[edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
Xiaoyu Lu
xiaoyux.lu at intel.com
Sat May 18 07:16:54 UTC 2019
Laszlo,
>>On 05/17/19 13:14, Lu, XiaoyuX wrote:
>> Laszlo,
>>
>> I think (b) is better and have already done this.
>
>What do you mean by "already done"? In your personal development tree perhaps?
Yes. https://github.com/xiaoyuxlu/edk2/tree/bz_1089_upgrade_to_openssl_1_1_1b_v5_wip
Thanks
Xiaoyu
-----Original Message-----
From: Laszlo Ersek [mailto:lersek at redhat.com]
Sent: Friday, May 17, 2019 9:16 PM
To: Lu, XiaoyuX <xiaoyux.lu at intel.com>; devel at edk2.groups.io; Wang, Jian J <jian.j.wang at intel.com>
Cc: Ye, Ting <ting.ye at intel.com>
Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
On 05/17/19 13:14, Lu, XiaoyuX wrote:
> Laszlo,
>
> I think (b) is better and have already done this.
What do you mean by "already done"? In your personal development tree perhaps?
> About (b/1):
>
> One the one hand, the implementation still need discuss later.
> On the other hand:
>
> Refer to openssl/INSTALL the meaning of --with-rand-seed=none
>
> > none: Disable automatic seeding. This is the default
> > on some operating systems where no suitable
> > entropy source exists, or no support for it is
> > implemented yet.
>
> I think when --with-rand-seed=none option is set, the best way to implement rand_pool_acquire_entropy should like this:
>
>> size_t rand_pool_acquire_entropy(RAND_POOL *pool) { return
>> rand_pool_entropy_available(pool);
>> }
>>
>> int rand_pool_add_nonce_data(RAND_POOL *pool) { // I think
>> PerformanceCounter is an optional nonce.
>> UINT64 data;
>> data = GetPerformanceCounter();
>>
>> return rand_pool_add(pool, (unsigned char*)&data, sizeof(data),
>> 0);>}
>>
>> int rand_pool_add_additional_data(RAND_POOL *pool) { return 0; }
>
> With this, we handed the Rand_seed work to caller. (caller must provide safe seed).
>
> What do you think?
Sorry, no idea.
Thanks
Laszlo
>
> Thanks,
> Xiaoyu
>
> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek at redhat.com]
> Sent: Friday, May 17, 2019 12:32 AM
> To: devel at edk2.groups.io; Lu, XiaoyuX <xiaoyux.lu at intel.com>; Wang,
> Jian J <jian.j.wang at intel.com>
> Cc: Ye, Ting <ting.ye at intel.com>
> Subject: Re: [edk2-devel] [PATCH v4 6/7] CryptoPkg: Upgrade OpenSSL to
> 1.1.1b
>
> Hi Jian,
>
> On 05/16/19 09:54, Xiaoyu lu wrote:
>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
>>
>> * Update OpenSSL submodule to OpenSSL_1_1_1b
>> OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)
>>
>> * Run process_files.pl script to regenerate OpensslLib[Crypto].inf
>> and opensslconf.h
>>
>> * Remove -DNO_SYSLOG from OPENSSL_FLAGS in OpensslLib[Crypto].inf,
>> due to upstream OpenSSL commit cff55b90e95e("Cleaning UEFI
>> Build with additional OPENSSL_SYS_UEFI flags", 2017-03-29),
>> which was first released as part of OpenSSL_1_1_1.
>>
>> * Starting with OpenSSL commit 8a8d9e1905(first release in
>> OpenSSL_1_1_1), the OpenSSL_version() function can no longer
>> return a pointer to the string literal "compiler: information
>> not available", in the case CFLAGS macro is not defined.
>> Instead, the function now has a hard dependency on the global
>> variable 'compiler_flags'. This variable is normally placed
>> by "util/mkbuildinf.pl" into "buildinf.h". In edk2 we don't
>> run that script whenever we build OpenSSL, therefore we
>> must provide our own dummy 'compiler_flags'.
>>
>> * From OpenSSL_1_1_0i(97c0959f27b294fe1eb10b547145ebef2524b896) to
>> OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687), OpenSSL
>> updated DRBG / RAND to request nonce and additional low entropy
>> randomness from system(line 229 openssl/CHANGES).
>>
>> Since OpenSSL_1_1_1b doesn't fully implement rand pool functions
>> for UEFI. We must provide a method to implenet these method.
>> TSC is used as first entropy source if it's availabe otherwise
>> fallback to TimerLib. But we are not sure the amount of randomness
>> they provide. If you really care about the security, one choice is
>> overrided it with hardware generator.
>>
>> Add rand_pool.c to implement these functions required by OpenSSL
>> rand_pool_acquire_entropy
>> rand_pool_add_nonce_data
>> rand_pool_add_additional_data
>> rand_pool_init
>> rand_pool_cleanup
>> rand_pool_keep_random_devices_open
>>
>> And add rand_pool_noise.* for getting entropy noise from different
>> architecture.
>>
>> * We don't need ossl_store functions. We exclude relative files
>> through process_files.pl. And ossl_store_cleanup_int was first
>> added in crypto/init.c OpenSSL_1_1_1(71a5516d).
>> So add a new file(ossl_store.c) to implement ossl_store_cleanup_int
>> function.
>>
>> * BUFSIZ is used by crypto/evp/evp_key.c(OpenSSL_1_1_1b)
>> And it is declared in stdio.h. So add it to CrtLibSupport.h.
>> Here's a discussion about this.
>> Ref: https://github.com/openssl/openssl/issues/8904
>>
>> Cc: Jian J Wang <jian.j.wang at intel.com>
>> Cc: Ting Ye <ting.ye at intel.com>
>> Signed-off-by: Xiaoyu Lu <xiaoyux.lu at intel.com>
>> ---
>> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 60 +++-
>> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 51 +++-
>> CryptoPkg/Library/Include/CrtLibSupport.h | 13 +-
>> CryptoPkg/Library/Include/openssl/opensslconf.h | 54 +++-
>> CryptoPkg/Library/OpensslLib/buildinf.h | 2 +
>> CryptoPkg/Library/OpensslLib/rand_pool_noise.h | 29 ++
>> CryptoPkg/Library/OpensslLib/ossl_store.c | 17 ++
>> CryptoPkg/Library/OpensslLib/rand_pool.c | 316 +++++++++++++++++++++
>> CryptoPkg/Library/OpensslLib/rand_pool_noise.c | 29 ++
>> CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c | 43 +++
>> CryptoPkg/Library/OpensslLib/openssl | 2 +-
>> 11 files changed, 584 insertions(+), 32 deletions(-) create mode
>> 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>> create mode 100644 CryptoPkg/Library/OpensslLib/ossl_store.c
>> create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool.c
>> create mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>> create mode 100644
>> CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>
> For this patch, I can offer two kinds of reviews:
>
> ---*---
>
> (a) If you prefer to push this patch in the present form (that is, exactly as posted), then I will not give any official feedback tags, due to the crypto contents. I will not block the patch either, so if you and Ting are fine with the patch, it's OK for you to push it, from my side.
>
> ---*---
>
> (b) Alternatively, you could split the patch in two halves, as follows:
>
> (b/1) In the first half, collect all the hunks for the following files:
>
> CryptoPkg/Library/OpensslLib/ossl_store.c
> CryptoPkg/Library/OpensslLib/rand_pool.c
> CryptoPkg/Library/OpensslLib/rand_pool_noise.c
> CryptoPkg/Library/OpensslLib/rand_pool_noise.h
> CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>
> plus include the commit message paragraphs about "rand_pool.c" and "ossl_store.c".
>
> For this half (b/1), I will not give any feedback.
>
>
> (b/2) In the second half, collect the rest of the changes, that is,
> the hunks for the following files / submodules, and the rest of the
> commit
> message:
>
> CryptoPkg/Library/Include/CrtLibSupport.h
> CryptoPkg/Library/Include/openssl/opensslconf.h
> CryptoPkg/Library/OpensslLib/OpensslLib.inf
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> CryptoPkg/Library/OpensslLib/buildinf.h
> CryptoPkg/Library/OpensslLib/openssl
>
> For the (b/2) half *ONLY*, you can add:
>
> Reviewed-by: Laszlo Ersek <lersek at redhat.com>
>
> ---*---
>
> It's up to you whether you pick (a) or (b).
>
> Normally I would request a v5 series for implementing (b), but we're
> out of time. If the community thinks that splitting up this patch into
> halves (b/1) and (b/2) is too intrusive for a maintainer to do without
> proper review, then I suggest going with (a) -- and then I'll provide
> no feedback tags. (But, I will also not block the patch, see above.)
>
> ... Well, in theory anyway, Xiaoyu could very quickly submit a v5
> series, splitting this patch as explained under (b). In that case, the
> (b/2) half -- and *ONLY* that half -- of this patch could include my R-b at once.
>
> So, please decide.
>
> Thanks!
> Laszlo
>
>>
>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> index f4d7772c068c..62dd61969cb0 100644
>> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
>> @@ -1,7 +1,7 @@
>> ## @file
>> # This module provides OpenSSL Library implementation.
>> #
>> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights
>> reserved.<BR>
>> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights
>> +reserved.<BR>
>> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7
>> +15,7 @@ [Defines]
>> VERSION_STRING = 1.0
>> LIBRARY_CLASS = OpensslLib
>> DEFINE OPENSSL_PATH = openssl
>> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
>> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
>>
>> #
>> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64
>> @@ -32,6 +32,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
>> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
>> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
>> + $(OPENSSL_PATH)/crypto/aria/aria.c
>> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
>> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
>> $(OPENSSL_PATH)/crypto/asn1/a_digest.c
>> @@ -54,6 +55,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
>> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
>> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
>> @@ -172,6 +174,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
>> $(OPENSSL_PATH)/crypto/cpt_err.c
>> $(OPENSSL_PATH)/crypto/cryptlib.c
>> + $(OPENSSL_PATH)/crypto/ctype.c
>> $(OPENSSL_PATH)/crypto/cversion.c
>> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
>> $(OPENSSL_PATH)/crypto/des/cbc_enc.c
>> @@ -189,7 +192,6 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
>> $(OPENSSL_PATH)/crypto/des/qud_cksm.c
>> $(OPENSSL_PATH)/crypto/des/rand_key.c
>> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c
>> $(OPENSSL_PATH)/crypto/des/set_key.c
>> $(OPENSSL_PATH)/crypto/des/str2key.c
>> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
>> @@ -206,6 +208,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
>> $(OPENSSL_PATH)/crypto/dh/dh_prn.c
>> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
>> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
>> $(OPENSSL_PATH)/crypto/dso/dso_dl.c
>> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
>> $(OPENSSL_PATH)/crypto/dso/dso_err.c
>> @@ -228,6 +231,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/e_aes.c
>> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
>> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
>> + $(OPENSSL_PATH)/crypto/evp/e_aria.c
>> $(OPENSSL_PATH)/crypto/evp/e_bf.c
>> $(OPENSSL_PATH)/crypto/evp/e_camellia.c
>> $(OPENSSL_PATH)/crypto/evp/e_cast.c
>> @@ -242,6 +246,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
>> $(OPENSSL_PATH)/crypto/evp/e_rc5.c
>> $(OPENSSL_PATH)/crypto/evp/e_seed.c
>> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c
>> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
>> $(OPENSSL_PATH)/crypto/evp/encode.c
>> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
>> @@ -259,6 +264,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/m_null.c
>> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
>> $(OPENSSL_PATH)/crypto/evp/m_sha1.c
>> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c
>> $(OPENSSL_PATH)/crypto/evp/m_sigver.c
>> $(OPENSSL_PATH)/crypto/evp/m_wp.c
>> $(OPENSSL_PATH)/crypto/evp/names.c
>> @@ -271,10 +277,10 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/p_seal.c
>> $(OPENSSL_PATH)/crypto/evp/p_sign.c
>> $(OPENSSL_PATH)/crypto/evp/p_verify.c
>> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
>> - $(OPENSSL_PATH)/crypto/evp/scrypt.c
>> $(OPENSSL_PATH)/crypto/ex_data.c
>> $(OPENSSL_PATH)/crypto/getenv.c
>> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
>> @@ -283,6 +289,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/init.c
>> $(OPENSSL_PATH)/crypto/kdf/hkdf.c
>> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
>> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c
>> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
>> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
>> $(OPENSSL_PATH)/crypto/lhash/lhash.c
>> @@ -360,14 +367,14 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
>> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
>> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
>> - $(OPENSSL_PATH)/crypto/rand/md_rand.c
>> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
>> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
>> $(OPENSSL_PATH)/crypto/rand/rand_egd.c
>> $(OPENSSL_PATH)/crypto/rand/rand_err.c
>> $(OPENSSL_PATH)/crypto/rand/rand_lib.c
>> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
>> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
>> $(OPENSSL_PATH)/crypto/rand/rand_win.c
>> - $(OPENSSL_PATH)/crypto/rand/randfile.c
>> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
>> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
>> @@ -379,8 +386,8 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
>> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
>> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
>> @@ -392,15 +399,27 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
>> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c
>> $(OPENSSL_PATH)/crypto/sha/sha1_one.c
>> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
>> $(OPENSSL_PATH)/crypto/sha/sha256.c
>> $(OPENSSL_PATH)/crypto/sha/sha512.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
>> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>> + $(OPENSSL_PATH)/crypto/sm3/sm3.c
>> + $(OPENSSL_PATH)/crypto/sm4/sm4.c
>> $(OPENSSL_PATH)/crypto/stack/stack.c
>> $(OPENSSL_PATH)/crypto/threads_none.c
>> $(OPENSSL_PATH)/crypto/threads_pthread.c
>> $(OPENSSL_PATH)/crypto/threads_win.c
>> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_err.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_null.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_util.c
>> $(OPENSSL_PATH)/crypto/uid.c
>> $(OPENSSL_PATH)/crypto/x509/by_dir.c
>> $(OPENSSL_PATH)/crypto/x509/by_file.c
>> @@ -445,6 +464,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
>> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
>> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
>> @@ -479,12 +499,14 @@ [Sources]
>> $(OPENSSL_PATH)/ssl/d1_msg.c
>> $(OPENSSL_PATH)/ssl/d1_srtp.c
>> $(OPENSSL_PATH)/ssl/methods.c
>> + $(OPENSSL_PATH)/ssl/packet.c
>> $(OPENSSL_PATH)/ssl/pqueue.c
>> $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c
>> $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c
>> $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c
>> $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c
>> $(OPENSSL_PATH)/ssl/record/ssl3_record.c
>> + $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c
>> $(OPENSSL_PATH)/ssl/s3_cbc.c
>> $(OPENSSL_PATH)/ssl/s3_enc.c
>> $(OPENSSL_PATH)/ssl/s3_lib.c
>> @@ -502,25 +524,45 @@ [Sources]
>> $(OPENSSL_PATH)/ssl/ssl_stat.c
>> $(OPENSSL_PATH)/ssl/ssl_txt.c
>> $(OPENSSL_PATH)/ssl/ssl_utst.c
>> + $(OPENSSL_PATH)/ssl/statem/extensions.c
>> + $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c
>> + $(OPENSSL_PATH)/ssl/statem/extensions_cust.c
>> + $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c
>> $(OPENSSL_PATH)/ssl/statem/statem.c
>> $(OPENSSL_PATH)/ssl/statem/statem_clnt.c
>> $(OPENSSL_PATH)/ssl/statem/statem_dtls.c
>> $(OPENSSL_PATH)/ssl/statem/statem_lib.c
>> $(OPENSSL_PATH)/ssl/statem/statem_srvr.c
>> $(OPENSSL_PATH)/ssl/t1_enc.c
>> - $(OPENSSL_PATH)/ssl/t1_ext.c
>> $(OPENSSL_PATH)/ssl/t1_lib.c
>> - $(OPENSSL_PATH)/ssl/t1_reneg.c
>> $(OPENSSL_PATH)/ssl/t1_trce.c
>> + $(OPENSSL_PATH)/ssl/tls13_enc.c
>> $(OPENSSL_PATH)/ssl/tls_srp.c
>> # Autogenerated files list ends here
>>
>> + ossl_store.c
>> + rand_pool.c
>> +
>> +[Sources.Ia32]
>> + rand_pool_noise_tsc.c
>> +
>> +[Sources.X64]
>> + rand_pool_noise_tsc.c
>> +
>> +[Sources.ARM]
>> + rand_pool_noise.c
>> +
>> +[Sources.AARCH64]
>> + rand_pool_noise.c
>> +
>> [Packages]
>> MdePkg/MdePkg.dec
>> CryptoPkg/CryptoPkg.dec
>>
>> [LibraryClasses]
>> + BaseLib
>> DebugLib
>> + TimerLib
>>
>> [LibraryClasses.ARM]
>> ArmSoftFloatLib
>> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
>> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
>> index fd12d112edb2..49599a42d180 100644
>> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
>> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
>> @@ -1,7 +1,7 @@
>> ## @file
>> # This module provides OpenSSL Library implementation.
>> #
>> -# Copyright (c) 2010 - 2018, Intel Corporation. All rights
>> reserved.<BR>
>> +# Copyright (c) 2010 - 2019, Intel Corporation. All rights
>> +reserved.<BR>
>> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -15,7
>> +15,7 @@ [Defines]
>> VERSION_STRING = 1.0
>> LIBRARY_CLASS = OpensslLib
>> DEFINE OPENSSL_PATH = openssl
>> - DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DNO_SYSLOG
>> + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
>>
>> #
>> # VALID_ARCHITECTURES = IA32 X64 ARM AARCH64
>> @@ -32,6 +32,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/aes/aes_misc.c
>> $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
>> $(OPENSSL_PATH)/crypto/aes/aes_wrap.c
>> + $(OPENSSL_PATH)/crypto/aria/aria.c
>> $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c
>> $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c
>> $(OPENSSL_PATH)/crypto/asn1/a_digest.c
>> @@ -54,6 +55,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_err.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c
>> + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c
>> $(OPENSSL_PATH)/crypto/asn1/asn1_par.c
>> $(OPENSSL_PATH)/crypto/asn1/asn_mime.c
>> @@ -172,6 +174,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/conf/conf_ssl.c
>> $(OPENSSL_PATH)/crypto/cpt_err.c
>> $(OPENSSL_PATH)/crypto/cryptlib.c
>> + $(OPENSSL_PATH)/crypto/ctype.c
>> $(OPENSSL_PATH)/crypto/cversion.c
>> $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
>> $(OPENSSL_PATH)/crypto/des/cbc_enc.c
>> @@ -189,7 +192,6 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
>> $(OPENSSL_PATH)/crypto/des/qud_cksm.c
>> $(OPENSSL_PATH)/crypto/des/rand_key.c
>> - $(OPENSSL_PATH)/crypto/des/rpc_enc.c
>> $(OPENSSL_PATH)/crypto/des/set_key.c
>> $(OPENSSL_PATH)/crypto/des/str2key.c
>> $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
>> @@ -206,6 +208,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c
>> $(OPENSSL_PATH)/crypto/dh/dh_prn.c
>> $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c
>> + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c
>> $(OPENSSL_PATH)/crypto/dso/dso_dl.c
>> $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c
>> $(OPENSSL_PATH)/crypto/dso/dso_err.c
>> @@ -228,6 +231,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/e_aes.c
>> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c
>> $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c
>> + $(OPENSSL_PATH)/crypto/evp/e_aria.c
>> $(OPENSSL_PATH)/crypto/evp/e_bf.c
>> $(OPENSSL_PATH)/crypto/evp/e_camellia.c
>> $(OPENSSL_PATH)/crypto/evp/e_cast.c
>> @@ -242,6 +246,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c
>> $(OPENSSL_PATH)/crypto/evp/e_rc5.c
>> $(OPENSSL_PATH)/crypto/evp/e_seed.c
>> + $(OPENSSL_PATH)/crypto/evp/e_sm4.c
>> $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c
>> $(OPENSSL_PATH)/crypto/evp/encode.c
>> $(OPENSSL_PATH)/crypto/evp/evp_cnf.c
>> @@ -259,6 +264,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/m_null.c
>> $(OPENSSL_PATH)/crypto/evp/m_ripemd.c
>> $(OPENSSL_PATH)/crypto/evp/m_sha1.c
>> + $(OPENSSL_PATH)/crypto/evp/m_sha3.c
>> $(OPENSSL_PATH)/crypto/evp/m_sigver.c
>> $(OPENSSL_PATH)/crypto/evp/m_wp.c
>> $(OPENSSL_PATH)/crypto/evp/names.c
>> @@ -271,10 +277,10 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/evp/p_seal.c
>> $(OPENSSL_PATH)/crypto/evp/p_sign.c
>> $(OPENSSL_PATH)/crypto/evp/p_verify.c
>> + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c
>> $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c
>> - $(OPENSSL_PATH)/crypto/evp/scrypt.c
>> $(OPENSSL_PATH)/crypto/ex_data.c
>> $(OPENSSL_PATH)/crypto/getenv.c
>> $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c
>> @@ -283,6 +289,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/init.c
>> $(OPENSSL_PATH)/crypto/kdf/hkdf.c
>> $(OPENSSL_PATH)/crypto/kdf/kdf_err.c
>> + $(OPENSSL_PATH)/crypto/kdf/scrypt.c
>> $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
>> $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
>> $(OPENSSL_PATH)/crypto/lhash/lhash.c
>> @@ -360,14 +367,14 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
>> $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
>> $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
>> - $(OPENSSL_PATH)/crypto/rand/md_rand.c
>> + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c
>> + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c
>> $(OPENSSL_PATH)/crypto/rand/rand_egd.c
>> $(OPENSSL_PATH)/crypto/rand/rand_err.c
>> $(OPENSSL_PATH)/crypto/rand/rand_lib.c
>> $(OPENSSL_PATH)/crypto/rand/rand_unix.c
>> $(OPENSSL_PATH)/crypto/rand/rand_vms.c
>> $(OPENSSL_PATH)/crypto/rand/rand_win.c
>> - $(OPENSSL_PATH)/crypto/rand/randfile.c
>> $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
>> $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
>> @@ -379,8 +386,8 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c
>> + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_none.c
>> - $(OPENSSL_PATH)/crypto/rsa/rsa_null.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c
>> @@ -392,15 +399,27 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c
>> $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c
>> + $(OPENSSL_PATH)/crypto/sha/keccak1600.c
>> $(OPENSSL_PATH)/crypto/sha/sha1_one.c
>> $(OPENSSL_PATH)/crypto/sha/sha1dgst.c
>> $(OPENSSL_PATH)/crypto/sha/sha256.c
>> $(OPENSSL_PATH)/crypto/sha/sha512.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>> + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
>> + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>> + $(OPENSSL_PATH)/crypto/sm3/sm3.c
>> + $(OPENSSL_PATH)/crypto/sm4/sm4.c
>> $(OPENSSL_PATH)/crypto/stack/stack.c
>> $(OPENSSL_PATH)/crypto/threads_none.c
>> $(OPENSSL_PATH)/crypto/threads_pthread.c
>> $(OPENSSL_PATH)/crypto/threads_win.c
>> $(OPENSSL_PATH)/crypto/txt_db/txt_db.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_err.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_lib.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_null.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c
>> + $(OPENSSL_PATH)/crypto/ui/ui_util.c
>> $(OPENSSL_PATH)/crypto/uid.c
>> $(OPENSSL_PATH)/crypto/x509/by_dir.c
>> $(OPENSSL_PATH)/crypto/x509/by_file.c
>> @@ -445,6 +464,7 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c
>> $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c
>> + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c
>> $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c
>> @@ -476,12 +496,29 @@ [Sources]
>> $(OPENSSL_PATH)/crypto/x509v3/v3err.c
>> # Autogenerated files list ends here
>>
>> + ossl_store.c
>> + rand_pool.c
>> +
>> +[Sources.Ia32]
>> + rand_pool_noise_tsc.c
>> +
>> +[Sources.X64]
>> + rand_pool_noise_tsc.c
>> +
>> +[Sources.ARM]
>> + rand_pool_noise.c
>> +
>> +[Sources.AARCH64]
>> + rand_pool_noise.c
>> +
>> [Packages]
>> MdePkg/MdePkg.dec
>> CryptoPkg/CryptoPkg.dec
>>
>> [LibraryClasses]
>> + BaseLib
>> DebugLib
>> + TimerLib
>>
>> [LibraryClasses.ARM]
>> ArmSoftFloatLib
>> diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h
>> b/CryptoPkg/Library/Include/CrtLibSupport.h
>> index b05c5d908ce2..5806f50f7485 100644
>> --- a/CryptoPkg/Library/Include/CrtLibSupport.h
>> +++ b/CryptoPkg/Library/Include/CrtLibSupport.h
>> @@ -2,7 +2,7 @@
>> Root include file of C runtime library to support building the third-party
>> cryptographic library.
>>
>> -Copyright (c) 2010 - 2017, Intel Corporation. All rights
>> reserved.<BR>
>> +Copyright (c) 2010 - 2019, Intel Corporation. All rights
>> +reserved.<BR>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>>
>> **/
>> @@ -21,6 +21,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>> #define MAX_STRING_SIZE 0x1000
>>
>> //
>> +// We already have "no-ui" in out Configure invocation.
>> +// but the code still fails to compile.
>> +// Ref: https://github.com/openssl/openssl/issues/8904
>> +//
>> +// This is defined in CRT library(stdio.h).
>> +//
>> +#ifndef BUFSIZ
>> +#define BUFSIZ 8192
>> +#endif
>> +
>> +//
>> // OpenSSL relies on explicit configuration for word size in
>> crypto/bn, // but we want it to be automatically inferred from the
>> target. So we // bypass what's in <openssl/opensslconf.h> for
>> OPENSSL_SYS_UEFI, and diff --git
>> a/CryptoPkg/Library/Include/openssl/opensslconf.h
>> b/CryptoPkg/Library/Include/openssl/opensslconf.h
>> index 28dd9ab93c61..07fa2d3ce280 100644
>> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
>> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
>> @@ -10,6 +10,8 @@
>> * https://www.openssl.org/source/license.html
>> */
>>
>> +#include <openssl/opensslv.h>
>> +
>> #ifdef __cplusplus
>> extern "C" {
>> #endif
>> @@ -77,18 +79,21 @@ extern "C" {
>> #ifndef OPENSSL_NO_SEED
>> # define OPENSSL_NO_SEED
>> #endif
>> +#ifndef OPENSSL_NO_SM2
>> +# define OPENSSL_NO_SM2
>> +#endif
>> #ifndef OPENSSL_NO_SRP
>> # define OPENSSL_NO_SRP
>> #endif
>> #ifndef OPENSSL_NO_TS
>> # define OPENSSL_NO_TS
>> #endif
>> -#ifndef OPENSSL_NO_UI
>> -# define OPENSSL_NO_UI
>> -#endif
>> #ifndef OPENSSL_NO_WHIRLPOOL
>> # define OPENSSL_NO_WHIRLPOOL
>> #endif
>> +#ifndef OPENSSL_RAND_SEED_NONE
>> +# define OPENSSL_RAND_SEED_NONE
>> +#endif
>> #ifndef OPENSSL_NO_AFALGENG
>> # define OPENSSL_NO_AFALGENG
>> #endif
>> @@ -122,6 +127,9 @@ extern "C" {
>> #ifndef OPENSSL_NO_DEPRECATED
>> # define OPENSSL_NO_DEPRECATED
>> #endif
>> +#ifndef OPENSSL_NO_DEVCRYPTOENG
>> +# define OPENSSL_NO_DEVCRYPTOENG
>> +#endif
>> #ifndef OPENSSL_NO_DGRAM
>> # define OPENSSL_NO_DGRAM
>> #endif
>> @@ -155,6 +163,9 @@ extern "C" {
>> #ifndef OPENSSL_NO_ERR
>> # define OPENSSL_NO_ERR
>> #endif
>> +#ifndef OPENSSL_NO_EXTERNAL_TESTS
>> +# define OPENSSL_NO_EXTERNAL_TESTS
>> +#endif
>> #ifndef OPENSSL_NO_FILENAMES
>> # define OPENSSL_NO_FILENAMES
>> #endif
>> @@ -209,15 +220,24 @@ extern "C" {
>> #ifndef OPENSSL_NO_TESTS
>> # define OPENSSL_NO_TESTS
>> #endif
>> +#ifndef OPENSSL_NO_TLS1_3
>> +# define OPENSSL_NO_TLS1_3
>> +#endif
>> #ifndef OPENSSL_NO_UBSAN
>> # define OPENSSL_NO_UBSAN
>> #endif
>> +#ifndef OPENSSL_NO_UI_CONSOLE
>> +# define OPENSSL_NO_UI_CONSOLE
>> +#endif
>> #ifndef OPENSSL_NO_UNIT_TEST
>> # define OPENSSL_NO_UNIT_TEST
>> #endif
>> #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
>> # define OPENSSL_NO_WEAK_SSL_CIPHERS #endif
>> +#ifndef OPENSSL_NO_DYNAMIC_ENGINE
>> +# define OPENSSL_NO_DYNAMIC_ENGINE
>> +#endif
>> #ifndef OPENSSL_NO_AFALGENG
>> # define OPENSSL_NO_AFALGENG
>> #endif
>> @@ -236,15 +256,11 @@ extern "C" {
>> * functions.
>> */
>> #ifndef DECLARE_DEPRECATED
>> -# if defined(OPENSSL_NO_DEPRECATED)
>> -# define DECLARE_DEPRECATED(f)
>> -# else
>> -# define DECLARE_DEPRECATED(f) f;
>> -# ifdef __GNUC__
>> -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
>> -# undef DECLARE_DEPRECATED
>> -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
>> -# endif
>> +# define DECLARE_DEPRECATED(f) f;
>> +# ifdef __GNUC__
>> +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
>> +# undef DECLARE_DEPRECATED
>> +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
>> # endif
>> # endif
>> #endif
>> @@ -268,6 +284,18 @@ extern "C" {
>> # define OPENSSL_API_COMPAT OPENSSL_MIN_API #endif
>>
>> +/*
>> + * Do not deprecate things to be deprecated in version 1.2.0 before
>> +the
>> + * OpenSSL version number matches.
>> + */
>> +#if OPENSSL_VERSION_NUMBER < 0x10200000L
>> +# define DEPRECATEDIN_1_2_0(f) f;
>> +#elif OPENSSL_API_COMPAT < 0x10200000L
>> +# define DEPRECATEDIN_1_2_0(f) DECLARE_DEPRECATED(f)
>> +#else
>> +# define DEPRECATEDIN_1_2_0(f)
>> +#endif
>> +
>> #if OPENSSL_API_COMPAT < 0x10100000L
>> # define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f)
>> #else
>> @@ -286,8 +314,6 @@ extern "C" {
>> # define DEPRECATEDIN_0_9_8(f)
>> #endif
>>
>> -
>> -
>> /* Generate 80386 code? */
>> #undef I386_ONLY
>>
>> diff --git a/CryptoPkg/Library/OpensslLib/buildinf.h
>> b/CryptoPkg/Library/OpensslLib/buildinf.h
>> index c5ca293c729f..b840c8656a28 100644
>> --- a/CryptoPkg/Library/OpensslLib/buildinf.h
>> +++ b/CryptoPkg/Library/OpensslLib/buildinf.h
>> @@ -1,2 +1,4 @@
>> #define PLATFORM "UEFI"
>> #define DATE "Fri Dec 22 01:23:45 PDT 2017"
>> +
>> +const char * compiler_flags = "compiler: information not available
>> +from edk2";
>> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>> new file mode 100644
>> index 000000000000..75acc686a9f1
>> --- /dev/null
>> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.h
>> @@ -0,0 +1,29 @@
>> +/** @file
>> + Provide rand noise source.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#ifndef __RAND_POOL_NOISE_H__
>> +#define __RAND_POOL_NOISE_H__
>> +
>> +#include <Uefi/UefiBaseType.h>
>> +
>> +/**
>> + Get 64-bit noise source.
>> +
>> + @param[out] Rand Buffer pointer to store 64-bit noise source
>> +
>> + @retval TRUE Get randomness successfully.
>> + @retval FALSE Failed to generate
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +GetRandomNoise64 (
>> + OUT UINT64 *Rand
>> + );
>> +
>> +
>> +#endif // __RAND_POOL_NOISE_H__
>> diff --git a/CryptoPkg/Library/OpensslLib/ossl_store.c
>> b/CryptoPkg/Library/OpensslLib/ossl_store.c
>> new file mode 100644
>> index 000000000000..29e1506048e3
>> --- /dev/null
>> +++ b/CryptoPkg/Library/OpensslLib/ossl_store.c
>> @@ -0,0 +1,17 @@
>> +/** @file
>> + Dummy implement ossl_store(Store retrieval functions) for UEFI.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +/*
>> + * This function is cleanup ossl store.
>> + *
>> + * Dummy Implement for UEFI
>> + */
>> +void ossl_store_cleanup_int(void)
>> +{
>> +}
>> +
>> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c
>> b/CryptoPkg/Library/OpensslLib/rand_pool.c
>> new file mode 100644
>> index 000000000000..9d2a4ad13823
>> --- /dev/null
>> +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
>> @@ -0,0 +1,316 @@
>> +/** @file
>> + OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
>> + The file implement these functions.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include "internal/rand_int.h"
>> +#include <openssl/aes.h>
>> +
>> +#include <Uefi.h>
>> +#include <Library/TimerLib.h>
>> +
>> +#include "rand_pool_noise.h"
>> +
>> +/**
>> + Get some randomness from low-order bits of GetPerformanceCounter results.
>> + And combine them to the 64-bit value
>> +
>> + @param[out] Rand Buffer pointer to store the 64-bit random value.
>> +
>> + @retval TRUE Random number generated successfully.
>> + @retval FALSE Failed to generate.
>> +**/
>> +STATIC
>> +BOOLEAN
>> +EFIAPI
>> +GetRandNoise64FromPerformanceCounter(
>> + OUT UINT64 *Rand
>> + )
>> +{
>> + UINT32 Index;
>> + UINT32 *RandPtr;
>> +
>> + if (NULL == Rand) {
>> + return FALSE;
>> + }
>> +
>> + RandPtr = (UINT32 *) Rand;
>> +
>> + for (Index = 0; Index < 2; Index ++) {
>> + *RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
>> + MicroSecondDelay (10);
>> + RandPtr++;
>> + }
>> +
>> + return TRUE;
>> +}
>> +
>> +/**
>> + Calls RandomNumber64 to fill
>> + a buffer of arbitrary size with random bytes.
>> +
>> + @param[in] Length Size of the buffer, in bytes, to fill with.
>> + @param[out] RandBuffer Pointer to the buffer to store the random result.
>> +
>> + @retval EFI_SUCCESS Random bytes generation succeeded.
>> + @retval EFI_NOT_READY Failed to request random bytes.
>> +
>> +**/
>> +STATIC
>> +BOOLEAN
>> +EFIAPI
>> +RandGetBytes (
>> + IN UINTN Length,
>> + OUT UINT8 *RandBuffer
>> + )
>> +{
>> + BOOLEAN Ret;
>> + UINT64 TempRand;
>> +
>> + Ret = FALSE;
>> +
>> + while (Length > 0) {
>> + //
>> + // Get random noise from platform.
>> + // If it failed, fallback to PerformanceCounter
>> + // If you really care about security, you must override
>> + // GetRandomNoise64FromPlatform.
>> + //
>> + Ret = GetRandomNoise64 (&TempRand);
>> + if (Ret == FALSE) {
>> + Ret = GetRandNoise64FromPerformanceCounter (&TempRand);
>> + }
>> + if (!Ret) {
>> + return Ret;
>> + }
>> + if (Length >= sizeof (TempRand)) {
>> + *((UINT64*) RandBuffer) = TempRand;
>> + RandBuffer += sizeof (UINT64);
>> + Length -= sizeof (TempRand);
>> + } else {
>> + CopyMem (RandBuffer, &TempRand, Length);
>> + Length = 0;
>> + }
>> + }
>> +
>> + return Ret;
>> +}
>> +
>> +/**
>> + Creates a 128bit random value that is fully forward and backward
>> +prediction resistant,
>> + suitable for seeding a NIST SP800-90 Compliant.
>> + This function takes multiple random numbers from
>> +PerformanceCounter to ensure reseeding
>> + and performs AES-CBC-MAC over the data to compute the seed value.
>> +
>> + @param[out] SeedBuffer Pointer to a 128bit buffer to store the random seed.
>> +
>> + @retval TRUE Random seed generation succeeded.
>> + @retval FALSE Failed to request random bytes.
>> +
>> +**/
>> +STATIC
>> +BOOLEAN
>> +EFIAPI
>> +RandGetSeed128 (
>> + OUT UINT8 *SeedBuffer
>> + )
>> +{
>> + BOOLEAN Ret;
>> + UINT8 RandByte[16];
>> + UINT8 Key[16];
>> + UINT8 Ffv[16];
>> + UINT8 Xored[16];
>> + UINT32 Index;
>> + UINT32 Index2;
>> + AES_KEY AESKey;
>> +
>> + //
>> + // Chose an arbitary key and zero the feed_forward_value (FFV) //
>> + for (Index = 0; Index < 16; Index++) {
>> + Key[Index] = (UINT8) Index;
>> + Ffv[Index] = 0;
>> + }
>> +
>> + AES_set_encrypt_key (Key, 16 * 8, &AESKey);
>> +
>> + //
>> + // Perform CBC_MAC over 32 * 128 bit values, with 10us gaps
>> + between
>> + 128 bit value // The 10us gaps will ensure multiple reseeds within
>> + the system time with a large // design margin.
>> + //
>> + for (Index = 0; Index < 32; Index++) {
>> + MicroSecondDelay (10);
>> + Ret = RandGetBytes (16, RandByte);
>> + if (!Ret) {
>> + return Ret;
>> + }
>> +
>> + //
>> + // Perform XOR operations on two 128-bit value.
>> + //
>> + for (Index2 = 0; Index2 < 16; Index2++) {
>> + Xored[Index2] = RandByte[Index2] ^ Ffv[Index2];
>> + }
>> +
>> + AES_encrypt (Xored, Ffv, &AESKey); }
>> +
>> + for (Index = 0; Index < 16; Index++) {
>> + SeedBuffer[Index] = Ffv[Index];
>> + }
>> +
>> + return Ret;
>> +}
>> +
>> +/**
>> + Generate high-quality entropy source.
>> +
>> + @param[in] Length Size of the buffer, in bytes, to fill with.
>> + @param[out] Entropy Pointer to the buffer to store the entropy data.
>> +
>> + @retval EFI_SUCCESS Entropy generation succeeded.
>> + @retval EFI_NOT_READY Failed to request random data.
>> +
>> +**/
>> +STATIC
>> +BOOLEAN
>> +EFIAPI
>> +RandGenerateEntropy (
>> + IN UINTN Length,
>> + OUT UINT8 *Entropy
>> + )
>> +{
>> + BOOLEAN Ret;
>> + UINTN BlockCount;
>> + UINT8 Seed[16];
>> + UINT8 *Ptr;
>> +
>> + BlockCount = Length / 16;
>> + Ptr = (UINT8 *) Entropy;
>> +
>> + //
>> + // Generate high-quality seed for DRBG Entropy // while
>> + (BlockCount > 0) {
>> + Ret = RandGetSeed128 (Seed);
>> + if (!Ret) {
>> + return Ret;
>> + }
>> + CopyMem (Ptr, Seed, 16);
>> +
>> + BlockCount--;
>> + Ptr = Ptr + 16;
>> + }
>> +
>> + //
>> + // Populate the remained data as request.
>> + //
>> + Ret = RandGetSeed128 (Seed);
>> + if (!Ret) {
>> + return Ret;
>> + }
>> + CopyMem (Ptr, Seed, (Length % 16));
>> +
>> + return Ret;
>> +}
>> +
>> +/*
>> + * Add random bytes to the pool to acquire requested amount of
>> +entropy
>> + *
>> + * This function is platform specific and tries to acquire the
>> +requested
>> + * amount of entropy by polling platform specific entropy sources.
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +size_t rand_pool_acquire_entropy(RAND_POOL *pool) {
>> + BOOLEAN Ret;
>> + size_t bytes_needed;
>> + unsigned char * buffer;
>> +
>> + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
>> + if (bytes_needed > 0) {
>> + buffer = rand_pool_add_begin(pool, bytes_needed);
>> +
>> + if (buffer != NULL) {
>> + Ret = RandGenerateEntropy(bytes_needed, buffer);
>> + if (FALSE == Ret) {
>> + rand_pool_add_end(pool, 0, 0);
>> + } else {
>> + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
>> + }
>> + }
>> + }
>> +
>> + return rand_pool_entropy_available(pool);
>> +}
>> +
>> +/*
>> + * Implementation for UEFI
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +int rand_pool_add_nonce_data(RAND_POOL *pool) {
>> + struct {
>> + UINT64 Rand;
>> + UINT64 TimerValue;
>> + } data = { 0 };
>> +
>> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue =
>> + GetPerformanceCounter();
>> +
>> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data),
>> +0); }
>> +
>> +/*
>> + * Implementation for UEFI
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +int rand_pool_add_additional_data(RAND_POOL *pool) {
>> + struct {
>> + UINT64 Rand;
>> + UINT64 TimerValue;
>> + } data = { 0 };
>> +
>> + RandGetBytes(8, (UINT8 *)&(data.Rand)); data.TimerValue =
>> + GetPerformanceCounter();
>> +
>> + return rand_pool_add(pool, (unsigned char*)&data, sizeof(data),
>> +0); }
>> +
>> +/*
>> + * Dummy Implememtation for UEFI
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +int rand_pool_init(void)
>> +{
>> + return 1;
>> +}
>> +
>> +/*
>> + * Dummy Implememtation for UEFI
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +void rand_pool_cleanup(void)
>> +{
>> +}
>> +
>> +/*
>> + * Dummy Implememtation for UEFI
>> + *
>> + * This is OpenSSL required interface.
>> + */
>> +void rand_pool_keep_random_devices_open(int keep) { }
>> +
>> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>> b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>> new file mode 100644
>> index 000000000000..c16ed8b45496
>> --- /dev/null
>> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise.c
>> @@ -0,0 +1,29 @@
>> +/** @file
>> + Provide rand noise source.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <Library/BaseLib.h>
>> +
>> +/**
>> + Get 64-bit noise source
>> +
>> + @param[out] Rand Buffer pointer to store 64-bit noise source
>> +
>> + @retval FALSE Failed to generate
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +GetRandomNoise64 (
>> + OUT UINT64 *Rand
>> + )
>> +{
>> + //
>> + // Return FALSE will fallback to use PerformaceCounter to
>> + // generate noise.
>> + //
>> + return FALSE;
>> +}
>> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>> b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>> new file mode 100644
>> index 000000000000..4158106231fd
>> --- /dev/null
>> +++ b/CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
>> @@ -0,0 +1,43 @@
>> +/** @file
>> + Provide rand noise source.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <Library/BaseLib.h>
>> +#include <Library/DebugLib.h>
>> +#include <Library/TimerLib.h>
>> +
>> +/**
>> + Get 64-bit noise source
>> +
>> + @param[out] Rand Buffer pointer to store 64-bit noise source
>> +
>> + @retval TRUE Get randomness successfully.
>> + @retval FALSE Failed to generate
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +GetRandomNoise64 (
>> + OUT UINT64 *Rand
>> + )
>> +{
>> + UINT32 Index;
>> + UINT32 *RandPtr;
>> +
>> + if (NULL == Rand) {
>> + return FALSE;
>> + }
>> +
>> + RandPtr = (UINT32 *)Rand;
>> +
>> + for (Index = 0; Index < 2; Index ++) {
>> + *RandPtr = (UINT32) ((AsmReadTsc ()) & 0xFF);
>> + RandPtr++;
>> + MicroSecondDelay (10);
>> + }
>> +
>> + return TRUE;
>> +}
>> diff --git a/CryptoPkg/Library/OpensslLib/openssl
>> b/CryptoPkg/Library/OpensslLib/openssl
>> index 74f2d9c1ec5f..50eaac9f3337 160000
>> --- a/CryptoPkg/Library/OpensslLib/openssl
>> +++ b/CryptoPkg/Library/OpensslLib/openssl
>> @@ -1 +1 @@
>> -Subproject commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762
>> +Subproject commit 50eaac9f3337667259de725451f201e784599687
>>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#40976): https://edk2.groups.io/g/devel/message/40976
Mute This Topic: https://groups.io/mt/31638511/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list