > HmacSha1Free;
> > @@ -3460,6 +3464,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> > HmacSha1Duplicate;
> > EDKII_CRYPTO_HMAC_SHA1_UPDATE
> > HmacSha1Update;
> > EDKII_CRYPTO_HMAC_SHA1_FINAL
> > HmacSha1Final;
> > +#endif
> > /// HMAC SHA256
> > EDKII_CRYPTO_HMAC_SHA256_NEW
> > HmacSha256New;
> > EDKII_CRYPTO_HMAC_SHA256_FREE
> > HmacSha256Free;
> > @@ -3510,6 +3515,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > EDKII_CRYPTO_RSA_PKCS1_VERIFY
> > RsaPkcs1Verify;
> > EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM
> > RsaGetPrivateKeyFromPem;
> > EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509
> > RsaGetPublicKeyFromX509;
> > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > /// Sha1
> > EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE
> > Sha1GetContextSize;
> > EDKII_CRYPTO_SHA1_INIT
> > Sha1Init;
> > @@ -3517,6 +3523,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > EDKII_CRYPTO_SHA1_UPDATE
> > Sha1Update;
> > EDKII_CRYPTO_SHA1_FINAL
> > Sha1Final;
> > EDKII_CRYPTO_SHA1_HASH_ALL
> > Sha1HashAll;
> > +#endif
> > /// Sha256
> > EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE
> > Sha256GetContextSize;
> > EDKII_CRYPTO_SHA256_INIT
> > Sha256Init;
> > --
> > 2.21.0.windows.1
> >
> >
> >
Zhichao,
You can just use the PCD in C code "if (PcdGet...){}" instead of macro #if.
Regards,
Jian
> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Friday, March 27, 2020 10:44 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib: Use Pcd to
> control the SHA1 enablement
>
> Hi Mike,
>
> It is better to not compile the deprecated function, i.e. disable the function at
> build time. Is there another way to disable the function at build time except the
> #if statement?
>
> Thanks,
> Zhichao
>
> > -----Original Message-----
> > From: Kinney, Michael D
> > Sent: Friday, March 27, 2020 10:04 AM
> > To: devel@edk2.groups.io; Gao, Zhichao <zhichao.gao@intel.com>; Kinney,
> > Michael D <michael.d.kinney@intel.com>
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
> > Subject: RE: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib: Use Pcd to
> > control the SHA1 enablement
> >
> > We should not use #if statements in C code.
> >
> > Also, we should not be changing the layout of the structure based on a PCD
> > feature flag.
> >
> > I agree we need the ability to disable the use of some Crypto services, but we
> > need to decide what behavior we want at build time and boot time if there is
> > code that uses a disabled service.
> >
> > Mike
> >
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> > > Zhichao
> > > Sent: Thursday, March 26, 2020 6:56 PM
> > > To: devel@edk2.groups.io
> > > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > > <xiaoyux.lu@intel.com>
> > > Subject: [edk2-devel] [PATCH 8/8] CryptoPkg/BaseCryptLib:
> > > Use Pcd to control the SHA1 enablement
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
> > >
> > > MD5 and SHA1 are no longer secure, but the UEFI spec needs to keep them
> > > for backwards compatibility.
> > > Use the PCD PcdSHA1Enable to control whether the SHA1 functions are enabled.
> > > When it is disabled, the SHA1 functions are not compiled.
> > >
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > > ---
> > > CryptoPkg/Driver/Crypto.c |
> > > 8 ++++++++
> > > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf |
> > > 1 +
> > > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c |
> > > 3 +++
> > > .../Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c |
> > > 3 +++
> > > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |
> > > 1 +
> > > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c |
> > > 3 +++
> > > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c |
> > > 2 ++
> > > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c |
> > > 2 ++
> > > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |
> > > 1 +
> > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |
> > > 1 +
> > > .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |
> > > 4 +++-
> > > .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c |
> > > 4 ++++
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c |
> > > 12 ++++++++++++
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf |
> > > 1 +
> > > CryptoPkg/Private/Protocol/Crypto.h |
> > > 9 ++++++++-
> > > 15 files changed, 53 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > > index b53da85bad..f7902205b3 100644
> > > --- a/CryptoPkg/Driver/Crypto.c
> > > +++ b/CryptoPkg/Driver/Crypto.c
> > > @@ -266,6 +266,7 @@ CryptoServiceMd5HashAll ( } #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Retrieves the size, in bytes, of the context buffer required for
> > > SHA-1 hash operations.
> > >
> > > @@ -423,6 +424,7 @@ CryptoServiceSha1HashAll ( {
> > > return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll,
> > > (Data, DataSize, HashValue), FALSE); }
> > > +#endif
> > >
> > > /**
> > > Retrieves the size, in bytes, of the context buffer
> > > required for SHA-256 hash operations.
> > > @@ -1177,6 +1179,7 @@ CryptoServiceHmacMd5Final (
> > > }
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA1 use.
> > >
> > > @@ -1327,6 +1330,7 @@ CryptoServiceHmacSha1Final (
> > > {
> > > return CALL_BASECRYPTLIB (HmacSha1.Services.Final,
> > > HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
> > > }
> > > +#endif
> > >
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA256 use.
> > > @@ -3820,6 +3824,7 @@ const EDKII_CRYPTO_PROTOCOL
> > > mEdkiiCrypto = {
> > > CryptoServiceHmacMd5Update,
> > > CryptoServiceHmacMd5Final,
> > > #endif
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /// HMAC SHA1
> > > CryptoServiceHmacSha1New,
> > > CryptoServiceHmacSha1Free,
> > > @@ -3827,6 +3832,7 @@ const EDKII_CRYPTO_PROTOCOL
> > > mEdkiiCrypto = {
> > > CryptoServiceHmacSha1Duplicate,
> > > CryptoServiceHmacSha1Update,
> > > CryptoServiceHmacSha1Final,
> > > +#endif
> > > /// HMAC SHA256
> > > CryptoServiceHmacSha256New,
> > > CryptoServiceHmacSha256Free,
> > > @@ -3877,6 +3883,7 @@ const EDKII_CRYPTO_PROTOCOL
> > > mEdkiiCrypto = {
> > > CryptoServiceRsaPkcs1Verify,
> > > CryptoServiceRsaGetPrivateKeyFromPem,
> > > CryptoServiceRsaGetPublicKeyFromX509,
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /// Sha1
> > > CryptoServiceSha1GetContextSize,
> > > CryptoServiceSha1Init,
> > > @@ -3884,6 +3891,7 @@ const EDKII_CRYPTO_PROTOCOL
> > > mEdkiiCrypto = {
> > > CryptoServiceSha1Update,
> > > CryptoServiceSha1Final,
> > > CryptoServiceSha1HashAll,
> > > +#endif
> > > /// Sha256
> > > CryptoServiceSha256GetContextSize,
> > > CryptoServiceSha256Init,
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > > b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > > index 5c65ef5892..9ffd98096c 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > > +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > > @@ -85,6 +85,7 @@
> > >
> > > [Pcd]
> > > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> > >
> > > #
> > > # Remove these [BuildOptions] after this library is
> > > cleaned up
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > > index 7593ca55b1..baba6b267c 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > > +++ b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > > @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> > > Patent
> > >
> > > **/
> > >
> > > +#include <Library/PcdLib.h>
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > #include "InternalCryptLib.h"
> > > #include <openssl/hmac.h>
> > >
> > > @@ -214,3 +216,4 @@ HmacSha1Final (
> > >
> > > return TRUE;
> > > }
> > > +#endif
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > > index e8c0f341b7..1314fa1a77 100644
> > > ---
> > > a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > > +++
> > > b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > > @@ -6,6 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-
> > > Patent
> > >
> > > **/
> > >
> > > +#include <Library/PcdLib.h>
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > #include "InternalCryptLib.h"
> > >
> > > /**
> > > @@ -137,3 +139,4 @@ HmacSha1Final (
> > > ASSERT (FALSE);
> > > return FALSE;
> > > }
> > > +#endif
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > > index cebc74ccf2..b40e76f243 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > > @@ -78,6 +78,7 @@
> > >
> > > [Pcd]
> > > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> > >
> > > #
> > > # Remove these [BuildOptions] after this library is
> > > cleaned up
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > > index a89c1525c1..15e6bc2cb4 100644
> > > ---
> > > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > > +++
> > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c
> > > @@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-
> > > Patent
> > > **/
> > >
> > > #include "InternalCryptLib.h"
> > > +#include <Library/PcdLib.h>
> > > #include <openssl/evp.h>
> > > #include <openssl/hmac.h>
> > >
> > > @@ -68,9 +69,11 @@ Pkcs5HashPassword (
> > > // Make sure the digest algorithm is supported.
> > > //
> > > switch (DigestSize) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case SHA1_DIGEST_SIZE:
> > > HashAlg = EVP_sha1();
> > > break;
> > > +#endif
> > > case SHA256_DIGEST_SIZE:
> > > HashAlg = EVP_sha256();
> > > break;
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > > index 31b78464d2..549ee1b933 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
> > > @@ -298,9 +298,11 @@ RsaPkcs1Verify (
> > > break;
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case SHA1_DIGEST_SIZE:
> > > DigestType = NID_sha1;
> > > break;
> > > +#endif
> > >
> > > case SHA256_DIGEST_SIZE:
> > > DigestType = NID_sha256;
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > > index 1a50be1d78..60605e3486 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
> > > @@ -336,9 +336,11 @@ RsaPkcs1Sign (
> > > break;
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case SHA1_DIGEST_SIZE:
> > > DigestType = NID_sha1;
> > > break;
> > > +#endif
> > >
> > > case SHA256_DIGEST_SIZE:
> > > DigestType = NID_sha256;
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > > index 72d4cd03ab..b6c0be70f2 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > > @@ -90,6 +90,7 @@
> > >
> > > [Pcd]
> > > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> > >
> > > #
> > > # Remove these [BuildOptions] after this library is
> > > cleaned up
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > index 21f104c916..7f678eee93 100644
> > > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > @@ -89,6 +89,7 @@
> > >
> > > [Pcd]
> > > gEfiCryptoPkgTokenSpaceGuid.PcdMD5Enable
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable
> > >
> > > #
> > > # Remove these [BuildOptions] after this library is
> > > cleaned up
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > > ll.c
> > > b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > > ll.c
> > > index e8c0f341b7..3aac798188 100644
> > > ---
> > > a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > > ll.c
> > > +++
> > > b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Nu
> > > ll.c
> > > @@ -5,7 +5,8 @@ Copyright (c) 2012 - 2020, Intel
> > > Corporation. All rights reserved.<BR>
> > > SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > **/
> > > -
> > > +#include <Library/PcdLib.h>
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > #include "InternalCryptLib.h"
> > >
> > > /**
> > > @@ -137,3 +138,4 @@ HmacSha1Final (
> > > ASSERT (FALSE);
> > > return FALSE;
> > > }
> > > +#endif
> > > diff --git
> > > a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > > index cba1e4c8bf..8429fefc0b 100644
> > > ---
> > > a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > > +++
> > > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > > @@ -260,6 +260,7 @@ Md5HashAll (
> > > }
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Retrieves the size, in bytes, of the context buffer
> > > required for SHA-1 hash operations.
> > >
> > > @@ -417,6 +418,7 @@ Sha1HashAll (
> > > {
> > > CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize,
> > > HashValue), FALSE);
> > > }
> > > +#endif
> > >
> > > /**
> > > Retrieves the size, in bytes, of the context buffer
> > > required for SHA-256 hash operations.
> > > @@ -1171,6 +1173,7 @@ HmacMd5Final (
> > > }
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA1 use.
> > >
> > > @@ -1321,6 +1324,7 @@ HmacSha1Final (
> > > {
> > > CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context,
> > > HmacValue), FALSE);
> > > }
> > > +#endif
> > >
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA256 use.
> > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > index f9796b2158..754d75aeb2 100644
> > > --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > @@ -33,9 +33,11 @@ HashApiGetContextSize (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1GetContextSize ();
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256GetContextSize ();
> > > @@ -75,9 +77,11 @@ HashApiInit (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1Init (HashContext);
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256Init (HashContext);
> > > @@ -119,9 +123,11 @@ HashApiDuplicate (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1Duplicate (HashContext,
> > > NewHashContext);
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256Duplicate (HashContext,
> > > NewHashContext);
> > > @@ -165,9 +171,11 @@ HashApiUpdate (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > @@ -209,9 +217,11 @@ HashApiFinal (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1Final (HashContext, Digest);
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256Final (HashContext, Digest);
> > > @@ -255,9 +265,11 @@ HashApiHashAll (
> > > )
> > > {
> > > switch (PcdGet32 (PcdHashApiLibPolicy)) {
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > case HASH_ALG_SHA1:
> > > return Sha1HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > break;
> > > +#endif
> > >
> > > case HASH_ALG_SHA256:
> > > return Sha256HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > index b4d8675ddd..29f7d7abfd 100644
> > > --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > @@ -42,3 +42,4 @@
> > >
> > > [Pcd]
> > > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ##
> > > CONSUMES
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdSHA1Enable ##
> > > CONSUMES
> > > diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> > > b/CryptoPkg/Private/Protocol/Crypto.h
> > > index 527318dc23..3f8c5751a7 100644
> > > --- a/CryptoPkg/Private/Protocol/Crypto.h
> > > +++ b/CryptoPkg/Private/Protocol/Crypto.h
> > > @@ -179,6 +179,7 @@ BOOLEAN
> > > );
> > > #endif
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA1 use.
> > >
> > > @@ -315,7 +316,7 @@ BOOLEAN
> > > IN OUT VOID *HmacSha1Context,
> > > OUT UINT8 *HmacValue
> > > );
> > > -
> > > +#endif
> > >
> > > /**
> > > Allocates and initializes one HMAC_CTX context for
> > > subsequent HMAC-SHA256 use.
> > > @@ -1537,6 +1538,7 @@ BOOLEAN
> > > // SHA
> > > //----------------------------------------
> > >
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /**
> > > Retrieves the size, in bytes, of the context buffer
> > > required for SHA-1 hash operations.
> > >
> > > @@ -1676,6 +1678,7 @@ BOOLEAN
> > > IN UINTN DataSize,
> > > OUT UINT8 *HashValue
> > > );
> > > +#endif
> > >
> > > /**
> > > Retrieves the size, in bytes, of the context buffer
> > > required for SHA-256 hash operations.
> > > @@ -3453,6 +3456,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > > EDKII_CRYPTO_HMAC_MD5_UPDATE
> > > HmacMd5Update;
> > > EDKII_CRYPTO_HMAC_MD5_FINAL
> > > HmacMd5Final;
> > > #endif
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /// HMAC SHA1
> > > EDKII_CRYPTO_HMAC_SHA1_NEW
> > > HmacSha1New;
> > > EDKII_CRYPTO_HMAC_SHA1_FREE
> > > HmacSha1Free;
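Review bot: Guarding the HmacSha1* members here (and the Sha1* members in the later hunks of this struct) with `#if (FixedPcdGetBool (PcdSHA1Enable))` makes the layout of `struct _EDKII_CRYPTO_PROTOCOL` depend on a build-time PCD. If the module that installs the protocol and a module that calls through it were ever built with different values of that PCD (nothing on this page shows whether that can happen), every function pointer after the guarded block would sit at a different offset on the two sides, and a call intended for `HmacSha256New` would dispatch to some other service. It would be safer to keep the members unconditional and have the producer fill the SHA-1 slots with services that fail, with a comment such as `/// HMAC SHA1 (slots always present; services fail when PcdSHA1Enable is FALSE)`. The struct starts and ends outside the hunk.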
> > > @@ -3460,6 +3464,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > > EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> > > HmacSha1Duplicate;
> > > EDKII_CRYPTO_HMAC_SHA1_UPDATE
> > > HmacSha1Update;
> > > EDKII_CRYPTO_HMAC_SHA1_FINAL
> > > HmacSha1Final;
> > > +#endif
> > > /// HMAC SHA256
> > > EDKII_CRYPTO_HMAC_SHA256_NEW
> > > HmacSha256New;
> > > EDKII_CRYPTO_HMAC_SHA256_FREE
> > > HmacSha256Free;
> > > @@ -3510,6 +3515,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > > EDKII_CRYPTO_RSA_PKCS1_VERIFY
> > > RsaPkcs1Verify;
> > > EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM
> > > RsaGetPrivateKeyFromPem;
> > > EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509
> > > RsaGetPublicKeyFromX509;
> > > +#if (FixedPcdGetBool (PcdSHA1Enable))
> > > /// Sha1
> > > EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE
> > > Sha1GetContextSize;
> > > EDKII_CRYPTO_SHA1_INIT
> > > Sha1Init;
> > > @@ -3517,6 +3523,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
> > > EDKII_CRYPTO_SHA1_UPDATE
> > > Sha1Update;
> > > EDKII_CRYPTO_SHA1_FINAL
> > > Sha1Final;
> > > EDKII_CRYPTO_SHA1_HASH_ALL
> > > Sha1HashAll;
> > > +#endif
> > > /// Sha256
> > > EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE
> > > Sha256GetContextSize;
> > > EDKII_CRYPTO_SHA256_INIT
> > > Sha256Init;
> > > --
> > > 2.21.0.windows.1
> > >
> > >
> > >
Hi All,
On 03/27/20 03:51, Wang, Jian J wrote:
> Zhichao,
>
> You can just use the PCD in C code "if (PcdGet...){}" instead of macro
> #if.
I do not have the capacity to contribute useful thoughts to this
discussion right now; I just want to provide three links here, to
previous comments that seem related:
https://edk2.groups.io/g/devel/message/53581
https://edk2.groups.io/g/devel/message/53587
https://edk2.groups.io/g/devel/message/53588
Alternative links to the same:
http://mid.mail-archive.com/e68a3ba1-f469-8ac3-c1e7-78a51bdaf291@redhat.com
http://mid.mail-archive.com/E92EE9817A31E24EB0585FDF735412F5B9E81876@ORSMSX113.amr.corp.intel.com
http://mid.mail-archive.com/b1db8f28-524d-0917-b54d-f6a15c497118@redhat.com
Thanks,
Laszlo