From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Wenxing Hou
Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 1/7] Update ReadmeMbedtls
Date: Fri, 17 Mar 2023 17:00:47 +0800
Message-Id: <20230317090053.1895-2-wenxing.hou@intel.com>
In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com>
References: <20230317090053.1895-1-wenxing.hou@intel.com>

Signed-off-by: Wenxing Hou
---
 CryptoPkg/ReadmeMbedtls.md | 55 +++++++++++++++++++++++++-------------
 1 file changed, 36 insertions(+), 19 deletions(-)

diff --git a/CryptoPkg/ReadmeMbedtls.md b/CryptoPkg/ReadmeMbedtls.md index 4b5a132fd0..39fc93028c 100644 --- a/CryptoPkg/ReadmeMbedtls.md +++ b/CryptoPkg/ReadmeMbedtls.md @@ -1,21 +1,18 @@ # CryptoMbedTlsPkg(enable mbedtls for EDKII POC) =20 -## background +## Overview This POC is to explore mbedtls as a smaller alternative to OpenSSL. =20 -## MbedTLS version -Depend on Mbedtls 3.3.0. - -## MbedTLS and OpenSSL CryptoPkg size compare +### MbedTLS and OpenSSL CryptoPkg size compare =20 -| Driver | OpenSSL | OpenSSL(no SM3 and Pkcs7) | MbedTLS | -| ---- | ---- | ---- | ---- | -| PEI | 387Kb | 387kb | 162kb | -| PeiPreMem | 31Kb | WIP | WIP | -| DXE | 804Kb | WIP | WIP | -| SMM | 558Kb | WIP | WIP | +| Driver | OpenSSL | MbedTLS | +| ---- | ---- | ---- | +| PEI | 387Kb | 162Kb | +| PeiPreMem | 31Kb | 58Kb | +| DXE | 804Kb | 457Kb | +| SMM | 558Kb | 444Kb | =20 -## Current enabling status +### Current enabling status =20 | FILE | Build Pass | Test Pass | | ---- | ---- | ---- | 
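Review bot: The size table in this hunk no longer backs the Overview's statement that mbedtls is the smaller alternative in every phase: the PeiPreMem row goes from 31Kb with OpenSSL to 58Kb with MbedTLS, and the "OpenSSL(no SM3 and Pkcs7)" column is dropped even though the Risk section added later in this patch says SM3 and SHA3 are missing in Mbedtls, so the two remaining columns are not built with the same feature set. Please state which algorithms each build includes, explain the PeiPreMem growth, and settle on one unit spelling (the removed rows mixed "Kb" and "kb").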
@@ -33,24 +30,44 @@ Depend on Mbedtls 3.3.0. | Pem/CryptPem.c | YES | YES | | Pk/CryptAuthenticode.c | WIP | WIP | | Pk/CryptDh.c | YES | YES | -| Pk/CryptEc.c | WIP | WIP | +| Pk/CryptEc.c | YES | YES | | Pk/CryptPkcs1Oaep.c | YES | YES | | Pk/CryptPkcs5Pbkdf2.c | YES | YES | | Pk/CryptPkcs7Sign.c | YES | YES | -| Pk/CryptPkcs7VerifyBase.c | YES | WIP | -| Pk/CryptPkcs7VerifyCommon.c | YES | WIP | +| Pk/CryptPkcs7VerifyBase.c | YES | YES | +| Pk/CryptPkcs7VerifyCommon.c | YES | YES | | Pk/CryptPkcs7VerifyEku.c | YES | WIP | | Pk/CryptPkcs7VerifyEkuRuntime.c | YES | YES | | Pk/CryptPkcs7VerifyRuntime.c | YES | YES | | Pk/CryptRsaBasic.c | YES | YES | | Pk/CryptRsaExt.c | YES | YES | -| Pk/CryptTs.c | YES | YES | -| Pk/CryptX509.c | WIP | WIP | - +| Pk/CryptTs.c | YES | WIP | +| Pk/CryptX509.c | YES | YES | =20 ## Build command =20 ``` edksetup.bat Rebuild VS2019 build -a X64 -p CryptoPkg/CryptoPkgMbedTls.dsc -DCRYPTO_IMG_TYPE=3DPEI_= DEFAULT -t VS2019 - ``` \ No newline at end of file + ``` +## Risk + +| Risk | Soluton | Time required | +| ---- | ---- | ---- | +| SM3 and SHA3 are missing in Mbedtls | Wait Mbedtls enable SM3 and SHA3 = | Unkown | +| Following API implementation is WIP | Implement API | 2 weeks | + +### API need to complete +| API | Time required | +| ---- | ---- | +| VerifyEKUsInPkcs7Signature | 3 days | +| AuthenticodeVerify | 3 days | +| EcPointSetCompressedCoordinates | 2 days | +| ImageTimestampVerify | 3 days | + +## Timeline +Target for 2023 Q1 +## Owner +The branch owner: Wenxing Hou =20 +## MbedTls Version +Depend on Mbedtls 3.3.0. --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
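Review bot: The status table in this hunk changes Pk/CryptTs.c Test Pass from YES to WIP, and the commit message carries only the Signed-off-by line, so nothing records why a file that previously passed has regressed; please give the reason in the commit message (the new "API need to complete" table lists ImageTimestampVerify, if that is the cause say so next to the row). In the new Risk table, "Soluton" and "Unkown" should read "Solution" and "Unknown", and a blank line is needed between the closing code fence and "## Risk" so the heading renders.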
View/Reply Online (#101318): https://edk2.groups.io/g/devel/message/101318

From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Wenxing Hou
Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 2/7] Clear unnecessary API in DH
Date: Fri, 17 Mar 2023 17:00:48 +0800
Message-Id: <20230317090053.1895-3-wenxing.hou@intel.com>
In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com>
References: <20230317090053.1895-1-wenxing.hou@intel.com>

Signed-off-by: Wenxing Hou
---
 .../Library/BaseCryptLibMbedTls/Pk/CryptDh.c | 73 -------------------
 1 file changed, 73 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDh.c b/CryptoPkg= /Library/BaseCryptLibMbedTls/Pk/CryptDh.c index cd0f3bd023..a2683721c3 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDh.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDh.c 
@@ -12,13 +12,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include =20 -static const unsigned char mffehde2048_P[] =3D MBEDTLS_DHM_RFC7919_FFDHE20= 48_P_BIN; -static const unsigned char mffehde3072_P[] =3D MBEDTLS_DHM_RFC7919_FFDHE30= 72_P_BIN; -static const unsigned char mffehde4096_P[] =3D MBEDTLS_DHM_RFC7919_FFDHE40= 96_P_BIN; -static const unsigned char mffehde2048_G[] =3D MBEDTLS_DHM_RFC7919_FFDHE20= 48_G_BIN; -static const unsigned char mffehde3072_G[] =3D MBEDTLS_DHM_RFC7919_FFDHE30= 72_G_BIN; -static const unsigned char mffehde4096_G[] =3D MBEDTLS_DHM_RFC7919_FFDHE40= 96_G_BIN; - /** Allocates and Initializes one Diffie-Hellman Context for subsequent use. =20 
@@ -44,72 +37,6 @@ DhNew ( return ctx; } =20 -/** - Allocates and Initializes one Diffie-Hellman Context for subsequent use - with the NID. - - @param Nid cipher NID - - @return Pointer to the Diffie-Hellman Context that has been initialized. - If the allocations fails, DhNew() returns NULL. - -**/ -VOID * -EFIAPI -DhNewByNid ( - IN UINTN Nid - ) -{ - mbedtls_dhm_context *ctx; - INT32 Ret; - - ctx =3D AllocateZeroPool (sizeof(mbedtls_dhm_context)); - if (ctx =3D=3D NULL) { - return NULL; - } - - mbedtls_dhm_init (ctx); - - switch (Nid) { - case CRYPTO_NID_FFDHE2048: - Ret =3D mbedtls_mpi_read_binary (&ctx->P, mffehde2048_P, sizeof(mffehd= e2048_P)); - if (Ret !=3D 0) { - goto Error; - } - Ret =3D mbedtls_mpi_read_binary (&ctx->G, mffehde2048_G, sizeof(mffehd= e2048_G)); - if (Ret !=3D 0) { - goto Error; - } - break; - case CRYPTO_NID_FFDHE3072: - Ret =3D mbedtls_mpi_read_binary (&ctx->P, mffehde3072_P, sizeof(mffehd= e3072_P)); - if (Ret !=3D 0) { - goto Error; - } - Ret =3D mbedtls_mpi_read_binary (&ctx->G, mffehde3072_G, sizeof(mffehd= e3072_G)); - if (Ret !=3D 0) { - goto Error; - } - break; - case CRYPTO_NID_FFDHE4096: - Ret =3D mbedtls_mpi_read_binary (&ctx->P, mffehde4096_P, sizeof(mffehd= e4096_P)); - if (Ret !=3D 0) { - goto Error; - } - Ret =3D mbedtls_mpi_read_binary (&ctx->G, mffehde4096_G, sizeof(mffehd= e4096_G)); - if (Ret !=3D 0) { - goto Error; - } - break; - default: - goto Error; - } - return ctx; -Error: - FreePool (ctx); - return NULL; -} - /** Release the specified DH context. =20 --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
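Review bot: DhNewByNid() is deleted in the second hunk, but the diffstat shows CryptDh.c as the only file changed and the commit message does not say why the API is unnecessary; if the function is still declared in a header or referenced by a caller, the removal becomes a link error, so please drop the declaration in the same patch and name what replaces it. With the RFC 7919 FFDHE2048/3072/4096 constants from the first hunk gone as well, this file no longer offers a way to create a context from a named group, so the prime and generator have to be supplied some other way; the commit message should state that this is intended.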
View/Reply Online (#101319): https://edk2.groups.io/g/devel/message/101319

From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Wenxing Hou
Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 3/7] Make all BaseCryptLibMbedTls inf files consistent with BaseCryptLib
Date: Fri, 17 Mar 2023 17:00:49 +0800
Message-Id: <20230317090053.1895-4-wenxing.hou@intel.com>
In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com>
References: <20230317090053.1895-1-wenxing.hou@intel.com>

Signed-off-by: Wenxing Hou
---
 CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf | 8 ++++++++
 CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf | 2 +-
 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf | 4 ++--
 .../Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf | 4 +++-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf b/Crypt= oPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf index 582b6a074f..98b4f5ae2e 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf 
@@ -32,6 +32,7 @@ Cipher/CryptAes.c Hash/CryptSha256.c Hash/CryptSha512.c + Hash/CryptParallelHashNull.c Hash/CryptSha3.c Hash/CryptSm3.c Hash/CryptMd5.c @@ -46,7 +47,14 @@ Pk/CryptRsaExt.c Pk/CryptPkcs1Oaep.c Pk/CryptPkcs5Pbkdf2.c + Pk/CryptPkcs7Sign.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7VerifyEku.c + Pk/CryptDh.c Pk/CryptX509.c + Pk/CryptAuthenticode.c + Pk/CryptTs.c Rand/CryptRand.c SysCall/BaseMemAllocation.c SysCall/CrtWrapper.c diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf b/Cr= yptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf index d7c7100ff3..83862cf6bd 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf @@ -42,7 +42,7 @@ Hash/CryptSm3.c Hash/CryptSha512.c Hash/CryptParallelHashNull.c - # Hmac/CryptHmac.c + Hmac/CryptHmac.c Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf b/Crypto= Pkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf index 92e89ad0a7..68824f4a2b 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf @@ -41,9 +41,9 @@ Hash/CryptSha3.c Hash/CryptXkcp.c # Hash/CryptCShake256.c - # Hash/CryptParallelHash.c + Hash/CryptParallelHashNull.c # Hash/CryptDispatchApMm.c - # Hmac/CryptHmac.c + Hmac/CryptHmac.c Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf b/C= ryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf index fd71eb5e18..cf86e0ef68 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf 
@@ -46,11 +46,13 @@ Pk/CryptRsaExt.c Pk/CryptPkcs1Oaep.c Pk/CryptPkcs5Pbkdf2.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7Sign.c + Pk/CryptPkcs7VerifyCommon.c Pk/CryptX509.c Rand/CryptRand.c SysCall/BaseMemAllocation.c SysCall/CrtWrapper.c - SysCall/TimerWrapper.c =20 [Packages] MdePkg/MdePkg.dec --=20 2.26.2.windows.1
View/Reply Online (#101320): https://edk2.groups.io/g/devel/message/101320

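Review bot: The last hunk removes SysCall/TimerWrapper.c from TestBaseCryptLib.inf with no explanation in the commit message, and it adds only Pk/CryptPkcs7VerifyBase.c, Pk/CryptPkcs7Sign.c and Pk/CryptPkcs7VerifyCommon.c, while BaseCryptLib.inf in this same patch also gains Pk/CryptPkcs7VerifyEku.c, Pk/CryptDh.c, Pk/CryptAuthenticode.c and Pk/CryptTs.c; the subject says the INF files are being made consistent, so either list the same sources in the test INF or explain the difference. BaseCryptLib.inf also starts building Pk/CryptAuthenticode.c, which the README in patch 1/7 still marks WIP for Build Pass, so please confirm that this INF builds at this point in the series.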
From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Wenxing Hou
Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 4/7] Update Pkcs7 api based on MbedTlsLib for CryptoPkg
Date: Fri, 17 Mar 2023 17:00:50 +0800
Message-Id: <20230317090053.1895-5-wenxing.hou@intel.com>
In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com>
References: <20230317090053.1895-1-wenxing.hou@intel.com>

Signed-off-by: Wenxing Hou
---
 .../BaseCryptLibMbedTls/InternalCryptLib.h | 32 ++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c | 5 +-
 .../Pk/CryptPkcs7VerifyBase.c | 40 +-
 .../Pk/CryptPkcs7VerifyCommon.c | 338 ++++++++++++-
 .../Pk/CryptPkcs7VerifyEku.c | 454 ++----------------
 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf | 1 +
 6 files changed, 424 insertions(+), 446 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h b/Cry= ptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h index 674242cfeb..6871785575 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h 
@@ -24,4 +24,36 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 int myrand( void *rng_state, unsigned char *output, size_t len ); =20 +/** + Check input P7Data is a wrapped ContentInfo structure or not. If not con= struct + a new structure to wrap P7Data. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do = basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, othe= rwise + return FALSE. + @param[out] WrapData If return status of this function is TRUE: + 1) when WrapFlag is TRUE, pointer to P7Data. + 2) when WrapFlag is FALSE, pointer to a new Con= tentInfo + structure. It's caller's responsibility to free= this + buffer. + @param[out] WrapDataSize Length of ContentInfo structure in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE The operation is failed due to lack of resource= s. + +**/ +BOOLEAN +WrapPkcs7Data ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT BOOLEAN *WrapFlag, + OUT UINT8 **WrapData, + OUT UINTN *WrapDataSize + ); + #endif diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c b/Cr= yptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c index 0c7a1d009f..21d06264d5 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c @@ -388,7 +388,8 @@ Pkcs7Sign ( mbedtls_pk_init (&Pkey); Ret =3D mbedtls_pk_parse_key ( &Pkey, NewPrivateKey, PrivateKeySize, - KeyPassword, KeyPassword =3D=3D NULL ? 0 : AsciiStrLen (KeyPassword) + KeyPassword, KeyPassword =3D=3D NULL ? 0 : AsciiStrLen (KeyPassword), + NULL, NULL ); if (Ret !=3D 0) { Status =3D FALSE; 
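Review bot: In the Pkcs7Sign hunk, mbedtls_pk_parse_key() is given "NULL, NULL" for its two new trailing RNG arguments, while the next hunk in this file passes "myrand, NULL" to mbedtls_pk_sign(); please pass the same RNG here, or add a comment saying why none is needed when the private key is parsed. The WrapPkcs7Data() comment added to InternalCryptLib.h says the function may receive untrusted input, yet the only documented failure is lack of resources; add a @retval line for malformed input and say whether WrapData is left untouched on failure, since callers decide from WrapFlag whether to free it.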
@@ -406,7 +407,7 @@ Pkcs7Sign ( ZeroMem (Signature, MAX_SIGNATURE_SIZE); Ret =3D mbedtls_pk_sign ( &Pkey, MBEDTLS_MD_SHA256, HashValue, SHA256_DIGEST_SIZE, - Signature, &SignatureLen, myrand, NULL); + Signature, MAX_SIGNATURE_SIZE, &SignatureLen, myrand, NULL); if (Ret !=3D 0) { Status =3D FALSE; goto Cleanup; diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.= c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c index 01fcba5513..4daea4982f 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c @@ -7,6 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "InternalCryptLib.h" +#include =20 /** Extracts the attached content from a PKCS#7 signed data if existed. The = input signed @@ -38,12 +39,13 @@ Pkcs7GetAttachedContent ( ) { BOOLEAN Status; - PKCS7 *Pkcs7; UINT8 *SignedData; UINTN SignedDataSize; BOOLEAN Wrapped; - CONST UINT8 *Temp; - ASN1_OCTET_STRING *OctStr; + INTN Ret; + mbedtls_pkcs7 Pkcs7; + + mbedtls_pkcs7_init(&Pkcs7); =20 // // Check input parameter. @@ -53,9 +55,7 @@ Pkcs7GetAttachedContent ( } =20 *Content =3D NULL; - Pkcs7 =3D NULL; SignedData =3D NULL; - OctStr =3D NULL; =20 Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &Sign= edDataSize); if (!Status || (SignedDataSize > INT_MAX)) { 
@@ -64,26 +64,23 @@ Pkcs7GetAttachedContent ( =20 Status =3D FALSE; =20 - // - // Decoding PKCS#7 SignedData - // - Temp =3D SignedData; - Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDat= aSize); - if (Pkcs7 =3D=3D NULL) { - goto _Exit; - } + Ret =3D mbedtls_pkcs7_parse_der(&Pkcs7, SignedData, (INT32)SignedDataSiz= e); =20 // // The type of Pkcs7 must be signedData // - if (!PKCS7_type_is_signed (Pkcs7)) { + if (Ret !=3D MBEDTLS_PKCS7_SIGNED_DATA) { goto _Exit; } =20 // // Check for detached or attached content // - if (PKCS7_get_detached (Pkcs7)) { + + mbedtls_pkcs7_data *MbedtlsContent; + MbedtlsContent =3D &(Pkcs7.signed_data.content); + + if (MbedtlsContent =3D=3D NULL) { // // No Content supplied for PKCS7 detached signedData // @@ -93,15 +90,14 @@ Pkcs7GetAttachedContent ( // // Retrieve the attached content in PKCS7 signedData // - OctStr =3D Pkcs7->d.sign->contents->d.data; - if ((OctStr->length > 0) && (OctStr->data !=3D NULL)) { - *ContentSize =3D OctStr->length; + if ((MbedtlsContent->data.len > 0) && (MbedtlsContent->data.p !=3D NUL= L)) { + *ContentSize =3D MbedtlsContent->data.len; *Content =3D AllocatePool (*ContentSize); if (*Content =3D=3D NULL) { *ContentSize =3D 0; goto _Exit; } - CopyMem (*Content, OctStr->data, *ContentSize); + CopyMem (*Content, MbedtlsContent->data.p, *ContentSize); } } Status =3D TRUE; @@ -110,11 +106,7 @@ _Exit: // // Release Resources // - PKCS7_free (Pkcs7); - - if (!Wrapped) { - OPENSSL_free (SignedData); - } + mbedtls_pkcs7_free (&Pkcs7); =20 return Status; } diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommo= n.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c index 5291f2454d..14c9d447e6 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c 
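Review bot: In CryptPkcs7VerifyBase.c, the detached-content test "if (MbedtlsContent == NULL)" can never be true, because MbedtlsContent has just been assigned "&(Pkcs7.signed_data.content)", the address of a member of the local Pkcs7 structure; the check that replaces PKCS7_get_detached() therefore never reports a detached signature and control always reaches the attached-content branch. Test the content's own fields instead (the code below already looks at data.len and data.p) and decide explicitly what the function returns when they are empty. The last hunk of this file also drops the "if (!Wrapped) { OPENSSL_free (SignedData); }" cleanup without a FreePool() replacement, so the buffer WrapPkcs7Data() allocates when WrapFlag is FALSE is leaked; Pkcs7GetSigners() in this same patch does free it. The declaration of MbedtlsContent in the middle of the block should move to the top of the function with the other locals.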
@@ -656,7 +656,7 @@ Pkcs7Verify ( =20 Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &WrapData, &WrapDa= taSize); =20 - if (Status) { + if (!Status) { Ret =3D 0; Status =3D FALSE; } else { 
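Review bot: This one-line change in Pkcs7Verify() inverts how the WrapPkcs7Data() result is handled, which is a functional fix on the signature verification path and not an API update as the subject describes; please mention it in the commit message or squash it into the patch that introduced the check, and add a test that feeds Pkcs7Verify() both a wrapped and an unwrapped input so the two branches are exercised.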
@@ -741,5 +741,339 @@ Pkcs7GetSigners ( OUT UINTN *CertLength ) { -return FALSE; + BOOLEAN Status; + UINT8 *SignedData; + UINTN SignedDataSize; + BOOLEAN Wrapped; + INTN Ret; + mbedtls_pkcs7 Pkcs7; + mbedtls_x509_crt *Cert; + UINT8 Index; + UINT8 *CertBuf; + UINT8 *OldBuf; + UINTN BufferSize; + UINTN OldSize; + UINT8 *SingleCert; + UINTN SingleCertSize; + + + mbedtls_pkcs7_init(&Pkcs7); + + // + // Check input parameter. + // + if ((P7Data =3D=3D NULL) || (CertStack =3D=3D NULL) || (StackLength =3D= =3D NULL) || + (TrustedCert =3D=3D NULL) || (CertLength =3D=3D NULL) || (P7Length >= INT_MAX)) + { + return FALSE; + } + + SignedData =3D NULL; + + Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &Sign= edDataSize); + if (!Status || (SignedDataSize > INT_MAX)) { + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Ret =3D mbedtls_pkcs7_parse_der(&Pkcs7, SignedData, (INT32)SignedDataSiz= e); + + // + // The type of Pkcs7 must be signedData + // + if (Ret !=3D MBEDTLS_PKCS7_SIGNED_DATA) { + goto _Exit; + } + + + Cert =3D NULL; + CertBuf =3D NULL; + OldBuf =3D NULL; + SingleCert =3D NULL; + + + Cert =3D &Pkcs7.signed_data.certs; + if (Cert =3D=3D NULL) { + goto _Exit; + } + + // + // Convert CertStack to buffer in following format: + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... 
+ // UINT32 CertnLength; + // UINT8 Certn[]; + // + BufferSize =3D sizeof (UINT8); + OldSize =3D BufferSize; + + for (Index =3D 0; ; Index++) { + + SingleCertSize =3D Cert->raw.len; + + OldSize =3D BufferSize; + OldBuf =3D CertBuf; + BufferSize =3D OldSize + SingleCertSize + sizeof (UINT32); + CertBuf =3D AllocateZeroPool (BufferSize); + + if (CertBuf =3D=3D NULL) { + goto _Exit; + } + + if (OldBuf !=3D NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + FreePool (OldBuf); + OldBuf =3D NULL; + } + + WriteUnaligned32 ((UINT32 *)(CertBuf + OldSize), (UINT32)SingleCertSiz= e); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSi= ze); + + FreePool (SingleCert); + SingleCert =3D NULL; + + if (Cert->next =3D=3D NULL) { + break; + } + } + + if (CertBuf !=3D NULL) { + // + // Update CertNumber. + // + CertBuf[0] =3D Index; + + *CertLength =3D BufferSize - OldSize - sizeof (UINT32); + *TrustedCert =3D AllocateZeroPool (*CertLength); + if (*TrustedCert =3D=3D NULL) { + goto _Exit; + } + + CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLengt= h); + *CertStack =3D CertBuf; + *StackLength =3D BufferSize; + Status =3D TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + FreePool (SignedData); + } + + mbedtls_pkcs7_free (&Pkcs7); + + if (SingleCert !=3D NULL) { + FreePool (SingleCert); + } + + if (!Status && (CertBuf !=3D NULL)) { + FreePool (CertBuf); + *CertStack =3D NULL; + } + + if (OldBuf !=3D NULL) { + FreePool (OldBuf); + } + + return Status; +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described= in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate list= s chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. 
+ @param[out] SignerChainCerts Pointer to the certificates list chained t= o signer's + certificate. It's caller's responsibility = to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list bu= ffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates list= s. It's caller's + responsibility to free the buffer with Pkc= s7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list = buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + BOOLEAN Status; + UINT8 *SignedData; + UINTN SignedDataSize; + BOOLEAN Wrapped; + INTN Ret; + mbedtls_pkcs7 Pkcs7; + mbedtls_x509_crt *Cert; + UINT8 Index; + UINT8 *CertBuf; + UINT8 *OldBuf; + UINTN BufferSize; + UINTN OldSize; + UINT8 *SingleCert; + UINTN SingleCertSize; + + + mbedtls_pkcs7_init(&Pkcs7); + + // + // Check input parameter. 
+ // + if ((P7Data =3D=3D NULL) || (SignerChainCerts =3D=3D NULL) || (ChainLeng= th =3D=3D NULL) || + (UnchainCerts =3D=3D NULL) || (UnchainLength =3D=3D NULL) || (P7Leng= th > INT_MAX)) + { + return FALSE; + } + + SignedData =3D NULL; + + Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &Sign= edDataSize); + if (!Status || (SignedDataSize > INT_MAX)) { + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Ret =3D mbedtls_pkcs7_parse_der(&Pkcs7, SignedData, (INT32)SignedDataSiz= e); + + // + // The type of Pkcs7 must be signedData + // + if (Ret !=3D MBEDTLS_PKCS7_SIGNED_DATA) { + goto _Exit; + } + + + Cert =3D NULL; + CertBuf =3D NULL; + OldBuf =3D NULL; + SingleCert =3D NULL; + + + Cert =3D &Pkcs7.signed_data.certs; + if (Cert =3D=3D NULL) { + goto _Exit; + } + + // + // Converts Chained and Untrusted Certificate to Certificate Buffer in f= ollowing format: + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + BufferSize =3D sizeof (UINT8); + OldSize =3D BufferSize; + + for (Index =3D 0; ; Index++) { + + SingleCertSize =3D Cert->raw.len; + + OldSize =3D BufferSize; + OldBuf =3D CertBuf; + BufferSize =3D OldSize + SingleCertSize + sizeof (UINT32); + CertBuf =3D AllocateZeroPool (BufferSize); + + if (CertBuf =3D=3D NULL) { + goto _Exit; + } + + if (OldBuf !=3D NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + FreePool (OldBuf); + OldBuf =3D NULL; + } + + WriteUnaligned32 ((UINT32 *)(CertBuf + OldSize), (UINT32)SingleCertSiz= e); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSi= ze); + + FreePool (SingleCert); + SingleCert =3D NULL; + + if (Cert->next =3D=3D NULL) { + break; + } + } + + if (CertBuf !=3D NULL) { + // + // Update CertNumber. 
+ // + CertBuf[0] =3D Index; + + *UnchainLength =3D BufferSize - OldSize - sizeof (UINT32); + *UnchainCerts =3D AllocateZeroPool (*UnchainLength); + if (*UnchainCerts =3D=3D NULL) { + goto _Exit; + } + + CopyMem (*UnchainCerts, CertBuf + OldSize + sizeof (UINT32), *UnchainL= ength); + *SignerChainCerts =3D CertBuf; + *ChainLength =3D BufferSize; + Status =3D TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + FreePool (SignedData); + } + + mbedtls_pkcs7_free (&Pkcs7); + + if (SingleCert !=3D NULL) { + FreePool (SingleCert); + } + + if (!Status && (CertBuf !=3D NULL)) { + FreePool (CertBuf); + *SignerChainCerts =3D NULL; + } + + if (OldBuf !=3D NULL) { + FreePool (OldBuf); + } + + return Status; } diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c= b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c index 1bc4a5db13..484255830a 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c 
@@ -11,311 +11,8 @@ =20 #include #include "InternalCryptLib.h" +#include =20 -/** - This function will return the leaf signer certificate in a chain. This = is - required because certificate chains are not guaranteed to have the - certificates in the order that they were issued. - - A typical certificate chain looks like this: - - - ---------------------------- - | Root | - ---------------------------- - ^ - | - ---------------------------- - | Policy CA | <-- Typical Trust Anchor. - ---------------------------- - ^ - | - ---------------------------- - | Issuing CA | - ---------------------------- - ^ - | - ----------------------------- - / End-Entity (leaf) signer / <-- Bottom certificate. - ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.= 21.1" - (Firmware Signing) - - - @param[in] CertChain Certificate chain. - - @param[out] SignerCert Last certificate in the chain. For PK= CS7 signatures, - this will be the end-entity (leaf) sig= ner cert. - - @retval EFI_SUCCESS The required EKUs were found in the si= gnature. - @retval EFI_INVALID_PARAMETER A parameter was invalid. - @retval EFI_NOT_FOUND The number of signers found was not 1. - -**/ -EFI_STATUS -GetSignerCertificate ( - IN CONST PKCS7 *CertChain, - OUT X509 **SignerCert - ) -{ - EFI_STATUS Status; - STACK_OF(X509) *Signers; - INT32 NumberSigners; - - Status =3D EFI_SUCCESS; - Signers =3D NULL; - NumberSigners =3D 0; - - if (CertChain =3D=3D NULL || SignerCert =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // Get the signers from the chain. - // - Signers =3D PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY); - if (Signers =3D=3D NULL) { - // - // Fail to get signers form PKCS7 - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // There should only be one signer in the PKCS7 stack. 
- // - NumberSigners =3D sk_X509_num (Signers); - if (NumberSigners !=3D 1) { - // - // The number of singers should have been 1 - // - Status =3D EFI_NOT_FOUND; - goto Exit; - } - - *SignerCert =3D sk_X509_value (Signers, 0); - -Exit: - // - // Release Resources - // - if (Signers !=3D NULL) { - sk_X509_free (Signers); - } - - return Status; -} - - -/** - Determines if the specified EKU represented in ASN1 form is present - in a given certificate. - - @param[in] Cert The certificate to check. - - @param[in] Asn1ToFind The EKU to look for. - - @retval EFI_SUCCESS We successfully identified the signing= type. - @retval EFI_INVALID_PARAMETER A parameter was invalid. - @retval EFI_NOT_FOUND One or more EKU's were not found in th= e signature. - -**/ -EFI_STATUS -IsEkuInCertificate ( - IN CONST X509 *Cert, - IN ASN1_OBJECT *Asn1ToFind - ) -{ - EFI_STATUS Status; - X509 *ClonedCert; - X509_EXTENSION *Extension; - EXTENDED_KEY_USAGE *Eku; - INT32 ExtensionIndex; - INTN NumExtensions; - ASN1_OBJECT *Asn1InCert; - INTN Index; - - Status =3D EFI_NOT_FOUND; - ClonedCert =3D NULL; - Extension =3D NULL; - Eku =3D NULL; - ExtensionIndex =3D -1; - NumExtensions =3D 0; - Asn1InCert =3D NULL; - - if (Cert =3D=3D NULL || Asn1ToFind =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // Clone the certificate. This is required because the Extension API's - // only work once per instance of an X509 object. - // - ClonedCert =3D X509_dup ((X509*)Cert); - if (ClonedCert =3D=3D NULL) { - // - // Fail to duplicate cert. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // Look for the extended key usage. - // - ExtensionIndex =3D X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -= 1); - - if (ExtensionIndex < 0) { - // - // Fail to find 'NID_ext_key_usage' in Cert. - // - goto Exit; - } - - Extension =3D X509_get_ext (ClonedCert, ExtensionIndex); - if (Extension =3D=3D NULL) { - // - // Fail to get Extension form cert. 
- // - goto Exit; - } - - Eku =3D (EXTENDED_KEY_USAGE*)X509V3_EXT_d2i (Extension); - if (Eku =3D=3D NULL) { - // - // Fail to get Eku from extension. - // - goto Exit; - } - - NumExtensions =3D sk_ASN1_OBJECT_num (Eku); - - // - // Now loop through the extensions, looking for the specified Eku. - // - for (Index =3D 0; Index < NumExtensions; Index++) { - Asn1InCert =3D sk_ASN1_OBJECT_value (Eku, (INT32)Index); - if (Asn1InCert =3D=3D NULL) { - // - // Fail to get ASN object from Eku. - // - goto Exit; - } - - if (Asn1InCert->length =3D=3D Asn1ToFind->length && - CompareMem (Asn1InCert->data, Asn1ToFind->data, Asn1InCert->length= ) =3D=3D 0) { - // - // Found Eku in certificate. - // - Status =3D EFI_SUCCESS; - goto Exit; - } - } - -Exit: - - // - // Release Resources - // - if (ClonedCert !=3D NULL) { - X509_free (ClonedCert); - } - - if (Eku !=3D NULL) { - sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free); - } - - return Status; -} - - -/** - Determines if the specified EKUs are present in a signing certificate. - - @param[in] SignerCert The certificate to check. - @param[in] RequiredEKUs The EKUs to look for. - @param[in] RequiredEKUsSize The number of EKUs - @param[in] RequireAllPresent If TRUE, then all the specified EKUs - must be present in the certificate. - - @retval EFI_SUCCESS We successfully identified the signing= type. - @retval EFI_INVALID_PARAMETER A parameter was invalid. - @retval EFI_NOT_FOUND One or more EKU's were not found in th= e signature. 
-**/ -EFI_STATUS -CheckEKUs( - IN CONST X509 *SignerCert, - IN CONST CHAR8 *RequiredEKUs[], - IN CONST UINT32 RequiredEKUsSize, - IN BOOLEAN RequireAllPresent - ) -{ - EFI_STATUS Status; - ASN1_OBJECT *Asn1ToFind; - UINT32 NumEkusFound; - UINT32 Index; - - Status =3D EFI_SUCCESS; - Asn1ToFind =3D NULL; - NumEkusFound =3D 0; - - if (SignerCert =3D=3D NULL || RequiredEKUs =3D=3D NULL || RequiredEKUsSi= ze =3D=3D 0) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - for (Index =3D 0; Index < RequiredEKUsSize; Index++) { - // - // Finding required EKU in cert. - // - if (Asn1ToFind !=3D NULL) { - ASN1_OBJECT_free(Asn1ToFind); - Asn1ToFind =3D NULL; - } - - Asn1ToFind =3D OBJ_txt2obj (RequiredEKUs[Index], 0); - if (Asn1ToFind =3D=3D NULL) { - // - // Fail to convert required EKU to ASN1. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - Status =3D IsEkuInCertificate (SignerCert, Asn1ToFind); - if (Status =3D=3D EFI_SUCCESS) { - NumEkusFound++; - if (!RequireAllPresent) { - // - // Found at least one, so we are done. - // - goto Exit; - } - } else { - // - // Fail to find Eku in cert - break; - } - } - -Exit: - - if (Asn1ToFind !=3D NULL) { - ASN1_OBJECT_free(Asn1ToFind); - } - - if (RequireAllPresent && - NumEkusFound =3D=3D RequiredEKUsSize) { - // - // Found all required EKUs in certificate. - // - Status =3D EFI_SUCCESS; - } - - return Status; -} =20 /** This function receives a PKCS#7 formatted signature blob, 
@@ -357,135 +54,62 @@ VerifyEKUsInPkcs7Signature ( IN BOOLEAN RequireAllPresent ) { - EFI_STATUS Status; - PKCS7 *Pkcs7; - STACK_OF(X509) *CertChain; - INT32 SignatureType; - INT32 NumberCertsInSignature; - X509 *SignerCert; - UINT8 *SignedData; - UINT8 *Temp; - UINTN SignedDataSize; - BOOLEAN IsWrapped; - BOOLEAN Ok; + BOOLEAN Status; + UINT8 *SignedData; + UINTN SignedDataSize; + BOOLEAN Wrapped; + INTN Ret; + mbedtls_pkcs7 Pkcs7; + mbedtls_x509_crt *Cert; + UINT8 *SingleCert; =20 - Status =3D EFI_SUCCESS; - Pkcs7 =3D NULL; - CertChain =3D NULL; - SignatureType =3D 0; - NumberCertsInSignature =3D 0; - SignerCert =3D NULL; - SignedData =3D NULL; - SignedDataSize =3D 0; - IsWrapped =3D FALSE; - Ok =3D FALSE; + mbedtls_pkcs7_init(&Pkcs7); =20 // - //Validate the input parameters. + // Check input parameter. // - if (Pkcs7Signature =3D=3D NULL || - SignatureSize =3D=3D 0 || - RequiredEKUs =3D=3D NULL || - RequiredEKUsSize =3D=3D 0) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; + if ((RequiredEKUs =3D=3D NULL) || (Pkcs7Signature =3D=3D NULL)) + { + return FALSE; } =20 - if (RequiredEKUsSize =3D=3D 1) { - RequireAllPresent =3D TRUE; - } + SignedData =3D NULL; =20 - // - // Wrap the PKCS7 data if needed. - // - Ok =3D WrapPkcs7Data (Pkcs7Signature, - SignatureSize, - &IsWrapped, - &SignedData, - &SignedDataSize); - if (!Ok) { - // - // Fail to Wrap the PKCS7 data. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; + Status =3D WrapPkcs7Data (Pkcs7Signature, SignatureSize, &Wrapped, &Sign= edData, &SignedDataSize); + if (!Status || (SignedDataSize > INT_MAX)) { + goto _Exit; } =20 - Temp =3D SignedData; + Status =3D FALSE; =20 // - // Create the PKCS7 object. + // Retrieve PKCS#7 Data (DER encoding) // - Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedD= ataSize); - if (Pkcs7 =3D=3D NULL) { - // - // Fail to read PKCS7 data. 
- // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; + if (SignedDataSize > INT_MAX) { + goto _Exit; } =20 - // - // Get the certificate chain. - // - SignatureType =3D OBJ_obj2nid (Pkcs7->type); - switch (SignatureType) { - case NID_pkcs7_signed: - if (Pkcs7->d.sign !=3D NULL) { - CertChain =3D Pkcs7->d.sign->cert; - } - break; - case NID_pkcs7_signedAndEnveloped: - if (Pkcs7->d.signed_and_enveloped !=3D NULL) { - CertChain =3D Pkcs7->d.signed_and_enveloped->cert; - } - break; - default: - break; - } + Ret =3D mbedtls_pkcs7_parse_der(&Pkcs7, SignedData, (INT32)SignedDataSiz= e); =20 // - // Ensure we have a certificate stack + // The type of Pkcs7 must be signedData // - if (CertChain =3D=3D NULL) { - // - // Fail to get the certificate stack from signature. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; + if (Ret !=3D MBEDTLS_PKCS7_SIGNED_DATA) { + goto _Exit; } =20 - // - // Find out how many certificates were in the PKCS7 signature. - // - NumberCertsInSignature =3D sk_X509_num (CertChain); =20 - if (NumberCertsInSignature =3D=3D 0) { - // - // Fail to find any certificates in signature. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } + Cert =3D NULL; + SingleCert =3D NULL; =20 - // - // Get the leaf signer. - // - Status =3D GetSignerCertificate (Pkcs7, &SignerCert); - if (Status !=3D EFI_SUCCESS || SignerCert =3D=3D NULL) { - // - // Fail to get the end-entity leaf signer certificate. - // - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } =20 - Status =3D CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, Requir= eAllPresent); - if (Status !=3D EFI_SUCCESS) { - goto Exit; + Cert =3D &Pkcs7.signed_data.certs; + if (Cert =3D=3D NULL) { + goto _Exit; } =20 -Exit: + +_Exit: =20 // // Release Resources 
@@ -493,17 +117,11 @@ Exit: // If the signature was not wrapped, then the call to WrapData() will al= locate // the data and add a header to it // - if (!IsWrapped && SignedData) { - free (SignedData); + if (!Wrapped && SignedData) { + FreePool (SignedData); } =20 - if (SignerCert !=3D NULL) { - X509_free (SignerCert); - } - - if (Pkcs7 !=3D NULL) { - PKCS7_free (Pkcs7); - } + mbedtls_pkcs7_free (&Pkcs7); =20 return Status; } diff --git a/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf b/CryptoPkg/Librar= y/MbedTlsLib/MbedTlsLib.inf index b735fef49e..69d712b9c6 100644 --- a/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf +++ b/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf 
@@ -108,6 +108,7 @@ mbedtls/library/x509_crl.c mbedtls/library/x509_crt.c mbedtls/library/x509_csr.c + mbedtls/library/pkcs7.c =20 [Packages] MdePkg/MdePkg.dec --=20 2.26.2.windows.1
View/Reply Online (#101321): https://edk2.groups.io/g/devel/message/101321
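Review bot: In the certificate loop added to Pkcs7GetSigners, and repeated in Pkcs7GetCertificatesList, `SingleCert` is still NULL when it is used as the source of `CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize)` and then passed to `FreePool`, and `Cert` is never advanced, so the `Cert->next == NULL` break is only reached when the message carries exactly one certificate. Copy from `Cert->raw.p`, step `Cert = Cert->next` at the end of each iteration, and drop `SingleCert`. `CertBuf[0] = Index` then stores one less than the number of entries written (`Index` is 0 after the first certificate), and `Index` is a `UINT8` with no upper bound in the loop. The `goto _Exit` paths taken before `CertBuf`, `OldBuf` and `SingleCert` are set to NULL also reach the cleanup block with those locals uninitialised; initialise them next to `SignedData = NULL`.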
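Review bot: Every path through the new VerifyEKUsInPkcs7Signature body ends with `Status` equal to `FALSE`, including the invalid-parameter `return FALSE` and the fall-through to `_Exit` after a successful parse, and the certificate's EKUs are never compared against `RequiredEKUs`. The return-type line of the function is not touched by this hunk and the removed body returned `EFI_STATUS`, so if the type is still `EFI_STATUS` the value `FALSE` (0) reads as `EFI_SUCCESS` and callers treat any input, NULL included, as carrying the required EKUs. Until the mbedtls EKU walk that replaces GetSignerCertificate, IsEkuInCertificate and CheckEKUs is written, return an error such as `EFI_UNSUPPORTED` on all paths, declare `Status` as `EFI_STATUS`, and keep the removed `SignatureSize == 0` and `RequiredEKUsSize == 0` checks. `Cert` and `SingleCert` are assigned but unused in this version.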
From: "Wenxing Hou" To: devel@edk2.groups.io Cc: Wenxing Hou Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 5/7] Update EC api based on MbedTlsLib for CryptoPkg Date: Fri, 17 Mar 2023 17:00:51 +0800 Message-Id: <20230317090053.1895-6-wenxing.hou@intel.com> In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com> References: <20230317090053.1895-1-wenxing.hou@intel.com> Content-Transfer-Encoding: quoted-printable Signed-off-by: Wenxing Hou --- .../Library/BaseCryptLibMbedTls/Pk/CryptEc.c | 634 +++++++++++++++++- 1 file changed, 621 insertions(+), 13 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEc.c b/CryptoPkg= /Library/BaseCryptLibMbedTls/Pk/CryptEc.c index 88684c9fa2..36bc294c20 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEc.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEc.c
@@ -15,6 +15,532 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include =20 +// =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +// Basic Elliptic Curve Primitives +// =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +/** + Return the Nid of certain ECC curve. + + @param[in] CryptoNid Identifying number for the ECC curve (Defined in + BaseCryptLib.h). + + @retval !=3D-1 On success. + @retval -1 ECC curve not supported. +**/ +STATIC +INT32 +CryptoNidToMbedtlsNid ( + IN UINTN CryptoNid + ) +{ + INT32 Nid; + + switch (CryptoNid) { + case CRYPTO_NID_SECP256R1: + Nid =3D MBEDTLS_ECP_DP_SECP256R1; + break; + case CRYPTO_NID_SECP384R1: + Nid =3D MBEDTLS_ECP_DP_SECP384R1; + break; + case CRYPTO_NID_SECP521R1: + Nid =3D MBEDTLS_ECP_DP_SECP521R1; + break; + default: + return -1; + } + + return Nid; +} + +/** + Initialize new opaque EcGroup object. This object represents an EC curve= and + and is used for calculation within this group. This object should be fre= ed + using EcGroupFree() function. + + @param[in] CryptoNid Identifying number for the ECC curve (Defined in + BaseCryptLib.h). + + @retval EcGroup object On success. + @retval NULL On failure. 
+**/ +VOID * +EFIAPI +EcGroupInit ( + IN UINTN CryptoNid + ) +{ + INT32 Nid; + mbedtls_ecp_group *grp; + + Nid =3D CryptoNidToMbedtlsNid (CryptoNid); + + if (Nid < 0) { + return NULL; + } + + grp =3D AllocateZeroPool (sizeof(mbedtls_ecp_group)); + if (grp =3D=3D NULL) { + return NULL; + } + + mbedtls_ecp_group_init(grp); + + mbedtls_ecp_group_load(grp, Nid); + + return grp; +} + +/** + Get EC curve parameters. While elliptic curve equation is Y^2 mod P =3D = (X^3 + AX + B) Mod P. + This function will set the provided Big Number objects to the correspon= ding + values. The caller needs to make sure all the "out" BigNumber parameters + are properly initialized. + + @param[in] EcGroup EC group object. + @param[out] BnPrime Group prime number. + @param[out] BnA A coefficient. + @param[out] BnB B coefficient.. + @param[in] BnCtx BN context. + + @retval TRUE On success. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcGroupGetCurve ( + IN CONST VOID *EcGroup, + OUT VOID *BnPrime, + OUT VOID *BnA, + OUT VOID *BnB, + IN VOID *BnCtx + ) +{ + mbedtls_ecp_group *grp; + + grp =3D ( mbedtls_ecp_group *)EcGroup; + + if (mbedtls_mpi_copy((mbedtls_mpi *)BnPrime, &grp->P) !=3D 0) { + return FALSE; + } + + if (BnA !=3D NULL) { + if (mbedtls_mpi_copy((mbedtls_mpi *)BnA, &grp->A) !=3D 0) { + return FALSE; + } + } + + if (BnB !=3D NULL) { + if (mbedtls_mpi_copy((mbedtls_mpi *)BnB, &grp->B) !=3D 0) { + return FALSE; + } + } + + return TRUE; +} + +/** + Get EC group order. + This function will set the provided Big Number object to the correspondi= ng + value. The caller needs to make sure that the "out" BigNumber parameter + is properly initialized. + + @param[in] EcGroup EC group object. + @param[out] BnOrder Group prime number. + + @retval TRUE On success. + @retval FALSE Otherwise. 
+**/ +BOOLEAN +EFIAPI +EcGroupGetOrder ( + IN VOID *EcGroup, + OUT VOID *BnOrder + ) +{ + mbedtls_ecp_group *grp; + + grp =3D ( mbedtls_ecp_group *)EcGroup; + + if (mbedtls_mpi_copy((mbedtls_mpi *)BnOrder, &grp->N) !=3D 0) { + return FALSE; + } + + return TRUE; +} + +/** + Free previously allocated EC group object using EcGroupInit(). + + @param[in] EcGroup EC group object to free. +**/ +VOID +EFIAPI +EcGroupFree ( + IN VOID *EcGroup + ) +{ + mbedtls_ecp_group_free(EcGroup); +} + +/** + Initialize new opaque EC Point object. This object represents an EC point + within the given EC group (curve). + + @param[in] EC Group, properly initialized using EcGroupInit(). + + @retval EC Point object On success. + @retval NULL On failure. +**/ +VOID * +EFIAPI +EcPointInit ( + IN CONST VOID *EcGroup + ) +{ + mbedtls_ecp_point *pt; + + pt =3D AllocateZeroPool (sizeof(mbedtls_ecp_point)); + if (pt =3D=3D NULL) { + return NULL; + } + + mbedtls_ecp_point_init (pt); + + return pt; +} + +/** + Free previously allocated EC Point object using EcPointInit(). + + @param[in] EcPoint EC Point to free. + @param[in] Clear TRUE iff the memory should be cleared. +**/ +VOID +EFIAPI +EcPointDeInit ( + IN VOID *EcPoint, + IN BOOLEAN Clear + ) +{ + mbedtls_ecp_point_free(EcPoint); +} + +/** + Get EC point affine (x,y) coordinates. + This function will set the provided Big Number objects to the correspond= ing + values. The caller needs to make sure all the "out" BigNumber parameters + are properly initialized. + + @param[in] EcGroup EC group object. + @param[in] EcPoint EC point object. + @param[out] BnX X coordinate. + @param[out] BnY Y coordinate. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. 
+**/ +BOOLEAN +EFIAPI +EcPointGetAffineCoordinates ( + IN CONST VOID *EcGroup, + IN CONST VOID *EcPoint, + OUT VOID *BnX, + OUT VOID *BnY, + IN VOID *BnCtx + ) +{ + mbedtls_ecp_point *pt; + + pt =3D ( mbedtls_ecp_point *)EcPoint; + + if (mbedtls_mpi_copy((mbedtls_mpi *)BnX, &pt->X) !=3D 0) { + return FALSE; + } + + if (mbedtls_mpi_copy((mbedtls_mpi *)BnY, &pt->Y) !=3D 0) { + return FALSE; + } + + return TRUE; +} + +/** + Set EC point affine (x,y) coordinates. + + @param[in] EcGroup EC group object. + @param[in] EcPoint EC point object. + @param[in] BnX X coordinate. + @param[in] BnY Y coordinate. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcPointSetAffineCoordinates ( + IN CONST VOID *EcGroup, + IN VOID *EcPoint, + IN CONST VOID *BnX, + IN CONST VOID *BnY, + IN VOID *BnCtx + ) +{ + mbedtls_ecp_point *pt; + + pt =3D ( mbedtls_ecp_point *)EcPoint; + + if (mbedtls_mpi_copy(&pt->X, (mbedtls_mpi *)BnX) !=3D 0) { + return FALSE; + } + + if (mbedtls_mpi_copy(&pt->Y, (mbedtls_mpi *)BnY) !=3D 0) { + return FALSE; + } + + mbedtls_mpi_lset( &pt->Z , 1); + + return TRUE; +} + +/** + EC Point addition. EcPointResult =3D EcPointA + EcPointB. + + @param[in] EcGroup EC group object. + @param[out] EcPointResult EC point to hold the result. The point shou= ld + be properly initialized. + @param[in] EcPointA EC Point. + @param[in] EcPointB EC Point. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. 
+**/ +BOOLEAN +EFIAPI +EcPointAdd ( + IN CONST VOID *EcGroup, + OUT VOID *EcPointResult, + IN CONST VOID *EcPointA, + IN CONST VOID *EcPointB, + IN VOID *BnCtx + ) +{ + mbedtls_mpi *m; + mbedtls_mpi *n; + + m =3D AllocateZeroPool(sizeof(mbedtls_mpi)); + n =3D AllocateZeroPool(sizeof(mbedtls_mpi)); + + if(mbedtls_mpi_lset(m, 1) !=3D 0 ) { + FreePool(m); + FreePool(n); + return FALSE; + } + if(mbedtls_mpi_lset(n, 1) !=3D 0 ) { + FreePool(m); + FreePool(n); + return FALSE; + } + + if (mbedtls_ecp_muladd((mbedtls_ecp_group *)EcGroup, (mbedtls_ecp_point = *)EcPointResult, (const mbedtls_mpi *)m, + (const mbedtls_ecp_point *)EcPointA, (const mbedtls_mpi *)n, (const = mbedtls_ecp_point *)EcPointB) !=3D 0) { + return FALSE; + } + + FreePool(m); + FreePool(n); + + return TRUE; +} + +/** + Variable EC point multiplication. EcPointResult =3D EcPoint * BnPScalar. + + @param[in] EcGroup EC group object. + @param[out] EcPointResult EC point to hold the result. The point shou= ld + be properly initialized. + @param[in] EcPoint EC Point. + @param[in] BnPScalar P Scalar. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcPointMul ( + IN CONST VOID *EcGroup, + OUT VOID *EcPointResult, + IN CONST VOID *EcPoint, + IN CONST VOID *BnPScalar, + IN VOID *BnCtx + ) +{ + return (mbedtls_ecp_mul((mbedtls_ecp_group *)EcGroup, EcPointResult, BnP= Scalar, EcPoint, myrand, NULL) =3D=3D 0); +} + +/** + Calculate the inverse of the supplied EC point. + + @param[in] EcGroup EC group object. + @param[in,out] EcPoint EC point to invert. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. 
+**/ +BOOLEAN +EFIAPI +EcPointInvert ( + IN CONST VOID *EcGroup, + IN OUT VOID *EcPoint, + IN VOID *BnCtx + ) +{ + mbedtls_ecp_point *pt; + mbedtls_ecp_group *grp; + mbedtls_mpi InvBnY; + + mbedtls_mpi_init(&InvBnY); + + pt =3D ( mbedtls_ecp_point *)EcPoint; + grp =3D ( mbedtls_ecp_group *)EcGroup; + + if (mbedtls_mpi_copy(&InvBnY, &pt->Y) !=3D 0) { + mbedtls_mpi_free(&InvBnY); + return FALSE; + } + + mbedtls_mpi P; + + mbedtls_mpi_init(&P); + + if (mbedtls_mpi_copy(&P, &grp->P) !=3D 0) { + mbedtls_mpi_free(&P); + return FALSE; + } + + + InvBnY.s =3D 0 - InvBnY.s; + + if (mbedtls_mpi_mod_mpi(&InvBnY, &InvBnY, &P) !=3D 0) { + mbedtls_mpi_free(&InvBnY); + return FALSE; + } + + if (mbedtls_mpi_copy(&pt->Y, &InvBnY) !=3D 0) { + mbedtls_mpi_free(&InvBnY); + return FALSE; + } + + mbedtls_mpi_free(&InvBnY); + return TRUE; +} + +/** + Check if the supplied point is on EC curve. + + @param[in] EcGroup EC group object. + @param[in] EcPoint EC point to check. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On curve. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcPointIsOnCurve ( + IN CONST VOID *EcGroup, + IN CONST VOID *EcPoint, + IN VOID *BnCtx + ) +{ + return (mbedtls_ecp_check_pubkey(EcGroup, EcPoint) =3D=3D 0); +} + +/** + Check if the supplied point is at infinity. + + @param[in] EcGroup EC group object. + @param[in] EcPoint EC point to check. + + @retval TRUE At infinity. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcPointIsAtInfinity ( + IN CONST VOID *EcGroup, + IN CONST VOID *EcPoint + ) +{ + mbedtls_ecp_point *pt; + + pt =3D ( mbedtls_ecp_point *)EcPoint; + + return (mbedtls_ecp_is_zero(pt) =3D=3D 1); +} + +/** + Check if EC points are equal. + + @param[in] EcGroup EC group object. + @param[in] EcPointA EC point A. + @param[in] EcPointB EC point B. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE A =3D=3D B. + @retval FALSE Otherwise. 
+**/ +BOOLEAN +EFIAPI +EcPointEqual ( + IN CONST VOID *EcGroup, + IN CONST VOID *EcPointA, + IN CONST VOID *EcPointB, + IN VOID *BnCtx + ) +{ + return mbedtls_ecp_point_cmp (EcPointA, EcPointB) =3D=3D 0; +} + +/** + Set EC point compressed coordinates. Points can be described in terms of + their compressed coordinates. For a point (x, y), for any given value fo= r x + such that the point is on the curve there will only ever be two possible + values for y. Therefore, a point can be set using this function where Bn= X is + the x coordinate and YBit is a value 0 or 1 to identify which of the two + possible values for y should be used. + + @param[in] EcGroup EC group object. + @param[in] EcPoint EC Point. + @param[in] BnX X coordinate. + @param[in] YBit 0 or 1 to identify which Y value is used. + @param[in] BnCtx BN context, created with BigNumNewContext(). + + @retval TRUE On success. + @retval FALSE Otherwise. +**/ +BOOLEAN +EFIAPI +EcPointSetCompressedCoordinates ( + IN CONST VOID *EcGroup, + IN VOID *EcPoint, + IN CONST VOID *BnX, + IN UINT8 YBit, + IN VOID *BnCtx + ) +{ + return FALSE; +} + +// =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +// Elliptic Curve Diffie Hellman Primitives +// =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + /** Allocates and Initializes one Elliptic Curve Context for subsequent use with the NID. 
@@ -220,26 +746,108 @@ EcGetPubKey ( } =20 /** - Validates key components of EC context. - NOTE: This function performs integrity checks on all the EC key material= , so - the EC key structure must contain all the private key data. - + Computes exchanged common key. + Given peer's public key (X, Y), this function computes the exchanged com= mon key, + based on its own context including value of curve parameter and random s= ecret. + X is the first half of PeerPublic with size being PeerPublicSize / 2, + Y is the second half of PeerPublic with size being PeerPublicSize / 2. + If public key is compressed, the PeerPublic will only contain half key (= X). If EcContext is NULL, then return FALSE. - - @param[in] EcContext Pointer to EC context to check. - - @retval TRUE EC key components are valid. - @retval FALSE EC key components are not valid. - + If PeerPublic is NULL, then return FALSE. + If PeerPublicSize is 0, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + For P-256, the PeerPublicSize is 64. First 32-byte is X, Second 32-byte = is Y. + For P-384, the PeerPublicSize is 96. First 48-byte is X, Second 48-byte = is Y. + For P-521, the PeerPublicSize is 132. First 66-byte is X, Second 66-byte= is Y. + @param[in, out] EcContext Pointer to the EC context. + @param[in] PeerPublic Pointer to the peer's public X,Y. + @param[in] PeerPublicSize Size of peer's public X,Y in bytes. + @param[in] CompressFlag Flag of PeerPublic is compressed or = not. + @param[out] Key Pointer to the buffer to receive gen= erated key. + @param[in, out] KeySize On input, the size of Key buffer in = bytes. + On output, the size of data returned= in Key buffer in bytes. + @retval TRUE EC exchanged key generation succeeded. + @retval FALSE EC exchanged key generation failed. + @retval FALSE KeySize is not large enough. 
**/ BOOLEAN EFIAPI -EcCheckKey ( - IN VOID *EcContext +EcDhComputeKey ( + IN OUT VOID *EcContext, + IN CONST UINT8 *PeerPublic, + IN UINTN PeerPublicSize, + IN CONST INT32 *CompressFlag, + OUT UINT8 *Key, + IN OUT UINTN *KeySize ) { - // TBD + UINTN HalfSize; + mbedtls_ecdh_context *EcdCtx; + INT32 Ret; + + if ((EcContext =3D=3D NULL) || (PeerPublic =3D=3D NULL) || (KeySize =3D= =3D NULL)) { + return FALSE; + } + + if ((Key =3D=3D NULL) && (*KeySize !=3D 0)) { + return FALSE; + } + + if (PeerPublicSize > INT_MAX) { + return FALSE; + } + + EcdCtx =3D EcContext; + switch (EcdCtx->grp.id) { + case MBEDTLS_ECP_DP_SECP256R1: + HalfSize =3D 32; + break; + case MBEDTLS_ECP_DP_SECP384R1: + HalfSize =3D 48; + break; + case MBEDTLS_ECP_DP_SECP521R1: + HalfSize =3D 66; + break; + default: + return FALSE; + } + if (PeerPublicSize !=3D HalfSize * 2) { + return FALSE; + } + + Ret =3D mbedtls_mpi_read_binary(&EcdCtx->Qp.X, PeerPublic, HalfSize); + if (Ret !=3D 0) { + return FALSE; + } + Ret =3D mbedtls_mpi_read_binary(&EcdCtx->Qp.Y, PeerPublic + HalfSize, + HalfSize); + if (Ret !=3D 0) { + return FALSE; + } + Ret =3D mbedtls_mpi_lset(&EcdCtx->Qp.Z, 1); + if (Ret !=3D 0) { + return FALSE; + } + + Ret =3D mbedtls_ecdh_compute_shared(&EcdCtx->grp, &EcdCtx->z, &EcdCtx->Q= p, &EcdCtx->d, + myrand, NULL); + if (Ret !=3D 0) { + return FALSE; + } + + if (mbedtls_mpi_size(&EcdCtx->z) > *KeySize) { + return FALSE; + } + + *KeySize =3D EcdCtx->grp.pbits / 8 + ((EcdCtx->grp.pbits % 8) !=3D 0); + Ret =3D mbedtls_mpi_write_binary(&EcdCtx->z, Key, *KeySize); + if (Ret !=3D 0) { + return FALSE; + } + return TRUE; + } =20 /** --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
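Review bot: EcPointInvert leaks the temporary P on every path. P is set up with mbedtls_mpi_init(&P) and filled by mbedtls_mpi_copy, but none of the later returns, including the final return TRUE, calls mbedtls_mpi_free(&P). The early return after the failed copy of grp->P frees P but leaves InvBnY allocated. Only &grp->P is ever read, so it can be passed straight to mbedtls_mpi_mod_mpi and the copy dropped; otherwise route every exit through one cleanup path that frees both values. The declaration of P after executable statements should also move up with the other locals. In the same hunk, EcPointSetCompressedCoordinates returns FALSE unconditionally while its header comment describes a working setter; the comment should say it is not implemented.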
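Review bot: the output-size guard in EcDhComputeKey tests a different length from the one that is written. The guard compares mbedtls_mpi_size(&EcdCtx->z) with *KeySize, but *KeySize is then overwritten with the full field length (pbits / 8, rounded up) and mbedtls_mpi_write_binary is asked to write that many bytes into Key. When z has leading zero bytes, mbedtls_mpi_size is smaller than the field length, so a caller buffer that passes the guard can still be shorter than what is written. Compute the field length first, compare that with the caller's *KeySize, and store it in *KeySize on the too-small path so the caller can retry with the right size. CompressFlag is also never read: the header comment says a compressed key carries only X, yet any PeerPublicSize other than HalfSize * 2 is rejected, so either implement the compressed case or document it as unsupported.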
From: "Wenxing Hou" To: devel@edk2.groups.io Cc: Wenxing Hou Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 6/7] Update X509 api based on MbedTlsLib for CryptoPkg Date: Fri, 17 Mar 2023 17:00:52 +0800 Message-Id: <20230317090053.1895-7-wenxing.hou@intel.com> In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com> References: <20230317090053.1895-1-wenxing.hou@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com X-Gm-Message-State: RbJwU3vDiwW5aLPnFg0RqEb0x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1679043731; bh=FAV1jS9FZrMCx441scuqe1uRyTUiz6zdOF5G9sk37T8=; h=Cc:Date:From:Reply-To:Subject:To; b=JmCZn+5V8R5LJoVYzE7jAE3PBLfOutXZ0z8BW3D0on+Kxuaq3Q7PDiMbYJQmmPqcoPQ guNALpL/9HARbCsxKANNF+2amQE5jYfyD8dRTHB4hH9fuUS0zjklZ8YBEz8T/FMTNjQ/0 X2Ahbcilr5uwPvw7M2joXY7tdLOVhOQu7Rw= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1679043733314100009 Content-Type: text/plain; charset="utf-8" Signed-off-by: Wenxing Hou --- .../BaseCryptLibMbedTls/Pk/CryptX509.c | 163 +++++++++++++++++- 1 file changed, 161 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c b/CryptoP= kg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c index 6e4a898572..957703a3eb 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c @@ -26,6 +26,9 @@ STATIC CONST UINT8 OID_organizationName[] =3D { STATIC CONST UINT8 OID_extKeyUsage[] =3D { 0x55, 0x1D, 0x25 }; +STATIC CONST UINT8 OID_BasicConstraints[] =3D { + 0x55, 0x1D, 0x13 +}; =20 /** Construct a X509 object from DER-encoded certificate data. 
@@ -857,9 +860,61 @@ X509GetTBSCert ( OUT UINTN *TBSCertSize ) { - return FALSE; -} + UINTN Length; + UINTN Ret; + UINT8 *Ptr; + CONST UINT8 *Temp; + CONST UINT8 *End; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (TBSCert =3D=3D NULL) || + (TBSCertSize =3D=3D NULL) || (CertSize > INT_MAX)) + { + return FALSE; + } + + // + // An X.509 Certificate is: (defined in RFC3280) + // Certificate ::=3D SEQUENCE { + // tbsCertificate TBSCertificate, + // signatureAlgorithm AlgorithmIdentifier, + // signature BIT STRING } + // + // and + // + // TBSCertificate ::=3D SEQUENCE { + // version [0] Version DEFAULT v1, + // ... + // } + // + // So we can just ASN1-parse the x.509 DER-encoded data. If we strip + // the first SEQUENCE, the second SEQUENCE is the TBSCertificate. + // + + Length =3D 0; + + Ptr =3D (UINT8 *)Cert; + End =3D Cert + CertSize; + + Ret =3D mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTE= D | MBEDTLS_ASN1_SEQUENCE); + if (Ret !=3D 0) { + return FALSE; + } =20 + Temp =3D Ptr; + End =3D Ptr + Length; + Ret =3D mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTE= D | MBEDTLS_ASN1_SEQUENCE); + if (Ret !=3D 0) { + return FALSE; + } + + *TBSCert =3D (UINT8 *)Temp; + *TBSCertSize =3D Length + (Ptr - Temp); + + return TRUE; +} =20 /** Retrieve the version from one X.509 certificate. 
@@ -1666,3 +1721,107 @@ X509CompareDateTime ( return 1; } } + +/** + Retrieve the basic constraints from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509= certificate. + @param[in] CertSize size of the X509 certificate in= bytes. + @param[out] BasicConstraints basic constraints bytes. + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes. + + @retval TRUE The basic constraints retrieve successf= ully. + @retval FALSE If cert is NULL. + If cert_size is NULL. + If basic_constraints is not NULL and *b= asic_constraints_size is 0. + If cert is invalid. + @retval FALSE The required buffer size is small. + The return buffer size is basic_constra= ints_size parameter. + @retval FALSE If no Extension entry match oid. + @retval FALSE The operation is not supported. + **/ +BOOLEAN +EFIAPI +X509GetExtendedBasicConstraints( + CONST UINT8 *Cert, + UINTN CertSize, + UINT8 *BasicConstraints, + UINTN *BasicConstraintsSize + ) +{ + BOOLEAN Status; + + if ((Cert =3D=3D NULL) || (CertSize =3D=3D 0) || (BasicConstraintsSize = =3D=3D NULL)) { + return FALSE; + } + + Status =3D X509GetExtensionData ( + (UINT8 *)Cert, + CertSize, + OID_BasicConstraints, + sizeof (OID_BasicConstraints), + BasicConstraints, + BasicConstraintsSize + ); + + return Status; +} + +/** + Format a DateTimeStr to DataTime object in DataTime Buffer + + If DateTimeStr is NULL, then return FALSE. + If DateTimeSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ + Ref: https://www.w3.org/TR/NOTE-datetime + Z stand for UTC time + @param[out] DateTime Pointer to a DateTime object. + @param[in,out] DateTimeSize DateTime object buffer size. + + @retval TRUE The DateTime object create successfully. + @retval FALSE If DateTimeStr is NULL. + If DateTimeSize is NULL. + If DateTime is not NULL and *DateTimeSi= ze is 0. 
+ If Year Month Day Hour Minute Second co= mbination is invalid datetime. + @retval FALSE If the DateTime is NULL. The required b= uffer size + (including the final null) is returned = in the + DateTimeSize parameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509FormatDateTime ( + IN CONST CHAR8 *DateTimeStr, + OUT VOID *DateTime, + IN OUT UINTN *DateTimeSize + ) +{ + mbedtls_x509_time *tm; + + if (*DateTimeSize < sizeof(mbedtls_x509_time)){ + return FALSE; + } + + if (DateTime =3D=3D NULL) { + return FALSE; + } + + tm =3D (mbedtls_x509_time *)DateTime; + + tm->year =3D (DateTimeStr[0] + '0') * 1000 + (DateTimeStr[1] + '0') * 10= 0 + + (DateTimeStr[2] + '0') * 10 + (DateTimeStr[3] + '0') * 1; + + tm->mon =3D (DateTimeStr[4] + '0') * 10 + (DateTimeStr[5] + '0') * 1; + + tm->day =3D (DateTimeStr[6] + '0') * 10 + (DateTimeStr[7] + '0') * 1; + + tm->hour =3D (DateTimeStr[8] + '0') * 10 + (DateTimeStr[9] + '0') * 1; + + tm->min =3D (DateTimeStr[10] + '0') * 10 + (DateTimeStr[11] + '0') * 1; + + tm->sec =3D (DateTimeStr[12] + '0') * 10 + (DateTimeStr[13] + '0') * 1; + + return TRUE; +} --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
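Review bot: in X509GetTBSCert, Ret is declared UINTN but receives the result of mbedtls_asn1_get_tag, which is a signed int with negative error codes. The != 0 tests still behave, but INT32 Ret, as used in EcDhComputeKey elsewhere in this series, states the intent and avoids sign-conversion warnings. The function also returns a pointer into the caller's Cert buffer with const cast away, through Ptr = (UINT8 *)Cert and *TBSCert = (UINT8 *)Temp, so the header comment should state that no copy is made and that the result is valid only while Cert is.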
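Review bot: X509FormatDateTime converts digits with + '0' where - '0' is needed, so every field comes out wrong (for the character '2', DateTimeStr[0] + '0' is 98, not 2). It also dereferences *DateTimeSize before any NULL check and never checks DateTimeStr, although the header comment promises FALSE when either is NULL. It reads 14 characters without checking the string length, that each character is a digit, or the trailing Z, and it never rejects an invalid year/month/day/hour/minute/second combination as the comment documents. Check the pointers first, verify the length and that each character lies between '0' and '9', convert with - '0', then range-check the fields before returning TRUE. In X509GetExtendedBasicConstraints, in the same hunk, the header comment still uses the names cert_size, basic_constraints and basic_constraints_size and has the typo "sizs", and the parameters lack the IN / OUT annotations used by the other functions in this file.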
From: "Wenxing Hou" To: devel@edk2.groups.io Cc: Wenxing Hou Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL PATCH 7/7] Clean SysCall api by adding platform_util.c Date: Fri, 17 Mar 2023 17:00:53 +0800 Message-Id: <20230317090053.1895-8-wenxing.hou@intel.com> In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com> References: <20230317090053.1895-1-wenxing.hou@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com X-Gm-Message-State: 1Tivq2hm1j7ohnCXrPgF22Kfx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1679043732; bh=5nPbwJ61k4DosIc8aG38ug+NPxBVh9DzyqhQfu+blMs=; h=Cc:Date:From:Reply-To:Subject:To; b=C6udvXJFjzbsgwIKZebqgokEZmhXLYl9Fo50Hta8P2/ZzM6LUn7DNvnQsKTKz/A5IL7 6UveAYiWmA55drDC5y/z+QYuOugHBH1i1Jx/QicZoxPFQj3cj+7SDY+E+Hwl2mMyoiniL vy7id8vs5KLUgiZPB6JnaAcGf9u+Ke6XiHU= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1679043735293100013 Content-Type: text/plain; charset="utf-8" Signed-off-by: Wenxing Hou --- .../BaseCryptLibMbedTls/Rand/CryptRandTsc.c | 7 +++++++ .../SysCall/ConstantTimeClock.c | 14 -------------- .../BaseCryptLibMbedTls/SysCall/CrtWrapper.c | 5 ----- .../BaseCryptLibMbedTls/SysCall/TimerWrapper.c | 14 -------------- CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf | 1 + 5 files changed, 8 insertions(+), 33 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c b/Cr= yptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c index 96d18eb7aa..a4ece17680 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c 
@@ -59,3 +59,10 @@ RandomBytes ( =20 return TRUE; } + +int myrand( void *rng_state, unsigned char *output, size_t len ) +{ + RandomBytes (output, len); + + return 0; +} diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeCloc= k.c b/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c index 41a1fdd634..6c1d8a400d 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c @@ -59,17 +59,3 @@ struct tm * gmtime (const time_t *timer) time_t _time64 (time_t* t) { return time (t); } - -struct tm *mbedtls_platform_gmtime_r( const time_t *tt, - struct tm *tm_buf ) -{ - struct tm * lt; - - lt =3D gmtime (tt); - - if (lt !=3D NULL) { - CopyMem (tm_buf, lt, sizeof(struct tm)); - } - - return ((lt =3D=3D NULL) ? NULL : tm_buf); -} diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c b/C= ryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c index c401dae861..25074d3bfb 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c @@ -31,11 +31,6 @@ int mbedtls_vsnprintf(char *str, size_t size, const char= *format, ...) return 0; } =20 -void mbedtls_platform_zeroize( void *buf, unsigned int len ) -{ - ZeroMem (buf, len); -} - int rand () { // TBD diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c b= /CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c index abb9a2226c..d940abb7f0 100644 --- a/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c +++ b/CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c 
@@ -190,17 +190,3 @@ struct tm * gmtime (const time_t *timer) time_t _time64 (time_t* t) { return time (t); } - -struct tm *mbedtls_platform_gmtime_r( const time_t *tt, - struct tm *tm_buf ) -{ - struct tm * lt; - - lt =3D gmtime (tt); - - if (lt !=3D NULL) { - CopyMem (tm_buf, lt, sizeof(struct tm)); - } - - return ((lt =3D=3D NULL) ? NULL : tm_buf); -} diff --git a/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf b/CryptoPkg/Librar= y/MbedTlsLib/MbedTlsLib.inf index 69d712b9c6..e2fd9e6e1e 100644 --- a/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf +++ b/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf @@ -109,6 +109,7 @@ mbedtls/library/x509_crt.c mbedtls/library/x509_csr.c mbedtls/library/pkcs7.c + mbedtls/library/platform_util.c =20 [Packages] MdePkg/MdePkg.dec --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101324): https://edk2.groups.io/g/devel/message/101324 Mute This Topic: https://groups.io/mt/97669086/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
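Review bot: myrand in CryptRandTsc.c discards the result of RandomBytes and always returns 0, so a failed random read is reported to mbedTLS as success. This callback is what EcDhComputeKey passes to mbedtls_ecdh_compute_shared, so the failure should propagate: return a nonzero error when RandomBytes returns FALSE. The function is also a non-static global with a generic name, an unused rng_state parameter and no header comment; give it a library-prefixed name, document it, and declare it in a shared header rather than relying on an implicit declaration at the call site.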
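Review bot: the MbedTlsLib.inf hunk adds mbedtls/library/platform_util.c, but nothing in the patch says that this file is what now supplies mbedtls_platform_zeroize and mbedtls_platform_gmtime_r after their local definitions are removed from CrtWrapper.c, ConstantTimeClock.c and TimerWrapper.c. The commit message should say so, since it is currently empty apart from the sign-off. It is also worth confirming that the mbedTLS configuration used here builds the upstream mbedtls_platform_gmtime_r on top of the gmtime that these wrapper files keep, because the removed versions called that gmtime directly.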