[edk2-devel] [PATCH V2 2/2] CryptoPkg/BaseCryptLib: Add MARCO to disable the deprecated SHA1
Gao, Zhichao
zhichao.gao at intel.com
Thu Jun 18 00:41:37 UTC 2020
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1682
SHA1 is deprecated but it is required for compatible issue.
So add a MARCO for the platform to disable the usage of SHA1 for
security.
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu at intel.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Siyuan Fu <siyuan.fu at intel.com>
Cc: Michael D Kinney <michael.d.kinney at intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao at intel.com>
---
CryptoPkg/Driver/Crypto.c | 161 ++++++++++++++++++
CryptoPkg/Include/Library/BaseCryptLib.h | 2 +
.../Library/BaseCryptLib/Hash/CryptSha1.c | 3 +-
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +
4 files changed, 167 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 7e7e31a35e..d9096ea603 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -550,6 +550,156 @@ CryptoServiceMd5HashAll (
}
#endif
+#ifdef DISABLE_SHA1_DEPRECATED_INTERFACES
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
+
+ If this interface is not supported, then return zero.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+DeprecatedCryptoServiceSha1GetContextSize (
+ VOID
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1GetContextSize"), 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for
+ subsequent use.
+
+ If Sha1Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[out] Sha1Context Pointer to SHA-1 context being initialized.
+
+ @retval TRUE SHA-1 context initialization succeeded.
+ @retval FALSE SHA-1 context initialization failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DeprecatedCryptoServiceSha1Init (
+ OUT VOID *Sha1Context
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1Init"), FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-1 context.
+
+ If Sha1Context is NULL, then return FALSE.
+ If NewSha1Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Sha1Context Pointer to SHA-1 context being copied.
+ @param[out] NewSha1Context Pointer to new SHA-1 context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DeprecatedCryptoServiceSha1Duplicate (
+ IN CONST VOID *Sha1Context,
+ OUT VOID *NewSha1Context
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1Duplicate"), FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-1 context.
+
+ This function performs SHA-1 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized
+ by Sha1Final(). Behavior with invalid context is undefined.
+
+ If Sha1Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] Sha1Context Pointer to the SHA-1 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DeprecatedCryptoServiceSha1Update (
+ IN OUT VOID *Sha1Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1Update"), FALSE;
+}
+
+/**
+ Completes computation of the SHA-1 digest value.
+
+ This function completes SHA-1 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SHA-1 context cannot
+ be used again.
+ SHA-1 context should be already correctly initialized by Sha1Init(), and should not be
+ finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined.
+
+ If Sha1Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] Sha1Context Pointer to the SHA-1 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest
+ value (20 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DeprecatedCryptoServiceSha1Final (
+ IN OUT VOID *Sha1Context,
+ OUT UINT8 *HashValue
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1Final"), FALSE;
+}
+
+/**
+ Computes the SHA-1 message digest of a input data buffer.
+
+ This function performs the SHA-1 message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest
+ value (20 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DeprecatedCryptoServiceSha1HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ return BaseCryptLibServiceDeprecated ("Sha1HashAll"), FALSE;
+}
+#else
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -707,6 +857,7 @@ CryptoServiceSha1HashAll (
{
return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@@ -4394,6 +4545,15 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceRsaPkcs1Verify,
CryptoServiceRsaGetPrivateKeyFromPem,
CryptoServiceRsaGetPublicKeyFromX509,
+#ifdef DISABLE_SHA1_DEPRECATED_INTERFACES
+ /// Sha1 - deprecated and unsupported
+ DeprecatedCryptoServiceSha1GetContextSize,
+ DeprecatedCryptoServiceSha1Init,
+ DeprecatedCryptoServiceSha1Duplicate,
+ DeprecatedCryptoServiceSha1Update,
+ DeprecatedCryptoServiceSha1Final,
+ DeprecatedCryptoServiceSha1HashAll,
+#else
/// Sha1
CryptoServiceSha1GetContextSize,
CryptoServiceSha1Init,
@@ -4401,6 +4561,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceSha1Update,
CryptoServiceSha1Final,
CryptoServiceSha1HashAll,
+#endif
/// Sha256
CryptoServiceSha256GetContextSize,
CryptoServiceSha256Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 36483d1d2d..ae9bde9e37 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -214,6 +214,7 @@ Md5HashAll (
);
#endif
+#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -353,6 +354,7 @@ Sha1HashAll (
IN UINTN DataSize,
OUT UINT8 *HashValue
);
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c
index bf2f5f4ce4..52e767524f 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c
@@ -9,7 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "InternalCryptLib.h"
#include <openssl/sha.h>
-
+#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -222,3 +222,4 @@ Sha1HashAll (
return TRUE;
}
}
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 8897fd25e6..3f14c6d262 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -259,6 +259,7 @@ Md5HashAll (
}
#endif
+#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
/**
Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
@@ -416,6 +417,7 @@ Sha1HashAll (
{
CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize, HashValue), FALSE);
}
+#endif
/**
Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
--
2.21.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61452): https://edk2.groups.io/g/devel/message/61452
Mute This Topic: https://groups.io/mt/74950021/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list