From f215e02bf85f68d3a6106c2a1f4f7f063f819064 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 11 Apr 2024 10:17:27 +0200 Subject: Adding upstream version 7.0.14-dfsg. Signed-off-by: Daniel Baumann --- .../EFI/Firmware/CryptoPkg/CryptoPkg.ci.yaml | 73 + .../Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dec | 85 + .../Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dsc | 302 ++ .../Devices/EFI/Firmware/CryptoPkg/CryptoPkg.uni | 32 + .../EFI/Firmware/CryptoPkg/CryptoPkgExtra.uni | 14 + .../Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.c | 4667 ++++++++++++++++++++ .../EFI/Firmware/CryptoPkg/Driver/Crypto.uni | 13 + .../EFI/Firmware/CryptoPkg/Driver/CryptoDxe.c | 38 + .../EFI/Firmware/CryptoPkg/Driver/CryptoDxe.inf | 49 + .../EFI/Firmware/CryptoPkg/Driver/CryptoPei.c | 99 + .../EFI/Firmware/CryptoPkg/Driver/CryptoPei.inf | 51 + .../EFI/Firmware/CryptoPkg/Driver/CryptoSmm.c | 41 + .../EFI/Firmware/CryptoPkg/Driver/CryptoSmm.inf | 49 + .../CryptoPkg/Include/Library/BaseCryptLib.h | 2402 ++++++++++ .../CryptoPkg/Include/Library/HashApiLib.h | 110 + .../Firmware/CryptoPkg/Include/Library/TlsLib.h | 814 ++++ .../Include/Pcd/PcdCryptoServiceFamilyEnable.h | 293 ++ .../Library/BaseCryptLib/BaseCryptLib.inf | 108 + .../Library/BaseCryptLib/BaseCryptLib.uni | 19 + .../Library/BaseCryptLib/Cipher/CryptAes.c | 203 + .../Library/BaseCryptLib/Cipher/CryptAesNull.c | 107 + .../CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c | 226 + .../Library/BaseCryptLib/Hash/CryptSha1.c | 225 + .../Library/BaseCryptLib/Hash/CryptSha256.c | 223 + .../Library/BaseCryptLib/Hash/CryptSha512.c | 440 ++ .../Library/BaseCryptLib/Hash/CryptSha512Null.c | 275 ++ .../CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c | 234 + .../Library/BaseCryptLib/Hmac/CryptHmacSha256.c | 216 + .../BaseCryptLib/Hmac/CryptHmacSha256Null.c | 139 + .../Library/BaseCryptLib/InternalCryptLib.h | 62 + .../CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c | 75 + .../Library/BaseCryptLib/Kdf/CryptHkdfNull.c | 43 + .../CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 98 + .../CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni | 25 + .../CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 126 + .../Library/BaseCryptLib/Pem/CryptPemNull.c | 38 + .../Library/BaseCryptLib/Pk/CryptAuthenticode.c | 192 + .../BaseCryptLib/Pk/CryptAuthenticodeNull.c | 45 + .../CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c | 306 ++ .../Library/BaseCryptLib/Pk/CryptDhNull.c | 150 + .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c | 208 + .../Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c | 51 + .../Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c | 95 + .../Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2Null.c | 50 + .../Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 194 + .../Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c | 54 + .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c | 190 + .../BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 910 ++++ .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 517 +++ .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c | 57 + .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 163 + .../BaseCryptLib/Pk/CryptPkcs7VerifyRuntime.c | 39 + .../Library/BaseCryptLib/Pk/CryptRsaBasic.c | 327 ++ .../Library/BaseCryptLib/Pk/CryptRsaExt.c | 364 ++ .../Library/BaseCryptLib/Pk/CryptRsaExtNull.c | 119 + .../Library/BaseCryptLib/Pk/CryptRsaPss.c | 152 + .../Library/BaseCryptLib/Pk/CryptRsaPssNull.c | 46 + .../Library/BaseCryptLib/Pk/CryptRsaPssSign.c | 175 + .../Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c | 60 + .../CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 659 +++ .../Library/BaseCryptLib/Pk/CryptTsNull.c | 42 + .../CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 832 ++++ .../Library/BaseCryptLib/Pk/CryptX509Null.c | 294 ++ .../Library/BaseCryptLib/Rand/CryptRand.c | 104 + .../Library/BaseCryptLib/Rand/CryptRandNull.c | 57 + .../Library/BaseCryptLib/Rand/CryptRandTsc.c | 112 + .../Library/BaseCryptLib/RuntimeCryptLib.inf | 113 + .../Library/BaseCryptLib/RuntimeCryptLib.uni | 24 + .../CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 103 + .../CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni | 24 + .../BaseCryptLib/SysCall/BaseMemAllocation.c | 112 + .../BaseCryptLib/SysCall/ConstantTimeClock.c | 37 + .../Library/BaseCryptLib/SysCall/CrtWrapper.c | 473 ++ .../BaseCryptLib/SysCall/RuntimeMemAllocation.c | 455 ++ .../Library/BaseCryptLib/SysCall/TimerWrapper.c | 168 + .../BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c | 93 + .../Library/BaseCryptLib/SysCall/inet_pton.c | 257 ++ .../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 92 + .../Library/BaseCryptLibNull/BaseCryptLibNull.inf | 61 + .../Library/BaseCryptLibNull/BaseCryptLibNull.uni | 18 + .../Library/BaseCryptLibNull/Cipher/CryptAesNull.c | 107 + .../Library/BaseCryptLibNull/Hash/CryptMd5Null.c | 165 + .../Library/BaseCryptLibNull/Hash/CryptSha1Null.c | 167 + .../BaseCryptLibNull/Hash/CryptSha256Null.c | 162 + .../BaseCryptLibNull/Hash/CryptSha512Null.c | 275 ++ .../Library/BaseCryptLibNull/Hash/CryptSm3Null.c | 164 + .../BaseCryptLibNull/Hmac/CryptHmacSha256Null.c | 139 + .../Library/BaseCryptLibNull/InternalCryptLib.h | 16 + .../Library/BaseCryptLibNull/Kdf/CryptHkdfNull.c | 43 + .../Library/BaseCryptLibNull/Pem/CryptPemNull.c | 38 + .../BaseCryptLibNull/Pk/CryptAuthenticodeNull.c | 45 + .../Library/BaseCryptLibNull/Pk/CryptDhNull.c | 150 + .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c | 51 + .../BaseCryptLibNull/Pk/CryptPkcs5Pbkdf2Null.c | 48 + .../BaseCryptLibNull/Pk/CryptPkcs7SignNull.c | 54 + .../BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c | 156 + .../BaseCryptLibNull/Pk/CryptPkcs7VerifyNull.c | 163 + .../BaseCryptLibNull/Pk/CryptRsaBasicNull.c | 121 + .../Library/BaseCryptLibNull/Pk/CryptRsaExtNull.c | 119 + .../Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c | 46 + .../BaseCryptLibNull/Pk/CryptRsaPssSignNull.c | 60 + .../Library/BaseCryptLibNull/Pk/CryptTsNull.c | 42 + .../Library/BaseCryptLibNull/Pk/CryptX509Null.c | 294 ++ .../Library/BaseCryptLibNull/Rand/CryptRandNull.c | 57 + .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 3571 +++++++++++++++ .../Library/BaseCryptLibOnProtocolPpi/CryptLib.uni | 12 + .../BaseCryptLibOnProtocolPpi/DxeCryptLib.c | 77 + .../BaseCryptLibOnProtocolPpi/DxeCryptLib.inf | 45 + .../BaseCryptLibOnProtocolPpi/PeiCryptLib.c | 57 + .../BaseCryptLibOnProtocolPpi/PeiCryptLib.inf | 44 + .../BaseCryptLibOnProtocolPpi/SmmCryptLib.c | 79 + .../BaseCryptLibOnProtocolPpi/SmmCryptLib.inf | 44 + .../Library/BaseHashApiLib/BaseHashApiLib.c | 283 ++ .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 + .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 + .../CryptoPkg/Library/Include/CrtLibSupport.h | 221 + .../Firmware/CryptoPkg/Library/Include/arpa/inet.h | 9 + .../CryptoPkg/Library/Include/arpa/nameser.h | 9 + .../Firmware/CryptoPkg/Library/Include/assert.h | 9 + .../CryptoPkg/Library/Include/crypto/dso_conf.h | 16 + .../EFI/Firmware/CryptoPkg/Library/Include/ctype.h | 9 + .../EFI/Firmware/CryptoPkg/Library/Include/errno.h | 9 + .../Firmware/CryptoPkg/Library/Include/limits.h | 9 + .../Firmware/CryptoPkg/Library/Include/memory.h | 9 + .../CryptoPkg/Library/Include/netinet/in.h | 9 + .../Library/Include/openssl/opensslconf.h | 351 ++ .../Firmware/CryptoPkg/Library/Include/stdarg.h | 9 + .../Firmware/CryptoPkg/Library/Include/stddef.h | 9 + .../EFI/Firmware/CryptoPkg/Library/Include/stdio.h | 9 + .../Firmware/CryptoPkg/Library/Include/stdlib.h | 9 + .../Firmware/CryptoPkg/Library/Include/string.h | 9 + .../Firmware/CryptoPkg/Library/Include/strings.h | 9 + .../Firmware/CryptoPkg/Library/Include/sys/param.h | 9 + .../Firmware/CryptoPkg/Library/Include/sys/shm.h | 9 + .../CryptoPkg/Library/Include/sys/socket.h | 9 + .../CryptoPkg/Library/Include/sys/syscall.h | 11 + .../Firmware/CryptoPkg/Library/Include/sys/time.h | 9 + .../Firmware/CryptoPkg/Library/Include/sys/types.h | 9 + .../CryptoPkg/Library/Include/sys/utsname.h | 9 + .../Firmware/CryptoPkg/Library/Include/syslog.h | 9 + .../EFI/Firmware/CryptoPkg/Library/Include/time.h | 9 + .../Firmware/CryptoPkg/Library/Include/unistd.h | 9 + .../Library/IntrinsicLib/BaseIntrinsicLib.uni | 16 + .../CryptoPkg/Library/IntrinsicLib/CopyMem.c | 30 + .../CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c | 22 + .../Library/IntrinsicLib/Ia32/MathLShiftS64.c | 48 + .../Library/IntrinsicLib/Ia32/MathLShiftS64.nasm | 42 + .../Library/IntrinsicLib/Ia32/MathRShiftU64.c | 51 + .../Library/IntrinsicLib/Ia32/MathRShiftU64.nasm | 43 + .../Library/IntrinsicLib/IntrinsicLib.inf | 67 + .../Library/IntrinsicLib/MemoryIntrinsics.c | 60 + .../CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt | 39 + .../CryptoPkg/Library/OpensslLib/OpensslLib.inf | 661 +++ .../CryptoPkg/Library/OpensslLib/OpensslLib.uni | 16 + .../Library/OpensslLib/OpensslLibCrypto.inf | 610 +++ .../Library/OpensslLib/OpensslLibCrypto.uni | 16 + .../CryptoPkg/Library/OpensslLib/buildinf.h | 4 + .../CryptoPkg/Library/OpensslLib/ossl_store.c | 17 + .../CryptoPkg/Library/OpensslLib/process_files.pl | 286 ++ .../CryptoPkg/Library/OpensslLib/rand_pool.c | 171 + .../CryptoPkg/Library/TlsLib/InternalTlsLib.h | 41 + .../Firmware/CryptoPkg/Library/TlsLib/TlsConfig.c | 1267 ++++++ .../Firmware/CryptoPkg/Library/TlsLib/TlsInit.c | 263 ++ .../Firmware/CryptoPkg/Library/TlsLib/TlsLib.inf | 50 + .../Firmware/CryptoPkg/Library/TlsLib/TlsLib.uni | 13 + .../Firmware/CryptoPkg/Library/TlsLib/TlsProcess.c | 457 ++ .../CryptoPkg/Library/TlsLibNull/InternalTlsLib.h | 16 + .../CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 622 +++ .../CryptoPkg/Library/TlsLibNull/TlsInitNull.c | 111 + .../CryptoPkg/Library/TlsLibNull/TlsLibNull.inf | 38 + .../CryptoPkg/Library/TlsLibNull/TlsLibNull.uni | 13 + .../CryptoPkg/Library/TlsLibNull/TlsProcessNull.c | 247 ++ .../EFI/Firmware/CryptoPkg/Private/Ppi/Crypto.h | 21 + .../Firmware/CryptoPkg/Private/Protocol/Crypto.h | 3678 +++++++++++++++ .../CryptoPkg/Private/Protocol/SmmCrypto.h | 21 + .../CryptoPkg/Test/CryptoPkgHostUnitTest.dsc | 42 + .../Library/BaseCryptLib/AuthenticodeTests.c | 1002 +++++ .../Library/BaseCryptLib/BaseCryptLibUnitTests.c | 67 + .../Library/BaseCryptLib/BlockCipherTests.c | 293 ++ .../Test/UnitTest/Library/BaseCryptLib/DhTests.c | 106 + .../Test/UnitTest/Library/BaseCryptLib/HashTests.c | 202 + .../Test/UnitTest/Library/BaseCryptLib/HmacTests.c | 184 + .../Library/BaseCryptLib/OaepEncryptTests.c | 308 ++ .../Library/BaseCryptLib/Pkcs5Pbkdf2Tests.c | 71 + .../Library/BaseCryptLib/Pkcs7EkuTestSignatures.h | 789 ++++ .../UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c | 524 +++ .../Test/UnitTest/Library/BaseCryptLib/RandTests.c | 51 + .../UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c | 415 ++ .../UnitTest/Library/BaseCryptLib/RsaPssTests.c | 191 + .../Test/UnitTest/Library/BaseCryptLib/RsaTests.c | 312 ++ .../Test/UnitTest/Library/BaseCryptLib/TSTests.c | 335 ++ .../Library/BaseCryptLib/TestBaseCryptLib.h | 124 + .../Library/BaseCryptLib/TestBaseCryptLibHost.inf | 47 + .../Library/BaseCryptLib/TestBaseCryptLibShell.inf | 50 + .../TestEKUCerts/ChainCreationInstructions.txt | 92 + .../BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd | 11 + .../TestEKUCerts/SignFirmwareWithEKUs.cmd | 76 + .../TestEKUCerts/TestEKUParsingIssuingCA.ini | 45 + .../TestEKUCerts/TestEKUParsingLeafSigner.ini | 25 + .../TestEKUCerts/TestEKUParsingLeafSignerPid1.ini | 24 + .../TestEKUParsingLeafSignerPid12345.ini | 27 + .../TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini | 16 + .../TestEKUCerts/TestEKUParsingPolicyCA.ini | 28 + .../TestEKUCerts/TestEKUParsingRoot.ini | 28 + .../UnitTest/Library/BaseCryptLib/UnitTestMain.c | 81 + 205 files changed, 42992 insertions(+) create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.ci.yaml create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dec create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dsc create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkgExtra.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/BaseCryptLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/HashApiLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/TlsLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/InternalCryptLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticodeNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDhNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyRuntime.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExtNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/ConstantTimeClock.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/TimerWrapper.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha1Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha256Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha512Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSm3Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha256Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/InternalCryptLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Kdf/CryptHkdfNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptAuthenticodeNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptDhNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs5Pbkdf2Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7SignNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaBasicNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaExtNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptTsNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Rand/CryptRandNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/CrtLibSupport.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/inet.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/nameser.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/assert.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/crypto/dso_conf.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/ctype.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/errno.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/limits.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/memory.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/netinet/in.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/openssl/opensslconf.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdarg.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stddef.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdio.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdlib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/string.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/strings.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/param.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/shm.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/socket.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/syscall.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/time.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/types.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/utsname.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/syslog.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/time.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/unistd.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/BaseIntrinsicLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/CopyMem.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.nasm create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.nasm create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/buildinf.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/ossl_store.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/process_files.pl create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/rand_pool.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/InternalTlsLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsConfig.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsInit.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsProcess.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/InternalTlsLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsInitNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.uni create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Ppi/Crypto.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/Crypto.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/SmmCrypto.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AuthenticodeTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BlockCipherTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/DhTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs5Pbkdf2Tests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTestSignatures.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RandTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPssTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TSTests.c create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c (limited to 'src/VBox/Devices/EFI/Firmware/CryptoPkg') diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.ci.yaml b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.ci.yaml new file mode 100644 index 00000000..f16db42d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.ci.yaml @@ -0,0 +1,73 @@ +## @file +# CI configuration for CryptoPkg +# +# Copyright (c) Microsoft Corporation +# Copyright (c) 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## +{ + "LicenseCheck": { + "IgnoreFiles": [] + }, + "EccCheck": { + ## Exception sample looks like below: + ## "ExceptionList": [ + ## "", "" + ## ] + "ExceptionList": [ + ], + ## Both file path and directory path are accepted. + "IgnoreFiles": [ + "Library/OpensslLib/openssl", + # The unit testing folder is not to be checked + "Test/UnitTest", + # This has OpenSSL interfaces that aren't UEFI spec compliant + "Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c", + # this has OpenSSL interfaces that aren't UEFI spec compliant + "Library/OpensslLib/rand_pool.c" + ] + }, + "CompilerPlugin": { + "DscPath": "CryptoPkg.dsc" + }, + ## options defined .pytool/Plugin/HostUnitTestCompilerPlugin + "HostUnitTestCompilerPlugin": { + "DscPath": "Test/CryptoPkgHostUnitTest.dsc" + }, + "CharEncodingCheck": { + "IgnoreFiles": [] + }, + "DependencyCheck": { + "AcceptableDependencies": [ + "MdePkg/MdePkg.dec", + "MdeModulePkg/MdeModulePkg.dec", + "CryptoPkg/CryptoPkg.dec", + ], + # For host based unit tests + "AcceptableDependencies-HOST_APPLICATION":[], + # For UEFI shell based apps + "AcceptableDependencies-UEFI_APPLICATION":[], + "IgnoreInf": [] + }, + "DscCompleteCheck": { + "DscPath": "CryptoPkg.dsc", + "IgnoreInf": [] + }, + "GuidCheck": { + "IgnoreGuidName": [], + "IgnoreGuidValue": [], + "IgnoreFoldersAndFiles": [] + }, + "LibraryClassCheck": { + "IgnoreHeaderFile": [] + }, + + ## options defined ci/Plugin/SpellCheck + "SpellCheck": { + "skip": True, + "IgnoreFiles": [], # use gitignore syntax to ignore errors in matching files + "ExtendWords": [], # words to extend to the dictionary for this package + "IgnoreStandardPaths": [], # Standard Plugin defined paths that should be ignore + "AdditionalIncludePaths": [] # Additional paths to spell check (wildcards supported) + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dec b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dec new file mode 100644 index 00000000..1bc409b8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dec @@ -0,0 +1,85 @@ +## @file +# Package for cryptography modules. +# +# This Package provides cryptographic-related libraries for UEFI security modules. +# It also provides a test application to test libraries. +# +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + DEC_SPECIFICATION = 0x00010005 + PACKAGE_NAME = CryptoPkg + PACKAGE_UNI_FILE = CryptoPkg.uni + PACKAGE_GUID = 36470E80-36F2-4ba0-8CC8-937C7D9FF888 + PACKAGE_VERSION = 0.98 + +[Includes] + Include + +[Includes.Common.Private] + Private + Library/Include + Library/OpensslLib/openssl/include + +[LibraryClasses] + ## @libraryclass Provides basic library functions for cryptographic primitives. + ## + BaseCryptLib|Include/Library/BaseCryptLib.h + + ## @libraryclass Provides TLS library functions for EFI TLS protocol. + ## + TlsLib|Include/Library/TlsLib.h + + ## @libraryclass Provides Unified API for different hash implementations. + # + HashApiLib|Include/Library/HashApiLib.h + +[Protocols] + ## EDK II Crypto DXE protocol + # 2C2275C9-3A7B-426F-BE54-2D22BD9D1092 + gEdkiiCryptoProtocolGuid = { 0x2C2275C9, 0x3A7B, 0x426F, { 0xBE, 0x54, 0x2D, 0x22, 0xBD, 0x9D, 0x10, 0x92 }} + + ## EDK II Crypto SMM protocol + # F46B2EB2-E0D7-4C96-A3B1-CB7C572EB300 + gEdkiiSmmCryptoProtocolGuid = { 0xF46B2EB2, 0xE0D7, 0x4C96, { 0xA3, 0xB1, 0xc, 0x61, 0xbb, 0x24, 0x5c, 0x42 }} + +[Ppis] + ## EDK II Crypto PPI + # 7DCE671B-C223-446A-A705-ED637AAF6771 + gEdkiiCryptoPpiGuid = { 0x7DCE671B, 0xC223, 0x446A, { 0xA7, 0x05, 0xED, 0x63, 0x7A, 0xAF, 0x67, 0x71 }} + +[Guids] + ## Crypto package token space guid. + gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97, 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } } + +[PcdsFixedAtBuild] + ## Enable/Disable the families and individual services produced by the + # EDK II Crypto Protocols/PPIs. The default is all services disabled. + # This Structured PCD is associated with PCD_CRYPTO_SERVICE_FAMILY_ENABLE + # structure that is defined in Include/Pcd/PcdCryptoServiceFamilyEnable.h. + # @Prompt Enable/Disable EDK II Crypto Protocol/PPI services + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable|{0x00}|PCD_CRYPTO_SERVICE_FAMILY_ENABLE|0x00000002 { + + CryptoPkg/CryptoPkg.dec + + Pcd/PcdCryptoServiceFamilyEnable.h + } + + ## This PCD indicates the HASH algorithm to calculate hash of data + # Based on the value set, the required algorithm is chosen to calculate + # the hash of data.
+ # The default hashing algorithm for BaseHashApiLib is set to SHA256.
+ # 0x00000001 - HASH_ALG_SHA1.
+ # 0x00000002 - HASH_ALG_SHA256.
+ # 0x00000004 - HASH_ALG_SHA384.
+ # 0x00000008 - HASH_ALG_SHA512.
+ # 0x00000010 - HASH_ALG_SM3_256.
+ # @Prompt Set policy for hashing unsigned image for Secure Boot. + # @ValidList 0x80000001 | 0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010 + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x00000002|UINT32|0x00000001 + +[UserExtensions.TianoCore."ExtraFiles"] + CryptoPkgExtra.uni diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dsc b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dsc new file mode 100644 index 00000000..a5942281 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.dsc @@ -0,0 +1,302 @@ +## @file +# Cryptographic Library Package for UEFI Security Implementation. +# PEIM, DXE Driver, and SMM Driver with all crypto services enabled. +# +# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +################################################################################ +# +# Defines Section - statements that will be processed to create a Makefile. +# +################################################################################ +[Defines] + PLATFORM_NAME = CryptoPkg + PLATFORM_GUID = E1063286-6C8C-4c25-AEF0-67A9A5B6E6B6 + PLATFORM_VERSION = 0.98 + DSC_SPECIFICATION = 0x00010005 + OUTPUT_DIRECTORY = Build/CryptoPkg + SUPPORTED_ARCHITECTURES = IA32|X64|ARM|AARCH64|RISCV64 + BUILD_TARGETS = DEBUG|RELEASE|NOOPT + SKUID_IDENTIFIER = DEFAULT + + # + # Flavor of PEI, DXE, SMM modules to build. + # Must be one of ALL, NONE, MIN_PEI, MIN_DXE_MIN_SMM. + # Default is ALL that is used for package build verification. + # PACKAGE - Package verification build of all components. Null + # versions of libraries are used to minimize build times. + # ALL - Build PEIM, DXE, and SMM drivers. Protocols and PPIs + # publish all services. + # NONE - Build PEIM, DXE, and SMM drivers. Protocols and PPIs + # publish no services. Used to verify compiler/linker + # optimizations are working correctly. + # MIN_PEI - Build PEIM with PPI that publishes minimum required + # services. + # MIN_DXE_MIN_SMM - Build DXE and SMM drivers with Protocols that publish + # minimum required services. + # + DEFINE CRYPTO_SERVICES = PACKAGE +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL NONE MIN_PEI MIN_DXE_MIN_SMM" +!else + !error CRYPTO_SERVICES must be set to one of PACKAGE ALL NONE MIN_PEI MIN_DXE_MIN_SMM. +!endif + +!include UnitTestFrameworkPkg/UnitTestFrameworkPkgTarget.dsc.inc + +################################################################################ +# +# Library Class section - list of all Library Classes needed by this Platform. +# +################################################################################ + +!include MdePkg/MdeLibs.dsc.inc + +[LibraryClasses] + BaseLib|MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf + UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf + TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf + HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf + RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf + +[LibraryClasses.ARM, LibraryClasses.AARCH64] + # + # It is not possible to prevent the ARM compiler for generic intrinsic functions. + # This library provides the instrinsic functions generate by a given compiler. + # [LibraryClasses.ARM, LibraryClasses.AARCH64] and NULL mean link this library + # into all ARM and AARCH64 images. + # + NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf + + # Add support for stack protector + NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf + +[LibraryClasses.common.PEIM] + PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf + MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf + PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf + PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf + HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf + +[LibraryClasses.common.DXE_SMM_DRIVER] + SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf + MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAllocationLib.inf + +!if $(CRYPTO_SERVICES) IN "ALL NONE MIN_PEI MIN_DXE_MIN_SMM" +[LibraryClasses] + MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf + DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf + PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf + UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf #??? + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf #??? + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + +[LibraryClasses.ARM] + ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf + +[LibraryClasses.common.PEIM] + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf + +[LibraryClasses.IA32.PEIM, LibraryClasses.X64.PEIM] + PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLibIdt/PeiServicesTablePointerLibIdt.inf + +[LibraryClasses.ARM.PEIM, LibraryClasses.AARCH64.PEIM] + PeiServicesTablePointerLib|ArmPkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf + +[LibraryClasses.common.DXE_DRIVER] + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf + +[LibraryClasses.common.DXE_SMM_DRIVER] + ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!endif + +################################################################################ +# +# Pcd Section - list of all EDK II PCD Entries defined by this Platform +# +################################################################################ +[PcdsFixedAtBuild] + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x0f + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80000000 + gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06 + +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL" + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY +!endif + +!if $(CRYPTO_SERVICES) == MIN_PEI + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE +!endif + +!if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.VerifyEKUsInPkcs7Signature | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7GetSigners | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7FreeSigners | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.AuthenticodeVerify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.GetPublicKeyFromX509 | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Services.HashAll | FALSE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetSubjectName | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetCommonName | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetOrganizationName | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetTBSCert | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE +!endif + +################################################################################################### +# +# Components Section - list of the modules and components that will be processed by compilation +# tools and the EDK II tools to generate PE32/PE32+/Coff image files. +# +# Note: The EDK II DSC file is not used to specify how compiled binary images get placed +# into firmware volume images. This section is just a list of modules to compile from +# source into UEFI-compliant binaries. +# It is the FDF file that contains information on combining binary files into firmware +# volume images, whose concept is beyond UEFI and is described in PI specification. +# Binary modules do not need to be listed in this section, as they should be +# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi), +# Logo (Logo.bmp), and etc. +# There may also be modules listed in this section that are not required in the FDF file, +# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be +# generated for it, but the binary will not be put into any firmware volume. +# +################################################################################################### +[Components] + CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf + +!if $(CRYPTO_SERVICES) == PACKAGE +[Components] + CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf + CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + CryptoPkg/Library/TlsLib/TlsLib.inf + CryptoPkg/Library/TlsLibNull/TlsLibNull.inf + CryptoPkg/Library/OpensslLib/OpensslLib.inf + CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf + + CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf + CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf + CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf +!endif + +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL NONE MIN_PEI" +[Components.IA32, Components.X64, Components.ARM, Components.AARCH64] + CryptoPkg/Driver/CryptoPei.inf { + + !if $(CRYPTO_SERVICES) == ALL + FILE_GUID = 8DF53C2E-3380-495F-A8B7-370CFE28E1C6 + !elseif $(CRYPTO_SERVICES) == NONE + FILE_GUID = E5A97EE3-71CC-407F-9DA9-6BE0C8A6C7DF + !elseif $(CRYPTO_SERVICES) == MIN_PEI + FILE_GUID = 0F5827A9-35FD-4F41-8D38-9BAFCE594D31 + !endif + } +!endif + +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL NONE MIN_DXE_MIN_SMM" +[Components.IA32, Components.X64, Components.AARCH64] + CryptoPkg/Driver/CryptoDxe.inf { + + !if $(CRYPTO_SERVICES) == ALL + FILE_GUID = D9444B06-060D-42C5-9344-F04707BE0169 + !elseif $(CRYPTO_SERVICES) == NONE + FILE_GUID = C7A340F4-A6CC-4F95-A2DA-42BEA4C3944A + !elseif $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM + FILE_GUID = DDF5BE9E-159A-4B77-B6D7-82B84B5763A2 + !endif + } + +[Components.IA32, Components.X64] + CryptoPkg/Driver/CryptoSmm.inf { + + !if $(CRYPTO_SERVICES) == ALL + FILE_GUID = A3542CE8-77F7-49DC-A834-45D37D2EC1FA + !elseif $(CRYPTO_SERVICES) == NONE + FILE_GUID = 6DCB3127-01E7-4131-A487-DC77A965A541 + !elseif $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM + FILE_GUID = 85F7EA15-3A2B-474A-8875-180542CD6BF3 + !endif + } +!endif + +[BuildOptions] + *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL" + MSFT:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES + INTEL:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES + GCC:*_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES + RVCT:*_*_*_CC_FLAGS = -DENABLE_MD5_DEPRECATED_INTERFACES +!endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.uni new file mode 100644 index 00000000..28459fca --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkg.uni @@ -0,0 +1,32 @@ +// /** @file +// Package for cryptography modules. +// +// This Package provides cryptographic-related libraries for UEFI security modules. +// It also provides a test application to test libraries. +// +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_PACKAGE_ABSTRACT #language en-US "Provides cryptographic-related libraries for UEFI security modules" + +#string STR_PACKAGE_DESCRIPTION #language en-US "This Package provides cryptographic-related libraries for UEFI security modules." + +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PROMPT #language en-US "HASH algorithm to calculate hash" + +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HELP #language en-US "This PCD indicates the HASH algorithm to calculate hash of data.

\n" + "Based on the value set, the required algorithm is chosen to calculate\n" + "the hash of data.
\n" + "The default hashing algorithm for BaseHashApiLib is set to SHA256.
\n" + "0x00000001 - HASH_ALG_SHA1.
\n" + "0x00000002 - HASH_ALG_SHA256.
\n" + "0x00000004 - HASH_ALG_SHA384.
\n" + "0x00000008 - HASH_ALG_SHA512.
\n" + "0x00000010 - HASH_ALG_SM3.
" + +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdCryptoServiceFamilyEnable_PROMPT #language en-US "Enable/Disable EDK II Crypto Protocol/PPI services" + +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdCryptoServiceFamilyEnable_HELP #language en-US "Enable/Disable the families and individual services produced by the EDK II Crypto Protocols/PPIs. The default is all services disabled. This Structured PCD is associated with PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure that is defined in Include/Pcd/PcdCryptoServiceFamilyEnable.h." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkgExtra.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkgExtra.uni new file mode 100644 index 00000000..1c017b28 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/CryptoPkgExtra.uni @@ -0,0 +1,14 @@ +// /** @file +// Crypto Package Localized Strings and Content. +// +// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_PROPERTIES_PACKAGE_NAME +#language en-US +"Crypto package" + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.c new file mode 100644 index 00000000..d17fedac --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.c @@ -0,0 +1,4667 @@ +/** @file + Implements the EDK II Crypto Protocol/PPI services using the library services + from BaseCryptLib and TlsLib. + + Copyright (C) Microsoft Corporation. All rights reserved. + Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include + +/** + A macro used to retrieve the FixedAtBuild PcdCryptoServiceFamilyEnable with a + typecast to its associcted structure type PCD_CRYPTO_SERVICE_FAMILY_ENABLE. +**/ +#define EDKII_CRYPTO_PCD ((const PCD_CRYPTO_SERVICE_FAMILY_ENABLE *) \ + (FixedPcdGetPtr (PcdCryptoServiceFamilyEnable))) + +/** + A macro used to call a non-void BaseCryptLib function if it is enabled. + + If a BaseCryptLib function is not enabled, there will be no references to it + from this module and will be optimized away reducing the size of this module. + + @param Enable The name of the enable field in PCD + PcdCryptoServiceFamilyEnable for the BaseCryptLib + function being called. If the value of this field + is non-zero, then the BaseCryptLib function is + enabled. + @param Function The name of the BaseCryptLib function. + @param Args The argument list to pass to Function. + @param ErrorReturnValue The value to return if the BaseCryptLib function is + not enabled. + +**/ +#define CALL_BASECRYPTLIB(Enable, Function, Args, ErrorReturnValue) \ + EDKII_CRYPTO_PCD->Enable \ + ? Function Args \ + : (BaseCryptLibServiceNotEnabled (#Function), ErrorReturnValue) + +/** + A macro used to call a void BaseCryptLib function if it is enabled. + + If a BaseCryptLib function is not enabled, there will be no references to it + from this module and will be optimized away reducing the size of this module. + + @param Enable The name of the enable field in PCD + PcdCryptoServiceFamilyEnable for the BaseCryptLib + function being called. If the value of this field + is non-zero, then the BaseCryptLib function is + enabled. + @param Function The name of the BaseCryptLib function. + @param Args The argument list to pass to Function. + +**/ +#define CALL_VOID_BASECRYPTLIB(Enable, Function, Args) \ + EDKII_CRYPTO_PCD->Enable \ + ? Function Args \ + : BaseCryptLibServiceNotEnabled (#Function) + +/** + Internal worker function that prints a debug message and asserts if a call is + made to a BaseCryptLib function that is not enabled in the EDK II Crypto + Protocol/PPI. + + If this debug message and assert are observed, then a module is using + BaseCryptLib function that is not enabled in a Crypto driver. The + PcdCryptoServiceFamilyEnable should be updated to enable the missing service. + + @param[in] FunctionName Null-terminated ASCII string that is the name of an + EDK II Crypto service. + +**/ +static +VOID +BaseCryptLibServiceNotEnabled ( + IN CONST CHAR8 *FunctionName + ) +{ + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is not enabled\n", gEfiCallerBaseName, FunctionName)); + ASSERT_EFI_ERROR (EFI_UNSUPPORTED); +} + +/** + Internal worker function that prints a debug message and asserts if a call is + made to a BaseCryptLib function that is deprecated and unsupported any longer. + + @param[in] FunctionName Null-terminated ASCII string that is the name of an + EDK II Crypto service. + +**/ +static +VOID +BaseCryptLibServiceDeprecated ( + IN CONST CHAR8 *FunctionName + ) +{ + DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName)); + ASSERT_EFI_ERROR (EFI_UNSUPPORTED); +} + +/** + Returns the version of the EDK II Crypto Protocol. + + @return The version of the EDK II Crypto Protocol. + +**/ +UINTN +EFIAPI +CryptoServiceGetCryptoVersion ( + VOID + ) +{ + return EDKII_CRYPTO_VERSION; +} + +//===================================================================================== +// One-Way Cryptographic Hash Primitives +//===================================================================================== + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +DeprecatedCryptoServiceMd4GetContextSize ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("Md4GetContextSize"), 0; +} + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[out] Md4Context Pointer to MD4 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd4Init ( + OUT VOID *Md4Context + ) +{ + return BaseCryptLibServiceDeprecated ("Md4Init"), FALSE; +} + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] Md4Context Pointer to MD4 context being copied. + @param[out] NewMd4Context Pointer to new MD4 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd4Duplicate ( + IN CONST VOID *Md4Context, + OUT VOID *NewMd4Context + ) +{ + return BaseCryptLibServiceDeprecated ("Md4Duplicate"), FALSE; +} + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] Md4Context Pointer to the MD4 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd4Update ( + IN OUT VOID *Md4Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return BaseCryptLibServiceDeprecated ("Md4Update"), FALSE; +} + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] Md4Context Pointer to the MD4 context. + @param[out] HashValue Pointer to a buffer that receives the MD4 digest + value (16 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd4Final ( + IN OUT VOID *Md4Context, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Md4Final"), FALSE; +} + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD4 digest + value (16 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd4HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE; +} + +#ifndef ENABLE_MD5_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + If this interface is not supported, then return zero. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +DeprecatedCryptoServiceMd5GetContextSize ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("Md5GetContextSize"), 0; +} + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd5Init ( + OUT VOID *Md5Context + ) +{ + return BaseCryptLibServiceDeprecated ("Md5Init"), FALSE; +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + return BaseCryptLibServiceDeprecated ("Md5Init"), FALSE; +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return BaseCryptLibServiceDeprecated ("Md5Init"), FALSE; +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Md5Final"), FALSE; +} + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceMd5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Md5HashAll"), FALSE; +} +#else +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +CryptoServiceMd5GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.GetContextSize, Md5GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceMd5Init ( + OUT VOID *Md5Context + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.Init, Md5Init, (Md5Context), FALSE); +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceMd5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.Duplicate, Md5Duplicate, (Md5Context, NewMd5Context), FALSE); +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceMd5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.Update, Md5Update, (Md5Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceMd5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.Final, Md5Final, (Md5Context, HashValue), FALSE); +} + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceMd5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Md5.Services.HashAll, Md5HashAll, (Data, DataSize, HashValue), FALSE); +} +#endif + +#ifdef DISABLE_SHA1_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + If this interface is not supported, then return zero. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +DeprecatedCryptoServiceSha1GetContextSize ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1GetContextSize"), 0; +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceSha1Init ( + OUT VOID *Sha1Context + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1Init"), FALSE; +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceSha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1Duplicate"), FALSE; +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceSha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1Update"), FALSE; +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceSha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1Final"), FALSE; +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceSha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return BaseCryptLibServiceDeprecated ("Sha1HashAll"), FALSE; +} +#else +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +CryptoServiceSha1GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.GetContextSize, Sha1GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha1Init ( + OUT VOID *Sha1Context + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.Init, Sha1Init, (Sha1Context), FALSE); +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.Duplicate, Sha1Duplicate, (Sha1Context, NewSha1Context), FALSE); +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.Update, Sha1Update, (Sha1Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.Final, Sha1Final, (Sha1Context, HashValue), FALSE); +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha1.Services.HashAll, Sha1HashAll, (Data, DataSize, HashValue), FALSE); +} +#endif + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +CryptoServiceSha256GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.GetContextSize, Sha256GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha256Init ( + OUT VOID *Sha256Context + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.Init, Sha256Init, (Sha256Context), FALSE); +} + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.Duplicate, Sha256Duplicate, (Sha256Context, NewSha256Context), FALSE); +} + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.Update, Sha256Update, (Sha256Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.Final, Sha256Final, (Sha256Context, HashValue), FALSE); +} + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha256.Services.HashAll, Sha256HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-384 hash operations. + +**/ +UINTN +EFIAPI +CryptoServiceSha384GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.GetContextSize, Sha384GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + If Sha384Context is NULL, then return FALSE. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval TRUE SHA-384 context initialization succeeded. + @retval FALSE SHA-384 context initialization failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha384Init ( + OUT VOID *Sha384Context + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.Init, Sha384Init, (Sha384Context), FALSE); +} + +/** + Makes a copy of an existing SHA-384 context. + + If Sha384Context is NULL, then return FALSE. + If NewSha384Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval TRUE SHA-384 context copy succeeded. + @retval FALSE SHA-384 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.Duplicate, Sha384Duplicate, (Sha384Context, NewSha384Context), FALSE); +} + +/** + Digests the input data and updates SHA-384 context. + + This function performs SHA-384 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be finalized + by Sha384Final(). Behavior with invalid context is undefined. + + If Sha384Context is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-384 data digest succeeded. + @retval FALSE SHA-384 data digest failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.Update, Sha384Update, (Sha384Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-384 digest value. + + This function completes SHA-384 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-384 context cannot + be used again. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be + finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined. + + If Sha384Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.Final, Sha384Final, (Sha384Context, HashValue), FALSE); +} + +/** + Computes the SHA-384 message digest of a input data buffer. + + This function performs the SHA-384 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha384.Services.HashAll, Sha384HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-512 hash operations. + +**/ +UINTN +EFIAPI +CryptoServiceSha512GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.GetContextSize, Sha512GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + If Sha512Context is NULL, then return FALSE. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval TRUE SHA-512 context initialization succeeded. + @retval FALSE SHA-512 context initialization failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha512Init ( + OUT VOID *Sha512Context + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.Init, Sha512Init, (Sha512Context), FALSE); +} + +/** + Makes a copy of an existing SHA-512 context. + + If Sha512Context is NULL, then return FALSE. + If NewSha512Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval TRUE SHA-512 context copy succeeded. + @retval FALSE SHA-512 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.Duplicate, Sha512Duplicate, (Sha512Context, NewSha512Context), FALSE); +} + +/** + Digests the input data and updates SHA-512 context. + + This function performs SHA-512 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be finalized + by Sha512Final(). Behavior with invalid context is undefined. + + If Sha512Context is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-512 data digest succeeded. + @retval FALSE SHA-512 data digest failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.Update, Sha512Update, (Sha512Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-512 digest value. + + This function completes SHA-512 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-512 context cannot + be used again. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be + finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined. + + If Sha512Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.Final, Sha512Final, (Sha512Context, HashValue), FALSE); +} + +/** + Computes the SHA-512 message digest of a input data buffer. + + This function performs the SHA-512 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sha512.Services.HashAll, Sha512HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +CryptoServiceSm3GetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.GetContextSize, Sm3GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSm3Init ( + OUT VOID *Sm3Context + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.Init, Sm3Init, (Sm3Context), FALSE); +} + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.Duplicate, Sm3Duplicate, (Sm3Context, NewSm3Context), FALSE); +} + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.Update, Sm3Update, (Sm3Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.Final, Sm3Final, (Sm3Context, HashValue), FALSE); +} + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceSm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + return CALL_BASECRYPTLIB (Sm3.Services.HashAll, Sm3HashAll, (Data, DataSize, HashValue), FALSE); +} + +//===================================================================================== +// MAC (Message Authentication Code) Primitive +//===================================================================================== + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @retval NULL This interface is not supported. + +**/ +VOID * +EFIAPI +DeprecatedCryptoServiceHmacMd5New ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("HmacMd5New"), NULL; +} + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] HmacMd5Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +DeprecatedCryptoServiceHmacMd5Free ( + IN VOID *HmacMd5Ctx + ) +{ + BaseCryptLibServiceDeprecated ("HmacMd5Free"); +} + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[out] HmacMd5Context Pointer to HMAC-MD5 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacMd5SetKey ( + OUT VOID *HmacMd5Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + return BaseCryptLibServiceDeprecated ("HmacMd5SetKey"), FALSE; +} + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] HmacMd5Context Pointer to HMAC-MD5 context being copied. + @param[out] NewHmacMd5Context Pointer to new HMAC-MD5 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacMd5Duplicate ( + IN CONST VOID *HmacMd5Context, + OUT VOID *NewHmacMd5Context + ) +{ + return BaseCryptLibServiceDeprecated ("HmacMd5Duplicate"), FALSE; +} + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacMd5Update ( + IN OUT VOID *HmacMd5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return BaseCryptLibServiceDeprecated ("HmacMd5Update"), FALSE; +} + +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] HmacMd5Context Pointer to the HMAC-MD5 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-MD5 digest + value (16 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacMd5Final ( + IN OUT VOID *HmacMd5Context, + OUT UINT8 *HmacValue + ) +{ + return BaseCryptLibServiceDeprecated ("HmacMd5Final"), FALSE; +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @return NULL This interface is not supported. + +**/ +VOID * +EFIAPI +DeprecatedCryptoServiceHmacSha1New ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("HmacSha1New"), NULL; +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] HmacSha1Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +DeprecatedCryptoServiceHmacSha1Free ( + IN VOID *HmacSha1Ctx + ) +{ + BaseCryptLibServiceDeprecated ("HmacSha1Free"); +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[out] HmacSha1Context Pointer to HMAC-SHA1 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacSha1SetKey ( + OUT VOID *HmacSha1Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + return BaseCryptLibServiceDeprecated ("HmacSha1SetKey"), FALSE; +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] HmacSha1Context Pointer to HMAC-SHA1 context being copied. + @param[out] NewHmacSha1Context Pointer to new HMAC-SHA1 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacSha1Duplicate ( + IN CONST VOID *HmacSha1Context, + OUT VOID *NewHmacSha1Context + ) +{ + return BaseCryptLibServiceDeprecated ("HmacSha1Duplicate"), FALSE; +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacSha1Update ( + IN OUT VOID *HmacSha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return BaseCryptLibServiceDeprecated ("HmacSha1Update"), FALSE; +} + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] HmacSha1Context Pointer to the HMAC-SHA1 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA1 digest + value (20 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceHmacSha1Final ( + IN OUT VOID *HmacSha1Context, + OUT UINT8 *HmacValue + ) +{ + return BaseCryptLibServiceDeprecated ("HmacSha1Final"), FALSE; +} + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + @return Pointer to the HMAC_CTX context that has been initialized. + If the allocations fails, HmacSha256New() returns NULL. + +**/ +VOID * +EFIAPI +CryptoServiceHmacSha256New ( + VOID + ) +{ + return CALL_BASECRYPTLIB (HmacSha256.Services.New, HmacSha256New, (), NULL); +} + +/** + Release the specified HMAC_CTX context. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +CryptoServiceHmacSha256Free ( + IN VOID *HmacSha256Ctx + ) +{ + CALL_VOID_BASECRYPTLIB (HmacSha256.Services.Free, HmacSha256Free, (HmacSha256Ctx)); +} + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval TRUE The Key is set successfully. + @retval FALSE The Key is set unsuccessfully. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceHmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + return CALL_BASECRYPTLIB (HmacSha256.Services.SetKey, HmacSha256SetKey, (HmacSha256Context, Key, KeySize), FALSE); +} + +/** + Makes a copy of an existing HMAC-SHA256 context. + + If HmacSha256Context is NULL, then return FALSE. + If NewHmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval TRUE HMAC-SHA256 context copy succeeded. + @retval FALSE HMAC-SHA256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceHmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ) +{ + return CALL_BASECRYPTLIB (HmacSha256.Services.Duplicate, HmacSha256Duplicate, (HmacSha256Context, NewHmacSha256Context), FALSE); +} + +/** + Digests the input data and updates HMAC-SHA256 context. + + This function performs HMAC-SHA256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE HMAC-SHA256 data digest succeeded. + @retval FALSE HMAC-SHA256 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceHmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (HmacSha256.Services.Update, HmacSha256Update, (HmacSha256Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the HMAC-SHA256 digest value. + + This function completes HMAC-SHA256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the HMAC-SHA256 context cannot + be used again. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If HmacValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval TRUE HMAC-SHA256 digest computation succeeded. + @retval FALSE HMAC-SHA256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceHmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ) +{ + return CALL_BASECRYPTLIB (HmacSha256.Services.Final, HmacSha256Final, (HmacSha256Context, HmacValue), FALSE); +} + +//===================================================================================== +// Symmetric Cryptography Primitive +//===================================================================================== + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +DeprecatedCryptoServiceTdesGetContextSize ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("TdesGetContextSize"), 0; +} + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[out] TdesContext Pointer to TDES context being initialized. + @param[in] Key Pointer to the user-supplied TDES key. + @param[in] KeyLength Length of TDES key in bits. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceTdesInit ( + OUT VOID *TdesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + return BaseCryptLibServiceDeprecated ("TdesInit"), FALSE; +} + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] TdesContext Pointer to the TDES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the TDES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceTdesEcbEncrypt ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("TdesEcbEncrypt"), FALSE; +} + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] TdesContext Pointer to the TDES context. + @param[in] Input Pointer to the buffer containing the data to be decrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the TDES decryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceTdesEcbDecrypt ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("TdesEcbDecrypt"), FALSE; +} + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] TdesContext Pointer to the TDES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the TDES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceTdesCbcEncrypt ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("TdesCbcEncrypt"), FALSE; +} + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] TdesContext Pointer to the TDES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the TDES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceTdesCbcDecrypt ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("TdesCbcDecrypt"), FALSE; +} + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for AES operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +CryptoServiceAesGetContextSize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Aes.Services.GetContextSize, AesGetContextSize, (), 0); +} + +/** + Initializes user-supplied memory as AES context for subsequent use. + + This function initializes user-supplied memory pointed by AesContext as AES context. + In addition, it sets up all AES key materials for subsequent encryption and decryption + operations. + There are 3 options for key length, 128 bits, 192 bits, and 256 bits. + + If AesContext is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeyLength is not valid, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval TRUE AES context initialization succeeded. + @retval FALSE AES context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceAesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + return CALL_BASECRYPTLIB (Aes.Services.Init, AesInit, (AesContext, Key, KeyLength), FALSE); +} + +/** + AES ECB Mode is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceAesEcbEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("AesEcbEncrypt"), FALSE; +} + +/** + AES ECB Mode is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be decrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the AES decryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceAesEcbDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("AesEcbDecrypt"), FALSE; +} + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + This function performs AES encryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES encryption succeeded. + @retval FALSE AES encryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceAesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + return CALL_BASECRYPTLIB (Aes.Services.CbcEncrypt, AesCbcEncrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE); +} + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + This function performs AES decryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES decryption succeeded. + @retval FALSE AES decryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceAesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + return CALL_BASECRYPTLIB (Aes.Services.CbcDecrypt, AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE); +} + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +DeprecatedCryptoServiceArc4GetContextSize ( + VOID + ) +{ + return BaseCryptLibServiceDeprecated ("Arc4GetContextSize"), 0; +} + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[out] Arc4Context Pointer to ARC4 context being initialized. + @param[in] Key Pointer to the user-supplied ARC4 key. + @param[in] KeySize Size of ARC4 key in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceArc4Init ( + OUT VOID *Arc4Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + return BaseCryptLibServiceDeprecated ("Arc4Init"), FALSE; +} + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] Arc4Context Pointer to the ARC4 context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the ARC4 encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceArc4Encrypt ( + IN OUT VOID *Arc4Context, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("Arc4Encrypt"), FALSE; +} + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] Arc4Context Pointer to the ARC4 context. + @param[in] Input Pointer to the buffer containing the data to be decrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[out] Output Pointer to a buffer that receives the ARC4 decryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceArc4Decrypt ( + IN OUT VOID *Arc4Context, + IN UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ) +{ + return BaseCryptLibServiceDeprecated ("Arc4Decrypt"), FALSE; +} + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + + @param[in, out] Arc4Context Pointer to the ARC4 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DeprecatedCryptoServiceArc4Reset ( + IN OUT VOID *Arc4Context + ) +{ + return BaseCryptLibServiceDeprecated ("Arc4Reset"), FALSE; +} + +//===================================================================================== +// Asymmetric Cryptography Primitive +//===================================================================================== + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +CryptoServiceRsaNew ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.New, RsaNew, (), NULL); +} + +/** + Release the specified RSA context. + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +CryptoServiceRsaFree ( + IN VOID *RsaContext + ) +{ + CALL_VOID_BASECRYPTLIB (Rsa.Services.Free, RsaFree, (RsaContext)); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.SetKey, RsaSetKey, (RsaContext, KeyTag, BigNumber, BnSize), FALSE); +} + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.GetKey, RsaGetKey, (RsaContext, KeyTag, BigNumber, BnSize), FALSE); +} + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.GenerateKey, RsaGenerateKey, (RsaContext, ModulusLength, PublicExponent, PublicExponentSize), FALSE); +} + +/** + Validates key components of RSA context. + NOTE: This function performs integrity checks on all the RSA key material, so + the RSA key structure must contain all the private key data. + + This function validates key components of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaCheckKey ( + IN VOID *RsaContext + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.CheckKey, RsaCheckKey, (RsaContext), FALSE); +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.Pkcs1Sign, RsaPkcs1Sign, (RsaContext, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.Pkcs1Verify, RsaPkcs1Verify, (RsaContext, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + If PemData is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.GetPrivateKeyFromPem, RsaGetPrivateKeyFromPem, (PemData, PemSize, Password, RsaContext), FALSE); +} + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + If Cert is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Public Key was retrieved successfully. + @retval FALSE Fail to retrieve RSA public key from X509 certificate. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ) +{ + return CALL_BASECRYPTLIB (Rsa.Services.GetPublicKeyFromX509, RsaGetPublicKeyFromX509, (Cert, CertSize, RsaContext), FALSE); +} + +/** + Retrieve the subject bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If SubjectSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + @retval TRUE The certificate subject retrieved successfully. + @retval FALSE Invalid certificate, or the SubjectSize is too small for the result. + The SubjectSize will be updated with the required size. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ) +{ + return CALL_BASECRYPTLIB (X509.Services.GetSubjectName, X509GetSubjectName, (Cert, CertSize, CertSubject, SubjectSize), FALSE); +} + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +CryptoServiceX509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + return CALL_BASECRYPTLIB (X509.Services.GetCommonName, X509GetCommonName, (Cert, CertSize, CommonName, CommonNameSize), RETURN_UNSUPPORTED); +} + +/** + Retrieve the organization name (O) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate Organization Name retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If NameBufferSize is NULL. + If NameBuffer is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no Organization Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the NameBuffer is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +CryptoServiceX509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ) +{ + return CALL_BASECRYPTLIB (X509.Services.GetOrganizationName, X509GetOrganizationName, (Cert, CertSize, NameBuffer, NameBufferSize), RETURN_UNSUPPORTED); +} + +/** + Verify one X509 certificate was issued by the trusted CA. + + If Cert is NULL, then return FALSE. + If CACert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval TRUE The certificate was issued by the trusted CA. + @retval FALSE Invalid certificate or the certificate was not issued by the given + trusted CA. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ) +{ + return CALL_BASECRYPTLIB (X509.Services.VerifyCert, X509VerifyCert, (Cert, CertSize, CACert, CACertSize), FALSE); +} + +/** + Construct a X509 object from DER-encoded certificate data. + + If Cert is NULL, then return FALSE. + If SingleX509Cert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval TRUE The X509 object generation succeeded. + @retval FALSE The operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ) +{ + return CALL_BASECRYPTLIB (X509.Services.ConstructCertificate, X509ConstructCertificate, (Cert, CertSize, SingleX509Cert), FALSE); +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ) +{ + return CALL_BASECRYPTLIB (X509.Services.ConstructCertificateStackV, X509ConstructCertificateStackV, (X509Stack, Args), FALSE); +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ) +{ + VA_LIST Args; + BOOLEAN Result; + + VA_START (Args, X509Stack); + Result = CryptoServiceX509ConstructCertificateStackV (X509Stack, Args); + VA_END (Args); + return Result; +} + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +CryptoServiceX509Free ( + IN VOID *X509Cert + ) +{ + CALL_VOID_BASECRYPTLIB (X509.Services.Free, X509Free, (X509Cert)); +} + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +CryptoServiceX509StackFree ( + IN VOID *X509Stack + ) +{ + CALL_VOID_BASECRYPTLIB (X509.Services.StackFree, X509StackFree, (X509Stack)); +} + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + If Cert is NULL, then return FALSE. + If TBSCert is NULL, then return FALSE. + If TBSCertSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @retval TRUE The TBSCertificate was retrieved successfully. + @retval FALSE Invalid X.509 certificate. + +**/ +BOOLEAN +EFIAPI +CryptoServiceX509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ) +{ + return CALL_BASECRYPTLIB (X509.Services.GetTBSCert, X509GetTBSCert, (Cert, CertSize, TBSCert, TBSCertSize), FALSE); +} + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + If Password or Salt or OutKey is NULL, then return FALSE. + If the hash algorithm could not be determined, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval TRUE A key was derived successfully. + @retval FALSE One of the pointers was NULL or one of the sizes was too large. + @retval FALSE The hash algorithm could not be determined from the digest size. + @retval FALSE The key derivation operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs5HashPassword, Pkcs5HashPassword, (PasswordLength, Password, SaltLength, Salt, IterationCount, DigestSize, KeyLength, OutKey), FALSE); +} + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Things that can cause a failure include: + - X509 key size does not match any known key size. + - Fail to parse X509 certificate. + - Fail to allocate an intermediate buffer. + - Null pointer provided for a non-optional parameter. + - Data size is too large for the provided key size (max size is a function of key size + and hash digest size). + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval TRUE Encryption was successful. + @retval FALSE Encryption failed. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Encrypt, Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE); +} + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSigners, Pkcs7GetSigners, (P7Data, P7Length, CertStack, StackLength, TrustedCert, CertLength), FALSE); +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + If this interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +CryptoServicePkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + CALL_VOID_BASECRYPTLIB (Pkcs.Services.Pkcs7FreeSigners, Pkcs7FreeSigners, (Certs)); +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetCertificatesList, Pkcs7GetCertificatesList, (P7Data, P7Length, SignerChainCerts, ChainLength, UnchainCerts, UnchainLength), FALSE); +} + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + If this interface is not supported, then return FALSE. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7Sign, Pkcs7Sign, (PrivateKey, PrivateKeySize, KeyPassword, InData, InDataSize, SignCert, OtherCerts, SignedData, SignedDataSize), FALSE); +} + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7Verify, Pkcs7Verify, (P7Data, P7Length, TrustedCert, CertLength, InData, DataLength), FALSE); +} + +/** + This function receives a PKCS7 formatted signature, and then verifies that + the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity + leaf signing certificate. + Note that this function does not validate the certificate chain. + + Applications for custom EKU's are quite flexible. For example, a policy EKU + may be present in an Issuing Certificate Authority (CA), and any sub-ordinate + certificate issued might also contain this EKU, thus constraining the + sub-ordinate certificate. Other applications might allow a certificate + embedded in a device to specify that other Object Identifiers (OIDs) are + present which contains binary data specifying custom capabilities that + the device is able to do. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +RETURN_STATUS +EFIAPI +CryptoServiceVerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.VerifyEKUsInPkcs7Signature, VerifyEKUsInPkcs7Signature, (Pkcs7Signature, SignatureSize, RequiredEKUs, RequiredEKUsSize, RequireAllPresent), FALSE); +} + + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow, + then return FALSE. If the P7Data is not correctly formatted, then return FALSE. + + Caution: This function may receive untrusted input. So this function will do + basic check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetAttachedContent, Pkcs7GetAttachedContent, (P7Data, P7Length, Content, ContentSize), FALSE); +} + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + If AuthData is NULL, then return FALSE. + If ImageHash is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval TRUE The specified Authenticode Signature is valid. + @retval FALSE Invalid Authenticode Signature. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceAuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.AuthenticodeVerify, AuthenticodeVerify, (AuthData, DataSize, TrustedCert, CertSize, ImageHash, HashSize), FALSE); +} + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + If AuthData is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature. + @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data. + +**/ +BOOLEAN +EFIAPI +CryptoServiceImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.ImageTimestampVerify, ImageTimestampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE); +} + +//===================================================================================== +// DH Key Exchange Primitive +//===================================================================================== + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the allocations fails, DhNew() returns NULL. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +CryptoServiceDhNew ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Dh.Services.New, DhNew, (), NULL); +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +CryptoServiceDhFree ( + IN VOID *DhContext + ) +{ + CALL_VOID_BASECRYPTLIB (Dh.Services.Free, DhFree, (DhContext)); +} + +/** + Generates DH parameter. + + Given generator g, and length of prime number p in bits, this function generates p, + and sets DH context according to value of g and p. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval TRUE DH parameter generation succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE PRNG fails to generate random prime number with PrimeLength. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceDhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + return CALL_BASECRYPTLIB (Dh.Services.GenerateParameter, DhGenerateParameter, (DhContext, Generator, PrimeLength, Prime), FALSE); +} + +/** + Sets generator and prime parameters for DH. + + Given generator g, and prime number p, this function and sets DH + context accordingly. + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval TRUE DH parameter setting succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE Value of Generator is not suitable for the Prime. + @retval FALSE Value of Prime is not a prime number. + @retval FALSE Value of Prime is not a safe prime number. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceDhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + return CALL_BASECRYPTLIB (Dh.Services.SetParameter, DhSetParameter, (DhContext, Generator, PrimeLength, Prime), FALSE); +} + +/** + Generates DH public key. + + This function generates random secret exponent, and computes the public key, which is + returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. + If the PublicKey buffer is too small to hold the public key, FALSE is returned and + PublicKeySize is set to the required buffer size to obtain the public key. + + If DhContext is NULL, then return FALSE. + If PublicKeySize is NULL, then return FALSE. + If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval TRUE DH public key generation succeeded. + @retval FALSE DH public key generation failed. + @retval FALSE PublicKeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceDhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + return CALL_BASECRYPTLIB (Dh.Services.GenerateKey, DhGenerateKey, (DhContext, PublicKey, PublicKeySize), FALSE); +} + +/** + Computes exchanged common key. + + Given peer's public key, this function computes the exchanged common key, based on its own + context including value of prime modulus and random secret exponent. + + If DhContext is NULL, then return FALSE. + If PeerPublicKey is NULL, then return FALSE. + If KeySize is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval TRUE DH exchanged key generation succeeded. + @retval FALSE DH exchanged key generation failed. + @retval FALSE KeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceDhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + return CALL_BASECRYPTLIB (Dh.Services.ComputeKey, DhComputeKey, (DhContext, PeerPublicKey, PeerPublicKeySize, Key, KeySize), FALSE); +} + +//===================================================================================== +// Pseudo-Random Generation Primitive +//===================================================================================== + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + If this interface is not supported, then return FALSE. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + return CALL_BASECRYPTLIB (Random.Services.Seed, RandomSeed, (Seed, SeedSize), FALSE); +} + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServiceRandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + return CALL_BASECRYPTLIB (Random.Services.Bytes, RandomBytes, (Output, Size), FALSE); +} + +//===================================================================================== +// Key Derivation Function Primitive +//===================================================================================== + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +CryptoServiceHkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ) +{ + return CALL_BASECRYPTLIB (Hkdf.Services.Sha256ExtractAndExpand, HkdfSha256ExtractAndExpand, (Key, KeySize, Salt, SaltSize, Info, InfoSize, Out, OutSize), FALSE); +} + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The OpenSSL library has been initialized. + @retval FALSE Failed to initialize the OpenSSL library. + +**/ +BOOLEAN +EFIAPI +CryptoServiceTlsInitialize ( + VOID + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Initialize, TlsInitialize, (), FALSE); +} + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +CryptoServiceTlsCtxFree ( + IN VOID *TlsCtx + ) +{ + CALL_VOID_BASECRYPTLIB (Tls.Services.CtxFree, TlsCtxFree, (TlsCtx)); +} + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +CryptoServiceTlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.CtxNew, TlsCtxNew, (MajorVer, MinorVer), NULL); +} + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +CryptoServiceTlsFree ( + IN VOID *Tls + ) +{ + CALL_VOID_BASECRYPTLIB (Tls.Services.Free, TlsFree, (Tls)); +} + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +CryptoServiceTlsNew ( + IN VOID *TlsCtx + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.New, TlsNew, (TlsCtx), NULL); +} + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +CryptoServiceTlsInHandshake ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.InHandshake, TlsInHandshake, (Tls), FALSE); +} + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.DoHandshake, TlsDoHandshake, (Tls, BufferIn, BufferInSize, BufferOut, BufferOutSize), EFI_UNSUPPORTED); +} + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsHandleAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.HandleAlert, TlsHandleAlert, (Tls, BufferIn, BufferInSize, BufferOut, BufferOutSize), EFI_UNSUPPORTED); +} + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.CloseNotify, TlsCloseNotify, (Tls, Buffer, BufferSize), EFI_UNSUPPORTED); +} + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +CryptoServiceTlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.CtrlTrafficOut, TlsCtrlTrafficOut, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +CryptoServiceTlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.CtrlTrafficIn, TlsCtrlTrafficIn, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +CryptoServiceTlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Read, TlsRead, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +CryptoServiceTlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, BufferSize), 0); +} + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.Version, TlsSetVersion, (Tls, MajorVer, MinorVer), EFI_UNSUPPORTED); +} + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.ConnectionEnd, TlsSetConnectionEnd, (Tls, IsServer), EFI_UNSUPPORTED); +} + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.CipherList, TlsSetCipherList, (Tls, CipherId, CipherNum), EFI_UNSUPPORTED); +} + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetCompressionMethod ( + IN UINT8 CompMethod + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.CompressionMethod, TlsSetCompressionMethod, (CompMethod), EFI_UNSUPPORTED); +} + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +CryptoServiceTlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ) +{ + CALL_VOID_BASECRYPTLIB (TlsSet.Services.Verify, TlsSetVerify, (Tls, VerifyMode)); +} + +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetVerifyHost ( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.VerifyHost, TlsSetVerifyHost, (Tls, Flags, HostName), EFI_UNSUPPORTED); +} + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.SessionId, TlsSetSessionId, (Tls, SessionId, SessionIdLen), EFI_UNSUPPORTED); +} + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.CaCertificate, TlsSetCaCertificate, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.HostPublicCert, TlsSetHostPublicCert, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +CryptoServiceTlsGetVersion ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.Version, TlsGetVersion, (Tls), 0); +} + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +CryptoServiceTlsGetConnectionEnd ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.ConnectionEnd, TlsGetConnectionEnd, (Tls), 0); +} + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.CurrentCipher, TlsGetCurrentCipher, (Tls, CipherId), EFI_UNSUPPORTED); +} + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.CurrentCompressionId, TlsGetCurrentCompressionId, (Tls, CompressionId), EFI_UNSUPPORTED); +} + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +CryptoServiceTlsGetVerify ( + IN VOID *Tls + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.Verify, TlsGetVerify, (Tls), 0); +} + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.SessionId, TlsGetSessionId, (Tls, SessionId, SessionIdLen), EFI_UNSUPPORTED); +} + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +CryptoServiceTlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ) +{ + CALL_VOID_BASECRYPTLIB (TlsGet.Services.ClientRandom, TlsGetClientRandom, (Tls, ClientRandom)); +} + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +CryptoServiceTlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ) +{ + CALL_VOID_BASECRYPTLIB (TlsGet.Services.ServerRandom, TlsGetServerRandom, (Tls, ServerRandom)); +} + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.KeyMaterial, TlsGetKeyMaterial, (Tls, KeyMaterial), EFI_UNSUPPORTED); +} + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.CaCertificate, TlsGetCaCertificate, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.HostPublicCert, TlsGetHostPublicCert, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.HostPrivateKey, TlsGetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +CryptoServiceTlsGetCertRevocationList ( + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return CALL_BASECRYPTLIB (TlsGet.Services.CertRevocationList, TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); +} + +const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { + /// Version + CryptoServiceGetCryptoVersion, + /// HMAC MD5 - deprecated and unsupported + DeprecatedCryptoServiceHmacMd5New, + DeprecatedCryptoServiceHmacMd5Free, + DeprecatedCryptoServiceHmacMd5SetKey, + DeprecatedCryptoServiceHmacMd5Duplicate, + DeprecatedCryptoServiceHmacMd5Update, + DeprecatedCryptoServiceHmacMd5Final, + /// HMAC SHA1 - deprecated and unsupported + DeprecatedCryptoServiceHmacSha1New, + DeprecatedCryptoServiceHmacSha1Free, + DeprecatedCryptoServiceHmacSha1SetKey, + DeprecatedCryptoServiceHmacSha1Duplicate, + DeprecatedCryptoServiceHmacSha1Update, + DeprecatedCryptoServiceHmacSha1Final, + /// HMAC SHA256 + CryptoServiceHmacSha256New, + CryptoServiceHmacSha256Free, + CryptoServiceHmacSha256SetKey, + CryptoServiceHmacSha256Duplicate, + CryptoServiceHmacSha256Update, + CryptoServiceHmacSha256Final, + /// Md4 - deprecated and unsupported + DeprecatedCryptoServiceMd4GetContextSize, + DeprecatedCryptoServiceMd4Init, + DeprecatedCryptoServiceMd4Duplicate, + DeprecatedCryptoServiceMd4Update, + DeprecatedCryptoServiceMd4Final, + DeprecatedCryptoServiceMd4HashAll, +#ifndef ENABLE_MD5_DEPRECATED_INTERFACES + /// Md5 - deprecated and unsupported + DeprecatedCryptoServiceMd5GetContextSize, + DeprecatedCryptoServiceMd5Init, + DeprecatedCryptoServiceMd5Duplicate, + DeprecatedCryptoServiceMd5Update, + DeprecatedCryptoServiceMd5Final, + DeprecatedCryptoServiceMd5HashAll, +#else + /// Md5 + CryptoServiceMd5GetContextSize, + CryptoServiceMd5Init, + CryptoServiceMd5Duplicate, + CryptoServiceMd5Update, + CryptoServiceMd5Final, + CryptoServiceMd5HashAll, +#endif + /// Pkcs + CryptoServicePkcs1v2Encrypt, + CryptoServicePkcs5HashPassword, + CryptoServicePkcs7Verify, + CryptoServiceVerifyEKUsInPkcs7Signature, + CryptoServicePkcs7GetSigners, + CryptoServicePkcs7FreeSigners, + CryptoServicePkcs7Sign, + CryptoServicePkcs7GetAttachedContent, + CryptoServicePkcs7GetCertificatesList, + CryptoServiceAuthenticodeVerify, + CryptoServiceImageTimestampVerify, + /// DH + CryptoServiceDhNew, + CryptoServiceDhFree, + CryptoServiceDhGenerateParameter, + CryptoServiceDhSetParameter, + CryptoServiceDhGenerateKey, + CryptoServiceDhComputeKey, + /// Random + CryptoServiceRandomSeed, + CryptoServiceRandomBytes, + /// RSA + CryptoServiceRsaPkcs1Verify, + CryptoServiceRsaNew, + CryptoServiceRsaFree, + CryptoServiceRsaSetKey, + CryptoServiceRsaGetKey, + CryptoServiceRsaGenerateKey, + CryptoServiceRsaCheckKey, + CryptoServiceRsaPkcs1Sign, + CryptoServiceRsaPkcs1Verify, + CryptoServiceRsaGetPrivateKeyFromPem, + CryptoServiceRsaGetPublicKeyFromX509, +#ifdef DISABLE_SHA1_DEPRECATED_INTERFACES + /// Sha1 - deprecated and unsupported + DeprecatedCryptoServiceSha1GetContextSize, + DeprecatedCryptoServiceSha1Init, + DeprecatedCryptoServiceSha1Duplicate, + DeprecatedCryptoServiceSha1Update, + DeprecatedCryptoServiceSha1Final, + DeprecatedCryptoServiceSha1HashAll, +#else + /// Sha1 + CryptoServiceSha1GetContextSize, + CryptoServiceSha1Init, + CryptoServiceSha1Duplicate, + CryptoServiceSha1Update, + CryptoServiceSha1Final, + CryptoServiceSha1HashAll, +#endif + /// Sha256 + CryptoServiceSha256GetContextSize, + CryptoServiceSha256Init, + CryptoServiceSha256Duplicate, + CryptoServiceSha256Update, + CryptoServiceSha256Final, + CryptoServiceSha256HashAll, + /// Sha384 + CryptoServiceSha384GetContextSize, + CryptoServiceSha384Init, + CryptoServiceSha384Duplicate, + CryptoServiceSha384Update, + CryptoServiceSha384Final, + CryptoServiceSha384HashAll, + /// Sha512 + CryptoServiceSha512GetContextSize, + CryptoServiceSha512Init, + CryptoServiceSha512Duplicate, + CryptoServiceSha512Update, + CryptoServiceSha512Final, + CryptoServiceSha512HashAll, + /// X509 + CryptoServiceX509GetSubjectName, + CryptoServiceX509GetCommonName, + CryptoServiceX509GetOrganizationName, + CryptoServiceX509VerifyCert, + CryptoServiceX509ConstructCertificate, + CryptoServiceX509ConstructCertificateStack, + CryptoServiceX509Free, + CryptoServiceX509StackFree, + CryptoServiceX509GetTBSCert, + /// TDES - deprecated and unsupported + DeprecatedCryptoServiceTdesGetContextSize, + DeprecatedCryptoServiceTdesInit, + DeprecatedCryptoServiceTdesEcbEncrypt, + DeprecatedCryptoServiceTdesEcbDecrypt, + DeprecatedCryptoServiceTdesCbcEncrypt, + DeprecatedCryptoServiceTdesCbcDecrypt, + /// AES - ECB mode is deprecated and unsupported + CryptoServiceAesGetContextSize, + CryptoServiceAesInit, + DeprecatedCryptoServiceAesEcbEncrypt, + DeprecatedCryptoServiceAesEcbDecrypt, + CryptoServiceAesCbcEncrypt, + CryptoServiceAesCbcDecrypt, + /// Arc4 - deprecated and unsupported + DeprecatedCryptoServiceArc4GetContextSize, + DeprecatedCryptoServiceArc4Init, + DeprecatedCryptoServiceArc4Encrypt, + DeprecatedCryptoServiceArc4Decrypt, + DeprecatedCryptoServiceArc4Reset, + /// SM3 + CryptoServiceSm3GetContextSize, + CryptoServiceSm3Init, + CryptoServiceSm3Duplicate, + CryptoServiceSm3Update, + CryptoServiceSm3Final, + CryptoServiceSm3HashAll, + /// HKDF + CryptoServiceHkdfSha256ExtractAndExpand, + /// X509 (Continued) + CryptoServiceX509ConstructCertificateStackV, + /// TLS + CryptoServiceTlsInitialize, + CryptoServiceTlsCtxFree, + CryptoServiceTlsCtxNew, + CryptoServiceTlsFree, + CryptoServiceTlsNew, + CryptoServiceTlsInHandshake, + CryptoServiceTlsDoHandshake, + CryptoServiceTlsHandleAlert, + CryptoServiceTlsCloseNotify, + CryptoServiceTlsCtrlTrafficOut, + CryptoServiceTlsCtrlTrafficIn, + CryptoServiceTlsRead, + CryptoServiceTlsWrite, + /// TLS Set + CryptoServiceTlsSetVersion, + CryptoServiceTlsSetConnectionEnd, + CryptoServiceTlsSetCipherList, + CryptoServiceTlsSetCompressionMethod, + CryptoServiceTlsSetVerify, + CryptoServiceTlsSetVerifyHost, + CryptoServiceTlsSetSessionId, + CryptoServiceTlsSetCaCertificate, + CryptoServiceTlsSetHostPublicCert, + CryptoServiceTlsSetHostPrivateKey, + CryptoServiceTlsSetCertRevocationList, + /// TLS Get + CryptoServiceTlsGetVersion, + CryptoServiceTlsGetConnectionEnd, + CryptoServiceTlsGetCurrentCipher, + CryptoServiceTlsGetCurrentCompressionId, + CryptoServiceTlsGetVerify, + CryptoServiceTlsGetSessionId, + CryptoServiceTlsGetClientRandom, + CryptoServiceTlsGetServerRandom, + CryptoServiceTlsGetKeyMaterial, + CryptoServiceTlsGetCaCertificate, + CryptoServiceTlsGetHostPublicCert, + CryptoServiceTlsGetHostPrivateKey, + CryptoServiceTlsGetCertRevocationList +}; diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.uni new file mode 100644 index 00000000..3e83f9c2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/Crypto.uni @@ -0,0 +1,13 @@ +// /** @file +// Module that produces the EDK II Crypto Protocol/PPI using the library +// services from BaseCryptLib and TlsLib. +// +// Copyright (c) 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_MODULE_ABSTRACT #language en-US "Module that produces the EDK II Crypto Protocol/PPI using the library services from BaseCryptLib and TlsLib" + +#string STR_MODULE_DESCRIPTION #language en-US "Module that produces the EDK II Crypto Protocol/PPI using the library services from BaseCryptLib and TlsLib." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.c new file mode 100644 index 00000000..e06a7552 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.c @@ -0,0 +1,38 @@ +/** @file + Installs the EDK II Crypto Protocol + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +extern CONST EDKII_CRYPTO_PROTOCOL mEdkiiCrypto; + +/** + The module Entry Point of the Crypto Dxe Driver. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @retval Other Some error occurs when executing this entry point. + +**/ +EFI_STATUS +EFIAPI +CryptoDxeEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return gBS->InstallMultipleProtocolInterfaces( + &ImageHandle, + &gEdkiiCryptoProtocolGuid, + (EDKII_CRYPTO_PROTOCOL *) &mEdkiiCrypto, + NULL + ); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.inf new file mode 100644 index 00000000..0339fcf3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoDxe.inf @@ -0,0 +1,49 @@ +## @file +# Produces the EDK II Crypto Protocol using the library services from +# BaseCryptLib and TlsLib. PcdCryptoServiceFamilyEnable is used to enable the +# subset of available services. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + PI_SPECIFICATION_VERSION = 0x0001000A + BASE_NAME = CryptoDxe + MODULE_UNI_FILE = Crypto.uni + FILE_GUID = FEA01457-E381-4135-9475-C6AFD0076C61 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = CryptoDxeEntry + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + Crypto.c + CryptoDxe.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + UefiBootServicesTableLib + DebugLib + BaseCryptLib + TlsLib + +[Protocols] + gEdkiiCryptoProtocolGuid ## PRODUCES + +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable #CONSUMES + +[Depex] + TRUE diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.c new file mode 100644 index 00000000..8973a1c6 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.c @@ -0,0 +1,99 @@ +/** @file + Installs the EDK II Crypto PPI. If this PEIM is dispatched before memory is + discovered, the RegisterForShadow() feature is used to reload this PEIM into + memory after memory is discovered. + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include + +extern CONST EDKII_CRYPTO_PROTOCOL mEdkiiCrypto; + +CONST EFI_PEI_PPI_DESCRIPTOR mEdkiiCryptoPpiList = { + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), + &gEdkiiCryptoPpiGuid, + (EDKII_CRYPTO_PPI *) &mEdkiiCrypto +}; + +/** +Entry to CryptoPeiEntry. + +@param FileHandle The image handle. +@param PeiServices The PEI services table. + +@retval Status From internal routine or boot object, should not fail +**/ +EFI_STATUS +EFIAPI +CryptoPeiEntry ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + EFI_STATUS Status; + VOID *MemoryDiscoveredPpi; + EDKII_CRYPTO_PPI *EdkiiCryptoPpi; + EFI_PEI_PPI_DESCRIPTOR *EdkiiCryptoPpiDescriptor; + + // + // Not all Open SSL services support XIP due to use of global variables. + // Use gEfiPeiMemoryDiscoveredPpiGuid to detect Pre-Mem and Post-Mem and + // always shadow this module in memory in Post-Mem. + // + Status = PeiServicesLocatePpi ( + &gEfiPeiMemoryDiscoveredPpiGuid, + 0, + NULL, + (VOID **)&MemoryDiscoveredPpi + ); + if (Status == EFI_NOT_FOUND) { + // + // CryptoPei is dispatched before gEfiPeiMemoryDiscoveredPpiGuid + // + Status = PeiServicesRegisterForShadow (FileHandle); + ASSERT_EFI_ERROR (Status); + if (!EFI_ERROR (Status)) { + // + // First CryptoPpi installation. CryptoPei could come from memory or flash + // it will be re-installed after gEfiPeiMemoryDiscoveredPpiGuid + // + DEBUG ((DEBUG_INFO, "CryptoPeiEntry: Install Pre-Memory Crypto PPI\n")); + Status = PeiServicesInstallPpi (&mEdkiiCryptoPpiList); + ASSERT_EFI_ERROR (Status); + } + } else if (Status == EFI_SUCCESS) { + // + // CryptoPei is dispatched after gEfiPeiMemoryDiscoveredPpiGuid + // + Status = PeiServicesLocatePpi ( + &gEdkiiCryptoPpiGuid, + 0, + &EdkiiCryptoPpiDescriptor, + (VOID **)&EdkiiCryptoPpi + ); + if (!EFI_ERROR (Status)) { + // + // CryptoPei was also dispatched before gEfiPeiMemoryDiscoveredPpiGuid + // + DEBUG((DEBUG_INFO, "CryptoPeiEntry: ReInstall Post-Memmory Crypto PPI\n")); + Status = PeiServicesReInstallPpi ( + EdkiiCryptoPpiDescriptor, + &mEdkiiCryptoPpiList + ); + ASSERT_EFI_ERROR (Status); + } else { + DEBUG ((DEBUG_INFO, "CryptoPeiEntry: Install Post-Memmory Crypto PPI\n")); + Status = PeiServicesInstallPpi (&mEdkiiCryptoPpiList); + } + } else { + ASSERT_EFI_ERROR (Status); + } + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.inf new file mode 100644 index 00000000..e464677e --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoPei.inf @@ -0,0 +1,51 @@ +## @file +# Produces the EDK II Crypto PPI using the library services from BaseCryptLib +# and TlsLib. PcdCryptoServiceFamilyEnable is used to enable the subset of +# available services. If this PEIM is dispatched before memory is discovered, +# the RegisterForShadow() feature is used to reload this PEIM into memory after +# memory is discovered. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + BASE_NAME = CryptoPei + MODULE_UNI_FILE = Crypto.uni + FILE_GUID = 0D1CE46B-72D9-4BA7-95DA-23511865E661 + MODULE_TYPE = PEIM + VERSION_STRING = 1.0 + ENTRY_POINT = CryptoPeiEntry + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + Crypto.c + CryptoPei.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + PeimEntryPoint + PeiServicesLib + DebugLib + BaseCryptLib + TlsLib + +[Ppis] + gEfiPeiMemoryDiscoveredPpiGuid ## CONSUMES + gEdkiiCryptoPpiGuid ## PRODUCES + +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable ## CONSUMES + +[Depex] + TRUE diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.c new file mode 100644 index 00000000..f7a17f74 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.c @@ -0,0 +1,41 @@ +/** @file + Installs the EDK II Crypto SMM Protocol + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +extern CONST EDKII_CRYPTO_PROTOCOL mEdkiiCrypto; + +/** + The module Entry Point of the Crypto SMM Driver. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @retval Other Some error occurs when executing this entry point. + +**/ +EFI_STATUS +EFIAPI +CryptoSmmEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + + Handle = NULL; + return gSmst->SmmInstallProtocolInterface ( + &Handle, + &gEdkiiSmmCryptoProtocolGuid, + EFI_NATIVE_INTERFACE, + (EDKII_CRYPTO_PROTOCOL *) &mEdkiiCrypto + ); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.inf new file mode 100644 index 00000000..4563b345 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Driver/CryptoSmm.inf @@ -0,0 +1,49 @@ +## @file +# Produces the EDK II SMM Crypto Protocol using the library services from +# BaseCryptLib and TlsLib. PcdCryptoServiceFamilyEnable is used to enable the +# subset of available services. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + PI_SPECIFICATION_VERSION = 0x00010014 + BASE_NAME = CryptoSmm + MODULE_UNI_FILE = Crypto.uni + FILE_GUID = 391B853F-F488-479B-A3D6-870766C7A38F + MODULE_TYPE = DXE_SMM_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = CryptoSmmEntry + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + Crypto.c + CryptoSmm.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + SmmServicesTableLib + DebugLib + BaseCryptLib + TlsLib + +[Protocols] + gEdkiiSmmCryptoProtocolGuid ## PRODUCES + +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable ## CONSUMES + +[Depex] + TRUE diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/BaseCryptLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/BaseCryptLib.h new file mode 100644 index 00000000..57c3660f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/BaseCryptLib.h @@ -0,0 +1,2402 @@ +/** @file + Defines base cryptographic library APIs. + The Base Cryptographic Library provides implementations of basic cryptography + primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI security + functionality enabling. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __BASE_CRYPT_LIB_H__ +#define __BASE_CRYPT_LIB_H__ + +#include + +/// +/// MD5 digest size in bytes +/// +#define MD5_DIGEST_SIZE 16 + +/// +/// SHA-1 digest size in bytes. +/// +#define SHA1_DIGEST_SIZE 20 + +/// +/// SHA-256 digest size in bytes +/// +#define SHA256_DIGEST_SIZE 32 + +/// +/// SHA-384 digest size in bytes +/// +#define SHA384_DIGEST_SIZE 48 + +/// +/// SHA-512 digest size in bytes +/// +#define SHA512_DIGEST_SIZE 64 + +/// +/// SM3 digest size in bytes +/// +#define SM3_256_DIGEST_SIZE 32 + +/// +/// TDES block size in bytes +/// +#define TDES_BLOCK_SIZE 8 + +/// +/// AES block size in bytes +/// +#define AES_BLOCK_SIZE 16 + +/// +/// RSA Key Tags Definition used in RsaSetKey() function for key component identification. +/// +typedef enum { + RsaKeyN, ///< RSA public Modulus (N) + RsaKeyE, ///< RSA Public exponent (e) + RsaKeyD, ///< RSA Private exponent (d) + RsaKeyP, ///< RSA secret prime factor of Modulus (p) + RsaKeyQ, ///< RSA secret prime factor of Modules (q) + RsaKeyDp, ///< p's CRT exponent (== d mod (p - 1)) + RsaKeyDq, ///< q's CRT exponent (== d mod (q - 1)) + RsaKeyQInv ///< The CRT coefficient (== 1/q mod p) +} RSA_KEY_TAG; + +//===================================================================================== +// One-Way Cryptographic Hash Primitives +//===================================================================================== + +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Md5GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Init ( + OUT VOID *Md5Context + ); + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ); + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ); + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); +#endif + +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha1GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Init ( + OUT VOID *Sha1Context + ); + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ); + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); +#endif + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +Sha256GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha256Init ( + OUT VOID *Sha256Context + ); + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ); + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-384 hash operations. + +**/ +UINTN +EFIAPI +Sha384GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + If Sha384Context is NULL, then return FALSE. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval TRUE SHA-384 context initialization succeeded. + @retval FALSE SHA-384 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha384Init ( + OUT VOID *Sha384Context + ); + +/** + Makes a copy of an existing SHA-384 context. + + If Sha384Context is NULL, then return FALSE. + If NewSha384Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval TRUE SHA-384 context copy succeeded. + @retval FALSE SHA-384 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ); + +/** + Digests the input data and updates SHA-384 context. + + This function performs SHA-384 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be finalized + by Sha384Final(). Behavior with invalid context is undefined. + + If Sha384Context is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-384 data digest succeeded. + @retval FALSE SHA-384 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-384 digest value. + + This function completes SHA-384 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-384 context cannot + be used again. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be + finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined. + + If Sha384Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-384 message digest of a input data buffer. + + This function performs the SHA-384 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-512 hash operations. + +**/ +UINTN +EFIAPI +Sha512GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + If Sha512Context is NULL, then return FALSE. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval TRUE SHA-512 context initialization succeeded. + @retval FALSE SHA-512 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha512Init ( + OUT VOID *Sha512Context + ); + +/** + Makes a copy of an existing SHA-512 context. + + If Sha512Context is NULL, then return FALSE. + If NewSha512Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval TRUE SHA-512 context copy succeeded. + @retval FALSE SHA-512 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ); + +/** + Digests the input data and updates SHA-512 context. + + This function performs SHA-512 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be finalized + by Sha512Final(). Behavior with invalid context is undefined. + + If Sha512Context is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-512 data digest succeeded. + @retval FALSE SHA-512 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-512 digest value. + + This function completes SHA-512 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-512 context cannot + be used again. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be + finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined. + + If Sha512Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-512 message digest of a input data buffer. + + This function performs the SHA-512 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +Sm3GetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sm3Init ( + OUT VOID *Sm3Context + ); + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ); + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +//===================================================================================== +// MAC (Message Authentication Code) Primitive +//===================================================================================== + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + @return Pointer to the HMAC_CTX context that has been initialized. + If the allocations fails, HmacSha256New() returns NULL. + +**/ +VOID * +EFIAPI +HmacSha256New ( + VOID + ); + +/** + Release the specified HMAC_CTX context. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +HmacSha256Free ( + IN VOID *HmacSha256Ctx + ); + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval TRUE The Key is set successfully. + @retval FALSE The Key is set unsuccessfully. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +/** + Makes a copy of an existing HMAC-SHA256 context. + + If HmacSha256Context is NULL, then return FALSE. + If NewHmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval TRUE HMAC-SHA256 context copy succeeded. + @retval FALSE HMAC-SHA256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ); + +/** + Digests the input data and updates HMAC-SHA256 context. + + This function performs HMAC-SHA256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE HMAC-SHA256 data digest succeeded. + @retval FALSE HMAC-SHA256 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the HMAC-SHA256 digest value. + + This function completes HMAC-SHA256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the HMAC-SHA256 context cannot + be used again. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If HmacValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval TRUE HMAC-SHA256 digest computation succeeded. + @retval FALSE HMAC-SHA256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ); + +//===================================================================================== +// Symmetric Cryptography Primitive +//===================================================================================== + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for AES operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +AesGetContextSize ( + VOID + ); + +/** + Initializes user-supplied memory as AES context for subsequent use. + + This function initializes user-supplied memory pointed by AesContext as AES context. + In addition, it sets up all AES key materials for subsequent encryption and decryption + operations. + There are 3 options for key length, 128 bits, 192 bits, and 256 bits. + + If AesContext is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeyLength is not valid, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval TRUE AES context initialization succeeded. + @retval FALSE AES context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ); + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + This function performs AES encryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES encryption succeeded. + @retval FALSE AES encryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + This function performs AES decryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES decryption succeeded. + @retval FALSE AES decryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +//===================================================================================== +// Asymmetric Cryptography Primitive +//===================================================================================== + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ); + +/** + Release the specified RSA context. + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ); + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ); + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ); + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ); + +/** + Validates key components of RSA context. + NOTE: This function performs integrity checks on all the RSA key material, so + the RSA key structure must contain all the private key data. + + This function validates key components of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ); + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + +/** + Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If Message is NULL, then return FALSE. + If MsgSize is zero or > INT_MAX, then return FALSE. + If DigestLen is NOT 32, 48 or 64, return FALSE. + If SaltLen is < DigestLen, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPssSign ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPssVerify ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ); + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + If PemData is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ); + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + If Cert is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Public Key was retrieved successfully. + @retval FALSE Fail to retrieve RSA public key from X509 certificate. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ); + +/** + Retrieve the subject bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If SubjectSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + @retval TRUE The certificate subject retrieved successfully. + @retval FALSE Invalid certificate, or the SubjectSize is too small for the result. + The SubjectSize will be updated with the required size. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ); + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ); + +/** + Retrieve the organization name (O) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate Organization Name retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If NameBufferSize is NULL. + If NameBuffer is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no Organization Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the NameBuffer is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ); + +/** + Verify one X509 certificate was issued by the trusted CA. + + If Cert is NULL, then return FALSE. + If CACert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval TRUE The certificate was issued by the trusted CA. + @retval FALSE Invalid certificate or the certificate was not issued by the given + trusted CA. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ); + +/** + Construct a X509 object from DER-encoded certificate data. + + If Cert is NULL, then return FALSE. + If SingleX509Cert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval TRUE The X509 object generation succeeded. + @retval FALSE The operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ); + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ); + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ); + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +X509Free ( + IN VOID *X509Cert + ); + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +X509StackFree ( + IN VOID *X509Stack + ); + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + If Cert is NULL, then return FALSE. + If TBSCert is NULL, then return FALSE. + If TBSCertSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @retval TRUE The TBSCertificate was retrieved successfully. + @retval FALSE Invalid X.509 certificate. + +**/ +BOOLEAN +EFIAPI +X509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ); + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + If Password or Salt or OutKey is NULL, then return FALSE. + If the hash algorithm could not be determined, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval TRUE A key was derived successfully. + @retval FALSE One of the pointers was NULL or one of the sizes was too large. + @retval FALSE The hash algorithm could not be determined from the digest size. + @retval FALSE The key derivation operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ); + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Things that can cause a failure include: + - X509 key size does not match any known key size. + - Fail to parse X509 certificate. + - Fail to allocate an intermediate buffer. + - Null pointer provided for a non-optional parameter. + - Data size is too large for the provided key size (max size is a function of key size + and hash digest size). + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval TRUE Encryption was successful. + @retval FALSE Encryption failed. + +**/ +BOOLEAN +EFIAPI +Pkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ); + +/** + The 3rd parameter of Pkcs7GetSigners will return all embedded + X.509 certificate in one given PKCS7 signature. The format is: + // + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + + The two following C-structure are used for parsing CertStack more clearly. +**/ +#pragma pack(1) + +typedef struct { + UINT32 CertDataLength; // The length in bytes of X.509 certificate. + UINT8 CertDataBuffer[0]; // The X.509 certificate content (DER). +} EFI_CERT_DATA; + +typedef struct { + UINT8 CertNumber; // Number of X.509 certificate. + //EFI_CERT_DATA CertArray[]; // An array of X.509 certificate. +} EFI_CERT_STACK; + +#pragma pack() + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ); + +/** + Wrap function to use free() to free allocated memory for certificates. + + If this interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ); + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ); + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + If this interface is not supported, then return FALSE. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ); + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ); + +/** + This function receives a PKCS7 formatted signature, and then verifies that + the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity + leaf signing certificate. + Note that this function does not validate the certificate chain. + + Applications for custom EKU's are quite flexible. For example, a policy EKU + may be present in an Issuing Certificate Authority (CA), and any sub-ordinate + certificate issued might also contain this EKU, thus constraining the + sub-ordinate certificate. Other applications might allow a certificate + embedded in a device to specify that other Object Identifiers (OIDs) are + present which contains binary data specifying custom capabilities that + the device is able to do. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +RETURN_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ); + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow, + then return FALSE. If the P7Data is not correctly formatted, then return FALSE. + + Caution: This function may receive untrusted input. So this function will do + basic check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ); + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + If AuthData is NULL, then return FALSE. + If ImageHash is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval TRUE The specified Authenticode Signature is valid. + @retval FALSE Invalid Authenticode Signature. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ); + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + If AuthData is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature. + @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data. + +**/ +BOOLEAN +EFIAPI +ImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ); + +//===================================================================================== +// DH Key Exchange Primitive +//===================================================================================== + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the allocations fails, DhNew() returns NULL. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ); + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ); + +/** + Generates DH parameter. + + Given generator g, and length of prime number p in bits, this function generates p, + and sets DH context according to value of g and p. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval TRUE DH parameter generation succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE PRNG fails to generate random prime number with PrimeLength. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ); + +/** + Sets generator and prime parameters for DH. + + Given generator g, and prime number p, this function and sets DH + context accordingly. + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval TRUE DH parameter setting succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE Value of Generator is not suitable for the Prime. + @retval FALSE Value of Prime is not a prime number. + @retval FALSE Value of Prime is not a safe prime number. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ); + +/** + Generates DH public key. + + This function generates random secret exponent, and computes the public key, which is + returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. + If the PublicKey buffer is too small to hold the public key, FALSE is returned and + PublicKeySize is set to the required buffer size to obtain the public key. + + If DhContext is NULL, then return FALSE. + If PublicKeySize is NULL, then return FALSE. + If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval TRUE DH public key generation succeeded. + @retval FALSE DH public key generation failed. + @retval FALSE PublicKeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ); + +/** + Computes exchanged common key. + + Given peer's public key, this function computes the exchanged common key, based on its own + context including value of prime modulus and random secret exponent. + + If DhContext is NULL, then return FALSE. + If PeerPublicKey is NULL, then return FALSE. + If KeySize is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval TRUE DH exchanged key generation succeeded. + @retval FALSE DH exchanged key generation failed. + @retval FALSE KeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ); + +//===================================================================================== +// Pseudo-Random Generation Primitive +//===================================================================================== + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + If this interface is not supported, then return FALSE. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ); + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ); + +//===================================================================================== +// Key Derivation Function Primitive +//===================================================================================== + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +HkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ); + +#endif // __BASE_CRYPT_LIB_H__ diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/HashApiLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/HashApiLib.h new file mode 100644 index 00000000..4071808e --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/HashApiLib.h @@ -0,0 +1,110 @@ +/** @file + Unified Hash API Defines + + This API when called will calculate the Hash using the + hashing algorithm specified by PcdHashApiLibPolicy. + + Copyright (c) 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __HASH_API_LIB_H_ +#define __HASH_API_LIB_H_ + +typedef VOID *HASH_API_CONTEXT; + +/** + Retrieves the size, in bytes, of the context buffer required for hash operations. + + @return The size, in bytes, of the context buffer required for hash operations. +**/ +UINTN +EFIAPI +HashApiGetContextSize ( + VOID + ); + +/** + Init hash sequence. + + @param[out] HashContext Hash context. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_API_CONTEXT HashContext + ); + +/** + Makes a copy of an existing hash context. + + @param[in] HashContext Hash context. + @param[out] NewHashContext New copy of hash context. + + @retval TRUE Hash context copy succeeded. + @retval FALSE Hash context copy failed. +**/ +BOOLEAN +EFIAPI +HashApiDuplicate ( + IN HASH_API_CONTEXT HashContext, + OUT HASH_API_CONTEXT NewHashContext + ); + +/** + Update hash data. + + @param[in] HashContext Hash context. + @param[in] DataToHash Data to be hashed. + @param[in] DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_API_CONTEXT HashContext, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ); + +/** + Hash complete. + + @param[in] HashContext Hash context. + @param[out] Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_API_CONTEXT HashContext, + OUT UINT8 *Digest + ); + +/** + Computes hash message digest of a input data buffer. + + @param[in] DataToHash Data to be hashed. + @param[in] DataToHashLen Data size. + @param[out] Digest Hash Digest. + + @retval TRUE Hash digest computation succeeded. + @retval FALSE Hash digest computation failed. +**/ +BOOLEAN +EFIAPI +HashApiHashAll ( + IN CONST VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest + ); + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/TlsLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/TlsLib.h new file mode 100644 index 00000000..5990b8d3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Library/TlsLib.h @@ -0,0 +1,814 @@ +/** @file + Defines TLS Library APIs. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __TLS_LIB_H__ +#define __TLS_LIB_H__ + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The OpenSSL library has been initialized. + @retval FALSE Failed to initialize the OpenSSL library. + +**/ +BOOLEAN +EFIAPI +TlsInitialize ( + VOID + ); + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ); + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ); + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ); + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ); + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandleAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ); + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ); + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ); + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ); + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ); + +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetVerifyHost ( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ); + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ); + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ); + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ); + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ); + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ); + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ); + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ); + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ); + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ); + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ); + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +#endif // __TLS_LIB_H__ + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h new file mode 100644 index 00000000..2f5d2a93 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h @@ -0,0 +1,293 @@ +/** @file + Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable. + + Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __PCD_CRYPTO_SERVICE_FAMILY_ENABLE_H__ +#define __PCD_CRYPTO_SERVICE_FAMILY_ENABLE_H__ + +/// +/// Define used to enable all the crypto services in a family +/// +#define PCD_CRYPTO_SERVICE_ENABLE_FAMILY 0xFFFFFFFF + +/// +/// PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure. Each field in this structure +/// is associated with a service in the EDK II Crypto Protocol/PPI. This allows +/// each individual service to be enabled/disabled in a DSC file. Services are +/// also grouped into families. Unions are used to support enabling or +/// disabling an entire family in a single DSC statement. +/// +typedef struct { + union { + struct { + UINT8 New:1; + UINT8 Free:1; + UINT8 SetKey:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + } Services; + UINT32 Family; + } HmacMd5; + union { + struct { + UINT8 New:1; + UINT8 Free:1; + UINT8 SetKey:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + } Services; + UINT32 Family; + } HmacSha1; + union { + struct { + UINT8 New:1; + UINT8 Free:1; + UINT8 SetKey:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + } Services; + UINT32 Family; + } HmacSha256; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Md4; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Md5; + union { + struct { + UINT8 Pkcs1v2Encrypt:1; + UINT8 Pkcs5HashPassword:1; + UINT8 Pkcs7Verify:1; + UINT8 VerifyEKUsInPkcs7Signature:1; + UINT8 Pkcs7GetSigners:1; + UINT8 Pkcs7FreeSigners:1; + UINT8 Pkcs7Sign:1; + UINT8 Pkcs7GetAttachedContent:1; + UINT8 Pkcs7GetCertificatesList:1; + UINT8 AuthenticodeVerify:1; + UINT8 ImageTimestampVerify:1; + } Services; + UINT32 Family; + } Pkcs; + union { + struct { + UINT8 New:1; + UINT8 Free:1; + UINT8 GenerateParameter:1; + UINT8 SetParameter:1; + UINT8 GenerateKey:1; + UINT8 ComputeKey:1; + } Services; + UINT32 Family; + } Dh; + union { + struct { + UINT8 Seed:1; + UINT8 Bytes:1; + } Services; + UINT32 Family; + } Random; + union { + struct { + UINT8 VerifyPkcs1:1; + UINT8 New:1; + UINT8 Free:1; + UINT8 SetKey:1; + UINT8 GetKey:1; + UINT8 GenerateKey:1; + UINT8 CheckKey:1; + UINT8 Pkcs1Sign:1; + UINT8 Pkcs1Verify:1; + UINT8 GetPrivateKeyFromPem:1; + UINT8 GetPublicKeyFromX509:1; + } Services; + UINT32 Family; + } Rsa; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Sha1; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Sha256; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Sha384; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Sha512; + union { + struct { + UINT8 GetSubjectName:1; + UINT8 GetCommonName:1; + UINT8 GetOrganizationName:1; + UINT8 VerifyCert:1; + UINT8 ConstructCertificate:1; + UINT8 ConstructCertificateStack:1; + UINT8 ConstructCertificateStackV:1; + UINT8 Free:1; + UINT8 StackFree:1; + UINT8 GetTBSCert:1; + } Services; + UINT32 Family; + } X509; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 EcbEncrypt:1; + UINT8 EcbDecrypt:1; + UINT8 CbcEncrypt:1; + UINT8 CbcDecrypt:1; + } Services; + UINT32 Family; + } Tdes; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 EcbEncrypt:1; + UINT8 EcbDecrypt:1; + UINT8 CbcEncrypt:1; + UINT8 CbcDecrypt:1; + } Services; + UINT32 Family; + } Aes; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Encrypt:1; + UINT8 Decrypt:1; + UINT8 Reset:1; + } Services; + UINT32 Family; + } Arc4; + union { + struct { + UINT8 GetContextSize:1; + UINT8 Init:1; + UINT8 Duplicate:1; + UINT8 Update:1; + UINT8 Final:1; + UINT8 HashAll:1; + } Services; + UINT32 Family; + } Sm3; + union { + struct { + UINT8 Sha256ExtractAndExpand; + } Services; + UINT32 Family; + } Hkdf; + union { + struct { + UINT8 Initialize:1; + UINT8 CtxFree:1; + UINT8 CtxNew:1; + UINT8 Free:1; + UINT8 New:1; + UINT8 InHandshake:1; + UINT8 DoHandshake:1; + UINT8 HandleAlert:1; + UINT8 CloseNotify:1; + UINT8 CtrlTrafficOut:1; + UINT8 CtrlTrafficIn:1; + UINT8 Read:1; + UINT8 Write:1; + } Services; + UINT32 Family; + } Tls; + union { + struct { + UINT8 Version:1; + UINT8 ConnectionEnd:1; + UINT8 CipherList:1; + UINT8 CompressionMethod:1; + UINT8 Verify:1; + UINT8 VerifyHost:1; + UINT8 SessionId:1; + UINT8 CaCertificate:1; + UINT8 HostPublicCert:1; + UINT8 HostPrivateKey:1; + UINT8 CertRevocationList:1; + } Services; + UINT32 Family; + } TlsSet; + union { + struct { + UINT8 Version:1; + UINT8 ConnectionEnd:1; + UINT8 CurrentCipher:1; + UINT8 CurrentCompressionId:1; + UINT8 Verify:1; + UINT8 SessionId:1; + UINT8 ClientRandom:1; + UINT8 ServerRandom:1; + UINT8 KeyMaterial:1; + UINT8 CaCertificate:1; + UINT8 HostPublicCert:1; + UINT8 HostPrivateKey:1; + UINT8 CertRevocationList:1; + } Services; + UINT32 Family; + } TlsGet; +} PCD_CRYPTO_SERVICE_FAMILY_ENABLE; + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf new file mode 100644 index 00000000..e560479f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -0,0 +1,108 @@ +## @file +# Cryptographic Library Instance for DXE_DRIVER. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseCryptLib + MODULE_UNI_FILE = BaseCryptLib.uni + FILE_GUID = be3bb803-91b6-4da0-bd91-a8b21c18ca5d + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5.c + Hash/CryptSha1.c + Hash/CryptSha256.c + Hash/CryptSha512.c + Hash/CryptSm3.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c + Cipher/CryptAes.c + Pk/CryptRsaBasic.c + Pk/CryptRsaExt.c + Pk/CryptPkcs1Oaep.c + Pk/CryptPkcs5Pbkdf2.c + Pk/CryptPkcs7Sign.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7VerifyEku.c + Pk/CryptDh.c + Pk/CryptX509.c + Pk/CryptAuthenticode.c + Pk/CryptTs.c + Pk/CryptRsaPss.c + Pk/CryptRsaPssSign.c + Pem/CryptPem.c + + SysCall/CrtWrapper.c + SysCall/TimerWrapper.c + SysCall/BaseMemAllocation.c + SysCall/inet_pton.c + +[Sources.Ia32] + Rand/CryptRandTsc.c + +[Sources.X64] + Rand/CryptRandTsc.c + +[Sources.ARM] + Rand/CryptRand.c + +[Sources.AARCH64] + Rand/CryptRand.c + +[Sources.RISCV64] + Rand/CryptRand.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiRuntimeServicesTableLib + DebugLib + OpensslLib + IntrinsicLib + PrintLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # + MSFT:*_*_*_CC_FLAGS = /wd4090 + + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types + + XCODE:*_*_*_CC_FLAGS = -std=c99 diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.uni new file mode 100644 index 00000000..ed1852ef --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.uni @@ -0,0 +1,19 @@ +// /** @file +// Cryptographic Library Instance for DXE_DRIVER. +// +// Caution: This module requires additional review when modified. +// This library will have external input - signature. +// This external input must be validated carefully to avoid security issues such as +// buffer overflow or integer overflow. +// +// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_DRIVER" + +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c new file mode 100644 index 00000000..ac561272 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c @@ -0,0 +1,203 @@ +/** @file + AES Wrapper Implementation over OpenSSL. + +Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + @return The size, in bytes, of the context buffer required for AES operations. + +**/ +UINTN +EFIAPI +AesGetContextSize ( + VOID + ) +{ + // + // AES uses different key contexts for encryption and decryption, so here memory + // for 2 copies of AES_KEY is allocated. + // + return (UINTN) (2 * sizeof (AES_KEY)); +} + +/** + Initializes user-supplied memory as AES context for subsequent use. + + This function initializes user-supplied memory pointed by AesContext as AES context. + In addition, it sets up all AES key materials for subsequent encryption and decryption + operations. + There are 3 options for key length, 128 bits, 192 bits, and 256 bits. + + If AesContext is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeyLength is not valid, then return FALSE. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval TRUE AES context initialization succeeded. + @retval FALSE AES context initialization failed. + +**/ +BOOLEAN +EFIAPI +AesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + AES_KEY *AesKey; + + // + // Check input parameters. + // + if (AesContext == NULL || Key == NULL || (KeyLength != 128 && KeyLength != 192 && KeyLength != 256)) { + return FALSE; + } + + // + // Initialize AES encryption & decryption key schedule. + // + AesKey = (AES_KEY *) AesContext; + if (AES_set_encrypt_key (Key, (UINT32) KeyLength, AesKey) != 0) { + return FALSE; + } + if (AES_set_decrypt_key (Key, (UINT32) KeyLength, AesKey + 1) != 0) { + return FALSE; + } + return TRUE; +} + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + This function performs AES encryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES encryption succeeded. + @retval FALSE AES encryption failed. + +**/ +BOOLEAN +EFIAPI +AesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + AES_KEY *AesKey; + UINT8 IvecBuffer[AES_BLOCK_SIZE]; + + // + // Check input parameters. + // + if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { + return FALSE; + } + + AesKey = (AES_KEY *) AesContext; + CopyMem (IvecBuffer, Ivec, AES_BLOCK_SIZE); + + // + // Perform AES data encryption with CBC mode + // + AES_cbc_encrypt (Input, Output, (UINT32) InputSize, AesKey, IvecBuffer, AES_ENCRYPT); + + return TRUE; +} + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + This function performs AES decryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES decryption succeeded. + @retval FALSE AES decryption failed. + +**/ +BOOLEAN +EFIAPI +AesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + AES_KEY *AesKey; + UINT8 IvecBuffer[AES_BLOCK_SIZE]; + + // + // Check input parameters. + // + if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { + return FALSE; + } + + AesKey = (AES_KEY *) AesContext; + CopyMem (IvecBuffer, Ivec, AES_BLOCK_SIZE); + + // + // Perform AES data decryption with CBC mode + // + AES_cbc_encrypt (Input, Output, (UINT32) InputSize, AesKey + 1, IvecBuffer, AES_DECRYPT); + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c new file mode 100644 index 00000000..40d94c66 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c @@ -0,0 +1,107 @@ +/** @file + AES Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +AesGetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory as AES context for subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + Return FALSE to indicate this interface is not supported. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + Return FALSE to indicate this interface is not supported. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c new file mode 100644 index 00000000..2625f049 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c @@ -0,0 +1,226 @@ +/** @file + MD5 Digest Wrapper Implementation over OpenSSL. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + +**/ +UINTN +EFIAPI +Md5GetContextSize ( + VOID + ) +{ + // + // Retrieves the OpenSSL MD5 Context Size + // + return (UINTN) (sizeof (MD5_CTX)); +} + + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Md5Init ( + OUT VOID *Md5Context + ) +{ + // + // Check input parameters. + // + if (Md5Context == NULL) { + return FALSE; + } + + // + // OpenSSL MD5 Context Initialization + // + return (BOOLEAN) (MD5_Init ((MD5_CTX *) Md5Context)); +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + +**/ +BOOLEAN +EFIAPI +Md5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + // + // Check input parameters. + // + if (Md5Context == NULL || NewMd5Context == NULL) { + return FALSE; + } + + CopyMem (NewMd5Context, Md5Context, sizeof (MD5_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + +**/ +BOOLEAN +EFIAPI +Md5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Md5Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && (DataSize != 0)) { + return FALSE; + } + + // + // OpenSSL MD5 Hash Update + // + return (BOOLEAN) (MD5_Update ((MD5_CTX *) Md5Context, Data, DataSize)); +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Md5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Md5Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // OpenSSL MD5 Hash Finalization + // + return (BOOLEAN) (MD5_Final (HashValue, (MD5_CTX *) Md5Context)); +} + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && (DataSize != 0)) { + return FALSE; + } + + // + // OpenSSL MD5 Hash Computation. + // + if (MD5 (Data, DataSize, HashValue) == NULL) { + return FALSE; + } else { + return TRUE; + } +} +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c new file mode 100644 index 00000000..5e951621 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1.c @@ -0,0 +1,225 @@ +/** @file + SHA-1 Digest Wrapper Implementation over OpenSSL. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + +**/ +UINTN +EFIAPI +Sha1GetContextSize ( + VOID + ) +{ + // + // Retrieves OpenSSL SHA Context Size + // + return (UINTN) (sizeof (SHA_CTX)); +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha1Init ( + OUT VOID *Sha1Context + ) +{ + // + // Check input parameters. + // + if (Sha1Context == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-1 Context Initialization + // + return (BOOLEAN) (SHA1_Init ((SHA_CTX *) Sha1Context)); +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + // + // Check input parameters. + // + if (Sha1Context == NULL || NewSha1Context == NULL) { + return FALSE; + } + + CopyMem (NewSha1Context, Sha1Context, sizeof (SHA_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Sha1Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-1 Hash Update + // + return (BOOLEAN) (SHA1_Update ((SHA_CTX *) Sha1Context, Data, DataSize)); +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Sha1Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-1 Hash Finalization + // + return (BOOLEAN) (SHA1_Final (HashValue, (SHA_CTX *) Sha1Context)); +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-1 Hash Computation. + // + if (SHA1 (Data, DataSize, HashValue) == NULL) { + return FALSE; + } else { + return TRUE; + } +} +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256.c new file mode 100644 index 00000000..d65b0619 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256.c @@ -0,0 +1,223 @@ +/** @file + SHA-256 Digest Wrapper Implementation over OpenSSL. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +Sha256GetContextSize ( + VOID + ) +{ + // + // Retrieves OpenSSL SHA-256 Context Size + // + return (UINTN) (sizeof (SHA256_CTX)); +} + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha256Init ( + OUT VOID *Sha256Context + ) +{ + // + // Check input parameters. + // + if (Sha256Context == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-256 Context Initialization + // + return (BOOLEAN) (SHA256_Init ((SHA256_CTX *) Sha256Context)); +} + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ) +{ + // + // Check input parameters. + // + if (Sha256Context == NULL || NewSha256Context == NULL) { + return FALSE; + } + + CopyMem (NewSha256Context, Sha256Context, sizeof (SHA256_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Sha256Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-256 Hash Update + // + return (BOOLEAN) (SHA256_Update ((SHA256_CTX *) Sha256Context, Data, DataSize)); +} + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Sha256Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-256 Hash Finalization + // + return (BOOLEAN) (SHA256_Final (HashValue, (SHA256_CTX *) Sha256Context)); +} + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-256 Hash Computation. + // + if (SHA256 (Data, DataSize, HashValue) == NULL) { + return FALSE; + } else { + return TRUE; + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c new file mode 100644 index 00000000..bee25a0a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512.c @@ -0,0 +1,440 @@ +/** @file + SHA-384 and SHA-512 Digest Wrapper Implementations over OpenSSL. + +Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-384 hash operations. + +**/ +UINTN +EFIAPI +Sha384GetContextSize ( + VOID + ) +{ + // + // Retrieves OpenSSL SHA-384 Context Size + // + return (UINTN) (sizeof (SHA512_CTX)); +} + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + If Sha384Context is NULL, then return FALSE. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval TRUE SHA-384 context initialization succeeded. + @retval FALSE SHA-384 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha384Init ( + OUT VOID *Sha384Context + ) +{ + // + // Check input parameters. + // + if (Sha384Context == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-384 Context Initialization + // + return (BOOLEAN) (SHA384_Init ((SHA512_CTX *) Sha384Context)); +} + +/** + Makes a copy of an existing SHA-384 context. + + If Sha384Context is NULL, then return FALSE. + If NewSha384Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval TRUE SHA-384 context copy succeeded. + @retval FALSE SHA-384 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ) +{ + // + // Check input parameters. + // + if (Sha384Context == NULL || NewSha384Context == NULL) { + return FALSE; + } + + CopyMem (NewSha384Context, Sha384Context, sizeof (SHA512_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates SHA-384 context. + + This function performs SHA-384 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be finalized + by Sha384Final(). Behavior with invalid context is undefined. + + If Sha384Context is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-384 data digest succeeded. + @retval FALSE SHA-384 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Sha384Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-384 Hash Update + // + return (BOOLEAN) (SHA384_Update ((SHA512_CTX *) Sha384Context, Data, DataSize)); +} + +/** + Completes computation of the SHA-384 digest value. + + This function completes SHA-384 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-384 context cannot + be used again. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be + finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined. + + If Sha384Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Sha384Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-384 Hash Finalization + // + return (BOOLEAN) (SHA384_Final (HashValue, (SHA512_CTX *) Sha384Context)); +} + +/** + Computes the SHA-384 message digest of a input data buffer. + + This function performs the SHA-384 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-384 Hash Computation. + // + if (SHA384 (Data, DataSize, HashValue) == NULL) { + return FALSE; + } else { + return TRUE; + } +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-512 hash operations. + +**/ +UINTN +EFIAPI +Sha512GetContextSize ( + VOID + ) +{ + // + // Retrieves OpenSSL SHA-512 Context Size + // + return (UINTN) (sizeof (SHA512_CTX)); +} + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + If Sha512Context is NULL, then return FALSE. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval TRUE SHA-512 context initialization succeeded. + @retval FALSE SHA-512 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha512Init ( + OUT VOID *Sha512Context + ) +{ + // + // Check input parameters. + // + if (Sha512Context == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-512 Context Initialization + // + return (BOOLEAN) (SHA512_Init ((SHA512_CTX *) Sha512Context)); +} + +/** + Makes a copy of an existing SHA-512 context. + + If Sha512Context is NULL, then return FALSE. + If NewSha512Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval TRUE SHA-512 context copy succeeded. + @retval FALSE SHA-512 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ) +{ + // + // Check input parameters. + // + if (Sha512Context == NULL || NewSha512Context == NULL) { + return FALSE; + } + + CopyMem (NewSha512Context, Sha512Context, sizeof (SHA512_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates SHA-512 context. + + This function performs SHA-512 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be finalized + by Sha512Final(). Behavior with invalid context is undefined. + + If Sha512Context is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-512 data digest succeeded. + @retval FALSE SHA-512 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Sha512Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-512 Hash Update + // + return (BOOLEAN) (SHA512_Update ((SHA512_CTX *) Sha512Context, Data, DataSize)); +} + +/** + Completes computation of the SHA-512 digest value. + + This function completes SHA-512 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-512 context cannot + be used again. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be + finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined. + + If Sha512Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Sha512Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // OpenSSL SHA-512 Hash Finalization + // + return (BOOLEAN) (SHA384_Final (HashValue, (SHA512_CTX *) Sha512Context)); +} + +/** + Computes the SHA-512 message digest of a input data buffer. + + This function performs the SHA-512 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL SHA-512 Hash Computation. + // + if (SHA512 (Data, DataSize, HashValue) == NULL) { + return FALSE; + } else { + return TRUE; + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c new file mode 100644 index 00000000..321cbf1b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha512Null.c @@ -0,0 +1,275 @@ +/** @file + SHA-384 and SHA-512 Digest Wrapper Implementations which does not provide real capabilities. + +Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha384GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Init ( + OUT VOID *Sha384Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-384 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-384 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-384 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-384 message digest of a input data buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha512GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Init ( + OUT VOID *Sha512Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-512 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-512 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-512 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-512 message digest of a input data buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c new file mode 100644 index 00000000..470d37ea --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c @@ -0,0 +1,234 @@ +/** @file + SM3 Digest Wrapper Implementations over openssl. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include "crypto/sm3.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +Sm3GetContextSize ( + VOID + ) +{ + // + // Retrieves Openssl SM3 Context Size + // + return (UINTN) (sizeof (SM3_CTX)); +} + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sm3Init ( + OUT VOID *Sm3Context + ) +{ + // + // Check input parameters. + // + if (Sm3Context == NULL) { + return FALSE; + } + + // + // Openssl SM3 Context Initialization + // + sm3_init ((SM3_CTX *) Sm3Context); + return TRUE; +} + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ) +{ + // + // Check input parameters. + // + if (Sm3Context == NULL || NewSm3Context == NULL) { + return FALSE; + } + + CopyMem (NewSm3Context, Sm3Context, sizeof (SM3_CTX)); + + return TRUE; +} + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (Sm3Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in Openssl + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // Openssl SM3 Hash Update + // + sm3_update ((SM3_CTX *) Sm3Context, Data, DataSize); + + return TRUE; +} + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ) +{ + // + // Check input parameters. + // + if (Sm3Context == NULL || HashValue == NULL) { + return FALSE; + } + + // + // Openssl SM3 Hash Finalization + // + sm3_final (HashValue, (SM3_CTX *) Sm3Context); + + return TRUE; +} + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + SM3_CTX Ctx; + + // + // Check input parameters. + // + if (HashValue == NULL) { + return FALSE; + } + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // SM3 Hash Computation. + // + sm3_init(&Ctx); + + sm3_update(&Ctx, Data, DataSize); + + sm3_final(HashValue, &Ctx); + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c new file mode 100644 index 00000000..c4b1f968 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c @@ -0,0 +1,216 @@ +/** @file + HMAC-SHA256 Wrapper Implementation over OpenSSL. + +Copyright (c) 2016 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + @return Pointer to the HMAC_CTX context that has been initialized. + If the allocations fails, HmacSha256New() returns NULL. + +**/ +VOID * +EFIAPI +HmacSha256New ( + VOID + ) +{ + // + // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new() + // + return (VOID *) HMAC_CTX_new (); +} + +/** + Release the specified HMAC_CTX context. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +HmacSha256Free ( + IN VOID *HmacSha256Ctx + ) +{ + // + // Free OpenSSL HMAC_CTX Context + // + HMAC_CTX_free ((HMAC_CTX *)HmacSha256Ctx); +} + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + If HmacSha256Context is NULL, then return FALSE. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval TRUE The Key is set successfully. + @retval FALSE The Key is set unsuccessfully. + +**/ +BOOLEAN +EFIAPI +HmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + // + // Check input parameters. + // + if (HmacSha256Context == NULL || KeySize > INT_MAX) { + return FALSE; + } + + if (HMAC_Init_ex ((HMAC_CTX *)HmacSha256Context, Key, (UINT32) KeySize, EVP_sha256(), NULL) != 1) { + return FALSE; + } + + return TRUE; +} + +/** + Makes a copy of an existing HMAC-SHA256 context. + + If HmacSha256Context is NULL, then return FALSE. + If NewHmacSha256Context is NULL, then return FALSE. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval TRUE HMAC-SHA256 context copy succeeded. + @retval FALSE HMAC-SHA256 context copy failed. + +**/ +BOOLEAN +EFIAPI +HmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ) +{ + // + // Check input parameters. + // + if (HmacSha256Context == NULL || NewHmacSha256Context == NULL) { + return FALSE; + } + + if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha256Context, (HMAC_CTX *)HmacSha256Context) != 1) { + return FALSE; + } + + return TRUE; +} + +/** + Digests the input data and updates HMAC-SHA256 context. + + This function performs HMAC-SHA256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE HMAC-SHA256 data digest succeeded. + @retval FALSE HMAC-SHA256 data digest failed. + +**/ +BOOLEAN +EFIAPI +HmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + // + // Check input parameters. + // + if (HmacSha256Context == NULL) { + return FALSE; + } + + // + // Check invalid parameters, in case that only DataLength was checked in OpenSSL + // + if (Data == NULL && DataSize != 0) { + return FALSE; + } + + // + // OpenSSL HMAC-SHA256 digest update + // + if (HMAC_Update ((HMAC_CTX *)HmacSha256Context, Data, DataSize) != 1) { + return FALSE; + } + + return TRUE; +} + +/** + Completes computation of the HMAC-SHA256 digest value. + + This function completes HMAC-SHA256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the HMAC-SHA256 context cannot + be used again. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If HmacValue is NULL, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval TRUE HMAC-SHA256 digest computation succeeded. + @retval FALSE HMAC-SHA256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +HmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ) +{ + UINT32 Length; + + // + // Check input parameters. + // + if (HmacSha256Context == NULL || HmacValue == NULL) { + return FALSE; + } + + // + // OpenSSL HMAC-SHA256 digest finalization + // + if (HMAC_Final ((HMAC_CTX *)HmacSha256Context, HmacValue, &Length) != 1) { + return FALSE; + } + if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha256Context) != 1) { + return FALSE; + } + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c new file mode 100644 index 00000000..aef2f8c2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c @@ -0,0 +1,139 @@ +/** @file + HMAC-SHA256 Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2016 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + Return NULL to indicate this interface is not supported. + + @return NULL This interface is not supported.. + +**/ +VOID * +EFIAPI +HmacSha256New ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified HMAC_CTX context. + + This function will do nothing. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +HmacSha256Free ( + IN VOID *HmacSha256Ctx + ) +{ + ASSERT (FALSE); + return; +} + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + Return FALSE to indicate this interface is not supported. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing HMAC-SHA256 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates HMAC-SHA256 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the HMAC-SHA256 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/InternalCryptLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/InternalCryptLib.h new file mode 100644 index 00000000..f5900cfb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/InternalCryptLib.h @@ -0,0 +1,62 @@ +/** @file + Internal include file for BaseCryptLib. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTERNAL_CRYPT_LIB_H__ +#define __INTERNAL_CRYPT_LIB_H__ + +#undef _WIN32 +#undef _WIN64 + +#include +#include +#include +#include +#include + +#include "CrtLibSupport.h" + +#include + +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define OBJ_get0_data(o) ((o)->data) +#define OBJ_length(o) ((o)->length) +#endif + +/** + Check input P7Data is a wrapped ContentInfo structure or not. If not construct + a new structure to wrap P7Data. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise + return FALSE. + @param[out] WrapData If return status of this function is TRUE: + 1) when WrapFlag is TRUE, pointer to P7Data. + 2) when WrapFlag is FALSE, pointer to a new ContentInfo + structure. It's caller's responsibility to free this + buffer. + @param[out] WrapDataSize Length of ContentInfo structure in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE The operation is failed due to lack of resources. + +**/ +BOOLEAN +WrapPkcs7Data ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT BOOLEAN *WrapFlag, + OUT UINT8 **WrapData, + OUT UINTN *WrapDataSize + ); + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c new file mode 100644 index 00000000..9c170656 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c @@ -0,0 +1,75 @@ +/** @file + HMAC-SHA256 KDF Wrapper Implementation over OpenSSL. + +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +/** + Derive HMAC-based Extract-and-Expand Key Derivation Function (HKDF). + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +HkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ) +{ + EVP_PKEY_CTX *pHkdfCtx; + BOOLEAN Result; + + if (Key == NULL || Salt == NULL || Info == NULL || Out == NULL || + KeySize > INT_MAX || SaltSize > INT_MAX || InfoSize > INT_MAX || OutSize > INT_MAX ) { + return FALSE; + } + + pHkdfCtx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + if (pHkdfCtx == NULL) { + return FALSE; + } + + Result = EVP_PKEY_derive_init(pHkdfCtx) > 0; + if (Result) { + Result = EVP_PKEY_CTX_set_hkdf_md(pHkdfCtx, EVP_sha256()) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set1_hkdf_salt(pHkdfCtx, Salt, (UINT32)SaltSize) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set1_hkdf_key(pHkdfCtx, Key, (UINT32)KeySize) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_add1_hkdf_info(pHkdfCtx, Info, (UINT32)InfoSize) > 0; + } + if (Result) { + Result = EVP_PKEY_derive(pHkdfCtx, Out, &OutSize) > 0; + } + + EVP_PKEY_CTX_free(pHkdfCtx); + pHkdfCtx = NULL; + return Result; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c new file mode 100644 index 00000000..64792476 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c @@ -0,0 +1,43 @@ +/** @file + HMAC-SHA256 KDF Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +HkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf new file mode 100644 index 00000000..d8d965c7 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -0,0 +1,98 @@ +## @file +# Cryptographic Library Instance for PEIM. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Note: +# HMAC-SHA256 functions, AES functions, RSA external +# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 +# certificate handler functions, authenticode signature verification functions, +# PEM handler functions, and pseudorandom number generator functions are not +# supported in this instance. +# +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = PeiCryptLib + MODULE_UNI_FILE = PeiCryptLib.uni + FILE_GUID = 9a2a4375-194c-4e97-9f67-547ec98d96ca + MODULE_TYPE = PEIM + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib|PEIM PEI_CORE + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5.c + Hash/CryptSha1.c + Hash/CryptSha256.c + Hash/CryptSm3.c + Hash/CryptSha512.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c + Cipher/CryptAesNull.c + Pk/CryptRsaBasic.c + Pk/CryptRsaExtNull.c + Pk/CryptPkcs1OaepNull.c + Pk/CryptPkcs5Pbkdf2Null.c + Pk/CryptPkcs7SignNull.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7VerifyEku.c + Pk/CryptDhNull.c + Pk/CryptX509Null.c + Pk/CryptAuthenticodeNull.c + Pk/CryptTsNull.c + Pk/CryptRsaPss.c + Pk/CryptRsaPssSignNull.c + Pem/CryptPemNull.c + Rand/CryptRandNull.c + + SysCall/CrtWrapper.c + SysCall/ConstantTimeClock.c + SysCall/BaseMemAllocation.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + DebugLib + OpensslLib + IntrinsicLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # C4718: 'function call' : recursive call has no side effects, deleting + # + MSFT:*_*_*_CC_FLAGS = /wd4090 /wd4718 + + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types + + XCODE:*_*_*_CC_FLAGS = -std=c99 diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni new file mode 100644 index 00000000..20ae64e8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni @@ -0,0 +1,25 @@ +// /** @file +// Cryptographic Library Instance for PEIM. +// +// Caution: This module requires additional review when modified. +// This library will have external input - signature. +// This external input must be validated carefully to avoid security issues such as +// buffer overflow or integer overflow. +// +// Note: AES +// functions, RSA external functions, PKCS#7 SignedData sign functions, +// Diffie-Hellman functions, X.509 certificate handler functions, authenticode +// signature verification functions, PEM handler functions, and pseudorandom number +// generator functions are not supported in this instance. +// +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for PEIM" + +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c new file mode 100644 index 00000000..287e308d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c @@ -0,0 +1,126 @@ +/** @file + PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL. + +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include + +/** + Callback function for password phrase conversion used for retrieving the encrypted PEM. + + @param[out] Buf Pointer to the buffer to write the passphrase to. + @param[in] Size Maximum length of the passphrase (i.e. the size of Buf). + @param[in] Flag A flag which is set to 0 when reading and 1 when writing. + @param[in] Key Key data to be passed to the callback routine. + + @retval The number of characters in the passphrase or 0 if an error occurred. + +**/ +INTN +PasswordCallback ( + OUT CHAR8 *Buf, + IN INTN Size, + IN INTN Flag, + IN VOID *Key + ) +{ + INTN KeyLength; + + ZeroMem ((VOID *) Buf, (UINTN) Size); + if (Key != NULL) { + // + // Duplicate key phrase directly. + // + KeyLength = (INTN) AsciiStrLen ((CHAR8 *)Key); + KeyLength = (KeyLength > Size ) ? Size : KeyLength; + CopyMem (Buf, Key, (UINTN) KeyLength); + return KeyLength; + } else { + return 0; + } +} + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + If PemData is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + + @retval TRUE RSA Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +RsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ) +{ + BOOLEAN Status; + BIO *PemBio; + + // + // Check input parameters. + // + if (PemData == NULL || RsaContext == NULL || PemSize > INT_MAX) { + return FALSE; + } + + // + // Add possible block-cipher descriptor for PEM data decryption. + // NOTE: Only support most popular ciphers AES for the encrypted PEM. + // + if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) { + return FALSE; + } + if (EVP_add_cipher (EVP_aes_192_cbc ()) == 0) { + return FALSE; + } + if (EVP_add_cipher (EVP_aes_256_cbc ()) == 0) { + return FALSE; + } + + Status = FALSE; + + // + // Read encrypted PEM Data. + // + PemBio = BIO_new (BIO_s_mem ()); + if (PemBio == NULL) { + goto _Exit; + } + + if (BIO_write (PemBio, PemData, (int) PemSize) <= 0) { + goto _Exit; + } + + // + // Retrieve RSA Private Key from encrypted PEM data. + // + *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *) &PasswordCallback, (void *) Password); + if (*RsaContext != NULL) { + Status = TRUE; + } + +_Exit: + // + // Release Resources. + // + BIO_free (PemBio); + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c new file mode 100644 index 00000000..7a9f6d61 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c @@ -0,0 +1,38 @@ +/** @file + PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does + not provide real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + Return FALSE to indicate this interface is not supported. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c new file mode 100644 index 00000000..6421efeb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c @@ -0,0 +1,192 @@ +/** @file + Authenticode Portable Executable Signature Verification over OpenSSL. + + Caution: This module requires additional review when modified. + This library will have external input - signature (e.g. PE/COFF Authenticode). + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for + data structure. + +Copyright (c) 2011 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include + +// +// OID ASN.1 Value for SPC_INDIRECT_DATA_OBJID +// +UINT8 mSpcIndirectOidValue[] = { + 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04 + }; + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + If AuthData is NULL, then return FALSE. + If ImageHash is NULL, then return FALSE. + + Caution: This function may receive untrusted input. + PE/COFF Authenticode is external input, so this function will do basic check for + Authenticode data structure. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval TRUE The specified Authenticode Signature is valid. + @retval FALSE Invalid Authenticode Signature. + +**/ +BOOLEAN +EFIAPI +AuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ) +{ + BOOLEAN Status; + PKCS7 *Pkcs7; + CONST UINT8 *Temp; + CONST UINT8 *OrigAuthData; + UINT8 *SpcIndirectDataContent; + UINT8 Asn1Byte; + UINTN ContentSize; + CONST UINT8 *SpcIndirectDataOid; + + // + // Check input parameters. + // + if ((AuthData == NULL) || (TrustedCert == NULL) || (ImageHash == NULL)) { + return FALSE; + } + + if ((DataSize > INT_MAX) || (CertSize > INT_MAX) || (HashSize > INT_MAX)) { + return FALSE; + } + + Status = FALSE; + Pkcs7 = NULL; + OrigAuthData = AuthData; + + // + // Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode Signature + // + Temp = AuthData; + Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) { + goto _Exit; + } + + // + // NOTE: OpenSSL PKCS7 Decoder didn't work for Authenticode-format signed data due to + // some authenticode-specific structure. Use opaque ASN.1 string to retrieve + // PKCS#7 ContentInfo here. + // + SpcIndirectDataOid = OBJ_get0_data(Pkcs7->d.sign->contents->type); + if (OBJ_length(Pkcs7->d.sign->contents->type) != sizeof(mSpcIndirectOidValue) || + CompareMem ( + SpcIndirectDataOid, + mSpcIndirectOidValue, + sizeof (mSpcIndirectOidValue) + ) != 0) { + // + // Un-matched SPC_INDIRECT_DATA_OBJID. + // + goto _Exit; + } + + + SpcIndirectDataContent = (UINT8 *)(Pkcs7->d.sign->contents->d.other->value.asn1_string->data); + + // + // Retrieve the SEQUENCE data size from ASN.1-encoded SpcIndirectDataContent. + // + Asn1Byte = *(SpcIndirectDataContent + 1); + + if ((Asn1Byte & 0x80) == 0) { + // + // Short Form of Length Encoding (Length < 128) + // + ContentSize = (UINTN) (Asn1Byte & 0x7F); + // + // Skip the SEQUENCE Tag; + // + SpcIndirectDataContent += 2; + + } else if ((Asn1Byte & 0x81) == 0x81) { + // + // Long Form of Length Encoding (128 <= Length < 255, Single Octet) + // + ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2)); + // + // Skip the SEQUENCE Tag; + // + SpcIndirectDataContent += 3; + + } else if ((Asn1Byte & 0x82) == 0x82) { + // + // Long Form of Length Encoding (Length > 255, Two Octet) + // + ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2)); + ContentSize = (ContentSize << 8) + (UINTN)(*(UINT8 *)(SpcIndirectDataContent + 3)); + // + // Skip the SEQUENCE Tag; + // + SpcIndirectDataContent += 4; + + } else { + goto _Exit; + } + + // + // Compare the original file hash value to the digest retrieve from SpcIndirectDataContent + // defined in Authenticode + // NOTE: Need to double-check HashLength here! + // + if (CompareMem (SpcIndirectDataContent + ContentSize - HashSize, ImageHash, HashSize) != 0) { + // + // Un-matched PE/COFF Hash Value + // + goto _Exit; + } + + // + // Verifies the PKCS#7 Signed Data in PE/COFF Authenticode Signature + // + Status = (BOOLEAN) Pkcs7Verify (OrigAuthData, DataSize, TrustedCert, CertSize, SpcIndirectDataContent, ContentSize); + +_Exit: + // + // Release Resources + // + PKCS7_free (Pkcs7); + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticodeNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticodeNull.c new file mode 100644 index 00000000..60b750d9 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticodeNull.c @@ -0,0 +1,45 @@ +/** @file + Authenticode Portable Executable Signature Verification which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + Return FALSE to indicate this interface is not supported. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c new file mode 100644 index 00000000..109d6f00 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c @@ -0,0 +1,306 @@ +/** @file + Diffie-Hellman Wrapper Implementation over OpenSSL. + +Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the allocations fails, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + // + // Allocates & Initializes DH Context by OpenSSL DH_new() + // + return (VOID *) DH_new (); +} + +/** + Release the specified DH context. + + If DhContext is NULL, then return FALSE. + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + // + // Free OpenSSL DH Context + // + DH_free ((DH *) DhContext); +} + +/** + Generates DH parameter. + + Given generator g, and length of prime number p in bits, this function generates p, + and sets DH context according to value of g and p. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval TRUE DH parameter generation succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE PRNG fails to generate random prime number with PrimeLength. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + BOOLEAN RetVal; + BIGNUM *BnP; + + // + // Check input parameters. + // + if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { + return FALSE; + } + + if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { + return FALSE; + } + + RetVal = (BOOLEAN) DH_generate_parameters_ex (DhContext, (UINT32) PrimeLength, (UINT32) Generator, NULL); + if (!RetVal) { + return FALSE; + } + + DH_get0_pqg (DhContext, (const BIGNUM **)&BnP, NULL, NULL); + BN_bn2bin (BnP, Prime); + + return TRUE; +} + +/** + Sets generator and prime parameters for DH. + + Given generator g, and prime number p, this function and sets DH + context accordingly. + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval TRUE DH parameter setting succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE Value of Generator is not suitable for the Prime. + @retval FALSE Value of Prime is not a prime number. + @retval FALSE Value of Prime is not a safe prime number. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + DH *Dh; + BIGNUM *BnP; + BIGNUM *BnG; + + // + // Check input parameters. + // + if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { + return FALSE; + } + + if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { + return FALSE; + } + + // + // Set the generator and prime parameters for DH object. + // + Dh = (DH *)DhContext; + BnP = BN_bin2bn ((const unsigned char *)Prime, (int)(PrimeLength / 8), NULL); + BnG = BN_bin2bn ((const unsigned char *)&Generator, 1, NULL); + if ((BnP == NULL) || (BnG == NULL) || !DH_set0_pqg (Dh, BnP, NULL, BnG)) { + goto Error; + } + + return TRUE; + +Error: + BN_free (BnP); + BN_free (BnG); + + return FALSE; +} + +/** + Generates DH public key. + + This function generates random secret exponent, and computes the public key, which is + returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. + If the PublicKey buffer is too small to hold the public key, FALSE is returned and + PublicKeySize is set to the required buffer size to obtain the public key. + + If DhContext is NULL, then return FALSE. + If PublicKeySize is NULL, then return FALSE. + If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval TRUE DH public key generation succeeded. + @retval FALSE DH public key generation failed. + @retval FALSE PublicKeySize is not large enough. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + BOOLEAN RetVal; + DH *Dh; + BIGNUM *DhPubKey; + INTN Size; + + // + // Check input parameters. + // + if (DhContext == NULL || PublicKeySize == NULL) { + return FALSE; + } + + if (PublicKey == NULL && *PublicKeySize != 0) { + return FALSE; + } + + Dh = (DH *) DhContext; + + RetVal = (BOOLEAN) DH_generate_key (DhContext); + if (RetVal) { + DH_get0_key (Dh, (const BIGNUM **)&DhPubKey, NULL); + Size = BN_num_bytes (DhPubKey); + if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) { + *PublicKeySize = Size; + return FALSE; + } + + if (PublicKey != NULL) { + BN_bn2bin (DhPubKey, PublicKey); + } + *PublicKeySize = Size; + } + + return RetVal; +} + +/** + Computes exchanged common key. + + Given peer's public key, this function computes the exchanged common key, based on its own + context including value of prime modulus and random secret exponent. + + If DhContext is NULL, then return FALSE. + If PeerPublicKey is NULL, then return FALSE. + If KeySize is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval TRUE DH exchanged key generation succeeded. + @retval FALSE DH exchanged key generation failed. + @retval FALSE KeySize is not large enough. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + BIGNUM *Bn; + INTN Size; + + // + // Check input parameters. + // + if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL || Key == NULL) { + return FALSE; + } + + if (PeerPublicKeySize > INT_MAX) { + return FALSE; + } + + Bn = BN_bin2bn (PeerPublicKey, (UINT32) PeerPublicKeySize, NULL); + if (Bn == NULL) { + return FALSE; + } + + Size = DH_compute_key (Key, Bn, DhContext); + if (Size < 0) { + BN_free (Bn); + return FALSE; + } + + if (*KeySize < (UINTN) Size) { + *KeySize = Size; + BN_free (Bn); + return FALSE; + } + + *KeySize = Size; + BN_free (Bn); + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDhNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDhNull.c new file mode 100644 index 00000000..b7ab9c08 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptDhNull.c @@ -0,0 +1,150 @@ +/** @file + Diffie-Hellman Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + ASSERT (FALSE); +} + +/** + Generates DH parameter. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Sets generator and prime parameters for DH. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates DH public key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes exchanged common key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c new file mode 100644 index 00000000..d61069bb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c @@ -0,0 +1,208 @@ +/** @file + This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + Copyright (C) 2016 Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ +**/ + +#include "InternalCryptLib.h" +#include +#include +#include +#include + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Things that can cause a failure include: + - X509 key size does not match any known key size. + - Fail to parse X509 certificate. + - Fail to allocate an intermediate buffer. + - Null pointer provided for a non-optional parameter. + - Data size is too large for the provided key size (max size is a function of key size + and hash digest size). + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval TRUE Encryption was successful. + @retval FALSE Encryption failed. + +**/ +BOOLEAN +EFIAPI +Pkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ) +{ + BOOLEAN Result; + CONST UINT8 *TempPointer; + X509 *CertData; + EVP_PKEY *InternalPublicKey; + EVP_PKEY_CTX *PkeyCtx; + UINT8 *OutData; + UINTN OutDataSize; + + // + // Check input parameters. + // + if (PublicKey == NULL || InData == NULL || + EncryptedData == NULL || EncryptedDataSize == NULL) { + return FALSE; + } + + // + // Check public key size. + // + if (PublicKeySize > 0xFFFFFFFF) { + // + // Public key size is too large for implementation. + // + return FALSE; + } + + *EncryptedData = NULL; + *EncryptedDataSize = 0; + Result = FALSE; + TempPointer = NULL; + CertData = NULL; + InternalPublicKey = NULL; + PkeyCtx = NULL; + OutData = NULL; + OutDataSize = 0; + + // + // If it provides a seed then use it. + // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been + // used enough to generate sufficient entropy. + // + if (PrngSeed != NULL) { + RandomSeed (PrngSeed, PrngSeedSize); + } else { + RandomSeed (NULL, 0); + } + + // + // Parse the X509 cert and extract the public key. + // + TempPointer = PublicKey; + CertData = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize); + if (CertData == NULL) { + // + // Fail to parse X509 cert. + // + goto _Exit; + } + + // + // Extract the public key from the x509 cert in a format that + // OpenSSL can use. + // + InternalPublicKey = X509_get_pubkey (CertData); + if (InternalPublicKey == NULL) { + // + // Fail to extract public key. + // + goto _Exit; + } + + // + // Create a context for the public key operation. + // + PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL); + if (PkeyCtx == NULL) { + // + // Fail to create contex. + // + goto _Exit; + } + // + // Initialize the context and set the desired padding. + // + if (EVP_PKEY_encrypt_init (PkeyCtx) <= 0 || + EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0) { + // + // Fail to initialize the context. + // + goto _Exit; + } + + // + // Determine the required buffer length for malloc'ing. + // + if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) { + // + // Fail to determine output buffer size. + // + goto _Exit; + } + + // + // Allocate a buffer for the output data. + // + OutData = AllocatePool (OutDataSize); + if (OutData == NULL) { + // + // Fail to allocate the output buffer. + // + goto _Exit; + } + + // + // Encrypt Data. + // + if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) { + // + // Fail to encrypt data, need to free the output buffer. + // + FreePool (OutData); + OutData = NULL; + OutDataSize = 0; + goto _Exit; + } + + // + // Encrypt done. + // + *EncryptedData = OutData; + *EncryptedDataSize = OutDataSize; + Result = TRUE; + +_Exit: + // + // Release Resources + // + if (CertData != NULL) { + X509_free (CertData ); + } + if (InternalPublicKey != NULL) { + EVP_PKEY_free (InternalPublicKey); + } + if (PkeyCtx != NULL) { + EVP_PKEY_CTX_free (PkeyCtx); + } + + return Result; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c new file mode 100644 index 00000000..eca1d88f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c @@ -0,0 +1,51 @@ +/** @file + This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + Copyright (C) 2016 Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ +**/ + +#include "InternalCryptLib.h" + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c new file mode 100644 index 00000000..373e8061 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2.c @@ -0,0 +1,95 @@ +/** @file + PBKDF2 Key Derivation Function Wrapper Implementation over OpenSSL. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + If Password or Salt or OutKey is NULL, then return FALSE. + If the hash algorithm could not be determined, then return FALSE. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval TRUE A key was derived successfully. + @retval FALSE One of the pointers was NULL or one of the sizes was too large. + @retval FALSE The hash algorithm could not be determined from the digest size. + @retval FALSE The key derivation operation failed. + +**/ +BOOLEAN +EFIAPI +Pkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ) +{ + CONST EVP_MD *HashAlg; + + HashAlg = NULL; + + // + // Parameter Checking. + // + if ((Password == NULL) || (Salt == NULL) || (OutKey == NULL)) { + return FALSE; + } + if ((PasswordLength == 0) || (PasswordLength > INT_MAX) || + (SaltLength == 0) || (SaltLength > INT_MAX) || + (KeyLength == 0) || (KeyLength > INT_MAX) || + (IterationCount < 1) || (IterationCount > INT_MAX)) { + return FALSE; + } + // + // Make sure the digest algorithm is supported. + // + switch (DigestSize) { + case SHA1_DIGEST_SIZE: + HashAlg = EVP_sha1(); + break; + case SHA256_DIGEST_SIZE: + HashAlg = EVP_sha256(); + break; + default: + return FALSE; + break; + } + + // + // Perform password-based key derivation routines. + // + return (BOOLEAN)PKCS5_PBKDF2_HMAC ( + (const char *)Password, + (int)PasswordLength, + (const unsigned char *)Salt, + (int)SaltLength, + (int)IterationCount, + HashAlg, + (int)KeyLength, + (unsigned char *)OutKey + ); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2Null.c new file mode 100644 index 00000000..93455cb7 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs5Pbkdf2Null.c @@ -0,0 +1,50 @@ +/** @file + PBKDF2 Key Derivation Function Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + Return FALSE to indicate this interface is not supported. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c new file mode 100644 index 00000000..e32fc91c --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c @@ -0,0 +1,194 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL. + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + BOOLEAN Status; + EVP_PKEY *Key; + BIO *DataBio; + PKCS7 *Pkcs7; + UINT8 *RsaContext; + UINT8 *P7Data; + UINTN P7DataSize; + UINT8 *Tmp; + + // + // Check input parameters. + // + if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL || + SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) { + return FALSE; + } + + RsaContext = NULL; + Key = NULL; + Pkcs7 = NULL; + DataBio = NULL; + Status = FALSE; + + // + // Retrieve RSA private key from PEM data. + // + Status = RsaGetPrivateKeyFromPem ( + PrivateKey, + PrivateKeySize, + (CONST CHAR8 *) KeyPassword, + (VOID **) &RsaContext + ); + if (!Status) { + return Status; + } + + Status = FALSE; + + // + // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling + // + if (EVP_add_digest (EVP_md5 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + goto _Exit; + } + + RandomSeed (NULL, 0); + + // + // Construct OpenSSL EVP_PKEY for private key. + // + Key = EVP_PKEY_new (); + if (Key == NULL) { + goto _Exit; + } + if (EVP_PKEY_assign_RSA (Key, (RSA *) RsaContext) == 0) { + goto _Exit; + } + + // + // Convert the data to be signed to BIO format. + // + DataBio = BIO_new (BIO_s_mem ()); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int) InDataSize) <= 0) { + goto _Exit; + } + + // + // Create the PKCS#7 signedData structure. + // + Pkcs7 = PKCS7_sign ( + (X509 *) SignCert, + Key, + (STACK_OF(X509) *) OtherCerts, + DataBio, + PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED + ); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Convert PKCS#7 signedData structure into DER-encoded buffer. + // + P7DataSize = i2d_PKCS7 (Pkcs7, NULL); + if (P7DataSize <= 19) { + goto _Exit; + } + + P7Data = malloc (P7DataSize); + if (P7Data == NULL) { + goto _Exit; + } + + Tmp = P7Data; + P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp); + ASSERT (P7DataSize > 19); + + // + // Strip ContentInfo to content only for signeddata. The data be trimmed off + // is totally 19 bytes. + // + *SignedDataSize = P7DataSize - 19; + *SignedData = AllocatePool (*SignedDataSize); + if (*SignedData == NULL) { + OPENSSL_free (P7Data); + goto _Exit; + } + + CopyMem (*SignedData, P7Data + 19, *SignedDataSize); + + OPENSSL_free (P7Data); + + Status = TRUE; + +_Exit: + // + // Release Resources + // + if (Key != NULL) { + EVP_PKEY_free (Key); + } + + if (DataBio != NULL) { + BIO_free (DataBio); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c new file mode 100644 index 00000000..f016d04a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7SignNull.c @@ -0,0 +1,54 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + Return FALSE to indicate this interface is not supported. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c new file mode 100644 index 00000000..0deb7a20 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c @@ -0,0 +1,190 @@ +/** @file + Non-runtime specific implementation of PKCS#7 SignedData Verification Wrapper. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + +/** + Check the contents of PKCS7 is not data. + + It is copied from PKCS7_type_is_other() in pk7_doit.c. + + @param[in] P7 Pointer to the location at which the PKCS7 is located. + + @retval TRUE If the type is others. + @retval FALSE If the type is expected. +**/ +STATIC +BOOLEAN +Pkcs7TypeIsOther ( + IN PKCS7 *P7 + ) +{ + BOOLEAN Others; + INTN Nid = OBJ_obj2nid (P7->type); + + switch (Nid) { + case NID_pkcs7_data: + case NID_pkcs7_signed: + case NID_pkcs7_enveloped: + case NID_pkcs7_signedAndEnveloped: + case NID_pkcs7_encrypted: + Others = FALSE; + break; + default: + Others = TRUE; + } + + return Others; +} + +/** + Get the ASN.1 string for the PKCS7. + + It is copied from PKCS7_get_octet_string() in pk7_doit.c. + + @param[in] P7 Pointer to the location at which the PKCS7 is located. + + @return ASN1_OCTET_STRING ASN.1 string. +**/ +STATIC +ASN1_OCTET_STRING* +Pkcs7GetOctetString ( + IN PKCS7 *P7 + ) +{ + if (PKCS7_type_is_data (P7)) { + return P7->d.data; + } + + if (Pkcs7TypeIsOther(P7) && (P7->d.other != NULL) && + (P7->d.other->type == V_ASN1_OCTET_STRING)) { + return P7->d.other->value.octet_string; + } + + return NULL; +} + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow, + then return FALSE. If the P7Data is not correctly formatted, then return FALSE. + + Caution: This function may receive untrusted input. So this function will do + basic check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + BOOLEAN Status; + PKCS7 *Pkcs7; + UINT8 *SignedData; + UINTN SignedDataSize; + BOOLEAN Wrapped; + CONST UINT8 *Temp; + ASN1_OCTET_STRING *OctStr; + + // + // Check input parameter. + // + if ((P7Data == NULL) || (P7Length > INT_MAX) || (Content == NULL) || (ContentSize == NULL)) { + return FALSE; + } + + *Content = NULL; + Pkcs7 = NULL; + SignedData = NULL; + OctStr = NULL; + + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); + if (!Status || (SignedDataSize > INT_MAX)) { + goto _Exit; + } + + Status = FALSE; + + // + // Decoding PKCS#7 SignedData + // + Temp = SignedData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // The type of Pkcs7 must be signedData + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Check for detached or attached content + // + if (PKCS7_get_detached (Pkcs7)) { + // + // No Content supplied for PKCS7 detached signedData + // + *Content = NULL; + *ContentSize = 0; + } else { + // + // Retrieve the attached content in PKCS7 signedData + // + OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents); + if (OctStr == NULL) { + goto _Exit; + } + + if ((OctStr->length > 0) && (OctStr->data != NULL)) { + *ContentSize = OctStr->length; + *Content = AllocatePool (*ContentSize); + if (*Content == NULL) { + *ContentSize = 0; + goto _Exit; + } + CopyMem (*Content, OctStr->data, *ContentSize); + } + } + Status = TRUE; + +_Exit: + // + // Release Resources + // + PKCS7_free (Pkcs7); + + if (!Wrapped) { + OPENSSL_free (SignedData); + } + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c new file mode 100644 index 00000000..e4cca018 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c @@ -0,0 +1,910 @@ +/** @file + PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL. + + Caution: This module requires additional review when modified. + This library will have external input - signature (e.g. UEFI Authenticated + Variable). It may by input in SMM mode. + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated + Variable and will do basic check for data structure. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + +UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; + +/** + Check input P7Data is a wrapped ContentInfo structure or not. If not construct + a new structure to wrap P7Data. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise + return FALSE. + @param[out] WrapData If return status of this function is TRUE: + 1) when WrapFlag is TRUE, pointer to P7Data. + 2) when WrapFlag is FALSE, pointer to a new ContentInfo + structure. It's caller's responsibility to free this + buffer. + @param[out] WrapDataSize Length of ContentInfo structure in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE The operation is failed due to lack of resources. + +**/ +BOOLEAN +WrapPkcs7Data ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT BOOLEAN *WrapFlag, + OUT UINT8 **WrapData, + OUT UINTN *WrapDataSize + ) +{ + BOOLEAN Wrapped; + UINT8 *SignedData; + + // + // Check whether input P7Data is a wrapped ContentInfo structure or not. + // + Wrapped = FALSE; + if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) { + if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) { + if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) { + Wrapped = TRUE; + } + } + } + + if (Wrapped) { + *WrapData = (UINT8 *) P7Data; + *WrapDataSize = P7Length; + } else { + // + // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes. + // + *WrapDataSize = P7Length + 19; + *WrapData = malloc (*WrapDataSize); + if (*WrapData == NULL) { + *WrapFlag = Wrapped; + return FALSE; + } + + SignedData = *WrapData; + + // + // Part1: 0x30, 0x82. + // + SignedData[0] = 0x30; + SignedData[1] = 0x82; + + // + // Part2: Length1 = P7Length + 19 - 4, in big endian. + // + SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8); + SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff); + + // + // Part3: 0x06, 0x09. + // + SignedData[4] = 0x06; + SignedData[5] = 0x09; + + // + // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02. + // + CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue)); + + // + // Part5: 0xA0, 0x82. + // + SignedData[15] = 0xA0; + SignedData[16] = 0x82; + + // + // Part6: Length2 = P7Length, in big endian. + // + SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8); + SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff); + + // + // Part7: P7Data. + // + CopyMem (SignedData + 19, P7Data, P7Length); + } + + *WrapFlag = Wrapped; + return TRUE; +} + +/** + Pop single certificate from STACK_OF(X509). + + If X509Stack, Cert, or CertSize is NULL, then return FALSE. + + @param[in] X509Stack Pointer to a X509 stack object. + @param[out] Cert Pointer to a X509 certificate. + @param[out] CertSize Length of output X509 certificate in bytes. + + @retval TRUE The X509 stack pop succeeded. + @retval FALSE The pop operation failed. + +**/ +BOOLEAN +X509PopCertificate ( + IN VOID *X509Stack, + OUT UINT8 **Cert, + OUT UINTN *CertSize + ) +{ + BIO *CertBio; + X509 *X509Cert; + STACK_OF(X509) *CertStack; + BOOLEAN Status; + INT32 Result; + BUF_MEM *Ptr; + INT32 Length; + VOID *Buffer; + + Status = FALSE; + + if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) { + return Status; + } + + CertStack = (STACK_OF(X509) *) X509Stack; + + X509Cert = sk_X509_pop (CertStack); + + if (X509Cert == NULL) { + return Status; + } + + Buffer = NULL; + + CertBio = BIO_new (BIO_s_mem ()); + if (CertBio == NULL) { + return Status; + } + + Result = i2d_X509_bio (CertBio, X509Cert); + if (Result == 0) { + goto _Exit; + } + + BIO_get_mem_ptr (CertBio, &Ptr); + Length = (INT32)(Ptr->length); + if (Length <= 0) { + goto _Exit; + } + + Buffer = malloc (Length); + if (Buffer == NULL) { + goto _Exit; + } + + Result = BIO_read (CertBio, Buffer, Length); + if (Result != Length) { + goto _Exit; + } + + *Cert = Buffer; + *CertSize = Length; + + Status = TRUE; + +_Exit: + + BIO_free (CertBio); + + if (!Status && (Buffer != NULL)) { + free (Buffer); + } + + return Status; +} + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FALSE. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + PKCS7 *Pkcs7; + BOOLEAN Status; + UINT8 *SignedData; + CONST UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN Wrapped; + STACK_OF(X509) *Stack; + UINT8 Index; + UINT8 *CertBuf; + UINT8 *OldBuf; + UINTN BufferSize; + UINTN OldSize; + UINT8 *SingleCert; + UINTN SingleCertSize; + + if ((P7Data == NULL) || (CertStack == NULL) || (StackLength == NULL) || + (TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) { + return FALSE; + } + + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); + if (!Status) { + return Status; + } + + Status = FALSE; + Pkcs7 = NULL; + Stack = NULL; + CertBuf = NULL; + OldBuf = NULL; + SingleCert = NULL; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Temp = SignedData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY); + if (Stack == NULL) { + goto _Exit; + } + + // + // Convert CertStack to buffer in following format: + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + BufferSize = sizeof (UINT8); + OldSize = BufferSize; + + for (Index = 0; ; Index++) { + Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize); + if (!Status) { + break; + } + + OldSize = BufferSize; + OldBuf = CertBuf; + BufferSize = OldSize + SingleCertSize + sizeof (UINT32); + CertBuf = malloc (BufferSize); + + if (CertBuf == NULL) { + goto _Exit; + } + + if (OldBuf != NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + free (OldBuf); + OldBuf = NULL; + } + + WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize); + + free (SingleCert); + SingleCert = NULL; + } + + if (CertBuf != NULL) { + // + // Update CertNumber. + // + CertBuf[0] = Index; + + *CertLength = BufferSize - OldSize - sizeof (UINT32); + *TrustedCert = malloc (*CertLength); + if (*TrustedCert == NULL) { + goto _Exit; + } + + CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLength); + *CertStack = CertBuf; + *StackLength = BufferSize; + Status = TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + free (SignedData); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + + if (Stack != NULL) { + sk_X509_pop_free(Stack, X509_free); + } + + if (SingleCert != NULL) { + free (SingleCert); + } + + if (!Status && (CertBuf != NULL)) { + free (CertBuf); + *CertStack = NULL; + } + + if (OldBuf != NULL) { + free (OldBuf); + } + + return Status; +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + if (Certs == NULL) { + return; + } + + free (Certs); +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + BOOLEAN Status; + UINT8 *NewP7Data; + UINTN NewP7Length; + BOOLEAN Wrapped; + UINT8 Index; + PKCS7 *Pkcs7; + X509_STORE_CTX *CertCtx; + STACK_OF(X509) *CtxChain; + STACK_OF(X509) *CtxUntrusted; + X509 *CtxCert; + STACK_OF(X509) *Signers; + X509 *Signer; + X509 *Cert; + X509 *Issuer; + X509_NAME *IssuerName; + UINT8 *CertBuf; + UINT8 *OldBuf; + UINTN BufferSize; + UINTN OldSize; + UINT8 *SingleCert; + UINTN CertSize; + + // + // Initializations + // + Status = FALSE; + NewP7Data = NULL; + Pkcs7 = NULL; + CertCtx = NULL; + CtxChain = NULL; + CtxCert = NULL; + CtxUntrusted = NULL; + Cert = NULL; + SingleCert = NULL; + CertBuf = NULL; + OldBuf = NULL; + Signers = NULL; + + ZeroMem (&CertCtx, sizeof (CertCtx)); + + // + // Parameter Checking + // + if ((P7Data == NULL) || (SignerChainCerts == NULL) || (ChainLength == NULL) || + (UnchainCerts == NULL) || (UnchainLength == NULL) || (P7Length > INT_MAX)) { + return Status; + } + + *SignerChainCerts = NULL; + *ChainLength = 0; + *UnchainCerts = NULL; + *UnchainLength = 0; + + // + // Construct a new PKCS#7 data wrapping with ContentInfo structure if needed. + // + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &NewP7Data, &NewP7Length); + if (!Status || (NewP7Length > INT_MAX)) { + goto _Error; + } + + // + // Decodes PKCS#7 SignedData + // + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &NewP7Data, (int) NewP7Length); + if ((Pkcs7 == NULL) || (!PKCS7_type_is_signed (Pkcs7))) { + goto _Error; + } + + // + // Obtains Signer's Certificate from PKCS#7 data + // NOTE: Only one signer case will be handled in this function, which means SignerInfos + // should include only one signer's certificate. + // + Signers = PKCS7_get0_signers (Pkcs7, NULL, PKCS7_BINARY); + if ((Signers == NULL) || (sk_X509_num (Signers) != 1)) { + goto _Error; + } + Signer = sk_X509_value (Signers, 0); + + CertCtx = X509_STORE_CTX_new (); + if (CertCtx == NULL) { + goto _Error; + } + if (!X509_STORE_CTX_init (CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) { + goto _Error; + } + // + // Initialize Chained & Untrusted stack + // + CtxChain = X509_STORE_CTX_get0_chain (CertCtx); + CtxCert = X509_STORE_CTX_get0_cert (CertCtx); + if (CtxChain == NULL) { + if (((CtxChain = sk_X509_new_null ()) == NULL) || + (!sk_X509_push (CtxChain, CtxCert))) { + goto _Error; + } + } + CtxUntrusted = X509_STORE_CTX_get0_untrusted (CertCtx); + if (CtxUntrusted != NULL) { + (VOID)sk_X509_delete_ptr (CtxUntrusted, Signer); + } + + // + // Build certificates stack chained from Signer's certificate. + // + Cert = Signer; + for (; ;) { + // + // Self-Issue checking + // + Issuer = NULL; + if (X509_STORE_CTX_get1_issuer (&Issuer, CertCtx, Cert) == 1) { + if (X509_cmp (Issuer, Cert) == 0) { + break; + } + } + + // + // Found the issuer of the current certificate + // + if (CtxUntrusted != NULL) { + Issuer = NULL; + IssuerName = X509_get_issuer_name (Cert); + Issuer = X509_find_by_subject (CtxUntrusted, IssuerName); + if (Issuer != NULL) { + if (!sk_X509_push (CtxChain, Issuer)) { + goto _Error; + } + (VOID)sk_X509_delete_ptr (CtxUntrusted, Issuer); + + Cert = Issuer; + continue; + } + } + + break; + } + + // + // Converts Chained and Untrusted Certificate to Certificate Buffer in following format: + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + + if (CtxChain != NULL) { + BufferSize = sizeof (UINT8); + CertBuf = NULL; + + for (Index = 0; ; Index++) { + Status = X509PopCertificate (CtxChain, &SingleCert, &CertSize); + if (!Status) { + break; + } + + OldSize = BufferSize; + OldBuf = CertBuf; + BufferSize = OldSize + CertSize + sizeof (UINT32); + CertBuf = malloc (BufferSize); + + if (CertBuf == NULL) { + Status = FALSE; + goto _Error; + } + if (OldBuf != NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + free (OldBuf); + OldBuf = NULL; + } + + WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) CertSize); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, CertSize); + + free (SingleCert); + SingleCert = NULL; + } + + if (CertBuf != NULL) { + // + // Update CertNumber. + // + CertBuf[0] = Index; + + *SignerChainCerts = CertBuf; + *ChainLength = BufferSize; + } + } + + if (CtxUntrusted != NULL) { + BufferSize = sizeof (UINT8); + CertBuf = NULL; + + for (Index = 0; ; Index++) { + Status = X509PopCertificate (CtxUntrusted, &SingleCert, &CertSize); + if (!Status) { + break; + } + + OldSize = BufferSize; + OldBuf = CertBuf; + BufferSize = OldSize + CertSize + sizeof (UINT32); + CertBuf = malloc (BufferSize); + + if (CertBuf == NULL) { + Status = FALSE; + goto _Error; + } + if (OldBuf != NULL) { + CopyMem (CertBuf, OldBuf, OldSize); + free (OldBuf); + OldBuf = NULL; + } + + WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) CertSize); + CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, CertSize); + + free (SingleCert); + SingleCert = NULL; + } + + if (CertBuf != NULL) { + // + // Update CertNumber. + // + CertBuf[0] = Index; + + *UnchainCerts = CertBuf; + *UnchainLength = BufferSize; + } + } + + Status = TRUE; + +_Error: + // + // Release Resources. + // + if (!Wrapped && (NewP7Data != NULL)) { + free (NewP7Data); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + sk_X509_free (Signers); + + if (CertCtx != NULL) { + X509_STORE_CTX_cleanup (CertCtx); + X509_STORE_CTX_free (CertCtx); + } + + if (SingleCert != NULL) { + free (SingleCert); + } + + if (OldBuf != NULL) { + free (OldBuf); + } + + if (!Status && (CertBuf != NULL)) { + free (CertBuf); + *SignerChainCerts = NULL; + *UnchainCerts = NULL; + } + + return Status; +} + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FALSE. + + Caution: This function may receive untrusted input. + UEFI Authenticated Variable is external input, so this function will do basic + check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + PKCS7 *Pkcs7; + BIO *DataBio; + BOOLEAN Status; + X509 *Cert; + X509_STORE *CertStore; + UINT8 *SignedData; + CONST UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN Wrapped; + + // + // Check input parameters. + // + if (P7Data == NULL || TrustedCert == NULL || InData == NULL || + P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) { + return FALSE; + } + + Pkcs7 = NULL; + DataBio = NULL; + Cert = NULL; + CertStore = NULL; + + // + // Register & Initialize necessary digest algorithms for PKCS#7 Handling + // + if (EVP_add_digest (EVP_md5 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha384 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha512 ()) == 0) { + return FALSE; + } + if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) { + return FALSE; + } + + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); + if (!Status) { + return Status; + } + + Status = FALSE; + + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Temp = SignedData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Read DER-encoded root certificate and Construct X509 Certificate + // + Temp = TrustedCert; + Cert = d2i_X509 (NULL, &Temp, (long) CertLength); + if (Cert == NULL) { + goto _Exit; + } + + // + // Setup X509 Store for trusted certificate + // + CertStore = X509_STORE_new (); + if (CertStore == NULL) { + goto _Exit; + } + if (!(X509_STORE_add_cert (CertStore, Cert))) { + goto _Exit; + } + + // + // For generic PKCS#7 handling, InData may be NULL if the content is present + // in PKCS#7 structure. So ignore NULL checking here. + // + DataBio = BIO_new (BIO_s_mem ()); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int) DataLength) <= 0) { + goto _Exit; + } + + // + // Allow partial certificate chains, terminated by a non-self-signed but + // still trusted intermediate certificate. Also disable time checks. + // + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); + + // + // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and + // doesn't support the extended key usage for Authenticode Code Signing. + // Bypass the certificate purpose checking by enabling any purposes setting. + // + X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); + + // + // Verifies the PKCS#7 signedData structure + // + Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, PKCS7_BINARY); + +_Exit: + // + // Release Resources + // + BIO_free (DataBio); + X509_free (Cert); + X509_STORE_free (CertStore); + PKCS7_free (Pkcs7); + + if (!Wrapped) { + OPENSSL_free (SignedData); + } + + return Status; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c new file mode 100644 index 00000000..b5f350b3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c @@ -0,0 +1,517 @@ +/** @file + This module verifies that Enhanced Key Usages (EKU's) are present within + a PKCS7 signature blob using OpenSSL. + + Copyright (C) Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include "InternalCryptLib.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + This function will return the leaf signer certificate in a chain. This is + required because certificate chains are not guaranteed to have the + certificates in the order that they were issued. + + A typical certificate chain looks like this: + + + ---------------------------- + | Root | + ---------------------------- + ^ + | + ---------------------------- + | Policy CA | <-- Typical Trust Anchor. + ---------------------------- + ^ + | + ---------------------------- + | Issuing CA | + ---------------------------- + ^ + | + ----------------------------- + / End-Entity (leaf) signer / <-- Bottom certificate. + ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" + (Firmware Signing) + + + @param[in] CertChain Certificate chain. + + @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures, + this will be the end-entity (leaf) signer cert. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND The number of signers found was not 1. + +**/ +EFI_STATUS +GetSignerCertificate ( + IN CONST PKCS7 *CertChain, + OUT X509 **SignerCert + ) +{ + EFI_STATUS Status; + STACK_OF(X509) *Signers; + INT32 NumberSigners; + + Status = EFI_SUCCESS; + Signers = NULL; + NumberSigners = 0; + + if (CertChain == NULL || SignerCert == NULL) { + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Get the signers from the chain. + // + Signers = PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY); + if (Signers == NULL) { + // + // Fail to get signers form PKCS7 + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // There should only be one signer in the PKCS7 stack. + // + NumberSigners = sk_X509_num (Signers); + if (NumberSigners != 1) { + // + // The number of singers should have been 1 + // + Status = EFI_NOT_FOUND; + goto Exit; + } + + *SignerCert = sk_X509_value (Signers, 0); + +Exit: + // + // Release Resources + // + if (Signers != NULL) { + sk_X509_free (Signers); + } + + return Status; +} + + +/** + Determines if the specified EKU represented in ASN1 form is present + in a given certificate. + + @param[in] Cert The certificate to check. + + @param[in] Asn1ToFind The EKU to look for. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +IsEkuInCertificate ( + IN CONST X509 *Cert, + IN ASN1_OBJECT *Asn1ToFind + ) +{ + EFI_STATUS Status; + X509 *ClonedCert; + X509_EXTENSION *Extension; + EXTENDED_KEY_USAGE *Eku; + INT32 ExtensionIndex; + INTN NumExtensions; + ASN1_OBJECT *Asn1InCert; + INTN Index; + + Status = EFI_NOT_FOUND; + ClonedCert = NULL; + Extension = NULL; + Eku = NULL; + ExtensionIndex = -1; + NumExtensions = 0; + Asn1InCert = NULL; + + if (Cert == NULL || Asn1ToFind == NULL) { + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Clone the certificate. This is required because the Extension API's + // only work once per instance of an X509 object. + // + ClonedCert = X509_dup ((X509*)Cert); + if (ClonedCert == NULL) { + // + // Fail to duplicate cert. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Look for the extended key usage. + // + ExtensionIndex = X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -1); + + if (ExtensionIndex < 0) { + // + // Fail to find 'NID_ext_key_usage' in Cert. + // + goto Exit; + } + + Extension = X509_get_ext (ClonedCert, ExtensionIndex); + if (Extension == NULL) { + // + // Fail to get Extension form cert. + // + goto Exit; + } + + Eku = (EXTENDED_KEY_USAGE*)X509V3_EXT_d2i (Extension); + if (Eku == NULL) { + // + // Fail to get Eku from extension. + // + goto Exit; + } + + NumExtensions = sk_ASN1_OBJECT_num (Eku); + + // + // Now loop through the extensions, looking for the specified Eku. + // + for (Index = 0; Index < NumExtensions; Index++) { + Asn1InCert = sk_ASN1_OBJECT_value (Eku, (INT32)Index); + if (Asn1InCert == NULL) { + // + // Fail to get ASN object from Eku. + // + goto Exit; + } + + if (Asn1InCert->length == Asn1ToFind->length && + CompareMem (Asn1InCert->data, Asn1ToFind->data, Asn1InCert->length) == 0) { + // + // Found Eku in certificate. + // + Status = EFI_SUCCESS; + goto Exit; + } + } + +Exit: + + // + // Release Resources + // + if (ClonedCert != NULL) { + X509_free (ClonedCert); + } + + if (Eku != NULL) { + sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free); + } + + return Status; +} + + +/** + Determines if the specified EKUs are present in a signing certificate. + + @param[in] SignerCert The certificate to check. + @param[in] RequiredEKUs The EKUs to look for. + @param[in] RequiredEKUsSize The number of EKUs + @param[in] RequireAllPresent If TRUE, then all the specified EKUs + must be present in the certificate. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. +**/ +EFI_STATUS +CheckEKUs( + IN CONST X509 *SignerCert, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + EFI_STATUS Status; + ASN1_OBJECT *Asn1ToFind; + UINT32 NumEkusFound; + UINT32 Index; + + Status = EFI_SUCCESS; + Asn1ToFind = NULL; + NumEkusFound = 0; + + if (SignerCert == NULL || RequiredEKUs == NULL || RequiredEKUsSize == 0) { + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + for (Index = 0; Index < RequiredEKUsSize; Index++) { + // + // Finding required EKU in cert. + // + if (Asn1ToFind != NULL) { + ASN1_OBJECT_free(Asn1ToFind); + Asn1ToFind = NULL; + } + + Asn1ToFind = OBJ_txt2obj (RequiredEKUs[Index], 0); + if (Asn1ToFind == NULL) { + // + // Fail to convert required EKU to ASN1. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + Status = IsEkuInCertificate (SignerCert, Asn1ToFind); + if (Status == EFI_SUCCESS) { + NumEkusFound++; + if (!RequireAllPresent) { + // + // Found at least one, so we are done. + // + goto Exit; + } + } else { + // + // Fail to find Eku in cert + break; + } + } + +Exit: + + if (Asn1ToFind != NULL) { + ASN1_OBJECT_free(Asn1ToFind); + } + + if (RequireAllPresent && + NumEkusFound == RequiredEKUsSize) { + // + // Found all required EKUs in certificate. + // + Status = EFI_SUCCESS; + } + + return Status; +} + +/** + This function receives a PKCS#7 formatted signature blob, + looks for the EKU SEQUENCE blob, and if found then looks + for all the required EKUs. This function was created so that + the Surface team can cut down on the number of Certificate + Authorities (CA's) by checking EKU's on leaf signers for + a specific product. This prevents one product's certificate + from signing another product's firmware or unlock blobs. + + Note that this function does not validate the certificate chain. + That needs to be done before using this function. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + EFI_STATUS Status; + PKCS7 *Pkcs7; + STACK_OF(X509) *CertChain; + INT32 SignatureType; + INT32 NumberCertsInSignature; + X509 *SignerCert; + UINT8 *SignedData; + UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN IsWrapped; + BOOLEAN Ok; + + Status = EFI_SUCCESS; + Pkcs7 = NULL; + CertChain = NULL; + SignatureType = 0; + NumberCertsInSignature = 0; + SignerCert = NULL; + SignedData = NULL; + SignedDataSize = 0; + IsWrapped = FALSE; + Ok = FALSE; + + // + //Validate the input parameters. + // + if (Pkcs7Signature == NULL || + SignatureSize == 0 || + RequiredEKUs == NULL || + RequiredEKUsSize == 0) { + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + if (RequiredEKUsSize == 1) { + RequireAllPresent = TRUE; + } + + // + // Wrap the PKCS7 data if needed. + // + Ok = WrapPkcs7Data (Pkcs7Signature, + SignatureSize, + &IsWrapped, + &SignedData, + &SignedDataSize); + if (!Ok) { + // + // Fail to Wrap the PKCS7 data. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + Temp = SignedData; + + // + // Create the PKCS7 object. + // + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedDataSize); + if (Pkcs7 == NULL) { + // + // Fail to read PKCS7 data. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Get the certificate chain. + // + SignatureType = OBJ_obj2nid (Pkcs7->type); + switch (SignatureType) { + case NID_pkcs7_signed: + if (Pkcs7->d.sign != NULL) { + CertChain = Pkcs7->d.sign->cert; + } + break; + case NID_pkcs7_signedAndEnveloped: + if (Pkcs7->d.signed_and_enveloped != NULL) { + CertChain = Pkcs7->d.signed_and_enveloped->cert; + } + break; + default: + break; + } + + // + // Ensure we have a certificate stack + // + if (CertChain == NULL) { + // + // Fail to get the certificate stack from signature. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Find out how many certificates were in the PKCS7 signature. + // + NumberCertsInSignature = sk_X509_num (CertChain); + + if (NumberCertsInSignature == 0) { + // + // Fail to find any certificates in signature. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + // + // Get the leaf signer. + // + Status = GetSignerCertificate (Pkcs7, &SignerCert); + if (Status != EFI_SUCCESS || SignerCert == NULL) { + // + // Fail to get the end-entity leaf signer certificate. + // + Status = EFI_INVALID_PARAMETER; + goto Exit; + } + + Status = CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, RequireAllPresent); + if (Status != EFI_SUCCESS) { + goto Exit; + } + +Exit: + + // + // Release Resources + // + // If the signature was not wrapped, then the call to WrapData() will allocate + // the data and add a header to it + // + if (!IsWrapped && SignedData) { + free (SignedData); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + + return Status; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c new file mode 100644 index 00000000..14d6f01b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c @@ -0,0 +1,57 @@ +/** @file + This module verifies that Enhanced Key Usages (EKU's) are present within + a PKCS7 signature blob using OpenSSL. + + Copyright (C) Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + This function receives a PKCS#7 formatted signature blob, + looks for the EKU SEQUENCE blob, and if found then looks + for all the required EKUs. This function was created so that + the Surface team can cut down on the number of Certificate + Authorities (CA's) by checking EKU's on leaf signers for + a specific product. This prevents one product's certificate + from signing another product's firmware or unlock blobs. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in pPkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + All specified EKU's must be present in order to + succeed. + @param[in] RequiredEKUsSize Number of elements in the rgRequiredEKUs string. + This parameter has a maximum of MAX_EKU_SEARCH. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +EFI_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c new file mode 100644 index 00000000..2665fc18 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c @@ -0,0 +1,163 @@ +/** @file + PKCS#7 SignedData Verification Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + If the interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + ASSERT (FALSE); +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyRuntime.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyRuntime.c new file mode 100644 index 00000000..8249bb24 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyRuntime.c @@ -0,0 +1,39 @@ +/** @file + Runtime specific implementation of PKCS#7 SignedData Verification Wrapper. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c new file mode 100644 index 00000000..4038af3e --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c @@ -0,0 +1,327 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaNew + 2) RsaFree + 3) RsaSetKey + 4) RsaPkcs1Verify + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ) +{ + // + // Allocates & Initializes RSA Context by OpenSSL RSA_new() + // + return (VOID *) RSA_new (); +} + +/** + Release the specified RSA context. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ) +{ + // + // Free OpenSSL RSA Context + // + RSA_free ((RSA *) RsaContext); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + RSA *RsaKey; + BIGNUM *BnN; + BIGNUM *BnE; + BIGNUM *BnD; + BIGNUM *BnP; + BIGNUM *BnQ; + BIGNUM *BnDp; + BIGNUM *BnDq; + BIGNUM *BnQInv; + + // + // Check input parameters. + // + if (RsaContext == NULL || BnSize > INT_MAX) { + return FALSE; + } + + BnN = NULL; + BnE = NULL; + BnD = NULL; + BnP = NULL; + BnQ = NULL; + BnDp = NULL; + BnDq = NULL; + BnQInv = NULL; + + // + // Retrieve the components from RSA object. + // + RsaKey = (RSA *) RsaContext; + RSA_get0_key (RsaKey, (const BIGNUM **)&BnN, (const BIGNUM **)&BnE, (const BIGNUM **)&BnD); + RSA_get0_factors (RsaKey, (const BIGNUM **)&BnP, (const BIGNUM **)&BnQ); + RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnDp, (const BIGNUM **)&BnDq, (const BIGNUM **)&BnQInv); + + // + // Set RSA Key Components by converting octet string to OpenSSL BN representation. + // NOTE: For RSA public key (used in signature verification), only public components + // (N, e) are needed. + // + switch (KeyTag) { + + // + // RSA Public Modulus (N), Public Exponent (e) and Private Exponent (d) + // + case RsaKeyN: + case RsaKeyE: + case RsaKeyD: + if (BnN == NULL) { + BnN = BN_new (); + } + if (BnE == NULL) { + BnE = BN_new (); + } + if (BnD == NULL) { + BnD = BN_new (); + } + + if ((BnN == NULL) || (BnE == NULL) || (BnD == NULL)) { + return FALSE; + } + + switch (KeyTag) { + case RsaKeyN: + BnN = BN_bin2bn (BigNumber, (UINT32)BnSize, BnN); + break; + case RsaKeyE: + BnE = BN_bin2bn (BigNumber, (UINT32)BnSize, BnE); + break; + case RsaKeyD: + BnD = BN_bin2bn (BigNumber, (UINT32)BnSize, BnD); + break; + default: + return FALSE; + } + if (RSA_set0_key (RsaKey, BN_dup(BnN), BN_dup(BnE), BN_dup(BnD)) == 0) { + return FALSE; + } + + break; + + // + // RSA Secret Prime Factor of Modulus (p and q) + // + case RsaKeyP: + case RsaKeyQ: + if (BnP == NULL) { + BnP = BN_new (); + } + if (BnQ == NULL) { + BnQ = BN_new (); + } + if ((BnP == NULL) || (BnQ == NULL)) { + return FALSE; + } + + switch (KeyTag) { + case RsaKeyP: + BnP = BN_bin2bn (BigNumber, (UINT32)BnSize, BnP); + break; + case RsaKeyQ: + BnQ = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQ); + break; + default: + return FALSE; + } + if (RSA_set0_factors (RsaKey, BN_dup(BnP), BN_dup(BnQ)) == 0) { + return FALSE; + } + + break; + + // + // p's CRT Exponent (== d mod (p - 1)), q's CRT Exponent (== d mod (q - 1)), + // and CRT Coefficient (== 1/q mod p) + // + case RsaKeyDp: + case RsaKeyDq: + case RsaKeyQInv: + if (BnDp == NULL) { + BnDp = BN_new (); + } + if (BnDq == NULL) { + BnDq = BN_new (); + } + if (BnQInv == NULL) { + BnQInv = BN_new (); + } + if ((BnDp == NULL) || (BnDq == NULL) || (BnQInv == NULL)) { + return FALSE; + } + + switch (KeyTag) { + case RsaKeyDp: + BnDp = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDp); + break; + case RsaKeyDq: + BnDq = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDq); + break; + case RsaKeyQInv: + BnQInv = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQInv); + break; + default: + return FALSE; + } + if (RSA_set0_crt_params (RsaKey, BN_dup(BnDp), BN_dup(BnDq), BN_dup(BnQInv)) == 0) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + return TRUE; +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-384 or SHA-512 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + INT32 DigestType; + UINT8 *SigBuf; + + // + // Check input parameters. + // + if (RsaContext == NULL || MessageHash == NULL || Signature == NULL) { + return FALSE; + } + + if (SigSize > INT_MAX || SigSize == 0) { + return FALSE; + } + + // + // Determine the message digest algorithm according to digest size. + // Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported. + // + switch (HashSize) { + case MD5_DIGEST_SIZE: + DigestType = NID_md5; + break; + + case SHA1_DIGEST_SIZE: + DigestType = NID_sha1; + break; + + case SHA256_DIGEST_SIZE: + DigestType = NID_sha256; + break; + + case SHA384_DIGEST_SIZE: + DigestType = NID_sha384; + break; + + case SHA512_DIGEST_SIZE: + DigestType = NID_sha512; + break; + + default: + return FALSE; + } + + SigBuf = (UINT8 *) Signature; + return (BOOLEAN) RSA_verify ( + DigestType, + MessageHash, + (UINT32) HashSize, + SigBuf, + (UINT32) SigSize, + (RSA *) RsaContext + ); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c new file mode 100644 index 00000000..10d96814 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c @@ -0,0 +1,364 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide more capabilities for RSA: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + RSA *RsaKey; + BIGNUM *BnKey; + UINTN Size; + + // + // Check input parameters. + // + if (RsaContext == NULL || BnSize == NULL) { + return FALSE; + } + + RsaKey = (RSA *) RsaContext; + Size = *BnSize; + *BnSize = 0; + BnKey = NULL; + + switch (KeyTag) { + + // + // RSA Public Modulus (N) + // + case RsaKeyN: + RSA_get0_key (RsaKey, (const BIGNUM **)&BnKey, NULL, NULL); + break; + + // + // RSA Public Exponent (e) + // + case RsaKeyE: + RSA_get0_key (RsaKey, NULL, (const BIGNUM **)&BnKey, NULL); + break; + + // + // RSA Private Exponent (d) + // + case RsaKeyD: + RSA_get0_key (RsaKey, NULL, NULL, (const BIGNUM **)&BnKey); + break; + + // + // RSA Secret Prime Factor of Modulus (p) + // + case RsaKeyP: + RSA_get0_factors (RsaKey, (const BIGNUM **)&BnKey, NULL); + break; + + // + // RSA Secret Prime Factor of Modules (q) + // + case RsaKeyQ: + RSA_get0_factors (RsaKey, NULL, (const BIGNUM **)&BnKey); + break; + + // + // p's CRT Exponent (== d mod (p - 1)) + // + case RsaKeyDp: + RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnKey, NULL, NULL); + break; + + // + // q's CRT Exponent (== d mod (q - 1)) + // + case RsaKeyDq: + RSA_get0_crt_params (RsaKey, NULL, (const BIGNUM **)&BnKey, NULL); + break; + + // + // The CRT Coefficient (== 1/q mod p) + // + case RsaKeyQInv: + RSA_get0_crt_params (RsaKey, NULL, NULL, (const BIGNUM **)&BnKey); + break; + + default: + return FALSE; + } + + if (BnKey == NULL) { + return FALSE; + } + + *BnSize = Size; + Size = BN_num_bytes (BnKey); + + if (*BnSize < Size) { + *BnSize = Size; + return FALSE; + } + + if (BigNumber == NULL) { + *BnSize = Size; + return TRUE; + } + *BnSize = BN_bn2bin (BnKey, BigNumber) ; + + return TRUE; +} + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + BIGNUM *KeyE; + BOOLEAN RetVal; + + // + // Check input parameters. + // + if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) { + return FALSE; + } + + KeyE = BN_new (); + if (KeyE == NULL) { + return FALSE; + } + + RetVal = FALSE; + + if (PublicExponent == NULL) { + if (BN_set_word (KeyE, 0x10001) == 0) { + goto _Exit; + } + } else { + if (BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE) == NULL) { + goto _Exit; + } + } + + if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) { + RetVal = TRUE; + } + +_Exit: + BN_free (KeyE); + return RetVal; +} + +/** + Validates key components of RSA context. + NOTE: This function performs integrity checks on all the RSA key material, so + the RSA key structure must contain all the private key data. + + This function validates key components of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + UINTN Reason; + + // + // Check input parameters. + // + if (RsaContext == NULL) { + return FALSE; + } + + if (RSA_check_key ((RSA *) RsaContext) != 1) { + Reason = ERR_GET_REASON (ERR_peek_last_error ()); + if (Reason == RSA_R_P_NOT_PRIME || + Reason == RSA_R_Q_NOT_PRIME || + Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q || + Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) { + return FALSE; + } + } + + return TRUE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-384 or SHA-512 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + RSA *Rsa; + UINTN Size; + INT32 DigestType; + + // + // Check input parameters. + // + if (RsaContext == NULL || MessageHash == NULL) { + return FALSE; + } + + Rsa = (RSA *) RsaContext; + Size = RSA_size (Rsa); + + if (*SigSize < Size) { + *SigSize = Size; + return FALSE; + } + + if (Signature == NULL) { + return FALSE; + } + + // + // Determine the message digest algorithm according to digest size. + // Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported. + // + switch (HashSize) { + case MD5_DIGEST_SIZE: + DigestType = NID_md5; + break; + + case SHA1_DIGEST_SIZE: + DigestType = NID_sha1; + break; + + case SHA256_DIGEST_SIZE: + DigestType = NID_sha256; + break; + + case SHA384_DIGEST_SIZE: + DigestType = NID_sha384; + break; + + case SHA512_DIGEST_SIZE: + DigestType = NID_sha512; + break; + + default: + return FALSE; + } + + return (BOOLEAN) RSA_sign ( + DigestType, + MessageHash, + (UINT32) HashSize, + Signature, + (UINT32 *) SigSize, + (RSA *) RsaContext + ); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExtNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExtNull.c new file mode 100644 index 00000000..82982a1f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExtNull.c @@ -0,0 +1,119 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Gets the tag-designated RSA key component from the established RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates RSA key components. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Validates key components of RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c new file mode 100644 index 00000000..4c25404c --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c @@ -0,0 +1,152 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaPssVerify + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + + +/** + Retrieve a pointer to EVP message digest object. + + @param[in] DigestLen Length of the message digest. + +**/ +STATIC +const +EVP_MD* +GetEvpMD ( + IN UINT16 DigestLen + ) +{ + switch (DigestLen){ + case SHA256_DIGEST_SIZE: + return EVP_sha256(); + break; + case SHA384_DIGEST_SIZE: + return EVP_sha384(); + break; + case SHA512_DIGEST_SIZE: + return EVP_sha512(); + break; + default: + return NULL; + } +} + + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPssVerify ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ) +{ + BOOLEAN Result; + EVP_PKEY *EvpRsaKey; + EVP_MD_CTX *EvpVerifyCtx; + EVP_PKEY_CTX *KeyCtx; + CONST EVP_MD *HashAlg; + + Result = FALSE; + EvpRsaKey = NULL; + EvpVerifyCtx = NULL; + KeyCtx = NULL; + HashAlg = NULL; + + if (RsaContext == NULL) { + return FALSE; + } + if (Message == NULL || MsgSize == 0 || MsgSize > INT_MAX) { + return FALSE; + } + if (Signature == NULL || SigSize == 0 || SigSize > INT_MAX) { + return FALSE; + } + if (SaltLen < DigestLen) { + return FALSE; + } + + HashAlg = GetEvpMD(DigestLen); + + if (HashAlg == NULL) { + return FALSE; + } + + EvpRsaKey = EVP_PKEY_new(); + if (EvpRsaKey == NULL) { + goto _Exit; + } + + EVP_PKEY_set1_RSA(EvpRsaKey, RsaContext); + + EvpVerifyCtx = EVP_MD_CTX_create(); + if (EvpVerifyCtx == NULL) { + goto _Exit; + } + + Result = EVP_DigestVerifyInit(EvpVerifyCtx, &KeyCtx, HashAlg, NULL, EvpRsaKey) > 0; + if (KeyCtx == NULL) { + goto _Exit; + } + + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_padding(KeyCtx, RSA_PKCS1_PSS_PADDING) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_pss_saltlen(KeyCtx, SaltLen) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_mgf1_md(KeyCtx, HashAlg) > 0; + } + if (Result) { + Result = EVP_DigestVerifyUpdate(EvpVerifyCtx, Message, (UINT32)MsgSize) > 0; + } + if (Result) { + Result = EVP_DigestVerifyFinal(EvpVerifyCtx, Signature, (UINT32)SigSize) > 0; + } + +_Exit : + if (EvpRsaKey != NULL) { + EVP_PKEY_free(EvpRsaKey); + } + if (EvpVerifyCtx != NULL) { + EVP_MD_CTX_destroy(EvpVerifyCtx); + } + + return Result; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c new file mode 100644 index 00000000..ff6d11c8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c @@ -0,0 +1,46 @@ +/** @file + RSA-PSS Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaPssVerify + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPssVerify ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c new file mode 100644 index 00000000..369648e0 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c @@ -0,0 +1,175 @@ +/** @file + RSA PSS Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaPssSign + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include + + +/** + Retrieve a pointer to EVP message digest object. + + @param[in] DigestLen Length of the message digest. + +**/ +STATIC +const +EVP_MD* +GetEvpMD ( + IN UINT16 DigestLen + ) +{ + switch (DigestLen){ + case SHA256_DIGEST_SIZE: + return EVP_sha256(); + break; + case SHA384_DIGEST_SIZE: + return EVP_sha384(); + break; + case SHA512_DIGEST_SIZE: + return EVP_sha512(); + break; + default: + return NULL; + } +} + + +/** + Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If Message is NULL, then return FALSE. + If MsgSize is zero or > INT_MAX, then return FALSE. + If DigestLen is NOT 32, 48 or 64, return FALSE. + If SaltLen is < DigestLen, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPssSign ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + BOOLEAN Result; + UINTN RsaSigSize; + EVP_PKEY *EvpRsaKey; + EVP_MD_CTX *EvpVerifyCtx; + EVP_PKEY_CTX *KeyCtx; + CONST EVP_MD *HashAlg; + + Result = FALSE; + EvpRsaKey = NULL; + EvpVerifyCtx = NULL; + KeyCtx = NULL; + HashAlg = NULL; + + if (RsaContext == NULL) { + return FALSE; + } + if (Message == NULL || MsgSize == 0 || MsgSize > INT_MAX) { + return FALSE; + } + + RsaSigSize = RSA_size (RsaContext); + if (*SigSize < RsaSigSize) { + *SigSize = RsaSigSize; + return FALSE; + } + + if (Signature == NULL) { + return FALSE; + } + + if (SaltLen < DigestLen) { + return FALSE; + } + + HashAlg = GetEvpMD(DigestLen); + + if (HashAlg == NULL) { + return FALSE; + } + + EvpRsaKey = EVP_PKEY_new(); + if (EvpRsaKey == NULL) { + goto _Exit; + } + + EVP_PKEY_set1_RSA(EvpRsaKey, RsaContext); + + EvpVerifyCtx = EVP_MD_CTX_create(); + if (EvpVerifyCtx == NULL) { + goto _Exit; + } + + Result = EVP_DigestSignInit(EvpVerifyCtx, &KeyCtx, HashAlg, NULL, EvpRsaKey) > 0; + if (KeyCtx == NULL) { + goto _Exit; + } + + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_padding(KeyCtx, RSA_PKCS1_PSS_PADDING) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_pss_saltlen(KeyCtx, SaltLen) > 0; + } + if (Result) { + Result = EVP_PKEY_CTX_set_rsa_mgf1_md(KeyCtx, HashAlg) > 0; + } + if (Result) { + Result = EVP_DigestSignUpdate(EvpVerifyCtx, Message, (UINT32)MsgSize) > 0; + } + if (Result) { + Result = EVP_DigestSignFinal(EvpVerifyCtx, Signature, SigSize) > 0; + } + +_Exit : + if (EvpRsaKey != NULL) { + EVP_PKEY_free(EvpRsaKey); + } + if (EvpVerifyCtx != NULL) { + EVP_MD_CTX_destroy(EvpVerifyCtx); + } + + return Result; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c new file mode 100644 index 00000000..52cef5eb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c @@ -0,0 +1,60 @@ +/** @file + RSA-PSS Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaPssSign + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If Message is NULL, then return FALSE. + If MsgSize is zero or > INT_MAX, then return FALSE. + If DigestLen is NOT 32, 48 or 64, return FALSE. + If SaltLen is < DigestLen, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPssSign ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c new file mode 100644 index 00000000..ab6ca633 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c @@ -0,0 +1,659 @@ +/** @file + RFC3161 Timestamp Countersignature Verification over OpenSSL. + The timestamp is generated by a TimeStamping Authority (TSA) and asserts that a + publisher's signature existed before the specified time. The timestamp extends + the lifetime of the signature when a signing certificate expires or is later + revoked. + +Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include +#include +#include + +// +// OID ASN.1 Value for SPC_RFC3161_OBJID ("1.3.6.1.4.1.311.3.3.1") +// +UINT8 mSpcRFC3161OidValue[] = { + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x03, 0x03, 0x01 + }; + +/// +/// The messageImprint field SHOULD contain the hash of the datum to be +/// time-stamped. The hash is represented as an OCTET STRING. Its +/// length MUST match the length of the hash value for that algorithm +/// (e.g., 20 bytes for SHA-1 or 16 bytes for MD5). +/// +/// MessageImprint ::= SEQUENCE { +/// hashAlgorithm AlgorithmIdentifier, +/// hashedMessage OCTET STRING } +/// +typedef struct { + X509_ALGOR *HashAlgorithm; + ASN1_OCTET_STRING *HashedMessage; +} TS_MESSAGE_IMPRINT; + +// +// ASN.1 Functions for TS_MESSAGE_IMPRINT +// +DECLARE_ASN1_FUNCTIONS (TS_MESSAGE_IMPRINT) +ASN1_SEQUENCE (TS_MESSAGE_IMPRINT) = { + ASN1_SIMPLE (TS_MESSAGE_IMPRINT, HashAlgorithm, X509_ALGOR), + ASN1_SIMPLE (TS_MESSAGE_IMPRINT, HashedMessage, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END (TS_MESSAGE_IMPRINT) +IMPLEMENT_ASN1_FUNCTIONS (TS_MESSAGE_IMPRINT) + +/// +/// Accuracy represents the time deviation around the UTC time contained +/// in GeneralizedTime of time-stamp token. +/// +/// Accuracy ::= SEQUENCE { +/// seconds INTEGER OPTIONAL, +/// millis [0] INTEGER (1..999) OPTIONAL, +/// micros [1] INTEGER (1..999) OPTIONAL } +/// +typedef struct { + ASN1_INTEGER *Seconds; + ASN1_INTEGER *Millis; + ASN1_INTEGER *Micros; +} TS_ACCURACY; + +// +// ASN.1 Functions for TS_ACCURACY +// +DECLARE_ASN1_FUNCTIONS (TS_ACCURACY) +ASN1_SEQUENCE (TS_ACCURACY) = { + ASN1_OPT (TS_ACCURACY, Seconds, ASN1_INTEGER), + ASN1_IMP_OPT (TS_ACCURACY, Millis, ASN1_INTEGER, 0), + ASN1_IMP_OPT (TS_ACCURACY, Micros, ASN1_INTEGER, 1) +} ASN1_SEQUENCE_END (TS_ACCURACY) +IMPLEMENT_ASN1_FUNCTIONS (TS_ACCURACY) + +/// +/// The timestamp token info resulting from a successful timestamp request, +/// as defined in RFC 3161. +/// +/// TSTInfo ::= SEQUENCE { +/// version INTEGER { v1(1) }, +/// policy TSAPolicyId, +/// messageImprint MessageImprint, +/// -- MUST have the same value as the similar field in +/// -- TimeStampReq +/// serialNumber INTEGER, +/// -- Time-Stamping users MUST be ready to accommodate integers +/// -- up to 160 bits. +/// genTime GeneralizedTime, +/// accuracy Accuracy OPTIONAL, +/// ordering BOOLEAN DEFAULT FALSE, +/// nonce INTEGER OPTIONAL, +/// -- MUST be present if the similar field was present +/// -- in TimeStampReq. In that case it MUST have the same value. +/// tsa [0] GeneralName OPTIONAL, +/// extensions [1] IMPLICIT Extensions OPTIONAL } +/// +typedef struct { + ASN1_INTEGER *Version; + ASN1_OBJECT *Policy; + TS_MESSAGE_IMPRINT *MessageImprint; + ASN1_INTEGER *SerialNumber; + ASN1_GENERALIZEDTIME *GenTime; + TS_ACCURACY *Accuracy; + ASN1_BOOLEAN Ordering; + ASN1_INTEGER *Nonce; + GENERAL_NAME *Tsa; + STACK_OF(X509_EXTENSION) *Extensions; +} TS_TST_INFO; + +// +// ASN.1 Functions for TS_TST_INFO +// +DECLARE_ASN1_FUNCTIONS (TS_TST_INFO) +ASN1_SEQUENCE (TS_TST_INFO) = { + ASN1_SIMPLE (TS_TST_INFO, Version, ASN1_INTEGER), + ASN1_SIMPLE (TS_TST_INFO, Policy, ASN1_OBJECT), + ASN1_SIMPLE (TS_TST_INFO, MessageImprint, TS_MESSAGE_IMPRINT), + ASN1_SIMPLE (TS_TST_INFO, SerialNumber, ASN1_INTEGER), + ASN1_SIMPLE (TS_TST_INFO, GenTime, ASN1_GENERALIZEDTIME), + ASN1_OPT (TS_TST_INFO, Accuracy, TS_ACCURACY), + ASN1_OPT (TS_TST_INFO, Ordering, ASN1_FBOOLEAN), + ASN1_OPT (TS_TST_INFO, Nonce, ASN1_INTEGER), + ASN1_EXP_OPT(TS_TST_INFO, Tsa, GENERAL_NAME, 0), + ASN1_IMP_SEQUENCE_OF_OPT (TS_TST_INFO, Extensions, X509_EXTENSION, 1) +} ASN1_SEQUENCE_END (TS_TST_INFO) +IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO) + + +/** + Convert ASN.1 GeneralizedTime to EFI Time. + + @param[in] Asn1Time Pointer to the ASN.1 GeneralizedTime to be converted. + @param[out] SigningTime Return the corresponding EFI Time. + + @retval TRUE The time conversion succeeds. + @retval FALSE Invalid parameters. + +**/ +BOOLEAN +EFIAPI +ConvertAsn1TimeToEfiTime ( + IN ASN1_TIME *Asn1Time, + OUT EFI_TIME *EfiTime + ) +{ + CONST CHAR8 *Str; + UINTN Index; + + if ((Asn1Time == NULL) || (EfiTime == NULL)) { + return FALSE; + } + + Str = (CONST CHAR8*)Asn1Time->data; + SetMem (EfiTime, 0, sizeof (EFI_TIME)); + + Index = 0; + if (Asn1Time->type == V_ASN1_UTCTIME) { /* two digit year */ + EfiTime->Year = (Str[Index++] - '0') * 10; + EfiTime->Year += (Str[Index++] - '0'); + if (EfiTime->Year < 70) { + EfiTime->Year += 100; + } + } else if (Asn1Time->type == V_ASN1_GENERALIZEDTIME) { /* four digit year */ + EfiTime->Year = (Str[Index++] - '0') * 1000; + EfiTime->Year += (Str[Index++] - '0') * 100; + EfiTime->Year += (Str[Index++] - '0') * 10; + EfiTime->Year += (Str[Index++] - '0'); + if ((EfiTime->Year < 1900) || (EfiTime->Year > 9999)) { + return FALSE; + } + } + + EfiTime->Month = (Str[Index++] - '0') * 10; + EfiTime->Month += (Str[Index++] - '0'); + if ((EfiTime->Month < 1) || (EfiTime->Month > 12)) { + return FALSE; + } + + EfiTime->Day = (Str[Index++] - '0') * 10; + EfiTime->Day += (Str[Index++] - '0'); + if ((EfiTime->Day < 1) || (EfiTime->Day > 31)) { + return FALSE; + } + + EfiTime->Hour = (Str[Index++] - '0') * 10; + EfiTime->Hour += (Str[Index++] - '0'); + if (EfiTime->Hour > 23) { + return FALSE; + } + + EfiTime->Minute = (Str[Index++] - '0') * 10; + EfiTime->Minute += (Str[Index++] - '0'); + if (EfiTime->Minute > 59) { + return FALSE; + } + + EfiTime->Second = (Str[Index++] - '0') * 10; + EfiTime->Second += (Str[Index++] - '0'); + if (EfiTime->Second > 59) { + return FALSE; + } + + /* Note: we did not adjust the time based on time zone information */ + + return TRUE; +} + +/** + + Check the validity of TimeStamp Token Information. + + @param[in] TstInfo Pointer to the TS_TST_INFO structure. + @param[in] TimestampedData Pointer to the data to be time-stamped. + @param[in] DataSize Size of timestamped data in bytes. + + @retval TRUE The TimeStamp Token Information is valid. + @retval FALSE Invalid TimeStamp Token Information. + +**/ +BOOLEAN +EFIAPI +CheckTSTInfo ( + IN CONST TS_TST_INFO *TstInfo, + IN CONST UINT8 *TimestampedData, + IN UINTN DataSize + ) +{ + BOOLEAN Status; + TS_MESSAGE_IMPRINT *Imprint; + X509_ALGOR *HashAlgo; + CONST EVP_MD *Md; + EVP_MD_CTX *MdCtx; + UINTN MdSize; + UINT8 *HashedMsg; + + // + // Initialization + // + Status = FALSE; + HashAlgo = NULL; + HashedMsg = NULL; + MdCtx = NULL; + + // + // -- Check version number of Timestamp: + // The version field (currently v1) describes the version of the time-stamp token. + // Conforming time-stamping servers MUST be able to provide version 1 time-stamp tokens. + // + if ((ASN1_INTEGER_get (TstInfo->Version)) != 1) { + return FALSE; + } + + // + // -- Check Policies + // The policy field MUST indicate the TSA's policy under which the response was produced. + // + if (TstInfo->Policy == NULL) { + /// NOTE: Need to check if the requested and returned policies. + /// We have no information about the Requested TSA Policy. + return FALSE; + } + + // + // -- Compute & Check Message Imprint + // + Imprint = TstInfo->MessageImprint; + HashAlgo = X509_ALGOR_dup (Imprint->HashAlgorithm); + + Md = EVP_get_digestbyobj (HashAlgo->algorithm); + if (Md == NULL) { + goto _Exit; + } + + MdSize = EVP_MD_size (Md); + HashedMsg = AllocateZeroPool (MdSize); + if (HashedMsg == NULL) { + goto _Exit; + } + MdCtx = EVP_MD_CTX_new (); + if (MdCtx == NULL) { + goto _Exit; + } + if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) || + (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) || + (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) { + goto _Exit; + } + if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) && + (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) { + goto _Exit; + } + + // + // -- Check Nonces + // + if (TstInfo->Nonce != NULL) { + // + // Nonces is optional, No error if no nonce is returned; + // + } + + // + // -- Check if the TSA name and signer certificate is matched. + // + if (TstInfo->Tsa != NULL) { + // + // Ignored the optional Tsa field checking. + // + } + + Status = TRUE; + +_Exit: + X509_ALGOR_free (HashAlgo); + EVP_MD_CTX_free (MdCtx); + if (HashedMsg != NULL) { + FreePool (HashedMsg); + } + + return Status; +} + +/** + Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet + X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)"). + + If TSToken is NULL, then return FALSE. + If TimestampedData is NULL, then return FALSE. + + @param[in] TSToken Pointer to the RFC3161 TimeStamp Token, which is generated + by a TSA and located in the software publisher's SignerInfo + structure. + @param[in] TokenSize Size of the TimeStamp Token in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER. + @param[in] CertSize Size of the trusted TSA certificate in bytes. + @param[in] TimestampedData Pointer to the data to be time-stamped. + @param[in] DataSize Size of timestamped data in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified timestamp token is valid. + @retval FALSE Invalid timestamp token. + +**/ +BOOLEAN +EFIAPI +TimestampTokenVerify ( + IN CONST UINT8 *TSToken, + IN UINTN TokenSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + IN CONST UINT8 *TimestampedData, + IN UINTN DataSize, + OUT EFI_TIME *SigningTime + ) +{ + BOOLEAN Status; + CONST UINT8 *TokenTemp; + PKCS7 *Pkcs7; + X509 *Cert; + CONST UINT8 *CertTemp; + X509_STORE *CertStore; + BIO *OutBio; + UINT8 *TstData; + UINTN TstSize; + CONST UINT8 *TstTemp; + TS_TST_INFO *TstInfo; + + Status = FALSE; + + // + // Check input parameters + // + if ((TSToken == NULL) || (TsaCert == NULL) || (TimestampedData == NULL) || + (TokenSize > INT_MAX) || (CertSize > INT_MAX) || (DataSize > INT_MAX)) { + return FALSE; + } + + // + // Initializations + // + if (SigningTime != NULL) { + SetMem (SigningTime, sizeof (EFI_TIME), 0); + } + Pkcs7 = NULL; + Cert = NULL; + CertStore = NULL; + OutBio = NULL; + TstData = NULL; + TstInfo = NULL; + + // + // TimeStamp Token should contain one valid DER-encoded ASN.1 PKCS#7 structure. + // + TokenTemp = TSToken; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &TokenTemp, (int) TokenSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // The timestamp signature (TSA's response) will be one PKCS#7 signed data. + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Read the trusted TSA certificate (DER-encoded), and Construct X509 Certificate. + // + CertTemp = TsaCert; + Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize); + if (Cert == NULL) { + goto _Exit; + } + + // + // Setup X509 Store for trusted certificate. + // + CertStore = X509_STORE_new (); + if ((CertStore == NULL) || !(X509_STORE_add_cert (CertStore, Cert))) { + goto _Exit; + } + + // + // Allow partial certificate chains, terminated by a non-self-signed but + // still trusted intermediate certificate. Also disable time checks. + // + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); + + X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); + + // + // Verifies the PKCS#7 signedData structure, and output the signed contents. + // + OutBio = BIO_new (BIO_s_mem ()); + if (OutBio == NULL) { + goto _Exit; + } + if (!PKCS7_verify (Pkcs7, NULL, CertStore, NULL, OutBio, PKCS7_BINARY)) { + goto _Exit; + } + + // + // Read the signed contents detached in timestamp signature. + // + TstData = AllocateZeroPool (2048); + if (TstData == NULL) { + goto _Exit; + } + TstSize = BIO_read (OutBio, (void *) TstData, 2048); + + // + // Construct TS_TST_INFO structure from the signed contents. + // + TstTemp = TstData; + TstInfo = d2i_TS_TST_INFO (NULL, (const unsigned char **) &TstTemp, + (int)TstSize); + if (TstInfo == NULL) { + goto _Exit; + } + + // + // Check TS_TST_INFO structure. + // + Status = CheckTSTInfo (TstInfo, TimestampedData, DataSize); + if (!Status) { + goto _Exit; + } + + // + // Retrieve the signing time from TS_TST_INFO structure. + // + if (SigningTime != NULL) { + SetMem (SigningTime, sizeof (EFI_TIME), 0); + Status = ConvertAsn1TimeToEfiTime (TstInfo->GenTime, SigningTime); + } + +_Exit: + // + // Release Resources + // + PKCS7_free (Pkcs7); + X509_free (Cert); + X509_STORE_free (CertStore); + BIO_free (OutBio); + TS_TST_INFO_free (TstInfo); + + if (TstData != NULL) { + FreePool (TstData); + } + + return Status; +} + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + If AuthData is NULL, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature. + @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data. + +**/ +BOOLEAN +EFIAPI +ImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ) +{ + BOOLEAN Status; + PKCS7 *Pkcs7; + CONST UINT8 *Temp; + STACK_OF(PKCS7_SIGNER_INFO) *SignerInfos; + PKCS7_SIGNER_INFO *SignInfo; + UINTN Index; + STACK_OF(X509_ATTRIBUTE) *Sk; + X509_ATTRIBUTE *Xa; + ASN1_OBJECT *XaObj; + ASN1_TYPE *Asn1Type; + ASN1_OCTET_STRING *EncDigest; + UINT8 *TSToken; + UINTN TokenSize; + + // + // Input Parameters Checking. + // + if ((AuthData == NULL) || (TsaCert == NULL)) { + return FALSE; + } + + if ((DataSize > INT_MAX) || (CertSize > INT_MAX)) { + return FALSE; + } + + // + // Register & Initialize necessary digest algorithms for PKCS#7 Handling. + // + if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) || + (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0) { + return FALSE; + } + + // + // Initialization. + // + Status = FALSE; + Pkcs7 = NULL; + SignInfo = NULL; + + // + // Decode ASN.1-encoded Authenticode data into PKCS7 structure. + // + Temp = AuthData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) DataSize); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Check if there is one and only one signer. + // + SignerInfos = PKCS7_get_signer_info (Pkcs7); + if (!SignerInfos || (sk_PKCS7_SIGNER_INFO_num (SignerInfos) != 1)) { + goto _Exit; + } + + // + // Locate the TimeStamp CounterSignature. + // + SignInfo = sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0); + if (SignInfo == NULL) { + goto _Exit; + } + + // + // Locate Message Digest which will be the data to be time-stamped. + // + EncDigest = SignInfo->enc_digest; + if (EncDigest == NULL) { + goto _Exit; + } + + // + // The RFC3161 timestamp counterSignature is contained in unauthenticatedAttributes field + // of SignerInfo. + // + Sk = SignInfo->unauth_attr; + if (Sk == NULL) { // No timestamp counterSignature. + goto _Exit; + } + + Asn1Type = NULL; + for (Index = 0; Index < (UINTN) sk_X509_ATTRIBUTE_num (Sk); Index++) { + // + // Search valid RFC3161 timestamp counterSignature based on OBJID. + // + Xa = sk_X509_ATTRIBUTE_value (Sk, (int)Index); + if (Xa == NULL) { + continue; + } + XaObj = X509_ATTRIBUTE_get0_object(Xa); + if (XaObj == NULL) { + continue; + } + if ((OBJ_length(XaObj) != sizeof (mSpcRFC3161OidValue)) || + (CompareMem (OBJ_get0_data(XaObj), mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) { + continue; + } + Asn1Type = X509_ATTRIBUTE_get0_type(Xa, 0); + } + + if (Asn1Type == NULL) { + Status = FALSE; + goto _Exit; + } + TSToken = Asn1Type->value.octet_string->data; + TokenSize = Asn1Type->value.octet_string->length; + + // + // TimeStamp counterSignature (Token) verification. + // + Status = TimestampTokenVerify ( + TSToken, + TokenSize, + TsaCert, + CertSize, + EncDigest->data, + EncDigest->length, + SigningTime + ); + +_Exit: + // + // Release Resources + // + PKCS7_free (Pkcs7); + + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c new file mode 100644 index 00000000..3535774b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptTsNull.c @@ -0,0 +1,42 @@ +/** @file + RFC3161 Timestamp Countersignature Verification Wrapper Implementation which does + not provide real capabilities. + +Copyright (c) 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + Return FALSE to indicate this interface is not supported. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +ImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c new file mode 100644 index 00000000..5f66a148 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -0,0 +1,832 @@ +/** @file + X.509 Certificate Handler Wrapper Implementation over OpenSSL. + +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include + +/** + Construct a X509 object from DER-encoded certificate data. + + If Cert is NULL, then return FALSE. + If SingleX509Cert is NULL, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval TRUE The X509 object generation succeeded. + @retval FALSE The operation failed. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ) +{ + X509 *X509Cert; + CONST UINT8 *Temp; + + // + // Check input parameters. + // + if (Cert == NULL || SingleX509Cert == NULL || CertSize > INT_MAX) { + return FALSE; + } + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Temp = Cert; + X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize); + if (X509Cert == NULL) { + return FALSE; + } + + *SingleX509Cert = (UINT8 *) X509Cert; + + return TRUE; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ) +{ + UINT8 *Cert; + UINTN CertSize; + X509 *X509Cert; + STACK_OF(X509) *CertStack; + BOOLEAN Status; + UINTN Index; + + // + // Check input parameters. + // + if (X509Stack == NULL) { + return FALSE; + } + + Status = FALSE; + + // + // Initialize X509 stack object. + // + CertStack = (STACK_OF(X509) *) (*X509Stack); + if (CertStack == NULL) { + CertStack = sk_X509_new_null (); + if (CertStack == NULL) { + return Status; + } + } + + for (Index = 0; ; Index++) { + // + // If Cert is NULL, then it is the end of the list. + // + Cert = VA_ARG (Args, UINT8 *); + if (Cert == NULL) { + break; + } + + CertSize = VA_ARG (Args, UINTN); + if (CertSize == 0) { + break; + } + + // + // Construct X509 Object from the given DER-encoded certificate data. + // + X509Cert = NULL; + Status = X509ConstructCertificate ( + (CONST UINT8 *) Cert, + CertSize, + (UINT8 **) &X509Cert + ); + if (!Status) { + if (X509Cert != NULL) { + X509_free (X509Cert); + } + break; + } + + // + // Insert the new X509 object into X509 stack object. + // + sk_X509_push (CertStack, X509Cert); + } + + if (!Status) { + sk_X509_pop_free (CertStack, X509_free); + } else { + *X509Stack = (UINT8 *) CertStack; + } + + return Status; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ) +{ + VA_LIST Args; + BOOLEAN Result; + + VA_START (Args, X509Stack); + Result = X509ConstructCertificateStackV (X509Stack, Args); + VA_END (Args); + return Result; +} + +/** + Release the specified X509 object. + + If X509Cert is NULL, then return FALSE. + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +X509Free ( + IN VOID *X509Cert + ) +{ + // + // Check input parameters. + // + if (X509Cert == NULL) { + return; + } + + // + // Free OpenSSL X509 object. + // + X509_free ((X509 *) X509Cert); +} + +/** + Release the specified X509 stack object. + + If X509Stack is NULL, then return FALSE. + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +X509StackFree ( + IN VOID *X509Stack + ) +{ + // + // Check input parameters. + // + if (X509Stack == NULL) { + return; + } + + // + // Free OpenSSL X509 stack object. + // + sk_X509_pop_free ((STACK_OF(X509) *) X509Stack, X509_free); +} + +/** + Retrieve the subject bytes from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + If Cert is NULL, then return FALSE. + If SubjectSize is NULL, then return FALSE. + + @retval TRUE The certificate subject retrieved successfully. + @retval FALSE Invalid certificate, or the SubjectSize is too small for the result. + The SubjectSize will be updated with the required size. + +**/ +BOOLEAN +EFIAPI +X509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + UINTN X509NameSize; + + // + // Check input parameters. + // + if (Cert == NULL || SubjectSize == NULL) { + return FALSE; + } + + X509Cert = NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); + if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; + goto _Exit; + } + + Status = FALSE; + + // + // Retrieve subject name from certificate object. + // + X509Name = X509_get_subject_name (X509Cert); + if (X509Name == NULL) { + goto _Exit; + } + + X509NameSize = i2d_X509_NAME(X509Name, NULL); + if (*SubjectSize < X509NameSize) { + *SubjectSize = X509NameSize; + goto _Exit; + } + *SubjectSize = X509NameSize; + if (CertSubject != NULL) { + i2d_X509_NAME(X509Name, &CertSubject); + Status = TRUE; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert != NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve a string from one X.509 certificate base on the Request_NID. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] Request_NID NID of string to obtain + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no NID Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +STATIC +RETURN_STATUS +InternalX509GetNIDName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN INT32 Request_NID, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + RETURN_STATUS ReturnStatus; + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + INT32 Index; + INTN Length; + X509_NAME_ENTRY *Entry; + ASN1_STRING *EntryData; + UINT8 *UTF8Name; + + ReturnStatus = RETURN_INVALID_PARAMETER; + UTF8Name = NULL; + + // + // Check input parameters. + // + if ((Cert == NULL) || (CertSize > INT_MAX) || (CommonNameSize == NULL)) { + return ReturnStatus; + } + if ((CommonName != NULL) && (*CommonNameSize == 0)) { + return ReturnStatus; + } + + X509Cert = NULL; + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); + if ((X509Cert == NULL) || (!Status)) { + // + // Invalid X.509 Certificate + // + goto _Exit; + } + + Status = FALSE; + + // + // Retrieve subject name from certificate object. + // + X509Name = X509_get_subject_name (X509Cert); + if (X509Name == NULL) { + // + // Fail to retrieve subject name content + // + goto _Exit; + } + + // + // Retrive the string from X.509 Subject base on the Request_NID + // + Index = X509_NAME_get_index_by_NID (X509Name, Request_NID, -1); + if (Index < 0) { + // + // No Request_NID name entry exists in X509_NAME object + // + *CommonNameSize = 0; + ReturnStatus = RETURN_NOT_FOUND; + goto _Exit; + } + + Entry = X509_NAME_get_entry (X509Name, Index); + if (Entry == NULL) { + // + // Fail to retrieve name entry data + // + *CommonNameSize = 0; + ReturnStatus = RETURN_NOT_FOUND; + goto _Exit; + } + + EntryData = X509_NAME_ENTRY_get_data (Entry); + + Length = ASN1_STRING_to_UTF8 (&UTF8Name, EntryData); + if (Length < 0) { + // + // Fail to convert the Name string + // + *CommonNameSize = 0; + ReturnStatus = RETURN_INVALID_PARAMETER; + goto _Exit; + } + + if (CommonName == NULL) { + *CommonNameSize = Length + 1; + ReturnStatus = RETURN_BUFFER_TOO_SMALL; + } else { + *CommonNameSize = MIN ((UINTN)Length, *CommonNameSize - 1) + 1; + CopyMem (CommonName, UTF8Name, *CommonNameSize - 1); + CommonName[*CommonNameSize - 1] = '\0'; + ReturnStatus = RETURN_SUCCESS; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert != NULL) { + X509_free (X509Cert); + } + if (UTF8Name != NULL) { + OPENSSL_free (UTF8Name); + } + + return ReturnStatus; +} + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string. At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + return InternalX509GetNIDName (Cert, CertSize, NID_commonName, CommonName, CommonNameSize); +} + +/** + Retrieve the organization name (O) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate Organization Name retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If NameBufferSize is NULL. + If NameBuffer is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no Organization Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the NameBuffer is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ) +{ + return InternalX509GetNIDName (Cert, CertSize, NID_organizationName, NameBuffer, NameBufferSize); +} + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + If Cert is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + + @retval TRUE RSA Public Key was retrieved successfully. + @retval FALSE Fail to retrieve RSA public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +RsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ) +{ + BOOLEAN Status; + EVP_PKEY *Pkey; + X509 *X509Cert; + + // + // Check input parameters. + // + if (Cert == NULL || RsaContext == NULL) { + return FALSE; + } + + Pkey = NULL; + X509Cert = NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); + if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; + goto _Exit; + } + + Status = FALSE; + + // + // Retrieve and check EVP_PKEY data from X509 Certificate. + // + Pkey = X509_get_pubkey (X509Cert); + if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) { + goto _Exit; + } + + // + // Duplicate RSA Context from the retrieved EVP_PKEY. + // + if ((*RsaContext = RSAPublicKey_dup (EVP_PKEY_get0_RSA (Pkey))) != NULL) { + Status = TRUE; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert != NULL) { + X509_free (X509Cert); + } + + if (Pkey != NULL) { + EVP_PKEY_free (Pkey); + } + + return Status; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + If Cert is NULL, then return FALSE. + If CACert is NULL, then return FALSE. + + @retval TRUE The certificate was issued by the trusted CA. + @retval FALSE Invalid certificate or the certificate was not issued by the given + trusted CA. + +**/ +BOOLEAN +EFIAPI +X509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + X509 *X509CACert; + X509_STORE *CertStore; + X509_STORE_CTX *CertCtx; + + // + // Check input parameters. + // + if (Cert == NULL || CACert == NULL) { + return FALSE; + } + + Status = FALSE; + X509Cert = NULL; + X509CACert = NULL; + CertStore = NULL; + CertCtx = NULL; + + // + // Register & Initialize necessary digest algorithms for certificate verification. + // + if (EVP_add_digest (EVP_md5 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + goto _Exit; + } + + // + // Read DER-encoded certificate to be verified and Construct X509 object. + // + Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); + if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; + goto _Exit; + } + + // + // Read DER-encoded root certificate and Construct X509 object. + // + Status = X509ConstructCertificate (CACert, CACertSize, (UINT8 **) &X509CACert); + if ((X509CACert == NULL) || (!Status)) { + Status = FALSE; + goto _Exit; + } + + Status = FALSE; + + // + // Set up X509 Store for trusted certificate. + // + CertStore = X509_STORE_new (); + if (CertStore == NULL) { + goto _Exit; + } + if (!(X509_STORE_add_cert (CertStore, X509CACert))) { + goto _Exit; + } + + // + // Allow partial certificate chains, terminated by a non-self-signed but + // still trusted intermediate certificate. Also disable time checks. + // + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); + + // + // Set up X509_STORE_CTX for the subsequent verification operation. + // + CertCtx = X509_STORE_CTX_new (); + if (CertCtx == NULL) { + goto _Exit; + } + if (!X509_STORE_CTX_init (CertCtx, CertStore, X509Cert, NULL)) { + goto _Exit; + } + + // + // X509 Certificate Verification. + // + Status = (BOOLEAN) X509_verify_cert (CertCtx); + X509_STORE_CTX_cleanup (CertCtx); + +_Exit: + // + // Release Resources. + // + if (X509Cert != NULL) { + X509_free (X509Cert); + } + + if (X509CACert != NULL) { + X509_free (X509CACert); + } + + if (CertStore != NULL) { + X509_STORE_free (CertStore); + } + + X509_STORE_CTX_free (CertCtx); + + return Status; +} + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + If Cert is NULL, then return FALSE. + If TBSCert is NULL, then return FALSE. + If TBSCertSize is NULL, then return FALSE. + + @retval TRUE The TBSCertificate was retrieved successfully. + @retval FALSE Invalid X.509 certificate. + +**/ +BOOLEAN +EFIAPI +X509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ) +{ + CONST UINT8 *Temp; + UINT32 Asn1Tag; + UINT32 ObjClass; + UINTN Length; + + // + // Check input parameters. + // + if ((Cert == NULL) || (TBSCert == NULL) || + (TBSCertSize == NULL) || (CertSize > INT_MAX)) { + return FALSE; + } + + // + // An X.509 Certificate is: (defined in RFC3280) + // Certificate ::= SEQUENCE { + // tbsCertificate TBSCertificate, + // signatureAlgorithm AlgorithmIdentifier, + // signature BIT STRING } + // + // and + // + // TBSCertificate ::= SEQUENCE { + // version [0] Version DEFAULT v1, + // ... + // } + // + // So we can just ASN1-parse the x.509 DER-encoded data. If we strip + // the first SEQUENCE, the second SEQUENCE is the TBSCertificate. + // + Temp = Cert; + Length = 0; + ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)CertSize); + + if (Asn1Tag != V_ASN1_SEQUENCE) { + return FALSE; + } + + *TBSCert = (UINT8 *)Temp; + + ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)Length); + // + // Verify the parsed TBSCertificate is one correct SEQUENCE data. + // + if (Asn1Tag != V_ASN1_SEQUENCE) { + return FALSE; + } + + *TBSCertSize = Length + (Temp - *TBSCert); + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c new file mode 100644 index 00000000..fb4c7a36 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -0,0 +1,294 @@ +/** @file + X.509 Certificate Handler Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Construct a X509 object from DER-encoded certificate data. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +X509Free ( + IN VOID *X509Cert + ) +{ + ASSERT (FALSE); +} + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +X509StackFree ( + IN VOID *X509Stack + ) +{ + ASSERT (FALSE); +} + +/** + Retrieve the subject bytes from one X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + +/** + Retrieve the organization name (ON) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c new file mode 100644 index 00000000..31b08b7a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c @@ -0,0 +1,104 @@ +/** @file + Pseudorandom Number Generator Wrapper Implementation over OpenSSL. + +Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include + +// +// Default seed for UEFI Crypto Library +// +CONST UINT8 DefaultSeed[] = "UEFI Crypto Library default seed"; + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + if (SeedSize > INT_MAX) { + return FALSE; + } + + // + // The software PRNG implementation built in OpenSSL depends on message digest algorithm. + // Make sure SHA-1 digest algorithm is available here. + // + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + + // + // Seed the pseudorandom number generator with user-supplied value. + // NOTE: A cryptographic PRNG must be seeded with unpredictable data. + // + if (Seed != NULL) { + RAND_seed (Seed, (UINT32) SeedSize); + } else { + RAND_seed (DefaultSeed, sizeof (DefaultSeed)); + } + + if (RAND_status () == 1) { + return TRUE; + } + + return FALSE; +} + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + // + // Check input parameters. + // + if (Output == NULL || Size > INT_MAX) { + return FALSE; + } + + // + // Generate random data. + // + if (RAND_bytes (Output, (UINT32) Size) != 1) { + return FALSE; + } + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandNull.c new file mode 100644 index 00000000..7eb080bb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandNull.c @@ -0,0 +1,57 @@ +/** @file + Pseudorandom Number Generator Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + + +/** + Sets up the seed value for the pseudorandom number generator. + + Return FALSE to indicate this interface is not supported. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates a pseudorandom byte stream of the specified size. + + Return FALSE to indicate this interface is not supported. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c new file mode 100644 index 00000000..696cf935 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c @@ -0,0 +1,112 @@ +/** @file + Pseudorandom Number Generator Wrapper Implementation over OpenSSL. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" +#include +#include +#include + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + CHAR8 DefaultSeed[128]; + + if (SeedSize > INT_MAX) { + return FALSE; + } + + // + // The software PRNG implementation built in OpenSSL depends on message digest algorithm. + // Make sure SHA-1 digest algorithm is available here. + // + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + + // + // Seed the pseudorandom number generator with user-supplied value. + // NOTE: A cryptographic PRNG must be seeded with unpredictable data. + // + if (Seed != NULL) { + RAND_seed (Seed, (UINT32) SeedSize); + } else { + // + // Retrieve current time. + // + AsciiSPrint ( + DefaultSeed, + sizeof (DefaultSeed), + "UEFI Crypto Library default seed (%ld)", + AsmReadTsc () + ); + + RAND_seed (DefaultSeed, sizeof (DefaultSeed)); + } + + if (RAND_status () == 1) { + return TRUE; + } + + return FALSE; +} + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + // + // Check input parameters. + // + if (Output == NULL || Size > INT_MAX) { + return FALSE; + } + + // + // Generate random data. + // + if (RAND_bytes (Output, (UINT32) Size) != 1) { + return FALSE; + } + + return TRUE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf new file mode 100644 index 00000000..62d8f60b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf @@ -0,0 +1,113 @@ +## @file +# Cryptographic Library Instance for DXE_RUNTIME_DRIVER. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Note: SHA-384 Digest functions, SHA-512 Digest functions, +# HMAC-SHA256 functions, AES functions, RSA external +# functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and +# authenticode signature verification functions are not supported in this instance. +# +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = RuntimeCryptLib + MODULE_UNI_FILE = RuntimeCryptLib.uni + FILE_GUID = 78189cc0-727d-46a4-84ea-f7dd860de64a + MODULE_TYPE = DXE_RUNTIME_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib|DXE_RUNTIME_DRIVER + CONSTRUCTOR = RuntimeCryptLibConstructor + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5.c + Hash/CryptSha1.c + Hash/CryptSha256.c + Hash/CryptSm3.c + Hash/CryptSha512Null.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c + Cipher/CryptAes.c + Pk/CryptRsaBasic.c + Pk/CryptRsaExtNull.c + Pk/CryptPkcs1OaepNull.c + Pk/CryptPkcs5Pbkdf2Null.c + Pk/CryptPkcs7SignNull.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyRuntime.c + Pk/CryptPkcs7VerifyEkuRuntime.c + Pk/CryptDhNull.c + Pk/CryptX509.c + Pk/CryptAuthenticodeNull.c + Pk/CryptTsNull.c + Pk/CryptRsaPssNull.c + Pk/CryptRsaPssSignNull.c + Pem/CryptPem.c + + SysCall/CrtWrapper.c + SysCall/TimerWrapper.c + SysCall/RuntimeMemAllocation.c + +[Sources.Ia32] + Rand/CryptRandTsc.c + +[Sources.X64] + Rand/CryptRandTsc.c + +[Sources.ARM] + Rand/CryptRand.c + +[Sources.AARCH64] + Rand/CryptRand.c + +[Sources.RISCV64] + Rand/CryptRand.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + UefiBootServicesTableLib + UefiRuntimeServicesTableLib + DebugLib + OpensslLib + IntrinsicLib + PrintLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # + MSFT:*_*_*_CC_FLAGS = /wd4090 + + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types + + XCODE:*_*_*_CC_FLAGS = -std=c99 diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni new file mode 100644 index 00000000..0cf378c5 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni @@ -0,0 +1,24 @@ +// /** @file +// Cryptographic Library Instance for DXE_RUNTIME_DRIVER. +// +// Caution: This module requires additional review when modified. +// This library will have external input - signature. +// This external input must be validated carefully to avoid security issues such as +// buffer overflow or integer overflow. +// +// Note: AES +// functions, RSA external functions, PKCS#7 SignedData sign functions, +// Diffie-Hellman functions, and authenticode signature verification functions are +// not supported in this instance. +// +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER" + +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf new file mode 100644 index 00000000..caa66399 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -0,0 +1,103 @@ +## @file +# Cryptographic Library Instance for SMM driver. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Note: SHA-384 Digest functions, SHA-512 Digest functions, +# RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and +# authenticode signature verification functions are not supported in this instance. +# +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SmmCryptLib + MODULE_UNI_FILE = SmmCryptLib.uni + FILE_GUID = 028080a3-8958-4a62-a1a8-0fa1da162007 + MODULE_TYPE = DXE_SMM_DRIVER + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x0001000A + LIBRARY_CLASS = BaseCryptLib|DXE_SMM_DRIVER SMM_CORE MM_STANDALONE + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5.c + Hash/CryptSha1.c + Hash/CryptSha256.c + Hash/CryptSm3.c + Hash/CryptSha512Null.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdfNull.c + Cipher/CryptAes.c + Pk/CryptRsaBasic.c + Pk/CryptRsaExtNull.c + Pk/CryptPkcs1Oaep.c + Pk/CryptPkcs5Pbkdf2.c + Pk/CryptPkcs7SignNull.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7VerifyEku.c + Pk/CryptDhNull.c + Pk/CryptX509.c + Pk/CryptAuthenticodeNull.c + Pk/CryptTsNull.c + Pk/CryptRsaPss.c + Pk/CryptRsaPssSignNull.c + Pem/CryptPem.c + + SysCall/CrtWrapper.c + SysCall/ConstantTimeClock.c + SysCall/BaseMemAllocation.c + +[Sources.Ia32] + Rand/CryptRandTsc.c + +[Sources.X64] + Rand/CryptRandTsc.c + +[Sources.ARM] + Rand/CryptRand.c + +[Sources.AARCH64] + Rand/CryptRand.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + IoLib + BaseMemoryLib + MemoryAllocationLib + OpensslLib + IntrinsicLib + PrintLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # + MSFT:*_*_*_CC_FLAGS = /wd4090 + + XCODE:*_*_*_CC_FLAGS = -mmmx -msse -std=c99 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni new file mode 100644 index 00000000..f0c33abb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni @@ -0,0 +1,24 @@ +// /** @file +// Cryptographic Library Instance for SMM driver. +// +// Caution: This module requires additional review when modified. +// This library will have external input - signature. +// This external input must be validated carefully to avoid security issues such as +// buffer overflow or integer overflow. +// +// Note: AES +// functions, RSA external functions, PKCS#7 SignedData sign functions, +// Diffie-Hellman functions, and authenticode signature verification functions are +// not supported in this instance. +// +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Instance for SMM driver" + +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c new file mode 100644 index 00000000..1b1611f3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c @@ -0,0 +1,112 @@ +/** @file + Base Memory Allocation Routines Wrapper for Crypto library over OpenSSL + during PEI & DXE phases. + +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +// +// Extra header to record the memory buffer size from malloc routine. +// +#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d') +typedef struct { + UINT32 Signature; + UINT32 Reserved; + UINTN Size; +} CRYPTMEM_HEAD; + +#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD) + +// +// -- Memory-Allocation Routines -- +// + +/* Allocates memory blocks */ +void *malloc (size_t size) +{ + CRYPTMEM_HEAD *PoolHdr; + UINTN NewSize; + VOID *Data; + + // + // Adjust the size by the buffer header overhead + // + NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD; + + Data = AllocatePool (NewSize); + if (Data != NULL) { + PoolHdr = (CRYPTMEM_HEAD *)Data; + // + // Record the memory brief information + // + PoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE; + PoolHdr->Size = size; + + return (VOID *)(PoolHdr + 1); + } else { + // + // The buffer allocation failed. + // + return NULL; + } +} + +/* Reallocate memory blocks */ +void *realloc (void *ptr, size_t size) +{ + CRYPTMEM_HEAD *OldPoolHdr; + CRYPTMEM_HEAD *NewPoolHdr; + UINTN OldSize; + UINTN NewSize; + VOID *Data; + + NewSize = (UINTN)size + CRYPTMEM_OVERHEAD; + Data = AllocatePool (NewSize); + if (Data != NULL) { + NewPoolHdr = (CRYPTMEM_HEAD *)Data; + NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE; + NewPoolHdr->Size = size; + if (ptr != NULL) { + // + // Retrieve the original size from the buffer header. + // + OldPoolHdr = (CRYPTMEM_HEAD *)ptr - 1; + ASSERT (OldPoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE); + OldSize = OldPoolHdr->Size; + + // + // Duplicate the buffer content. + // + CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size)); + FreePool ((VOID *)OldPoolHdr); + } + + return (VOID *)(NewPoolHdr + 1); + } else { + // + // The buffer allocation failed. + // + return NULL; + } +} + +/* De-allocates or frees a memory block */ +void free (void *ptr) +{ + CRYPTMEM_HEAD *PoolHdr; + + // + // In Standard C, free() handles a null pointer argument transparently. This + // is not true of FreePool() below, so protect it. + // + if (ptr != NULL) { + PoolHdr = (CRYPTMEM_HEAD *)ptr - 1; + ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE); + FreePool (PoolHdr); + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/ConstantTimeClock.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/ConstantTimeClock.c new file mode 100644 index 00000000..bf6b4136 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/ConstantTimeClock.c @@ -0,0 +1,37 @@ +/** @file + C Run-Time Libraries (CRT) Time Management Routines Wrapper Implementation + for OpenSSL-based Cryptographic Library. + + This C file implements constant time value for time() and NULL for gmtime() + thus should not be used in library instances which require functionality + of following APIs which need system time support: + 1) RsaGenerateKey + 2) RsaCheckKey + 3) RsaPkcs1Sign + 4) Pkcs7Sign + 5) DhGenerateParameter + 6) DhGenerateKey + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +// +// -- Time Management Routines -- +// + +time_t time (time_t *timer) +{ + if (timer != NULL) { + *timer = 0; + } + return 0; +} + +struct tm * gmtime (const time_t *timer) +{ + return NULL; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c new file mode 100644 index 00000000..0c9ac39e --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c @@ -0,0 +1,473 @@ +/** @file + C Run-Time Libraries (CRT) Wrapper Implementation for OpenSSL-based + Cryptographic Library. + +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +int errno = 0; + +FILE *stderr = NULL; +FILE *stdin = NULL; +FILE *stdout = NULL; + +typedef +int +(*SORT_COMPARE)( + IN VOID *Buffer1, + IN VOID *Buffer2 + ); + +// +// Duplicated from EDKII BaseSortLib for qsort() wrapper +// +STATIC +VOID +QuickSortWorker ( + IN OUT VOID *BufferToSort, + IN CONST UINTN Count, + IN CONST UINTN ElementSize, + IN SORT_COMPARE CompareFunction, + IN VOID *Buffer + ) +{ + VOID *Pivot; + UINTN LoopCount; + UINTN NextSwapLocation; + + ASSERT(BufferToSort != NULL); + ASSERT(CompareFunction != NULL); + ASSERT(Buffer != NULL); + + if (Count < 2 || ElementSize < 1) { + return; + } + + NextSwapLocation = 0; + + // + // Pick a pivot (we choose last element) + // + Pivot = ((UINT8 *)BufferToSort + ((Count - 1) * ElementSize)); + + // + // Now get the pivot such that all on "left" are below it + // and everything "right" are above it + // + for (LoopCount = 0; LoopCount < Count - 1; LoopCount++) + { + // + // If the element is less than the pivot + // + if (CompareFunction ((VOID *)((UINT8 *)BufferToSort + ((LoopCount) * ElementSize)), Pivot) <= 0) { + // + // Swap + // + CopyMem (Buffer, (UINT8 *)BufferToSort + (NextSwapLocation * ElementSize), ElementSize); + CopyMem ((UINT8 *)BufferToSort + (NextSwapLocation * ElementSize), (UINT8 *)BufferToSort + ((LoopCount) * ElementSize), ElementSize); + CopyMem ((UINT8 *)BufferToSort + ((LoopCount) * ElementSize), Buffer, ElementSize); + + // + // Increment NextSwapLocation + // + NextSwapLocation++; + } + } + // + // Swap pivot to its final position (NextSwapLocation) + // + CopyMem (Buffer, Pivot, ElementSize); + CopyMem (Pivot, (UINT8 *)BufferToSort + (NextSwapLocation * ElementSize), ElementSize); + CopyMem ((UINT8 *)BufferToSort + (NextSwapLocation * ElementSize), Buffer, ElementSize); + + // + // Now recurse on 2 partial lists. Neither of these will have the 'pivot' element. + // IE list is sorted left half, pivot element, sorted right half... + // + QuickSortWorker ( + BufferToSort, + NextSwapLocation, + ElementSize, + CompareFunction, + Buffer + ); + + QuickSortWorker ( + (UINT8 *)BufferToSort + (NextSwapLocation + 1) * ElementSize, + Count - NextSwapLocation - 1, + ElementSize, + CompareFunction, + Buffer + ); + + return; +} + +//--------------------------------------------------------- +// Standard C Run-time Library Interface Wrapper +//--------------------------------------------------------- + +// +// -- String Manipulation Routines -- +// + +char *strchr(const char *str, int ch) +{ + return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch); +} + +/* Scan a string for the last occurrence of a character */ +char *strrchr (const char *str, int c) +{ + char * save; + + for (save = NULL; ; ++str) { + if (*str == c) { + save = (char *)str; + } + if (*str == 0) { + return (save); + } + } +} + +/* Compare first n bytes of string s1 with string s2, ignoring case */ +int strncasecmp (const char *s1, const char *s2, size_t n) +{ + int Val; + + ASSERT(s1 != NULL); + ASSERT(s2 != NULL); + + if (n != 0) { + do { + Val = tolower(*s1) - tolower(*s2); + if (Val != 0) { + return Val; + } + ++s1; + ++s2; + if (*s1 == '\0') { + break; + } + } while (--n != 0); + } + return 0; +} + +/* Read formatted data from a string */ +int sscanf (const char *buffer, const char *format, ...) +{ + // + // Null sscanf() function implementation to satisfy the linker, since + // no direct functionality logic dependency in present UEFI cases. + // + return 0; +} + +/* Maps errnum to an error-message string */ +char * strerror (int errnum) +{ + return NULL; +} + +/* Computes the length of the maximum initial segment of the string pointed to by s1 + which consists entirely of characters from the string pointed to by s2. */ +size_t strspn (const char *s1 , const char *s2) +{ + UINT8 Map[32]; + UINT32 Index; + size_t Count; + + for (Index = 0; Index < 32; Index++) { + Map[Index] = 0; + } + + while (*s2) { + Map[*s2 >> 3] |= (1 << (*s2 & 7)); + s2++; + } + + if (*s1) { + Count = 0; + while (Map[*s1 >> 3] & (1 << (*s1 & 7))) { + Count++; + s1++; + } + + return Count; + } + + return 0; +} + +/* Computes the length of the maximum initial segment of the string pointed to by s1 + which consists entirely of characters not from the string pointed to by s2. */ +size_t strcspn (const char *s1, const char *s2) +{ + UINT8 Map[32]; + UINT32 Index; + size_t Count; + + for (Index = 0; Index < 32; Index++) { + Map[Index] = 0; + } + + while (*s2) { + Map[*s2 >> 3] |= (1 << (*s2 & 7)); + s2++; + } + + Map[0] |= 1; + + Count = 0; + while (!(Map[*s1 >> 3] & (1 << (*s1 & 7)))) { + Count ++; + s1++; + } + + return Count; +} + +// +// -- Character Classification Routines -- +// + +/* Determines if a particular character is a decimal-digit character */ +int isdigit (int c) +{ + // + // ::= [0-9] + // + return (('0' <= (c)) && ((c) <= '9')); +} + +/* Determine if an integer represents character that is a hex digit */ +int isxdigit (int c) +{ + // + // ::= [0-9] | [a-f] | [A-F] + // + return ((('0' <= (c)) && ((c) <= '9')) || + (('a' <= (c)) && ((c) <= 'f')) || + (('A' <= (c)) && ((c) <= 'F'))); +} + +/* Determines if a particular character represents a space character */ +int isspace (int c) +{ + // + // ::= [ ] + // + return ((c) == ' '); +} + +/* Determine if a particular character is an alphanumeric character */ +int isalnum (int c) +{ + // + // ::= [0-9] | [a-z] | [A-Z] + // + return ((('0' <= (c)) && ((c) <= '9')) || + (('a' <= (c)) && ((c) <= 'z')) || + (('A' <= (c)) && ((c) <= 'Z'))); +} + +/* Determines if a particular character is in upper case */ +int isupper (int c) +{ + // + // := [A-Z] + // + return (('A' <= (c)) && ((c) <= 'Z')); +} + +// +// -- Data Conversion Routines -- +// + +/* Convert strings to a long-integer value */ +long strtol (const char *nptr, char **endptr, int base) +{ + // + // Null strtol() function implementation to satisfy the linker, since there is + // no direct functionality logic dependency in present UEFI cases. + // + return 0; +} + +/* Convert strings to an unsigned long-integer value */ +unsigned long strtoul (const char *nptr, char **endptr, int base) +{ + // + // Null strtoul() function implementation to satisfy the linker, since there is + // no direct functionality logic dependency in present UEFI cases. + // + return 0; +} + +/* Convert character to lowercase */ +int tolower (int c) +{ + if (('A' <= (c)) && ((c) <= 'Z')) { + return (c - ('A' - 'a')); + } + return (c); +} + +// +// -- Searching and Sorting Routines -- +// + +/* Performs a quick sort */ +void qsort (void *base, size_t num, size_t width, int (*compare)(const void *, const void *)) +{ + VOID *Buffer; + + ASSERT (base != NULL); + ASSERT (compare != NULL); + + // + // Use CRT-style malloc to cover BS and RT memory allocation. + // + Buffer = malloc (width); + ASSERT (Buffer != NULL); + + // + // Re-use PerformQuickSort() function Implementation in EDKII BaseSortLib. + // + QuickSortWorker (base, (UINTN)num, (UINTN)width, (SORT_COMPARE)compare, Buffer); + + free (Buffer); + return; +} + +// +// -- Process and Environment Control Routines -- +// + +/* Get a value from the current environment */ +char *getenv (const char *varname) +{ + // + // Null getenv() function implementation to satisfy the linker, since there is + // no direct functionality logic dependency in present UEFI cases. + // + return NULL; +} + +/* Get a value from the current environment */ +char *secure_getenv (const char *varname) +{ + // + // Null secure_getenv() function implementation to satisfy the linker, since + // there is no direct functionality logic dependency in present UEFI cases. + // + // From the secure_getenv() manual: 'just like getenv() except that it + // returns NULL in cases where "secure execution" is required'. + // + return NULL; +} + +// +// -- Stream I/O Routines -- +// + +/* Write data to a stream */ +size_t fwrite (const void *buffer, size_t size, size_t count, FILE *stream) +{ + return 0; +} + +// +// -- Dummy OpenSSL Support Routines -- +// + +int BIO_printf (void *bio, const char *format, ...) +{ + return 0; +} + +int BIO_snprintf(char *buf, size_t n, const char *format, ...) +{ + return 0; +} + +#ifdef __GNUC__ + +typedef +VOID +(EFIAPI *NoReturnFuncPtr)( + VOID + ) __attribute__((__noreturn__)); + +STATIC +VOID +EFIAPI +NopFunction ( + VOID + ) +{ +} + +void abort (void) +{ + NoReturnFuncPtr NoReturnFunc; + + NoReturnFunc = (NoReturnFuncPtr) NopFunction; + + NoReturnFunc (); +} + +#else + +void abort (void) +{ + // Do nothing +} + +#endif + +int fclose (FILE *f) +{ + return 0; +} + +FILE *fopen (const char *c, const char *m) +{ + return NULL; +} + +size_t fread (void *b, size_t c, size_t i, FILE *f) +{ + return 0; +} + +uid_t getuid (void) +{ + return 0; +} + +uid_t geteuid (void) +{ + return 0; +} + +gid_t getgid (void) +{ + return 0; +} + +gid_t getegid (void) +{ + return 0; +} + +int printf (char const *fmt, ...) +{ + return 0; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c new file mode 100644 index 00000000..d90cdd4d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c @@ -0,0 +1,455 @@ +/** @file + Light-weight Memory Management Routines for OpenSSL-based Crypto + Library at Runtime Phase. + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include + +//---------------------------------------------------------------- +// Initial version. Needs further optimizations. +//---------------------------------------------------------------- + +// +// Definitions for Runtime Memory Operations +// +#define RT_PAGE_SIZE 0x200 +#define RT_PAGE_MASK 0x1FF +#define RT_PAGE_SHIFT 9 + +#define RT_SIZE_TO_PAGES(a) (((a) >> RT_PAGE_SHIFT) + (((a) & RT_PAGE_MASK) ? 1 : 0)) +#define RT_PAGES_TO_SIZE(a) ((a) << RT_PAGE_SHIFT) + +// +// Page Flag Definitions +// +#define RT_PAGE_FREE 0x00000000 +#define RT_PAGE_USED 0x00000001 + +#define MIN_REQUIRED_BLOCKS 600 + +// +// Memory Page Table +// +typedef struct { + UINTN StartPageOffset; // Offset of the starting page allocated. + // Only available for USED pages. + UINT32 PageFlag; // Page Attributes. +} RT_MEMORY_PAGE_ENTRY; + +typedef struct { + UINTN PageCount; + UINTN LastEmptyPageOffset; + UINT8 *DataAreaBase; // Pointer to data Area. + RT_MEMORY_PAGE_ENTRY Pages[1]; // Page Table Entries. +} RT_MEMORY_PAGE_TABLE; + +// +// Global Page Table for Runtime Cryptographic Provider. +// +RT_MEMORY_PAGE_TABLE *mRTPageTable = NULL; + +// +// Event for Runtime Address Conversion. +// +STATIC EFI_EVENT mVirtualAddressChangeEvent; + + +/** + Initializes pre-allocated memory pointed by ScratchBuffer for subsequent + runtime use. + + @param[in, out] ScratchBuffer Pointer to user-supplied memory buffer. + @param[in] ScratchBufferSize Size of supplied buffer in bytes. + + @retval EFI_SUCCESS Successful initialization. + +**/ +EFI_STATUS +InitializeScratchMemory ( + IN OUT UINT8 *ScratchBuffer, + IN UINTN ScratchBufferSize + ) +{ + UINTN Index; + UINTN MemorySize; + + // + // Parameters Checking + // + if (ScratchBuffer == NULL) { + return EFI_INVALID_PARAMETER; + } + + if (ScratchBufferSize < MIN_REQUIRED_BLOCKS * 1024) { + return EFI_BUFFER_TOO_SMALL; + } + + mRTPageTable = (RT_MEMORY_PAGE_TABLE *)ScratchBuffer; + + // + // Initialize Internal Page Table for Memory Management + // + SetMem (mRTPageTable, ScratchBufferSize, 0xFF); + MemorySize = ScratchBufferSize - sizeof (RT_MEMORY_PAGE_TABLE) + sizeof (RT_MEMORY_PAGE_ENTRY); + + mRTPageTable->PageCount = MemorySize / (RT_PAGE_SIZE + sizeof (RT_MEMORY_PAGE_ENTRY)); + mRTPageTable->LastEmptyPageOffset = 0x0; + + for (Index = 0; Index < mRTPageTable->PageCount; Index++) { + mRTPageTable->Pages[Index].PageFlag = RT_PAGE_FREE; + mRTPageTable->Pages[Index].StartPageOffset = 0; + } + + mRTPageTable->DataAreaBase = ScratchBuffer + sizeof (RT_MEMORY_PAGE_TABLE) + + (mRTPageTable->PageCount - 1) * sizeof (RT_MEMORY_PAGE_ENTRY); + + return EFI_SUCCESS; +} + + +/** + Look-up Free memory Region for object allocation. + + @param[in] AllocationSize Bytes to be allocated. + + @return Return available page offset for object allocation. + +**/ +UINTN +LookupFreeMemRegion ( + IN UINTN AllocationSize + ) +{ + UINTN StartPageIndex; + UINTN Index; + UINTN SubIndex; + UINTN ReqPages; + + StartPageIndex = RT_SIZE_TO_PAGES (mRTPageTable->LastEmptyPageOffset); + ReqPages = RT_SIZE_TO_PAGES (AllocationSize); + if (ReqPages > mRTPageTable->PageCount) { + // + // No enough region for object allocation. + // + return (UINTN)(-1); + } + + // + // Look up the free memory region with in current memory map table. + // + for (Index = StartPageIndex; Index <= (mRTPageTable->PageCount - ReqPages); ) { + // + // Check consecutive ReqPages pages. + // + for (SubIndex = 0; SubIndex < ReqPages; SubIndex++) { + if ((mRTPageTable->Pages[SubIndex + Index].PageFlag & RT_PAGE_USED) != 0) { + break; + } + } + + if (SubIndex == ReqPages) { + // + // Succeed! Return the Starting Offset. + // + return RT_PAGES_TO_SIZE (Index); + } + + // + // Failed! Skip current free memory pages and adjacent Used pages + // + while ((mRTPageTable->Pages[SubIndex + Index].PageFlag & RT_PAGE_USED) != 0) { + SubIndex++; + } + + Index += SubIndex; + } + + // + // Look up the free memory region from the beginning of the memory table + // until the StartCursorOffset + // + if (ReqPages > StartPageIndex) { + // + // No enough region for object allocation. + // + return (UINTN)(-1); + } + for (Index = 0; Index < (StartPageIndex - ReqPages); ) { + // + // Check Consecutive ReqPages Pages. + // + for (SubIndex = 0; SubIndex < ReqPages; SubIndex++) { + if ((mRTPageTable->Pages[SubIndex + Index].PageFlag & RT_PAGE_USED) != 0) { + break; + } + } + + if (SubIndex == ReqPages) { + // + // Succeed! Return the Starting Offset. + // + return RT_PAGES_TO_SIZE (Index); + } + + // + // Failed! Skip current adjacent Used pages + // + while ((SubIndex < (StartPageIndex - ReqPages)) && + ((mRTPageTable->Pages[SubIndex + Index].PageFlag & RT_PAGE_USED) != 0)) { + SubIndex++; + } + + Index += SubIndex; + } + + // + // No available region for object allocation! + // + return (UINTN)(-1); +} + + +/** + Allocates a buffer at runtime phase. + + @param[in] AllocationSize Bytes to be allocated. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +RuntimeAllocateMem ( + IN UINTN AllocationSize + ) +{ + UINT8 *AllocPtr; + UINTN ReqPages; + UINTN Index; + UINTN StartPage; + UINTN AllocOffset; + + AllocPtr = NULL; + ReqPages = 0; + + // + // Look for available consecutive memory region starting from LastEmptyPageOffset. + // If no proper memory region found, look up from the beginning. + // If still not found, return NULL to indicate failed allocation. + // + AllocOffset = LookupFreeMemRegion (AllocationSize); + if (AllocOffset == (UINTN)(-1)) { + return NULL; + } + + // + // Allocates consecutive memory pages with length of Size. Update the page + // table status. Returns the starting address. + // + ReqPages = RT_SIZE_TO_PAGES (AllocationSize); + AllocPtr = mRTPageTable->DataAreaBase + AllocOffset; + StartPage = RT_SIZE_TO_PAGES (AllocOffset); + Index = 0; + while (Index < ReqPages) { + mRTPageTable->Pages[StartPage + Index].PageFlag |= RT_PAGE_USED; + mRTPageTable->Pages[StartPage + Index].StartPageOffset = AllocOffset; + + Index++; + } + + mRTPageTable->LastEmptyPageOffset = AllocOffset + RT_PAGES_TO_SIZE (ReqPages); + + ZeroMem (AllocPtr, AllocationSize); + + // + // Returns a void pointer to the allocated space + // + return AllocPtr; +} + + +/** + Frees a buffer that was previously allocated at runtime phase. + + @param[in] Buffer Pointer to the buffer to free. + +**/ +VOID +RuntimeFreeMem ( + IN VOID *Buffer + ) +{ + UINTN StartOffset; + UINTN StartPageIndex; + + StartOffset = (UINTN)Buffer - (UINTN)mRTPageTable->DataAreaBase; + StartPageIndex = RT_SIZE_TO_PAGES (mRTPageTable->Pages[RT_SIZE_TO_PAGES(StartOffset)].StartPageOffset); + + while (StartPageIndex < mRTPageTable->PageCount) { + if (((mRTPageTable->Pages[StartPageIndex].PageFlag & RT_PAGE_USED) != 0) && + (mRTPageTable->Pages[StartPageIndex].StartPageOffset == StartOffset)) { + // + // Free this page + // + mRTPageTable->Pages[StartPageIndex].PageFlag &= ~RT_PAGE_USED; + mRTPageTable->Pages[StartPageIndex].PageFlag |= RT_PAGE_FREE; + mRTPageTable->Pages[StartPageIndex].StartPageOffset = 0; + + StartPageIndex++; + } else { + break; + } + } + + return; +} + + +/** + Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE. + + This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE + event. It converts a pointer to a new virtual address. + + @param[in] Event The event whose notification function is being invoked. + @param[in] Context The pointer to the notification function's context. + +**/ +VOID +EFIAPI +RuntimeCryptLibAddressChangeEvent ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + // + // Converts a pointer for runtime memory management to a new virtual address. + // + EfiConvertPointer (0x0, (VOID **) &mRTPageTable->DataAreaBase); + EfiConvertPointer (0x0, (VOID **) &mRTPageTable); +} + + +/** + Constructor routine for runtime crypt library instance. + + The constructor function pre-allocates space for runtime cryptographic operation. + + @param ImageHandle The firmware allocated handle for the EFI image. + @param SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The construction succeeded. + @retval EFI_OUT_OF_RESOURCE Failed to allocate memory. + +**/ +EFI_STATUS +EFIAPI +RuntimeCryptLibConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + VOID *Buffer; + + // + // Pre-allocates runtime space for possible cryptographic operations + // + Buffer = AllocateRuntimePool (MIN_REQUIRED_BLOCKS * 1024); + Status = InitializeScratchMemory (Buffer, MIN_REQUIRED_BLOCKS * 1024); + if (EFI_ERROR (Status)) { + return Status; + } + + // + // Create address change event + // + Status = gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + RuntimeCryptLibAddressChangeEvent, + NULL, + &gEfiEventVirtualAddressChangeGuid, + &mVirtualAddressChangeEvent + ); + ASSERT_EFI_ERROR (Status); + + return Status; +} + + +// +// -- Memory-Allocation Routines Wrapper for UEFI-OpenSSL Library -- +// + +/* Allocates memory blocks */ +void *malloc (size_t size) +{ + return RuntimeAllocateMem ((UINTN) size); +} + +/* Reallocate memory blocks */ +void *realloc (void *ptr, size_t size) +{ + VOID *NewPtr; + UINTN StartOffset; + UINTN StartPageIndex; + UINTN PageCount; + + if (ptr == NULL) { + return malloc (size); + } + + // + // Get Original Size of ptr + // + StartOffset = (UINTN)ptr - (UINTN)mRTPageTable->DataAreaBase; + StartPageIndex = RT_SIZE_TO_PAGES (mRTPageTable->Pages[RT_SIZE_TO_PAGES (StartOffset)].StartPageOffset); + PageCount = 0; + while (StartPageIndex < mRTPageTable->PageCount) { + if (((mRTPageTable->Pages[StartPageIndex].PageFlag & RT_PAGE_USED) != 0) && + (mRTPageTable->Pages[StartPageIndex].StartPageOffset == StartOffset)) { + StartPageIndex++; + PageCount++; + } else { + break; + } + } + + if (size <= RT_PAGES_TO_SIZE (PageCount)) { + // + // Return the original pointer, if Caller try to reduce region size; + // + return ptr; + } + + NewPtr = RuntimeAllocateMem ((UINTN) size); + if (NewPtr == NULL) { + return NULL; + } + + CopyMem (NewPtr, ptr, RT_PAGES_TO_SIZE (PageCount)); + + RuntimeFreeMem (ptr); + + return NewPtr; +} + +/* Deallocates or frees a memory block */ +void free (void *ptr) +{ + // + // In Standard C, free() handles a null pointer argument transparently. This + // is not true of RuntimeFreeMem() below, so protect it. + // + if (ptr != NULL) { + RuntimeFreeMem (ptr); + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/TimerWrapper.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/TimerWrapper.c new file mode 100644 index 00000000..eea6379a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/TimerWrapper.c @@ -0,0 +1,168 @@ +/** @file + C Run-Time Libraries (CRT) Time Management Routines Wrapper Implementation + for OpenSSL-based Cryptographic Library (used in DXE & RUNTIME). + +Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +// +// -- Time Management Routines -- +// + +#define IsLeap(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0)) +#define SECSPERMIN (60) +#define SECSPERHOUR (60 * 60) +#define SECSPERDAY (24 * SECSPERHOUR) + +// +// The arrays give the cumulative number of days up to the first of the +// month number used as the index (1 -> 12) for regular and leap years. +// The value at index 13 is for the whole year. +// +UINTN CumulativeDays[2][14] = { + { + 0, + 0, + 31, + 31 + 28, + 31 + 28 + 31, + 31 + 28 + 31 + 30, + 31 + 28 + 31 + 30 + 31, + 31 + 28 + 31 + 30 + 31 + 30, + 31 + 28 + 31 + 30 + 31 + 30 + 31, + 31 + 28 + 31 + 30 + 31 + 30 + 31 + 31, + 31 + 28 + 31 + 30 + 31 + 30 + 31 + 31 + 30, + 31 + 28 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31, + 31 + 28 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31 + 30, + 31 + 28 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31 + 30 + 31 + }, + { + 0, + 0, + 31, + 31 + 29, + 31 + 29 + 31, + 31 + 29 + 31 + 30, + 31 + 29 + 31 + 30 + 31, + 31 + 29 + 31 + 30 + 31 + 30, + 31 + 29 + 31 + 30 + 31 + 30 + 31, + 31 + 29 + 31 + 30 + 31 + 30 + 31 + 31, + 31 + 29 + 31 + 30 + 31 + 30 + 31 + 31 + 30, + 31 + 29 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31, + 31 + 29 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31 + 30, + 31 + 29 + 31 + 30 + 31 + 30 + 31 + 31 + 30 + 31 + 30 + 31 + } +}; + +/* Get the system time as seconds elapsed since midnight, January 1, 1970. */ +//INTN time( +// INTN *timer +// ) +time_t time (time_t *timer) +{ + EFI_STATUS Status; + EFI_TIME Time; + time_t CalTime; + UINTN Year; + + // + // Get the current time and date information + // + Status = gRT->GetTime (&Time, NULL); + if (EFI_ERROR (Status) || (Time.Year < 1970)) { + return 0; + } + + // + // Years Handling + // UTime should now be set to 00:00:00 on Jan 1 of the current year. + // + for (Year = 1970, CalTime = 0; Year != Time.Year; Year++) { + CalTime = CalTime + (time_t)(CumulativeDays[IsLeap(Year)][13] * SECSPERDAY); + } + + // + // Add in number of seconds for current Month, Day, Hour, Minute, Seconds, and TimeZone adjustment + // + CalTime = CalTime + + (time_t)((Time.TimeZone != EFI_UNSPECIFIED_TIMEZONE) ? (Time.TimeZone * 60) : 0) + + (time_t)(CumulativeDays[IsLeap(Time.Year)][Time.Month] * SECSPERDAY) + + (time_t)(((Time.Day > 0) ? Time.Day - 1 : 0) * SECSPERDAY) + + (time_t)(Time.Hour * SECSPERHOUR) + + (time_t)(Time.Minute * 60) + + (time_t)Time.Second; + + if (timer != NULL) { + *timer = CalTime; + } + + return CalTime; +} + +// +// Convert a time value from type time_t to struct tm. +// +struct tm * gmtime (const time_t *timer) +{ + struct tm *GmTime; + UINT16 DayNo; + UINT16 DayRemainder; + time_t Year; + time_t YearNo; + UINT16 TotalDays; + UINT16 MonthNo; + + if (timer == NULL) { + return NULL; + } + + GmTime = malloc (sizeof (struct tm)); + if (GmTime == NULL) { + return NULL; + } + + ZeroMem ((VOID *) GmTime, (UINTN) sizeof (struct tm)); + + DayNo = (UINT16) (*timer / SECSPERDAY); + DayRemainder = (UINT16) (*timer % SECSPERDAY); + + GmTime->tm_sec = (int) (DayRemainder % SECSPERMIN); + GmTime->tm_min = (int) ((DayRemainder % SECSPERHOUR) / SECSPERMIN); + GmTime->tm_hour = (int) (DayRemainder / SECSPERHOUR); + GmTime->tm_wday = (int) ((DayNo + 4) % 7); + + for (Year = 1970, YearNo = 0; DayNo > 0; Year++) { + TotalDays = (UINT16) (IsLeap (Year) ? 366 : 365); + if (DayNo >= TotalDays) { + DayNo = (UINT16) (DayNo - TotalDays); + YearNo++; + } else { + break; + } + } + + GmTime->tm_year = (int) (YearNo + (1970 - 1900)); + GmTime->tm_yday = (int) DayNo; + + for (MonthNo = 12; MonthNo > 1; MonthNo--) { + if (DayNo >= CumulativeDays[IsLeap(Year)][MonthNo]) { + DayNo = (UINT16) (DayNo - (UINT16) (CumulativeDays[IsLeap(Year)][MonthNo])); + break; + } + } + + GmTime->tm_mon = (int) MonthNo - 1; + GmTime->tm_mday = (int) DayNo + 1; + + GmTime->tm_isdst = 0; + GmTime->tm_gmtoff = 0; + GmTime->tm_zone = NULL; + + return GmTime; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c new file mode 100644 index 00000000..dee33e83 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c @@ -0,0 +1,93 @@ +/** @file + C Run-Time Libraries (CRT) Wrapper Implementation for OpenSSL-based + Cryptographic Library. + +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +/* Convert character to lowercase */ +int tolower (int c) +{ + if (('A' <= (c)) && ((c) <= 'Z')) { + return (c - ('A' - 'a')); + } + return (c); +} + +/* Compare first n bytes of string s1 with string s2, ignoring case */ +int strncasecmp (const char *s1, const char *s2, size_t n) +{ + int Val; + + ASSERT(s1 != NULL); + ASSERT(s2 != NULL); + + if (n != 0) { + do { + Val = tolower(*s1) - tolower(*s2); + if (Val != 0) { + return Val; + } + ++s1; + ++s2; + if (*s1 == '\0') { + break; + } + } while (--n != 0); + } + return 0; +} + +/* Read formatted data from a string */ +int sscanf (const char *buffer, const char *format, ...) +{ + // + // Null sscanf() function implementation to satisfy the linker, since + // no direct functionality logic dependency in present UEFI cases. + // + return 0; +} + +// +// -- Dummy OpenSSL Support Routines -- +// + +int BIO_printf (void *bio, const char *format, ...) +{ + return 0; +} + +int BIO_snprintf(char *buf, size_t n, const char *format, ...) +{ + return 0; +} + +uid_t getuid (void) +{ + return 0; +} + +uid_t geteuid (void) +{ + return 0; +} + +gid_t getgid (void) +{ + return 0; +} + +gid_t getegid (void) +{ + return 0; +} + +int errno = 0; diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c new file mode 100644 index 00000000..81640af8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c @@ -0,0 +1,257 @@ +/* Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions copyright (c) 1999, 2000 + * Intel Corporation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * + * This product includes software developed by Intel Corporation and + * its contributors. + * + * 4. Neither the name of Intel Corporation or its contributors may be + * used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$Id: inet_pton.c $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * WARNING: Don't even consider trying to compile this on a system where + * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. + */ + +static int inet_pton4 (const char *src, u_char *dst); +static int inet_pton6 (const char *src, u_char *dst); + +/* int + * inet_pton(af, src, dst) + * convert from presentation format (which usually means ASCII printable) + * to network format (which is usually some kind of binary format). + * return: + * 1 if the address was valid for the specified address family + * 0 if the address wasn't valid (`dst' is untouched in this case) + * -1 if some other error occurred (`dst' is untouched in this case, too) + * author: + * Paul Vixie, 1996. + */ +int +inet_pton( + int af, + const char *src, + void *dst + ) +{ + switch (af) { + case AF_INET: + return (inet_pton4(src, dst)); + case AF_INET6: + return (inet_pton6(src, dst)); + default: + errno = EAFNOSUPPORT; + return (-1); + } + /* NOTREACHED */ +} + +/* int + * inet_pton4(src, dst) + * like inet_aton() but without all the hexadecimal and shorthand. + * return: + * 1 if `src' is a valid dotted quad, else 0. + * notice: + * does not touch `dst' unless it's returning 1. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton4( + const char *src, + u_char *dst + ) +{ + static const char digits[] = "0123456789"; + int saw_digit, octets, ch; + u_char tmp[NS_INADDRSZ], *tp; + + saw_digit = 0; + octets = 0; + *(tp = tmp) = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr(digits, ch)) != NULL) { + u_int new = *tp * 10 + (u_int)(pch - digits); + + if (new > 255) + return (0); + *tp = (u_char)new; + if (! saw_digit) { + if (++octets > 4) + return (0); + saw_digit = 1; + } + } else if (ch == '.' && saw_digit) { + if (octets == 4) + return (0); + *++tp = 0; + saw_digit = 0; + } else + return (0); + } + if (octets < 4) + return (0); + + memcpy(dst, tmp, NS_INADDRSZ); + return (1); +} + +/* int + * inet_pton6(src, dst) + * convert presentation level address to network order binary form. + * return: + * 1 if `src' is a valid [RFC1884 2.2] address, else 0. + * notice: + * (1) does not touch `dst' unless it's returning 1. + * (2) :: in a full address is silently ignored. + * credit: + * inspired by Mark Andrews. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton6( + const char *src, + u_char *dst + ) +{ + static const char xdigits_l[] = "0123456789abcdef", + xdigits_u[] = "0123456789ABCDEF"; + u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; + int ch, saw_xdigit; + u_int val; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; + colonp = NULL; + /* Leading :: requires some special handling. */ + if (*src == ':') + if (*++src != ':') + return (0); + curtok = src; + saw_xdigit = 0; + val = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { + val <<= 4; + val |= (pch - xdigits); + if (val > 0xffff) + return (0); + saw_xdigit = 1; + continue; + } + if (ch == ':') { + curtok = src; + if (!saw_xdigit) { + if (colonp) + return (0); + colonp = tp; + continue; + } + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + saw_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && + inet_pton4(curtok, tp) > 0) { + tp += NS_INADDRSZ; + saw_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } + return (0); + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + } + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ + const int n = (int)(tp - colonp); + int i; + + for (i = 1; i <= n; i++) { + endp[- i] = colonp[n - i]; + colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + return (0); + memcpy(dst, tmp, NS_IN6ADDRSZ); + return (1); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf new file mode 100644 index 00000000..b02e6fef --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf @@ -0,0 +1,92 @@ +## @file +# Cryptographic Library Instance for host based unit tests +# +# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseCryptLib + FILE_GUID = c97d34aa-caf8-42cd-8261-8705f46304b3 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib|HOST_APPLICATION + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5.c + Hash/CryptSha1.c + Hash/CryptSha256.c + Hash/CryptSha512.c + Hash/CryptSm3.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c + Cipher/CryptAes.c + Pk/CryptRsaBasic.c + Pk/CryptRsaExt.c + Pk/CryptPkcs1Oaep.c + Pk/CryptPkcs5Pbkdf2.c + Pk/CryptPkcs7Sign.c + Pk/CryptPkcs7VerifyCommon.c + Pk/CryptPkcs7VerifyBase.c + Pk/CryptPkcs7VerifyEku.c + Pk/CryptDh.c + Pk/CryptX509.c + Pk/CryptAuthenticode.c + Pk/CryptTs.c + Pem/CryptPem.c + Pk/CryptRsaPss.c + Pk/CryptRsaPssSign.c + + SysCall/UnitTestHostCrtWrapper.c + +[Sources.Ia32] + Rand/CryptRandTsc.c + +[Sources.X64] + Rand/CryptRandTsc.c + +[Sources.ARM] + Rand/CryptRand.c + +[Sources.AARCH64] + Rand/CryptRand.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + DebugLib + OpensslLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # C4018: '>': signed/unsigned mismatch + MSFT:*_*_*_CC_FLAGS = /wd4090 /wd4018 + + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + + XCODE:*_*_*_CC_FLAGS = -std=c99 diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf new file mode 100644 index 00000000..02d1b209 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf @@ -0,0 +1,61 @@ +## @file +# Cryptographic Library Null Instance. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseCryptLibNull + MODULE_UNI_FILE = BaseCryptLibNull.uni + FILE_GUID = ba4b5ba1-0ea1-415a-896c-6caaf32146f3 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptMd5Null.c + Hash/CryptSha1Null.c + Hash/CryptSha256Null.c + Hash/CryptSha512Null.c + Hash/CryptSm3Null.c + Hmac/CryptHmacSha256Null.c + Kdf/CryptHkdfNull.c + Cipher/CryptAesNull.c + Pk/CryptRsaBasicNull.c + Pk/CryptRsaExtNull.c + Pk/CryptPkcs1OaepNull.c + Pk/CryptPkcs5Pbkdf2Null.c + Pk/CryptPkcs7SignNull.c + Pk/CryptPkcs7VerifyNull.c + Pk/CryptPkcs7VerifyEkuNull.c + Pk/CryptDhNull.c + Pk/CryptX509Null.c + Pk/CryptAuthenticodeNull.c + Pk/CryptTsNull.c + Pem/CryptPemNull.c + Rand/CryptRandNull.c + Pk/CryptRsaPssNull.c + Pk/CryptRsaPssSignNull.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + DebugLib diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.uni new file mode 100644 index 00000000..c86f612d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.uni @@ -0,0 +1,18 @@ +// /** @file +// Cryptographic Library Null Instance. +// +// Caution: This module requires additional review when modified. +// This library will have external input - signature. +// This external input must be validated carefully to avoid security issues such as +// buffer overflow or integer overflow. +// +// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_MODULE_ABSTRACT #language en-US "Cryptographic Library Null Instance" + +#string STR_MODULE_DESCRIPTION #language en-US "Caution: This is a null version of your crypto library and SHOULD NOT be used on any product ever." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c new file mode 100644 index 00000000..40d94c66 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c @@ -0,0 +1,107 @@ +/** @file + AES Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +AesGetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory as AES context for subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + Return FALSE to indicate this interface is not supported. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + Return FALSE to indicate this interface is not supported. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c new file mode 100644 index 00000000..1d0d2817 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd5Null.c @@ -0,0 +1,165 @@ +/** @file + +MD5 Digest Wrapper Null Implementation. + +Copyright (c) Microsoft Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + + +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + +**/ +UINTN +EFIAPI +Md5GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Md5Init ( + OUT VOID *Md5Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + +**/ +BOOLEAN +EFIAPI +Md5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly intialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + +**/ +BOOLEAN +EFIAPI +Md5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly intialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Md5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** +Computes the MD5 message digest of a input data buffer. + +This function performs the MD5 message digest of a given data buffer, and places +the digest value into the specified memory. + +If this interface is not supported, then return FALSE. + +@param[in] Data Pointer to the buffer containing the data to be hashed. +@param[in] DataSize Size of Data buffer in bytes. +@param[out] HashValue Pointer to a buffer that receives the MD5 digest +value (16 bytes). + +@retval TRUE MD5 digest computation succeeded. +@retval FALSE MD5 digest computation failed. +@retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5HashAll( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue +) +{ + ASSERT(FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha1Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha1Null.c new file mode 100644 index 00000000..d258ee4d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha1Null.c @@ -0,0 +1,167 @@ +/** @file + SHA-1 Digest Wrapper Null Implementation. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + +**/ +UINTN +EFIAPI +Sha1GetContextSize ( + VOID + ) +{ + // + // Retrieves SHA Context Size + // + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha1Init ( + OUT VOID *Sha1Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + ASSERT (FALSE); + + return FALSE; +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha256Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha256Null.c new file mode 100644 index 00000000..3b443128 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha256Null.c @@ -0,0 +1,162 @@ +/** @file + SHA-256 Digest Wrapper Null Implementation. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +Sha256GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha256Init ( + OUT VOID *Sha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha512Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha512Null.c new file mode 100644 index 00000000..321cbf1b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSha512Null.c @@ -0,0 +1,275 @@ +/** @file + SHA-384 and SHA-512 Digest Wrapper Implementations which does not provide real capabilities. + +Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha384GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Init ( + OUT VOID *Sha384Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-384 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-384 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-384 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-384 message digest of a input data buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + Return zero to indicate this interface is not supported. + + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha512GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + Return FALSE to indicate this interface is not supported. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Init ( + OUT VOID *Sha512Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-512 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-512 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-512 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-512 message digest of a input data buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSm3Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSm3Null.c new file mode 100644 index 00000000..55fd9c5a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptSm3Null.c @@ -0,0 +1,164 @@ +/** @file + SM3 Digest Wrapper Null Implementation. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +Sm3GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sm3Init ( + OUT VOID *Sm3Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha256Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha256Null.c new file mode 100644 index 00000000..aef2f8c2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha256Null.c @@ -0,0 +1,139 @@ +/** @file + HMAC-SHA256 Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2016 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + Return NULL to indicate this interface is not supported. + + @return NULL This interface is not supported.. + +**/ +VOID * +EFIAPI +HmacSha256New ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified HMAC_CTX context. + + This function will do nothing. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +HmacSha256Free ( + IN VOID *HmacSha256Ctx + ) +{ + ASSERT (FALSE); + return; +} + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + Return FALSE to indicate this interface is not supported. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing HMAC-SHA256 context. + + Return FALSE to indicate this interface is not supported. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates HMAC-SHA256 context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the HMAC-SHA256 digest value. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/InternalCryptLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/InternalCryptLib.h new file mode 100644 index 00000000..f501a938 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/InternalCryptLib.h @@ -0,0 +1,16 @@ +/** @file + Internal include file for BaseCryptLibNull. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTERNAL_CRYPT_LIB_H__ +#define __INTERNAL_CRYPT_LIB_H__ + +#include +#include +#include + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Kdf/CryptHkdfNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Kdf/CryptHkdfNull.c new file mode 100644 index 00000000..64792476 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Kdf/CryptHkdfNull.c @@ -0,0 +1,43 @@ +/** @file + HMAC-SHA256 KDF Wrapper Implementation which does not provide real capabilities. + +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +HkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c new file mode 100644 index 00000000..7a9f6d61 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c @@ -0,0 +1,38 @@ +/** @file + PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does + not provide real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + Return FALSE to indicate this interface is not supported. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptAuthenticodeNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptAuthenticodeNull.c new file mode 100644 index 00000000..60b750d9 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptAuthenticodeNull.c @@ -0,0 +1,45 @@ +/** @file + Authenticode Portable Executable Signature Verification which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + Return FALSE to indicate this interface is not supported. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptDhNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptDhNull.c new file mode 100644 index 00000000..b7ab9c08 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptDhNull.c @@ -0,0 +1,150 @@ +/** @file + Diffie-Hellman Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + ASSERT (FALSE); +} + +/** + Generates DH parameter. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Sets generator and prime parameters for DH. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates DH public key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes exchanged common key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c new file mode 100644 index 00000000..eca1d88f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c @@ -0,0 +1,51 @@ +/** @file + This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + Copyright (C) 2016 Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ +**/ + +#include "InternalCryptLib.h" + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Return FALSE to indicate this interface is not supported. + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs5Pbkdf2Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs5Pbkdf2Null.c new file mode 100644 index 00000000..71d3e510 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs5Pbkdf2Null.c @@ -0,0 +1,48 @@ +/** @file + PBKDF2 Key Derivation Function Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + Return FALSE to indicate this interface is not supported. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7SignNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7SignNull.c new file mode 100644 index 00000000..f016d04a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7SignNull.c @@ -0,0 +1,54 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + Return FALSE to indicate this interface is not supported. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c new file mode 100644 index 00000000..db1692e6 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c @@ -0,0 +1,156 @@ +/** @file + PKCS7 Verify Null implementation. + + Copyright (C) Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + This function will return the leaf signer certificate in a chain. This is + required because certificate chains are not guaranteed to have the + certificates in the order that they were issued. + + A typical certificate chain looks like this: + + + ---------------------------- + | Root | + ---------------------------- + ^ + | + ---------------------------- + | Policy CA | <-- Typical Trust Anchor. + ---------------------------- + ^ + | + ---------------------------- + | Issuing CA | + ---------------------------- + ^ + | + ----------------------------- + / End-Entity (leaf) signer / <-- Bottom certificate. + ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" + (Firmware Signing) + + + @param[in] CertChain Certificate chain. + + @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures, + this will be the end-entity (leaf) signer cert. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND The number of signers found was not 1. + +**/ +EFI_STATUS +GetSignerCertificate ( + IN CONST VOID *CertChain, + OUT VOID **SignerCert + ) +{ + ASSERT(FALSE); + return EFI_NOT_READY; + +} + + +/** + Determines if the specified EKU represented in ASN1 form is present + in a given certificate. + + @param[in] Cert The certificate to check. + + @param[in] Asn1ToFind The EKU to look for. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +IsEkuInCertificate ( + IN CONST VOID *Cert, + IN VOID *Asn1ToFind + ) +{ + ASSERT(FALSE); + return EFI_NOT_READY; +} + + +/** + Determines if the specified EKUs are present in a signing certificate. + + @param[in] SignerCert The certificate to check. + @param[in] RequiredEKUs The EKUs to look for. + @param[in] RequiredEKUsSize The number of EKUs + @param[in] RequireAllPresent If TRUE, then all the specified EKUs + must be present in the certificate. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. +**/ +EFI_STATUS +CheckEKUs( + IN CONST VOID *SignerCert, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + ASSERT(FALSE); + return EFI_NOT_READY; +} + +/** + This function receives a PKCS#7 formatted signature blob, + looks for the EKU SEQUENCE blob, and if found then looks + for all the required EKUs. This function was created so that + the Surface team can cut down on the number of Certificate + Authorities (CA's) by checking EKU's on leaf signers for + a specific product. This prevents one product's certificate + from signing another product's firmware or unlock blobs. + + Note that this function does not validate the certificate chain. + That needs to be done before using this function. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + ASSERT(FALSE); + return EFI_NOT_READY; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyNull.c new file mode 100644 index 00000000..2665fc18 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyNull.c @@ -0,0 +1,163 @@ +/** @file + PKCS#7 SignedData Verification Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + If the interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + ASSERT (FALSE); +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaBasicNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaBasicNull.c new file mode 100644 index 00000000..5b4b54de --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaBasicNull.c @@ -0,0 +1,121 @@ +/** @file + RSA Asymmetric Cipher Wrapper Null Implementation. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaNew + 2) RsaFree + 3) RsaSetKey + 4) RsaPkcs1Verify + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ) +{ + // + // Allocates & Initializes RSA Context + // + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified RSA context. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ) +{ + // + // Free RSA Context + // + ASSERT (FALSE); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaExtNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaExtNull.c new file mode 100644 index 00000000..8f5f35fc --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaExtNull.c @@ -0,0 +1,119 @@ +/** @file + RSA Asymmetric Cipher Wrapper Null Implementation. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Gets the tag-designated RSA key component from the established RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates RSA key components. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Validates key components of RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c new file mode 100644 index 00000000..ff6d11c8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c @@ -0,0 +1,46 @@ +/** @file + RSA-PSS Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaPssVerify + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPssVerify ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c new file mode 100644 index 00000000..52cef5eb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c @@ -0,0 +1,60 @@ +/** @file + RSA-PSS Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaPssSign + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If Message is NULL, then return FALSE. + If MsgSize is zero or > INT_MAX, then return FALSE. + If DigestLen is NOT 32, 48 or 64, return FALSE. + If SaltLen is < DigestLen, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPssSign ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptTsNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptTsNull.c new file mode 100644 index 00000000..3535774b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptTsNull.c @@ -0,0 +1,42 @@ +/** @file + RFC3161 Timestamp Countersignature Verification Wrapper Implementation which does + not provide real capabilities. + +Copyright (c) 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + Return FALSE to indicate this interface is not supported. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +ImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c new file mode 100644 index 00000000..fb4c7a36 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c @@ -0,0 +1,294 @@ +/** @file + X.509 Certificate Handler Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Construct a X509 object from DER-encoded certificate data. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +X509Free ( + IN VOID *X509Cert + ) +{ + ASSERT (FALSE); +} + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +X509StackFree ( + IN VOID *X509Stack + ) +{ + ASSERT (FALSE); +} + +/** + Retrieve the subject bytes from one X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + +/** + Retrieve the organization name (ON) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Rand/CryptRandNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Rand/CryptRandNull.c new file mode 100644 index 00000000..7eb080bb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibNull/Rand/CryptRandNull.c @@ -0,0 +1,57 @@ +/** @file + Pseudorandom Number Generator Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + + +/** + Sets up the seed value for the pseudorandom number generator. + + Return FALSE to indicate this interface is not supported. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates a pseudorandom byte stream of the specified size. + + Return FALSE to indicate this interface is not supported. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c new file mode 100644 index 00000000..7524006c --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -0,0 +1,3571 @@ +/** @file + Implements the BaseCryptLib and TlsLib using the services of the EDK II Crypto + Protocol/PPI. + + Copyright (C) Microsoft Corporation. All rights reserved. + Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +/** + A macro used to call a non-void service in an EDK II Crypto Protocol. + If the protocol is NULL or the service in the protocol is NULL, then a debug + message and assert is generated and an appropriate return value is returned. + + @param Function Name of the EDK II Crypto Protocol service to call. + @param Args The argument list to pass to Function. + @param ErrorReturnValue The value to return if the protocol is NULL or the + service in the protocol is NULL. + +**/ +#define CALL_CRYPTO_SERVICE(Function, Args, ErrorReturnValue) \ + do { \ + EDKII_CRYPTO_PROTOCOL *CryptoServices; \ + \ + CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices (); \ + if (CryptoServices != NULL && CryptoServices->Function != NULL) { \ + return (CryptoServices->Function) Args; \ + } \ + CryptoServiceNotAvailable (#Function); \ + return ErrorReturnValue; \ + } while (FALSE); + +/** + A macro used to call a void service in an EDK II Crypto Protocol. + If the protocol is NULL or the service in the protocol is NULL, then a debug + message and assert is generated. + + @param Function Name of the EDK II Crypto Protocol service to call. + @param Args The argument list to pass to Function. + +**/ +#define CALL_VOID_CRYPTO_SERVICE(Function, Args) \ + do { \ + EDKII_CRYPTO_PROTOCOL *CryptoServices; \ + \ + CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices (); \ + if (CryptoServices != NULL && CryptoServices->Function != NULL) { \ + (CryptoServices->Function) Args; \ + return; \ + } \ + CryptoServiceNotAvailable (#Function); \ + return; \ + } while (FALSE); + +/** + Internal worker function that returns the pointer to an EDK II Crypto + Protocol/PPI. The layout of the PPI, DXE Protocol, and SMM Protocol are + identical which allows the implementation of the BaseCryptLib functions that + call through a Protocol/PPI to be shared for the PEI, DXE, and SMM + implementations. +**/ +VOID * +GetCryptoServices ( + VOID + ); + +/** + Internal worker function that prints a debug message and asserts if a crypto + service is not available. This should never occur because library instances + have a dependency expression for the for the EDK II Crypto Protocol/PPI so + a module that uses these library instances are not dispatched until the EDK II + Crypto Protocol/PPI is available. The only case that this function handles is + if the EDK II Crypto Protocol/PPI installed is NULL or a function pointer in + the EDK II Protocol/PPI is NULL. + + @param[in] FunctionName Null-terminated ASCII string that is the name of an + EDK II Crypto service. + +**/ +static +VOID +CryptoServiceNotAvailable ( + IN CONST CHAR8 *FunctionName + ) +{ + DEBUG ((DEBUG_ERROR, "[%a] Function %a is not available\n", gEfiCallerBaseName, FunctionName)); + ASSERT_EFI_ERROR (EFI_UNSUPPORTED); +} + +//===================================================================================== +// One-Way Cryptographic Hash Primitives +//===================================================================================== + +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Md5GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Md5GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Init ( + OUT VOID *Md5Context + ) +{ + CALL_CRYPTO_SERVICE (Md5Init, (Md5Context), FALSE); +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + CALL_CRYPTO_SERVICE (Md5Duplicate, (Md5Context, NewMd5Context), FALSE); +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Md5Update, (Md5Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Md5Final, (Md5Context, HashValue), FALSE); +} + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Md5HashAll, (Data, DataSize, HashValue), FALSE); +} +#endif + +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +Sha1GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Sha1GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Init ( + OUT VOID *Sha1Context + ) +{ + CALL_CRYPTO_SERVICE (Sha1Init, (Sha1Context), FALSE); +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + CALL_CRYPTO_SERVICE (Sha1Duplicate, (Sha1Context, NewSha1Context), FALSE); +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Sha1Update, (Sha1Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha1Final, (Sha1Context, HashValue), FALSE); +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha1HashAll, (Data, DataSize, HashValue), FALSE); +} +#endif + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +Sha256GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Sha256GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha256Init ( + OUT VOID *Sha256Context + ) +{ + CALL_CRYPTO_SERVICE (Sha256Init, (Sha256Context), FALSE); +} + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ) +{ + CALL_CRYPTO_SERVICE (Sha256Duplicate, (Sha256Context, NewSha256Context), FALSE); +} + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Sha256Update, (Sha256Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha256Final, (Sha256Context, HashValue), FALSE); +} + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha256HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-384 hash operations. + +**/ +UINTN +EFIAPI +Sha384GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Sha384GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + If Sha384Context is NULL, then return FALSE. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval TRUE SHA-384 context initialization succeeded. + @retval FALSE SHA-384 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha384Init ( + OUT VOID *Sha384Context + ) +{ + CALL_CRYPTO_SERVICE (Sha384Init, (Sha384Context), FALSE); +} + +/** + Makes a copy of an existing SHA-384 context. + + If Sha384Context is NULL, then return FALSE. + If NewSha384Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval TRUE SHA-384 context copy succeeded. + @retval FALSE SHA-384 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384Duplicate ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ) +{ + CALL_CRYPTO_SERVICE (Sha384Duplicate, (Sha384Context, NewSha384Context), FALSE); +} + +/** + Digests the input data and updates SHA-384 context. + + This function performs SHA-384 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be finalized + by Sha384Final(). Behavior with invalid context is undefined. + + If Sha384Context is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-384 data digest succeeded. + @retval FALSE SHA-384 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha384Update ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Sha384Update, (Sha384Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-384 digest value. + + This function completes SHA-384 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-384 context cannot + be used again. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be + finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined. + + If Sha384Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha384Final ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha384Final, (Sha384Context, HashValue), FALSE); +} + +/** + Computes the SHA-384 message digest of a input data buffer. + + This function performs the SHA-384 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha384HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha384HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-512 hash operations. + +**/ +UINTN +EFIAPI +Sha512GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Sha512GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + If Sha512Context is NULL, then return FALSE. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval TRUE SHA-512 context initialization succeeded. + @retval FALSE SHA-512 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha512Init ( + OUT VOID *Sha512Context + ) +{ + CALL_CRYPTO_SERVICE (Sha512Init, (Sha512Context), FALSE); +} + +/** + Makes a copy of an existing SHA-512 context. + + If Sha512Context is NULL, then return FALSE. + If NewSha512Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval TRUE SHA-512 context copy succeeded. + @retval FALSE SHA-512 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512Duplicate ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ) +{ + CALL_CRYPTO_SERVICE (Sha512Duplicate, (Sha512Context, NewSha512Context), FALSE); +} + +/** + Digests the input data and updates SHA-512 context. + + This function performs SHA-512 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be finalized + by Sha512Final(). Behavior with invalid context is undefined. + + If Sha512Context is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-512 data digest succeeded. + @retval FALSE SHA-512 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha512Update ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Sha512Update, (Sha512Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SHA-512 digest value. + + This function completes SHA-512 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-512 context cannot + be used again. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be + finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined. + + If Sha512Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha512Final ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha512Final, (Sha512Context, HashValue), FALSE); +} + +/** + Computes the SHA-512 message digest of a input data buffer. + + This function performs the SHA-512 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha512HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sha512HashAll, (Data, DataSize, HashValue), FALSE); +} + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +Sm3GetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (Sm3GetContextSize, (), 0); +} + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sm3Init ( + OUT VOID *Sm3Context + ) +{ + CALL_CRYPTO_SERVICE (Sm3Init, (Sm3Context), FALSE); +} + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ) +{ + CALL_CRYPTO_SERVICE (Sm3Duplicate, (Sm3Context, NewSm3Context), FALSE); +} + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (Sm3Update, (Sm3Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sm3Final, (Sm3Context, HashValue), FALSE); +} + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + CALL_CRYPTO_SERVICE (Sm3HashAll, (Data, DataSize, HashValue), FALSE); +} + +//===================================================================================== +// MAC (Message Authentication Code) Primitive +//===================================================================================== + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + @return Pointer to the HMAC_CTX context that has been initialized. + If the allocations fails, HmacSha256New() returns NULL. + +**/ +VOID * +EFIAPI +HmacSha256New ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (HmacSha256New, (), NULL); +} + +/** + Release the specified HMAC_CTX context. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +VOID +EFIAPI +HmacSha256Free ( + IN VOID *HmacSha256Ctx + ) +{ + CALL_VOID_CRYPTO_SERVICE (HmacSha256Free, (HmacSha256Ctx)); +} + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval TRUE The Key is set successfully. + @retval FALSE The Key is set unsuccessfully. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256SetKey ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ) +{ + CALL_CRYPTO_SERVICE (HmacSha256SetKey, (HmacSha256Context, Key, KeySize), FALSE); +} + +/** + Makes a copy of an existing HMAC-SHA256 context. + + If HmacSha256Context is NULL, then return FALSE. + If NewHmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval TRUE HMAC-SHA256 context copy succeeded. + @retval FALSE HMAC-SHA256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Duplicate ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ) +{ + CALL_CRYPTO_SERVICE (HmacSha256Duplicate, (HmacSha256Context, NewHmacSha256Context), FALSE); +} + +/** + Digests the input data and updates HMAC-SHA256 context. + + This function performs HMAC-SHA256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE HMAC-SHA256 data digest succeeded. + @retval FALSE HMAC-SHA256 data digest failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Update ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (HmacSha256Update, (HmacSha256Context, Data, DataSize), FALSE); +} + +/** + Completes computation of the HMAC-SHA256 digest value. + + This function completes HMAC-SHA256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the HMAC-SHA256 context cannot + be used again. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If HmacValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval TRUE HMAC-SHA256 digest computation succeeded. + @retval FALSE HMAC-SHA256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +HmacSha256Final ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ) +{ + CALL_CRYPTO_SERVICE (HmacSha256Final, (HmacSha256Context, HmacValue), FALSE); +} + +//===================================================================================== +// Symmetric Cryptography Primitive +//===================================================================================== + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for AES operations. + @retval 0 This interface is not supported. + +**/ +UINTN +EFIAPI +AesGetContextSize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (AesGetContextSize, (), 0); +} + +/** + Initializes user-supplied memory as AES context for subsequent use. + + This function initializes user-supplied memory pointed by AesContext as AES context. + In addition, it sets up all AES key materials for subsequent encryption and decryption + operations. + There are 3 options for key length, 128 bits, 192 bits, and 256 bits. + + If AesContext is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeyLength is not valid, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval TRUE AES context initialization succeeded. + @retval FALSE AES context initialization failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesInit ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ) +{ + CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE); +} + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + This function performs AES encryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES encryption succeeded. + @retval FALSE AES encryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcEncrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + CALL_CRYPTO_SERVICE (AesCbcEncrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE); +} + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + This function performs AES decryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES decryption succeeded. + @retval FALSE AES decryption failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AesCbcDecrypt ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ) +{ + CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE); +} + +//===================================================================================== +// Asymmetric Cryptography Primitive +//===================================================================================== + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (RsaNew, (), NULL); +} + +/** + Release the specified RSA context. + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ) +{ + CALL_VOID_CRYPTO_SERVICE (RsaFree, (RsaContext)); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + CALL_CRYPTO_SERVICE (RsaSetKey, (RsaContext, KeyTag, BigNumber, BnSize), FALSE); +} + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + CALL_CRYPTO_SERVICE (RsaGetKey, (RsaContext, KeyTag, BigNumber, BnSize), FALSE); +} + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + CALL_CRYPTO_SERVICE (RsaGenerateKey, (RsaContext, ModulusLength, PublicExponent, PublicExponentSize), FALSE); +} + +/** + Validates key components of RSA context. + NOTE: This function performs integrity checks on all the RSA key material, so + the RSA key structure must contain all the private key data. + + This function validates key components of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + CALL_CRYPTO_SERVICE (RsaCheckKey, (RsaContext), FALSE); +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + CALL_CRYPTO_SERVICE (RsaPkcs1Sign, (RsaContext, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + CALL_CRYPTO_SERVICE (RsaPkcs1Verify, (RsaContext, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPssVerify ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ) +{ + CALL_CRYPTO_SERVICE (RsaPssVerify, (RsaContext, Message, MsgSize, Signature, SigSize, DigestLen, SaltLen), FALSE); +} + +/** + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPssSign ( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + CALL_CRYPTO_SERVICE (RsaPssSign, (RsaContext, Message, MsgSize, DigestLen, SaltLen, Signature, SigSize), FALSE); +} + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + If PemData is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ) +{ + CALL_CRYPTO_SERVICE (RsaGetPrivateKeyFromPem, (PemData, PemSize, Password, RsaContext), FALSE); +} + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + If Cert is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Public Key was retrieved successfully. + @retval FALSE Fail to retrieve RSA public key from X509 certificate. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ) +{ + CALL_CRYPTO_SERVICE (RsaGetPublicKeyFromX509, (Cert, CertSize, RsaContext), FALSE); +} + +/** + Retrieve the subject bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If SubjectSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + @retval TRUE The certificate subject retrieved successfully. + @retval FALSE Invalid certificate, or the SubjectSize is too small for the result. + The SubjectSize will be updated with the required size. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetSubjectName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ) +{ + CALL_CRYPTO_SERVICE (X509GetSubjectName, (Cert, CertSize, CertSubject, SubjectSize), FALSE); +} + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ) +{ + CALL_CRYPTO_SERVICE (X509GetCommonName, (Cert, CertSize, CommonName, CommonNameSize), RETURN_UNSUPPORTED); +} + +/** + Retrieve the organization name (O) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSize The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate Organization Name retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If NameBufferSize is NULL. + If NameBuffer is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no Organization Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the NameBuffer is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetOrganizationName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ) +{ + CALL_CRYPTO_SERVICE (X509GetOrganizationName, (Cert, CertSize, NameBuffer, NameBufferSize), RETURN_UNSUPPORTED); +} + +/** + Verify one X509 certificate was issued by the trusted CA. + + If Cert is NULL, then return FALSE. + If CACert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval TRUE The certificate was issued by the trusted CA. + @retval FALSE Invalid certificate or the certificate was not issued by the given + trusted CA. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509VerifyCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ) +{ + CALL_CRYPTO_SERVICE (X509VerifyCert, (Cert, CertSize, CACert, CACertSize), FALSE); +} + +/** + Construct a X509 object from DER-encoded certificate data. + + If Cert is NULL, then return FALSE. + If SingleX509Cert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval TRUE The X509 object generation succeeded. + @retval FALSE The operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificate ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ) +{ + CALL_CRYPTO_SERVICE (X509ConstructCertificate, (Cert, CertSize, SingleX509Cert), FALSE); +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStack ( + IN OUT UINT8 **X509Stack, + ... + ) +{ + VA_LIST Args; + BOOLEAN Result; + + VA_START (Args, X509Stack); + Result = X509ConstructCertificateStackV (X509Stack, Args); + VA_END (Args); + return Result; +} + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509ConstructCertificateStackV ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ) +{ + CALL_CRYPTO_SERVICE (X509ConstructCertificateStackV, (X509Stack, Args), FALSE); +} + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +VOID +EFIAPI +X509Free ( + IN VOID *X509Cert + ) +{ + CALL_VOID_CRYPTO_SERVICE (X509Free, (X509Cert)); +} + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +VOID +EFIAPI +X509StackFree ( + IN VOID *X509Stack + ) +{ + CALL_VOID_CRYPTO_SERVICE (X509StackFree, (X509Stack)); +} + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + If Cert is NULL, then return FALSE. + If TBSCert is NULL, then return FALSE. + If TBSCertSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @retval TRUE The TBSCertificate was retrieved successfully. + @retval FALSE Invalid X.509 certificate. + +**/ +BOOLEAN +EFIAPI +X509GetTBSCert ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ) +{ + CALL_CRYPTO_SERVICE (X509GetTBSCert, (Cert, CertSize, TBSCert, TBSCertSize), FALSE); +} + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + If Password or Salt or OutKey is NULL, then return FALSE. + If the hash algorithm could not be determined, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval TRUE A key was derived successfully. + @retval FALSE One of the pointers was NULL or one of the sizes was too large. + @retval FALSE The hash algorithm could not be determined from the digest size. + @retval FALSE The key derivation operation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs5HashPassword ( + IN UINTN PasswordLength, + IN CONST CHAR8 *Password, + IN UINTN SaltLength, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN KeyLength, + OUT UINT8 *OutKey + ) +{ + CALL_CRYPTO_SERVICE (Pkcs5HashPassword, (PasswordLength, Password, SaltLength, Salt, IterationCount, DigestSize, KeyLength, OutKey), FALSE); +} + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the + encrypted message in a newly allocated buffer. + + Things that can cause a failure include: + - X509 key size does not match any known key size. + - Fail to parse X509 certificate. + - Fail to allocate an intermediate buffer. + - Null pointer provided for a non-optional parameter. + - Data size is too large for the provided key size (max size is a function of key size + and hash digest size). + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that + will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer + to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. + 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted + message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval TRUE Encryption was successful. + @retval FALSE Encryption failed. + +**/ +BOOLEAN +EFIAPI +Pkcs1v2Encrypt ( + IN CONST UINT8 *PublicKey, + IN UINTN PublicKeySize, + IN UINT8 *InData, + IN UINTN InDataSize, + IN CONST UINT8 *PrngSeed, OPTIONAL + IN UINTN PrngSeedSize, OPTIONAL + OUT UINT8 **EncryptedData, + OUT UINTN *EncryptedDataSize + ) +{ + CALL_CRYPTO_SERVICE (Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE); +} + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7GetSigners, (P7Data, P7Length, CertStack, StackLength, TrustedCert, CertLength), FALSE); +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + If this interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + CALL_VOID_CRYPTO_SERVICE (Pkcs7FreeSigners, (Certs)); +} + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7GetCertificatesList, (P7Data, P7Length, SignerChainCerts, ChainLength, UnchainCerts, UnchainLength), FALSE); +} + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + If this interface is not supported, then return FALSE. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7Sign, (PrivateKey, PrivateKeySize, KeyPassword, InData, InDataSize, SignCert, OtherCerts, SignedData, SignedDataSize), FALSE); +} + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7Verify, (P7Data, P7Length, TrustedCert, CertLength, InData, DataLength), FALSE); +} + +/** + This function receives a PKCS7 formatted signature, and then verifies that + the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity + leaf signing certificate. + Note that this function does not validate the certificate chain. + + Applications for custom EKU's are quite flexible. For example, a policy EKU + may be present in an Issuing Certificate Authority (CA), and any sub-ordinate + certificate issued might also contain this EKU, thus constraining the + sub-ordinate certificate. Other applications might allow a certificate + embedded in a device to specify that other Object Identifiers (OIDs) are + present which contains binary data specifying custom capabilities that + the device is able to do. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +RETURN_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + CALL_CRYPTO_SERVICE (VerifyEKUsInPkcs7Signature, (Pkcs7Signature, SignatureSize, RequiredEKUs, RequiredEKUsSize, RequireAllPresent), FALSE); +} + + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow, + then return FALSE. If the P7Data is not correctly formatted, then return FALSE. + + Caution: This function may receive untrusted input. So this function will do + basic check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetAttachedContent ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7GetAttachedContent, (P7Data, P7Length, Content, ContentSize), FALSE); +} + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + If AuthData is NULL, then return FALSE. + If ImageHash is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval TRUE The specified Authenticode Signature is valid. + @retval FALSE Invalid Authenticode Signature. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +AuthenticodeVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ) +{ + CALL_CRYPTO_SERVICE (AuthenticodeVerify, (AuthData, DataSize, TrustedCert, CertSize, ImageHash, HashSize), FALSE); +} + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + If AuthData is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature. + @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data. + +**/ +BOOLEAN +EFIAPI +ImageTimestampVerify ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ) +{ + CALL_CRYPTO_SERVICE (ImageTimestampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE); +} + +//===================================================================================== +// DH Key Exchange Primitive +//===================================================================================== + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the allocations fails, DhNew() returns NULL. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (DhNew, (), NULL); +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + CALL_VOID_CRYPTO_SERVICE (DhFree, (DhContext)); +} + +/** + Generates DH parameter. + + Given generator g, and length of prime number p in bits, this function generates p, + and sets DH context according to value of g and p. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval TRUE DH parameter generation succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE PRNG fails to generate random prime number with PrimeLength. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + CALL_CRYPTO_SERVICE (DhGenerateParameter, (DhContext, Generator, PrimeLength, Prime), FALSE); +} + +/** + Sets generator and prime parameters for DH. + + Given generator g, and prime number p, this function and sets DH + context accordingly. + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval TRUE DH parameter setting succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE Value of Generator is not suitable for the Prime. + @retval FALSE Value of Prime is not a prime number. + @retval FALSE Value of Prime is not a safe prime number. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + CALL_CRYPTO_SERVICE (DhSetParameter, (DhContext, Generator, PrimeLength, Prime), FALSE); +} + +/** + Generates DH public key. + + This function generates random secret exponent, and computes the public key, which is + returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. + If the PublicKey buffer is too small to hold the public key, FALSE is returned and + PublicKeySize is set to the required buffer size to obtain the public key. + + If DhContext is NULL, then return FALSE. + If PublicKeySize is NULL, then return FALSE. + If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval TRUE DH public key generation succeeded. + @retval FALSE DH public key generation failed. + @retval FALSE PublicKeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + CALL_CRYPTO_SERVICE (DhGenerateKey, (DhContext, PublicKey, PublicKeySize), FALSE); +} + +/** + Computes exchanged common key. + + Given peer's public key, this function computes the exchanged common key, based on its own + context including value of prime modulus and random secret exponent. + + If DhContext is NULL, then return FALSE. + If PeerPublicKey is NULL, then return FALSE. + If KeySize is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval TRUE DH exchanged key generation succeeded. + @retval FALSE DH exchanged key generation failed. + @retval FALSE KeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + CALL_CRYPTO_SERVICE (DhComputeKey, (DhContext, PeerPublicKey, PeerPublicKeySize, Key, KeySize), FALSE); +} + +//===================================================================================== +// Pseudo-Random Generation Primitive +//===================================================================================== + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + If this interface is not supported, then return FALSE. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomSeed ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ) +{ + CALL_CRYPTO_SERVICE (RandomSeed, (Seed, SeedSize), FALSE); +} + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RandomBytes ( + OUT UINT8 *Output, + IN UINTN Size + ) +{ + CALL_CRYPTO_SERVICE (RandomBytes, (Output, Size), FALSE); +} + +//===================================================================================== +// Key Derivation Function Primitive +//===================================================================================== + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +BOOLEAN +EFIAPI +HkdfSha256ExtractAndExpand ( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ) +{ + CALL_CRYPTO_SERVICE (HkdfSha256ExtractAndExpand, (Key, KeySize, Salt, SaltSize, Info, InfoSize, Out, OutSize), FALSE); +} + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The OpenSSL library has been initialized. + @retval FALSE Failed to initialize the OpenSSL library. + +**/ +BOOLEAN +EFIAPI +TlsInitialize ( + VOID + ) +{ + CALL_CRYPTO_SERVICE (TlsInitialize, (), FALSE); +} + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ) +{ + CALL_VOID_CRYPTO_SERVICE (TlsCtxFree, (TlsCtx)); +} + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + CALL_CRYPTO_SERVICE (TlsCtxNew, (MajorVer, MinorVer), NULL); +} + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ) +{ + CALL_VOID_CRYPTO_SERVICE (TlsFree, (Tls)); +} + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ) +{ + CALL_CRYPTO_SERVICE (TlsNew, (TlsCtx), NULL); +} + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsInHandshake, (Tls), FALSE); +} + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + CALL_CRYPTO_SERVICE (TlsDoHandshake, (Tls, BufferIn, BufferInSize, BufferOut, BufferOutSize), EFI_UNSUPPORTED); +} + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandleAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + CALL_CRYPTO_SERVICE (TlsHandleAlert, (Tls, BufferIn, BufferInSize, BufferOut, BufferOutSize), EFI_UNSUPPORTED); +} + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ) +{ + CALL_CRYPTO_SERVICE (TlsCloseNotify, (Tls, Buffer, BufferSize), EFI_UNSUPPORTED); +} + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + CALL_CRYPTO_SERVICE (TlsCtrlTrafficOut, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + CALL_CRYPTO_SERVICE (TlsCtrlTrafficIn, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + CALL_CRYPTO_SERVICE (TlsRead, (Tls, Buffer, BufferSize), 0); +} + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + CALL_CRYPTO_SERVICE (TlsWrite, (Tls, Buffer, BufferSize), 0); +} + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + CALL_CRYPTO_SERVICE (TlsSetVersion, (Tls, MajorVer, MinorVer), EFI_UNSUPPORTED); +} + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ) +{ + CALL_CRYPTO_SERVICE (TlsSetConnectionEnd, (Tls, IsServer), EFI_UNSUPPORTED); +} + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ) +{ + CALL_CRYPTO_SERVICE (TlsSetCipherList, (Tls, CipherId, CipherNum), EFI_UNSUPPORTED); +} + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ) +{ + CALL_CRYPTO_SERVICE (TlsSetCompressionMethod, (CompMethod), EFI_UNSUPPORTED); +} + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ) +{ + CALL_VOID_CRYPTO_SERVICE (TlsSetVerify, (Tls, VerifyMode)); +} + +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetVerifyHost ( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ) +{ + CALL_CRYPTO_SERVICE (TlsSetVerifyHost, (Tls, Flags, HostName), EFI_UNSUPPORTED); +} + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ) +{ + CALL_CRYPTO_SERVICE (TlsSetSessionId, (Tls, SessionId, SessionIdLen), EFI_UNSUPPORTED); +} + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetCaCertificate, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetHostPublicCert, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsGetVersion, (Tls), 0); +} + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsGetConnectionEnd, (Tls), 0); +} + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ) +{ + CALL_CRYPTO_SERVICE (TlsGetCurrentCipher, (Tls, CipherId), EFI_UNSUPPORTED); +} + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ) +{ + CALL_CRYPTO_SERVICE (TlsGetCurrentCompressionId, (Tls, CompressionId), EFI_UNSUPPORTED); +} + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ) +{ + CALL_CRYPTO_SERVICE (TlsGetVerify, (Tls), 0); +} + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ) +{ + CALL_CRYPTO_SERVICE (TlsGetSessionId, (Tls, SessionId, SessionIdLen), EFI_UNSUPPORTED); +} + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ) +{ + CALL_VOID_CRYPTO_SERVICE (TlsGetClientRandom, (Tls, ClientRandom)); +} + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ) +{ + CALL_VOID_CRYPTO_SERVICE (TlsGetServerRandom, (Tls, ServerRandom)); +} + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ) +{ + CALL_CRYPTO_SERVICE (TlsGetKeyMaterial, (Tls, KeyMaterial), EFI_UNSUPPORTED); +} + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsGetCaCertificate, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsGetHostPublicCert, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsGetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); +} + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + CALL_CRYPTO_SERVICE (TlsGetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.uni new file mode 100644 index 00000000..fb9f3ca8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.uni @@ -0,0 +1,12 @@ +// /** @file +// BaseCryptLib and TlsLib using the services of the EDK II Crypto Protocol/PPI. +// +// Copyright (c) 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_MODULE_ABSTRACT #language en-US "BaseCryptLib and TlsLib using the services of the EDK II Crypto Protocol/PPI" + +#string STR_MODULE_DESCRIPTION #language en-US "BaseCryptLib and TlsLib using the services of the EDK II Crypto Protocol/PPI." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.c new file mode 100644 index 00000000..400d8925 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.c @@ -0,0 +1,77 @@ +/** @file + Implements the GetCryptoServices() API that retuns a pointer to the EDK II + Crypto Protocol. + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include + +EDKII_CRYPTO_PROTOCOL *mCryptoProtocol = NULL; + +/** + Internal worker function that returns the pointer to an EDK II Crypto + Protocol/PPI. The layout of the PPI, DXE Protocol, and SMM Protocol are + identical which allows the implementation of the BaseCryptLib functions that + call through a Protocol/PPI to be shared for the PEI, DXE, and SMM + implementations. + + This DXE implementation returns the pointer to the EDK II Crypto Protocol + that was found in the library constructor DxeCryptLibConstructor(). +**/ +VOID * +GetCryptoServices ( + VOID + ) +{ + return (VOID *)mCryptoProtocol; +} + +/** + Locate the valid Crypto Protocol. + + @param ImageHandle The firmware allocated handle for the EFI image. + @param SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The constructor executed correctly. + @retval EFI_NOT_FOUND Found no valid Crypto Protocol. +**/ +EFI_STATUS +EFIAPI +DxeCryptLibConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + UINTN Version; + + Status = gBS->LocateProtocol ( + &gEdkiiCryptoProtocolGuid, + NULL, + (VOID **)&mCryptoProtocol + ); + + if (EFI_ERROR (Status) || mCryptoProtocol == NULL) { + DEBUG((DEBUG_ERROR, "[DxeCryptLib] Failed to locate Crypto Protocol. Status = %r\n", Status)); + ASSERT_EFI_ERROR (Status); + ASSERT (mCryptoProtocol != NULL); + mCryptoProtocol = NULL; + return EFI_NOT_FOUND; + } + + Version = mCryptoProtocol->GetVersion (); + if (Version < EDKII_CRYPTO_VERSION) { + DEBUG((DEBUG_ERROR, "[DxeCryptLib] Crypto Protocol unsupported version %d\n", Version)); + ASSERT (Version >= EDKII_CRYPTO_VERSION); + mCryptoProtocol = NULL; + return EFI_NOT_FOUND; + } + + return EFI_SUCCESS; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf new file mode 100644 index 00000000..6ce46daa --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf @@ -0,0 +1,45 @@ +## @file +# Implements the BaseCryptLib and TlsLib using the services of the EDK II Crypto +# Protocol. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + BASE_NAME = DxeCryptLib + MODULE_UNI_FILE = CryptLib.uni + FILE_GUID = B38CBDA6-8017-4111-8232-9E8328DE82F6 + VERSION_STRING = 1.0 + MODULE_TYPE = DXE_DRIVER + LIBRARY_CLASS = BaseCryptLib | DXE_DRIVER UEFI_DRIVER UEFI_APPLICATION + LIBRARY_CLASS = TlsLib | DXE_DRIVER UEFI_DRIVER UEFI_APPLICATION + CONSTRUCTOR = DxeCryptLibConstructor + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + UefiBootServicesTableLib + +[Sources] + DxeCryptLib.c + CryptLib.c + +[Protocols] + gEdkiiCryptoProtocolGuid ## CONSUMES + +[Depex] + gEdkiiCryptoProtocolGuid diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.c new file mode 100644 index 00000000..ff415f44 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.c @@ -0,0 +1,57 @@ +/** @file + Implements the GetCryptoServices() API that retuns a pointer to the EDK II + Crypto PPI. + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include + +/** + Internal worker function that returns the pointer to an EDK II Crypto + Protocol/PPI. The layout of the PPI, DXE Protocol, and SMM Protocol are + identical which allows the implementation of the BaseCryptLib functions that + call through a Protocol/PPI to be shared for the PEI, DXE, and SMM + implementations. + + This PEI implementation looks up the EDK II Crypto PPI and verifies the + version each time a crypto service is called, so it is compatible with XIP + PEIMs. +**/ +VOID * +GetCryptoServices ( + VOID + ) +{ + EFI_STATUS Status; + EDKII_CRYPTO_PPI *CryptoPpi; + UINTN Version; + + CryptoPpi = NULL; + Status = PeiServicesLocatePpi ( + &gEdkiiCryptoPpiGuid, + 0, + NULL, + (VOID **)&CryptoPpi + ); + if (EFI_ERROR (Status) || CryptoPpi == NULL) { + DEBUG((DEBUG_ERROR, "[PeiCryptLib] Failed to locate Crypto PPI. Status = %r\n", Status)); + ASSERT_EFI_ERROR (Status); + ASSERT (CryptoPpi != NULL); + return NULL; + } + + Version = CryptoPpi->GetVersion (); + if (Version < EDKII_CRYPTO_VERSION) { + DEBUG((DEBUG_ERROR, "[PeiCryptLib] Crypto PPI unsupported version %d\n", Version)); + ASSERT (Version >= EDKII_CRYPTO_VERSION); + return NULL; + } + + return (VOID *)CryptoPpi; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf new file mode 100644 index 00000000..97269b5b --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf @@ -0,0 +1,44 @@ +## @file +# Implements the BaseCryptLib and TlsLib using the services of the EDK II Crypto +# PPI. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + BASE_NAME = PeiCryptLib + MODULE_UNI_FILE = CryptLib.uni + FILE_GUID = 3E8B50C6-F68C-4212-B903-94A10FE02399 + VERSION_STRING = 1.0 + MODULE_TYPE = PEIM + LIBRARY_CLASS = BaseCryptLib | PEIM + LIBRARY_CLASS = TlsLib | PEIM + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + PeiServicesLib + +[Sources] + PeiCryptLib.c + CryptLib.c + +[Ppis] + gEdkiiCryptoPpiGuid ## CONSUMES + +[Depex] + gEdkiiCryptoPpiGuid diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.c new file mode 100644 index 00000000..20f2141e --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.c @@ -0,0 +1,79 @@ +/** @file + Implements the GetCryptoServices() API that retuns a pointer to the EDK II + SMM Crypto Protocol. + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include + +EDKII_SMM_CRYPTO_PROTOCOL *mSmmCryptoProtocol = NULL; + +/** + Internal worker function that returns the pointer to an EDK II Crypto + Protocol/PPI. The layout of the PPI, DXE Protocol, and SMM Protocol are + identical which allows the implementation of the BaseCryptLib functions that + call through a Protocol/PPI to be shared for the PEI, DXE, and SMM + implementations. + + This SMM implementation returns the pointer to the EDK II SMM Crypto Protocol + that was found in the library constructor SmmCryptLibConstructor(). +**/ +VOID * +GetCryptoServices ( + VOID + ) +{ + return (VOID *)mSmmCryptoProtocol; +} + +/** + Constructor looks up the EDK II SMM Crypto Protocol and verifies that it is + not NULL and has a high enough version value to support all the BaseCryptLib + functions. + + @param ImageHandle The firmware allocated handle for the EFI image. + @param SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The EDK II SMM Crypto Protocol was found. + @retval EFI_NOT_FOUND The EDK II SMM Crypto Protocol was not found. +**/ +EFI_STATUS +EFIAPI +SmmCryptLibConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + UINTN Version; + + Status = gSmst->SmmLocateProtocol ( + &gEdkiiSmmCryptoProtocolGuid, + NULL, + (VOID **)&mSmmCryptoProtocol + ); + if (EFI_ERROR (Status) || mSmmCryptoProtocol == NULL) { + DEBUG((DEBUG_ERROR, "[SmmCryptLib] Failed to locate Crypto SMM Protocol. Status = %r\n", Status)); + ASSERT_EFI_ERROR (Status); + ASSERT (mSmmCryptoProtocol != NULL); + mSmmCryptoProtocol = NULL; + return EFI_NOT_FOUND; + } + + Version = mSmmCryptoProtocol->GetVersion (); + if (Version < EDKII_CRYPTO_VERSION) { + DEBUG((DEBUG_ERROR, "[SmmCryptLib] Crypto SMM Protocol unsupported version %d\n", Version)); + ASSERT (Version >= EDKII_CRYPTO_VERSION); + mSmmCryptoProtocol = NULL; + return EFI_NOT_FOUND; + } + + return EFI_SUCCESS; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf new file mode 100644 index 00000000..1a3a3d35 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf @@ -0,0 +1,44 @@ +## @file +# Implements the BaseCryptLib and TlsLib using the services of the EDK II Crypto +# SMM Protocol. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x0001001B + BASE_NAME = SmmCryptLib + MODULE_UNI_FILE = CryptLib.uni + FILE_GUID = 5CC6ECC9-E961-46A9-8D5C-6581A060DC0D + VERSION_STRING = 1.0 + MODULE_TYPE = DXE_SMM_DRIVER + LIBRARY_CLASS = BaseCryptLib | DXE_SMM_DRIVER + LIBRARY_CLASS = TlsLib | DXE_SMM_DRIVER + CONSTRUCTOR = SmmCryptLibConstructor + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + SmmServicesTableLib + +[Sources] + SmmCryptLib.c + CryptLib.c + +[Protocols] + gEdkiiSmmCryptoProtocolGuid ## CONSUMES + +[Depex] + gEdkiiSmmCryptoProtocolGuid diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c new file mode 100644 index 00000000..6e89200d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -0,0 +1,283 @@ +/** @file + Unified Hash API Implementation + + This file implements the Unified Hash API. + + This API, when called, will calculate the Hash using the + hashing algorithm specified by PcdHashApiLibPolicy. + + Copyright (c) 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + Retrieves the size, in bytes, of the context buffer required for hash operations. + + @return The size, in bytes, of the context buffer required for hash operations. +**/ +UINTN +EFIAPI +HashApiGetContextSize ( + VOID + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1GetContextSize (); + break; + + case HASH_ALG_SHA256: + return Sha256GetContextSize (); + break; + + case HASH_ALG_SHA384: + return Sha384GetContextSize (); + break; + + case HASH_ALG_SHA512: + return Sha512GetContextSize (); + break; + + case HASH_ALG_SM3_256: + return Sm3GetContextSize (); + break; + + default: + ASSERT (FALSE); + return 0; + break; + } +} + +/** + Init hash sequence. + + @param[out] HashContext Hash context. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_API_CONTEXT HashContext + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1Init (HashContext); + break; + + case HASH_ALG_SHA256: + return Sha256Init (HashContext); + break; + + case HASH_ALG_SHA384: + return Sha384Init (HashContext); + break; + + case HASH_ALG_SHA512: + return Sha512Init (HashContext); + break; + + case HASH_ALG_SM3_256: + return Sm3Init (HashContext); + break; + + default: + ASSERT (FALSE); + return FALSE; + break; + } +} + +/** + Makes a copy of an existing hash context. + + @param[in] HashContext Hash context. + @param[out] NewHashContext New copy of hash context. + + @retval TRUE Hash context copy succeeded. + @retval FALSE Hash context copy failed. +**/ +BOOLEAN +EFIAPI +HashApiDuplicate ( + IN HASH_API_CONTEXT HashContext, + OUT HASH_API_CONTEXT NewHashContext + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1Duplicate (HashContext, NewHashContext); + break; + + case HASH_ALG_SHA256: + return Sha256Duplicate (HashContext, NewHashContext); + break; + + case HASH_ALG_SHA384: + return Sha384Duplicate (HashContext, NewHashContext); + break; + + case HASH_ALG_SHA512: + return Sha512Duplicate (HashContext, NewHashContext); + break; + + case HASH_ALG_SM3_256: + return Sm3Duplicate (HashContext, NewHashContext); + break; + + default: + ASSERT (FALSE); + return FALSE; + break; + } +} + +/** + Update hash data. + + @param[in] HashContext Hash context. + @param[in] DataToHash Data to be hashed. + @param[in] DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_API_CONTEXT HashContext, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1Update (HashContext, DataToHash, DataToHashLen); + break; + + case HASH_ALG_SHA256: + return Sha256Update (HashContext, DataToHash, DataToHashLen); + break; + + case HASH_ALG_SHA384: + return Sha384Update (HashContext, DataToHash, DataToHashLen); + break; + + case HASH_ALG_SHA512: + return Sha512Update (HashContext, DataToHash, DataToHashLen); + break; + + case HASH_ALG_SM3_256: + return Sm3Update (HashContext, DataToHash, DataToHashLen); + break; + + default: + ASSERT (FALSE); + return FALSE; + break; + } +} + +/** + Hash complete. + + @param[in] HashContext Hash context. + @param[out] Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_API_CONTEXT HashContext, + OUT UINT8 *Digest + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1Final (HashContext, Digest); + break; + + case HASH_ALG_SHA256: + return Sha256Final (HashContext, Digest); + break; + + case HASH_ALG_SHA384: + return Sha384Final (HashContext, Digest); + break; + + case HASH_ALG_SHA512: + return Sha512Final (HashContext, Digest); + break; + + case HASH_ALG_SM3_256: + return Sm3Final (HashContext, Digest); + break; + + default: + ASSERT (FALSE); + return FALSE; + break; + } +} + +/** + Computes hash message digest of a input data buffer. + + @param[in] DataToHash Data to be hashed. + @param[in] DataToHashLen Data size. + @param[out] Digest Hash Digest. + + @retval TRUE Hash digest computation succeeded. + @retval FALSE Hash digest computation failed. +**/ +BOOLEAN +EFIAPI +HashApiHashAll ( + IN CONST VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest + ) +{ + switch (PcdGet32 (PcdHashApiLibPolicy)) { + case HASH_ALG_SHA1: + return Sha1HashAll (DataToHash, DataToHashLen, Digest); + break; + + case HASH_ALG_SHA256: + return Sha256HashAll (DataToHash, DataToHashLen, Digest); + break; + + case HASH_ALG_SHA384: + return Sha384HashAll (DataToHash, DataToHashLen, Digest); + break; + + case HASH_ALG_SHA512: + return Sha512HashAll (DataToHash, DataToHashLen, Digest); + break; + + case HASH_ALG_SM3_256: + return Sm3HashAll (DataToHash, DataToHashLen, Digest); + break; + + default: + ASSERT (FALSE); + return FALSE; + break; + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf new file mode 100644 index 00000000..116b7dc8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf @@ -0,0 +1,44 @@ +## @file +# Provides Unified API for Hash Calculation +# +# This library is BaseHashApiLib. It will redirect hash request to +# each individual hash API, such as SHA1, SHA256, SHA384, SM3 based +# on hashing algorithm specified by PcdHashApiLibPolicy. +# +# Copyright (c) 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseHashApiLib + MODULE_UNI_FILE = BaseHashApiLib.uni + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = HashApiLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + BaseHashApiLib.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + PcdLib + +[Pcd] + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni new file mode 100644 index 00000000..49ba82e8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni @@ -0,0 +1,17 @@ +// /** @file +// Provides Unified API for Hash Calculation +// +// This library is BaseHashApiLib. It will redirect hash request to +// each individual hash API, such as SHA1, SHA256, SHA384, SM3 based +// on hashing algorithm specified by PcdHashApiLibPolicy. +// +// Copyright (c) 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by specified hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdHashApiLibPolicy." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/CrtLibSupport.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/CrtLibSupport.h new file mode 100644 index 00000000..fd098c50 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/CrtLibSupport.h @@ -0,0 +1,221 @@ +/** @file + Root include file of C runtime library to support building the third-party + cryptographic library. + +Copyright (c) 2010 - 2021, Intel Corporation. All rights reserved.
+Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __CRT_LIB_SUPPORT_H__ +#define __CRT_LIB_SUPPORT_H__ + +#include +#include +#include +#include + +#define OPENSSLDIR "" +#define ENGINESDIR "" + +#define MAX_STRING_SIZE 0x1000 + +// +// We already have "no-ui" in out Configure invocation. +// but the code still fails to compile. +// Ref: https://github.com/openssl/openssl/issues/8904 +// +// This is defined in CRT library(stdio.h). +// +#ifndef BUFSIZ +#define BUFSIZ 8192 +#endif + +// +// OpenSSL relies on explicit configuration for word size in crypto/bn, +// but we want it to be automatically inferred from the target. So we +// bypass what's in for OPENSSL_SYS_UEFI, and +// define our own here. +// +#ifdef CONFIG_HEADER_BN_H +#error CONFIG_HEADER_BN_H already defined +#endif + +#define CONFIG_HEADER_BN_H + +#if !defined(SIXTY_FOUR_BIT) && !defined (THIRTY_TWO_BIT) +#if defined(MDE_CPU_X64) || defined(MDE_CPU_AARCH64) || defined(MDE_CPU_IA64) || defined(MDE_CPU_RISCV64) +// +// With GCC we would normally use SIXTY_FOUR_BIT_LONG, but MSVC needs +// SIXTY_FOUR_BIT, because 'long' is 32-bit and only 'long long' is +// 64-bit. Since using 'long long' works fine on GCC too, just do that. +// +#define SIXTY_FOUR_BIT +#elif defined(MDE_CPU_IA32) || defined(MDE_CPU_ARM) || defined(MDE_CPU_EBC) +#define THIRTY_TWO_BIT +#else +#error Unknown target architecture +#endif +#endif + +// +// Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h +// +#if !defined(__CC_ARM) // if va_list is not already defined +#define va_list VA_LIST +#define va_arg VA_ARG +#define va_start VA_START +#define va_end VA_END +#else // __CC_ARM +#define va_start(Marker, Parameter) __va_start(Marker, Parameter) +#define va_arg(Marker, TYPE) __va_arg(Marker, TYPE) +#define va_end(Marker) ((void)0) +#endif + +// +// Definitions for global constants used by CRT library routines +// +#define EINVAL 22 /* Invalid argument */ +#define EAFNOSUPPORT 47 /* Address family not supported by protocol family */ +#define INT_MAX 0x7FFFFFFF /* Maximum (signed) int value */ +#define LONG_MAX 0X7FFFFFFFL /* max value for a long */ +#define LONG_MIN (-LONG_MAX-1) /* min value for a long */ +#define ULONG_MAX 0xFFFFFFFF /* Maximum unsigned long value */ +#define CHAR_BIT 8 /* Number of bits in a char */ + +// +// Address families. +// +#define AF_INET 2 /* internetwork: UDP, TCP, etc. */ +#define AF_INET6 24 /* IP version 6 */ + +// +// Define constants based on RFC0883, RFC1034, RFC 1035 +// +#define NS_INT16SZ 2 /*%< #/bytes of data in a u_int16_t */ +#define NS_INADDRSZ 4 /*%< IPv4 T_A */ +#define NS_IN6ADDRSZ 16 /*%< IPv6 T_AAAA */ + +// +// Basic types mapping +// +typedef UINTN size_t; +typedef UINTN u_int; +typedef INTN ssize_t; +typedef INT32 time_t; +typedef UINT8 __uint8_t; +typedef UINT8 sa_family_t; +typedef UINT8 u_char; +typedef UINT32 uid_t; +typedef UINT32 gid_t; + +// +// File operations are not required for EFI building, +// so FILE is mapped to VOID * to pass build +// +typedef VOID *FILE; + +// +// Structures Definitions +// +struct tm { + int tm_sec; /* seconds after the minute [0-60] */ + int tm_min; /* minutes after the hour [0-59] */ + int tm_hour; /* hours since midnight [0-23] */ + int tm_mday; /* day of the month [1-31] */ + int tm_mon; /* months since January [0-11] */ + int tm_year; /* years since 1900 */ + int tm_wday; /* days since Sunday [0-6] */ + int tm_yday; /* days since January 1 [0-365] */ + int tm_isdst; /* Daylight Savings Time flag */ + long tm_gmtoff; /* offset from CUT in seconds */ + char *tm_zone; /* timezone abbreviation */ +}; + +struct timeval { + long tv_sec; /* time value, in seconds */ + long tv_usec; /* time value, in microseconds */ +}; + +struct sockaddr { + __uint8_t sa_len; /* total length */ + sa_family_t sa_family; /* address family */ + char sa_data[14]; /* actually longer; address value */ +}; + +// +// Global variables +// +extern int errno; +extern FILE *stderr; + +// +// Function prototypes of CRT Library routines +// +void *malloc (size_t); +void *realloc (void *, size_t); +void free (void *); +void *memset (void *, int, size_t); +int memcmp (const void *, const void *, size_t); +int isdigit (int); +int isspace (int); +int isxdigit (int); +int isalnum (int); +int isupper (int); +int tolower (int); +int strcmp (const char *, const char *); +int strncasecmp (const char *, const char *, size_t); +char *strchr (const char *, int); +char *strrchr (const char *, int); +unsigned long strtoul (const char *, char **, int); +long strtol (const char *, char **, int); +char *strerror (int); +size_t strspn (const char *, const char *); +size_t strcspn (const char *, const char *); +int printf (const char *, ...); +int sscanf (const char *, const char *, ...); +FILE *fopen (const char *, const char *); +size_t fread (void *, size_t, size_t, FILE *); +size_t fwrite (const void *, size_t, size_t, FILE *); +int fclose (FILE *); +int fprintf (FILE *, const char *, ...); +time_t time (time_t *); +struct tm *gmtime (const time_t *); +uid_t getuid (void); +uid_t geteuid (void); +gid_t getgid (void); +gid_t getegid (void); +int issetugid (void); +void qsort (void *, size_t, size_t, int (*)(const void *, const void *)); +char *getenv (const char *); +char *secure_getenv (const char *); +#if defined(__GNUC__) && (__GNUC__ >= 2) +void abort (void) __attribute__((__noreturn__)); +#else +void abort (void); +#endif +int inet_pton (int, const char *, void *); + +// +// Macros that directly map functions to BaseLib, BaseMemoryLib, and DebugLib functions +// +#define memcpy(dest,source,count) CopyMem(dest,source,(UINTN)(count)) +#define memset(dest,ch,count) SetMem(dest,(UINTN)(count),(UINT8)(ch)) +#define memchr(buf,ch,count) ScanMem8(buf,(UINTN)(count),(UINT8)ch) +#define memcmp(buf1,buf2,count) (int)(CompareMem(buf1,buf2,(UINTN)(count))) +#define memmove(dest,source,count) CopyMem(dest,source,(UINTN)(count)) +#define strlen(str) (size_t)(AsciiStrnLenS(str,MAX_STRING_SIZE)) +#define strcpy(strDest,strSource) AsciiStrCpyS(strDest,MAX_STRING_SIZE,strSource) +#define strncpy(strDest,strSource,count) AsciiStrnCpyS(strDest,MAX_STRING_SIZE,strSource,(UINTN)count) +#define strcat(strDest,strSource) AsciiStrCatS(strDest,MAX_STRING_SIZE,strSource) +#define strncmp(string1,string2,count) (int)(AsciiStrnCmp(string1,string2,(UINTN)(count))) +#define strcasecmp(str1,str2) (int)AsciiStriCmp(str1,str2) +#define sprintf(buf,...) AsciiSPrint(buf,MAX_STRING_SIZE,__VA_ARGS__) +#define localtime(timer) NULL +#define assert(expression) +#define offsetof(type,member) OFFSET_OF(type,member) +#define atoi(nptr) AsciiStrDecimalToUintn(nptr) +#define gettimeofday(tvp,tz) do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } while (0) + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/inet.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/inet.h new file mode 100644 index 00000000..e51dc867 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/inet.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building third-party standard C / BSD sockets code. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/nameser.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/nameser.h new file mode 100644 index 00000000..e51dc867 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/arpa/nameser.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building third-party standard C / BSD sockets code. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/assert.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/assert.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/assert.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/crypto/dso_conf.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/crypto/dso_conf.h new file mode 100644 index 00000000..abbbf62c --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/crypto/dso_conf.h @@ -0,0 +1,16 @@ +/* WARNING: do not edit! */ +/* Generated from include/crypto/dso_conf.h.in */ +/* + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_CRYPTO_DSO_CONF_H +# define OSSL_CRYPTO_DSO_CONF_H +# define DSO_NONE +# define DSO_EXTENSION ".so" +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/ctype.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/ctype.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/ctype.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/errno.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/errno.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/errno.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/limits.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/limits.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/limits.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/memory.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/memory.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/memory.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/netinet/in.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/netinet/in.h new file mode 100644 index 00000000..e51dc867 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/netinet/in.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building third-party standard C / BSD sockets code. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/openssl/opensslconf.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/openssl/opensslconf.h new file mode 100644 index 00000000..500318c3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/openssl/opensslconf.h @@ -0,0 +1,351 @@ +/* + * WARNING: do not edit! + * Generated from include/openssl/opensslconf.h.in + * + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#ifdef OPENSSL_ALGORITHM_DEFINES +# error OPENSSL_ALGORITHM_DEFINES no longer supported +#endif + +/* + * OpenSSL was configured with the following options: + */ + +#ifndef OPENSSL_SYS_UEFI +# define OPENSSL_SYS_UEFI 1 +#endif +#define OPENSSL_MIN_API 0x10100000L +#ifndef OPENSSL_NO_BF +# define OPENSSL_NO_BF +#endif +#ifndef OPENSSL_NO_BLAKE2 +# define OPENSSL_NO_BLAKE2 +#endif +#ifndef OPENSSL_NO_CAMELLIA +# define OPENSSL_NO_CAMELLIA +#endif +#ifndef OPENSSL_NO_CAST +# define OPENSSL_NO_CAST +#endif +#ifndef OPENSSL_NO_CHACHA +# define OPENSSL_NO_CHACHA +#endif +#ifndef OPENSSL_NO_CMS +# define OPENSSL_NO_CMS +#endif +#ifndef OPENSSL_NO_CT +# define OPENSSL_NO_CT +#endif +#ifndef OPENSSL_NO_DES +# define OPENSSL_NO_DES +#endif +#ifndef OPENSSL_NO_DSA +# define OPENSSL_NO_DSA +#endif +#ifndef OPENSSL_NO_EC +# define OPENSSL_NO_EC +#endif +#ifndef OPENSSL_NO_IDEA +# define OPENSSL_NO_IDEA +#endif +#ifndef OPENSSL_NO_MD2 +# define OPENSSL_NO_MD2 +#endif +#ifndef OPENSSL_NO_MD4 +# define OPENSSL_NO_MD4 +#endif +#ifndef OPENSSL_NO_MDC2 +# define OPENSSL_NO_MDC2 +#endif +#ifndef OPENSSL_NO_POLY1305 +# define OPENSSL_NO_POLY1305 +#endif +#ifndef OPENSSL_NO_RC2 +# define OPENSSL_NO_RC2 +#endif +#ifndef OPENSSL_NO_RC4 +# define OPENSSL_NO_RC4 +#endif +#ifndef OPENSSL_NO_RC5 +# define OPENSSL_NO_RC5 +#endif +#ifndef OPENSSL_NO_RMD160 +# define OPENSSL_NO_RMD160 +#endif +#ifndef OPENSSL_NO_SEED +# define OPENSSL_NO_SEED +#endif +#ifndef OPENSSL_NO_SM2 +# define OPENSSL_NO_SM2 +#endif +#ifndef OPENSSL_NO_SRP +# define OPENSSL_NO_SRP +#endif +#ifndef OPENSSL_NO_TS +# define OPENSSL_NO_TS +#endif +#ifndef OPENSSL_NO_WHIRLPOOL +# define OPENSSL_NO_WHIRLPOOL +#endif +#ifndef OPENSSL_RAND_SEED_NONE +# define OPENSSL_RAND_SEED_NONE +#endif +#ifndef OPENSSL_NO_AFALGENG +# define OPENSSL_NO_AFALGENG +#endif +#ifndef OPENSSL_NO_APPS +# define OPENSSL_NO_APPS +#endif +#ifndef OPENSSL_NO_ASAN +# define OPENSSL_NO_ASAN +#endif +#ifndef OPENSSL_NO_ASM +# define OPENSSL_NO_ASM +#endif +#ifndef OPENSSL_NO_ASYNC +# define OPENSSL_NO_ASYNC +#endif +#ifndef OPENSSL_NO_AUTOERRINIT +# define OPENSSL_NO_AUTOERRINIT +#endif +#ifndef OPENSSL_NO_AUTOLOAD_CONFIG +# define OPENSSL_NO_AUTOLOAD_CONFIG +#endif +#ifndef OPENSSL_NO_CAPIENG +# define OPENSSL_NO_CAPIENG +#endif +#ifndef OPENSSL_NO_CRYPTO_MDEBUG +# define OPENSSL_NO_CRYPTO_MDEBUG +#endif +#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE +# define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE +#endif +#ifndef OPENSSL_NO_DEPRECATED +# define OPENSSL_NO_DEPRECATED +#endif +#ifndef OPENSSL_NO_DEVCRYPTOENG +# define OPENSSL_NO_DEVCRYPTOENG +#endif +#ifndef OPENSSL_NO_DGRAM +# define OPENSSL_NO_DGRAM +#endif +#ifndef OPENSSL_NO_DTLS +# define OPENSSL_NO_DTLS +#endif +#ifndef OPENSSL_NO_DTLS1 +# define OPENSSL_NO_DTLS1 +#endif +#ifndef OPENSSL_NO_DTLS1_2 +# define OPENSSL_NO_DTLS1_2 +#endif +#ifndef OPENSSL_NO_EC2M +# define OPENSSL_NO_EC2M +#endif +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 +#endif +#ifndef OPENSSL_NO_ECDH +# define OPENSSL_NO_ECDH +#endif +#ifndef OPENSSL_NO_ECDSA +# define OPENSSL_NO_ECDSA +#endif +#ifndef OPENSSL_NO_EGD +# define OPENSSL_NO_EGD +#endif +#ifndef OPENSSL_NO_ENGINE +# define OPENSSL_NO_ENGINE +#endif +#ifndef OPENSSL_NO_ERR +# define OPENSSL_NO_ERR +#endif +#ifndef OPENSSL_NO_EXTERNAL_TESTS +# define OPENSSL_NO_EXTERNAL_TESTS +#endif +#ifndef OPENSSL_NO_FILENAMES +# define OPENSSL_NO_FILENAMES +#endif +#ifndef OPENSSL_NO_FUZZ_AFL +# define OPENSSL_NO_FUZZ_AFL +#endif +#ifndef OPENSSL_NO_FUZZ_LIBFUZZER +# define OPENSSL_NO_FUZZ_LIBFUZZER +#endif +#ifndef OPENSSL_NO_GOST +# define OPENSSL_NO_GOST +#endif +#ifndef OPENSSL_NO_HEARTBEATS +# define OPENSSL_NO_HEARTBEATS +#endif +#ifndef OPENSSL_NO_HW +# define OPENSSL_NO_HW +#endif +#ifndef OPENSSL_NO_MSAN +# define OPENSSL_NO_MSAN +#endif +#ifndef OPENSSL_NO_OCB +# define OPENSSL_NO_OCB +#endif +#ifndef OPENSSL_NO_POSIX_IO +# define OPENSSL_NO_POSIX_IO +#endif +#ifndef OPENSSL_NO_RFC3779 +# define OPENSSL_NO_RFC3779 +#endif +#ifndef OPENSSL_NO_SCRYPT +# define OPENSSL_NO_SCRYPT +#endif +#ifndef OPENSSL_NO_SCTP +# define OPENSSL_NO_SCTP +#endif +#ifndef OPENSSL_NO_SOCK +# define OPENSSL_NO_SOCK +#endif +#ifndef OPENSSL_NO_SSL_TRACE +# define OPENSSL_NO_SSL_TRACE +#endif +#ifndef OPENSSL_NO_SSL3 +# define OPENSSL_NO_SSL3 +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +# define OPENSSL_NO_SSL3_METHOD +#endif +#ifndef OPENSSL_NO_STDIO +# define OPENSSL_NO_STDIO +#endif +#ifndef OPENSSL_NO_TESTS +# define OPENSSL_NO_TESTS +#endif +#ifndef OPENSSL_NO_TLS1_3 +# define OPENSSL_NO_TLS1_3 +#endif +#ifndef OPENSSL_NO_UBSAN +# define OPENSSL_NO_UBSAN +#endif +#ifndef OPENSSL_NO_UI_CONSOLE +# define OPENSSL_NO_UI_CONSOLE +#endif +#ifndef OPENSSL_NO_UNIT_TEST +# define OPENSSL_NO_UNIT_TEST +#endif +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +# define OPENSSL_NO_WEAK_SSL_CIPHERS +#endif +#ifndef OPENSSL_NO_DYNAMIC_ENGINE +# define OPENSSL_NO_DYNAMIC_ENGINE +#endif + + +/* + * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers + * don't like that. This will hopefully silence them. + */ +#define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy; + +/* + * Applications should use -DOPENSSL_API_COMPAT= to suppress the + * declarations of functions deprecated in or before . Otherwise, they + * still won't see them if the library has been built to disable deprecated + * functions. + */ +#ifndef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f; +# ifdef __GNUC__ +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +# undef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# endif +#elif defined(__SUNPRO_C) +#if (__SUNPRO_C >= 0x5130) +#undef DECLARE_DEPRECATED +#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +#endif +# endif +#endif + +#ifndef OPENSSL_FILE +# ifdef OPENSSL_NO_FILENAMES +# define OPENSSL_FILE "" +# define OPENSSL_LINE 0 +# else +# define OPENSSL_FILE __FILE__ +# define OPENSSL_LINE __LINE__ +# endif +#endif + +#ifndef OPENSSL_MIN_API +# define OPENSSL_MIN_API 0 +#endif + +#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API +# undef OPENSSL_API_COMPAT +# define OPENSSL_API_COMPAT OPENSSL_MIN_API +#endif + +/* + * Do not deprecate things to be deprecated in version 1.2.0 before the + * OpenSSL version number matches. + */ +#if OPENSSL_VERSION_NUMBER < 0x10200000L +# define DEPRECATEDIN_1_2_0(f) f; +#elif OPENSSL_API_COMPAT < 0x10200000L +# define DEPRECATEDIN_1_2_0(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_1_2_0(f) +#endif + +#if OPENSSL_API_COMPAT < 0x10100000L +# define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_1_1_0(f) +#endif + +#if OPENSSL_API_COMPAT < 0x10000000L +# define DEPRECATEDIN_1_0_0(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_1_0_0(f) +#endif + +#if OPENSSL_API_COMPAT < 0x00908000L +# define DEPRECATEDIN_0_9_8(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_0_9_8(f) +#endif + +/* Generate 80386 code? */ +#undef I386_ONLY + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +/* + * The following are cipher-specific, but are part of the public API. + */ +#if !defined(OPENSSL_SYS_UEFI) +# undef BN_LLONG +/* Only one for the following should be defined */ +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +#endif + +#define RC4_INT unsigned int + +#ifdef __cplusplus +} +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdarg.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdarg.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdarg.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stddef.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stddef.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stddef.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdio.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdio.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdio.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdlib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdlib.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/stdlib.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/string.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/string.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/string.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/strings.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/strings.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/strings.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/param.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/param.h new file mode 100644 index 00000000..e51dc867 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/param.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building third-party standard C / BSD sockets code. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/shm.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/shm.h new file mode 100644 index 00000000..1091db03 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/shm.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/socket.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/socket.h new file mode 100644 index 00000000..e51dc867 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/socket.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building third-party standard C / BSD sockets code. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/syscall.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/syscall.h new file mode 100644 index 00000000..058bb137 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/syscall.h @@ -0,0 +1,11 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2019, Red Hat, Inc. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/time.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/time.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/time.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/types.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/types.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/types.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/utsname.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/utsname.h new file mode 100644 index 00000000..1091db03 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/sys/utsname.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/syslog.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/syslog.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/syslog.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/time.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/time.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/time.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/unistd.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/unistd.h new file mode 100644 index 00000000..22247bb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/Include/unistd.h @@ -0,0 +1,9 @@ +/** @file + Include file to support building the third-party cryptographic library. + +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/BaseIntrinsicLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/BaseIntrinsicLib.uni new file mode 100644 index 00000000..47f19d40 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/BaseIntrinsicLib.uni @@ -0,0 +1,16 @@ +// /** @file +// Intrinsic Routines Wrapper Library Instance. +// +// This module is intrinsic routines wrapper library instance. +// +// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Intrinsic Routines Wrapper Library Instance" + +#string STR_MODULE_DESCRIPTION #language en-US "This module is intrinsic routines wrapper library instance." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/CopyMem.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/CopyMem.c new file mode 100644 index 00000000..d196296a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/CopyMem.c @@ -0,0 +1,30 @@ +/** @file + Intrinsic Memory Routines Wrapper Implementation for OpenSSL-based + Cryptographic Library. + +Copyright (c) 2010, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#if defined(__clang__) && !defined(__APPLE__) + +/* Copies bytes between buffers */ +static __attribute__((__used__)) +void * __memcpy (void *dest, const void *src, unsigned int count) +{ + return CopyMem (dest, src, (UINTN)count); +} +__attribute__((__alias__("__memcpy"))) +void * memcpy (void *dest, const void *src, unsigned int count); + +#else +/* Copies bytes between buffers */ +void * memcpy (void *dest, const void *src, unsigned int count) +{ + return CopyMem (dest, src, (UINTN)count); +} +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c new file mode 100644 index 00000000..02df0e8d --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathFtol.c @@ -0,0 +1,22 @@ +/** @file + 64-bit Math Worker Function. + The 32-bit versions of C compiler generate calls to library routines + to handle 64-bit math. These functions use non-standard calling conventions. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +/* + * Floating point to integer conversion. + */ +__declspec(naked) void _ftol2 (void) +{ + _asm { + fistp qword ptr [esp-8] + mov edx, [esp-4] + mov eax, [esp-8] + ret + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.c new file mode 100644 index 00000000..3b1255db --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.c @@ -0,0 +1,48 @@ +/** @file + 64-bit Math Worker Function. + The 32-bit versions of C compiler generate calls to library routines + to handle 64-bit math. These functions use non-standard calling conventions. + +Copyright (c) 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +/* + * Shifts a 64-bit signed value left by a particular number of bits. + */ +__declspec(naked) void __cdecl _allshl (void) +{ + _asm { + ; + ; Handle shifting of 64 or more bits (return 0) + ; + cmp cl, 64 + jae short ReturnZero + + ; + ; Handle shifting of between 0 and 31 bits + ; + cmp cl, 32 + jae short More32 + shld edx, eax, cl + shl eax, cl + ret + + ; + ; Handle shifting of between 32 and 63 bits + ; +More32: + mov edx, eax + xor eax, eax + and cl, 31 + shl edx, cl + ret + +ReturnZero: + xor eax,eax + xor edx,edx + ret + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.nasm b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.nasm new file mode 100644 index 00000000..110ffec4 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathLShiftS64.nasm @@ -0,0 +1,42 @@ +;------------------------------------------------------------------------------ +; +; Copyright (c) 2016, Intel Corporation. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent +; +; Module Name: +; +; MathLShiftS64.nasm +; +; Abstract: +; +; 64-bit Math Worker Function. +; Shifts a 64-bit signed value left by a certain number of bits. +; +;------------------------------------------------------------------------------ + + SECTION .text + +global ASM_PFX(__ashldi3) +;------------------------------------------------------------------------------ +; +; void __cdecl __ashldi3 (void) +; +;------------------------------------------------------------------------------ +ASM_PFX(__ashldi3): + cmp cl,0x40 + jnc ReturnZero + cmp cl,0x20 + jnc More32 + shld edx,eax,cl + shl eax,cl + ret +More32: + mov edx,eax + xor eax,eax + and cl,0x1f + shl edx,cl + ret +ReturnZero: + xor eax,eax + xor edx,edx + ret diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.c new file mode 100644 index 00000000..29497692 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.c @@ -0,0 +1,51 @@ +/** @file + 64-bit Math Worker Function. + The 32-bit versions of C compiler generate calls to library routines + to handle 64-bit math. These functions use non-standard calling conventions. + +Copyright (c) 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +/* + * Shifts a 64-bit unsigned value right by a certain number of bits. + */ +__declspec(naked) void __cdecl _aullshr (void) +{ + _asm { + ; + ; Checking: Only handle 64bit shifting or more + ; + cmp cl, 64 + jae _Exit + + ; + ; Handle shifting between 0 and 31 bits + ; + cmp cl, 32 + jae More32 + shrd eax, edx, cl + shr edx, cl + ret + + ; + ; Handle shifting of 32-63 bits + ; +More32: + mov eax, edx + xor edx, edx + and cl, 31 + shr eax, cl + ret + + ; + ; Invalid number (less then 32bits), return 0 + ; +_Exit: + xor eax, eax + xor edx, edx + ret + } +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.nasm b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.nasm new file mode 100644 index 00000000..2939aad4 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/Ia32/MathRShiftU64.nasm @@ -0,0 +1,43 @@ +;------------------------------------------------------------------------------ +; +; Copyright (c) 2016, Intel Corporation. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent +; +; Module Name: +; +; MathRShiftU64.nasm +; +; Abstract: +; +; 64-bit Math Worker Function. +; Shifts a 64-bit unsigned value right by a certain number of bits. +; +;------------------------------------------------------------------------------ + + SECTION .text + +;------------------------------------------------------------------------------ +; +; void __cdecl __ashrdi3 (void) +; +;------------------------------------------------------------------------------ +global ASM_PFX(__ashrdi3) +ASM_PFX(__ashrdi3): + cmp cl,0x40 + jnc _Exit + cmp cl,0x20 + jnc More32 + shrd eax,edx,cl + shr edx,cl + ret +More32: + mov eax,edx + xor edx,edx + and cl,0x1f + shr eax,cl + ret +_Exit: + xor eax,eax + xor edx,edx + ret + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf new file mode 100644 index 00000000..aa7aa1e5 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf @@ -0,0 +1,67 @@ +## @file +# Intrinsic Routines Wrapper Library Instance. +# +# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseIntrinsicLib + MODULE_UNI_FILE = BaseIntrinsicLib.uni + FILE_GUID = 63850097-3E97-4c4f-A52D-C811A0106105 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = IntrinsicLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + MemoryIntrinsics.c + +[Sources.IA32] + CopyMem.c + + Ia32/MathLShiftS64.c | MSFT + Ia32/MathRShiftU64.c | MSFT + Ia32/MathFtol.c | MSFT + + Ia32/MathLShiftS64.c | INTEL + Ia32/MathRShiftU64.c | INTEL + Ia32/MathFtol.c | INTEL + + Ia32/MathLShiftS64.nasm | GCC + Ia32/MathRShiftU64.nasm | GCC + +[Sources.X64] + CopyMem.c + +[Packages] + MdePkg/MdePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + +[BuildOptions] + # + # Override MSFT build option to remove /Oi and /GL + # + MSFT:DEBUG_VS2003_IA32_CC_FLAGS == /nologo /c /WX /W4 /Gs32768 /Gy /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /GX- /Zi /Gm + MSFT:RELEASE_VS2003_IA32_CC_FLAGS == /nologo /c /WX /W4 /Gs32768 /Gy /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /GX- + MSFT:DEBUG_VS2003xASL_IA32_CC_FLAGS == /nologo /c /WX /W4 /Gs32768 /Gy /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /GX- /Zi /Gm + MSFT:RELEASE_VS2003xASL_IA32_CC_FLAGS == /nologo /c /WX /W4 /Gs32768 /Gy /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /GX- + MSFT:DEBUG_DDK3790_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm + MSFT:RELEASE_DDK3790_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF + MSFT:DEBUG_DDK3790xASL_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm + MSFT:RELEASE_DDK3790xASL_IA32_CC_FLAGS == /nologo /c /WX /Gy /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF + MSFT:DEBUG_*_IA32_CC_FLAGS == /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gm + MSFT:RELEASE_*_IA32_CC_FLAGS == /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /FIAutoGen.h /EHs-c- /GR- /GF + MSFT:DEBUG_*_X64_CC_FLAGS == /nologo /c /WX /GS- /X /W4 /Gs32768 /D UNICODE /O1b2s /Gy /FIAutoGen.h /EHs-c- /GR- /GF /Zi /Gm + MSFT:RELEASE_*_X64_CC_FLAGS == /nologo /c /WX /GS- /X /W4 /Gs32768 /D UNICODE /O1b2s /Gy /FIAutoGen.h /EHs-c- /GR- /GF + INTEL:*_*_*_CC_FLAGS = /Oi- diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c new file mode 100644 index 00000000..25c3cc35 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/IntrinsicLib/MemoryIntrinsics.c @@ -0,0 +1,60 @@ +/** @file + Intrinsic Memory Routines Wrapper Implementation for OpenSSL-based + Cryptographic Library. + +Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +typedef UINTN size_t; + +#if defined(__GNUC__) || defined(__clang__) + #define GLOBAL_USED __attribute__((used)) +#else + #define GLOBAL_USED +#endif + +/* OpenSSL will use floating point support, and C compiler produces the _fltused + symbol by default. Simply define this symbol here to satisfy the linker. */ +int GLOBAL_USED _fltused = 1; + +/* Sets buffers to a specified character */ +void * memset (void *dest, int ch, size_t count) +{ + // + // NOTE: Here we use one base implementation for memset, instead of the direct + // optimized SetMem() wrapper. Because the IntrinsicLib has to be built + // without whole program optimization option, and there will be some + // potential register usage errors when calling other optimized codes. + // + + // + // Declare the local variables that actually move the data elements as + // volatile to prevent the optimizer from replacing this function with + // the intrinsic memset() + // + volatile UINT8 *Pointer; + + Pointer = (UINT8 *)dest; + while (count-- != 0) { + *(Pointer++) = (UINT8)ch; + } + + return dest; +} + +/* Compare bytes in two buffers. */ +int memcmp (const void *buf1, const void *buf2, size_t count) +{ + return (int)CompareMem(buf1, buf2, count); +} + +int strcmp (const char *s1, const char *s2) +{ + return (int)AsciiStrCmp(s1, s2); +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt new file mode 100644 index 00000000..bb7c8780 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt @@ -0,0 +1,39 @@ + +============================================================================= + Introduction +============================================================================= + OpenSSL is a well-known open source implementation of SSL/TLS protocols. +The core library implements the cryptographic and SSL/TLS functions and +also provides various utility functions. The OpenSSL library is widely used +in variety of security products development as base crypto provider. +(See http://www.openssl.org/ for more information about OpenSSL). + UEFI (Unified Extensible Firmware Interface) is a specification detailing +the interfaces between OS and platform firmware. Several security features +were introduced (e.g. Authenticated Variable Service, Driver Signing, etc) +from UEFI 2.2 (http://www.uefi.org/). These security features highly depend +on the cryptography. + This HOWTO documents OpenSSL building under UEFI/EDKII environment. + +============================================================================= + OpenSSL-Version +============================================================================= + EDKII supports building with the latest release of OpenSSL. + NOTE: Only latest release version was fully validated. + And no guarantees on build & functionality if using other versions. + +============================================================================= + HOW to Install OpenSSL for UEFI Building +============================================================================= + OpenSSL repository was added as one submodule of EDKII project. Please +refer to edk2/Readme.md for how to clone the code. + +============================================================================= + About process_files.pl +============================================================================= + "process_files.pl" is one Perl script which runs the OpenSSL Configure, +then processes the resulting file list into our local OpensslLib.inf and +OpensslLibCrypto.inf. + This only needs to be done once by the maintainer / developer when +updating to a new version of OpenSSL (or changing options, etc.). +Normal users do not need do this, since the results are already stored in +the EDKII git repository for them. diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.inf new file mode 100644 index 00000000..5300ea32 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -0,0 +1,661 @@ +## @file +# This module provides OpenSSL Library implementation. +# +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+# (C) Copyright 2020 Hewlett Packard Enterprise Development LP
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OpensslLib + MODULE_UNI_FILE = OpensslLib.uni + FILE_GUID = C873A7D0-9824-409f-9B42-2C158B992E69 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = OpensslLib + DEFINE OPENSSL_PATH = openssl + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE + +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + $(OPENSSL_PATH)/e_os.h + $(OPENSSL_PATH)/ms/uplink.h +# Autogenerated files list starts here + $(OPENSSL_PATH)/crypto/aes/aes_cbc.c + $(OPENSSL_PATH)/crypto/aes/aes_cfb.c + $(OPENSSL_PATH)/crypto/aes/aes_core.c + $(OPENSSL_PATH)/crypto/aes/aes_ige.c + $(OPENSSL_PATH)/crypto/aes/aes_misc.c + $(OPENSSL_PATH)/crypto/aes/aes_ofb.c + $(OPENSSL_PATH)/crypto/aes/aes_wrap.c + $(OPENSSL_PATH)/crypto/aria/aria.c + $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c + $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_digest.c + $(OPENSSL_PATH)/crypto/asn1/a_dup.c + $(OPENSSL_PATH)/crypto/asn1/a_gentm.c + $(OPENSSL_PATH)/crypto/asn1/a_i2d_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_int.c + $(OPENSSL_PATH)/crypto/asn1/a_mbstr.c + $(OPENSSL_PATH)/crypto/asn1/a_object.c + $(OPENSSL_PATH)/crypto/asn1/a_octet.c + $(OPENSSL_PATH)/crypto/asn1/a_print.c + $(OPENSSL_PATH)/crypto/asn1/a_sign.c + $(OPENSSL_PATH)/crypto/asn1/a_strex.c + $(OPENSSL_PATH)/crypto/asn1/a_strnid.c + $(OPENSSL_PATH)/crypto/asn1/a_time.c + $(OPENSSL_PATH)/crypto/asn1/a_type.c + $(OPENSSL_PATH)/crypto/asn1/a_utctm.c + $(OPENSSL_PATH)/crypto/asn1/a_utf8.c + $(OPENSSL_PATH)/crypto/asn1/a_verify.c + $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_err.c + $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c + $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_par.c + $(OPENSSL_PATH)/crypto/asn1/asn_mime.c + $(OPENSSL_PATH)/crypto/asn1/asn_moid.c + $(OPENSSL_PATH)/crypto/asn1/asn_mstbl.c + $(OPENSSL_PATH)/crypto/asn1/asn_pack.c + $(OPENSSL_PATH)/crypto/asn1/bio_asn1.c + $(OPENSSL_PATH)/crypto/asn1/bio_ndef.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pr.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pu.c + $(OPENSSL_PATH)/crypto/asn1/evp_asn1.c + $(OPENSSL_PATH)/crypto/asn1/f_int.c + $(OPENSSL_PATH)/crypto/asn1/f_string.c + $(OPENSSL_PATH)/crypto/asn1/i2d_pr.c + $(OPENSSL_PATH)/crypto/asn1/i2d_pu.c + $(OPENSSL_PATH)/crypto/asn1/n_pkey.c + $(OPENSSL_PATH)/crypto/asn1/nsseq.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbe.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c + $(OPENSSL_PATH)/crypto/asn1/p5_scrypt.c + $(OPENSSL_PATH)/crypto/asn1/p8_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_bitst.c + $(OPENSSL_PATH)/crypto/asn1/t_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_spki.c + $(OPENSSL_PATH)/crypto/asn1/tasn_dec.c + $(OPENSSL_PATH)/crypto/asn1/tasn_enc.c + $(OPENSSL_PATH)/crypto/asn1/tasn_fre.c + $(OPENSSL_PATH)/crypto/asn1/tasn_new.c + $(OPENSSL_PATH)/crypto/asn1/tasn_prn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_scn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_typ.c + $(OPENSSL_PATH)/crypto/asn1/tasn_utl.c + $(OPENSSL_PATH)/crypto/asn1/x_algor.c + $(OPENSSL_PATH)/crypto/asn1/x_bignum.c + $(OPENSSL_PATH)/crypto/asn1/x_info.c + $(OPENSSL_PATH)/crypto/asn1/x_int64.c + $(OPENSSL_PATH)/crypto/asn1/x_long.c + $(OPENSSL_PATH)/crypto/asn1/x_pkey.c + $(OPENSSL_PATH)/crypto/asn1/x_sig.c + $(OPENSSL_PATH)/crypto/asn1/x_spki.c + $(OPENSSL_PATH)/crypto/asn1/x_val.c + $(OPENSSL_PATH)/crypto/async/arch/async_null.c + $(OPENSSL_PATH)/crypto/async/arch/async_posix.c + $(OPENSSL_PATH)/crypto/async/arch/async_win.c + $(OPENSSL_PATH)/crypto/async/async.c + $(OPENSSL_PATH)/crypto/async/async_err.c + $(OPENSSL_PATH)/crypto/async/async_wait.c + $(OPENSSL_PATH)/crypto/bio/b_addr.c + $(OPENSSL_PATH)/crypto/bio/b_dump.c + $(OPENSSL_PATH)/crypto/bio/b_sock.c + $(OPENSSL_PATH)/crypto/bio/b_sock2.c + $(OPENSSL_PATH)/crypto/bio/bf_buff.c + $(OPENSSL_PATH)/crypto/bio/bf_lbuf.c + $(OPENSSL_PATH)/crypto/bio/bf_nbio.c + $(OPENSSL_PATH)/crypto/bio/bf_null.c + $(OPENSSL_PATH)/crypto/bio/bio_cb.c + $(OPENSSL_PATH)/crypto/bio/bio_err.c + $(OPENSSL_PATH)/crypto/bio/bio_lib.c + $(OPENSSL_PATH)/crypto/bio/bio_meth.c + $(OPENSSL_PATH)/crypto/bio/bss_acpt.c + $(OPENSSL_PATH)/crypto/bio/bss_bio.c + $(OPENSSL_PATH)/crypto/bio/bss_conn.c + $(OPENSSL_PATH)/crypto/bio/bss_dgram.c + $(OPENSSL_PATH)/crypto/bio/bss_fd.c + $(OPENSSL_PATH)/crypto/bio/bss_file.c + $(OPENSSL_PATH)/crypto/bio/bss_log.c + $(OPENSSL_PATH)/crypto/bio/bss_mem.c + $(OPENSSL_PATH)/crypto/bio/bss_null.c + $(OPENSSL_PATH)/crypto/bio/bss_sock.c + $(OPENSSL_PATH)/crypto/bn/bn_add.c + $(OPENSSL_PATH)/crypto/bn/bn_asm.c + $(OPENSSL_PATH)/crypto/bn/bn_blind.c + $(OPENSSL_PATH)/crypto/bn/bn_const.c + $(OPENSSL_PATH)/crypto/bn/bn_ctx.c + $(OPENSSL_PATH)/crypto/bn/bn_depr.c + $(OPENSSL_PATH)/crypto/bn/bn_dh.c + $(OPENSSL_PATH)/crypto/bn/bn_div.c + $(OPENSSL_PATH)/crypto/bn/bn_err.c + $(OPENSSL_PATH)/crypto/bn/bn_exp.c + $(OPENSSL_PATH)/crypto/bn/bn_exp2.c + $(OPENSSL_PATH)/crypto/bn/bn_gcd.c + $(OPENSSL_PATH)/crypto/bn/bn_gf2m.c + $(OPENSSL_PATH)/crypto/bn/bn_intern.c + $(OPENSSL_PATH)/crypto/bn/bn_kron.c + $(OPENSSL_PATH)/crypto/bn/bn_lib.c + $(OPENSSL_PATH)/crypto/bn/bn_mod.c + $(OPENSSL_PATH)/crypto/bn/bn_mont.c + $(OPENSSL_PATH)/crypto/bn/bn_mpi.c + $(OPENSSL_PATH)/crypto/bn/bn_mul.c + $(OPENSSL_PATH)/crypto/bn/bn_nist.c + $(OPENSSL_PATH)/crypto/bn/bn_prime.c + $(OPENSSL_PATH)/crypto/bn/bn_print.c + $(OPENSSL_PATH)/crypto/bn/bn_rand.c + $(OPENSSL_PATH)/crypto/bn/bn_recp.c + $(OPENSSL_PATH)/crypto/bn/bn_shift.c + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c + $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c + $(OPENSSL_PATH)/crypto/bn/bn_srp.c + $(OPENSSL_PATH)/crypto/bn/bn_word.c + $(OPENSSL_PATH)/crypto/bn/bn_x931p.c + $(OPENSSL_PATH)/crypto/buffer/buf_err.c + $(OPENSSL_PATH)/crypto/buffer/buffer.c + $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c + $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c + $(OPENSSL_PATH)/crypto/cmac/cmac.c + $(OPENSSL_PATH)/crypto/comp/c_zlib.c + $(OPENSSL_PATH)/crypto/comp/comp_err.c + $(OPENSSL_PATH)/crypto/comp/comp_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_api.c + $(OPENSSL_PATH)/crypto/conf/conf_def.c + $(OPENSSL_PATH)/crypto/conf/conf_err.c + $(OPENSSL_PATH)/crypto/conf/conf_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_mall.c + $(OPENSSL_PATH)/crypto/conf/conf_mod.c + $(OPENSSL_PATH)/crypto/conf/conf_sap.c + $(OPENSSL_PATH)/crypto/conf/conf_ssl.c + $(OPENSSL_PATH)/crypto/cpt_err.c + $(OPENSSL_PATH)/crypto/cryptlib.c + $(OPENSSL_PATH)/crypto/ctype.c + $(OPENSSL_PATH)/crypto/cversion.c + $(OPENSSL_PATH)/crypto/dh/dh_ameth.c + $(OPENSSL_PATH)/crypto/dh/dh_asn1.c + $(OPENSSL_PATH)/crypto/dh/dh_check.c + $(OPENSSL_PATH)/crypto/dh/dh_depr.c + $(OPENSSL_PATH)/crypto/dh/dh_err.c + $(OPENSSL_PATH)/crypto/dh/dh_gen.c + $(OPENSSL_PATH)/crypto/dh/dh_kdf.c + $(OPENSSL_PATH)/crypto/dh/dh_key.c + $(OPENSSL_PATH)/crypto/dh/dh_lib.c + $(OPENSSL_PATH)/crypto/dh/dh_meth.c + $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c + $(OPENSSL_PATH)/crypto/dh/dh_prn.c + $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c + $(OPENSSL_PATH)/crypto/dso/dso_dl.c + $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c + $(OPENSSL_PATH)/crypto/dso/dso_err.c + $(OPENSSL_PATH)/crypto/dso/dso_lib.c + $(OPENSSL_PATH)/crypto/dso/dso_openssl.c + $(OPENSSL_PATH)/crypto/dso/dso_vms.c + $(OPENSSL_PATH)/crypto/dso/dso_win32.c + $(OPENSSL_PATH)/crypto/ebcdic.c + $(OPENSSL_PATH)/crypto/err/err.c + $(OPENSSL_PATH)/crypto/err/err_prn.c + $(OPENSSL_PATH)/crypto/evp/bio_b64.c + $(OPENSSL_PATH)/crypto/evp/bio_enc.c + $(OPENSSL_PATH)/crypto/evp/bio_md.c + $(OPENSSL_PATH)/crypto/evp/bio_ok.c + $(OPENSSL_PATH)/crypto/evp/c_allc.c + $(OPENSSL_PATH)/crypto/evp/c_alld.c + $(OPENSSL_PATH)/crypto/evp/cmeth_lib.c + $(OPENSSL_PATH)/crypto/evp/digest.c + $(OPENSSL_PATH)/crypto/evp/e_aes.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c + $(OPENSSL_PATH)/crypto/evp/e_aria.c + $(OPENSSL_PATH)/crypto/evp/e_bf.c + $(OPENSSL_PATH)/crypto/evp/e_camellia.c + $(OPENSSL_PATH)/crypto/evp/e_cast.c + $(OPENSSL_PATH)/crypto/evp/e_chacha20_poly1305.c + $(OPENSSL_PATH)/crypto/evp/e_des.c + $(OPENSSL_PATH)/crypto/evp/e_des3.c + $(OPENSSL_PATH)/crypto/evp/e_idea.c + $(OPENSSL_PATH)/crypto/evp/e_null.c + $(OPENSSL_PATH)/crypto/evp/e_old.c + $(OPENSSL_PATH)/crypto/evp/e_rc2.c + $(OPENSSL_PATH)/crypto/evp/e_rc4.c + $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c + $(OPENSSL_PATH)/crypto/evp/e_rc5.c + $(OPENSSL_PATH)/crypto/evp/e_seed.c + $(OPENSSL_PATH)/crypto/evp/e_sm4.c + $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c + $(OPENSSL_PATH)/crypto/evp/encode.c + $(OPENSSL_PATH)/crypto/evp/evp_cnf.c + $(OPENSSL_PATH)/crypto/evp/evp_enc.c + $(OPENSSL_PATH)/crypto/evp/evp_err.c + $(OPENSSL_PATH)/crypto/evp/evp_key.c + $(OPENSSL_PATH)/crypto/evp/evp_lib.c + $(OPENSSL_PATH)/crypto/evp/evp_pbe.c + $(OPENSSL_PATH)/crypto/evp/evp_pkey.c + $(OPENSSL_PATH)/crypto/evp/m_md2.c + $(OPENSSL_PATH)/crypto/evp/m_md4.c + $(OPENSSL_PATH)/crypto/evp/m_md5.c + $(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c + $(OPENSSL_PATH)/crypto/evp/m_mdc2.c + $(OPENSSL_PATH)/crypto/evp/m_null.c + $(OPENSSL_PATH)/crypto/evp/m_ripemd.c + $(OPENSSL_PATH)/crypto/evp/m_sha1.c + $(OPENSSL_PATH)/crypto/evp/m_sha3.c + $(OPENSSL_PATH)/crypto/evp/m_sigver.c + $(OPENSSL_PATH)/crypto/evp/m_wp.c + $(OPENSSL_PATH)/crypto/evp/names.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt2.c + $(OPENSSL_PATH)/crypto/evp/p_dec.c + $(OPENSSL_PATH)/crypto/evp/p_enc.c + $(OPENSSL_PATH)/crypto/evp/p_lib.c + $(OPENSSL_PATH)/crypto/evp/p_open.c + $(OPENSSL_PATH)/crypto/evp/p_seal.c + $(OPENSSL_PATH)/crypto/evp/p_sign.c + $(OPENSSL_PATH)/crypto/evp/p_verify.c + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c + $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c + $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c + $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c + $(OPENSSL_PATH)/crypto/ex_data.c + $(OPENSSL_PATH)/crypto/getenv.c + $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c + $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c + $(OPENSSL_PATH)/crypto/hmac/hmac.c + $(OPENSSL_PATH)/crypto/init.c + $(OPENSSL_PATH)/crypto/kdf/hkdf.c + $(OPENSSL_PATH)/crypto/kdf/kdf_err.c + $(OPENSSL_PATH)/crypto/kdf/scrypt.c + $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c + $(OPENSSL_PATH)/crypto/lhash/lh_stats.c + $(OPENSSL_PATH)/crypto/lhash/lhash.c + $(OPENSSL_PATH)/crypto/md5/md5_dgst.c + $(OPENSSL_PATH)/crypto/md5/md5_one.c + $(OPENSSL_PATH)/crypto/mem.c + $(OPENSSL_PATH)/crypto/mem_clr.c + $(OPENSSL_PATH)/crypto/mem_dbg.c + $(OPENSSL_PATH)/crypto/mem_sec.c + $(OPENSSL_PATH)/crypto/modes/cbc128.c + $(OPENSSL_PATH)/crypto/modes/ccm128.c + $(OPENSSL_PATH)/crypto/modes/cfb128.c + $(OPENSSL_PATH)/crypto/modes/ctr128.c + $(OPENSSL_PATH)/crypto/modes/cts128.c + $(OPENSSL_PATH)/crypto/modes/gcm128.c + $(OPENSSL_PATH)/crypto/modes/ocb128.c + $(OPENSSL_PATH)/crypto/modes/ofb128.c + $(OPENSSL_PATH)/crypto/modes/wrap128.c + $(OPENSSL_PATH)/crypto/modes/xts128.c + $(OPENSSL_PATH)/crypto/o_dir.c + $(OPENSSL_PATH)/crypto/o_fips.c + $(OPENSSL_PATH)/crypto/o_fopen.c + $(OPENSSL_PATH)/crypto/o_init.c + $(OPENSSL_PATH)/crypto/o_str.c + $(OPENSSL_PATH)/crypto/o_time.c + $(OPENSSL_PATH)/crypto/objects/o_names.c + $(OPENSSL_PATH)/crypto/objects/obj_dat.c + $(OPENSSL_PATH)/crypto/objects/obj_err.c + $(OPENSSL_PATH)/crypto/objects/obj_lib.c + $(OPENSSL_PATH)/crypto/objects/obj_xref.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c + $(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c + $(OPENSSL_PATH)/crypto/pem/pem_all.c + $(OPENSSL_PATH)/crypto/pem/pem_err.c + $(OPENSSL_PATH)/crypto/pem/pem_info.c + $(OPENSSL_PATH)/crypto/pem/pem_lib.c + $(OPENSSL_PATH)/crypto/pem/pem_oth.c + $(OPENSSL_PATH)/crypto/pem/pem_pk8.c + $(OPENSSL_PATH)/crypto/pem/pem_pkey.c + $(OPENSSL_PATH)/crypto/pem/pem_sign.c + $(OPENSSL_PATH)/crypto/pem/pem_x509.c + $(OPENSSL_PATH)/crypto/pem/pem_xaux.c + $(OPENSSL_PATH)/crypto/pem/pvkfmt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_add.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crpt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_init.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_key.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c + $(OPENSSL_PATH)/crypto/pkcs12/pk12err.c + $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_doit.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c + $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c + $(OPENSSL_PATH)/crypto/rand/rand_egd.c + $(OPENSSL_PATH)/crypto/rand/rand_err.c + $(OPENSSL_PATH)/crypto/rand/rand_lib.c + $(OPENSSL_PATH)/crypto/rand/rand_unix.c + $(OPENSSL_PATH)/crypto/rand/rand_vms.c + $(OPENSSL_PATH)/crypto/rand/rand_win.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c + $(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c + $(OPENSSL_PATH)/crypto/rsa/rsa_depr.c + $(OPENSSL_PATH)/crypto/rsa/rsa_err.c + $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c + $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c + $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c + $(OPENSSL_PATH)/crypto/rsa/rsa_none.c + $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_prn.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pss.c + $(OPENSSL_PATH)/crypto/rsa/rsa_saos.c + $(OPENSSL_PATH)/crypto/rsa/rsa_sign.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c + $(OPENSSL_PATH)/crypto/sha/keccak1600.c + $(OPENSSL_PATH)/crypto/sha/sha1_one.c + $(OPENSSL_PATH)/crypto/sha/sha1dgst.c + $(OPENSSL_PATH)/crypto/sha/sha256.c + $(OPENSSL_PATH)/crypto/sha/sha512.c + $(OPENSSL_PATH)/crypto/siphash/siphash.c + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c + $(OPENSSL_PATH)/crypto/sm3/sm3.c + $(OPENSSL_PATH)/crypto/sm4/sm4.c + $(OPENSSL_PATH)/crypto/stack/stack.c + $(OPENSSL_PATH)/crypto/threads_none.c + $(OPENSSL_PATH)/crypto/threads_pthread.c + $(OPENSSL_PATH)/crypto/threads_win.c + $(OPENSSL_PATH)/crypto/txt_db/txt_db.c + $(OPENSSL_PATH)/crypto/ui/ui_err.c + $(OPENSSL_PATH)/crypto/ui/ui_lib.c + $(OPENSSL_PATH)/crypto/ui/ui_null.c + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c + $(OPENSSL_PATH)/crypto/ui/ui_util.c + $(OPENSSL_PATH)/crypto/uid.c + $(OPENSSL_PATH)/crypto/x509/by_dir.c + $(OPENSSL_PATH)/crypto/x509/by_file.c + $(OPENSSL_PATH)/crypto/x509/t_crl.c + $(OPENSSL_PATH)/crypto/x509/t_req.c + $(OPENSSL_PATH)/crypto/x509/t_x509.c + $(OPENSSL_PATH)/crypto/x509/x509_att.c + $(OPENSSL_PATH)/crypto/x509/x509_cmp.c + $(OPENSSL_PATH)/crypto/x509/x509_d2.c + $(OPENSSL_PATH)/crypto/x509/x509_def.c + $(OPENSSL_PATH)/crypto/x509/x509_err.c + $(OPENSSL_PATH)/crypto/x509/x509_ext.c + $(OPENSSL_PATH)/crypto/x509/x509_lu.c + $(OPENSSL_PATH)/crypto/x509/x509_meth.c + $(OPENSSL_PATH)/crypto/x509/x509_obj.c + $(OPENSSL_PATH)/crypto/x509/x509_r2x.c + $(OPENSSL_PATH)/crypto/x509/x509_req.c + $(OPENSSL_PATH)/crypto/x509/x509_set.c + $(OPENSSL_PATH)/crypto/x509/x509_trs.c + $(OPENSSL_PATH)/crypto/x509/x509_txt.c + $(OPENSSL_PATH)/crypto/x509/x509_v3.c + $(OPENSSL_PATH)/crypto/x509/x509_vfy.c + $(OPENSSL_PATH)/crypto/x509/x509_vpm.c + $(OPENSSL_PATH)/crypto/x509/x509cset.c + $(OPENSSL_PATH)/crypto/x509/x509name.c + $(OPENSSL_PATH)/crypto/x509/x509rset.c + $(OPENSSL_PATH)/crypto/x509/x509spki.c + $(OPENSSL_PATH)/crypto/x509/x509type.c + $(OPENSSL_PATH)/crypto/x509/x_all.c + $(OPENSSL_PATH)/crypto/x509/x_attrib.c + $(OPENSSL_PATH)/crypto/x509/x_crl.c + $(OPENSSL_PATH)/crypto/x509/x_exten.c + $(OPENSSL_PATH)/crypto/x509/x_name.c + $(OPENSSL_PATH)/crypto/x509/x_pubkey.c + $(OPENSSL_PATH)/crypto/x509/x_req.c + $(OPENSSL_PATH)/crypto/x509/x_x509.c + $(OPENSSL_PATH)/crypto/x509/x_x509a.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_data.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_map.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c + $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c + $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c + $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c + $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c + $(OPENSSL_PATH)/crypto/x509v3/v3_asid.c + $(OPENSSL_PATH)/crypto/x509v3/v3_bcons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_bitst.c + $(OPENSSL_PATH)/crypto/x509v3/v3_conf.c + $(OPENSSL_PATH)/crypto/x509v3/v3_cpols.c + $(OPENSSL_PATH)/crypto/x509v3/v3_crld.c + $(OPENSSL_PATH)/crypto/x509v3/v3_enum.c + $(OPENSSL_PATH)/crypto/x509v3/v3_extku.c + $(OPENSSL_PATH)/crypto/x509v3/v3_genn.c + $(OPENSSL_PATH)/crypto/x509v3/v3_ia5.c + $(OPENSSL_PATH)/crypto/x509v3/v3_info.c + $(OPENSSL_PATH)/crypto/x509v3/v3_int.c + $(OPENSSL_PATH)/crypto/x509v3/v3_lib.c + $(OPENSSL_PATH)/crypto/x509v3/v3_ncons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pci.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pcia.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pcons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pku.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pmaps.c + $(OPENSSL_PATH)/crypto/x509v3/v3_prn.c + $(OPENSSL_PATH)/crypto/x509v3/v3_purp.c + $(OPENSSL_PATH)/crypto/x509v3/v3_skey.c + $(OPENSSL_PATH)/crypto/x509v3/v3_sxnet.c + $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c + $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c + $(OPENSSL_PATH)/crypto/x509v3/v3err.c + $(OPENSSL_PATH)/crypto/arm_arch.h + $(OPENSSL_PATH)/crypto/mips_arch.h + $(OPENSSL_PATH)/crypto/ppc_arch.h + $(OPENSSL_PATH)/crypto/s390x_arch.h + $(OPENSSL_PATH)/crypto/sparc_arch.h + $(OPENSSL_PATH)/crypto/vms_rms.h + $(OPENSSL_PATH)/crypto/aes/aes_local.h + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h + $(OPENSSL_PATH)/crypto/asn1/asn1_local.h + $(OPENSSL_PATH)/crypto/asn1/charmap.h + $(OPENSSL_PATH)/crypto/asn1/standard_methods.h + $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h + $(OPENSSL_PATH)/crypto/async/async_local.h + $(OPENSSL_PATH)/crypto/async/arch/async_null.h + $(OPENSSL_PATH)/crypto/async/arch/async_posix.h + $(OPENSSL_PATH)/crypto/async/arch/async_win.h + $(OPENSSL_PATH)/crypto/bio/bio_local.h + $(OPENSSL_PATH)/crypto/bn/bn_local.h + $(OPENSSL_PATH)/crypto/bn/bn_prime.h + $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h + $(OPENSSL_PATH)/crypto/comp/comp_local.h + $(OPENSSL_PATH)/crypto/conf/conf_def.h + $(OPENSSL_PATH)/crypto/conf/conf_local.h + $(OPENSSL_PATH)/crypto/dh/dh_local.h + $(OPENSSL_PATH)/crypto/dso/dso_local.h + $(OPENSSL_PATH)/crypto/evp/evp_local.h + $(OPENSSL_PATH)/crypto/hmac/hmac_local.h + $(OPENSSL_PATH)/crypto/lhash/lhash_local.h + $(OPENSSL_PATH)/crypto/md5/md5_local.h + $(OPENSSL_PATH)/crypto/modes/modes_local.h + $(OPENSSL_PATH)/crypto/objects/obj_dat.h + $(OPENSSL_PATH)/crypto/objects/obj_local.h + $(OPENSSL_PATH)/crypto/objects/obj_xref.h + $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h + $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h + $(OPENSSL_PATH)/crypto/rand/rand_local.h + $(OPENSSL_PATH)/crypto/rsa/rsa_local.h + $(OPENSSL_PATH)/crypto/sha/sha_local.h + $(OPENSSL_PATH)/crypto/siphash/siphash_local.h + $(OPENSSL_PATH)/crypto/sm3/sm3_local.h + $(OPENSSL_PATH)/crypto/store/store_local.h + $(OPENSSL_PATH)/crypto/ui/ui_local.h + $(OPENSSL_PATH)/crypto/x509/x509_local.h + $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h + $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h + $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h + $(OPENSSL_PATH)/ssl/bio_ssl.c + $(OPENSSL_PATH)/ssl/d1_lib.c + $(OPENSSL_PATH)/ssl/d1_msg.c + $(OPENSSL_PATH)/ssl/d1_srtp.c + $(OPENSSL_PATH)/ssl/methods.c + $(OPENSSL_PATH)/ssl/packet.c + $(OPENSSL_PATH)/ssl/pqueue.c + $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c + $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c + $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c + $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c + $(OPENSSL_PATH)/ssl/record/ssl3_record.c + $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c + $(OPENSSL_PATH)/ssl/s3_cbc.c + $(OPENSSL_PATH)/ssl/s3_enc.c + $(OPENSSL_PATH)/ssl/s3_lib.c + $(OPENSSL_PATH)/ssl/s3_msg.c + $(OPENSSL_PATH)/ssl/ssl_asn1.c + $(OPENSSL_PATH)/ssl/ssl_cert.c + $(OPENSSL_PATH)/ssl/ssl_ciph.c + $(OPENSSL_PATH)/ssl/ssl_conf.c + $(OPENSSL_PATH)/ssl/ssl_err.c + $(OPENSSL_PATH)/ssl/ssl_init.c + $(OPENSSL_PATH)/ssl/ssl_lib.c + $(OPENSSL_PATH)/ssl/ssl_mcnf.c + $(OPENSSL_PATH)/ssl/ssl_rsa.c + $(OPENSSL_PATH)/ssl/ssl_sess.c + $(OPENSSL_PATH)/ssl/ssl_stat.c + $(OPENSSL_PATH)/ssl/ssl_txt.c + $(OPENSSL_PATH)/ssl/ssl_utst.c + $(OPENSSL_PATH)/ssl/statem/extensions.c + $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c + $(OPENSSL_PATH)/ssl/statem/extensions_cust.c + $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c + $(OPENSSL_PATH)/ssl/statem/statem.c + $(OPENSSL_PATH)/ssl/statem/statem_clnt.c + $(OPENSSL_PATH)/ssl/statem/statem_dtls.c + $(OPENSSL_PATH)/ssl/statem/statem_lib.c + $(OPENSSL_PATH)/ssl/statem/statem_srvr.c + $(OPENSSL_PATH)/ssl/t1_enc.c + $(OPENSSL_PATH)/ssl/t1_lib.c + $(OPENSSL_PATH)/ssl/t1_trce.c + $(OPENSSL_PATH)/ssl/tls13_enc.c + $(OPENSSL_PATH)/ssl/tls_srp.c + $(OPENSSL_PATH)/ssl/packet_local.h + $(OPENSSL_PATH)/ssl/ssl_cert_table.h + $(OPENSSL_PATH)/ssl/ssl_local.h + $(OPENSSL_PATH)/ssl/record/record.h + $(OPENSSL_PATH)/ssl/record/record_local.h + $(OPENSSL_PATH)/ssl/statem/statem.h + $(OPENSSL_PATH)/ssl/statem/statem_local.h +# Autogenerated files list ends here + buildinf.h + ossl_store.c + rand_pool.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + RngLib + PrintLib + +[LibraryClasses.ARM] + ArmSoftFloatLib + +[BuildOptions] + # + # Disables the following Visual Studio compiler warnings brought by openssl source, + # so we do not break the build with /WX option: + # C4090: 'function' : different 'const' qualifiers + # C4132: 'object' : const object should be initialized (tls13_enc.c) + # C4244: conversion from type1 to type2, possible loss of data + # C4245: conversion from type1 to type2, signed/unsigned mismatch + # C4267: conversion from size_t to type, possible loss of data + # C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size + # C4310: cast truncates constant value + # C4389: 'operator' : signed/unsigned mismatch (xxxx) + # C4700: uninitialized local variable 'name' used. (conf_sap.c(71)) + # C4702: unreachable code + # C4706: assignment within conditional expression + # C4819: The file contains a character that cannot be represented in the current code page + # + MSFT:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4310 /wd4389 /wd4700 /wd4702 /wd4706 /wd4819 + MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819 + + INTEL:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w + INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w + + # + # Suppress the following build warnings in openssl so we don't break the build with -Werror + # -Werror=maybe-uninitialized: there exist some other paths for which the variable is not initialized. + # -Werror=format: Check calls to printf and scanf, etc., to make sure that the arguments supplied have + # types appropriate to the format string specified. + # -Werror=unused-but-set-variable: Warn whenever a local variable is assigned to, but otherwise unused (aside from its declaration). + # + GCC:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable + GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -DNO_MSABI_VA_FUNCS + GCC:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable + GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_*_RISCV64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized -Wno-error=incompatible-pointer-types -Wno-error=pointer-sign -Wno-error=implicit-function-declaration -Wno-error=ignored-pragma-optimize + + # suppress the following warnings in openssl so we don't break the build with warnings-as-errors: + # 1295: Deprecated declaration - give arg types + # 550: was set but never used + # 1293: assignment in condition + # 111: statement is unreachable (invariably "break;" after "return X;" in case statement) + # 68: integer conversion resulted in a change of sign ("if (Status == -1)") + # 177: was declared but never referenced + # 223: function declared implicitly + # 144: a value of type cannot be used to initialize an entity of type + # 513: a value of type cannot be assigned to an entity of type + # 188: enumerated type mixed with another type (i.e. passing an integer as an enum without a cast) + # 1296: Extended constant initialiser used + # 128: loop is not reachable - may be emitted inappropriately if code follows a conditional return + # from the function that evaluates to true at compile time + # 546: transfer of control bypasses initialization - may be emitted inappropriately if the uninitialized + # variable is never referenced after the jump + # 1: ignore "#1-D: last line of file ends without a newline" + # 3017: may be used before being set (NOTE: This was fixed in OpenSSL 1.1 HEAD with + # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.) + RVCT:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) --library_interface=aeabi_clib99 --diag_suppress=1296,1295,550,1293,111,68,177,223,144,513,188,128,546,1,3017 -JCryptoPkg/Include + XCODE:*_*_IA32_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -w -std=c99 -Wno-error=uninitialized + XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -w -std=c99 -Wno-error=uninitialized + + # + # AARCH64 uses strict alignment and avoids SIMD registers for code that may execute + # with the MMU off. This involves SEC, PEI_CORE and PEIM modules as well as BASE + # libraries, given that they may be included into such modules. + # This library, even though of the BASE type, is never used in such cases, and + # avoiding the SIMD register file (which is shared with the FPU) prevents the + # compiler from successfully building some of the OpenSSL source files that + # use floating point types, so clear the flags here. + # + GCC:*_*_AARCH64_CC_XIPFLAGS == diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.uni new file mode 100644 index 00000000..abaff8a3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLib.uni @@ -0,0 +1,16 @@ +// /** @file +// This module provides openSSL Library implementation. +// +// This module provides OpenSSL Library implementation. +// +// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library implementation" + +#string STR_MODULE_DESCRIPTION #language en-US "This module provides OpenSSL Library implementation." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf new file mode 100644 index 00000000..1b1d46b0 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf @@ -0,0 +1,610 @@ +## @file +# This module provides OpenSSL Library implementation. +# +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+# (C) Copyright 2020 Hewlett Packard Enterprise Development LP
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OpensslLibCrypto + MODULE_UNI_FILE = OpensslLibCrypto.uni + FILE_GUID = E29FC209-8B64-4500-BD20-AF4EAE47EA0E + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = OpensslLib + DEFINE OPENSSL_PATH = openssl + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE + +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 +# + +[Sources] + $(OPENSSL_PATH)/e_os.h + $(OPENSSL_PATH)/ms/uplink.h +# Autogenerated files list starts here + $(OPENSSL_PATH)/crypto/aes/aes_cbc.c + $(OPENSSL_PATH)/crypto/aes/aes_cfb.c + $(OPENSSL_PATH)/crypto/aes/aes_core.c + $(OPENSSL_PATH)/crypto/aes/aes_ige.c + $(OPENSSL_PATH)/crypto/aes/aes_misc.c + $(OPENSSL_PATH)/crypto/aes/aes_ofb.c + $(OPENSSL_PATH)/crypto/aes/aes_wrap.c + $(OPENSSL_PATH)/crypto/aria/aria.c + $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c + $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_digest.c + $(OPENSSL_PATH)/crypto/asn1/a_dup.c + $(OPENSSL_PATH)/crypto/asn1/a_gentm.c + $(OPENSSL_PATH)/crypto/asn1/a_i2d_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_int.c + $(OPENSSL_PATH)/crypto/asn1/a_mbstr.c + $(OPENSSL_PATH)/crypto/asn1/a_object.c + $(OPENSSL_PATH)/crypto/asn1/a_octet.c + $(OPENSSL_PATH)/crypto/asn1/a_print.c + $(OPENSSL_PATH)/crypto/asn1/a_sign.c + $(OPENSSL_PATH)/crypto/asn1/a_strex.c + $(OPENSSL_PATH)/crypto/asn1/a_strnid.c + $(OPENSSL_PATH)/crypto/asn1/a_time.c + $(OPENSSL_PATH)/crypto/asn1/a_type.c + $(OPENSSL_PATH)/crypto/asn1/a_utctm.c + $(OPENSSL_PATH)/crypto/asn1/a_utf8.c + $(OPENSSL_PATH)/crypto/asn1/a_verify.c + $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_err.c + $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c + $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_par.c + $(OPENSSL_PATH)/crypto/asn1/asn_mime.c + $(OPENSSL_PATH)/crypto/asn1/asn_moid.c + $(OPENSSL_PATH)/crypto/asn1/asn_mstbl.c + $(OPENSSL_PATH)/crypto/asn1/asn_pack.c + $(OPENSSL_PATH)/crypto/asn1/bio_asn1.c + $(OPENSSL_PATH)/crypto/asn1/bio_ndef.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pr.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pu.c + $(OPENSSL_PATH)/crypto/asn1/evp_asn1.c + $(OPENSSL_PATH)/crypto/asn1/f_int.c + $(OPENSSL_PATH)/crypto/asn1/f_string.c + $(OPENSSL_PATH)/crypto/asn1/i2d_pr.c + $(OPENSSL_PATH)/crypto/asn1/i2d_pu.c + $(OPENSSL_PATH)/crypto/asn1/n_pkey.c + $(OPENSSL_PATH)/crypto/asn1/nsseq.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbe.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c + $(OPENSSL_PATH)/crypto/asn1/p5_scrypt.c + $(OPENSSL_PATH)/crypto/asn1/p8_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_bitst.c + $(OPENSSL_PATH)/crypto/asn1/t_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_spki.c + $(OPENSSL_PATH)/crypto/asn1/tasn_dec.c + $(OPENSSL_PATH)/crypto/asn1/tasn_enc.c + $(OPENSSL_PATH)/crypto/asn1/tasn_fre.c + $(OPENSSL_PATH)/crypto/asn1/tasn_new.c + $(OPENSSL_PATH)/crypto/asn1/tasn_prn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_scn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_typ.c + $(OPENSSL_PATH)/crypto/asn1/tasn_utl.c + $(OPENSSL_PATH)/crypto/asn1/x_algor.c + $(OPENSSL_PATH)/crypto/asn1/x_bignum.c + $(OPENSSL_PATH)/crypto/asn1/x_info.c + $(OPENSSL_PATH)/crypto/asn1/x_int64.c + $(OPENSSL_PATH)/crypto/asn1/x_long.c + $(OPENSSL_PATH)/crypto/asn1/x_pkey.c + $(OPENSSL_PATH)/crypto/asn1/x_sig.c + $(OPENSSL_PATH)/crypto/asn1/x_spki.c + $(OPENSSL_PATH)/crypto/asn1/x_val.c + $(OPENSSL_PATH)/crypto/async/arch/async_null.c + $(OPENSSL_PATH)/crypto/async/arch/async_posix.c + $(OPENSSL_PATH)/crypto/async/arch/async_win.c + $(OPENSSL_PATH)/crypto/async/async.c + $(OPENSSL_PATH)/crypto/async/async_err.c + $(OPENSSL_PATH)/crypto/async/async_wait.c + $(OPENSSL_PATH)/crypto/bio/b_addr.c + $(OPENSSL_PATH)/crypto/bio/b_dump.c + $(OPENSSL_PATH)/crypto/bio/b_sock.c + $(OPENSSL_PATH)/crypto/bio/b_sock2.c + $(OPENSSL_PATH)/crypto/bio/bf_buff.c + $(OPENSSL_PATH)/crypto/bio/bf_lbuf.c + $(OPENSSL_PATH)/crypto/bio/bf_nbio.c + $(OPENSSL_PATH)/crypto/bio/bf_null.c + $(OPENSSL_PATH)/crypto/bio/bio_cb.c + $(OPENSSL_PATH)/crypto/bio/bio_err.c + $(OPENSSL_PATH)/crypto/bio/bio_lib.c + $(OPENSSL_PATH)/crypto/bio/bio_meth.c + $(OPENSSL_PATH)/crypto/bio/bss_acpt.c + $(OPENSSL_PATH)/crypto/bio/bss_bio.c + $(OPENSSL_PATH)/crypto/bio/bss_conn.c + $(OPENSSL_PATH)/crypto/bio/bss_dgram.c + $(OPENSSL_PATH)/crypto/bio/bss_fd.c + $(OPENSSL_PATH)/crypto/bio/bss_file.c + $(OPENSSL_PATH)/crypto/bio/bss_log.c + $(OPENSSL_PATH)/crypto/bio/bss_mem.c + $(OPENSSL_PATH)/crypto/bio/bss_null.c + $(OPENSSL_PATH)/crypto/bio/bss_sock.c + $(OPENSSL_PATH)/crypto/bn/bn_add.c + $(OPENSSL_PATH)/crypto/bn/bn_asm.c + $(OPENSSL_PATH)/crypto/bn/bn_blind.c + $(OPENSSL_PATH)/crypto/bn/bn_const.c + $(OPENSSL_PATH)/crypto/bn/bn_ctx.c + $(OPENSSL_PATH)/crypto/bn/bn_depr.c + $(OPENSSL_PATH)/crypto/bn/bn_dh.c + $(OPENSSL_PATH)/crypto/bn/bn_div.c + $(OPENSSL_PATH)/crypto/bn/bn_err.c + $(OPENSSL_PATH)/crypto/bn/bn_exp.c + $(OPENSSL_PATH)/crypto/bn/bn_exp2.c + $(OPENSSL_PATH)/crypto/bn/bn_gcd.c + $(OPENSSL_PATH)/crypto/bn/bn_gf2m.c + $(OPENSSL_PATH)/crypto/bn/bn_intern.c + $(OPENSSL_PATH)/crypto/bn/bn_kron.c + $(OPENSSL_PATH)/crypto/bn/bn_lib.c + $(OPENSSL_PATH)/crypto/bn/bn_mod.c + $(OPENSSL_PATH)/crypto/bn/bn_mont.c + $(OPENSSL_PATH)/crypto/bn/bn_mpi.c + $(OPENSSL_PATH)/crypto/bn/bn_mul.c + $(OPENSSL_PATH)/crypto/bn/bn_nist.c + $(OPENSSL_PATH)/crypto/bn/bn_prime.c + $(OPENSSL_PATH)/crypto/bn/bn_print.c + $(OPENSSL_PATH)/crypto/bn/bn_rand.c + $(OPENSSL_PATH)/crypto/bn/bn_recp.c + $(OPENSSL_PATH)/crypto/bn/bn_shift.c + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c + $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c + $(OPENSSL_PATH)/crypto/bn/bn_srp.c + $(OPENSSL_PATH)/crypto/bn/bn_word.c + $(OPENSSL_PATH)/crypto/bn/bn_x931p.c + $(OPENSSL_PATH)/crypto/buffer/buf_err.c + $(OPENSSL_PATH)/crypto/buffer/buffer.c + $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c + $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c + $(OPENSSL_PATH)/crypto/cmac/cmac.c + $(OPENSSL_PATH)/crypto/comp/c_zlib.c + $(OPENSSL_PATH)/crypto/comp/comp_err.c + $(OPENSSL_PATH)/crypto/comp/comp_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_api.c + $(OPENSSL_PATH)/crypto/conf/conf_def.c + $(OPENSSL_PATH)/crypto/conf/conf_err.c + $(OPENSSL_PATH)/crypto/conf/conf_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_mall.c + $(OPENSSL_PATH)/crypto/conf/conf_mod.c + $(OPENSSL_PATH)/crypto/conf/conf_sap.c + $(OPENSSL_PATH)/crypto/conf/conf_ssl.c + $(OPENSSL_PATH)/crypto/cpt_err.c + $(OPENSSL_PATH)/crypto/cryptlib.c + $(OPENSSL_PATH)/crypto/ctype.c + $(OPENSSL_PATH)/crypto/cversion.c + $(OPENSSL_PATH)/crypto/dh/dh_ameth.c + $(OPENSSL_PATH)/crypto/dh/dh_asn1.c + $(OPENSSL_PATH)/crypto/dh/dh_check.c + $(OPENSSL_PATH)/crypto/dh/dh_depr.c + $(OPENSSL_PATH)/crypto/dh/dh_err.c + $(OPENSSL_PATH)/crypto/dh/dh_gen.c + $(OPENSSL_PATH)/crypto/dh/dh_kdf.c + $(OPENSSL_PATH)/crypto/dh/dh_key.c + $(OPENSSL_PATH)/crypto/dh/dh_lib.c + $(OPENSSL_PATH)/crypto/dh/dh_meth.c + $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c + $(OPENSSL_PATH)/crypto/dh/dh_prn.c + $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c + $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c + $(OPENSSL_PATH)/crypto/dso/dso_dl.c + $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c + $(OPENSSL_PATH)/crypto/dso/dso_err.c + $(OPENSSL_PATH)/crypto/dso/dso_lib.c + $(OPENSSL_PATH)/crypto/dso/dso_openssl.c + $(OPENSSL_PATH)/crypto/dso/dso_vms.c + $(OPENSSL_PATH)/crypto/dso/dso_win32.c + $(OPENSSL_PATH)/crypto/ebcdic.c + $(OPENSSL_PATH)/crypto/err/err.c + $(OPENSSL_PATH)/crypto/err/err_prn.c + $(OPENSSL_PATH)/crypto/evp/bio_b64.c + $(OPENSSL_PATH)/crypto/evp/bio_enc.c + $(OPENSSL_PATH)/crypto/evp/bio_md.c + $(OPENSSL_PATH)/crypto/evp/bio_ok.c + $(OPENSSL_PATH)/crypto/evp/c_allc.c + $(OPENSSL_PATH)/crypto/evp/c_alld.c + $(OPENSSL_PATH)/crypto/evp/cmeth_lib.c + $(OPENSSL_PATH)/crypto/evp/digest.c + $(OPENSSL_PATH)/crypto/evp/e_aes.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c + $(OPENSSL_PATH)/crypto/evp/e_aria.c + $(OPENSSL_PATH)/crypto/evp/e_bf.c + $(OPENSSL_PATH)/crypto/evp/e_camellia.c + $(OPENSSL_PATH)/crypto/evp/e_cast.c + $(OPENSSL_PATH)/crypto/evp/e_chacha20_poly1305.c + $(OPENSSL_PATH)/crypto/evp/e_des.c + $(OPENSSL_PATH)/crypto/evp/e_des3.c + $(OPENSSL_PATH)/crypto/evp/e_idea.c + $(OPENSSL_PATH)/crypto/evp/e_null.c + $(OPENSSL_PATH)/crypto/evp/e_old.c + $(OPENSSL_PATH)/crypto/evp/e_rc2.c + $(OPENSSL_PATH)/crypto/evp/e_rc4.c + $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c + $(OPENSSL_PATH)/crypto/evp/e_rc5.c + $(OPENSSL_PATH)/crypto/evp/e_seed.c + $(OPENSSL_PATH)/crypto/evp/e_sm4.c + $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c + $(OPENSSL_PATH)/crypto/evp/encode.c + $(OPENSSL_PATH)/crypto/evp/evp_cnf.c + $(OPENSSL_PATH)/crypto/evp/evp_enc.c + $(OPENSSL_PATH)/crypto/evp/evp_err.c + $(OPENSSL_PATH)/crypto/evp/evp_key.c + $(OPENSSL_PATH)/crypto/evp/evp_lib.c + $(OPENSSL_PATH)/crypto/evp/evp_pbe.c + $(OPENSSL_PATH)/crypto/evp/evp_pkey.c + $(OPENSSL_PATH)/crypto/evp/m_md2.c + $(OPENSSL_PATH)/crypto/evp/m_md4.c + $(OPENSSL_PATH)/crypto/evp/m_md5.c + $(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c + $(OPENSSL_PATH)/crypto/evp/m_mdc2.c + $(OPENSSL_PATH)/crypto/evp/m_null.c + $(OPENSSL_PATH)/crypto/evp/m_ripemd.c + $(OPENSSL_PATH)/crypto/evp/m_sha1.c + $(OPENSSL_PATH)/crypto/evp/m_sha3.c + $(OPENSSL_PATH)/crypto/evp/m_sigver.c + $(OPENSSL_PATH)/crypto/evp/m_wp.c + $(OPENSSL_PATH)/crypto/evp/names.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt2.c + $(OPENSSL_PATH)/crypto/evp/p_dec.c + $(OPENSSL_PATH)/crypto/evp/p_enc.c + $(OPENSSL_PATH)/crypto/evp/p_lib.c + $(OPENSSL_PATH)/crypto/evp/p_open.c + $(OPENSSL_PATH)/crypto/evp/p_seal.c + $(OPENSSL_PATH)/crypto/evp/p_sign.c + $(OPENSSL_PATH)/crypto/evp/p_verify.c + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c + $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c + $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c + $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c + $(OPENSSL_PATH)/crypto/ex_data.c + $(OPENSSL_PATH)/crypto/getenv.c + $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c + $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c + $(OPENSSL_PATH)/crypto/hmac/hmac.c + $(OPENSSL_PATH)/crypto/init.c + $(OPENSSL_PATH)/crypto/kdf/hkdf.c + $(OPENSSL_PATH)/crypto/kdf/kdf_err.c + $(OPENSSL_PATH)/crypto/kdf/scrypt.c + $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c + $(OPENSSL_PATH)/crypto/lhash/lh_stats.c + $(OPENSSL_PATH)/crypto/lhash/lhash.c + $(OPENSSL_PATH)/crypto/md5/md5_dgst.c + $(OPENSSL_PATH)/crypto/md5/md5_one.c + $(OPENSSL_PATH)/crypto/mem.c + $(OPENSSL_PATH)/crypto/mem_clr.c + $(OPENSSL_PATH)/crypto/mem_dbg.c + $(OPENSSL_PATH)/crypto/mem_sec.c + $(OPENSSL_PATH)/crypto/modes/cbc128.c + $(OPENSSL_PATH)/crypto/modes/ccm128.c + $(OPENSSL_PATH)/crypto/modes/cfb128.c + $(OPENSSL_PATH)/crypto/modes/ctr128.c + $(OPENSSL_PATH)/crypto/modes/cts128.c + $(OPENSSL_PATH)/crypto/modes/gcm128.c + $(OPENSSL_PATH)/crypto/modes/ocb128.c + $(OPENSSL_PATH)/crypto/modes/ofb128.c + $(OPENSSL_PATH)/crypto/modes/wrap128.c + $(OPENSSL_PATH)/crypto/modes/xts128.c + $(OPENSSL_PATH)/crypto/o_dir.c + $(OPENSSL_PATH)/crypto/o_fips.c + $(OPENSSL_PATH)/crypto/o_fopen.c + $(OPENSSL_PATH)/crypto/o_init.c + $(OPENSSL_PATH)/crypto/o_str.c + $(OPENSSL_PATH)/crypto/o_time.c + $(OPENSSL_PATH)/crypto/objects/o_names.c + $(OPENSSL_PATH)/crypto/objects/obj_dat.c + $(OPENSSL_PATH)/crypto/objects/obj_err.c + $(OPENSSL_PATH)/crypto/objects/obj_lib.c + $(OPENSSL_PATH)/crypto/objects/obj_xref.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c + $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c + $(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c + $(OPENSSL_PATH)/crypto/pem/pem_all.c + $(OPENSSL_PATH)/crypto/pem/pem_err.c + $(OPENSSL_PATH)/crypto/pem/pem_info.c + $(OPENSSL_PATH)/crypto/pem/pem_lib.c + $(OPENSSL_PATH)/crypto/pem/pem_oth.c + $(OPENSSL_PATH)/crypto/pem/pem_pk8.c + $(OPENSSL_PATH)/crypto/pem/pem_pkey.c + $(OPENSSL_PATH)/crypto/pem/pem_sign.c + $(OPENSSL_PATH)/crypto/pem/pem_x509.c + $(OPENSSL_PATH)/crypto/pem/pem_xaux.c + $(OPENSSL_PATH)/crypto/pem/pvkfmt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_add.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crpt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_init.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_key.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c + $(OPENSSL_PATH)/crypto/pkcs12/pk12err.c + $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_doit.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c + $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c + $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c + $(OPENSSL_PATH)/crypto/rand/drbg_lib.c + $(OPENSSL_PATH)/crypto/rand/rand_egd.c + $(OPENSSL_PATH)/crypto/rand/rand_err.c + $(OPENSSL_PATH)/crypto/rand/rand_lib.c + $(OPENSSL_PATH)/crypto/rand/rand_unix.c + $(OPENSSL_PATH)/crypto/rand/rand_vms.c + $(OPENSSL_PATH)/crypto/rand/rand_win.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c + $(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c + $(OPENSSL_PATH)/crypto/rsa/rsa_depr.c + $(OPENSSL_PATH)/crypto/rsa/rsa_err.c + $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c + $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c + $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c + $(OPENSSL_PATH)/crypto/rsa/rsa_none.c + $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_prn.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pss.c + $(OPENSSL_PATH)/crypto/rsa/rsa_saos.c + $(OPENSSL_PATH)/crypto/rsa/rsa_sign.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c + $(OPENSSL_PATH)/crypto/sha/keccak1600.c + $(OPENSSL_PATH)/crypto/sha/sha1_one.c + $(OPENSSL_PATH)/crypto/sha/sha1dgst.c + $(OPENSSL_PATH)/crypto/sha/sha256.c + $(OPENSSL_PATH)/crypto/sha/sha512.c + $(OPENSSL_PATH)/crypto/siphash/siphash.c + $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c + $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c + $(OPENSSL_PATH)/crypto/sm3/m_sm3.c + $(OPENSSL_PATH)/crypto/sm3/sm3.c + $(OPENSSL_PATH)/crypto/sm4/sm4.c + $(OPENSSL_PATH)/crypto/stack/stack.c + $(OPENSSL_PATH)/crypto/threads_none.c + $(OPENSSL_PATH)/crypto/threads_pthread.c + $(OPENSSL_PATH)/crypto/threads_win.c + $(OPENSSL_PATH)/crypto/txt_db/txt_db.c + $(OPENSSL_PATH)/crypto/ui/ui_err.c + $(OPENSSL_PATH)/crypto/ui/ui_lib.c + $(OPENSSL_PATH)/crypto/ui/ui_null.c + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c + $(OPENSSL_PATH)/crypto/ui/ui_util.c + $(OPENSSL_PATH)/crypto/uid.c + $(OPENSSL_PATH)/crypto/x509/by_dir.c + $(OPENSSL_PATH)/crypto/x509/by_file.c + $(OPENSSL_PATH)/crypto/x509/t_crl.c + $(OPENSSL_PATH)/crypto/x509/t_req.c + $(OPENSSL_PATH)/crypto/x509/t_x509.c + $(OPENSSL_PATH)/crypto/x509/x509_att.c + $(OPENSSL_PATH)/crypto/x509/x509_cmp.c + $(OPENSSL_PATH)/crypto/x509/x509_d2.c + $(OPENSSL_PATH)/crypto/x509/x509_def.c + $(OPENSSL_PATH)/crypto/x509/x509_err.c + $(OPENSSL_PATH)/crypto/x509/x509_ext.c + $(OPENSSL_PATH)/crypto/x509/x509_lu.c + $(OPENSSL_PATH)/crypto/x509/x509_meth.c + $(OPENSSL_PATH)/crypto/x509/x509_obj.c + $(OPENSSL_PATH)/crypto/x509/x509_r2x.c + $(OPENSSL_PATH)/crypto/x509/x509_req.c + $(OPENSSL_PATH)/crypto/x509/x509_set.c + $(OPENSSL_PATH)/crypto/x509/x509_trs.c + $(OPENSSL_PATH)/crypto/x509/x509_txt.c + $(OPENSSL_PATH)/crypto/x509/x509_v3.c + $(OPENSSL_PATH)/crypto/x509/x509_vfy.c + $(OPENSSL_PATH)/crypto/x509/x509_vpm.c + $(OPENSSL_PATH)/crypto/x509/x509cset.c + $(OPENSSL_PATH)/crypto/x509/x509name.c + $(OPENSSL_PATH)/crypto/x509/x509rset.c + $(OPENSSL_PATH)/crypto/x509/x509spki.c + $(OPENSSL_PATH)/crypto/x509/x509type.c + $(OPENSSL_PATH)/crypto/x509/x_all.c + $(OPENSSL_PATH)/crypto/x509/x_attrib.c + $(OPENSSL_PATH)/crypto/x509/x_crl.c + $(OPENSSL_PATH)/crypto/x509/x_exten.c + $(OPENSSL_PATH)/crypto/x509/x_name.c + $(OPENSSL_PATH)/crypto/x509/x_pubkey.c + $(OPENSSL_PATH)/crypto/x509/x_req.c + $(OPENSSL_PATH)/crypto/x509/x_x509.c + $(OPENSSL_PATH)/crypto/x509/x_x509a.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_data.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_map.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c + $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c + $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c + $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c + $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c + $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c + $(OPENSSL_PATH)/crypto/x509v3/v3_asid.c + $(OPENSSL_PATH)/crypto/x509v3/v3_bcons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_bitst.c + $(OPENSSL_PATH)/crypto/x509v3/v3_conf.c + $(OPENSSL_PATH)/crypto/x509v3/v3_cpols.c + $(OPENSSL_PATH)/crypto/x509v3/v3_crld.c + $(OPENSSL_PATH)/crypto/x509v3/v3_enum.c + $(OPENSSL_PATH)/crypto/x509v3/v3_extku.c + $(OPENSSL_PATH)/crypto/x509v3/v3_genn.c + $(OPENSSL_PATH)/crypto/x509v3/v3_ia5.c + $(OPENSSL_PATH)/crypto/x509v3/v3_info.c + $(OPENSSL_PATH)/crypto/x509v3/v3_int.c + $(OPENSSL_PATH)/crypto/x509v3/v3_lib.c + $(OPENSSL_PATH)/crypto/x509v3/v3_ncons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pci.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pcia.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pcons.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pku.c + $(OPENSSL_PATH)/crypto/x509v3/v3_pmaps.c + $(OPENSSL_PATH)/crypto/x509v3/v3_prn.c + $(OPENSSL_PATH)/crypto/x509v3/v3_purp.c + $(OPENSSL_PATH)/crypto/x509v3/v3_skey.c + $(OPENSSL_PATH)/crypto/x509v3/v3_sxnet.c + $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c + $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c + $(OPENSSL_PATH)/crypto/x509v3/v3err.c + $(OPENSSL_PATH)/crypto/arm_arch.h + $(OPENSSL_PATH)/crypto/mips_arch.h + $(OPENSSL_PATH)/crypto/ppc_arch.h + $(OPENSSL_PATH)/crypto/s390x_arch.h + $(OPENSSL_PATH)/crypto/sparc_arch.h + $(OPENSSL_PATH)/crypto/vms_rms.h + $(OPENSSL_PATH)/crypto/aes/aes_local.h + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h + $(OPENSSL_PATH)/crypto/asn1/asn1_local.h + $(OPENSSL_PATH)/crypto/asn1/charmap.h + $(OPENSSL_PATH)/crypto/asn1/standard_methods.h + $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h + $(OPENSSL_PATH)/crypto/async/async_local.h + $(OPENSSL_PATH)/crypto/async/arch/async_null.h + $(OPENSSL_PATH)/crypto/async/arch/async_posix.h + $(OPENSSL_PATH)/crypto/async/arch/async_win.h + $(OPENSSL_PATH)/crypto/bio/bio_local.h + $(OPENSSL_PATH)/crypto/bn/bn_local.h + $(OPENSSL_PATH)/crypto/bn/bn_prime.h + $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h + $(OPENSSL_PATH)/crypto/comp/comp_local.h + $(OPENSSL_PATH)/crypto/conf/conf_def.h + $(OPENSSL_PATH)/crypto/conf/conf_local.h + $(OPENSSL_PATH)/crypto/dh/dh_local.h + $(OPENSSL_PATH)/crypto/dso/dso_local.h + $(OPENSSL_PATH)/crypto/evp/evp_local.h + $(OPENSSL_PATH)/crypto/hmac/hmac_local.h + $(OPENSSL_PATH)/crypto/lhash/lhash_local.h + $(OPENSSL_PATH)/crypto/md5/md5_local.h + $(OPENSSL_PATH)/crypto/modes/modes_local.h + $(OPENSSL_PATH)/crypto/objects/obj_dat.h + $(OPENSSL_PATH)/crypto/objects/obj_local.h + $(OPENSSL_PATH)/crypto/objects/obj_xref.h + $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h + $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h + $(OPENSSL_PATH)/crypto/rand/rand_local.h + $(OPENSSL_PATH)/crypto/rsa/rsa_local.h + $(OPENSSL_PATH)/crypto/sha/sha_local.h + $(OPENSSL_PATH)/crypto/siphash/siphash_local.h + $(OPENSSL_PATH)/crypto/sm3/sm3_local.h + $(OPENSSL_PATH)/crypto/store/store_local.h + $(OPENSSL_PATH)/crypto/ui/ui_local.h + $(OPENSSL_PATH)/crypto/x509/x509_local.h + $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h + $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h + $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h +# Autogenerated files list ends here + buildinf.h + ossl_store.c + rand_pool.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + RngLib + PrintLib + +[LibraryClasses.ARM] + ArmSoftFloatLib + +[BuildOptions] + # + # Disables the following Visual Studio compiler warnings brought by openssl source, + # so we do not break the build with /WX option: + # C4090: 'function' : different 'const' qualifiers + # C4132: 'object' : const object should be initialized (tls13_enc.c) + # C4244: conversion from type1 to type2, possible loss of data + # C4245: conversion from type1 to type2, signed/unsigned mismatch + # C4267: conversion from size_t to type, possible loss of data + # C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size + # C4310: cast truncates constant value + # C4389: 'operator' : signed/unsigned mismatch (xxxx) + # C4700: uninitialized local variable 'name' used. (conf_sap.c(71)) + # C4702: unreachable code + # C4706: assignment within conditional expression + # C4819: The file contains a character that cannot be represented in the current code page + # + MSFT:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4310 /wd4389 /wd4700 /wd4702 /wd4706 /wd4819 + MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) /wd4090 /wd4132 /wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819 + + INTEL:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w + INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) /w + + # + # Suppress the following build warnings in openssl so we don't break the build with -Werror + # -Werror=maybe-uninitialized: there exist some other paths for which the variable is not initialized. + # -Werror=format: Check calls to printf and scanf, etc., to make sure that the arguments supplied have + # types appropriate to the format string specified. + # -Werror=unused-but-set-variable: Warn whenever a local variable is assigned to, but otherwise unused (aside from its declaration). + # + GCC:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable + GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -DNO_MSABI_VA_FUNCS + GCC:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable + GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_*_RISCV64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized -Wno-error=incompatible-pointer-types -Wno-error=pointer-sign -Wno-error=implicit-function-declaration -Wno-error=ignored-pragma-optimize + + # suppress the following warnings in openssl so we don't break the build with warnings-as-errors: + # 1295: Deprecated declaration - give arg types + # 550: was set but never used + # 1293: assignment in condition + # 111: statement is unreachable (invariably "break;" after "return X;" in case statement) + # 68: integer conversion resulted in a change of sign ("if (Status == -1)") + # 177: was declared but never referenced + # 223: function declared implicitly + # 144: a value of type cannot be used to initialize an entity of type + # 513: a value of type cannot be assigned to an entity of type + # 188: enumerated type mixed with another type (i.e. passing an integer as an enum without a cast) + # 1296: Extended constant initialiser used + # 128: loop is not reachable - may be emitted inappropriately if code follows a conditional return + # from the function that evaluates to true at compile time + # 546: transfer of control bypasses initialization - may be emitted inappropriately if the uninitialized + # variable is never referenced after the jump + # 1: ignore "#1-D: last line of file ends without a newline" + # 3017: may be used before being set (NOTE: This was fixed in OpenSSL 1.1 HEAD with + # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.) + RVCT:*_*_ARM_CC_FLAGS = $(OPENSSL_FLAGS) --library_interface=aeabi_clib99 --diag_suppress=1296,1295,550,1293,111,68,177,223,144,513,188,128,546,1,3017 -JCryptoPkg/Include + XCODE:*_*_IA32_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -w -std=c99 -Wno-error=uninitialized + XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) -w -std=c99 -Wno-error=uninitialized + + # + # AARCH64 uses strict alignment and avoids SIMD registers for code that may execute + # with the MMU off. This involves SEC, PEI_CORE and PEIM modules as well as BASE + # libraries, given that they may be included into such modules. + # This library, even though of the BASE type, is never used in such cases, and + # avoiding the SIMD register file (which is shared with the FPU) prevents the + # compiler from successfully building some of the OpenSSL source files that + # use floating point types, so clear the flags here. + # + GCC:*_*_AARCH64_CC_XIPFLAGS == diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni new file mode 100644 index 00000000..d3f12e17 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni @@ -0,0 +1,16 @@ +// /** @file +// This module provides openSSL Library implementation (libcrypto only, no libssl). +// +// This module provides OpenSSL Library implementation (libcrypto only, no libssl). +// +// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library implementation (libcrypto only, no libssl)" + +#string STR_MODULE_DESCRIPTION #language en-US "This module provides OpenSSL Library implementation (libcrypto only, no libssl)." + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/buildinf.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/buildinf.h new file mode 100644 index 00000000..7fc648b9 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/buildinf.h @@ -0,0 +1,4 @@ +#define PLATFORM "UEFI" +#define DATE "Fri Dec 22 01:23:45 PDT 2017" + +const char * compiler_flags = "compiler: information not available from edk2"; diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/ossl_store.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/ossl_store.c new file mode 100644 index 00000000..7a17e035 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/ossl_store.c @@ -0,0 +1,17 @@ +/** @file + Dummy implement ossl_store(Store retrieval functions) for UEFI. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +/* + * This function is cleanup ossl store. + * + * Dummy Implement for UEFI + */ +void ossl_store_cleanup_int(void) +{ +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/process_files.pl b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/process_files.pl new file mode 100644 index 00000000..5b0749fa --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/process_files.pl @@ -0,0 +1,286 @@ +#!/usr/bin/perl -w +# +# This script runs the OpenSSL Configure script, then processes the +# resulting file list into our local OpensslLib[Crypto].inf and also +# takes copies of opensslconf.h and dso_conf.h. +# +# This only needs to be done once by a developer when updating to a +# new version of OpenSSL (or changing options, etc.). Normal users +# do not need to do this, since the results are stored in the EDK2 +# git repository for them. +# +use strict; +use Cwd; +use File::Copy; + +# +# Find the openssl directory name for use lib. We have to do this +# inside of BEGIN. The variables we create here, however, don't seem +# to be available to the main script, so we have to repeat the +# exercise. +# +my $inf_file; +my $OPENSSL_PATH; +my @inf; + +BEGIN { + $inf_file = "OpensslLib.inf"; + + # Read the contents of the inf file + open( FD, "<" . $inf_file ) || + die "Cannot open \"" . $inf_file . "\"!"; + @inf = (); + close(FD) || + die "Cannot close \"" . $inf_file . "\"!"; + + foreach (@inf) { + if (/DEFINE\s+OPENSSL_PATH\s*=\s*([a-z]+)/) { + + # We need to run Configure before we can include its result... + $OPENSSL_PATH = $1; + + my $basedir = getcwd(); + + chdir($OPENSSL_PATH) || + die "Cannot change to OpenSSL directory \"" . $OPENSSL_PATH . "\""; + + # Configure UEFI + system( + "./Configure", + "UEFI", + "no-afalgeng", + "no-asm", + "no-async", + "no-autoerrinit", + "no-autoload-config", + "no-bf", + "no-blake2", + "no-camellia", + "no-capieng", + "no-cast", + "no-chacha", + "no-cms", + "no-ct", + "no-deprecated", + "no-des", + "no-dgram", + "no-dsa", + "no-dynamic-engine", + "no-ec", + "no-ec2m", + "no-engine", + "no-err", + "no-filenames", + "no-gost", + "no-hw", + "no-idea", + "no-md4", + "no-mdc2", + "no-pic", + "no-ocb", + "no-poly1305", + "no-posix-io", + "no-rc2", + "no-rc4", + "no-rfc3779", + "no-rmd160", + "no-scrypt", + "no-seed", + "no-sock", + "no-srp", + "no-ssl", + "no-stdio", + "no-threads", + "no-ts", + "no-ui", + "no-whirlpool", + # OpenSSL1_1_1b doesn't support default rand-seed-os for UEFI + # UEFI only support --with-rand-seed=none + "--with-rand-seed=none" + ) == 0 || + die "OpenSSL Configure failed!\n"; + + # Generate opensslconf.h per config data + system( + "perl -I. -Mconfigdata util/dofile.pl " . + "include/openssl/opensslconf.h.in " . + "> include/openssl/opensslconf.h" + ) == 0 || + die "Failed to generate opensslconf.h!\n"; + + # Generate dso_conf.h per config data + system( + "perl -I. -Mconfigdata util/dofile.pl " . + "include/crypto/dso_conf.h.in " . + "> include/crypto/dso_conf.h" + ) == 0 || + die "Failed to generate dso_conf.h!\n"; + + chdir($basedir) || + die "Cannot change to base directory \"" . $basedir . "\""; + + push @INC, $1; + last; + } + } +} + +# +# Retrieve file lists from OpenSSL configdata +# +use configdata qw/%unified_info/; + +my @cryptofilelist = (); +my @sslfilelist = (); +foreach my $product ((@{$unified_info{libraries}}, + @{$unified_info{engines}})) { + foreach my $o (@{$unified_info{sources}->{$product}}) { + foreach my $s (@{$unified_info{sources}->{$o}}) { + next if ($unified_info{generate}->{$s}); + next if $s =~ "crypto/bio/b_print.c"; + + # No need to add unused files in UEFI. + # So it can reduce porting time, compile time, library size. + next if $s =~ "crypto/rand/randfile.c"; + next if $s =~ "crypto/store/"; + next if $s =~ "crypto/err/err_all.c"; + next if $s =~ "crypto/aes/aes_ecb.c"; + + if ($product =~ "libssl") { + push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n"; + next; + } + push @cryptofilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n"; + } + } +} + + +# +# Update the perl script to generate the missing header files +# +my @dir_list = (); +for (sort keys %{$unified_info{dirinfo}}){ + push @dir_list,$_; +} + +my $dir = getcwd(); +my @files = (); +my @headers = (); +chdir ("openssl"); +foreach(@dir_list){ + @files = glob($_."/*.h"); + push @headers, @files; +} +chdir ($dir); + +foreach (@headers){ + if(/ssl/){ + push @sslfilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n"; + next; + } + push @cryptofilelist, ' $(OPENSSL_PATH)/' . $_ . "\r\n"; +} + + +# +# Update OpensslLib.inf with autogenerated file list +# +my @new_inf = (); +my $subbing = 0; +print "\n--> Updating OpensslLib.inf ... "; +foreach (@inf) { + if ( $_ =~ "# Autogenerated files list starts here" ) { + push @new_inf, $_, @cryptofilelist, @sslfilelist; + $subbing = 1; + next; + } + if ( $_ =~ "# Autogenerated files list ends here" ) { + push @new_inf, $_; + $subbing = 0; + next; + } + + push @new_inf, $_ + unless ($subbing); +} + +my $new_inf_file = $inf_file . ".new"; +open( FD, ">" . $new_inf_file ) || + die $new_inf_file; +print( FD @new_inf ) || + die $new_inf_file; +close(FD) || + die $new_inf_file; +rename( $new_inf_file, $inf_file ) || + die "rename $inf_file"; +print "Done!"; + +# +# Update OpensslLibCrypto.inf with auto-generated file list (no libssl) +# +$inf_file = "OpensslLibCrypto.inf"; + +# Read the contents of the inf file +@inf = (); +@new_inf = (); +open( FD, "<" . $inf_file ) || + die "Cannot open \"" . $inf_file . "\"!"; +@inf = (); +close(FD) || + die "Cannot close \"" . $inf_file . "\"!"; + +$subbing = 0; +print "\n--> Updating OpensslLibCrypto.inf ... "; +foreach (@inf) { + if ( $_ =~ "# Autogenerated files list starts here" ) { + push @new_inf, $_, @cryptofilelist; + $subbing = 1; + next; + } + if ( $_ =~ "# Autogenerated files list ends here" ) { + push @new_inf, $_; + $subbing = 0; + next; + } + + push @new_inf, $_ + unless ($subbing); +} + +$new_inf_file = $inf_file . ".new"; +open( FD, ">" . $new_inf_file ) || + die $new_inf_file; +print( FD @new_inf ) || + die $new_inf_file; +close(FD) || + die $new_inf_file; +rename( $new_inf_file, $inf_file ) || + die "rename $inf_file"; +print "Done!"; + +# +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration +# +print "\n--> Duplicating opensslconf.h into Include/openssl ... "; +system( + "perl -pe 's/\\n/\\r\\n/' " . + "< " . $OPENSSL_PATH . "/include/openssl/opensslconf.h " . + "> " . $OPENSSL_PATH . "/../../Include/openssl/opensslconf.h" + ) == 0 || + die "Cannot copy opensslconf.h!"; +print "Done!"; + +print "\n--> Duplicating dso_conf.h into Include/crypto ... "; +system( + "perl -pe 's/\\n/\\r\\n/' " . + "< " . $OPENSSL_PATH . "/include/crypto/dso_conf.h" . + "> " . $OPENSSL_PATH . "/../../Include/crypto/dso_conf.h" + ) == 0 || + die "Cannot copy dso_conf.h!"; +print "Done!\n"; + +print "\nProcessing Files Done!\n"; + +exit(0); + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/rand_pool.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/rand_pool.c new file mode 100644 index 00000000..1b0a26a8 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/OpensslLib/rand_pool.c @@ -0,0 +1,171 @@ +/** @file + OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI. + The file implement these functions. + + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "crypto/rand.h" +#include + +#include +#include + +/** + Calls RandomNumber64 to fill + a buffer of arbitrary size with random bytes. + This is a shim layer to RngLib. + + @param[in] Length Size of the buffer, in bytes, to fill with. + @param[out] RandBuffer Pointer to the buffer to store the random result. + + @retval TRUE Random bytes generation succeeded. + @retval FALSE Failed to request random bytes. + +**/ +STATIC +BOOLEAN +EFIAPI +RandGetBytes ( + IN UINTN Length, + OUT UINT8 *RandBuffer + ) +{ + BOOLEAN Ret; + UINT64 TempRand; + + Ret = FALSE; + + if (RandBuffer == NULL) { + DEBUG((DEBUG_ERROR, "[OPENSSL_RAND_POOL] NULL RandBuffer. No random numbers are generated and your system is not secure\n")); + ASSERT (RandBuffer != NULL); // Since we can't generate random numbers, we should assert. Otherwise we will just blow up later. + return Ret; + } + + + while (Length > 0) { + // Use RngLib to get random number + Ret = GetRandomNumber64 (&TempRand); + + if (!Ret) { + return Ret; + } + if (Length >= sizeof (TempRand)) { + *((UINT64*) RandBuffer) = TempRand; + RandBuffer += sizeof (UINT64); + Length -= sizeof (TempRand); + } + else { + CopyMem (RandBuffer, &TempRand, Length); + Length = 0; + } + } + + return Ret; +} + +/* + * Add random bytes to the pool to acquire requested amount of entropy + * + * This function is platform specific and tries to acquire the requested + * amount of entropy by polling platform specific entropy sources. + * + * This is OpenSSL required interface. + */ +size_t +rand_pool_acquire_entropy ( + RAND_POOL *pool + ) +{ + BOOLEAN Ret; + size_t Bytes_needed; + unsigned char *Buffer; + + Bytes_needed = rand_pool_bytes_needed (pool, 1 /*entropy_factor*/); + if (Bytes_needed > 0) { + Buffer = rand_pool_add_begin (pool, Bytes_needed); + + if (Buffer != NULL) { + Ret = RandGetBytes (Bytes_needed, Buffer); + if (FALSE == Ret) { + rand_pool_add_end (pool, 0, 0); + } + else { + rand_pool_add_end (pool, Bytes_needed, 8 * Bytes_needed); + } + } + } + + return rand_pool_entropy_available (pool); +} + +/* + * Implementation for UEFI + * + * This is OpenSSL required interface. + */ +int +rand_pool_add_nonce_data ( + RAND_POOL *pool + ) +{ + UINT8 data[16]; + RandGetBytes (sizeof(data), data); + + return rand_pool_add (pool, (unsigned char*)&data, sizeof(data), 0); +} + +/* + * Implementation for UEFI + * + * This is OpenSSL required interface. + */ +int +rand_pool_add_additional_data ( + RAND_POOL *pool + ) +{ + UINT8 data[16]; + RandGetBytes (sizeof(data), data); + + return rand_pool_add (pool, (unsigned char*)&data, sizeof(data), 0); +} + +/* + * Dummy Implementation for UEFI + * + * This is OpenSSL required interface. + */ +int +rand_pool_init ( + VOID + ) +{ + return 1; +} + +/* + * Dummy Implementation for UEFI + * + * This is OpenSSL required interface. + */ +VOID +rand_pool_cleanup( + VOID + ) +{ +} + +/* + * Dummy Implementation for UEFI + * + * This is OpenSSL required interface. + */ +VOID +rand_pool_keep_random_devices_open ( + int keep + ) +{ +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/InternalTlsLib.h new file mode 100644 index 00000000..f88c6f35 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/InternalTlsLib.h @@ -0,0 +1,41 @@ +/** @file + Internal include file for TlsLib. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTERNAL_TLS_LIB_H__ +#define __INTERNAL_TLS_LIB_H__ + +#undef _WIN32 +#undef _WIN64 + +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct { + // + // Main SSL Connection which is created by a server or a client + // per established connection. + // + SSL *Ssl; + // + // Memory BIO for the TLS/SSL Reading operations. + // + BIO *InBio; + // + // Memory BIO for the TLS/SSL Writing operations. + // + BIO *OutBio; +} TLS_CONNECTION; + +#endif + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsConfig.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsConfig.c new file mode 100644 index 00000000..8654c739 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsConfig.c @@ -0,0 +1,1267 @@ +/** @file + SSL/TLS Configuration Library Wrapper Implementation over OpenSSL. + +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +typedef struct { + // + // IANA/IETF defined Cipher Suite ID + // + UINT16 IanaCipher; + // + // OpenSSL-used Cipher Suite String + // + CONST CHAR8 *OpensslCipher; + // + // Length of OpensslCipher + // + UINTN OpensslCipherLength; +} TLS_CIPHER_MAPPING; + +// +// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so +// that OpensslCipherLength is filled in automatically. IanaCipher must be an +// integer constant expression, and OpensslCipher must be a string literal. +// +#define MAP(IanaCipher, OpensslCipher) \ + { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 } + +// +// The mapping table between IANA/IETF Cipher Suite definitions and +// OpenSSL-used Cipher Suite name. +// +// Keep the table uniquely sorted by the IanaCipher field, in increasing order. +// +STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = { + MAP ( 0x0001, "NULL-MD5" ), /// TLS_RSA_WITH_NULL_MD5 + MAP ( 0x0002, "NULL-SHA" ), /// TLS_RSA_WITH_NULL_SHA + MAP ( 0x0004, "RC4-MD5" ), /// TLS_RSA_WITH_RC4_128_MD5 + MAP ( 0x0005, "RC4-SHA" ), /// TLS_RSA_WITH_RC4_128_SHA + MAP ( 0x000A, "DES-CBC3-SHA" ), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1 + MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + MAP ( 0x002F, "AES128-SHA" ), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2 + MAP ( 0x0030, "DH-DSS-AES128-SHA" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA + MAP ( 0x0031, "DH-RSA-AES128-SHA" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA + MAP ( 0x0033, "DHE-RSA-AES128-SHA" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA + MAP ( 0x0035, "AES256-SHA" ), /// TLS_RSA_WITH_AES_256_CBC_SHA + MAP ( 0x0036, "DH-DSS-AES256-SHA" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA + MAP ( 0x0037, "DH-RSA-AES256-SHA" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA + MAP ( 0x0039, "DHE-RSA-AES256-SHA" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA + MAP ( 0x003B, "NULL-SHA256" ), /// TLS_RSA_WITH_NULL_SHA256 + MAP ( 0x003C, "AES128-SHA256" ), /// TLS_RSA_WITH_AES_128_CBC_SHA256 + MAP ( 0x003D, "AES256-SHA256" ), /// TLS_RSA_WITH_AES_256_CBC_SHA256 + MAP ( 0x003E, "DH-DSS-AES128-SHA256" ), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256 + MAP ( 0x003F, "DH-RSA-AES128-SHA256" ), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256 + MAP ( 0x0067, "DHE-RSA-AES128-SHA256" ), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + MAP ( 0x0068, "DH-DSS-AES256-SHA256" ), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256 + MAP ( 0x0069, "DH-RSA-AES256-SHA256" ), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256 + MAP ( 0x006B, "DHE-RSA-AES256-SHA256" ), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 +}; + +/** + Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite. + + @param[in] CipherId The supplied IANA TLS cipher suite ID. + + @return The corresponding OpenSSL cipher suite mapping if found, + NULL otherwise. + +**/ +STATIC +CONST TLS_CIPHER_MAPPING * +TlsGetCipherMapping ( + IN UINT16 CipherId + ) +{ + INTN Left; + INTN Right; + INTN Middle; + + // + // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation + // + Left = 0; + Right = ARRAY_SIZE (TlsCipherMappingTable) - 1; + + while (Right >= Left) { + Middle = (Left + Right) / 2; + + if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) { + // + // Translate IANA cipher suite ID to OpenSSL name. + // + return &TlsCipherMappingTable[Middle]; + } + + if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) { + Right = Middle - 1; + } else { + Left = Middle + 1; + } + } + + // + // No Cipher Mapping found, return NULL. + // + return NULL; +} + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + TLS_CONNECTION *TlsConn; + UINT16 ProtoVersion; + + TlsConn = (TLS_CONNECTION *)Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return EFI_INVALID_PARAMETER; + } + + ProtoVersion = (MajorVer << 8) | MinorVer; + + // + // Bound TLS method to the particular specified version. + // + switch (ProtoVersion) { + case TLS1_VERSION: + // + // TLS 1.0 + // + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION); + break; + case TLS1_1_VERSION: + // + // TLS 1.1 + // + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION); + break; + case TLS1_2_VERSION: + // + // TLS 1.2 + // + SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION); + SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION); + break; + default: + // + // Unsupported Protocol Version + // + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS;; +} + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return EFI_INVALID_PARAMETER; + } + + if (!IsServer) { + // + // Set TLS to work in Client mode. + // + SSL_set_connect_state (TlsConn->Ssl); + } else { + // + // Set TLS to work in Server mode. + // It is unsupported for UEFI version currently. + // + //SSL_set_accept_state (TlsConn->Ssl); + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ) +{ + TLS_CONNECTION *TlsConn; + EFI_STATUS Status; + CONST TLS_CIPHER_MAPPING **MappedCipher; + UINTN MappedCipherBytes; + UINTN MappedCipherCount; + UINTN CipherStringSize; + UINTN Index; + CONST TLS_CIPHER_MAPPING *Mapping; + CHAR8 *CipherString; + CHAR8 *CipherStringPosition; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Allocate the MappedCipher array for recording the mappings that we find + // for the input IANA identifiers in CipherId. + // + Status = SafeUintnMult (CipherNum, sizeof (*MappedCipher), + &MappedCipherBytes); + if (EFI_ERROR (Status)) { + return EFI_OUT_OF_RESOURCES; + } + MappedCipher = AllocatePool (MappedCipherBytes); + if (MappedCipher == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Map the cipher IDs, and count the number of bytes for the full + // CipherString. + // + MappedCipherCount = 0; + CipherStringSize = 0; + for (Index = 0; Index < CipherNum; Index++) { + // + // Look up the IANA-to-OpenSSL mapping. + // + Mapping = TlsGetCipherMapping (CipherId[Index]); + if (Mapping == NULL) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: skipping CipherId=0x%04x\n", + gEfiCallerBaseName, __FUNCTION__, CipherId[Index])); + // + // Skipping the cipher is valid because CipherId is an ordered + // preference list of ciphers, thus we can filter it as long as we + // don't change the relative order of elements on it. + // + continue; + } + // + // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this + // is not the first successful mapping, account for a colon (":") prefix + // too. + // + if (MappedCipherCount > 0) { + Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize); + if (EFI_ERROR (Status)) { + Status = EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + } + Status = SafeUintnAdd (CipherStringSize, Mapping->OpensslCipherLength, + &CipherStringSize); + if (EFI_ERROR (Status)) { + Status = EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + // + // Record the mapping. + // + MappedCipher[MappedCipherCount++] = Mapping; + } + + // + // Verify that at least one IANA cipher ID could be mapped; account for the + // terminating NUL character in CipherStringSize; allocate CipherString. + // + if (MappedCipherCount == 0) { + DEBUG ((DEBUG_ERROR, "%a:%a: no CipherId could be mapped\n", + gEfiCallerBaseName, __FUNCTION__)); + Status = EFI_UNSUPPORTED; + goto FreeMappedCipher; + } + Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize); + if (EFI_ERROR (Status)) { + Status = EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + CipherString = AllocatePool (CipherStringSize); + if (CipherString == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto FreeMappedCipher; + } + + // + // Go over the collected mappings and populate CipherString. + // + CipherStringPosition = CipherString; + for (Index = 0; Index < MappedCipherCount; Index++) { + Mapping = MappedCipher[Index]; + // + // Append the colon (":") prefix except for the first mapping, then append + // Mapping->OpensslCipher. + // + if (Index > 0) { + *(CipherStringPosition++) = ':'; + } + CopyMem (CipherStringPosition, Mapping->OpensslCipher, + Mapping->OpensslCipherLength); + CipherStringPosition += Mapping->OpensslCipherLength; + } + + // + // NUL-terminate CipherString. + // + *(CipherStringPosition++) = '\0'; + ASSERT (CipherStringPosition == CipherString + CipherStringSize); + + // + // Log CipherString for debugging. CipherString can be very long if the + // caller provided a large CipherId array, so log CipherString in segments of + // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in + // DebugLib instances.) + // + DEBUG_CODE ( + UINTN FullLength; + UINTN SegmentLength; + + FullLength = CipherStringSize - 1; + DEBUG ((DEBUG_VERBOSE, "%a:%a: CipherString={\n", gEfiCallerBaseName, + __FUNCTION__)); + for (CipherStringPosition = CipherString; + CipherStringPosition < CipherString + FullLength; + CipherStringPosition += SegmentLength) { + SegmentLength = FullLength - (CipherStringPosition - CipherString); + if (SegmentLength > 79) { + SegmentLength = 79; + } + DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition)); + } + DEBUG ((DEBUG_VERBOSE, "}\n")); + // + // Restore the pre-debug value of CipherStringPosition by skipping over the + // trailing NUL. + // + CipherStringPosition++; + ASSERT (CipherStringPosition == CipherString + CipherStringSize); + ); + + // + // Sets the ciphers for use by the Tls object. + // + if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) { + Status = EFI_UNSUPPORTED; + goto FreeCipherString; + } + + Status = EFI_SUCCESS; + +FreeCipherString: + FreePool (CipherString); + +FreeMappedCipher: + FreePool (MappedCipher); + + return Status; +} + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ) +{ + COMP_METHOD *Cm; + INTN Ret; + + Cm = NULL; + Ret = 0; + + if (CompMethod == 0) { + // + // TLS defines one standard compression method, CompressionMethod.null (0), + // which specifies that data exchanged via the record protocol will not be compressed. + // So, return EFI_SUCCESS directly (RFC 3749). + // + return EFI_SUCCESS; + } else if (CompMethod == 1) { + Cm = COMP_zlib(); + } else { + return EFI_UNSUPPORTED; + } + + // + // Adds the compression method to the list of available + // compression methods. + // + Ret = SSL_COMP_add_compression_method (CompMethod, Cm); + if (Ret != 0) { + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return; + } + + // + // Set peer certificate verification parameters with NULL callback. + // + SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL); +} + +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetVerifyHost ( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ) +{ + TLS_CONNECTION *TlsConn; + X509_VERIFY_PARAM *VerifyParam; + UINTN BinaryAddressSize; + UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)]; + INTN ParamStatus; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL || HostName == NULL) { + return EFI_INVALID_PARAMETER; + } + + SSL_set_hostflags(TlsConn->Ssl, Flags); + + VerifyParam = SSL_get0_param (TlsConn->Ssl); + ASSERT (VerifyParam != NULL); + + BinaryAddressSize = 0; + if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) { + BinaryAddressSize = NS_IN6ADDRSZ; + } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) { + BinaryAddressSize = NS_INADDRSZ; + } + + if (BinaryAddressSize > 0) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: parsed \"%a\" as an IPv%c address " + "literal\n", gEfiCallerBaseName, __FUNCTION__, HostName, + (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4'))); + ParamStatus = X509_VERIFY_PARAM_set1_ip (VerifyParam, BinaryAddress, + BinaryAddressSize); + } else { + ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0); + } + + return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED; +} + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen); + + return EFI_SUCCESS; +} + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + BIO *BioCert; + X509 *Cert; + X509_STORE *X509Store; + EFI_STATUS Status; + TLS_CONNECTION *TlsConn; + SSL_CTX *SslCtx; + INTN Ret; + UINTN ErrorCode; + + BioCert = NULL; + Cert = NULL; + X509Store = NULL; + Status = EFI_SUCCESS; + TlsConn = (TLS_CONNECTION *) Tls; + Ret = 0; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { + return EFI_INVALID_PARAMETER; + } + + // + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. + // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. + // + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); + if (Cert == NULL) { + // + // Certificate is from PEM encoding. + // + BioCert = BIO_new (BIO_s_mem ()); + if (BioCert == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); + if (Cert == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + } + + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl); + X509Store = SSL_CTX_get_cert_store (SslCtx); + if (X509Store == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + // + // Add certificate to X509 store + // + Ret = X509_STORE_add_cert (X509Store, Cert); + if (Ret != 1) { + ErrorCode = ERR_peek_last_error (); + // + // Ignore "already in table" errors + // + if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT && + ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + } + +ON_EXIT: + if (BioCert != NULL) { + BIO_free (BioCert); + } + + if (Cert != NULL) { + X509_free (Cert); + } + + return Status; +} + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + BIO *BioCert; + X509 *Cert; + EFI_STATUS Status; + TLS_CONNECTION *TlsConn; + + BioCert = NULL; + Cert = NULL; + Status = EFI_SUCCESS; + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || Data == NULL || DataSize == 0) { + return EFI_INVALID_PARAMETER; + } + + // + // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate. + // Determine whether certificate is from DER encoding, if so, translate it to X509 structure. + // + Cert = d2i_X509 (NULL, (const unsigned char ** )&Data, (long) DataSize); + if (Cert == NULL) { + // + // Certificate is from PEM encoding. + // + BioCert = BIO_new (BIO_s_mem ()); + if (BioCert == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (BIO_write (BioCert, Data, (UINT32) DataSize) <= 0) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + + Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL); + if (Cert == NULL) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + } + + if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) { + Status = EFI_ABORTED; + goto ON_EXIT; + } + +ON_EXIT: + if (BioCert != NULL) { + BIO_free (BioCert); + } + + if (Cert != NULL) { + X509_free (Cert); + } + + return Status; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return (UINT16)(SSL_version (TlsConn->Ssl)); +} + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return (UINT8)SSL_is_server (TlsConn->Ssl); +} + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ) +{ + TLS_CONNECTION *TlsConn; + CONST SSL_CIPHER *Cipher; + + TlsConn = (TLS_CONNECTION *) Tls; + Cipher = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || CipherId == NULL) { + return EFI_INVALID_PARAMETER; + } + + Cipher = SSL_get_current_cipher (TlsConn->Ssl); + if (Cipher == NULL) { + return EFI_UNSUPPORTED; + } + + *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF; + + return EFI_SUCCESS; +} + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + ASSERT (TlsConn != NULL); + + return SSL_get_verify_mode (TlsConn->Ssl); +} + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + CONST UINT8 *SslSessionId; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || SessionId == NULL || SessionIdLen == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen); + CopyMem (SessionId, SslSessionId, *SessionIdLen); + + return EFI_SUCCESS; +} + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || ClientRandom == NULL) { + return; + } + + SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE); +} + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || ServerRandom == NULL) { + return; + } + + SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE); +} + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ) +{ + TLS_CONNECTION *TlsConn; + SSL_SESSION *Session; + + TlsConn = (TLS_CONNECTION *) Tls; + Session = NULL; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || KeyMaterial == NULL) { + return EFI_INVALID_PARAMETER; + } + + Session = SSL_get_session (TlsConn->Ssl); + + if (Session == NULL) { + return EFI_UNSUPPORTED; + } + + SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE); + + return EFI_SUCCESS; +} + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + X509 *Cert; + TLS_CONNECTION *TlsConn; + + Cert = NULL; + TlsConn = (TLS_CONNECTION *) Tls; + + if (TlsConn == NULL || TlsConn->Ssl == NULL || DataSize == NULL || (*DataSize != 0 && Data == NULL)) { + return EFI_INVALID_PARAMETER; + } + + Cert = SSL_get_certificate(TlsConn->Ssl); + if (Cert == NULL) { + return EFI_NOT_FOUND; + } + + // + // Only DER encoding is supported currently. + // + if (*DataSize < (UINTN) i2d_X509 (Cert, NULL)) { + *DataSize = (UINTN) i2d_X509 (Cert, NULL); + return EFI_BUFFER_TOO_SMALL; + } + + *DataSize = (UINTN) i2d_X509 (Cert, (unsigned char **) &Data); + + return EFI_SUCCESS; +} + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + return EFI_UNSUPPORTED; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsInit.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsInit.c new file mode 100644 index 00000000..875e6719 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsInit.c @@ -0,0 +1,263 @@ +/** @file + SSL/TLS Initialization Library Wrapper Implementation over OpenSSL. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The OpenSSL library has been initialized. + @retval FALSE Failed to initialize the OpenSSL library. + +**/ +BOOLEAN +EFIAPI +TlsInitialize ( + VOID + ) +{ + INTN Ret; + + // + // Performs initialization of crypto and ssl library, and loads required + // algorithms. + // + Ret = OPENSSL_init_ssl ( + OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, + NULL + ); + if (Ret != 1) { + return FALSE; + } + + // + // Initialize the pseudorandom number generator. + // + return RandomSeed (NULL, 0); +} + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ) +{ + if (TlsCtx == NULL) { + return; + } + + if (TlsCtx != NULL) { + SSL_CTX_free ((SSL_CTX *) (TlsCtx)); + } +} + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + SSL_CTX *TlsCtx; + UINT16 ProtoVersion; + + ProtoVersion = (MajorVer << 8) | MinorVer; + + TlsCtx = SSL_CTX_new (SSLv23_client_method ()); + if (TlsCtx == NULL) { + return NULL; + } + + // + // Ensure SSLv3 is disabled + // + SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3); + + // + // Treat as minimum accepted versions by setting the minimal bound. + // Client can use higher TLS version if server supports it + // + SSL_CTX_set_min_proto_version (TlsCtx, ProtoVersion); + + return (VOID *) TlsCtx; +} + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL) { + return; + } + + // + // Free the internal TLS and related BIO objects. + // + if (TlsConn->Ssl != NULL) { + SSL_free (TlsConn->Ssl); + } + + OPENSSL_free (Tls); +} + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ) +{ + TLS_CONNECTION *TlsConn; + SSL_CTX *SslCtx; + X509_STORE *X509Store; + + TlsConn = NULL; + + // + // Allocate one new TLS_CONNECTION object + // + TlsConn = (TLS_CONNECTION *) OPENSSL_malloc (sizeof (TLS_CONNECTION)); + if (TlsConn == NULL) { + return NULL; + } + + TlsConn->Ssl = NULL; + + // + // Create a new SSL Object + // + TlsConn->Ssl = SSL_new ((SSL_CTX *) TlsCtx); + if (TlsConn->Ssl == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // This retains compatibility with previous version of OpenSSL. + // + SSL_set_security_level (TlsConn->Ssl, 0); + + // + // Initialize the created SSL Object + // + SSL_set_info_callback (TlsConn->Ssl, NULL); + + TlsConn->InBio = NULL; + + // + // Set up Reading BIO for TLS connection + // + TlsConn->InBio = BIO_new (BIO_s_mem ()); + if (TlsConn->InBio == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // Sets the behaviour of memory BIO when it is empty. It will set the + // read retry flag. + // + BIO_set_mem_eof_return (TlsConn->InBio, -1); + + TlsConn->OutBio = NULL; + + // + // Set up Writing BIO for TLS connection + // + TlsConn->OutBio = BIO_new (BIO_s_mem ()); + if (TlsConn->OutBio == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + + // + // Sets the behaviour of memory BIO when it is empty. It will set the + // write retry flag. + // + BIO_set_mem_eof_return (TlsConn->OutBio, -1); + + ASSERT (TlsConn->Ssl != NULL && TlsConn->InBio != NULL && TlsConn->OutBio != NULL); + + // + // Connects the InBio and OutBio for the read and write operations. + // + SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio); + + // + // Create new X509 store if needed + // + SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl); + X509Store = SSL_CTX_get_cert_store (SslCtx); + if (X509Store == NULL) { + X509Store = X509_STORE_new (); + if (X509Store == NULL) { + TlsFree ((VOID *) TlsConn); + return NULL; + } + SSL_CTX_set1_verify_cert_store (SslCtx, X509Store); + X509_STORE_free (X509Store); + } + + // + // Set X509_STORE flags used in certificate validation + // + X509_STORE_set_flags ( + X509Store, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME + ); + return (VOID *) TlsConn; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.inf new file mode 100644 index 00000000..bc32b041 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.inf @@ -0,0 +1,50 @@ +## @file +# SSL/TLS Wrapper Library Instance based on OpenSSL. +# +# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+# (C) Copyright 2016-2020 Hewlett Packard Enterprise Development LP
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TlsLib + MODULE_UNI_FILE = TlsLib.uni + FILE_GUID = CC729DC5-4E21-0B36-1A00-3A8E1B86A155 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = TlsLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Sources] + InternalTlsLib.h + TlsInit.c + TlsConfig.c + TlsProcess.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseCryptLib + BaseMemoryLib + DebugLib + IntrinsicLib + MemoryAllocationLib + OpensslLib + SafeIntLib + +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # + MSFT:*_*_*_CC_FLAGS = /wd4090 + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.uni new file mode 100644 index 00000000..fe854217 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsLib.uni @@ -0,0 +1,13 @@ +// /** @file +// SSL/TLS Wrapper Library Instance based on OpenSSL. +// +// Copyright (c) 2016, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Library Instance" + +#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Library Instance." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsProcess.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsProcess.c new file mode 100644 index 00000000..de55a5ec --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLib/TlsProcess.c @@ -0,0 +1,457 @@ +/** @file + SSL/TLS Process Library Wrapper Implementation over OpenSSL. + The process includes the TLS handshake and packet I/O. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +#define MAX_BUFFER_SIZE 32768 + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return FALSE; + } + + // + // Return the status which indicates if the TLS handshake was done. + // + return !SSL_is_init_finished (TlsConn->Ssl); +} + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + INTN Ret; + UINTN ErrorCode; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + Ret = 1; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferOutSize == NULL || \ + (BufferIn == NULL && BufferInSize != 0) || \ + (BufferIn != NULL && BufferInSize == 0) || \ + (BufferOut == NULL && *BufferOutSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + if(BufferIn == NULL && BufferInSize == 0) { + // + // If RequestBuffer is NULL and RequestSize is 0, and TLS session + // status is EfiTlsSessionNotStarted, the TLS session will be initiated + // and the response packet needs to be ClientHello. + // + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + SSL_set_connect_state (TlsConn->Ssl); + Ret = SSL_do_handshake (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + } else { + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); + Ret = SSL_do_handshake (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + } + + if (Ret < 1) { + Ret = SSL_get_error (TlsConn->Ssl, (int) Ret); + if (Ret == SSL_ERROR_SSL || + Ret == SSL_ERROR_SYSCALL || + Ret == SSL_ERROR_ZERO_RETURN) { + DEBUG (( + DEBUG_ERROR, + "%a SSL_HANDSHAKE_ERROR State=0x%x SSL_ERROR_%a\n", + __FUNCTION__, + SSL_get_state (TlsConn->Ssl), + Ret == SSL_ERROR_SSL ? "SSL" : Ret == SSL_ERROR_SYSCALL ? "SYSCALL" : "ZERO_RETURN" + )); + DEBUG_CODE_BEGIN (); + while (TRUE) { + ErrorCode = ERR_get_error (); + if (ErrorCode == 0) { + break; + } + DEBUG (( + DEBUG_ERROR, + "%a ERROR 0x%x=L%x:F%x:R%x\n", + __FUNCTION__, + ErrorCode, + ERR_GET_LIB (ErrorCode), + ERR_GET_FUNC (ErrorCode), + ERR_GET_REASON (ErrorCode) + )); + } + DEBUG_CODE_END (); + return EFI_ABORTED; + } + } + + if (PendingBufferSize > *BufferOutSize) { + *BufferOutSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); + } else { + *BufferOutSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandleAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + UINT8 *TempBuffer; + INTN Ret; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + TempBuffer = NULL; + Ret = 0; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferOutSize == NULL || \ + (BufferIn == NULL && BufferInSize != 0) || \ + (BufferIn != NULL && BufferInSize == 0) || \ + (BufferOut == NULL && *BufferOutSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0 && BufferIn != NULL && BufferInSize != 0) { + Ret = BIO_write (TlsConn->InBio, BufferIn, (UINT32) BufferInSize); + if (Ret != (INTN) BufferInSize) { + return EFI_ABORTED; + } + + TempBuffer = (UINT8 *) OPENSSL_malloc (MAX_BUFFER_SIZE); + + // + // ssl3_send_alert() will be called in ssl3_read_bytes() function. + // TempBuffer is invalid since it's a Alert message, so just ignore it. + // + SSL_read (TlsConn->Ssl, TempBuffer, MAX_BUFFER_SIZE); + + OPENSSL_free (TempBuffer); + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + + if (PendingBufferSize > *BufferOutSize) { + *BufferOutSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferOutSize = BIO_read (TlsConn->OutBio, BufferOut, (UINT32) PendingBufferSize); + } else { + *BufferOutSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + UINTN PendingBufferSize; + + TlsConn = (TLS_CONNECTION *) Tls; + PendingBufferSize = 0; + + if (TlsConn == NULL || \ + TlsConn->Ssl == NULL || TlsConn->InBio == NULL || TlsConn->OutBio == NULL || \ + BufferSize == NULL || \ + (Buffer == NULL && *BufferSize != 0)) { + return EFI_INVALID_PARAMETER; + } + + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + if (PendingBufferSize == 0) { + // + // ssl3_send_alert() and ssl3_dispatch_alert() function will be called. + // + SSL_shutdown (TlsConn->Ssl); + PendingBufferSize = (UINTN) BIO_ctrl_pending (TlsConn->OutBio); + } + + if (PendingBufferSize > *BufferSize) { + *BufferSize = PendingBufferSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (PendingBufferSize > 0) { + *BufferSize = BIO_read (TlsConn->OutBio, Buffer, (UINT32) PendingBufferSize); + } else { + *BufferSize = 0; + } + + return EFI_SUCCESS; +} + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->OutBio == 0) { + return -1; + } + + // + // Read and return the amount of data from the BIO. + // + return BIO_read (TlsConn->OutBio, Buffer, (UINT32) BufferSize); +} + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->InBio == 0) { + return -1; + } + + // + // Write and return the amount of data to the BIO. + // + return BIO_write (TlsConn->InBio, Buffer, (UINT32) BufferSize); +} +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return -1; + } + + // + // Read bytes from the specified TLS connection. + // + return SSL_read (TlsConn->Ssl, Buffer, (UINT32) BufferSize); +} + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + TLS_CONNECTION *TlsConn; + + TlsConn = (TLS_CONNECTION *) Tls; + if (TlsConn == NULL || TlsConn->Ssl == NULL) { + return -1; + } + + // + // Write bytes to the specified TLS connection. + // + return SSL_write (TlsConn->Ssl, Buffer, (UINT32) BufferSize); +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/InternalTlsLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/InternalTlsLib.h new file mode 100644 index 00000000..138c5d78 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/InternalTlsLib.h @@ -0,0 +1,16 @@ +/** @file + Internal include file for TlsLibNull. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTERNAL_TLS_LIB_NULL_H__ +#define __INTERNAL_TLS_LIB_NULL_H__ + +#include +#include +#include + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c new file mode 100644 index 00000000..09ac7fb2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c @@ -0,0 +1,622 @@ +/** @file + SSL/TLS Configuration Null Library Wrapper Implementation. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +EFI_STATUS +EFIAPI +TlsSetVersion ( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +EFI_STATUS +EFIAPI +TlsSetConnectionEnd ( + IN VOID *Tls, + IN BOOLEAN IsServer + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +EFI_STATUS +EFIAPI +TlsSetCipherList ( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +EFI_STATUS +EFIAPI +TlsSetCompressionMethod ( + IN UINT8 CompMethod + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +VOID +EFIAPI +TlsSetVerify ( + IN VOID *Tls, + IN UINT32 VerifyMode + ) +{ + ASSERT(FALSE); +} + +// MU_CHANGE - Proposed fixes for TCBZ960, invalid domain name (CN) accepted. [BEGIN] +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetVerifyHost ( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +// MU_CHANGE - Proposed fixes for TCBZ960, invalid domain name (CN) accepted. [END] + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +EFI_STATUS +EFIAPI +TlsSetSessionId ( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetCaCertificate ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPublicCert ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +EFI_STATUS +EFIAPI +TlsSetHostPrivateKey ( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +EFI_STATUS +EFIAPI +TlsSetCertRevocationList ( + IN VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +UINT16 +EFIAPI +TlsGetVersion ( + IN VOID *Tls + ) +{ + ASSERT(FALSE); + return 0; +} + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +UINT8 +EFIAPI +TlsGetConnectionEnd ( + IN VOID *Tls + ) +{ + ASSERT(FALSE); + return 0; +} + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCipher ( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +EFI_STATUS +EFIAPI +TlsGetCurrentCompressionId ( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +UINT32 +EFIAPI +TlsGetVerify ( + IN VOID *Tls + ) +{ + ASSERT(FALSE); + return 0; +} + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetSessionId ( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetClientRandom ( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ) +{ + ASSERT(FALSE); +} + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +VOID +EFIAPI +TlsGetServerRandom ( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ) +{ + ASSERT(FALSE); +} + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +EFI_STATUS +EFIAPI +TlsGetKeyMaterial ( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCaCertificate ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPublicCert ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetHostPrivateKey ( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +EFI_STATUS +EFIAPI +TlsGetCertRevocationList ( + OUT VOID *Data, + IN OUT UINTN *DataSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsInitNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsInitNull.c new file mode 100644 index 00000000..a250bc44 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsInitNull.c @@ -0,0 +1,111 @@ +/** @file + SSL/TLS Initialization Null Library Wrapper Implementation. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +/** + Initializes the library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The library has been initialized. + @retval FALSE Failed to initialize the library. + +**/ +BOOLEAN +EFIAPI +TlsInitialize ( + VOID + ) +{ + ASSERT(FALSE); + return FALSE; +} + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +VOID +EFIAPI +TlsCtxFree ( + IN VOID *TlsCtx + ) +{ + ASSERT(FALSE); + return; +} + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsCtxNew ( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ) +{ + ASSERT(FALSE); + return NULL; +} + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +VOID +EFIAPI +TlsFree ( + IN VOID *Tls + ) +{ + ASSERT(FALSE); +} + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +VOID * +EFIAPI +TlsNew ( + IN VOID *TlsCtx + ) +{ + ASSERT(FALSE); + return NULL; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.inf new file mode 100644 index 00000000..efcf65ce --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.inf @@ -0,0 +1,38 @@ +## @file +# SSL/TLS Wrapper Null Library Instance. +# +# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+# (C) Copyright 2016-2020 Hewlett Packard Enterprise Development LP
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TlsLibNull + MODULE_UNI_FILE = TlsLibNull.uni + FILE_GUID = 705a5b3b-cfa5-42ea-87f0-f2b8d44ec521 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = TlsLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64 RISCV64 +# + +[Sources] + InternalTlsLib.h + TlsInitNull.c + TlsConfigNull.c + TlsProcessNull.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseCryptLib + DebugLib + BaseLib diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.uni b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.uni new file mode 100644 index 00000000..869f3fcf --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsLibNull.uni @@ -0,0 +1,13 @@ +// /** @file +// SSL/TLS Wrapper Null Library Instance. +// +// Copyright (c) 2016, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "SSL/TLS Wrapper Null Library Instance" + +#string STR_MODULE_DESCRIPTION #language en-US "This module provides SSL/TLS Wrapper Null Library Instance." diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c new file mode 100644 index 00000000..44c883bd --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Library/TlsLibNull/TlsProcessNull.c @@ -0,0 +1,247 @@ +/** @file + SSL/TLS Process Null Library Wrapper Implementation. + The process includes the TLS handshake and packet I/O. + +Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalTlsLib.h" + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +BOOLEAN +EFIAPI +TlsInHandshake ( + IN VOID *Tls + ) +{ + ASSERT(FALSE); + return FALSE; +} + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +EFI_STATUS +EFIAPI +TlsDoHandshake ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsHandleAlert ( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +EFI_STATUS +EFIAPI +TlsCloseNotify ( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ) +{ + ASSERT(FALSE); + return EFI_UNSUPPORTED; +} + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +INTN +EFIAPI +TlsCtrlTrafficOut ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + ASSERT(FALSE); + return 0; +} + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +INTN +EFIAPI +TlsCtrlTrafficIn ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + ASSERT(FALSE); + return 0; +} +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +INTN +EFIAPI +TlsRead ( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ) +{ + ASSERT(FALSE); + return 0; +} + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +INTN +EFIAPI +TlsWrite ( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ) +{ + ASSERT(FALSE); + return 0; +} + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Ppi/Crypto.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Ppi/Crypto.h new file mode 100644 index 00000000..ac94dbf6 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Ppi/Crypto.h @@ -0,0 +1,21 @@ +/** @file + This PPI provides Crypto services to PEIMs + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __EDKII_CRYPTO_PPI_H__ +#define __EDKII_CRYPTO_PPI_H__ + +#include + +/// +/// EDK II Crypto PPI is identical to EDK II Crypto Protocol +/// +typedef EDKII_CRYPTO_PROTOCOL EDKII_CRYPTO_PPI; + +extern GUID gEdkiiCryptoPpiGuid; + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/Crypto.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/Crypto.h new file mode 100644 index 00000000..fbd2d963 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/Crypto.h @@ -0,0 +1,3678 @@ +/** @file + This Protocol provides Crypto services to DXE modules + + Copyright (C) Microsoft Corporation. All rights reserved. + Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __EDKII_CRYPTO_PROTOCOL_H__ +#define __EDKII_CRYPTO_PROTOCOL_H__ + +#include +#include +#include + +/// +/// The version of the EDK II Crypto Protocol. +/// As APIs are added to BaseCryptLib, the EDK II Crypto Protocol is extended +/// with new APIs at the end of the EDK II Crypto Protocol structure. Each time +/// the EDK II Crypto Protocol is extended, this version define must be +/// increased. +/// +#define EDKII_CRYPTO_VERSION 7 + +/// +/// EDK II Crypto Protocol forward declaration +/// +typedef struct _EDKII_CRYPTO_PROTOCOL EDKII_CRYPTO_PROTOCOL; + +/** + Returns the version of the EDK II Crypto Protocol. + + @return The version of the EDK II Crypto Protocol. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_GET_VERSION) ( + VOID + ); + +//===================================================================================== +// MAC (Message Authentication Code) Primitive +//===================================================================================== +/** + HMAC MD5 is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +VOID* +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) ( + VOID + ); + +typedef +VOID +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) ( + IN VOID *HmacMd5Ctx + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) ( + OUT VOID *HmacMd5Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) ( + IN CONST VOID *HmacMd5Context, + OUT VOID *NewHmacMd5Context + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) ( + IN OUT VOID *HmacMd5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) ( + IN OUT VOID *HmacMd5Context, + OUT UINT8 *HmacValue + ); + +/** + HMAC SHA1 is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +VOID* +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) ( + VOID + ); + +typedef +VOID +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) ( + IN VOID *HmacSha1Ctx + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) ( + OUT VOID *HmacSha1Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) ( + IN CONST VOID *HmacSha1Context, + OUT VOID *NewHmacSha1Context + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) ( + IN OUT VOID *HmacSha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) ( + IN OUT VOID *HmacSha1Context, + OUT UINT8 *HmacValue + ); + + +/** + Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use. + + @return Pointer to the HMAC_CTX context that has been initialized. + If the allocations fails, HmacSha256New() returns NULL. + +**/ +typedef +VOID * +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_NEW) ( + VOID + ); + +/** + Release the specified HMAC_CTX context. + + @param[in] HmacSha256Ctx Pointer to the HMAC_CTX context to be released. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_FREE) ( + IN VOID *HmacSha256Ctx + ); + + +/** + Set user-supplied key for subsequent use. It must be done before any + calling to HmacSha256Update(). + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HmacSha256Context Pointer to HMAC-SHA256 context. + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + + @retval TRUE The Key is set successfully. + @retval FALSE The Key is set unsuccessfully. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_SET_KEY) ( + OUT VOID *HmacSha256Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +/** + Makes a copy of an existing HMAC-SHA256 context. + + If HmacSha256Context is NULL, then return FALSE. + If NewHmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] HmacSha256Context Pointer to HMAC-SHA256 context being copied. + @param[out] NewHmacSha256Context Pointer to new HMAC-SHA256 context. + + @retval TRUE HMAC-SHA256 context copy succeeded. + @retval FALSE HMAC-SHA256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_DUPLICATE) ( + IN CONST VOID *HmacSha256Context, + OUT VOID *NewHmacSha256Context + ); + + +/** + Digests the input data and updates HMAC-SHA256 context. + + This function performs HMAC-SHA256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[in] Data Pointer to the buffer containing the data to be digested. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE HMAC-SHA256 data digest succeeded. + @retval FALSE HMAC-SHA256 data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_UPDATE) ( + IN OUT VOID *HmacSha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the HMAC-SHA256 digest value. + + This function completes HMAC-SHA256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the HMAC-SHA256 context cannot + be used again. + HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized + by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined. + + If HmacSha256Context is NULL, then return FALSE. + If HmacValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HmacSha256Context Pointer to the HMAC-SHA256 context. + @param[out] HmacValue Pointer to a buffer that receives the HMAC-SHA256 digest + value (32 bytes). + + @retval TRUE HMAC-SHA256 digest computation succeeded. + @retval FALSE HMAC-SHA256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_HMAC_SHA256_FINAL) ( + IN OUT VOID *HmacSha256Context, + OUT UINT8 *HmacValue + ); + + +//===================================================================================== +// One-Way Cryptographic Hash Primitives +//===================================================================================== + +/** + MD4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +UINTN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) ( + VOID + ); + + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) ( + OUT VOID *Md4Context + ); + + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) ( + IN CONST VOID *Md4Context, + OUT VOID *NewMd4Context + ); + + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) ( + IN OUT VOID *Md4Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) ( + IN OUT VOID *Md4Context, + OUT UINT8 *HashValue + ); + + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +// ---------------------------------------------------------------------------- + +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI* EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE)( + VOID + ); + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_MD5_INIT)( + OUT VOID *Md5Context); + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_MD5_DUPLICATE) ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context); + + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly initialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_MD5_UPDATE)( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize); + + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly initialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_MD5_FINAL)( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue); + + +/** + Computes the MD5 message digest of a input data buffer. + + This function performs the MD5 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_MD5_HASH_ALL)( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue); + + +//===================================================================================== +// PKCS +//===================================================================================== + + +/** + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the encrypted message in + in a newly allocated buffer. + + Things that can cause a failure include: + - X509 key size does not match any known key size. + - Fail to parse X509 certificate. + - Fail to allocate an intermediate buffer. + - NULL pointer provided for a non-optional parameter. + - Data size is too large for the provided key size (max size is a function of key size and hash digest size). + + @param[in] PublicKey A pointer to the DER-encoded X509 certificate that will be used to encrypt the data. + @param[in] PublicKeySize Size of the X509 cert buffer. + @param[in] InData Data to be encrypted. + @param[in] InDataSize Size of the data buffer. + @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer to be used when initializing the PRNG. NULL otherwise. + @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer. 0 otherwise. + @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted message. + @param[out] EncryptedDataSize Size of the encrypted message buffer. + + @retval TRUE Encryption was successful. + @retval FALSE Encryption failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS1_ENCRYPT_V2) ( +IN CONST UINT8 *PublicKey, +IN UINTN PublicKeySize, +IN UINT8 *InData, +IN UINTN InDataSize, +IN CONST UINT8 *PrngSeed OPTIONAL, +IN UINTN PrngSeedSize OPTIONAL, +OUT UINT8 **EncryptedData, +OUT UINTN *EncryptedDataSize +); + + + + +// --------------------------------------------- +// PKCS5 + +/** + Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0 + password based encryption key derivation function PBKDF2, as specified in RFC 2898. + + If Password or Salt or OutKey is NULL, then return FALSE. + If the hash algorithm could not be determined, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PasswordLength Length of input password in bytes. + @param[in] Password Pointer to the array for the password. + @param[in] SaltLength Size of the Salt in bytes. + @param[in] Salt Pointer to the Salt. + @param[in] IterationCount Number of iterations to perform. Its value should be + greater than or equal to 1. + @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE). + NOTE: DigestSize will be used to determine the hash algorithm. + Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported. + @param[in] KeyLength Size of the derived key buffer in bytes. + @param[out] OutKey Pointer to the output derived key buffer. + + @retval TRUE A key was derived successfully. + @retval FALSE One of the pointers was NULL or one of the sizes was too large. + @retval FALSE The hash algorithm could not be determined from the digest size. + @retval FALSE The key derivation operation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS5_PW_HASH) ( + IN UINTN PasswordSize, + IN CONST CHAR8 *Password, + IN UINTN SaltSize, + IN CONST UINT8 *Salt, + IN UINTN IterationCount, + IN UINTN DigestSize, + IN UINTN OutputSize, + OUT UINT8 *Output + ); + + + +// --------------------------------------------- +// PKCS7 + +/** + Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, TrustedCert or InData is NULL, then return FALSE. + If P7Length, CertLength or DataLength overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval TRUE The specified PKCS#7 signed data is valid. + @retval FALSE Invalid PKCS#7 signed data. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_VERIFY) ( +IN CONST UINT8 *P7Data, +IN UINTN P7DataLength, +IN CONST UINT8 *TrustedCert, +IN UINTN TrustedCertLength, +IN CONST UINT8 *Data, +IN UINTN DataLength +); + +/** + VerifyEKUsInPkcs7Signature() + + This function receives a PKCS7 formatted signature, and then verifies that + the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity + leaf signing certificate. + + Note that this function does not validate the certificate chain. + + Applications for custom EKU's are quite flexible. For example, a policy EKU + may be present in an Issuing Certificate Authority (CA), and any sub-ordinate + certificate issued might also contain this EKU, thus constraining the + sub-ordinate certificate. Other applications might allow a certificate + embedded in a device to specify that other Object Identifiers (OIDs) are + present which contains binary data specifying custom capabilities that + the device is able to do. + + @param[in] Pkcs7Signature - The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + + @param[in] Pkcs7SignatureSize - Number of bytes in Pkcs7Signature. + + @param[in] RequiredEKUs - Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + + @param[in] RequiredEKUsSize - Number of elements in the RequiredEKUs string array. + + @param[in] RequireAllPresent - If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS - The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER - A parameter was invalid. + @retval EFI_NOT_FOUND - One or more EKU's were not found in the signature. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_PKCS7_VERIFY_EKU) ( +IN CONST UINT8 *Pkcs7Signature, +IN CONST UINT32 SignatureSize, +IN CONST CHAR8 *RequiredEKUs[], +IN CONST UINT32 RequiredEKUsSize, +IN BOOLEAN RequireAllPresent +); + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then + return FALSE. If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsibility to free the buffer with + Pkcs7FreeSigners(). + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_SIGNERS) ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ); + +/** + Wrap function to use free() to free allocated memory for certificates. + + If this interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_PKCS7_FREE_SIGNERS) ( + IN UINT8 *Certs + ); + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + If this interface is not supported, then return FALSE. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_SIGN) ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ); + +/** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. + + If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow, + then return FALSE. If the P7Data is not correctly formatted, then return FALSE. + + Caution: This function may receive untrusted input. So this function will do + basic check for PKCS#7 data structure. + + @param[in] P7Data Pointer to the PKCS#7 signed data to process. + @param[in] P7Length Length of the PKCS#7 signed data in bytes. + @param[out] Content Pointer to the extracted content from the PKCS#7 signedData. + It's caller's responsibility to free the buffer with FreePool(). + @param[out] ContentSize The size of the extracted content in bytes. + + @retval TRUE The P7Data was correctly formatted for processing. + @retval FALSE The P7Data was not correctly formatted for processing. + + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_ATTACHED_CONTENT) ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT VOID **Content, + OUT UINTN *ContentSize + ); + +/** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7Data Pointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SignerChainCerts Pointer to the certificates list chained to signer's + certificate. It's caller's responsibility to free the buffer + with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's + responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_CERTIFICATES_LIST) ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **SignerChainCerts, + OUT UINTN *ChainLength, + OUT UINT8 **UnchainCerts, + OUT UINTN *UnchainLength + ); + +/** + Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows + Authenticode Portable Executable Signature Format". + + If AuthData is NULL, then return FALSE. + If ImageHash is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[in] ImageHash Pointer to the original image file hash value. The procedure + for calculating the image hash value is described in Authenticode + specification. + @param[in] HashSize Size of Image hash value in bytes. + + @retval TRUE The specified Authenticode Signature is valid. + @retval FALSE Invalid Authenticode Signature. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_AUTHENTICODE_VERIFY) ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TrustedCert, + IN UINTN CertSize, + IN CONST UINT8 *ImageHash, + IN UINTN HashSize + ); + +/** + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode + signature. + + If AuthData is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed + PE/COFF image to be verified. + @param[in] DataSize Size of the Authenticode Signature in bytes. + @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which + is used for TSA certificate chain verification. + @param[in] CertSize Size of the trusted certificate in bytes. + @param[out] SigningTime Return the time of timestamp generation time if the timestamp + signature is valid. + + @retval TRUE The specified Authenticode includes a valid RFC3161 Timestamp CounterSignature. + @retval FALSE No valid RFC3161 Timestamp CounterSignature in the specified Authenticode data. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_IMAGE_TIMESTAMP_VERIFY) ( + IN CONST UINT8 *AuthData, + IN UINTN DataSize, + IN CONST UINT8 *TsaCert, + IN UINTN CertSize, + OUT EFI_TIME *SigningTime + ); + + +//===================================================================================== +// DH Key Exchange Primitive +//===================================================================================== + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the allocations fails, DhNew() returns NULL. + If the interface is not supported, DhNew() returns NULL. + +**/ +typedef +VOID* +(EFIAPI *EDKII_CRYPTO_DH_NEW) ( + VOID + ); + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_DH_FREE) ( + IN VOID *DhContext + ); + +/** + Generates DH parameter. + + Given generator g, and length of prime number p in bits, this function generates p, + and sets DH context according to value of g and p. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval TRUE DH parameter generation succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE PRNG fails to generate random prime number with PrimeLength. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_DH_GENERATE_PARAMETER) ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ); + +/** + Sets generator and prime parameters for DH. + + Given generator g, and prime number p, this function and sets DH + context accordingly. + + If DhContext is NULL, then return FALSE. + If Prime is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval TRUE DH parameter setting succeeded. + @retval FALSE Value of Generator is not supported. + @retval FALSE Value of Generator is not suitable for the Prime. + @retval FALSE Value of Prime is not a prime number. + @retval FALSE Value of Prime is not a safe prime number. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_DH_SET_PARAMETER) ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ); + +/** + Generates DH public key. + + This function generates random secret exponent, and computes the public key, which is + returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. + If the PublicKey buffer is too small to hold the public key, FALSE is returned and + PublicKeySize is set to the required buffer size to obtain the public key. + + If DhContext is NULL, then return FALSE. + If PublicKeySize is NULL, then return FALSE. + If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval TRUE DH public key generation succeeded. + @retval FALSE DH public key generation failed. + @retval FALSE PublicKeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_DH_GENERATE_KEY) ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ); + +/** + Computes exchanged common key. + + Given peer's public key, this function computes the exchanged common key, based on its own + context including value of prime modulus and random secret exponent. + + If DhContext is NULL, then return FALSE. + If PeerPublicKey is NULL, then return FALSE. + If KeySize is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval TRUE DH exchanged key generation succeeded. + @retval FALSE DH exchanged key generation failed. + @retval FALSE KeySize is not large enough. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_DH_COMPUTE_KEY) ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ); + +//===================================================================================== +// Pseudo-Random Generation Primitive +//===================================================================================== + +/** + Sets up the seed value for the pseudorandom number generator. + + This function sets up the seed value for the pseudorandom number generator. + If Seed is not NULL, then the seed passed in is used. + If Seed is NULL, then default seed is used. + If this interface is not supported, then return FALSE. + + @param[in] Seed Pointer to seed value. + If NULL, default seed is used. + @param[in] SeedSize Size of seed value. + If Seed is NULL, this parameter is ignored. + + @retval TRUE Pseudorandom number generator has enough entropy for random generation. + @retval FALSE Pseudorandom number generator does not have enough entropy for random generation. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RANDOM_SEED) ( + IN CONST UINT8 *Seed OPTIONAL, + IN UINTN SeedSize + ); + +/** + Generates a pseudorandom byte stream of the specified size. + + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Output Pointer to buffer to receive random value. + @param[in] Size Size of random bytes to generate. + + @retval TRUE Pseudorandom byte stream generated successfully. + @retval FALSE Pseudorandom number generator fails to generate due to lack of entropy. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RANDOM_BYTES) ( + OUT UINT8 *Output, + IN UINTN Size + ); + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_VERIFY_PKCS1) ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +typedef +VOID* +(EFIAPI *EDKII_CRYPTO_RSA_NEW) ( + VOID + ); + +/** + Release the specified RSA context. + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_RSA_FREE) ( + IN VOID *RsaContext + ); + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_SET_KEY) ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ); + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_GET_KEY) ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ); + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_GENERATE_KEY) ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ); + +/** + Validates key components of RSA context. + NOTE: This function performs integrity checks on all the RSA key material, so + the RSA key structure must contain all the private key data. + + This function validates key components of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_CHECK_KEY) ( + IN VOID *RsaContext + ); + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_PKCS1_SIGN) ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_PKCS1_VERIFY) ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + +/** + Retrieve the RSA Private Key from the password-protected PEM key data. + + If PemData is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA private key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM) ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **RsaContext + ); + +/** + Retrieve the RSA Public Key from one DER-encoded X509 certificate. + + If Cert is NULL, then return FALSE. + If RsaContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved + RSA public key component. Use RsaFree() function to free the + resource. + + @retval TRUE RSA Public Key was retrieved successfully. + @retval FALSE Fail to retrieve RSA public key from X509 certificate. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **RsaContext + ); + +//---------------------------------------- +// SHA +//---------------------------------------- + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE ) ( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA1_INIT ) ( + OUT VOID *Sha1Context + ); + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA1_DUPLICATE ) ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ); + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA1_UPDATE ) ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA1_FINAL ) ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA1_HASH_ALL ) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE ) ( + VOID +); + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA256_INIT ) ( + OUT VOID *Sha256Context + ); + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA256_DUPLICATE ) ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ); + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA256_UPDATE ) ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA256_FINAL ) ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA256_HASH_ALL ) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations. + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SHA-384 hash operations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_SHA384_GET_CONTEXT_SIZE) ( + VOID + ); + + +/** + Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for + subsequent use. + + If Sha384Context is NULL, then return FALSE. + + @param[out] Sha384Context Pointer to SHA-384 context being initialized. + + @retval TRUE SHA-384 context initialization succeeded. + @retval FALSE SHA-384 context initialization failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA384_INIT) ( + OUT VOID *Sha384Context + ); + + +/** + Makes a copy of an existing SHA-384 context. + + If Sha384Context is NULL, then return FALSE. + If NewSha384Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha384Context Pointer to SHA-384 context being copied. + @param[out] NewSha384Context Pointer to new SHA-384 context. + + @retval TRUE SHA-384 context copy succeeded. + @retval FALSE SHA-384 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA384_DUPLICATE) ( + IN CONST VOID *Sha384Context, + OUT VOID *NewSha384Context + ); + + +/** + Digests the input data and updates SHA-384 context. + + This function performs SHA-384 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be finalized + by Sha384Final(). Behavior with invalid context is undefined. + + If Sha384Context is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-384 data digest succeeded. + @retval FALSE SHA-384 data digest failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA384_UPDATE) ( + IN OUT VOID *Sha384Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + + +/** + Completes computation of the SHA-384 digest value. + + This function completes SHA-384 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-384 context cannot + be used again. + SHA-384 context should be already correctly initialized by Sha384Init(), and should not be + finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined. + + If Sha384Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha384Context Pointer to the SHA-384 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA384_FINAL) ( + IN OUT VOID *Sha384Context, + OUT UINT8 *HashValue + ); + + +/** + Computes the SHA-384 message digest of a input data buffer. + + This function performs the SHA-384 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest + value (48 bytes). + + @retval TRUE SHA-384 digest computation succeeded. + @retval FALSE SHA-384 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA384_HASH_ALL) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-512 hash operations. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_SHA512_GET_CONTEXT_SIZE) ( + VOID + ); + + +/** + Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for + subsequent use. + + If Sha512Context is NULL, then return FALSE. + + @param[out] Sha512Context Pointer to SHA-512 context being initialized. + + @retval TRUE SHA-512 context initialization succeeded. + @retval FALSE SHA-512 context initialization failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA512_INIT) ( + OUT VOID *Sha512Context + ); + + +/** + Makes a copy of an existing SHA-512 context. + + If Sha512Context is NULL, then return FALSE. + If NewSha512Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sha512Context Pointer to SHA-512 context being copied. + @param[out] NewSha512Context Pointer to new SHA-512 context. + + @retval TRUE SHA-512 context copy succeeded. + @retval FALSE SHA-512 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA512_DUPLICATE) ( + IN CONST VOID *Sha512Context, + OUT VOID *NewSha512Context + ); + +/** + Digests the input data and updates SHA-512 context. + + This function performs SHA-512 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be finalized + by Sha512Final(). Behavior with invalid context is undefined. + + If Sha512Context is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-512 data digest succeeded. + @retval FALSE SHA-512 data digest failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA512_UPDATE) ( + IN OUT VOID *Sha512Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + + +/** + Completes computation of the SHA-512 digest value. + + This function completes SHA-512 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-512 context cannot + be used again. + SHA-512 context should be already correctly initialized by Sha512Init(), and should not be + finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined. + + If Sha512Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha512Context Pointer to the SHA-512 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA512_FINAL) ( + IN OUT VOID *Sha512Context, + OUT UINT8 *HashValue + ); + +/** + Computes the SHA-512 message digest of a input data buffer. + + This function performs the SHA-512 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest + value (64 bytes). + + @retval TRUE SHA-512 digest computation succeeded. + @retval FALSE SHA-512 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_SHA512_HASH_ALL) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +//---------------------------------------------------------------------------- +// X509 +//---------------------------------------------------------------------------- + +/** + Retrieve the subject bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If SubjectSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertSubject Pointer to the retrieved certificate subject bytes. + @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input, + and the size of buffer returned CertSubject on output. + + @retval TRUE The certificate subject retrieved successfully. + @retval FALSE Invalid certificate, or the SubjectSize is too small for the result. + The SubjectSize will be updated with the required size. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_GET_SUBJECT_NAME) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertSubject, + IN OUT UINTN *SubjectSize + ); + +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certificate common + name string (UTF8). At most CommonNameSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, + and the size of buffer returned CommonName on output. + If CommonName is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_X509_GET_COMMON_NAME) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, OPTIONAL + IN OUT UINTN *CommonNameSize + ); + +/** + Retrieve the organization name (O) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] NameBuffer Buffer to contain the retrieved certificate organization + name string. At most NameBufferSize bytes will be + written and the string will be null terminated. May be + NULL in order to determine the size buffer needed. + @param[in,out] NameBufferSiz e The size in bytes of the Name buffer on input, + and the size of buffer returned Name on output. + If NameBuffer is NULL then the amount of space needed + in buffer (including the final null) is returned. + + @retval RETURN_SUCCESS The certificate Organization Name retrieved successfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If NameBufferSize is NULL. + If NameBuffer is not NULL and *CommonNameSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no Organization Name entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the NameBuffer is NULL. The required buffer size + (including the final null) is returned in the + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_CRYPTO_X509_GET_ORGANIZATION_NAME) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *NameBuffer, OPTIONAL + IN OUT UINTN *NameBufferSize + ); + +/** + Verify one X509 certificate was issued by the trusted CA. + + If Cert is NULL, then return FALSE. + If CACert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] CACert Pointer to the DER-encoded trusted CA certificate. + @param[in] CACertSize Size of the CA Certificate in bytes. + + @retval TRUE The certificate was issued by the trusted CA. + @retval FALSE Invalid certificate or the certificate was not issued by the given + trusted CA. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_VERIFY_CERT) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *CACert, + IN UINTN CACertSize + ); + +/** + Construct a X509 object from DER-encoded certificate data. + + If Cert is NULL, then return FALSE. + If SingleX509Cert is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded certificate data. + @param[in] CertSize The size of certificate data in bytes. + @param[out] SingleX509Cert The generated X509 object. + + @retval TRUE The X509 object generation succeeded. + @retval FALSE The operation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **SingleX509Cert + ); + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param ... A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE_STACK) ( + IN OUT UINT8 **X509Stack, + ... + ); + +/** + Construct a X509 stack object from a list of DER-encoded certificate data. + + If X509Stack is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object. + On output, pointer to the X509 stack object with new + inserted X509 certificate. + @param[in] Args VA_LIST marker for the variable argument list. + A list of DER-encoded single certificate data followed + by certificate size. A NULL terminates the list. The + pairs are the arguments to X509ConstructCertificate(). + + @retval TRUE The X509 stack construction succeeded. + @retval FALSE The construction operation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE_STACK_V) ( + IN OUT UINT8 **X509Stack, + IN VA_LIST Args + ); + +/** + Release the specified X509 object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Cert Pointer to the X509 object to be released. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_X509_FREE) ( + IN VOID *X509Cert + ); + +/** + Release the specified X509 stack object. + + If the interface is not supported, then ASSERT(). + + @param[in] X509Stack Pointer to the X509 stack object to be released. + +**/ +typedef +VOID +(EFIAPI *EDKII_CRYPTO_X509_STACK_FREE) ( + IN VOID *X509Stack + ); + +/** + Retrieve the TBSCertificate from one given X.509 certificate. + + @param[in] Cert Pointer to the given DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] TBSCert DER-Encoded To-Be-Signed certificate. + @param[out] TBSCertSize Size of the TBS certificate in bytes. + + If Cert is NULL, then return FALSE. + If TBSCert is NULL, then return FALSE. + If TBSCertSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @retval TRUE The TBSCertificate was retrieved successfully. + @retval FALSE Invalid X.509 certificate. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_X509_GET_TBS_CERT) ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 **TBSCert, + OUT UINTN *TBSCertSize + ); + + + +//===================================================================================== +// Symmetric Cryptography Primitive +//===================================================================================== + +/** + TDES is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +UINTN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) ( + OUT VOID *TdesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) ( + IN VOID *TdesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +/** + Retrieves the size, in bytes, of the context buffer required for AES operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for AES operations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI *EDKII_CRYPTO_AES_GET_CONTEXT_SIZE) ( + VOID + ); + +/** + Initializes user-supplied memory as AES context for subsequent use. + + This function initializes user-supplied memory pointed by AesContext as AES context. + In addition, it sets up all AES key materials for subsequent encryption and decryption + operations. + There are 3 options for key length, 128 bits, 192 bits, and 256 bits. + + If AesContext is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeyLength is not valid, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] AesContext Pointer to AES context being initialized. + @param[in] Key Pointer to the user-supplied AES key. + @param[in] KeyLength Length of AES key in bits. + + @retval TRUE AES context initialization succeeded. + @retval FALSE AES context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_AES_INIT) ( + OUT VOID *AesContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ); + +/** + AES ECB Mode is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +/** + Performs AES encryption on a data buffer of the specified size in CBC mode. + + This function performs AES encryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES encryption succeeded. + @retval FALSE AES encryption failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_AES_CBC_ENCRYPT) ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +/** + Performs AES decryption on a data buffer of the specified size in CBC mode. + + This function performs AES decryption on data buffer pointed by Input, of specified + size of InputSize, in CBC mode. + InputSize must be multiple of block size (16 bytes). This function does not perform + padding. Caller must perform padding, if necessary, to ensure valid input data size. + Initialization vector should be one block size (16 bytes). + AesContext should be already correctly initialized by AesInit(). Behavior with + invalid AES context is undefined. + + If AesContext is NULL, then return FALSE. + If Input is NULL, then return FALSE. + If InputSize is not multiple of block size (16 bytes), then return FALSE. + If Ivec is NULL, then return FALSE. + If Output is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] AesContext Pointer to the AES context. + @param[in] Input Pointer to the buffer containing the data to be encrypted. + @param[in] InputSize Size of the Input buffer in bytes. + @param[in] Ivec Pointer to initialization vector. + @param[out] Output Pointer to a buffer that receives the AES encryption output. + + @retval TRUE AES decryption succeeded. + @retval FALSE AES decryption failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_AES_CBC_DECRYPT) ( + IN VOID *AesContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +/** + ARC4 is deprecated and unsupported any longer. + Keep the function field for binary compability. + +**/ +typedef +UINTN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) ( + OUT VOID *Arc4Context, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) ( + IN OUT VOID *Arc4Context, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) ( + IN OUT VOID *Arc4Context, + IN UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) ( + IN OUT VOID *Arc4Context + ); + + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI* EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE)( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_SM3_INIT)( + OUT VOID *Sm3Context); + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_SM3_DUPLICATE) ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context); + + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_SM3_UPDATE)( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize); + + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (16 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_SM3_FINAL)( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue); + + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (16 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_SM3_HASH_ALL)( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue); + + +/** + Derive key data using HMAC-SHA256 based KDF. + + @param[in] Key Pointer to the user-supplied key. + @param[in] KeySize Key size in bytes. + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[in] Info Pointer to the application specific info. + @param[in] InfoSize Info size in bytes. + @param[out] Out Pointer to buffer to receive hkdf value. + @param[in] OutSize Size of hkdf bytes to generate. + + @retval TRUE Hkdf generated successfully. + @retval FALSE Hkdf generation failed. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_HKDF_SHA_256_EXTRACT_AND_EXPAND)( + IN CONST UINT8 *Key, + IN UINTN KeySize, + IN CONST UINT8 *Salt, + IN UINTN SaltSize, + IN CONST UINT8 *Info, + IN UINTN InfoSize, + OUT UINT8 *Out, + IN UINTN OutSize + ); + +/** + Initializes the OpenSSL library. + + This function registers ciphers and digests used directly and indirectly + by SSL/TLS, and initializes the readable error messages. + This function must be called before any other action takes places. + + @retval TRUE The OpenSSL library has been initialized. + @retval FALSE Failed to initialize the OpenSSL library. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_TLS_INITIALIZE)( + VOID + ); + +/** + Free an allocated SSL_CTX object. + + @param[in] TlsCtx Pointer to the SSL_CTX object to be released. + +**/ +typedef +VOID +(EFIAPI* EDKII_CRYPTO_TLS_CTX_FREE)( + IN VOID *TlsCtx + ); + +/** + Creates a new SSL_CTX object as framework to establish TLS/SSL enabled + connections. + + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @return Pointer to an allocated SSL_CTX object. + If the creation failed, TlsCtxNew() returns NULL. + +**/ +typedef +VOID * +(EFIAPI* EDKII_CRYPTO_TLS_CTX_NEW)( + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Free an allocated TLS object. + + This function removes the TLS object pointed to by Tls and frees up the + allocated memory. If Tls is NULL, nothing is done. + + @param[in] Tls Pointer to the TLS object to be freed. + +**/ +typedef +VOID +(EFIAPI* EDKII_CRYPTO_TLS_FREE)( + IN VOID *Tls + ); + +/** + Create a new TLS object for a connection. + + This function creates a new TLS object for a connection. The new object + inherits the setting of the underlying context TlsCtx: connection method, + options, verification setting. + + @param[in] TlsCtx Pointer to the SSL_CTX object. + + @return Pointer to an allocated SSL object. + If the creation failed, TlsNew() returns NULL. + +**/ +typedef +VOID * +(EFIAPI* EDKII_CRYPTO_TLS_NEW)( + IN VOID *TlsCtx + ); + +/** + Checks if the TLS handshake was done. + + This function will check if the specified TLS handshake was done. + + @param[in] Tls Pointer to the TLS object for handshake state checking. + + @retval TRUE The TLS handshake was done. + @retval FALSE The TLS handshake was not done. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_TLS_IN_HANDSHAKE)( + IN VOID *Tls + ); + +/** + Perform a TLS/SSL handshake. + + This function will perform a TLS/SSL handshake. + + @param[in] Tls Pointer to the TLS object for handshake operation. + @param[in] BufferIn Pointer to the most recently received TLS Handshake packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Handshake packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + @retval EFI_ABORTED Something wrong during handshake. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_DO_HANDSHAKE)( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Handle Alert message recorded in BufferIn. If BufferIn is NULL and BufferInSize is zero, + TLS session has errors and the response packet needs to be Alert message based on error type. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in] BufferIn Pointer to the most recently received TLS Alert packet. + @param[in] BufferInSize Packet size in bytes for the most recently received TLS + Alert packet. + @param[out] BufferOut Pointer to the buffer to hold the built packet. + @param[in, out] BufferOutSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferIn is NULL but BufferInSize is NOT 0. + BufferInSize is 0 but BufferIn is NOT NULL. + BufferOutSize is NULL. + BufferOut is NULL if *BufferOutSize is not zero. + @retval EFI_ABORTED An error occurred. + @retval EFI_BUFFER_TOO_SMALL BufferOutSize is too small to hold the response packet. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_HANDLE_ALERT)( + IN VOID *Tls, + IN UINT8 *BufferIn, OPTIONAL + IN UINTN BufferInSize, OPTIONAL + OUT UINT8 *BufferOut, OPTIONAL + IN OUT UINTN *BufferOutSize + ); + +/** + Build the CloseNotify packet. + + @param[in] Tls Pointer to the TLS object for state checking. + @param[in, out] Buffer Pointer to the buffer to hold the built packet. + @param[in, out] BufferSize Pointer to the buffer size in bytes. On input, it is + the buffer size provided by the caller. On output, it + is the buffer size in fact needed to contain the + packet. + + @retval EFI_SUCCESS The required TLS packet is built successfully. + @retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE: + Tls is NULL. + BufferSize is NULL. + Buffer is NULL if *BufferSize is not zero. + @retval EFI_BUFFER_TOO_SMALL BufferSize is too small to hold the response packet. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_CLOSE_NOTIFY)( + IN VOID *Tls, + IN OUT UINT8 *Buffer, + IN OUT UINTN *BufferSize + ); + +/** + Attempts to read bytes from one TLS object and places the data in Buffer. + + This function will attempt to read BufferSize bytes from the TLS object + and places the data in Buffer. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] Buffer Pointer to the buffer to store the data. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully read from the TLS object. + @retval <=0 No data was successfully read. + +**/ +typedef +INTN +(EFIAPI* EDKII_CRYPTO_TLS_CTRL_TRAFFIC_OUT)( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data from the buffer to TLS object. + + This function will attempt to write BufferSize bytes data from the Buffer + to the TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The amount of data successfully written to the TLS object. + @retval <=0 No data was successfully written. + +**/ +typedef +INTN +(EFIAPI* EDKII_CRYPTO_TLS_CTRL_TRAFFIC_IN)( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to read bytes from the specified TLS connection into the buffer. + + This function tries to read BufferSize bytes data from the specified TLS + connection into the Buffer. + + @param[in] Tls Pointer to the TLS connection for data reading. + @param[in,out] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The read operation was successful, and return value is the + number of bytes actually read from the TLS connection. + @retval <=0 The read operation was not successful. + +**/ +typedef +INTN +(EFIAPI* EDKII_CRYPTO_TLS_READ)( + IN VOID *Tls, + IN OUT VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Attempts to write data to a TLS connection. + + This function tries to write BufferSize bytes data from the Buffer into the + specified TLS connection. + + @param[in] Tls Pointer to the TLS connection for data writing. + @param[in] Buffer Pointer to the data buffer. + @param[in] BufferSize The size of Buffer in bytes. + + @retval >0 The write operation was successful, and return value is the + number of bytes actually written to the TLS connection. + @retval <=0 The write operation was not successful. + +**/ +typedef +INTN +(EFIAPI* EDKII_CRYPTO_TLS_WRITE)( + IN VOID *Tls, + IN VOID *Buffer, + IN UINTN BufferSize + ); + +/** + Set a new TLS/SSL method for a particular TLS object. + + This function sets a new TLS/SSL method for a particular TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] MajorVer Major Version of TLS/SSL Protocol. + @param[in] MinorVer Minor Version of TLS/SSL Protocol. + + @retval EFI_SUCCESS The TLS/SSL method was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL method. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_VERSION)( + IN VOID *Tls, + IN UINT8 MajorVer, + IN UINT8 MinorVer + ); + +/** + Set TLS object to work in client or server mode. + + This function prepares a TLS object to work in client or server mode. + + @param[in] Tls Pointer to a TLS object. + @param[in] IsServer Work in server mode. + + @retval EFI_SUCCESS The TLS/SSL work mode was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_CONNECTION_END)( + IN VOID *Tls, + IN BOOLEAN IsServer + ); + +/** + Set the ciphers list to be used by the TLS object. + + This function sets the ciphers for use by a specified TLS object. + + @param[in] Tls Pointer to a TLS object. + @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16 + cipher identifier comes from the TLS Cipher Suite + Registry of the IANA, interpreting Byte1 and Byte2 + in network (big endian) byte order. + @param[in] CipherNum The number of cipher in the list. + + @retval EFI_SUCCESS The ciphers list was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId. + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_CIPHER_LIST)( + IN VOID *Tls, + IN UINT16 *CipherId, + IN UINTN CipherNum + ); + +/** + Set the compression method for TLS/SSL operations. + + This function handles TLS/SSL integrated compression methods. + + @param[in] CompMethod The compression method ID. + + @retval EFI_SUCCESS The compression method for the communication was + set successfully. + @retval EFI_UNSUPPORTED Unsupported compression method. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_COMPRESSION_METHOD)( + IN UINT8 CompMethod + ); + +/** + Set peer certificate verification mode for the TLS connection. + + This function sets the verification mode flags for the TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] VerifyMode A set of logically or'ed verification mode flags. + +**/ +typedef +VOID +(EFIAPI* EDKII_CRYPTO_TLS_SET_VERIFY)( + IN VOID *Tls, + IN UINT32 VerifyMode + ); + +/** + Set the specified host name to be verified. + + @param[in] Tls Pointer to the TLS object. + @param[in] Flags The setting flags during the validation. + @param[in] HostName The specified host name to be verified. + + @retval EFI_SUCCESS The HostName setting was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid HostName setting. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_VERIFY_HOST)( + IN VOID *Tls, + IN UINT32 Flags, + IN CHAR8 *HostName + ); + +/** + Sets a TLS/SSL session ID to be used during TLS/SSL connect. + + This function sets a session ID to be used when the TLS/SSL connection is + to be established. + + @param[in] Tls Pointer to the TLS object. + @param[in] SessionId Session ID data used for session resumption. + @param[in] SessionIdLen Length of Session ID in bytes. + + @retval EFI_SUCCESS Session ID was set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED No available session for ID setting. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_SESSIONID)( + IN VOID *Tls, + IN UINT8 *SessionId, + IN UINT16 SessionIdLen + ); + +/** + Adds the CA to the cert store when requesting Server or Client authentication. + + This function adds the CA certificate to the list of CAs when requesting + Server or Client authentication for the chosen TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_CA_CERTIFICATE)( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Loads the local public certificate into the specified TLS object. + + This function loads the X.509 certificate into the specified TLS object + for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a DER-encoded binary + X.509 certificate or PEM-encoded X.509 certificate. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated. + @retval EFI_ABORTED Invalid X.509 certificate. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_HOST_PUBLIC_CERT)( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the local private key to the specified TLS object. + + This function adds the local private key (PEM-encoded RSA or PKCS#8 private + key) into the specified TLS object for TLS negotiation. + + @param[in] Tls Pointer to the TLS object. + @param[in] Data Pointer to the data buffer of a PEM-encoded RSA + or PKCS#8 private key. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid private key data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)( + IN VOID *Tls, + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Adds the CA-supplied certificate revocation list for certificate validation. + + This function adds the CA-supplied certificate revocation list data for + certificate validity checking. + + @param[in] Data Pointer to the data buffer of a DER-encoded CRL data. + @param[in] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_ABORTED Invalid CRL data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_SET_CERT_REVOCATION_LIST)( + IN VOID *Data, + IN UINTN DataSize + ); + +/** + Gets the protocol version used by the specified TLS connection. + + This function returns the protocol version used by the specified TLS + connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The protocol version of the specified TLS connection. + +**/ +typedef +UINT16 +(EFIAPI* EDKII_CRYPTO_TLS_GET_VERSION)( + IN VOID *Tls + ); + +/** + Gets the connection end of the specified TLS connection. + + This function returns the connection end (as client or as server) used by + the specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The connection end used by the specified TLS connection. + +**/ +typedef +UINT8 +(EFIAPI* EDKII_CRYPTO_TLS_GET_CONNECTION_END)( + IN VOID *Tls + ); + +/** + Gets the cipher suite used by the specified TLS connection. + + This function returns current cipher suite used by the specified + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CipherId The cipher suite used by the TLS object. + + @retval EFI_SUCCESS The cipher suite was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported cipher suite. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_CURRENT_CIPHER)( + IN VOID *Tls, + IN OUT UINT16 *CipherId + ); + +/** + Gets the compression methods used by the specified TLS connection. + + This function returns current integrated compression methods used by + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] CompressionId The current compression method used by + the TLS object. + + @retval EFI_SUCCESS The compression method was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_ABORTED Invalid Compression method. + @retval EFI_UNSUPPORTED This function is not supported. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_CURRENT_COMPRESSION_ID)( + IN VOID *Tls, + IN OUT UINT8 *CompressionId + ); + +/** + Gets the verification mode currently set in the TLS connection. + + This function returns the peer verification mode currently set in the + specified TLS connection. + + If Tls is NULL, then ASSERT(). + + @param[in] Tls Pointer to the TLS object. + + @return The verification mode set in the specified TLS connection. + +**/ +typedef +UINT32 +(EFIAPI* EDKII_CRYPTO_TLS_GET_VERIFY)( + IN VOID *Tls + ); + +/** + Gets the session ID used by the specified TLS connection. + + This function returns the TLS/SSL session ID currently used by the + specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] SessionId Buffer to contain the returned session ID. + @param[in,out] SessionIdLen The length of Session ID in bytes. + + @retval EFI_SUCCESS The Session ID was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_SESSION_ID)( + IN VOID *Tls, + IN OUT UINT8 *SessionId, + IN OUT UINT16 *SessionIdLen + ); + +/** + Gets the client random data used in the specified TLS connection. + + This function returns the TLS/SSL client random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ClientRandom Buffer to contain the returned client + random data (32 bytes). + +**/ +typedef +VOID +(EFIAPI* EDKII_CRYPTO_TLS_GET_CLIENT_RANDOM)( + IN VOID *Tls, + IN OUT UINT8 *ClientRandom + ); + +/** + Gets the server random data used in the specified TLS connection. + + This function returns the TLS/SSL server random data currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] ServerRandom Buffer to contain the returned server + random data (32 bytes). + +**/ +typedef +VOID +(EFIAPI* EDKII_CRYPTO_TLS_GET_SERVER_RANDOM)( + IN VOID *Tls, + IN OUT UINT8 *ServerRandom + ); + +/** + Gets the master key data used in the specified TLS connection. + + This function returns the TLS/SSL master key material currently used in + the specified TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[in,out] KeyMaterial Buffer to contain the returned key material. + + @retval EFI_SUCCESS Key material was returned successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Invalid TLS/SSL session. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_KEY_MATERIAL)( + IN VOID *Tls, + IN OUT UINT8 *KeyMaterial + ); + +/** + Gets the CA Certificate from the cert store. + + This function returns the CA certificate for the chosen + TLS connection. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the CA + certificate data sent to the client. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_CA_CERTIFICATE)( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local public Certificate set in the specified TLS object. + + This function returns the local public certificate which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + public certificate. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_NOT_FOUND The certificate is not found. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_HOST_PUBLIC_CERT)( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the local private key set in the specified TLS object. + + This function returns the local private key data which was currently set + in the specified TLS object. + + @param[in] Tls Pointer to the TLS object. + @param[out] Data Pointer to the data buffer to receive the local + private key data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_HOST_PRIVATE_KEY)( + IN VOID *Tls, + OUT VOID *Data, + IN OUT UINTN *DataSize + ); + +/** + Gets the CA-supplied certificate revocation list data set in the specified + TLS object. + + This function returns the CA-supplied certificate revocation list data which + was currently set in the specified TLS object. + + @param[out] Data Pointer to the data buffer to receive the CRL data. + @param[in,out] DataSize The size of data buffer in bytes. + + @retval EFI_SUCCESS The operation succeeded. + @retval EFI_UNSUPPORTED This function is not supported. + @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data. + +**/ +typedef +EFI_STATUS +(EFIAPI* EDKII_CRYPTO_TLS_GET_CERT_REVOCATION_LIST)( + OUT VOID *DATA, + IN OUT UINTN *DataSize + ); + +/** + Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in + RFC 8017. + Mask generation function is the same as the message digest algorithm. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If Message is NULL, then return FALSE. + If MsgSize is zero or > INT_MAX, then return FALSE. + If DigestLen is NOT 32, 48 or 64, return FALSE. + If SaltLen is < DigestLen, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] Message Pointer to octet message to be signed. + @param[in] MsgSize Size of the message in bytes. + @param[in] DigestLen Length of the digest in bytes to be used for RSA signature operation. + @param[in] SaltLen Length of the salt in bytes to be used for PSS encoding. + @param[out] Signature Pointer to buffer to receive RSA PSS signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in RSASSA-PSS. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_RSA_PSS_SIGN)( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017. + Implementation determines salt length automatically from the signature encoding. + Mask generation function is the same as the message digest algorithm. + Salt length should atleast be equal to digest length. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] Message Pointer to octet message to be verified. + @param[in] MsgSize Size of the message in bytes. + @param[in] Signature Pointer to RSASSA-PSS signature to be verified. + @param[in] SigSize Size of signature in bytes. + @param[in] DigestLen Length of digest for RSA operation. + @param[in] SaltLen Salt length for PSS encoding. + + @retval TRUE Valid signature encoded in RSASSA-PSS. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +typedef +BOOLEAN +(EFIAPI* EDKII_CRYPTO_RSA_PSS_VERIFY)( + IN VOID *RsaContext, + IN CONST UINT8 *Message, + IN UINTN MsgSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize, + IN UINT16 DigestLen, + IN UINT16 SaltLen + ); + + + +/// +/// EDK II Crypto Protocol +/// +struct _EDKII_CRYPTO_PROTOCOL { + /// Version + EDKII_CRYPTO_GET_VERSION GetVersion; + /// HMAC MD5 - deprecated and unsupported + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW DeprecatedHmacMd5New; + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE DeprecatedHmacMd5Free; + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY DeprecatedHmacMd5SetKey; + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE DeprecatedHmacMd5Duplicate; + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE DeprecatedHmacMd5Update; + DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL DeprecatedHmacMd5Final; + /// HMAC SHA1 - deprecated and unsupported + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW DeprecatedHmacSha1New; + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE DeprecatedHmacSha1Free; + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY DeprecatedHmacSha1SetKey; + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE DeprecatedHmacSha1Duplicate; + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE DeprecatedHmacSha1Update; + DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL DeprecatedHmacSha1Final; + /// HMAC SHA256 + EDKII_CRYPTO_HMAC_SHA256_NEW HmacSha256New; + EDKII_CRYPTO_HMAC_SHA256_FREE HmacSha256Free; + EDKII_CRYPTO_HMAC_SHA256_SET_KEY HmacSha256SetKey; + EDKII_CRYPTO_HMAC_SHA256_DUPLICATE HmacSha256Duplicate; + EDKII_CRYPTO_HMAC_SHA256_UPDATE HmacSha256Update; + EDKII_CRYPTO_HMAC_SHA256_FINAL HmacSha256Final; + /// Md4 - deprecated and unsupported + DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE DeprecatedMd4GetContextSize; + DEPRECATED_EDKII_CRYPTO_MD4_INIT DeprecatedMd4Init; + DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE DeprecatedMd4Duplicate; + DEPRECATED_EDKII_CRYPTO_MD4_UPDATE DeprecatedMd4Update; + DEPRECATED_EDKII_CRYPTO_MD4_FINAL DeprecatedMd4Final; + DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL DeprecatedMd4HashAll; + /// Md5 + EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE Md5GetContextSize; + EDKII_CRYPTO_MD5_INIT Md5Init; + EDKII_CRYPTO_MD5_DUPLICATE Md5Duplicate; + EDKII_CRYPTO_MD5_UPDATE Md5Update; + EDKII_CRYPTO_MD5_FINAL Md5Final; + EDKII_CRYPTO_MD5_HASH_ALL Md5HashAll; + /// Pkcs + EDKII_CRYPTO_PKCS1_ENCRYPT_V2 Pkcs1v2Encrypt; + EDKII_CRYPTO_PKCS5_PW_HASH Pkcs5HashPassword; + EDKII_CRYPTO_PKCS7_VERIFY Pkcs7Verify; + EDKII_CRYPTO_PKCS7_VERIFY_EKU VerifyEKUsInPkcs7Signature; + EDKII_CRYPTO_PKCS7_GET_SIGNERS Pkcs7GetSigners; + EDKII_CRYPTO_PKCS7_FREE_SIGNERS Pkcs7FreeSigners; + EDKII_CRYPTO_PKCS7_SIGN Pkcs7Sign; + EDKII_CRYPTO_PKCS7_GET_ATTACHED_CONTENT Pkcs7GetAttachedContent; + EDKII_CRYPTO_PKCS7_GET_CERTIFICATES_LIST Pkcs7GetCertificatesList; + EDKII_CRYPTO_AUTHENTICODE_VERIFY AuthenticodeVerify; + EDKII_CRYPTO_IMAGE_TIMESTAMP_VERIFY ImageTimestampVerify; + /// DH + EDKII_CRYPTO_DH_NEW DhNew; + EDKII_CRYPTO_DH_FREE DhFree; + EDKII_CRYPTO_DH_GENERATE_PARAMETER DhGenerateParameter; + EDKII_CRYPTO_DH_SET_PARAMETER DhSetParameter; + EDKII_CRYPTO_DH_GENERATE_KEY DhGenerateKey; + EDKII_CRYPTO_DH_COMPUTE_KEY DhComputeKey; + /// Random + EDKII_CRYPTO_RANDOM_SEED RandomSeed; + EDKII_CRYPTO_RANDOM_BYTES RandomBytes; + /// RSA + EDKII_CRYPTO_RSA_VERIFY_PKCS1 RsaVerifyPkcs1; + EDKII_CRYPTO_RSA_NEW RsaNew; + EDKII_CRYPTO_RSA_FREE RsaFree; + EDKII_CRYPTO_RSA_SET_KEY RsaSetKey; + EDKII_CRYPTO_RSA_GET_KEY RsaGetKey; + EDKII_CRYPTO_RSA_GENERATE_KEY RsaGenerateKey; + EDKII_CRYPTO_RSA_CHECK_KEY RsaCheckKey; + EDKII_CRYPTO_RSA_PKCS1_SIGN RsaPkcs1Sign; + EDKII_CRYPTO_RSA_PKCS1_VERIFY RsaPkcs1Verify; + EDKII_CRYPTO_RSA_GET_PRIVATE_KEY_FROM_PEM RsaGetPrivateKeyFromPem; + EDKII_CRYPTO_RSA_GET_PUBLIC_KEY_FROM_X509 RsaGetPublicKeyFromX509; + /// Sha1 + EDKII_CRYPTO_SHA1_GET_CONTEXT_SIZE Sha1GetContextSize; + EDKII_CRYPTO_SHA1_INIT Sha1Init; + EDKII_CRYPTO_SHA1_DUPLICATE Sha1Duplicate; + EDKII_CRYPTO_SHA1_UPDATE Sha1Update; + EDKII_CRYPTO_SHA1_FINAL Sha1Final; + EDKII_CRYPTO_SHA1_HASH_ALL Sha1HashAll; + /// Sha256 + EDKII_CRYPTO_SHA256_GET_CONTEXT_SIZE Sha256GetContextSize; + EDKII_CRYPTO_SHA256_INIT Sha256Init; + EDKII_CRYPTO_SHA256_DUPLICATE Sha256Duplicate; + EDKII_CRYPTO_SHA256_UPDATE Sha256Update; + EDKII_CRYPTO_SHA256_FINAL Sha256Final; + EDKII_CRYPTO_SHA256_HASH_ALL Sha256HashAll; + /// Sha384 + EDKII_CRYPTO_SHA384_GET_CONTEXT_SIZE Sha384GetContextSize; + EDKII_CRYPTO_SHA384_INIT Sha384Init; + EDKII_CRYPTO_SHA384_DUPLICATE Sha384Duplicate; + EDKII_CRYPTO_SHA384_UPDATE Sha384Update; + EDKII_CRYPTO_SHA384_FINAL Sha384Final; + EDKII_CRYPTO_SHA384_HASH_ALL Sha384HashAll; + /// Sha512 + EDKII_CRYPTO_SHA512_GET_CONTEXT_SIZE Sha512GetContextSize; + EDKII_CRYPTO_SHA512_INIT Sha512Init; + EDKII_CRYPTO_SHA512_DUPLICATE Sha512Duplicate; + EDKII_CRYPTO_SHA512_UPDATE Sha512Update; + EDKII_CRYPTO_SHA512_FINAL Sha512Final; + EDKII_CRYPTO_SHA512_HASH_ALL Sha512HashAll; + /// X509 + EDKII_CRYPTO_X509_GET_SUBJECT_NAME X509GetSubjectName; + EDKII_CRYPTO_X509_GET_COMMON_NAME X509GetCommonName; + EDKII_CRYPTO_X509_GET_ORGANIZATION_NAME X509GetOrganizationName; + EDKII_CRYPTO_X509_VERIFY_CERT X509VerifyCert; + EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE X509ConstructCertificate; + EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE_STACK X509ConstructCertificateStack; + EDKII_CRYPTO_X509_FREE X509Free; + EDKII_CRYPTO_X509_STACK_FREE X509StackFree; + EDKII_CRYPTO_X509_GET_TBS_CERT X509GetTBSCert; + /// TDES - deprecated and unsupported + DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE DeprecatedTdesGetContextSize; + DEPRECATED_EDKII_CRYPTO_TDES_INIT DeprecatedTdesInit; + DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT DeprecatedTdesEcbEncrypt; + DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT DeprecatedTdesEcbDecrypt; + DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT DeprecatedTdesCbcEncrypt; + DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT DeprecatedTdesCbcDecrypt; + /// AES - ECB Mode is deprecated and unsupported + EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize; + EDKII_CRYPTO_AES_INIT AesInit; + DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT DeprecatedAesEcbEncrypt; + DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT DeprecatedAesEcbDecrypt; + EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt; + EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt; + /// Arc4 - deprecated and unsupported + DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE DeprecatedArc4GetContextSize; + DEPRECATED_EDKII_CRYPTO_ARC4_INIT DeprecatedArc4Init; + DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT DeprecatedArc4Encrypt; + DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT DeprecatedArc4Decrypt; + DEPRECATED_EDKII_CRYPTO_ARC4_RESET DeprecatedArc4Reset; + /// SM3 + EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE Sm3GetContextSize; + EDKII_CRYPTO_SM3_INIT Sm3Init; + EDKII_CRYPTO_SM3_DUPLICATE Sm3Duplicate; + EDKII_CRYPTO_SM3_UPDATE Sm3Update; + EDKII_CRYPTO_SM3_FINAL Sm3Final; + EDKII_CRYPTO_SM3_HASH_ALL Sm3HashAll; + /// HKDF + EDKII_CRYPTO_HKDF_SHA_256_EXTRACT_AND_EXPAND HkdfSha256ExtractAndExpand; + /// X509 (Continued) + EDKII_CRYPTO_X509_CONSTRUCT_CERTIFICATE_STACK_V X509ConstructCertificateStackV; + /// TLS + EDKII_CRYPTO_TLS_INITIALIZE TlsInitialize; + EDKII_CRYPTO_TLS_CTX_FREE TlsCtxFree; + EDKII_CRYPTO_TLS_CTX_NEW TlsCtxNew; + EDKII_CRYPTO_TLS_FREE TlsFree; + EDKII_CRYPTO_TLS_NEW TlsNew; + EDKII_CRYPTO_TLS_IN_HANDSHAKE TlsInHandshake; + EDKII_CRYPTO_TLS_DO_HANDSHAKE TlsDoHandshake; + EDKII_CRYPTO_TLS_HANDLE_ALERT TlsHandleAlert; + EDKII_CRYPTO_TLS_CLOSE_NOTIFY TlsCloseNotify; + EDKII_CRYPTO_TLS_CTRL_TRAFFIC_OUT TlsCtrlTrafficOut; + EDKII_CRYPTO_TLS_CTRL_TRAFFIC_IN TlsCtrlTrafficIn; + EDKII_CRYPTO_TLS_READ TlsRead; + EDKII_CRYPTO_TLS_WRITE TlsWrite; + /// TLS Set + EDKII_CRYPTO_TLS_SET_VERSION TlsSetVersion; + EDKII_CRYPTO_TLS_SET_CONNECTION_END TlsSetConnectionEnd; + EDKII_CRYPTO_TLS_SET_CIPHER_LIST TlsSetCipherList; + EDKII_CRYPTO_TLS_SET_COMPRESSION_METHOD TlsSetCompressionMethod; + EDKII_CRYPTO_TLS_SET_VERIFY TlsSetVerify; + EDKII_CRYPTO_TLS_SET_VERIFY_HOST TlsSetVerifyHost; + EDKII_CRYPTO_TLS_SET_SESSIONID TlsSetSessionId; + EDKII_CRYPTO_TLS_SET_CA_CERTIFICATE TlsSetCaCertificate; + EDKII_CRYPTO_TLS_SET_HOST_PUBLIC_CERT TlsSetHostPublicCert; + EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY TlsSetHostPrivateKey; + EDKII_CRYPTO_TLS_SET_CERT_REVOCATION_LIST TlsSetCertRevocationList; + /// TLS Get + EDKII_CRYPTO_TLS_GET_VERSION TlsGetVersion; + EDKII_CRYPTO_TLS_GET_CONNECTION_END TlsGetConnectionEnd; + EDKII_CRYPTO_TLS_GET_CURRENT_CIPHER TlsGetCurrentCipher; + EDKII_CRYPTO_TLS_GET_CURRENT_COMPRESSION_ID TlsGetCurrentCompressionId; + EDKII_CRYPTO_TLS_GET_VERIFY TlsGetVerify; + EDKII_CRYPTO_TLS_GET_SESSION_ID TlsGetSessionId; + EDKII_CRYPTO_TLS_GET_CLIENT_RANDOM TlsGetClientRandom; + EDKII_CRYPTO_TLS_GET_SERVER_RANDOM TlsGetServerRandom; + EDKII_CRYPTO_TLS_GET_KEY_MATERIAL TlsGetKeyMaterial; + EDKII_CRYPTO_TLS_GET_CA_CERTIFICATE TlsGetCaCertificate; + EDKII_CRYPTO_TLS_GET_HOST_PUBLIC_CERT TlsGetHostPublicCert; + EDKII_CRYPTO_TLS_GET_HOST_PRIVATE_KEY TlsGetHostPrivateKey; + EDKII_CRYPTO_TLS_GET_CERT_REVOCATION_LIST TlsGetCertRevocationList; + /// RSA PSS + EDKII_CRYPTO_RSA_PSS_SIGN RsaPssSign; + EDKII_CRYPTO_RSA_PSS_VERIFY RsaPssVerify; +}; + +extern GUID gEdkiiCryptoProtocolGuid; + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/SmmCrypto.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/SmmCrypto.h new file mode 100644 index 00000000..691cb5e1 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Private/Protocol/SmmCrypto.h @@ -0,0 +1,21 @@ +/** @file + This Protocol provides Crypto services to SMM modules + + Copyright (C) Microsoft Corporation. All rights reserved. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __EDKII_SMM_CRYPTO_PROTOCOL_H__ +#define __EDKII_SMM_CRYPTO_PROTOCOL_H__ + +#include + +/// +/// EDK II SMM Crypto Protocol is identical to EDK II Crypto Protocol +/// +typedef EDKII_CRYPTO_PROTOCOL EDKII_SMM_CRYPTO_PROTOCOL; + +extern GUID gEdkiiSmmCryptoProtocolGuid; + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc new file mode 100644 index 00000000..9a85d8e2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc @@ -0,0 +1,42 @@ +## @file +# CryptoPkg DSC file used to build host-based unit tests. +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + PLATFORM_NAME = CryptoPkgHostTest + PLATFORM_GUID = C7F97D6D-54AC-45A9-8197-CC99B20CC7EC + PLATFORM_VERSION = 0.1 + DSC_SPECIFICATION = 0x00010005 + OUTPUT_DIRECTORY = Build/CryptoPkg/HostTest + SUPPORTED_ARCHITECTURES = IA32|X64 + BUILD_TARGETS = NOOPT + SKUID_IDENTIFIER = DEFAULT + +!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc + +[LibraryClasses] + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf + +[LibraryClasses.AARCH64, LibraryClasses.ARM] + RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf + +[LibraryClasses.X64, LibraryClasses.IA32] + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + +[Components] + # + # Build HOST_APPLICATION that tests the SampleUnitTest + # + CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf + +[BuildOptions] + *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES + MSFT:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES + INTEL:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES + GCC:*_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES + RVCT:*_*_*_CC_FLAGS = -DENABLE_MD5_DEPRECATED_INTERFACES diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AuthenticodeTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AuthenticodeTests.c new file mode 100644 index 00000000..1a2d3d18 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AuthenticodeTests.c @@ -0,0 +1,1002 @@ +/** @file + Sample Implementation for Microsoft Authenticode Verification. + +Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// Sample PE/COFF Image Hash Value (Digested by SHA-1). +// This value should be calculated following MSFT's Authenticode Specification +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 PeSha1Hash[] = { + 0x44, 0xFD, 0x4F, 0xA9, 0x17, 0xEE, 0xAC, 0xCF, 0x1F, 0x0B, 0xE3, 0xA1, 0x4D, 0x5B, 0xA6, 0x61, + 0x82, 0x97, 0xC4, 0xB6 + }; + +// +// Sample PE/COFF Image Hash Value (Digested by SHA-256). +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 PeSha256Hash[] = { + 0x61, 0x82, 0xB7, 0xF8, 0x8C, 0xFF, 0xC2, 0xEB, 0x79, 0x6E, 0x9D, 0xA9, 0xDD, 0x39, 0x52, 0xDD, + 0x36, 0xDD, 0xF1, 0x43, 0x27, 0x58, 0x8C, 0xA7, 0xCC, 0xAE, 0xDE, 0xDD, 0x3C, 0x02, 0x12, 0x49 + }; + +// +// Sample Authenticode Data with SHA-1 hash algorithm. +// This data should be retrieved from signed PE/COFF image according to SECURITY +// directory in PE/COFF Header. +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 AuthenticodeWithSha1[] = { + 0x30, 0x82, 0x1C, 0x43, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02, 0xA0, + 0x82, 0x1C, 0x34, 0x30, 0x82, 0x1C, 0x30, 0x02, 0x01, 0x01, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x05, + 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x30, 0x68, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, + 0x82, 0x37, 0x02, 0x01, 0x04, 0xA0, 0x5A, 0x30, 0x58, 0x30, 0x33, 0x06, 0x0A, 0x2B, 0x06, 0x01, + 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0F, 0x30, 0x25, 0x03, 0x01, 0x00, 0xA0, 0x20, 0xA2, 0x1E, + 0x80, 0x1C, 0x00, 0x3C, 0x00, 0x3C, 0x00, 0x3C, 0x00, 0x4F, 0x00, 0x62, 0x00, 0x73, 0x00, 0x6F, + 0x00, 0x6C, 0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3E, 0x00, 0x3E, 0x00, 0x3E, 0x30, 0x21, + 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0x44, 0xFD, 0x4F, + 0xA9, 0x17, 0xEE, 0xAC, 0xCF, 0x1F, 0x0B, 0xE3, 0xA1, 0x4D, 0x5B, 0xA6, 0x61, 0x82, 0x97, 0xC4, + 0xB6, 0xA0, 0x82, 0x17, 0x18, 0x30, 0x82, 0x04, 0xCA, 0x30, 0x82, 0x03, 0xB2, 0xA0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x0A, 0x61, 0x03, 0xDC, 0xF6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x30, 0x0D, + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x77, 0x31, + 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, + 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, + 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, + 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, + 0x69, 0x6F, 0x6E, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x4D, 0x69, + 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x54, 0x69, 0x6D, 0x65, 0x2D, 0x53, 0x74, 0x61, + 0x6D, 0x70, 0x20, 0x50, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x30, 0x38, 0x30, 0x37, 0x32, 0x35, + 0x31, 0x39, 0x31, 0x32, 0x35, 0x30, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x30, 0x37, 0x32, 0x35, 0x31, + 0x39, 0x32, 0x32, 0x35, 0x30, 0x5A, 0x30, 0x81, 0xB3, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, + 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, + 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, + 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x0D, 0x30, + 0x0B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x04, 0x4D, 0x4F, 0x50, 0x52, 0x31, 0x27, 0x30, 0x25, + 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x1E, 0x6E, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x20, 0x44, + 0x53, 0x45, 0x20, 0x45, 0x53, 0x4E, 0x3A, 0x31, 0x35, 0x39, 0x43, 0x2D, 0x41, 0x33, 0x46, 0x37, + 0x2D, 0x32, 0x35, 0x37, 0x30, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1C, + 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x54, 0x69, 0x6D, 0x65, 0x2D, 0x53, + 0x74, 0x61, 0x6D, 0x70, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x30, 0x82, 0x01, 0x22, + 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC0, 0xED, 0x81, + 0x14, 0xA1, 0x5E, 0x77, 0xC0, 0x5B, 0xF4, 0x76, 0x89, 0x62, 0xFA, 0xAD, 0x7C, 0x68, 0x14, 0xB4, + 0xF7, 0xBD, 0x35, 0xD8, 0x13, 0x79, 0x5A, 0x17, 0xCA, 0xD9, 0x6C, 0x51, 0x45, 0x62, 0x26, 0x7A, + 0x2F, 0x1F, 0xD8, 0xEA, 0xC1, 0x6E, 0x01, 0x17, 0xF9, 0xC3, 0xA6, 0x1F, 0x67, 0xDB, 0x51, 0xB0, + 0x2C, 0xDE, 0x8A, 0x17, 0xED, 0xFF, 0x20, 0xAD, 0x34, 0xEA, 0x98, 0xFB, 0xA5, 0xD6, 0x2A, 0xD2, + 0xF1, 0x44, 0x27, 0x07, 0x5A, 0x2D, 0x3A, 0x93, 0xFF, 0x56, 0x53, 0xB0, 0xC8, 0xF5, 0xF3, 0x03, + 0xF2, 0x49, 0xCC, 0x16, 0xD0, 0xF5, 0x00, 0x4C, 0x58, 0xF8, 0x9B, 0xF5, 0x07, 0x25, 0xB1, 0x66, + 0x17, 0xC0, 0xBD, 0xC8, 0xD2, 0x52, 0x85, 0x8D, 0xC2, 0x2B, 0x38, 0xB2, 0xC3, 0x36, 0xBE, 0xF9, + 0x87, 0xDA, 0xF4, 0x8E, 0x5D, 0x43, 0xD7, 0x06, 0xBF, 0x99, 0x05, 0x9F, 0xA4, 0xCE, 0xFE, 0xAB, + 0x8D, 0x61, 0x63, 0xE7, 0x39, 0xC5, 0xF3, 0x18, 0xF6, 0xD8, 0xFC, 0x31, 0x36, 0x69, 0x72, 0x5A, + 0xA2, 0x1A, 0x4C, 0x3E, 0xEA, 0x87, 0x25, 0x42, 0x9D, 0xD1, 0x3E, 0xF1, 0x97, 0xD2, 0x18, 0x32, + 0x93, 0x70, 0x55, 0x53, 0x81, 0x1E, 0xE3, 0x3B, 0x0D, 0xE8, 0xBE, 0x82, 0x78, 0x6D, 0xE6, 0xFA, + 0xCD, 0x98, 0xA4, 0x6F, 0xDB, 0xEE, 0x66, 0xF4, 0x95, 0xC8, 0xCD, 0x35, 0xC9, 0x9E, 0xBB, 0x36, + 0x0D, 0x83, 0x96, 0x94, 0x26, 0xA7, 0x90, 0xE0, 0xA9, 0x34, 0x3B, 0xD5, 0xC0, 0x9E, 0x3E, 0xF0, + 0xD4, 0x47, 0x8D, 0x86, 0x0C, 0x82, 0xA4, 0x58, 0x30, 0x3A, 0x1C, 0x76, 0xE3, 0xAD, 0x95, 0x66, + 0xB4, 0xB7, 0xFD, 0x09, 0x8A, 0x05, 0x60, 0x0F, 0xA3, 0x0F, 0xE2, 0x93, 0x96, 0x58, 0x22, 0x9C, + 0x9D, 0x2B, 0xDB, 0xA2, 0x94, 0x18, 0x90, 0x95, 0x02, 0xBD, 0x06, 0x40, 0x95, 0x02, 0x03, 0x01, + 0x00, 0x01, 0xA3, 0x82, 0x01, 0x19, 0x30, 0x82, 0x01, 0x15, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, + 0x0E, 0x04, 0x16, 0x04, 0x14, 0xD2, 0xED, 0x0D, 0x1E, 0x24, 0xBB, 0x37, 0xA9, 0xD8, 0x20, 0x6A, + 0x4D, 0x1D, 0xD2, 0x16, 0xD5, 0x2E, 0xBE, 0x9E, 0xEB, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x23, 0x34, 0xF8, 0xD9, 0x52, 0x46, 0x70, 0x0A, 0xED, 0x40, + 0xFB, 0x76, 0xFB, 0xB3, 0x2B, 0xB0, 0xC3, 0x35, 0xB3, 0x0F, 0x30, 0x54, 0x06, 0x03, 0x55, 0x1D, + 0x1F, 0x04, 0x4D, 0x30, 0x4B, 0x30, 0x49, 0xA0, 0x47, 0xA0, 0x45, 0x86, 0x43, 0x68, 0x74, 0x74, + 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x72, 0x6C, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, + 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x70, 0x72, + 0x6F, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, + 0x54, 0x69, 0x6D, 0x65, 0x53, 0x74, 0x61, 0x6D, 0x70, 0x50, 0x43, 0x41, 0x2E, 0x63, 0x72, 0x6C, + 0x30, 0x58, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x4C, 0x30, 0x4A, + 0x30, 0x48, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3C, 0x68, 0x74, + 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, + 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x54, 0x69, 0x6D, 0x65, 0x53, 0x74, + 0x61, 0x6D, 0x70, 0x50, 0x43, 0x41, 0x2E, 0x63, 0x72, 0x74, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, + 0x25, 0x04, 0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x06, 0xC0, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x9C, 0x0A, 0x55, 0xC8, 0xCC, 0x44, 0x13, 0x34, 0x0C, 0xD8, 0x63, 0x27, 0x76, + 0x7D, 0x3E, 0xFA, 0x38, 0x32, 0x83, 0x53, 0x9D, 0xF2, 0x08, 0xF9, 0x32, 0xF5, 0xC5, 0x6E, 0x70, + 0xA1, 0xC9, 0xB1, 0x63, 0x6B, 0x19, 0x9D, 0x09, 0x67, 0xD9, 0x9D, 0xEB, 0x8A, 0x6A, 0xDB, 0x60, + 0x66, 0xE9, 0xE9, 0x52, 0x26, 0xF3, 0x3B, 0xC6, 0x6A, 0xD3, 0xC2, 0x52, 0xBE, 0xA8, 0xB9, 0xEB, + 0x6A, 0xAA, 0x78, 0x8C, 0xC9, 0x16, 0x7D, 0x90, 0x95, 0xA0, 0xCC, 0x21, 0xB3, 0x9E, 0x81, 0xBD, + 0xCD, 0xC1, 0x8B, 0x29, 0xBD, 0x62, 0x25, 0xEF, 0x09, 0x57, 0xE7, 0x86, 0x4E, 0x2A, 0xEC, 0x80, + 0xCA, 0xBB, 0xFC, 0x21, 0x16, 0xC4, 0x3F, 0x4E, 0x52, 0x19, 0xE6, 0x0E, 0xB1, 0xD8, 0xC1, 0xC2, + 0x79, 0x90, 0x64, 0xB4, 0x50, 0x73, 0x10, 0x35, 0x5E, 0x5D, 0x11, 0xC1, 0xB8, 0xBA, 0xAA, 0xCF, + 0x52, 0xF6, 0x80, 0x91, 0x00, 0xE6, 0xEF, 0x51, 0x43, 0x46, 0xE9, 0xD0, 0xE8, 0x94, 0xF6, 0x2C, + 0x24, 0x0D, 0x8A, 0xC6, 0xB2, 0x31, 0x8A, 0xA3, 0x7E, 0x36, 0x6C, 0xA4, 0x05, 0x4C, 0x67, 0x07, + 0x2A, 0xBB, 0xBB, 0x10, 0xA5, 0xA5, 0x30, 0x1A, 0x72, 0xD0, 0x06, 0x20, 0x3B, 0x24, 0x93, 0x5B, + 0x15, 0xD9, 0x39, 0x93, 0xD3, 0x73, 0x2D, 0x1A, 0xC4, 0xD4, 0x6C, 0x1E, 0xA1, 0x08, 0xEC, 0xF6, + 0x31, 0xB8, 0x6B, 0x4B, 0xEC, 0xEE, 0x5C, 0x33, 0x02, 0x14, 0x32, 0x8C, 0x7C, 0x11, 0x20, 0x2F, + 0x20, 0x03, 0x7F, 0xF9, 0x0C, 0x9D, 0xB8, 0xD3, 0x9E, 0x5F, 0xD6, 0x08, 0xFC, 0x81, 0xA0, 0x99, + 0xB8, 0xBB, 0x55, 0x6E, 0xCD, 0x42, 0x4B, 0x3A, 0x4D, 0x8C, 0x14, 0x2B, 0xCA, 0xC8, 0x12, 0xD3, + 0x62, 0x6E, 0xEA, 0x0D, 0x0A, 0x9D, 0x09, 0xA3, 0x66, 0xD9, 0x79, 0x4F, 0x8E, 0x1A, 0xA2, 0xFF, + 0xCC, 0x98, 0x04, 0x30, 0x82, 0x05, 0x96, 0x30, 0x82, 0x04, 0x7E, 0xA0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x0A, 0x61, 0x01, 0xC6, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0x81, 0x31, 0x0B, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, + 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, + 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, + 0x6F, 0x6E, 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4D, 0x69, 0x63, + 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x56, + 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x43, 0x41, 0x30, + 0x1E, 0x17, 0x0D, 0x30, 0x38, 0x31, 0x30, 0x32, 0x32, 0x32, 0x30, 0x33, 0x39, 0x32, 0x32, 0x5A, + 0x17, 0x0D, 0x31, 0x30, 0x30, 0x31, 0x32, 0x32, 0x32, 0x30, 0x34, 0x39, 0x32, 0x32, 0x5A, 0x30, + 0x7F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, + 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, + 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, + 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, + 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x04, + 0x4D, 0x4F, 0x50, 0x52, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x4D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xDC, 0x3A, 0xD3, 0x44, 0xF4, 0x6E, 0x20, 0x9F, 0xDD, 0xA4, 0x0E, 0x82, 0x4E, 0xC7, 0x86, + 0x5E, 0x63, 0xCC, 0xCA, 0xE5, 0x42, 0x53, 0x4B, 0x85, 0xFA, 0x5D, 0x71, 0x6C, 0xCF, 0x76, 0x0C, + 0x18, 0x8B, 0xA6, 0x0D, 0xF5, 0x4A, 0xF7, 0xFE, 0x17, 0xF2, 0x90, 0xCC, 0x62, 0xC7, 0x24, 0xAD, + 0x9B, 0x9A, 0xE1, 0x45, 0x3B, 0x61, 0xD8, 0x0D, 0x05, 0x69, 0xC7, 0xCD, 0x88, 0x2A, 0xB8, 0xB9, + 0x18, 0x1E, 0x60, 0x10, 0x5F, 0x88, 0xC6, 0xD2, 0x82, 0x4E, 0x6D, 0x49, 0xC5, 0xBE, 0x5C, 0x12, + 0x86, 0x48, 0x85, 0x89, 0x91, 0x81, 0xCD, 0x1B, 0xAD, 0x1F, 0xB7, 0x2D, 0x67, 0x79, 0xF1, 0x7B, + 0x9F, 0x25, 0x87, 0x14, 0x76, 0x5F, 0xE3, 0x0E, 0x64, 0xA1, 0x72, 0x61, 0x25, 0xE5, 0x75, 0x69, + 0xC5, 0x14, 0xF1, 0x5F, 0x07, 0x56, 0xA4, 0x0D, 0x70, 0x06, 0x23, 0xA7, 0x6C, 0xDD, 0x82, 0xAE, + 0xD9, 0x9B, 0x47, 0xA4, 0xA5, 0x6C, 0x08, 0xB0, 0x58, 0xF1, 0x53, 0x6A, 0x4F, 0xDA, 0x85, 0x61, + 0xCB, 0x02, 0x7B, 0x49, 0xAF, 0x1F, 0xBB, 0xE0, 0xD7, 0xB9, 0x5E, 0xDB, 0x73, 0x89, 0x76, 0xC1, + 0x3A, 0xBB, 0x0D, 0xF5, 0x97, 0xF0, 0x88, 0x5D, 0x69, 0x77, 0x80, 0xCF, 0xF1, 0x7E, 0x03, 0x9F, + 0x73, 0x6D, 0xDE, 0x05, 0xB8, 0x2F, 0x77, 0xB5, 0x54, 0x55, 0x45, 0xD0, 0xD2, 0x38, 0xBD, 0x96, + 0xE3, 0xF7, 0xEA, 0x40, 0xE5, 0xAC, 0x19, 0xFC, 0x71, 0xCB, 0x28, 0x27, 0xAA, 0x71, 0xA1, 0x72, + 0xB5, 0x12, 0x27, 0xC1, 0x51, 0xF6, 0x36, 0xC5, 0xC0, 0xC7, 0x7B, 0x3A, 0x3A, 0x93, 0x37, 0x04, + 0xCC, 0xEE, 0x0B, 0x69, 0x78, 0x64, 0x75, 0x41, 0xB6, 0x78, 0x22, 0x0F, 0x77, 0x84, 0xF7, 0x4B, + 0x8D, 0x46, 0x65, 0x92, 0x5B, 0x4D, 0x56, 0x6B, 0x75, 0x04, 0x46, 0x3F, 0x0B, 0x1B, 0xB4, 0x19, + 0xBF, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x02, 0x0F, 0x30, 0x82, 0x02, 0x0B, 0x30, 0x1F, + 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x18, 0x30, 0x16, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, + 0x07, 0x03, 0x03, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x06, 0x30, + 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xA1, 0xE6, 0xC3, 0x65, 0xD0, 0xE6, + 0xE8, 0x28, 0x62, 0xC2, 0xF3, 0xC2, 0x23, 0xA6, 0x1C, 0x49, 0x82, 0x0B, 0xD5, 0x53, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1F, + 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x90, 0x8B, 0x11, + 0xA5, 0x70, 0xED, 0xE0, 0xF9, 0xA9, 0xC0, 0xAC, 0x08, 0xC7, 0xB5, 0xF4, 0x82, 0xB1, 0x3C, 0xC5, + 0x4A, 0x30, 0x7B, 0x06, 0x03, 0x55, 0x1D, 0x1F, 0x04, 0x74, 0x30, 0x72, 0x30, 0x70, 0xA0, 0x6E, + 0xA0, 0x6C, 0x86, 0x34, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x72, 0x6C, 0x2E, 0x6D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, + 0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x70, 0x72, 0x6F, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2F, 0x57, 0x69, + 0x6E, 0x50, 0x43, 0x41, 0x2E, 0x63, 0x72, 0x6C, 0x86, 0x34, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, + 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, + 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x70, 0x72, 0x6F, 0x64, 0x75, + 0x63, 0x74, 0x73, 0x2F, 0x57, 0x69, 0x6E, 0x50, 0x43, 0x41, 0x2E, 0x63, 0x72, 0x6C, 0x30, 0x52, + 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x46, 0x30, 0x44, 0x30, 0x42, + 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x36, 0x68, 0x74, 0x74, 0x70, + 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, + 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2F, 0x4D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x57, 0x69, 0x6E, 0x50, 0x43, 0x41, 0x2E, 0x63, + 0x72, 0x74, 0x30, 0x81, 0xC6, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x04, 0x81, 0xBE, 0x30, 0x81, 0xBB, + 0x30, 0x81, 0xB8, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x2F, 0x30, 0x81, + 0xAA, 0x30, 0x40, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x34, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, + 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x73, 0x73, 0x6C, + 0x2F, 0x63, 0x70, 0x73, 0x2F, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x50, 0x43, 0x41, 0x2E, + 0x68, 0x74, 0x6D, 0x30, 0x66, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, + 0x5A, 0x1E, 0x58, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x70, 0x00, 0x79, 0x00, 0x72, 0x00, 0x69, 0x00, + 0x67, 0x00, 0x68, 0x00, 0x74, 0x00, 0x20, 0x00, 0xA9, 0x00, 0x20, 0x00, 0x31, 0x00, 0x39, 0x00, + 0x39, 0x00, 0x39, 0x00, 0x2D, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x35, 0x00, 0x20, 0x00, + 0x4D, 0x00, 0x69, 0x00, 0x63, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x73, 0x00, 0x6F, 0x00, 0x66, 0x00, + 0x74, 0x00, 0x20, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x72, 0x00, + 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x2E, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x73, + 0x5F, 0xCA, 0x80, 0x1C, 0x60, 0x46, 0x6F, 0xB9, 0x34, 0x9D, 0x88, 0xE3, 0xBE, 0x22, 0x8C, 0xFA, + 0xE6, 0x58, 0x9A, 0xAB, 0x7B, 0x1A, 0x97, 0xFD, 0xED, 0x2E, 0x39, 0xCC, 0x59, 0x5B, 0x1D, 0x7A, + 0x06, 0x8A, 0xBB, 0x43, 0x93, 0x7B, 0x1E, 0xA1, 0x88, 0x53, 0xDF, 0x44, 0xF8, 0x53, 0xA9, 0xEA, + 0xF6, 0x67, 0x1B, 0x3A, 0x78, 0x84, 0x11, 0x6A, 0x6F, 0x29, 0x47, 0x90, 0x0A, 0x0C, 0x7B, 0x22, + 0x77, 0x4E, 0x6F, 0xB8, 0x64, 0x29, 0xDF, 0x06, 0xC7, 0xC8, 0x73, 0x84, 0xD6, 0x66, 0xA0, 0xCA, + 0xD9, 0x5A, 0x26, 0x82, 0x57, 0xF9, 0xE3, 0x4F, 0x39, 0xAF, 0x2E, 0x8E, 0xB1, 0x06, 0x5B, 0x72, + 0xF2, 0x37, 0x32, 0xAE, 0x4E, 0xCE, 0x3C, 0x7D, 0xB0, 0x12, 0x2B, 0x9E, 0xA5, 0x75, 0xE3, 0x43, + 0xA6, 0x12, 0x8B, 0x06, 0x14, 0x98, 0x77, 0xE3, 0x58, 0x32, 0x25, 0x60, 0x07, 0x8C, 0x59, 0x71, + 0xA7, 0x71, 0x41, 0xB3, 0x06, 0x8D, 0x5C, 0xEF, 0x9C, 0x7F, 0x5A, 0x22, 0x6D, 0xB7, 0xD3, 0xD9, + 0xF5, 0xA6, 0x1B, 0x52, 0xDE, 0xF5, 0x7E, 0x76, 0x7C, 0xFE, 0xF4, 0xC8, 0x23, 0x1A, 0x4B, 0x25, + 0xEB, 0xE4, 0xEE, 0xAF, 0x10, 0x0B, 0x55, 0xC3, 0xD8, 0xC1, 0x17, 0x85, 0x61, 0x6F, 0xD3, 0x3F, + 0xB6, 0xE9, 0xEC, 0x84, 0xA5, 0xEE, 0x6D, 0xB2, 0xFF, 0xE8, 0x6C, 0x95, 0xAB, 0x2B, 0x5E, 0xC8, + 0x85, 0xC3, 0x11, 0x60, 0xAC, 0xFA, 0x02, 0x05, 0xF1, 0x7B, 0xDA, 0xC3, 0x69, 0x49, 0x96, 0xA5, + 0x70, 0xF9, 0x65, 0x66, 0x46, 0x10, 0x8D, 0x34, 0xE9, 0x21, 0x94, 0x3C, 0x0F, 0x71, 0x4A, 0x1C, + 0xEA, 0x1F, 0xF7, 0x23, 0xA6, 0x87, 0x60, 0x34, 0xE9, 0x14, 0xE1, 0xDE, 0x03, 0x59, 0xB4, 0x02, + 0x1D, 0x3A, 0xAF, 0xE3, 0x55, 0x05, 0xF5, 0xED, 0xC1, 0xF4, 0xE4, 0x5D, 0x0E, 0xD3, 0x97, 0x30, + 0x82, 0x06, 0x07, 0x30, 0x82, 0x03, 0xEF, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0A, 0x61, 0x16, + 0x68, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x5F, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A, 0x09, + 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x09, + 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, + 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, + 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x30, 0x37, 0x30, 0x34, + 0x30, 0x33, 0x31, 0x32, 0x35, 0x33, 0x30, 0x39, 0x5A, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x34, 0x30, + 0x33, 0x31, 0x33, 0x30, 0x33, 0x30, 0x39, 0x5A, 0x30, 0x77, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, + 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x21, + 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x54, 0x69, 0x6D, 0x65, 0x2D, 0x53, 0x74, 0x61, 0x6D, 0x70, 0x20, 0x50, 0x43, + 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, + 0x01, 0x00, 0x9F, 0xA1, 0x6C, 0xB1, 0xDF, 0xDB, 0x48, 0x92, 0x2A, 0x7C, 0x6B, 0x2E, 0x19, 0xE1, + 0xBD, 0xE2, 0xE3, 0xC5, 0x99, 0x51, 0x23, 0x50, 0xAD, 0xCE, 0xDD, 0x18, 0x4E, 0x24, 0x0F, 0xEE, + 0xD1, 0xA7, 0xD1, 0x4C, 0xAD, 0x74, 0x30, 0x20, 0x11, 0xEB, 0x07, 0xD5, 0x54, 0x95, 0x15, 0x49, + 0x94, 0x1B, 0x42, 0x92, 0xAE, 0x98, 0x5C, 0x30, 0x26, 0xDA, 0x00, 0x6B, 0xE8, 0x7B, 0xBD, 0xEC, + 0x89, 0x07, 0x0F, 0xF7, 0x0E, 0x04, 0x98, 0xF0, 0x89, 0xCC, 0x1F, 0xCB, 0x33, 0x24, 0x87, 0x9D, + 0xF2, 0xF4, 0x67, 0x1C, 0x2C, 0xFC, 0x7B, 0xE7, 0x88, 0x1D, 0xEA, 0xE7, 0x4E, 0xA3, 0xA1, 0xC1, + 0x23, 0x53, 0xCA, 0x8D, 0xFA, 0x45, 0xCF, 0x09, 0xD0, 0x5E, 0xAF, 0xD0, 0xB0, 0x42, 0x04, 0xA2, + 0xF9, 0xA6, 0x6C, 0x93, 0x67, 0xD7, 0x28, 0xDC, 0x46, 0x53, 0xB0, 0x86, 0xD0, 0xE5, 0x28, 0x46, + 0x2E, 0x27, 0xAC, 0x86, 0x4F, 0x55, 0x52, 0x0C, 0xE4, 0x03, 0x2C, 0xFB, 0x6A, 0x90, 0x90, 0x30, + 0x6E, 0x87, 0xF3, 0x59, 0x30, 0x9D, 0xFA, 0x7E, 0xD6, 0x97, 0xB3, 0xE8, 0x21, 0x97, 0x7E, 0xF8, + 0xD2, 0x13, 0xF3, 0x08, 0xB7, 0x53, 0x6D, 0x52, 0xB4, 0x45, 0x90, 0x9F, 0x48, 0x00, 0x4A, 0x47, + 0x66, 0x11, 0x27, 0x29, 0x66, 0xA8, 0x97, 0xE4, 0xD3, 0x06, 0x81, 0x4A, 0xA2, 0xF9, 0x84, 0xA7, + 0x11, 0x47, 0x14, 0x09, 0x82, 0x9F, 0x84, 0xED, 0x55, 0x78, 0xFE, 0x01, 0x9A, 0x1D, 0x50, 0x08, + 0x85, 0x00, 0x10, 0x30, 0x46, 0xED, 0xB7, 0xDE, 0x23, 0x46, 0xBB, 0xC4, 0x2D, 0x54, 0x9F, 0xAF, + 0x1E, 0x78, 0x41, 0x31, 0x77, 0xCC, 0x9B, 0xDF, 0x3B, 0x83, 0x93, 0xA1, 0x61, 0x02, 0xB5, 0x1D, + 0x0D, 0xB1, 0xFC, 0xF7, 0x9B, 0xB2, 0x01, 0xCE, 0x22, 0x4B, 0x54, 0xFF, 0xF9, 0x05, 0xC3, 0xC2, + 0x20, 0x0B, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0xAB, 0x30, 0x82, 0x01, 0xA7, 0x30, + 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, + 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x23, 0x34, 0xF8, 0xD9, 0x52, + 0x46, 0x70, 0x0A, 0xED, 0x40, 0xFB, 0x76, 0xFB, 0xB3, 0x2B, 0xB0, 0xC3, 0x35, 0xB3, 0x0F, 0x30, + 0x0B, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, + 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x81, + 0x98, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0x90, 0x30, 0x81, 0x8D, 0x80, 0x14, 0x0E, 0xAC, + 0x82, 0x60, 0x40, 0x56, 0x27, 0x97, 0xE5, 0x25, 0x13, 0xFC, 0x2A, 0xE1, 0x0A, 0x53, 0x95, 0x59, + 0xE4, 0xA4, 0xA1, 0x63, 0xA4, 0x61, 0x30, 0x5F, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A, 0x09, 0x92, + 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, + 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x82, 0x10, 0x79, 0xAD, 0x16, 0xA1, 0x4A, 0xA0, 0xA5, + 0xAD, 0x4C, 0x73, 0x58, 0xF4, 0x07, 0x13, 0x2E, 0x65, 0x30, 0x50, 0x06, 0x03, 0x55, 0x1D, 0x1F, + 0x04, 0x49, 0x30, 0x47, 0x30, 0x45, 0xA0, 0x43, 0xA0, 0x41, 0x86, 0x3F, 0x68, 0x74, 0x74, 0x70, + 0x3A, 0x2F, 0x2F, 0x63, 0x72, 0x6C, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, + 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x70, 0x72, 0x6F, + 0x64, 0x75, 0x63, 0x74, 0x73, 0x2F, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x72, + 0x6F, 0x6F, 0x74, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, 0x6C, 0x30, 0x54, 0x06, 0x08, 0x2B, + 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x48, 0x30, 0x46, 0x30, 0x44, 0x06, 0x08, 0x2B, + 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x38, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, + 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, + 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2F, 0x4D, 0x69, 0x63, 0x72, + 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x52, 0x6F, 0x6F, 0x74, 0x43, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, + 0x74, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x08, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x10, 0x97, 0x8A, 0xC3, 0x5C, 0x03, + 0x44, 0x36, 0xDD, 0xE9, 0xB4, 0xAD, 0x77, 0xDB, 0xCE, 0x79, 0x51, 0x4D, 0x01, 0xB1, 0x2E, 0x74, + 0x71, 0x5B, 0x6D, 0x0C, 0x13, 0xAB, 0xCE, 0xBE, 0x7B, 0x8F, 0xB8, 0x2E, 0xD4, 0x12, 0xA2, 0x8C, + 0x6D, 0x62, 0xB8, 0x57, 0x02, 0xCB, 0x4E, 0x20, 0x13, 0x50, 0x99, 0xDD, 0x7A, 0x40, 0xE2, 0x57, + 0xBB, 0xAF, 0x58, 0x9A, 0x1C, 0xE1, 0x1D, 0x01, 0x86, 0xAC, 0xBB, 0x78, 0xF2, 0x8B, 0xD0, 0xEC, + 0x3B, 0x01, 0xEE, 0xE2, 0xBE, 0x8F, 0x0A, 0x05, 0xC8, 0x8D, 0x48, 0xE2, 0xF0, 0x53, 0x15, 0xDD, + 0x4F, 0xAB, 0x92, 0xE4, 0xE7, 0x8D, 0x6A, 0xD5, 0x80, 0xC1, 0xE6, 0x94, 0xF2, 0x06, 0x2F, 0x85, + 0x03, 0xE9, 0x91, 0x2A, 0x24, 0x22, 0x70, 0xFB, 0xF6, 0xFC, 0xE4, 0x78, 0x99, 0x2E, 0x0D, 0xF7, + 0x07, 0xE2, 0x70, 0xBC, 0x18, 0x4E, 0x9D, 0x8E, 0x6B, 0x0A, 0x72, 0x95, 0xB8, 0xA1, 0x39, 0x9C, + 0x67, 0x2D, 0xC5, 0x51, 0x0E, 0xEA, 0x62, 0x5C, 0x3F, 0x16, 0x98, 0x8B, 0x20, 0x3F, 0xE2, 0x07, + 0x1A, 0x32, 0xF9, 0xCC, 0x31, 0x4A, 0x76, 0x31, 0x3D, 0x2B, 0x72, 0x0B, 0xC8, 0xEA, 0x70, 0x3D, + 0xFF, 0x85, 0x0A, 0x13, 0xDF, 0xC2, 0x0A, 0x61, 0x8E, 0xF0, 0xD7, 0xB8, 0x17, 0xEB, 0x4E, 0x8B, + 0x7F, 0xC5, 0x35, 0x2B, 0x5E, 0xA3, 0xBF, 0xEB, 0xBC, 0x7D, 0x0B, 0x42, 0x7B, 0xD4, 0x53, 0x72, + 0x21, 0xEE, 0x30, 0xCA, 0xBB, 0x78, 0x65, 0x5C, 0x5B, 0x01, 0x17, 0x0A, 0x14, 0x0E, 0xD2, 0xDA, + 0x14, 0x98, 0xF5, 0x3C, 0xB9, 0x66, 0x58, 0xB3, 0x2D, 0x2F, 0xE7, 0xF9, 0x85, 0x86, 0xCC, 0x51, + 0x56, 0xE8, 0x9D, 0x70, 0x94, 0x6C, 0xAC, 0x39, 0x4C, 0xD4, 0xF6, 0x79, 0xBF, 0xAA, 0x18, 0x7A, + 0x62, 0x29, 0xEF, 0xA2, 0x9B, 0x29, 0x34, 0x06, 0x77, 0x1A, 0x62, 0xC9, 0x3D, 0x1E, 0x6D, 0x1F, + 0x82, 0xF0, 0x0B, 0xC7, 0x2C, 0xBB, 0xCF, 0x43, 0xB3, 0xE5, 0xF9, 0xEC, 0x7D, 0xB5, 0xE3, 0xA4, + 0xA8, 0x74, 0x35, 0xB8, 0x4E, 0xC5, 0x71, 0x23, 0x12, 0x26, 0x76, 0x0B, 0x3C, 0x52, 0x8C, 0x71, + 0x5A, 0x46, 0x43, 0x14, 0xBC, 0xB3, 0xB3, 0xB0, 0x4D, 0x67, 0xC8, 0x9F, 0x42, 0xFF, 0x80, 0x79, + 0x21, 0x80, 0x9E, 0x15, 0x30, 0x66, 0xE8, 0x42, 0x12, 0x5E, 0x1A, 0xC8, 0x9E, 0x22, 0x21, 0xD0, + 0x43, 0xE9, 0x2B, 0xE9, 0xBB, 0xF4, 0x48, 0xCC, 0x2C, 0xD4, 0xD8, 0x32, 0x80, 0x4C, 0x26, 0x2A, + 0x48, 0x24, 0x5F, 0x5A, 0xEA, 0x56, 0xEF, 0xA6, 0xDE, 0x99, 0x9D, 0xCA, 0x3A, 0x6F, 0xBD, 0x81, + 0x27, 0x74, 0x06, 0x11, 0xEE, 0x76, 0x21, 0xBF, 0x9B, 0x82, 0xC1, 0x27, 0x54, 0xB6, 0xB1, 0x6A, + 0x3D, 0x89, 0xA1, 0x76, 0x61, 0xB4, 0x6E, 0xA1, 0x13, 0xA6, 0xBF, 0xAA, 0x47, 0xF0, 0x12, 0x6F, + 0xFD, 0x8A, 0x32, 0x6C, 0xB2, 0xFE, 0xDF, 0x51, 0xC8, 0x8C, 0x23, 0xC9, 0x66, 0xBD, 0x9D, 0x1D, + 0x87, 0x12, 0x64, 0x02, 0x3D, 0x2D, 0xAF, 0x59, 0x8F, 0xB8, 0xE4, 0x21, 0xE5, 0xB5, 0xB0, 0xCA, + 0x63, 0xB4, 0x78, 0x54, 0x05, 0xD4, 0x41, 0x2E, 0x50, 0xAC, 0x94, 0xB0, 0xA5, 0x78, 0xAB, 0xB3, + 0xA0, 0x96, 0x75, 0x1A, 0xD9, 0x92, 0x87, 0x13, 0x75, 0x22, 0x2F, 0x32, 0xA8, 0x08, 0x6E, 0xA0, + 0x5B, 0x8C, 0x25, 0xBF, 0xA0, 0xEF, 0x84, 0xCA, 0x21, 0xD6, 0xEB, 0x1E, 0x4F, 0xC9, 0x9A, 0xEE, + 0x49, 0xE0, 0xF7, 0x01, 0x65, 0x6F, 0x89, 0x0B, 0x7D, 0xC8, 0x69, 0xC8, 0xE6, 0x6E, 0xEA, 0xA7, + 0x97, 0xCE, 0x31, 0x29, 0xFF, 0x0E, 0xC5, 0x5B, 0x5C, 0xD8, 0x4D, 0x1B, 0xA1, 0xD8, 0xFA, 0x2F, + 0x9E, 0x3F, 0x2E, 0x55, 0x16, 0x6B, 0xC9, 0x13, 0xA3, 0xFD, 0x30, 0x82, 0x06, 0xA1, 0x30, 0x82, + 0x04, 0x89, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0A, 0x61, 0x07, 0x02, 0xDC, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0B, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, + 0x05, 0x00, 0x30, 0x5F, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, + 0x2C, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0A, 0x09, + 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6D, 0x69, 0x63, 0x72, 0x6F, + 0x73, 0x6F, 0x66, 0x74, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x4D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, + 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x30, 0x35, 0x30, 0x39, 0x31, 0x35, 0x32, 0x31, 0x35, + 0x35, 0x34, 0x31, 0x5A, 0x17, 0x0D, 0x31, 0x36, 0x30, 0x33, 0x31, 0x35, 0x32, 0x32, 0x30, 0x35, + 0x34, 0x31, 0x5A, 0x30, 0x81, 0x81, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, + 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, + 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, + 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x22, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x57, + 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, + 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC5, 0xAC, 0x93, 0x4E, 0xE6, 0x4A, 0x11, 0x9E, + 0x37, 0xD0, 0x35, 0xD2, 0xB0, 0x06, 0x5C, 0x83, 0x14, 0xA5, 0x61, 0x92, 0xFC, 0xFE, 0xB3, 0x89, + 0xC1, 0xE6, 0xCD, 0xC8, 0x1F, 0x31, 0x84, 0x09, 0x91, 0x34, 0x46, 0x92, 0x2C, 0xB8, 0xEE, 0x2C, + 0xC5, 0x20, 0x73, 0xC4, 0xE8, 0x1A, 0xD8, 0x8D, 0xCE, 0x7A, 0x68, 0xB5, 0x66, 0x78, 0x8B, 0xE5, + 0x60, 0x15, 0xA2, 0xF6, 0x29, 0x5A, 0x1D, 0x5E, 0x5D, 0xFC, 0x62, 0xD3, 0xC1, 0x5C, 0x29, 0x89, + 0xFB, 0x33, 0xF8, 0x16, 0x95, 0x36, 0xDD, 0xB1, 0x46, 0x74, 0x69, 0x72, 0x53, 0xD5, 0xAA, 0xE8, + 0x8A, 0x99, 0x1A, 0xD8, 0xF7, 0x67, 0x09, 0xD9, 0x09, 0x20, 0x22, 0x38, 0x7A, 0xD6, 0x03, 0x23, + 0xD7, 0x89, 0x9F, 0x1C, 0x01, 0xB7, 0x51, 0xDF, 0x98, 0x66, 0x2A, 0x02, 0x8B, 0x06, 0xEC, 0xE4, + 0x29, 0xEF, 0x5B, 0x42, 0x17, 0x15, 0x97, 0x51, 0x8D, 0x7D, 0x25, 0x0A, 0xAF, 0x25, 0xE8, 0xDE, + 0xDC, 0x9B, 0x67, 0x16, 0x0A, 0x56, 0x73, 0x9D, 0xB3, 0x1D, 0x85, 0x83, 0x0B, 0x7E, 0x33, 0x2B, + 0x62, 0x33, 0xCE, 0x1C, 0x20, 0x81, 0x4B, 0x5E, 0xD3, 0xC6, 0x49, 0xB8, 0xF6, 0x2E, 0xD3, 0x4E, + 0xB0, 0x71, 0x44, 0x46, 0x64, 0x3E, 0xDE, 0x43, 0x66, 0x04, 0xB9, 0xCC, 0x83, 0x48, 0x3A, 0xC5, + 0x36, 0x7A, 0x04, 0x48, 0x0B, 0x89, 0x02, 0x3D, 0x63, 0xA2, 0x01, 0x76, 0x29, 0x97, 0x75, 0xE9, + 0x01, 0xE6, 0x00, 0x97, 0x09, 0x92, 0xF8, 0xE2, 0x27, 0xF0, 0x29, 0x67, 0x43, 0x77, 0xC3, 0x50, + 0x96, 0x53, 0x31, 0xE1, 0xB6, 0x71, 0x8B, 0xEC, 0x77, 0xC7, 0x7C, 0x31, 0x48, 0xD5, 0xB8, 0x25, + 0x22, 0x8C, 0x00, 0xF7, 0x28, 0x38, 0x7A, 0xBD, 0x7C, 0xC7, 0x3F, 0xCD, 0x40, 0x26, 0x77, 0xDD, + 0x00, 0x00, 0x11, 0x9A, 0x95, 0xBE, 0x1F, 0xDB, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x02, + 0x3A, 0x30, 0x82, 0x02, 0x36, 0x30, 0x10, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, + 0x04, 0x14, 0x90, 0x8B, 0x11, 0xA5, 0x70, 0xED, 0xE0, 0xF9, 0xA9, 0xC0, 0xAC, 0x08, 0xC7, 0xB5, + 0xF4, 0x82, 0xB1, 0x3C, 0xC5, 0x4A, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x04, 0x04, 0x03, + 0x02, 0x01, 0xC6, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xFF, 0x30, 0x81, 0x98, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0x90, 0x30, + 0x81, 0x8D, 0x80, 0x14, 0x0E, 0xAC, 0x82, 0x60, 0x40, 0x56, 0x27, 0x97, 0xE5, 0x25, 0x13, 0xFC, + 0x2A, 0xE1, 0x0A, 0x53, 0x95, 0x59, 0xE4, 0xA4, 0xA1, 0x63, 0xA4, 0x61, 0x30, 0x5F, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x03, + 0x63, 0x6F, 0x6D, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, + 0x64, 0x01, 0x19, 0x16, 0x09, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x31, 0x2D, + 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x82, 0x10, 0x79, + 0xAD, 0x16, 0xA1, 0x4A, 0xA0, 0xA5, 0xAD, 0x4C, 0x73, 0x58, 0xF4, 0x07, 0x13, 0x2E, 0x65, 0x30, + 0x50, 0x06, 0x03, 0x55, 0x1D, 0x1F, 0x04, 0x49, 0x30, 0x47, 0x30, 0x45, 0xA0, 0x43, 0xA0, 0x41, + 0x86, 0x3F, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x72, 0x6C, 0x2E, 0x6D, 0x69, 0x63, + 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, + 0x72, 0x6C, 0x2F, 0x70, 0x72, 0x6F, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2F, 0x6D, 0x69, 0x63, 0x72, + 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x72, 0x6F, 0x6F, 0x74, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, + 0x6C, 0x30, 0x54, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x48, 0x30, + 0x46, 0x30, 0x44, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x38, 0x68, + 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, + 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x2F, 0x63, 0x65, 0x72, 0x74, + 0x73, 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x52, 0x6F, 0x6F, 0x74, 0x43, + 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, 0x74, 0x30, 0x81, 0x80, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x04, + 0x79, 0x30, 0x77, 0x30, 0x75, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x2F, + 0x30, 0x68, 0x30, 0x66, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x5A, + 0x1E, 0x58, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x70, 0x00, 0x79, 0x00, 0x72, 0x00, 0x69, 0x00, 0x67, + 0x00, 0x68, 0x00, 0x74, 0x00, 0x20, 0x00, 0xA9, 0x00, 0x20, 0x00, 0x31, 0x00, 0x39, 0x00, 0x39, + 0x00, 0x39, 0x00, 0x2D, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x35, 0x00, 0x20, 0x00, 0x4D, + 0x00, 0x69, 0x00, 0x63, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x73, 0x00, 0x6F, 0x00, 0x66, 0x00, 0x74, + 0x00, 0x20, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x61, + 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x2E, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, + 0x25, 0x04, 0x18, 0x30, 0x16, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x06, + 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x06, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x25, + 0x31, 0xA1, 0x58, 0xEA, 0x52, 0xE5, 0xE1, 0x17, 0x0C, 0xE6, 0xF1, 0x3F, 0x78, 0xA3, 0x3F, 0x72, + 0xAF, 0xA7, 0x57, 0x10, 0x53, 0x89, 0x10, 0x5E, 0x32, 0x9C, 0xB6, 0x70, 0xC3, 0x15, 0x2B, 0x4D, + 0x15, 0x30, 0x34, 0xE8, 0xC0, 0x6A, 0xE4, 0x1C, 0xD3, 0x2E, 0x20, 0x65, 0x48, 0xD7, 0x1B, 0x98, + 0x62, 0x21, 0xBA, 0x45, 0x9F, 0x4A, 0xEC, 0xDB, 0x2F, 0x09, 0x19, 0x51, 0xE5, 0xED, 0x32, 0x19, + 0x51, 0x2F, 0xE1, 0xDD, 0xFB, 0xC6, 0x52, 0xFD, 0xEB, 0xC6, 0x82, 0x25, 0x42, 0x03, 0x09, 0xA6, + 0x38, 0xB6, 0x36, 0x1F, 0xCC, 0xC9, 0x80, 0xBB, 0x5A, 0x69, 0x18, 0x31, 0xC3, 0xB3, 0xA0, 0xB3, + 0x67, 0x47, 0xBE, 0x9D, 0xC7, 0xE2, 0x3F, 0x96, 0xB3, 0x88, 0xF8, 0x19, 0xBE, 0x39, 0xB9, 0xE9, + 0x95, 0xCE, 0xFC, 0x7C, 0xAF, 0xA8, 0xCD, 0xD0, 0x41, 0x90, 0xE0, 0xD5, 0xB3, 0x1C, 0x2F, 0x68, + 0xBB, 0xDB, 0x0F, 0x6C, 0x6A, 0xDD, 0xF2, 0xAF, 0xDE, 0xF2, 0xB5, 0xDE, 0x0D, 0xB6, 0xA6, 0x5A, + 0xF0, 0x86, 0x0A, 0xB9, 0x6D, 0x99, 0x4B, 0x3F, 0x7B, 0x2D, 0x01, 0x84, 0x6C, 0x8F, 0x87, 0xDC, + 0x7F, 0x8F, 0xAB, 0x14, 0x88, 0xD0, 0x06, 0x91, 0x34, 0xBE, 0x1B, 0x82, 0x22, 0xA4, 0xBC, 0x55, + 0x8A, 0xAD, 0x9B, 0xFC, 0x73, 0x14, 0x10, 0xC4, 0xC9, 0x19, 0x1E, 0x07, 0x7D, 0x9B, 0x0E, 0xC0, + 0x95, 0x26, 0x5D, 0xC6, 0x1F, 0xAC, 0xB4, 0xF2, 0x7E, 0xBA, 0x25, 0x70, 0x4A, 0x7B, 0xD7, 0x8E, + 0xD1, 0x9D, 0xA0, 0x13, 0x49, 0x7A, 0xB0, 0x02, 0x52, 0x52, 0x24, 0xF4, 0xAF, 0xDD, 0x40, 0x2D, + 0xE5, 0x3E, 0x32, 0x58, 0xB3, 0x4A, 0x6A, 0xDD, 0x11, 0x59, 0xAA, 0x2D, 0xBC, 0xA4, 0xA0, 0x73, + 0x38, 0xF9, 0x40, 0x77, 0x6B, 0x34, 0x19, 0x57, 0xCD, 0x38, 0x68, 0x27, 0x82, 0xF8, 0xD1, 0x6F, + 0xEB, 0x23, 0xC0, 0x3F, 0x52, 0xF3, 0x4E, 0xD5, 0x02, 0x3E, 0x6A, 0x9A, 0x2B, 0xC1, 0xF5, 0x31, + 0x71, 0xDB, 0x41, 0x4D, 0x3B, 0xDE, 0xEF, 0xAD, 0xAF, 0x1F, 0x88, 0x65, 0x43, 0x1B, 0x51, 0xB7, + 0x9A, 0x75, 0xCA, 0x8E, 0x69, 0x49, 0x10, 0x8F, 0x78, 0x8A, 0x74, 0x45, 0xB9, 0x09, 0x8E, 0x73, + 0x77, 0x07, 0x32, 0x4A, 0x4B, 0xD7, 0x68, 0x2B, 0x98, 0xC5, 0xBA, 0x54, 0xEA, 0x3F, 0xCB, 0xA2, + 0x00, 0x8C, 0xBB, 0xD8, 0x10, 0x58, 0xF2, 0xDB, 0xDC, 0x9B, 0xCD, 0xD8, 0xEA, 0x48, 0x43, 0xE2, + 0x4A, 0x7E, 0x65, 0xB2, 0xDC, 0xF5, 0x2D, 0x4E, 0x25, 0x67, 0xA8, 0xE0, 0xB5, 0xBA, 0xA7, 0xDD, + 0x7E, 0x5E, 0xC1, 0x4C, 0x02, 0x74, 0xC9, 0xB3, 0x6E, 0xE3, 0xF8, 0xF0, 0x0B, 0xED, 0xFC, 0xB9, + 0x29, 0xC5, 0x5B, 0xC9, 0x36, 0x51, 0x90, 0xDB, 0x78, 0x7D, 0xB9, 0x32, 0x0F, 0x5E, 0x76, 0xD2, + 0x15, 0x5C, 0x3B, 0x37, 0x21, 0xC6, 0xDB, 0xC9, 0x19, 0x6E, 0xED, 0x74, 0x2A, 0x5C, 0x2C, 0x0B, + 0x51, 0x49, 0x45, 0x53, 0xB0, 0xB2, 0xB3, 0x23, 0xD4, 0xA1, 0xB0, 0x5F, 0x0D, 0x19, 0xCD, 0x14, + 0xA7, 0xE3, 0x3C, 0x9B, 0x97, 0x72, 0x94, 0x14, 0xDF, 0xFF, 0xC1, 0x90, 0x1B, 0xA5, 0xDF, 0xF5, + 0xA9, 0xF3, 0x1B, 0x17, 0xDA, 0xB5, 0xFC, 0x44, 0xE0, 0xE8, 0xE2, 0x3C, 0xA2, 0x7A, 0xBB, 0xBB, + 0x65, 0xE6, 0x4D, 0xB1, 0xB5, 0x15, 0xA1, 0xD9, 0x67, 0x3B, 0xB0, 0x0C, 0x7D, 0x3B, 0xE9, 0xEE, + 0x51, 0x2A, 0x47, 0xF5, 0x15, 0x0F, 0x8C, 0xAD, 0x5D, 0x2E, 0x35, 0xDF, 0xF4, 0xA4, 0x2E, 0xF6, + 0x13, 0x37, 0x5A, 0x2B, 0xE8, 0x55, 0x9A, 0x49, 0x2C, 0x97, 0xCE, 0x9D, 0x01, 0x9E, 0x97, 0x46, + 0x5C, 0xD9, 0x2D, 0xBC, 0x24, 0x5A, 0x95, 0x59, 0x6F, 0x4D, 0xCA, 0x9D, 0xD6, 0x57, 0x26, 0x31, + 0x82, 0x04, 0x96, 0x30, 0x82, 0x04, 0x92, 0x02, 0x01, 0x01, 0x30, 0x81, 0x90, 0x30, 0x81, 0x81, + 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, + 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, + 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, + 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4D, + 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, + 0x20, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x43, + 0x41, 0x02, 0x0A, 0x61, 0x01, 0xC6, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x30, 0x09, 0x06, + 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0xA0, 0x81, 0xBA, 0x30, 0x19, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03, 0x31, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, + 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0x30, 0x1C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, + 0x37, 0x02, 0x01, 0x0B, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, + 0x37, 0x02, 0x01, 0x15, 0x30, 0x23, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, + 0x04, 0x31, 0x16, 0x04, 0x14, 0xC5, 0xC5, 0xC1, 0xC3, 0x46, 0xC4, 0x12, 0xB9, 0x38, 0xED, 0xE5, + 0x7E, 0x66, 0x78, 0x4E, 0x8F, 0x55, 0x10, 0x7D, 0xAC, 0x30, 0x5A, 0x06, 0x0A, 0x2B, 0x06, 0x01, + 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0C, 0x31, 0x4C, 0x30, 0x4A, 0xA0, 0x24, 0x80, 0x22, 0x00, + 0x4D, 0x00, 0x69, 0x00, 0x63, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x73, 0x00, 0x6F, 0x00, 0x66, 0x00, + 0x74, 0x00, 0x20, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, + 0x73, 0xA1, 0x22, 0x80, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, + 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x77, 0x69, + 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xC0, 0x53, 0x19, 0xE7, 0x27, 0xE6, 0xD6, 0xD7, + 0xA8, 0xAE, 0xA0, 0xE6, 0x4C, 0xEF, 0x9A, 0xBC, 0x1D, 0x19, 0xD4, 0xC5, 0x7F, 0x7C, 0x71, 0xFF, + 0x14, 0x7C, 0xAD, 0x7A, 0x8F, 0x2D, 0x0F, 0x40, 0x38, 0x9B, 0x83, 0x09, 0xEE, 0xF5, 0x34, 0x92, + 0xB4, 0x85, 0x34, 0x7C, 0xBA, 0x9B, 0x58, 0x5D, 0xA6, 0x15, 0xDE, 0x99, 0xBF, 0x25, 0x89, 0xDB, + 0xC0, 0x3A, 0x98, 0x21, 0x1C, 0x25, 0x09, 0xBD, 0x41, 0xAA, 0x0F, 0x90, 0x6C, 0x62, 0xE9, 0xBD, + 0x1D, 0xDD, 0x7C, 0xA4, 0x1F, 0x19, 0x3F, 0xC8, 0x11, 0xF5, 0x1C, 0x9E, 0xEA, 0x2E, 0x1A, 0xCE, + 0x5A, 0x61, 0x8A, 0x77, 0xFA, 0x65, 0x1F, 0x03, 0xB4, 0x45, 0x02, 0x0F, 0xB4, 0x0E, 0xB9, 0x44, + 0xF6, 0x75, 0xF6, 0x67, 0x91, 0xAD, 0xFA, 0xF9, 0xC3, 0xFA, 0x63, 0x91, 0x58, 0xFE, 0x40, 0xDF, + 0x92, 0x6B, 0x59, 0x42, 0x44, 0x66, 0xD2, 0x88, 0x49, 0x59, 0x29, 0x1D, 0x6A, 0xF9, 0x93, 0x9B, + 0xD5, 0x38, 0x84, 0x96, 0xD7, 0xAF, 0xBA, 0xEC, 0x29, 0x8D, 0x06, 0x8C, 0x8B, 0xF4, 0xA1, 0x56, + 0x0F, 0x78, 0x3F, 0x35, 0xCB, 0x12, 0x8A, 0x85, 0xD5, 0x7C, 0xFC, 0x63, 0xDD, 0x72, 0xA1, 0x13, + 0xD3, 0x25, 0x4A, 0x59, 0x21, 0xD0, 0xC6, 0x47, 0x9F, 0x22, 0xF7, 0xF8, 0x32, 0xA2, 0x05, 0x2B, + 0x53, 0xC5, 0x96, 0x98, 0x0D, 0x39, 0x02, 0xAD, 0x85, 0xF7, 0x18, 0x73, 0x34, 0x12, 0x7F, 0x5A, + 0xCB, 0xE1, 0xA2, 0xFB, 0x4E, 0x25, 0x81, 0xF0, 0x9F, 0x7A, 0x79, 0xDB, 0x4F, 0x4B, 0x66, 0x44, + 0x30, 0x8E, 0x0D, 0x57, 0x23, 0xD3, 0x7F, 0x60, 0x87, 0xDE, 0xD0, 0x4C, 0x90, 0x90, 0x84, 0x64, + 0x70, 0xE8, 0x15, 0x65, 0xCA, 0x18, 0xF8, 0x9A, 0xB6, 0x0C, 0x24, 0xF5, 0xDF, 0xC3, 0x47, 0xE2, + 0x7C, 0xAD, 0x91, 0x70, 0x6D, 0xF8, 0x43, 0xE9, 0xA1, 0x82, 0x02, 0x1D, 0x30, 0x82, 0x02, 0x19, + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x06, 0x31, 0x82, 0x02, 0x0A, 0x30, + 0x82, 0x02, 0x06, 0x02, 0x01, 0x01, 0x30, 0x81, 0x85, 0x30, 0x77, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, + 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, + 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, + 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, + 0x6F, 0x66, 0x74, 0x20, 0x54, 0x69, 0x6D, 0x65, 0x2D, 0x53, 0x74, 0x61, 0x6D, 0x70, 0x20, 0x50, + 0x43, 0x41, 0x02, 0x0A, 0x61, 0x03, 0xDC, 0xF6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x30, 0x07, + 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0xA0, 0x5D, 0x30, 0x18, 0x06, 0x09, 0x2A, 0x86, 0x48, + 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03, 0x31, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x07, 0x01, 0x30, 0x1C, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x05, + 0x31, 0x0F, 0x17, 0x0D, 0x30, 0x39, 0x30, 0x34, 0x32, 0x32, 0x30, 0x35, 0x35, 0x34, 0x33, 0x34, + 0x5A, 0x30, 0x23, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04, 0x31, 0x16, + 0x04, 0x14, 0x74, 0xD7, 0x54, 0xA0, 0xC0, 0x9E, 0x62, 0xF0, 0xDD, 0x92, 0xDC, 0xD6, 0x96, 0x34, + 0xA1, 0x0B, 0xF0, 0xD5, 0xB5, 0x3A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x05, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x8D, 0x16, 0xB5, 0xC8, 0x3D, 0xBC, 0x8A, + 0xB5, 0xC3, 0x23, 0xF3, 0x33, 0xB0, 0xFA, 0x75, 0xAD, 0xAC, 0x53, 0x0D, 0x5C, 0xF4, 0xD9, 0xBE, + 0x63, 0xEB, 0x0D, 0x6F, 0x69, 0x63, 0x91, 0xF8, 0x8E, 0x67, 0x03, 0xE1, 0xC6, 0x2E, 0xCD, 0x9C, + 0xEB, 0xDD, 0x9C, 0xCA, 0x65, 0x4A, 0xBB, 0xF2, 0xF4, 0x1C, 0x85, 0x44, 0xD6, 0x58, 0x70, 0x2E, + 0x3B, 0xFE, 0x97, 0xD0, 0xEC, 0x72, 0x77, 0x20, 0xA8, 0x20, 0xAC, 0xF0, 0xED, 0x86, 0xC4, 0xFF, + 0x3A, 0x3D, 0x40, 0xD9, 0xF6, 0xD5, 0x99, 0xBE, 0xCC, 0xD2, 0xD8, 0xBA, 0x71, 0x51, 0x60, 0xAA, + 0x72, 0x36, 0x13, 0x8B, 0x0A, 0xA9, 0xD6, 0xF5, 0x36, 0xE0, 0x44, 0x6B, 0xC1, 0x44, 0x42, 0x43, + 0x56, 0x1A, 0xD6, 0xF1, 0x5A, 0x98, 0xCC, 0xBA, 0xA9, 0x4C, 0xCF, 0xC9, 0x86, 0xC3, 0x5B, 0x1C, + 0xDF, 0x75, 0x22, 0x54, 0x6A, 0xF0, 0x18, 0x34, 0x0B, 0x29, 0xB0, 0x26, 0x07, 0x59, 0xB6, 0x52, + 0x7B, 0x69, 0x74, 0x11, 0x1B, 0xB8, 0x29, 0x19, 0x36, 0x0E, 0xB7, 0x65, 0xCB, 0x87, 0x09, 0x9E, + 0x03, 0x28, 0x6C, 0xDB, 0xA7, 0xFB, 0xDF, 0xC7, 0xF7, 0xCE, 0x0D, 0xC2, 0xBA, 0xEA, 0x3C, 0xE8, + 0x43, 0x1E, 0x7F, 0xF2, 0x64, 0xDA, 0x87, 0x89, 0xC0, 0xCD, 0x67, 0xE4, 0x84, 0x9B, 0xA7, 0x77, + 0xFA, 0x6C, 0x69, 0x19, 0x5B, 0xD1, 0xF7, 0xD9, 0x07, 0x91, 0x50, 0xDD, 0x98, 0x26, 0x10, 0xE3, + 0x2E, 0x39, 0x62, 0xF0, 0x56, 0xE9, 0xD9, 0x5C, 0x85, 0x67, 0x9B, 0x2F, 0xDE, 0xD1, 0x00, 0x45, + 0x0E, 0x99, 0x1F, 0xDF, 0x7E, 0xC9, 0x10, 0x56, 0xC7, 0x00, 0x6D, 0x5F, 0x23, 0x57, 0x12, 0x84, + 0xCD, 0xAC, 0x82, 0xAE, 0x39, 0x52, 0xA5, 0x19, 0x23, 0xA3, 0x6B, 0xE7, 0x49, 0x8F, 0x86, 0x74, + 0x46, 0x41, 0x2A, 0x0F, 0x3D, 0x29, 0xB7, 0xAE, 0x8C, 0x00 + }; + +// +// Sample Authenticode Data with SHA-256 hash algorithm. +// This data should be retrieved from signed PE/COFF image according to SECURITY +// directory in PE/COFF Header. +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 AuthenticodeWithSha256[] = { + 0x30, 0x82, 0x0e, 0xd1, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, + 0x82, 0x0e, 0xc2, 0x30, 0x82, 0x0e, 0xbe, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x5c, 0x06, 0x0a, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0xa0, 0x4e, 0x30, 0x4c, 0x30, 0x17, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f, 0x30, 0x09, 0x03, 0x01, 0x00, + 0xa0, 0x04, 0xa2, 0x02, 0x80, 0x00, 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20, 0x61, 0x82, 0xb7, 0xf8, 0x8c, 0xff, 0xc2, + 0xeb, 0x79, 0x6e, 0x9d, 0xa9, 0xdd, 0x39, 0x52, 0xdd, 0x36, 0xdd, 0xf1, 0x43, 0x27, 0x58, 0x8c, + 0xa7, 0xcc, 0xae, 0xde, 0xdd, 0x3c, 0x02, 0x12, 0x49, 0xa0, 0x82, 0x0c, 0x0a, 0x30, 0x82, 0x05, + 0xe5, 0x30, 0x82, 0x03, 0xcd, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0a, 0x61, 0x03, 0x5f, 0x09, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x90, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, + 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3a, 0x30, 0x38, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x31, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, 0x30, 0x36, + 0x32, 0x31, 0x32, 0x32, 0x35, 0x35, 0x30, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x36, 0x32, + 0x31, 0x32, 0x33, 0x30, 0x35, 0x30, 0x31, 0x5a, 0x30, 0x81, 0x81, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6f, 0x6d, + 0x31, 0x19, 0x30, 0x17, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, + 0x16, 0x09, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x04, 0x63, 0x6f, 0x72, + 0x70, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, + 0x19, 0x16, 0x07, 0x72, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x17, 0x4d, 0x53, 0x49, 0x54, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, + 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x41, 0x20, 0x33, 0x30, 0x82, 0x01, 0x22, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x9b, 0x71, 0xdd, + 0x0d, 0x32, 0x2d, 0x08, 0xe8, 0x2d, 0x01, 0x90, 0x9c, 0xdf, 0x9f, 0x32, 0x58, 0x8b, 0x47, 0xd0, + 0xfe, 0x9a, 0x6b, 0x40, 0x5e, 0x76, 0xa2, 0x10, 0x00, 0x0e, 0xd2, 0x8f, 0xce, 0xa1, 0x5f, 0x42, + 0xa7, 0x0b, 0x5e, 0x83, 0xc2, 0xe9, 0x06, 0xa6, 0x0a, 0xb4, 0x3d, 0x30, 0x50, 0xdb, 0x35, 0x43, + 0x2c, 0xd3, 0xc3, 0xc6, 0x3c, 0xc9, 0xb5, 0x88, 0xfc, 0x0b, 0xe6, 0xa3, 0x71, 0x47, 0xce, 0xfd, + 0x88, 0x62, 0xa4, 0x25, 0xe2, 0x4e, 0x1b, 0x79, 0x3d, 0xe3, 0xbf, 0x8b, 0x84, 0x2d, 0x64, 0x25, + 0xa5, 0xfa, 0x8e, 0x30, 0xae, 0xe3, 0x34, 0x7d, 0x27, 0xf3, 0x5e, 0xf4, 0x05, 0x60, 0xc6, 0x0f, + 0x1a, 0x1b, 0x9e, 0xaf, 0x21, 0x37, 0xa9, 0xd9, 0xb6, 0xb7, 0x6a, 0x54, 0x4b, 0x5e, 0xa0, 0x75, + 0xb5, 0x9a, 0xc4, 0xb6, 0xbe, 0x28, 0xe3, 0x3b, 0xf7, 0x5a, 0x08, 0x77, 0xd9, 0x39, 0x4a, 0x2a, + 0x7a, 0xf8, 0xf4, 0xfe, 0xe8, 0x12, 0x54, 0x41, 0x11, 0x55, 0xc8, 0xc7, 0x98, 0x3e, 0x64, 0xa5, + 0xbb, 0xda, 0x6b, 0xa4, 0xaa, 0x29, 0x8c, 0x9f, 0x27, 0x55, 0x25, 0xe7, 0xfd, 0x31, 0x70, 0x60, + 0x1d, 0xd3, 0xc4, 0xf2, 0xb9, 0xef, 0x92, 0x4a, 0x9f, 0xc8, 0x4c, 0x93, 0xe7, 0x19, 0xa8, 0x4e, + 0xbc, 0xe3, 0x62, 0xf4, 0xe0, 0x6e, 0xec, 0x45, 0x6e, 0x61, 0x4e, 0xad, 0x58, 0xe0, 0xf0, 0xea, + 0xf7, 0x74, 0x2c, 0xdf, 0x1b, 0xf6, 0x43, 0x3c, 0x84, 0xc2, 0x8c, 0x0b, 0xb4, 0xbd, 0x4a, 0x57, + 0xa6, 0x0c, 0x4e, 0x9e, 0x73, 0x43, 0x5f, 0x2d, 0xaf, 0x22, 0xf4, 0xa6, 0xfd, 0x5a, 0x87, 0xb9, + 0xbe, 0x6f, 0x9e, 0x1d, 0x99, 0xc8, 0xdf, 0x95, 0xc2, 0x02, 0xad, 0x7d, 0x4a, 0xf3, 0xba, 0x5d, + 0xe8, 0x7b, 0x6e, 0x57, 0xe5, 0x3a, 0x02, 0xf8, 0xd3, 0x01, 0x15, 0xae, 0x4f, 0x02, 0x03, 0x01, + 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, + 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x4e, 0xfe, 0x61, 0x39, 0x6f, 0xca, 0xc5, 0x64, 0xe0, + 0x20, 0xb6, 0xda, 0xc1, 0xb9, 0x52, 0x0e, 0xca, 0xdf, 0x8e, 0xfe, 0x30, 0x19, 0x06, 0x09, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, + 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, + 0x02, 0x01, 0x86, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, + 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0xa3, 0x01, 0x04, 0x7e, 0x30, 0x88, 0x33, 0xeb, 0xb9, 0x31, 0x9c, 0xca, + 0xeb, 0x85, 0x76, 0x67, 0xfc, 0x65, 0xb4, 0xd1, 0x30, 0x59, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, + 0x52, 0x30, 0x50, 0x30, 0x4e, 0xa0, 0x4c, 0xa0, 0x4a, 0x86, 0x48, 0x68, 0x74, 0x74, 0x70, 0x3a, + 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, + 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x54, 0x65, 0x73, 0x52, 0x6f, 0x6f, 0x43, 0x65, + 0x72, 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x31, 0x37, 0x2e, + 0x63, 0x72, 0x6c, 0x30, 0x5d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, + 0x51, 0x30, 0x4f, 0x30, 0x4d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, + 0x41, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, + 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, + 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x54, 0x65, 0x73, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, + 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x31, 0x37, 0x2e, 0x63, + 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x91, 0x2d, 0x11, 0x36, 0xd1, 0x2c, 0x5e, 0x21, 0x77, 0x62, + 0x1a, 0xa1, 0xcf, 0x9a, 0x7e, 0x62, 0x2d, 0xc9, 0x90, 0xb9, 0x0e, 0x3d, 0x71, 0x0d, 0xa0, 0x4a, + 0x48, 0xad, 0xe1, 0xd6, 0xb0, 0x73, 0x4a, 0x51, 0x4b, 0x4c, 0xb2, 0x6b, 0x88, 0x0a, 0x5a, 0xb7, + 0xe9, 0x55, 0x67, 0x43, 0x8b, 0xf1, 0x9d, 0xcc, 0x52, 0x03, 0xaf, 0xac, 0x85, 0xe9, 0xd3, 0x75, + 0xce, 0xe5, 0x6f, 0x8b, 0x3c, 0x80, 0x81, 0xab, 0xd1, 0xd1, 0x73, 0x0d, 0x6b, 0xb0, 0x51, 0xb8, + 0xa2, 0x5e, 0x0c, 0x09, 0xe5, 0xa6, 0xbc, 0x54, 0x49, 0xe5, 0x54, 0x38, 0x5a, 0xb7, 0x43, 0xd2, + 0x75, 0x34, 0x52, 0xdd, 0x35, 0x79, 0x95, 0x98, 0xd5, 0x3c, 0xc6, 0xda, 0x46, 0xb2, 0xd8, 0xa0, + 0xa7, 0xcc, 0x30, 0x31, 0x0f, 0x4b, 0xeb, 0xb7, 0x02, 0xab, 0x2b, 0x38, 0xd2, 0xb7, 0x27, 0xc2, + 0xc7, 0x0d, 0x62, 0xa4, 0xc0, 0x48, 0xf4, 0x1a, 0x48, 0x79, 0x7d, 0xe1, 0x31, 0xa4, 0x5d, 0x19, + 0xd0, 0x18, 0x17, 0x00, 0xca, 0xe3, 0x5d, 0x0b, 0xc1, 0x85, 0x7f, 0xf1, 0xbe, 0xd3, 0xcb, 0x97, + 0xf4, 0x1b, 0x62, 0x0f, 0xd7, 0x14, 0x38, 0x8d, 0xb2, 0x2e, 0x98, 0xd4, 0x41, 0x6a, 0xb0, 0xb5, + 0x84, 0xee, 0xd8, 0x2c, 0x2d, 0x13, 0xfc, 0x50, 0x1d, 0x9a, 0x6f, 0x31, 0x87, 0x1c, 0xe0, 0xd0, + 0xd0, 0xd3, 0x24, 0x52, 0xdf, 0x12, 0x8d, 0xfb, 0xf7, 0x7f, 0x33, 0x04, 0x17, 0x7a, 0x8b, 0xe3, + 0xbd, 0x7c, 0x1e, 0xa2, 0x2a, 0x91, 0x76, 0xd9, 0xfc, 0x43, 0x17, 0xa7, 0x0a, 0xa1, 0xd9, 0xc6, + 0x3c, 0x3a, 0x42, 0xed, 0xb7, 0x12, 0xcd, 0x9e, 0xdd, 0xfe, 0x91, 0x9d, 0x98, 0xb5, 0x35, 0xe8, + 0x94, 0xdd, 0x9a, 0xce, 0xd4, 0xf4, 0xac, 0xca, 0xa6, 0xcd, 0x59, 0x3d, 0xde, 0x44, 0xbf, 0x0e, + 0x82, 0xe5, 0xdf, 0x5c, 0xe3, 0x49, 0xcb, 0x01, 0xa0, 0x7f, 0x7b, 0xe2, 0x25, 0x21, 0xab, 0x95, + 0x50, 0x1e, 0x9f, 0xea, 0x77, 0x56, 0x47, 0x74, 0x73, 0xf2, 0x25, 0x1b, 0x0e, 0x36, 0xb9, 0xa2, + 0x57, 0xbf, 0x2c, 0x57, 0xbc, 0xe4, 0xfb, 0x88, 0xb1, 0x83, 0x56, 0xd8, 0x3c, 0xe0, 0x7c, 0xfd, + 0x11, 0x9f, 0xde, 0xe1, 0xb7, 0xd4, 0xc6, 0x23, 0xaf, 0xae, 0xc7, 0x5e, 0x4f, 0xc5, 0x23, 0x74, + 0x98, 0x38, 0x74, 0x9d, 0x0d, 0x0d, 0x6d, 0xf4, 0xde, 0x28, 0x44, 0x41, 0xd8, 0x22, 0x68, 0xe7, + 0x57, 0xa7, 0x66, 0x74, 0xb5, 0xc3, 0x31, 0x24, 0xe2, 0x7c, 0xd5, 0x52, 0x5d, 0x8a, 0xd2, 0x4e, + 0x14, 0xbb, 0x08, 0xd3, 0x1a, 0x31, 0x12, 0x04, 0x58, 0x9b, 0x3a, 0x99, 0x78, 0x93, 0x51, 0x3f, + 0x0b, 0x85, 0xce, 0xde, 0x09, 0x58, 0xf9, 0x96, 0x1b, 0x91, 0x11, 0xa0, 0x68, 0x53, 0x33, 0xcb, + 0xbe, 0x08, 0x89, 0xcc, 0x95, 0x55, 0xae, 0x06, 0x78, 0x27, 0x99, 0xa2, 0x56, 0xef, 0xae, 0x95, + 0x0a, 0x7f, 0x0d, 0xeb, 0x43, 0x0c, 0xc6, 0x9e, 0x3f, 0x80, 0xbb, 0xc4, 0x74, 0x03, 0x9d, 0xb8, + 0x1a, 0xaa, 0xbc, 0xcb, 0x1e, 0x03, 0xfb, 0xd8, 0x49, 0x89, 0x9d, 0x20, 0xaa, 0x25, 0x4b, 0x47, + 0x67, 0xf4, 0xa7, 0x0d, 0x8d, 0x76, 0x30, 0xc6, 0x48, 0xce, 0xdd, 0x8d, 0xfa, 0xbe, 0xda, 0xb4, + 0xeb, 0x3d, 0xd8, 0x0c, 0x3b, 0x15, 0x9a, 0xd1, 0x83, 0x85, 0xe5, 0xe3, 0x92, 0xaa, 0x3b, 0xad, + 0x34, 0x0c, 0x39, 0xf1, 0x7f, 0x75, 0xae, 0xe8, 0x70, 0xb0, 0xfd, 0xf2, 0x8e, 0x29, 0xda, 0xdc, + 0x09, 0x4f, 0x8a, 0x7b, 0x63, 0xbe, 0x1e, 0x8a, 0xc3, 0x58, 0xd1, 0x03, 0xbe, 0x37, 0xe9, 0xed, + 0x32, 0x26, 0xa8, 0x0c, 0xfe, 0xed, 0x12, 0xa7, 0x63, 0x04, 0xb3, 0x92, 0x97, 0xd9, 0x46, 0xa3, + 0x33, 0x33, 0x9c, 0x5b, 0xbc, 0x54, 0x30, 0x82, 0x06, 0x1d, 0x30, 0x82, 0x05, 0x05, 0xa0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x0a, 0x4e, 0x30, 0xa5, 0xbb, 0x00, 0x00, 0x00, 0x12, 0x7b, 0xf2, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, + 0x81, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, + 0x19, 0x16, 0x03, 0x63, 0x6f, 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, + 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, + 0x74, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, + 0x19, 0x16, 0x04, 0x63, 0x6f, 0x72, 0x70, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, + 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x72, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, + 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x17, 0x4d, 0x53, 0x49, 0x54, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x41, + 0x20, 0x33, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30, 0x34, 0x32, 0x31, 0x30, 0x33, 0x33, 0x33, + 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x34, 0x32, 0x30, 0x30, 0x33, 0x33, 0x33, 0x34, + 0x39, 0x5a, 0x30, 0x70, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, + 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, + 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x13, 0x11, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, + 0x64, 0x6f, 0x77, 0x73, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x9f, 0xcb, 0x8c, 0x5e, 0x61, 0x19, 0xb5, 0x37, 0x72, 0xd1, + 0xe2, 0x88, 0x1f, 0x37, 0x56, 0xce, 0xa8, 0x88, 0x05, 0x3e, 0xe8, 0xa6, 0x8d, 0xfd, 0x0b, 0x30, + 0x63, 0x54, 0x89, 0x1d, 0xda, 0x11, 0x70, 0x5a, 0x06, 0x00, 0x86, 0xd7, 0x7f, 0xe6, 0x21, 0x70, + 0x41, 0x81, 0x26, 0x4b, 0x6e, 0xc7, 0x02, 0xe2, 0xbf, 0x61, 0x45, 0x04, 0x2f, 0x45, 0xbc, 0xd2, + 0x0d, 0xf6, 0xac, 0xda, 0x91, 0x6d, 0xc6, 0x60, 0xad, 0xb3, 0x0b, 0x32, 0xe5, 0x13, 0x95, 0x96, + 0x02, 0x4e, 0x10, 0xad, 0x2e, 0x6c, 0xb0, 0xc7, 0x65, 0x6d, 0xea, 0x89, 0x91, 0x67, 0x73, 0x5d, + 0x05, 0x12, 0x9f, 0x95, 0x74, 0x6a, 0x6d, 0xb0, 0x6a, 0xd8, 0x94, 0x9b, 0xb0, 0x70, 0x79, 0xb0, + 0x85, 0x42, 0xe7, 0xd7, 0x19, 0xc4, 0x33, 0xfd, 0xac, 0xbe, 0x2b, 0xd5, 0x7e, 0x5a, 0xa9, 0xc7, + 0xa7, 0x68, 0x53, 0xed, 0xaa, 0x51, 0x2a, 0x6b, 0xac, 0x5a, 0xd7, 0x6e, 0xcf, 0x68, 0x60, 0x90, + 0xc7, 0xda, 0xd1, 0xe7, 0xf2, 0x53, 0x4a, 0x01, 0xaf, 0xe8, 0xb1, 0x29, 0x91, 0xab, 0x4c, 0x58, + 0x64, 0xe6, 0xb6, 0xcc, 0xdc, 0x0f, 0x43, 0xf2, 0x87, 0x15, 0xf8, 0x73, 0x06, 0xb8, 0x1f, 0xaa, + 0xf2, 0x66, 0x49, 0x82, 0xca, 0xf0, 0xdd, 0x4c, 0x7c, 0xd5, 0xe7, 0x59, 0xb7, 0xc6, 0xd3, 0x81, + 0x29, 0x5c, 0xce, 0xe4, 0xfd, 0xf7, 0xeb, 0x58, 0x6b, 0x50, 0x79, 0x72, 0x83, 0x4d, 0x59, 0xec, + 0xd1, 0xd2, 0xfc, 0x3a, 0x10, 0xc5, 0x7a, 0xba, 0x90, 0xea, 0xfd, 0x54, 0xc7, 0xc8, 0x58, 0x2d, + 0x84, 0xe5, 0x5b, 0x51, 0x98, 0x2c, 0x36, 0x7c, 0x42, 0x2b, 0xb1, 0x62, 0x4b, 0x0f, 0xf9, 0x72, + 0xd3, 0x3f, 0x99, 0xc8, 0xb4, 0x02, 0x17, 0x39, 0xe5, 0x0b, 0xf2, 0x5d, 0x2d, 0x7f, 0x23, 0x41, + 0xcd, 0x58, 0x3a, 0x25, 0x75, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0xa5, 0x30, 0x82, + 0x02, 0xa1, 0x30, 0x3d, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x07, 0x04, + 0x30, 0x30, 0x2e, 0x06, 0x26, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x08, 0x83, 0xcf, + 0x89, 0x4d, 0xad, 0xf2, 0x02, 0x85, 0xa1, 0x9f, 0x0c, 0x82, 0xfa, 0xca, 0x7d, 0x81, 0xe1, 0xfb, + 0x74, 0x81, 0x4f, 0x84, 0x9a, 0xf1, 0x69, 0x85, 0xa1, 0xad, 0x1d, 0x02, 0x01, 0x64, 0x02, 0x01, + 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x29, + 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x0a, 0x04, 0x1c, 0x30, 0x1a, 0x30, + 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x06, 0x30, 0x0a, 0x06, + 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x25, + 0x04, 0x18, 0x30, 0x16, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x06, + 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0xc9, 0x5a, 0xb3, 0x11, 0x02, 0x66, 0x71, 0x8c, 0x5b, 0x06, 0x80, + 0x8a, 0x6d, 0x4f, 0x5b, 0xf2, 0xb5, 0x67, 0x45, 0xb5, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d, 0x11, + 0x04, 0x29, 0x30, 0x27, 0xa0, 0x25, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, + 0x02, 0x03, 0xa0, 0x17, 0x0c, 0x15, 0x77, 0x69, 0x6e, 0x63, 0x62, 0x6c, 0x64, 0x40, 0x6d, 0x69, + 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1f, 0x06, 0x03, 0x55, + 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x4e, 0xfe, 0x61, 0x39, 0x6f, 0xca, 0xc5, 0x64, + 0xe0, 0x20, 0xb6, 0xda, 0xc1, 0xb9, 0x52, 0x0e, 0xca, 0xdf, 0x8e, 0xfe, 0x30, 0x81, 0xe8, 0x06, + 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x81, 0xe0, 0x30, 0x81, 0xdd, 0x30, 0x81, 0xda, 0xa0, 0x81, 0xd7, + 0xa0, 0x81, 0xd4, 0x86, 0x36, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x6f, 0x72, 0x70, + 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x53, 0x49, 0x54, 0x25, 0x32, 0x30, 0x54, + 0x65, 0x73, 0x74, 0x25, 0x32, 0x30, 0x43, 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x25, 0x32, + 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x86, 0x4d, 0x68, 0x74, 0x74, + 0x70, 0x3a, 0x2f, 0x2f, 0x6d, 0x73, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, + 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x6d, 0x73, 0x63, 0x6f, + 0x72, 0x70, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x53, 0x49, 0x54, 0x25, 0x32, 0x30, 0x54, 0x65, + 0x73, 0x74, 0x25, 0x32, 0x30, 0x43, 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x25, 0x32, 0x30, + 0x43, 0x41, 0x25, 0x32, 0x30, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, + 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x70, 0x2f, + 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x53, 0x49, 0x54, 0x25, 0x32, 0x30, 0x54, 0x65, 0x73, 0x74, 0x25, + 0x32, 0x30, 0x43, 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, + 0x32, 0x30, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x81, 0xa9, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, + 0x05, 0x07, 0x01, 0x01, 0x04, 0x81, 0x9c, 0x30, 0x81, 0x99, 0x30, 0x42, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x36, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, + 0x6f, 0x72, 0x70, 0x70, 0x6b, 0x69, 0x2f, 0x61, 0x69, 0x61, 0x2f, 0x4d, 0x53, 0x49, 0x54, 0x25, + 0x32, 0x30, 0x54, 0x65, 0x73, 0x74, 0x25, 0x32, 0x30, 0x43, 0x6f, 0x64, 0x65, 0x53, 0x69, 0x67, + 0x6e, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x53, + 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x47, 0x68, 0x74, 0x74, 0x70, + 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x70, 0x2f, + 0x4d, 0x53, 0x49, 0x54, 0x25, 0x32, 0x30, 0x54, 0x65, 0x73, 0x74, 0x25, 0x32, 0x30, 0x43, 0x6f, + 0x64, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x33, 0x2e, + 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x97, 0x6d, 0x52, 0x46, 0x65, 0x08, 0x60, 0x01, 0x12, + 0x7a, 0x26, 0xaa, 0xd9, 0xc3, 0x15, 0xec, 0xc6, 0xae, 0x0b, 0x75, 0xe4, 0xd5, 0xe0, 0x31, 0xf6, + 0xda, 0xc0, 0xb1, 0x1b, 0x7b, 0x8a, 0x07, 0xda, 0x2f, 0x82, 0x4a, 0x21, 0x89, 0xe6, 0x61, 0x97, + 0xe4, 0x3a, 0x38, 0xd8, 0x0a, 0x26, 0x4e, 0x83, 0x54, 0xbf, 0x32, 0xe3, 0x64, 0x36, 0x61, 0x40, + 0x75, 0x55, 0xf1, 0xaa, 0x34, 0xb2, 0xd3, 0x45, 0x8d, 0x79, 0x9a, 0x93, 0x0b, 0x9f, 0x5a, 0xb3, + 0x5b, 0xcf, 0x0d, 0x28, 0x00, 0x46, 0x68, 0xe7, 0x36, 0xc9, 0xe6, 0xd2, 0x03, 0x2d, 0x1c, 0x2b, + 0x24, 0x79, 0x32, 0xfb, 0xd8, 0x43, 0xb4, 0x0e, 0xd0, 0x37, 0x3b, 0x5e, 0x15, 0xbf, 0x8a, 0x00, + 0x56, 0x00, 0x95, 0x00, 0xd4, 0x71, 0x09, 0xe1, 0x84, 0xfa, 0x6e, 0xc5, 0x75, 0x2f, 0xe1, 0x83, + 0x7b, 0x66, 0xe2, 0x22, 0x75, 0x23, 0x6a, 0xf3, 0x83, 0xfc, 0x94, 0xf8, 0x51, 0x6d, 0x40, 0x6d, + 0x20, 0x7e, 0xb0, 0xe9, 0xac, 0xa8, 0x28, 0x04, 0xa0, 0x1a, 0x3c, 0x88, 0x7e, 0x7e, 0x3b, 0x96, + 0xe9, 0xd0, 0x4b, 0xfa, 0xfa, 0x34, 0x4a, 0x4f, 0xe7, 0xe8, 0x76, 0x16, 0x20, 0xc0, 0x10, 0xca, + 0x1f, 0x7a, 0xde, 0x54, 0xfd, 0xb7, 0xf0, 0xea, 0x8f, 0xe2, 0xcb, 0xa5, 0x1c, 0x58, 0x18, 0x57, + 0x6c, 0x7d, 0x06, 0xde, 0x8c, 0xbd, 0x45, 0xd7, 0x28, 0x86, 0x13, 0x42, 0xaa, 0x4a, 0x9a, 0x50, + 0xc5, 0x76, 0x7f, 0x63, 0x99, 0xd0, 0x90, 0x92, 0xd6, 0xc9, 0x21, 0xf2, 0xb8, 0x66, 0x9c, 0x96, + 0x53, 0xd2, 0xe5, 0xc4, 0xdd, 0x3a, 0x7c, 0x06, 0xae, 0xb1, 0x7a, 0xb4, 0x36, 0x04, 0x9d, 0xe6, + 0x2a, 0xe4, 0x6a, 0x56, 0xd0, 0x9a, 0x98, 0xa2, 0xbf, 0x6f, 0x43, 0xf2, 0xb0, 0x5b, 0xfd, 0xd9, + 0xfa, 0x08, 0x17, 0xc8, 0x3c, 0x61, 0xf1, 0x31, 0x82, 0x02, 0x3a, 0x30, 0x82, 0x02, 0x36, 0x02, + 0x01, 0x01, 0x30, 0x81, 0x90, 0x30, 0x81, 0x81, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, + 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6f, 0x6d, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6d, + 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x09, 0x92, + 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x04, 0x63, 0x6f, 0x72, 0x70, 0x31, 0x17, + 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, + 0x72, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x17, 0x4d, 0x53, 0x49, 0x54, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6f, 0x64, 0x65, + 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x41, 0x20, 0x33, 0x02, 0x0a, 0x4e, 0x30, 0xa5, 0xbb, 0x00, + 0x00, 0x00, 0x12, 0x7b, 0xf2, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, + 0x02, 0x01, 0x05, 0x00, 0xa0, 0x7c, 0x30, 0x10, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, + 0x37, 0x02, 0x01, 0x0c, 0x31, 0x02, 0x30, 0x00, 0x30, 0x19, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x02, 0x01, 0x04, 0x30, 0x1c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, + 0x0b, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, + 0x15, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x22, + 0x04, 0x20, 0x25, 0x60, 0x6e, 0xc8, 0x66, 0x72, 0x73, 0xb0, 0x71, 0x7b, 0x82, 0x09, 0x8c, 0x27, + 0xe8, 0xb1, 0x4a, 0x36, 0x1c, 0x81, 0x36, 0xb4, 0x1b, 0x44, 0xdf, 0x09, 0x82, 0x8b, 0xf9, 0xb6, + 0x1c, 0x65, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x01, 0xb7, 0x8e, 0x46, 0x9b, 0xb4, 0x18, 0xcd, 0xf6, 0x39, 0x8f, + 0x82, 0x79, 0xbc, 0x96, 0x55, 0x7e, 0xd7, 0x84, 0x8f, 0x18, 0x37, 0x48, 0x4e, 0x8f, 0x25, 0x6f, + 0x1a, 0x6c, 0x60, 0xe9, 0xc1, 0x5f, 0x65, 0xec, 0xb0, 0x4b, 0x35, 0x98, 0x8a, 0x31, 0x6b, 0xfd, + 0xa9, 0xd2, 0x28, 0xa7, 0x00, 0xd0, 0x5c, 0x97, 0x2e, 0x3d, 0x19, 0x96, 0x75, 0xc2, 0x9a, 0xa7, + 0x4e, 0x2d, 0x3c, 0x6a, 0xd7, 0xd1, 0x81, 0x96, 0x2e, 0x06, 0x54, 0x82, 0xe9, 0x87, 0xa2, 0x53, + 0x63, 0x6a, 0xda, 0x72, 0xa3, 0x41, 0x4f, 0x14, 0xc5, 0x3d, 0x41, 0x7d, 0xbb, 0xd7, 0x29, 0x11, + 0x96, 0x14, 0x60, 0x5f, 0xb9, 0xd3, 0x47, 0xb6, 0x23, 0x97, 0x64, 0xf6, 0xe1, 0xac, 0x6c, 0x4d, + 0xa9, 0x58, 0xc2, 0x35, 0xbf, 0x02, 0xee, 0x29, 0xd4, 0x52, 0x80, 0x25, 0xa1, 0x7e, 0xbe, 0x21, + 0xcd, 0x04, 0x3c, 0x4d, 0x7d, 0xdb, 0x9b, 0x13, 0x71, 0x35, 0x13, 0x8d, 0x16, 0x0a, 0x40, 0x7b, + 0x63, 0x45, 0x00, 0x11, 0xc5, 0x3e, 0xc8, 0x21, 0x37, 0xc9, 0xbc, 0xd2, 0x0f, 0x82, 0x21, 0xf9, + 0x2f, 0xde, 0xb3, 0x1c, 0x9b, 0x67, 0xb6, 0x5a, 0xb8, 0x74, 0xa0, 0x30, 0xd8, 0x86, 0x1f, 0xd9, + 0x08, 0x45, 0xf9, 0x6b, 0xe8, 0x57, 0xda, 0xb7, 0x14, 0xf7, 0x63, 0x97, 0xfd, 0x87, 0x61, 0x1e, + 0x95, 0x6f, 0xba, 0x53, 0x40, 0x5e, 0x9f, 0x49, 0xf6, 0xe7, 0x3c, 0x59, 0xd9, 0x78, 0x08, 0x4c, + 0xa6, 0x4a, 0xa2, 0x05, 0x42, 0xa7, 0x77, 0xbc, 0x44, 0x7b, 0xed, 0xdb, 0x77, 0x63, 0x4c, 0x63, + 0x22, 0xb6, 0x17, 0x3f, 0x4f, 0x33, 0xed, 0xa6, 0xd9, 0x0f, 0x74, 0xfa, 0x97, 0x8d, 0x98, 0x55, + 0x42, 0x14, 0x76, 0xd4, 0x89, 0x07, 0xf2, 0x30, 0x5a, 0x27, 0x96, 0x1b, 0x92, 0x70, 0x5a, 0x83, + 0x89, 0x0f, 0xdb, 0x47, 0x7a, 0x00, 0x00, 0x00, 0x0a + }; + +// +// Sample root certificate for code signing. +// A trusted certificate with self-signing, will be used to construct the certificate chains for +// authority checking. +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 TestRootCert1[] = { + 0x30, 0x82, 0x05, 0x99, 0x30, 0x82, 0x03, 0x81, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x79, + 0xAD, 0x16, 0xA1, 0x4A, 0xA0, 0xA5, 0xAD, 0x4C, 0x73, 0x58, 0xF4, 0x07, 0x13, 0x2E, 0x65, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x5F, + 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, + 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, + 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, + 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63, 0x72, 0x6F, + 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, + 0x1E, 0x17, 0x0D, 0x30, 0x31, 0x30, 0x35, 0x30, 0x39, 0x32, 0x33, 0x31, 0x39, 0x32, 0x32, 0x5A, + 0x17, 0x0D, 0x32, 0x31, 0x30, 0x35, 0x30, 0x39, 0x32, 0x33, 0x32, 0x38, 0x31, 0x33, 0x5A, 0x30, + 0x5F, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, + 0x19, 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, + 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16, 0x09, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, + 0x74, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63, 0x72, + 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, + 0x30, 0x82, 0x02, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0F, 0x00, 0x30, 0x82, 0x02, 0x0A, 0x02, 0x82, 0x02, 0x01, + 0x00, 0xF3, 0x5D, 0xFA, 0x80, 0x67, 0xD4, 0x5A, 0xA7, 0xA9, 0x0C, 0x2C, 0x90, 0x20, 0xD0, 0x35, + 0x08, 0x3C, 0x75, 0x84, 0xCD, 0xB7, 0x07, 0x89, 0x9C, 0x89, 0xDA, 0xDE, 0xCE, 0xC3, 0x60, 0xFA, + 0x91, 0x68, 0x5A, 0x9E, 0x94, 0x71, 0x29, 0x18, 0x76, 0x7C, 0xC2, 0xE0, 0xC8, 0x25, 0x76, 0x94, + 0x0E, 0x58, 0xFA, 0x04, 0x34, 0x36, 0xE6, 0xDF, 0xAF, 0xF7, 0x80, 0xBA, 0xE9, 0x58, 0x0B, 0x2B, + 0x93, 0xE5, 0x9D, 0x05, 0xE3, 0x77, 0x22, 0x91, 0xF7, 0x34, 0x64, 0x3C, 0x22, 0x91, 0x1D, 0x5E, + 0xE1, 0x09, 0x90, 0xBC, 0x14, 0xFE, 0xFC, 0x75, 0x58, 0x19, 0xE1, 0x79, 0xB7, 0x07, 0x92, 0xA3, + 0xAE, 0x88, 0x59, 0x08, 0xD8, 0x9F, 0x07, 0xCA, 0x03, 0x58, 0xFC, 0x68, 0x29, 0x6D, 0x32, 0xD7, + 0xD2, 0xA8, 0xCB, 0x4B, 0xFC, 0xE1, 0x0B, 0x48, 0x32, 0x4F, 0xE6, 0xEB, 0xB8, 0xAD, 0x4F, 0xE4, + 0x5C, 0x6F, 0x13, 0x94, 0x99, 0xDB, 0x95, 0xD5, 0x75, 0xDB, 0xA8, 0x1A, 0xB7, 0x94, 0x91, 0xB4, + 0x77, 0x5B, 0xF5, 0x48, 0x0C, 0x8F, 0x6A, 0x79, 0x7D, 0x14, 0x70, 0x04, 0x7D, 0x6D, 0xAF, 0x90, + 0xF5, 0xDA, 0x70, 0xD8, 0x47, 0xB7, 0xBF, 0x9B, 0x2F, 0x6C, 0xE7, 0x05, 0xB7, 0xE1, 0x11, 0x60, + 0xAC, 0x79, 0x91, 0x14, 0x7C, 0xC5, 0xD6, 0xA6, 0xE4, 0xE1, 0x7E, 0xD5, 0xC3, 0x7E, 0xE5, 0x92, + 0xD2, 0x3C, 0x00, 0xB5, 0x36, 0x82, 0xDE, 0x79, 0xE1, 0x6D, 0xF3, 0xB5, 0x6E, 0xF8, 0x9F, 0x33, + 0xC9, 0xCB, 0x52, 0x7D, 0x73, 0x98, 0x36, 0xDB, 0x8B, 0xA1, 0x6B, 0xA2, 0x95, 0x97, 0x9B, 0xA3, + 0xDE, 0xC2, 0x4D, 0x26, 0xFF, 0x06, 0x96, 0x67, 0x25, 0x06, 0xC8, 0xE7, 0xAC, 0xE4, 0xEE, 0x12, + 0x33, 0x95, 0x31, 0x99, 0xC8, 0x35, 0x08, 0x4E, 0x34, 0xCA, 0x79, 0x53, 0xD5, 0xB5, 0xBE, 0x63, + 0x32, 0x59, 0x40, 0x36, 0xC0, 0xA5, 0x4E, 0x04, 0x4D, 0x3D, 0xDB, 0x5B, 0x07, 0x33, 0xE4, 0x58, + 0xBF, 0xEF, 0x3F, 0x53, 0x64, 0xD8, 0x42, 0x59, 0x35, 0x57, 0xFD, 0x0F, 0x45, 0x7C, 0x24, 0x04, + 0x4D, 0x9E, 0xD6, 0x38, 0x74, 0x11, 0x97, 0x22, 0x90, 0xCE, 0x68, 0x44, 0x74, 0x92, 0x6F, 0xD5, + 0x4B, 0x6F, 0xB0, 0x86, 0xE3, 0xC7, 0x36, 0x42, 0xA0, 0xD0, 0xFC, 0xC1, 0xC0, 0x5A, 0xF9, 0xA3, + 0x61, 0xB9, 0x30, 0x47, 0x71, 0x96, 0x0A, 0x16, 0xB0, 0x91, 0xC0, 0x42, 0x95, 0xEF, 0x10, 0x7F, + 0x28, 0x6A, 0xE3, 0x2A, 0x1F, 0xB1, 0xE4, 0xCD, 0x03, 0x3F, 0x77, 0x71, 0x04, 0xC7, 0x20, 0xFC, + 0x49, 0x0F, 0x1D, 0x45, 0x88, 0xA4, 0xD7, 0xCB, 0x7E, 0x88, 0xAD, 0x8E, 0x2D, 0xEC, 0x45, 0xDB, + 0xC4, 0x51, 0x04, 0xC9, 0x2A, 0xFC, 0xEC, 0x86, 0x9E, 0x9A, 0x11, 0x97, 0x5B, 0xDE, 0xCE, 0x53, + 0x88, 0xE6, 0xE2, 0xB7, 0xFD, 0xAC, 0x95, 0xC2, 0x28, 0x40, 0xDB, 0xEF, 0x04, 0x90, 0xDF, 0x81, + 0x33, 0x39, 0xD9, 0xB2, 0x45, 0xA5, 0x23, 0x87, 0x06, 0xA5, 0x55, 0x89, 0x31, 0xBB, 0x06, 0x2D, + 0x60, 0x0E, 0x41, 0x18, 0x7D, 0x1F, 0x2E, 0xB5, 0x97, 0xCB, 0x11, 0xEB, 0x15, 0xD5, 0x24, 0xA5, + 0x94, 0xEF, 0x15, 0x14, 0x89, 0xFD, 0x4B, 0x73, 0xFA, 0x32, 0x5B, 0xFC, 0xD1, 0x33, 0x00, 0xF9, + 0x59, 0x62, 0x70, 0x07, 0x32, 0xEA, 0x2E, 0xAB, 0x40, 0x2D, 0x7B, 0xCA, 0xDD, 0x21, 0x67, 0x1B, + 0x30, 0x99, 0x8F, 0x16, 0xAA, 0x23, 0xA8, 0x41, 0xD1, 0xB0, 0x6E, 0x11, 0x9B, 0x36, 0xC4, 0xDE, + 0x40, 0x74, 0x9C, 0xE1, 0x58, 0x65, 0xC1, 0x60, 0x1E, 0x7A, 0x5B, 0x38, 0xC8, 0x8F, 0xBB, 0x04, + 0x26, 0x7C, 0xD4, 0x16, 0x40, 0xE5, 0xB6, 0x6B, 0x6C, 0xAA, 0x86, 0xFD, 0x00, 0xBF, 0xCE, 0xC1, + 0x35, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x51, 0x30, 0x4F, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x1D, + 0x0F, 0x04, 0x04, 0x03, 0x02, 0x01, 0xC6, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, + 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, + 0x16, 0x04, 0x14, 0x0E, 0xAC, 0x82, 0x60, 0x40, 0x56, 0x27, 0x97, 0xE5, 0x25, 0x13, 0xFC, 0x2A, + 0xE1, 0x0A, 0x53, 0x95, 0x59, 0xE4, 0xA4, 0x30, 0x10, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, + 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, + 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0xC5, 0x11, 0x4D, + 0x03, 0x3A, 0x60, 0xDD, 0x5D, 0x52, 0x11, 0x77, 0x8F, 0xB2, 0xBB, 0x36, 0xC8, 0xB2, 0x05, 0xBF, + 0xB4, 0xB7, 0xA8, 0xD8, 0x20, 0x9D, 0x5C, 0x13, 0x03, 0xB6, 0x1C, 0x22, 0xFA, 0x06, 0x13, 0x35, + 0xB6, 0xC8, 0x63, 0xD4, 0x9A, 0x47, 0x6F, 0x26, 0x57, 0xD2, 0x55, 0xF1, 0x04, 0xB1, 0x26, 0x5F, + 0xD6, 0xA9, 0x50, 0x68, 0xA0, 0xBC, 0xD2, 0xB8, 0x6E, 0xCC, 0xC3, 0xE9, 0xAC, 0xDF, 0x19, 0xCD, + 0x78, 0xAC, 0x59, 0x74, 0xAC, 0x66, 0x34, 0x36, 0xC4, 0x1B, 0x3E, 0x6C, 0x38, 0x4C, 0x33, 0x0E, + 0x30, 0x12, 0x0D, 0xA3, 0x26, 0xFE, 0x51, 0x53, 0x00, 0xFF, 0xAF, 0x5A, 0x4E, 0x84, 0x0D, 0x0F, + 0x1F, 0xE4, 0x6D, 0x05, 0x2E, 0x4E, 0x85, 0x4B, 0x8D, 0x6C, 0x33, 0x6F, 0x54, 0xD2, 0x64, 0xAB, + 0xBF, 0x50, 0xAF, 0x7D, 0x7A, 0x39, 0xA0, 0x37, 0xED, 0x63, 0x03, 0x0F, 0xFC, 0x13, 0x06, 0xCE, + 0x16, 0x36, 0xD4, 0x54, 0x3B, 0x95, 0x1B, 0x51, 0x62, 0x3A, 0xE5, 0x4D, 0x17, 0xD4, 0x05, 0x39, + 0x92, 0x9A, 0x27, 0xA8, 0x5B, 0xAA, 0xBD, 0xEC, 0xBB, 0xBE, 0xE3, 0x20, 0x89, 0x60, 0x71, 0x6C, + 0x56, 0xB3, 0xA5, 0x13, 0xD0, 0x6D, 0x0E, 0x23, 0x7E, 0x95, 0x03, 0xED, 0x68, 0x3D, 0xF2, 0xD8, + 0x63, 0xB8, 0x6B, 0x4D, 0xB6, 0xE8, 0x30, 0xB5, 0xE1, 0xCA, 0x94, 0x4B, 0xF7, 0xA2, 0xAA, 0x5D, + 0x99, 0x30, 0xB2, 0x3D, 0xA7, 0xC2, 0x51, 0x6C, 0x28, 0x20, 0x01, 0x24, 0x27, 0x2B, 0x4B, 0x00, + 0xB7, 0x9D, 0x11, 0x6B, 0x70, 0xBE, 0xB2, 0x10, 0x82, 0xBC, 0x0C, 0x9B, 0x68, 0xD0, 0x8D, 0x3B, + 0x24, 0x87, 0xAA, 0x99, 0x28, 0x72, 0x9D, 0x33, 0x5F, 0x59, 0x90, 0xBD, 0xF5, 0xDE, 0x93, 0x9E, + 0x3A, 0x62, 0x5A, 0x34, 0x39, 0xE2, 0x88, 0x55, 0x1D, 0xB9, 0x06, 0xB0, 0xC1, 0x89, 0x6B, 0x2D, + 0xD7, 0x69, 0xC3, 0x19, 0x12, 0x36, 0x84, 0xD0, 0xC9, 0xA0, 0xDA, 0xFF, 0x2F, 0x69, 0x78, 0xB2, + 0xE5, 0x7A, 0xDA, 0xEB, 0xD7, 0x0C, 0xC0, 0xF7, 0xBD, 0x63, 0x17, 0xB8, 0x39, 0x13, 0x38, 0xA2, + 0x36, 0x5B, 0x7B, 0xF2, 0x85, 0x56, 0x6A, 0x1D, 0x64, 0x62, 0xC1, 0x38, 0xE2, 0xAA, 0xBF, 0x51, + 0x66, 0xA2, 0x94, 0xF5, 0x12, 0x9C, 0x66, 0x22, 0x10, 0x6B, 0xF2, 0xB7, 0x30, 0x92, 0x2D, 0xF2, + 0x29, 0xF0, 0x3D, 0x3B, 0x14, 0x43, 0x68, 0xA2, 0xF1, 0x9C, 0x29, 0x37, 0xCB, 0xCE, 0x38, 0x20, + 0x25, 0x6D, 0x7C, 0x67, 0xF3, 0x7E, 0x24, 0x12, 0x24, 0x03, 0x08, 0x81, 0x47, 0xEC, 0xA5, 0x9E, + 0x97, 0xF5, 0x18, 0xD7, 0xCF, 0xBB, 0xD5, 0xEF, 0x76, 0x96, 0xEF, 0xFD, 0xCE, 0xDB, 0x56, 0x9D, + 0x95, 0xA0, 0x42, 0xF9, 0x97, 0x58, 0xE1, 0xD7, 0x31, 0x22, 0xD3, 0x5F, 0x59, 0xE6, 0x3E, 0x6E, + 0x22, 0x00, 0xEA, 0x43, 0x84, 0xB6, 0x25, 0xDB, 0xD9, 0xF3, 0x08, 0x56, 0x68, 0xC0, 0x64, 0x6B, + 0x1D, 0x7C, 0xEC, 0xB6, 0x93, 0xA2, 0x62, 0x57, 0x6E, 0x2E, 0xD8, 0xE7, 0x58, 0x8F, 0xC4, 0x31, + 0x49, 0x26, 0xDD, 0xDE, 0x29, 0x35, 0x87, 0xF5, 0x30, 0x71, 0x70, 0x5B, 0x14, 0x3C, 0x69, 0xBD, + 0x89, 0x12, 0x7D, 0xEB, 0x2E, 0xA3, 0xFE, 0xD8, 0x7F, 0x9E, 0x82, 0x5A, 0x52, 0x0A, 0x2B, 0xC1, + 0x43, 0x2B, 0xD9, 0x30, 0x88, 0x9F, 0xC8, 0x10, 0xFB, 0x89, 0x8D, 0xE6, 0xA1, 0x85, 0x75, 0x33, + 0x7E, 0x6C, 0x9E, 0xDB, 0x73, 0x13, 0x64, 0x62, 0x69, 0xA5, 0x2F, 0x7D, 0xCA, 0x96, 0x6D, 0x9F, + 0xF8, 0x04, 0x4D, 0x30, 0x92, 0x3D, 0x6E, 0x21, 0x14, 0x21, 0xC9, 0x3D, 0xE0, 0xC3, 0xFD, 0x8A, + 0x6B, 0x9D, 0x4A, 0xFD, 0xD1, 0xA1, 0x9D, 0x99, 0x43, 0x77, 0x3F, 0xB0, 0xDA +}; + +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 TestRootCert2[] = { + 0x30, 0x82, 0x05, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x74, + 0x45, 0xc8, 0x78, 0x4e, 0x0c, 0xc9, 0x96, 0x4a, 0xb4, 0x2f, 0xbc, 0xda, 0x29, 0xe1, 0xbc, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, + 0x90, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, + 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, + 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, + 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3a, 0x30, 0x38, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x31, + 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e, + 0x67, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, + 0x30, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, 0x30, 0x36, 0x31, 0x37, 0x32, 0x30, 0x35, 0x38, 0x30, + 0x32, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x36, 0x31, 0x37, 0x32, 0x31, 0x30, 0x34, 0x31, 0x31, + 0x5a, 0x30, 0x81, 0x90, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, + 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, + 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3a, 0x30, 0x38, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x13, 0x31, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x54, 0x65, 0x73, + 0x74, 0x69, 0x6e, 0x67, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x32, 0x30, 0x31, 0x30, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, + 0x02, 0x82, 0x02, 0x01, 0x00, 0x95, 0xe3, 0xa8, 0xc1, 0xb9, 0x9c, 0x26, 0x54, 0xb0, 0x99, 0xef, + 0x26, 0x1f, 0xac, 0x1e, 0xc7, 0x30, 0x80, 0xbb, 0xf5, 0x3f, 0xf2, 0xe4, 0xbb, 0xf8, 0xfe, 0x06, + 0x6a, 0x0a, 0xa6, 0x88, 0xbc, 0xb4, 0x8c, 0x45, 0xe0, 0x70, 0x55, 0x19, 0x88, 0xb4, 0x05, 0xcb, + 0xb5, 0xc1, 0xa1, 0xfa, 0xd4, 0x7c, 0xc2, 0x42, 0x53, 0x07, 0x9c, 0x54, 0x56, 0xa8, 0x97, 0xe0, + 0x94, 0x69, 0xbe, 0x13, 0x24, 0xef, 0xe5, 0x8a, 0x29, 0x9c, 0xa6, 0xd0, 0x2b, 0x2f, 0x8a, 0xa6, + 0xe8, 0x79, 0x44, 0x2e, 0x8b, 0xea, 0xc9, 0xbe, 0xb8, 0x54, 0x86, 0x53, 0xbe, 0x07, 0x24, 0x34, + 0x54, 0x15, 0x22, 0x20, 0x01, 0x7b, 0x8a, 0x46, 0xfb, 0xd2, 0x91, 0x07, 0x95, 0x09, 0xb0, 0x56, + 0x11, 0xcc, 0x76, 0xb2, 0xd0, 0x1f, 0x44, 0x79, 0x52, 0x34, 0x28, 0xec, 0x4f, 0x49, 0xc2, 0xcb, + 0x61, 0xd3, 0x86, 0xdc, 0xe4, 0xa3, 0x7e, 0x55, 0x9e, 0x9f, 0xee, 0x10, 0x6f, 0xcf, 0xe1, 0x3d, + 0xf8, 0xb7, 0x84, 0x79, 0xa2, 0x3b, 0x8d, 0x1c, 0xb0, 0x81, 0x7c, 0xe4, 0x44, 0x07, 0xe4, 0xce, + 0x46, 0xb0, 0x98, 0x83, 0x8d, 0x87, 0x8f, 0xe5, 0xf5, 0xae, 0x40, 0x7a, 0xf1, 0xed, 0x3d, 0x9b, + 0x9a, 0x7c, 0x4a, 0xd1, 0xb9, 0xc3, 0x94, 0x05, 0x7b, 0xdc, 0xda, 0xb8, 0xce, 0xdc, 0x1e, 0x6c, + 0xcf, 0xd9, 0x9e, 0x37, 0xef, 0xc3, 0x5a, 0x36, 0x7b, 0x90, 0x86, 0x45, 0xdc, 0xf6, 0x2e, 0xca, + 0xdd, 0xee, 0xde, 0x27, 0xd9, 0x74, 0x9a, 0x69, 0xf5, 0xd9, 0x5d, 0x09, 0x2d, 0x45, 0x41, 0xcc, + 0xb7, 0xc2, 0x82, 0xd4, 0x2a, 0x8c, 0x16, 0x25, 0x92, 0x97, 0x3d, 0x94, 0x4e, 0x89, 0x33, 0x7e, + 0x5b, 0x03, 0x54, 0xcd, 0xb0, 0x83, 0xa0, 0x8e, 0x41, 0xb7, 0x87, 0x8d, 0xd9, 0x05, 0x63, 0x52, + 0xf6, 0xee, 0xe6, 0x4e, 0x13, 0x9d, 0x54, 0xcd, 0x49, 0xfe, 0xe3, 0x8b, 0x3b, 0x50, 0x9b, 0x48, + 0xbb, 0xb2, 0xe5, 0x92, 0xd4, 0xab, 0xa0, 0xc5, 0x10, 0xaf, 0x3e, 0xb1, 0x45, 0x21, 0x34, 0x90, + 0xdc, 0xad, 0xb9, 0xf7, 0xfe, 0x21, 0xae, 0xee, 0x50, 0x58, 0x7a, 0x3a, 0xe5, 0xaa, 0xd8, 0xe3, + 0x82, 0xd6, 0xcf, 0x6d, 0x4d, 0xc9, 0x15, 0xac, 0x9c, 0x31, 0x17, 0xa5, 0x16, 0xa7, 0x42, 0xf6, + 0xda, 0x12, 0x78, 0xa7, 0x66, 0x90, 0xec, 0xfc, 0xcd, 0x01, 0x63, 0xff, 0xf0, 0x0e, 0xba, 0xe1, + 0xcd, 0xf0, 0xdb, 0x6b, 0x9a, 0x0f, 0xf6, 0x0f, 0x04, 0x01, 0x09, 0xbc, 0x9f, 0xce, 0xb7, 0x6c, + 0x51, 0x70, 0x57, 0x08, 0x1b, 0xff, 0x79, 0x9a, 0x52, 0x5d, 0xba, 0xac, 0x14, 0xe5, 0x3b, 0x67, + 0xcf, 0x2c, 0x52, 0xde, 0x27, 0x9a, 0x34, 0x03, 0x6e, 0x25, 0x48, 0xb0, 0x19, 0x74, 0xfc, 0x4d, + 0x98, 0xc2, 0x4b, 0x8c, 0x92, 0xe1, 0x88, 0xae, 0x48, 0x2a, 0xab, 0xab, 0xcd, 0x14, 0x4d, 0xb6, + 0x61, 0x0e, 0xa1, 0x09, 0x8f, 0x2c, 0xdb, 0x45, 0xaf, 0x7d, 0x3b, 0x81, 0x56, 0x08, 0xc9, 0x3b, + 0x41, 0xb7, 0x64, 0x9f, 0x5d, 0x2e, 0x12, 0x7f, 0xb9, 0x69, 0x29, 0x1f, 0x52, 0x45, 0x4a, 0x23, + 0xc6, 0xaf, 0xb6, 0xb2, 0x38, 0x72, 0x9d, 0x08, 0x33, 0xff, 0xd0, 0xcf, 0x89, 0xb6, 0xea, 0x6e, + 0x85, 0x44, 0x94, 0x3e, 0x91, 0x59, 0xeb, 0xef, 0x9e, 0xbd, 0x9b, 0x9c, 0x1a, 0x47, 0x03, 0x4e, + 0xa2, 0x17, 0x96, 0xfa, 0x62, 0x0b, 0xe8, 0x53, 0xb6, 0x4e, 0xe3, 0xe8, 0x2a, 0x73, 0x59, 0xe2, + 0x13, 0xb8, 0xf8, 0x5a, 0x7e, 0xc6, 0xe2, 0x0a, 0xdd, 0x4a, 0x43, 0xcc, 0xc3, 0x77, 0x3b, 0x7a, + 0x31, 0x04, 0x0a, 0xc1, 0x84, 0x96, 0x3a, 0x63, 0x6e, 0x1a, 0x3e, 0x0a, 0x0c, 0x25, 0xb8, 0x7e, + 0xb5, 0x52, 0x0c, 0xb9, 0xab, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x51, 0x30, 0x4f, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, + 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa3, 0x01, 0x04, 0x7e, 0x30, 0x88, 0x33, 0xeb, 0xb9, + 0x31, 0x9c, 0xca, 0xeb, 0x85, 0x76, 0x67, 0xfc, 0x65, 0xb4, 0xd1, 0x30, 0x10, 0x06, 0x09, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, + 0x00, 0x49, 0x8b, 0xc1, 0xfc, 0x4f, 0xe8, 0xe4, 0x2d, 0x67, 0x92, 0x9a, 0x76, 0x05, 0xba, 0xd1, + 0xbc, 0x98, 0xe4, 0x2b, 0xba, 0x1f, 0x66, 0x5f, 0x66, 0x23, 0xcf, 0x1c, 0x27, 0xeb, 0xb4, 0xaa, + 0xdd, 0xa0, 0x17, 0x20, 0x55, 0x72, 0x33, 0xb1, 0x76, 0xde, 0xc9, 0x6d, 0x0d, 0x3c, 0x2d, 0x0a, + 0x08, 0x24, 0x2d, 0xec, 0x38, 0x96, 0x7a, 0x83, 0xf1, 0x27, 0x50, 0x3c, 0x86, 0x09, 0xdd, 0x0d, + 0x41, 0xce, 0xaa, 0x5e, 0xf3, 0x8f, 0x7a, 0x3e, 0x3e, 0xf1, 0xf0, 0xba, 0x8b, 0x72, 0xdd, 0x36, + 0xa1, 0x69, 0x05, 0x5b, 0x7c, 0xec, 0xe7, 0x70, 0x63, 0x8d, 0x1d, 0x6e, 0xc0, 0xfd, 0x3a, 0x03, + 0xf1, 0x10, 0x3e, 0x90, 0xd7, 0x7b, 0x7a, 0xdc, 0xea, 0x60, 0xec, 0x2f, 0x53, 0xfd, 0x19, 0x1d, + 0x3a, 0xa1, 0x74, 0x08, 0xc2, 0x7b, 0x3c, 0xe0, 0x50, 0xac, 0x21, 0xd7, 0xb6, 0xdd, 0xdd, 0x3c, + 0x44, 0x1b, 0xf7, 0xf3, 0x44, 0x3e, 0x6c, 0x96, 0xe0, 0xc0, 0x9f, 0xe6, 0xef, 0xdd, 0xdd, 0xb1, + 0xa6, 0x68, 0x61, 0x6c, 0x5e, 0x9e, 0xf9, 0xff, 0x9a, 0x06, 0xa4, 0x6a, 0xcd, 0x9e, 0x75, 0x43, + 0x89, 0x9b, 0xcb, 0x85, 0xf6, 0xdc, 0x0c, 0x46, 0x4a, 0x8c, 0x9b, 0xac, 0x11, 0xa6, 0x63, 0x45, + 0xfb, 0xfc, 0xde, 0x20, 0xee, 0xce, 0x67, 0x9f, 0x3d, 0xd0, 0x93, 0xdb, 0x39, 0xfb, 0xea, 0x5e, + 0x4b, 0xfc, 0xd6, 0x20, 0xf1, 0x95, 0x36, 0x08, 0x8c, 0xb2, 0xb3, 0xa1, 0x97, 0x1b, 0x41, 0x19, + 0xb0, 0xac, 0xfe, 0xe2, 0xd5, 0xab, 0x7d, 0xd9, 0x26, 0xd4, 0xdc, 0xbd, 0x1f, 0x38, 0xc0, 0xe3, + 0x86, 0xdf, 0x24, 0xe7, 0xf5, 0x3e, 0x09, 0xca, 0x4d, 0xa1, 0xba, 0x16, 0xc3, 0x4a, 0xb1, 0xfc, + 0x72, 0x98, 0xcf, 0x0e, 0x92, 0xfa, 0x57, 0x45, 0xe9, 0x48, 0x4d, 0xc6, 0xa2, 0x7c, 0x3b, 0x72, + 0x63, 0xac, 0x4e, 0xf4, 0x74, 0xe9, 0x2b, 0x57, 0xac, 0xab, 0x32, 0x88, 0x0b, 0xa9, 0x10, 0x67, + 0x53, 0x7e, 0xd2, 0x62, 0xd2, 0xfa, 0x68, 0xe8, 0x9d, 0x5b, 0xae, 0xcd, 0xe0, 0xe5, 0xe2, 0x06, + 0x96, 0x0c, 0x34, 0x32, 0xf6, 0xbc, 0x25, 0xad, 0x98, 0xf3, 0x32, 0x60, 0xbe, 0x14, 0xd3, 0x78, + 0xd1, 0x10, 0x6f, 0xff, 0x32, 0xe3, 0x9e, 0x3d, 0x88, 0xda, 0xb3, 0x32, 0x0a, 0xcf, 0x20, 0x65, + 0x47, 0x78, 0xaa, 0xa5, 0x4b, 0x87, 0x6a, 0x83, 0xdc, 0x1a, 0x5a, 0x2a, 0xdf, 0x70, 0x61, 0xaf, + 0x35, 0x32, 0xe0, 0x59, 0xa1, 0x9f, 0x0b, 0x14, 0x7a, 0xaa, 0xab, 0x42, 0x0b, 0x6b, 0xff, 0xfb, + 0x34, 0xcb, 0x9d, 0x96, 0xd7, 0x26, 0x2a, 0x13, 0x3b, 0xe3, 0xdf, 0x11, 0xe6, 0x86, 0x7d, 0x0d, + 0x09, 0x11, 0x93, 0x4b, 0xa4, 0xf6, 0xd2, 0x07, 0xc2, 0xcd, 0xc8, 0xbe, 0xf5, 0x67, 0xf7, 0xae, + 0x05, 0xce, 0x16, 0xfe, 0x90, 0xc9, 0x4a, 0x98, 0x1b, 0x24, 0x69, 0x78, 0x90, 0xf9, 0x34, 0x8e, + 0x37, 0xe8, 0x6e, 0x1d, 0xdc, 0xcf, 0x4f, 0xe7, 0xd2, 0x64, 0x40, 0x1d, 0xc4, 0x30, 0xba, 0xd5, + 0x08, 0x88, 0x67, 0x4b, 0x0f, 0xb8, 0xe5, 0x59, 0xe9, 0x18, 0xd8, 0x0c, 0x60, 0x68, 0xae, 0x7f, + 0xea, 0x91, 0x55, 0xbe, 0xeb, 0xf1, 0xa7, 0x8e, 0xd8, 0x5d, 0x50, 0x3e, 0xbf, 0xd5, 0x69, 0x57, + 0x95, 0x8f, 0xa7, 0xff, 0xe4, 0x09, 0x3f, 0x08, 0x80, 0x97, 0x32, 0x42, 0xb8, 0x82, 0x43, 0x82, + 0x6f, 0x8b, 0x0b, 0x93, 0xda, 0x19, 0xbf, 0x63, 0x4e, 0x5f, 0x9f, 0xed, 0x2c, 0x22, 0xb6, 0x20, + 0x5f, 0x70, 0x44, 0xfa, 0x89, 0x59, 0x93, 0xb0, 0x7b, 0x12, 0x0f, 0x5e, 0x62, 0x62, 0x51, 0x11, + 0xbd, 0xba, 0x5a, 0xd0, 0xce, 0xa1, 0xb6, 0xef, 0x80, 0x20, 0xe6, 0x73, 0x4b, 0x11, 0x06, 0x56, + 0xe2, 0x0a + }; + +// +// OID ASN.1 Value for Hash Algorithms +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 HashOidValue[] = { + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, // OBJ_md5 + 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJ_sha1 + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, // OBJ_sha224 + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, // OBJ_sha256 + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, // OBJ_sha384 + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, // OBJ_sha512 + }; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyAuthenticodeVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + + // + // Sample Code: Demonstrate how to check the Hash algorithm in PE/COFF Authenticode. + // According to PKCS#7 Definition: + // SignedData ::= SEQUENCE { + // version Version, + // digestAlgorithms DigestAlgorithmIdentifiers, + // contentInfo ContentInfo, + // .... } + // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing + // This field has the fixed offset (+32) in final Authenticode ASN.1 data. + // + if (CompareMem (AuthenticodeWithSha1 + 32, &HashOidValue[8], 5) == 0) { + // + // Verify Authenticode signature. + // The PeHash value should be calculated following MSFT's Authenticode Specification. + // + Status = AuthenticodeVerify ( + AuthenticodeWithSha1, + sizeof (AuthenticodeWithSha1), + TestRootCert1, + sizeof (TestRootCert1), + PeSha1Hash, + SHA1_DIGEST_SIZE + ); + UT_ASSERT_TRUE (Status); + } + + if (CompareMem (AuthenticodeWithSha256 + 32, &HashOidValue[22], 9) == 0) { + Status = AuthenticodeVerify ( + AuthenticodeWithSha256, + sizeof (AuthenticodeWithSha256), + TestRootCert2, + sizeof (TestRootCert2), + PeSha256Hash, + SHA256_DIGEST_SIZE + ); + UT_ASSERT_TRUE (Status); + } + + return UNIT_TEST_PASSED; +} + +TEST_DESC mAuthenticodeTest[] = { + // + // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context + // + {"TestVerifyAuthenticodeVerify()", "CryptoPkg.BaseCryptLib.Authenticode", TestVerifyAuthenticodeVerify, NULL, NULL, NULL}, +}; + +UINTN mAuthenticodeTestNum = ARRAY_SIZE(mAuthenticodeTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c new file mode 100644 index 00000000..ffb46160 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c @@ -0,0 +1,67 @@ +/** @file + This is defines the tests that will run on BaseCryptLib + + Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include "TestBaseCryptLib.h" + +SUITE_DESC mSuiteDesc[] = { + // + // Title--------------------------Package-------------------Sup--Tdn----TestNum------------TestDesc + // + {"EKU verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mPkcs7EkuTestNum, mPkcs7EkuTest}, + {"HASH verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mHashTestNum, mHashTest}, + {"HMAC verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mHmacTestNum, mHmacTest}, + {"BlockCipher verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mBlockCipherTestNum, mBlockCipherTest}, + {"RSA verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mRsaTestNum, mRsaTest}, + {"RSA PSS verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mRsaPssTestNum, mRsaPssTest}, + {"RSACert verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mRsaCertTestNum, mRsaCertTest}, + {"PKCS7 verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mPkcs7TestNum, mPkcs7Test}, + {"PKCS5 verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mPkcs5TestNum, mPkcs5Test}, + {"Authenticode verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mAuthenticodeTestNum, mAuthenticodeTest}, + {"ImageTimestamp verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mImageTimestampTestNum, mImageTimestampTest}, + {"DH verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mDhTestNum, mDhTest}, + {"PRNG verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mPrngTestNum, mPrngTest}, + {"OAEP encrypt verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mOaepTestNum, mOaepTest}, +}; + +EFI_STATUS +EFIAPI +CreateUnitTest ( + IN CHAR8* UnitTestName, + IN CHAR8* UnitTestVersion, + IN OUT UNIT_TEST_FRAMEWORK_HANDLE* Framework +) { + EFI_STATUS Status; + UINTN SuiteIndex; + UINTN TestIndex; + + if ( Framework == NULL || UnitTestVersion == NULL || UnitTestName == NULL) { + return EFI_INVALID_PARAMETER; + } + Status = EFI_SUCCESS; + // + // Start setting up the test framework for running the tests. + // + Status = InitUnitTestFramework (Framework, UnitTestName, gEfiCallerBaseName, UnitTestVersion); + if (EFI_ERROR (Status)) { + DEBUG((DEBUG_ERROR, "Failed in InitUnitTestFramework. Status = %r\n", Status)); + goto EXIT; + } + + for (SuiteIndex = 0; SuiteIndex < ARRAY_SIZE(mSuiteDesc); SuiteIndex++) { + UNIT_TEST_SUITE_HANDLE Suite = NULL; + Status = CreateUnitTestSuite (&Suite, *Framework, mSuiteDesc[SuiteIndex].Title, mSuiteDesc[SuiteIndex].Package, mSuiteDesc[SuiteIndex].Sup, mSuiteDesc[SuiteIndex].Tdn); + if (EFI_ERROR (Status)) { + Status = EFI_OUT_OF_RESOURCES; + goto EXIT; + } + for (TestIndex = 0; TestIndex < *mSuiteDesc[SuiteIndex].TestNum; TestIndex++) { + AddTestCase (Suite, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->Description, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->ClassName, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->Func, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->PreReq, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->CleanUp, (mSuiteDesc[SuiteIndex].TestDesc + TestIndex)->Context); + } + } + EXIT: + return Status; +} diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BlockCipherTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BlockCipherTests.c new file mode 100644 index 00000000..441218da --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BlockCipherTests.c @@ -0,0 +1,293 @@ +/** @file + Application for Block Cipher Primitives Validation. + +Copyright (c) 2010, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// TDES test vectors are extracted from OpenSSL 0.9.8l, crypto\des\destest.c +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesEcbData[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesEcbKey[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesEcbCipher[] = { + 0x8C, 0xA6, 0x4D, 0xE9, 0xC1, 0xB1, 0x23, 0xA7, + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesEcb2Cipher[] = { + 0x92, 0x95, 0xB5, 0x9B, 0xB3, 0x84, 0x73, 0x6E, + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesCbcData[] = { + 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x20, + 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x74, 0x69, 0x6D, 0x65, 0x20 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesCbcKey[] = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + 0xf1, 0xe0, 0xd3, 0xc2, 0xb5, 0xa4, 0x97, 0x86, + 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 TdesCbcIvec[] = { + 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TdesCbc3Cipher[] = { + 0x3F, 0xE3, 0x01, 0xC9, 0x62, 0xAC, 0x01, 0xD0, + 0x22, 0x13, 0x76, 0x3C, 0x1C, 0xBD, 0x4C, 0xDC, + 0x79, 0x96, 0x57, 0xC0, 0x64, 0xEC, 0xF5, 0xD4 + }; + +// +// AES test vectors are from NIST KAT of AES +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128EcbData[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128EcbKey[] = { + 0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128EcbCipher[] = { + 0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes192EcbData[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes192EcbKey[] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes192EcbCipher[] = { + 0xdd, 0x8a, 0x49, 0x35, 0x14, 0x23, 0x1c, 0xbf, 0x56, 0xec, 0xce, 0xe4, 0xc4, 0x08, 0x89, 0xfb + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes256EcbData[] = { + 0x01, 0x47, 0x30, 0xf8, 0x0a, 0xc6, 0x25, 0xfe, 0x84, 0xf0, 0x26, 0xc6, 0x0b, 0xfd, 0x54, 0x7d + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes256EcbKey[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes256EcbCipher[] = { + 0x5c, 0x9d, 0x84, 0x4e, 0xd4, 0x6f, 0x98, 0x85, 0x08, 0x5e, 0x5d, 0x6a, 0x4f, 0x94, 0xc7, 0xd7 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128CbcData[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128CbcKey[] = { + 0xc2, 0x86, 0x69, 0x6d, 0x88, 0x7c, 0x9a, 0xa0, 0x61, 0x1b, 0xbb, 0x3e, 0x20, 0x25, 0xa4, 0x5a + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128CbcIvec[] = { + 0x56, 0x2e, 0x17, 0x99, 0x6d, 0x09, 0x3d, 0x28, 0xdd, 0xb3, 0xba, 0x69, 0x5a, 0x2e, 0x6f, 0x58 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Aes128CbcCipher[] = { + 0xd2, 0x96, 0xcd, 0x94, 0xc2, 0xcc, 0xcf, 0x8a, 0x3a, 0x86, 0x30, 0x28, 0xb5, 0xe1, 0xdc, 0x0a, + 0x75, 0x86, 0x60, 0x2d, 0x25, 0x3c, 0xff, 0xf9, 0x1b, 0x82, 0x66, 0xbe, 0xa6, 0xd6, 0x1a, 0xb1 + }; + +// +// ARC4 Test Vector defined in "Appendix A.1 Test Vectors from [CRYPTLIB]" of +// IETF Draft draft-kaukonen-cipher-arcfour-03 ("A Stream Cipher Encryption Algorithm 'Arcfour'"). +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Arc4Data[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Arc4Key[] = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Arc4Cipher[] = { + 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 + }; + + +typedef +UINTN +(EFIAPI *EFI_BLOCK_CIPHER_GET_CONTEXT_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *EFI_BLOCK_CIPHER_INIT) ( + OUT VOID *BlockCipherContext, + IN CONST UINT8 *Key, + IN UINTN KeyLength + ); + +typedef +BOOLEAN +(EFIAPI *EFI_BLOCK_CIPHER_ECB_ENCRYPT_DECRYPT) ( + IN VOID *BlockCipherContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *EFI_BLOCK_CIPHER_CBC_ENCRYPT_DECRYPT) ( + IN VOID *BlockCipherContext, + IN CONST UINT8 *Input, + IN UINTN InputSize, + IN CONST UINT8 *Ivec, + OUT UINT8 *Output + ); + +typedef +BOOLEAN +(EFIAPI *EFI_BLOCK_CIPHER_RESET) ( + IN OUT VOID *BlockCipherContext + ); + +typedef struct { + EFI_BLOCK_CIPHER_GET_CONTEXT_SIZE GetContextSize; + EFI_BLOCK_CIPHER_INIT Init; + EFI_BLOCK_CIPHER_ECB_ENCRYPT_DECRYPT EcbEncrypt; + EFI_BLOCK_CIPHER_ECB_ENCRYPT_DECRYPT EcbDecrypt; + EFI_BLOCK_CIPHER_CBC_ENCRYPT_DECRYPT CbcEncrypt; + EFI_BLOCK_CIPHER_CBC_ENCRYPT_DECRYPT CbcDecrypt; + EFI_BLOCK_CIPHER_RESET Reset; + CONST UINT8 *Key; + UINTN KeySize; + CONST UINT8 *Ivec; + CONST UINT8 *Data; + UINTN DataSize; + CONST UINT8 *Cipher; + UINTN CipherSize; + VOID *Ctx; +} BLOCK_CIPHER_TEST_CONTEXT; + +// These are commented out as they are deprecated, but are left in should they be used again +//BLOCK_CIPHER_TEST_CONTEXT mTdesEcbTestCtx = {TdesGetContextSize, TdesInit, TdesEcbEncrypt, TdesEcbDecrypt, NULL, NULL, NULL, TdesEcbKey, 64, NULL, TdesEcbData, 8, TdesEcbCipher, 8}; +//BLOCK_CIPHER_TEST_CONTEXT mTdesCbcTestCtx = {TdesGetContextSize, TdesInit, NULL, NULL, TdesCbcEncrypt, TdesCbcDecrypt, NULL, TdesCbcKey, 192, TdesCbcIvec, TdesCbcData, sizeof(TdesCbcData), TdesCbc3Cipher, sizeof(TdesCbc3Cipher)}; +//BLOCK_CIPHER_TEST_CONTEXT mAes128EcbTestCtx = {AesGetContextSize, AesInit, AesEcbEncrypt, AesEcbDecrypt, NULL, NULL, NULL, Aes128EcbKey, 128, NULL, Aes128EcbData, sizeof(Aes128EcbData), Aes128EcbCipher, sizeof(Aes128EcbCipher)}; +//BLOCK_CIPHER_TEST_CONTEXT mAes192EcbTestCtx = {AesGetContextSize, AesInit, AesEcbEncrypt, AesEcbDecrypt, NULL, NULL, NULL, Aes192EcbKey, 192, NULL, Aes192EcbData, sizeof(Aes192EcbData), Aes192EcbCipher, sizeof(Aes192EcbCipher)}; +//BLOCK_CIPHER_TEST_CONTEXT mAes256EcbTestCtx = {AesGetContextSize, AesInit, AesEcbEncrypt, AesEcbDecrypt, NULL, NULL, NULL, Aes256EcbKey, 256, NULL, Aes256EcbData, sizeof(Aes256EcbData), Aes256EcbCipher, sizeof(Aes256EcbCipher)}; +//BLOCK_CIPHER_TEST_CONTEXT mArc4TestCtx = {Arc4GetContextSize, Arc4Init, Arc4Encrypt, (EFI_BLOCK_CIPHER_ECB_ENCRYPT_DECRYPT), Arc4Decrypt, NULL, NULL, Arc4Reset, Arc4Key, sizeof(Arc4Key), NULL, Arc4Data, sizeof(Arc4Data), Arc4Cipher, sizeof(Arc4Cipher)}; +BLOCK_CIPHER_TEST_CONTEXT mAes128CbcTestCtx = {AesGetContextSize, AesInit, NULL, NULL, AesCbcEncrypt, AesCbcDecrypt, NULL, Aes128CbcKey, 128, Aes128CbcIvec, Aes128CbcData, sizeof(Aes128CbcData), Aes128CbcCipher, sizeof(Aes128CbcCipher)}; + + +UNIT_TEST_STATUS +EFIAPI +TestVerifyBLockCiperPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + BLOCK_CIPHER_TEST_CONTEXT *TestContext; + UINTN CtxSize; + + TestContext = Context; + CtxSize = TestContext->GetContextSize (); + TestContext->Ctx = AllocatePool (CtxSize); + if (TestContext->Ctx == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyBLockCiperCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + BLOCK_CIPHER_TEST_CONTEXT *TestContext; + + TestContext = Context; + if (TestContext->Ctx != NULL) { + FreePool (TestContext->Ctx); + } +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyBLockCiper ( + UNIT_TEST_CONTEXT Context + ) +{ + UINT8 Encrypt[256]; + UINT8 Decrypt[256]; + BOOLEAN Status; + BLOCK_CIPHER_TEST_CONTEXT *TestContext; + + TestContext = Context; + + ZeroMem (Encrypt, sizeof (Encrypt)); + ZeroMem (Decrypt, sizeof (Decrypt)); + + Status = TestContext->Init (TestContext->Ctx, TestContext->Key, TestContext->KeySize); + UT_ASSERT_TRUE (Status); + + if (TestContext->Ivec == NULL) { + Status = TestContext->EcbEncrypt (TestContext->Ctx, TestContext->Data, TestContext->DataSize, Encrypt); + UT_ASSERT_TRUE (Status); + + if (TestContext->Reset != NULL) { + Status = TestContext->Reset (TestContext->Ctx); + UT_ASSERT_TRUE (Status); + } + + Status = TestContext->EcbDecrypt (TestContext->Ctx, Encrypt, TestContext->DataSize, Decrypt); + UT_ASSERT_TRUE (Status); + + } else { + Status = TestContext->CbcEncrypt (TestContext->Ctx, TestContext->Data, TestContext->DataSize, TestContext->Ivec, Encrypt); + UT_ASSERT_TRUE (Status); + + if (TestContext->Reset != NULL) { + Status = TestContext->Reset (TestContext->Ctx); + UT_ASSERT_TRUE (Status); + } + + Status = TestContext->CbcDecrypt (TestContext->Ctx, Encrypt, TestContext->DataSize, TestContext->Ivec, Decrypt); + UT_ASSERT_TRUE (Status); + } + + UT_ASSERT_MEM_EQUAL (Encrypt, TestContext->Cipher, TestContext->CipherSize); + UT_ASSERT_MEM_EQUAL (Decrypt, TestContext->Data, TestContext->DataSize); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mBlockCipherTest[] = { + // + // -----Description-------------------------Class-------------------------Function---------------Pre---------------------------Post------------------Context + // + {"TestVerifyAes128Cbc()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mAes128CbcTestCtx}, + // These are commented out as these functions have been deprecated, but they have been left in for future reference + //{"TestVerifyTdesEcb()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mTdesEcbTestCtx}, + //{"TestVerifyTdesCbc()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mTdesCbcTestCtx}, + //{"TestVerifyAes128Ecb()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mAes128EcbTestCtx}, + //{"TestVerifyAes192Ecb()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mAes192EcbTestCtx}, + //{"TestVerifyAes256Ecb()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mAes256EcbTestCtx}, + //{"TestVerifyArc4()", "CryptoPkg.BaseCryptLib.BlockCipher", TestVerifyBLockCiper, TestVerifyBLockCiperPreReq, TestVerifyBLockCiperCleanUp, &mArc4TestCtx}, +}; + +UINTN mBlockCipherTestNum = ARRAY_SIZE(mBlockCipherTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/DhTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/DhTests.c new file mode 100644 index 00000000..7f3ec1a3 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/DhTests.c @@ -0,0 +1,106 @@ +/** @file + Application for Diffie-Hellman Primitives Validation. + +Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +VOID *mDh1; +VOID *mDh2; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyDhPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + mDh1 = DhNew (); + if (mDh1 == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + mDh2 = DhNew (); + if (mDh2 == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyDhCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + if (mDh1 != NULL) { + DhFree (mDh1); + mDh1 = NULL; + } + if (mDh2 != NULL) { + DhFree (mDh2); + mDh2 = NULL; + } +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyDhGenerateKey ( + UNIT_TEST_CONTEXT Context + ) +{ + UINT8 Prime[64]; + UINT8 PublicKey1[64]; + UINTN PublicKey1Length; + UINT8 PublicKey2[64]; + UINTN PublicKey2Length; + UINT8 Key1[64]; + UINTN Key1Length; + UINT8 Key2[64]; + UINTN Key2Length; + BOOLEAN Status; + + // + // Initialize Key Length + // + PublicKey1Length = sizeof (PublicKey1); + PublicKey2Length = sizeof (PublicKey2); + Key1Length = sizeof (Key1); + Key2Length = sizeof (Key2); + + Status = DhGenerateParameter (mDh1, 2, 64, Prime); + UT_ASSERT_TRUE (Status); + + Status = DhSetParameter (mDh2, 2, 64, Prime); + UT_ASSERT_TRUE (Status); + + Status = DhGenerateKey (mDh1, PublicKey1, &PublicKey1Length); + UT_ASSERT_TRUE (Status); + + Status = DhGenerateKey (mDh2, PublicKey2, &PublicKey2Length); + UT_ASSERT_TRUE (Status); + + Status = DhComputeKey (mDh1, PublicKey2, PublicKey2Length, Key1, &Key1Length); + UT_ASSERT_TRUE (Status); + + Status = DhComputeKey (mDh2, PublicKey1, PublicKey1Length, Key2, &Key2Length); + UT_ASSERT_TRUE (Status); + + UT_ASSERT_EQUAL (Key1Length, Key2Length); + + UT_ASSERT_MEM_EQUAL (Key1, Key2, Key1Length); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mDhTest[] = { + // + // -----Description--------------------------------Class---------------------Function----------------Pre-----------------Post------------Context + // + {"TestVerifyDhGenerateKey()", "CryptoPkg.BaseCryptLib.Dh", TestVerifyDhGenerateKey, TestVerifyDhPreReq, TestVerifyDhCleanUp, NULL}, +}; + +UINTN mDhTestNum = ARRAY_SIZE(mDhTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c new file mode 100644 index 00000000..1b71f2bf --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c @@ -0,0 +1,202 @@ +/** @file + Application for Hash Primitives Validation. + +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// Max Known Digest Size is SHA512 Output (64 bytes) by far +// +#define MAX_DIGEST_SIZE 64 + +// +// Message string for digest validation +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *HashData = "abc"; + +// +// Result for MD5("abc"). (From "A.5 Test suite" of IETF RFC1321) +// +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Md5Digest[MD5_DIGEST_SIZE] = { + 0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0, 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72 + }; +#endif + +// +// Result for SHA-1("abc"). (From "A.1 SHA-1 Example" of NIST FIPS 180-2) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha1Digest[SHA1_DIGEST_SIZE] = { + 0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, + 0x9c, 0xd0, 0xd8, 0x9d + }; + +// +// Result for SHA-256("abc"). (From "B.1 SHA-256 Example" of NIST FIPS 180-2) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha256Digest[SHA256_DIGEST_SIZE] = { + 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, + 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad + }; + +// +// Result for SHA-384("abc"). (From "D.1 SHA-384 Example" of NIST FIPS 180-2) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha384Digest[SHA384_DIGEST_SIZE] = { + 0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b, 0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07, + 0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63, 0x1a, 0x8b, 0x60, 0x5a, 0x43, 0xff, 0x5b, 0xed, + 0x80, 0x86, 0x07, 0x2b, 0xa1, 0xe7, 0xcc, 0x23, 0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7 + }; + +// +// Result for SHA-512("abc"). (From "C.1 SHA-512 Example" of NIST FIPS 180-2) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha512Digest[SHA512_DIGEST_SIZE] = { + 0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, 0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31, + 0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2, 0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a, + 0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8, 0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd, + 0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e, 0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f + }; + +typedef +UINTN +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HASH_INIT) ( + OUT VOID *HashContext + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HASH_UPDATE) ( + IN OUT VOID *HashContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HASH_FINAL) ( + IN OUT VOID *HashContext, + OUT UINT8 *HashValue + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HASH_ALL) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +typedef struct { + UINT32 DigestSize; + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; + EFI_HASH_INIT HashInit; + EFI_HASH_UPDATE HashUpdate; + EFI_HASH_FINAL HashFinal; + EFI_HASH_ALL HashAll; + CONST UINT8 *Digest; + VOID *HashCtx; +} HASH_TEST_CONTEXT; + +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES +HASH_TEST_CONTEXT mMd5TestCtx = {MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final, Md5HashAll, Md5Digest}; +#endif +HASH_TEST_CONTEXT mSha1TestCtx = {SHA1_DIGEST_SIZE, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final, Sha1HashAll, Sha1Digest}; +HASH_TEST_CONTEXT mSha256TestCtx = {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, Sha256HashAll, Sha256Digest}; +HASH_TEST_CONTEXT mSha384TestCtx = {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, Sha384HashAll, Sha384Digest}; +HASH_TEST_CONTEXT mSha512TestCtx = {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, Sha512HashAll, Sha512Digest}; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyHashPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + HASH_TEST_CONTEXT *HashTestContext; + UINTN CtxSize; + + HashTestContext = Context; + CtxSize = HashTestContext->GetContextSize (); + HashTestContext->HashCtx = AllocatePool (CtxSize); + if (HashTestContext->HashCtx == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyHashCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + HASH_TEST_CONTEXT *HashTestContext; + + HashTestContext = Context; + if (HashTestContext->HashCtx != NULL) { + FreePool (HashTestContext->HashCtx); + } +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyHash ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINTN DataSize; + UINT8 Digest[MAX_DIGEST_SIZE]; + BOOLEAN Status; + HASH_TEST_CONTEXT *HashTestContext; + + HashTestContext = Context; + + DataSize = AsciiStrLen (HashData); + + ZeroMem (Digest, MAX_DIGEST_SIZE); + + Status = HashTestContext->HashInit (HashTestContext->HashCtx); + UT_ASSERT_TRUE (Status); + + Status = HashTestContext->HashUpdate (HashTestContext->HashCtx, HashData, DataSize); + UT_ASSERT_TRUE (Status); + + Status = HashTestContext->HashFinal (HashTestContext->HashCtx, Digest); + UT_ASSERT_TRUE (Status); + + UT_ASSERT_MEM_EQUAL (Digest, HashTestContext->Digest, HashTestContext->DigestSize); + + ZeroMem (Digest, MAX_DIGEST_SIZE); + Status = HashTestContext->HashAll (HashData, DataSize, Digest); + UT_ASSERT_TRUE (Status); + + UT_ASSERT_MEM_EQUAL (Digest, HashTestContext->Digest, HashTestContext->DigestSize); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mHashTest[] = { + // + // -----Description----------------Class---------------------Function---------------Pre------------------Post------------Context + // +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES + {"TestVerifyMd5()", "CryptoPkg.BaseCryptLib.Hash", TestVerifyHash, TestVerifyHashPreReq, TestVerifyHashCleanUp, &mMd5TestCtx}, +#endif + {"TestVerifySha1()", "CryptoPkg.BaseCryptLib.Hash", TestVerifyHash, TestVerifyHashPreReq, TestVerifyHashCleanUp, &mSha1TestCtx}, + {"TestVerifySha256()", "CryptoPkg.BaseCryptLib.Hash", TestVerifyHash, TestVerifyHashPreReq, TestVerifyHashCleanUp, &mSha256TestCtx}, + {"TestVerifySha384()", "CryptoPkg.BaseCryptLib.Hash", TestVerifyHash, TestVerifyHashPreReq, TestVerifyHashCleanUp, &mSha384TestCtx}, + {"TestVerifySha512()", "CryptoPkg.BaseCryptLib.Hash", TestVerifyHash, TestVerifyHashPreReq, TestVerifyHashCleanUp, &mSha512TestCtx}, +}; + +UINTN mHashTestNum = ARRAY_SIZE(mHashTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c new file mode 100644 index 00000000..777a6945 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c @@ -0,0 +1,184 @@ +/** @file + Application for HMAC Primitives Validation. + +Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// Max Known Digest Size is SHA512 Output (64 bytes) by far +// +#define MAX_DIGEST_SIZE 64 + +// +// Data string for HMAC validation +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *HmacData = "Hi There"; + +// +// Key value for HMAC-MD5 validation. (From "2. Test Cases for HMAC-MD5" of IETF RFC2202) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacMd5Key[16] = { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b + }; + +// +// Result for HMAC-MD5("Hi There"). (From "2. Test Cases for HMAC-MD5" of IETF RFC2202) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacMd5Digest[] = { + 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c, 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d + }; + +// +// Key value for HMAC-SHA-1 validation. (From "3. Test Cases for HMAC-SHA-1" of IETF RFC2202) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacSha1Key[20] = { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b + }; + +// +// Result for HMAC-SHA-1 ("Hi There"). (From "3. Test Cases for HMAC-SHA-1" of IETF RFC2202) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacSha1Digest[] = { + 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e, + 0xf1, 0x46, 0xbe, 0x00 + }; + +// +// Key value for HMAC-SHA-256 validation. (From "4. Test Vectors" of IETF RFC4231) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacSha256Key[20] = { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b + }; + +// +// Result for HMAC-SHA-256 ("Hi There"). (From "4. Test Vectors" of IETF RFC4231) +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 HmacSha256Digest[] = { + 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, + 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 + }; + +typedef +VOID* +(EFIAPI *EFI_HMAC_NEW) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HMAC_INIT) ( + IN OUT VOID *HashContext, + IN CONST UINT8 *Key, + IN UINTN KeySize + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HMAC_UPDATE) ( + IN OUT VOID *HashContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *EFI_HMAC_FINAL) ( + IN OUT VOID *HashContext, + OUT UINT8 *HashValue + ); + +typedef struct { + UINT32 DigestSize; + EFI_HMAC_NEW HmacNew; + EFI_HMAC_INIT HmacInit; + EFI_HMAC_UPDATE HmacUpdate; + EFI_HMAC_FINAL HmacFinal; + CONST UINT8 *Key; + UINTN KeySize; + CONST UINT8 *Digest; + VOID *HmacCtx; +} HMAC_TEST_CONTEXT; + +// These functions have been deprecated but they've been left commented out for future reference +//HMAC_TEST_CONTEXT mHmacMd5TestCtx = {MD5_DIGEST_SIZE, HmacMd5New, HmacMd5SetKey, HmacMd5Update, HmacMd5Final, HmacMd5Key, sizeof(HmacMd5Key), HmacMd5Digest}; +//HMAC_TEST_CONTEXT mHmacSha1TestCtx = {SHA1_DIGEST_SIZE, HmacSha1New, HmacSha1SetKey, HmacSha1Update, HmacSha1Final, HmacSha1Key, sizeof(HmacSha1Key), HmacSha1Digest}; +HMAC_TEST_CONTEXT mHmacSha256TestCtx = {SHA256_DIGEST_SIZE, HmacSha256New, HmacSha256SetKey, HmacSha256Update, HmacSha256Final, HmacSha256Key, sizeof(HmacSha256Key), HmacSha256Digest}; + + +UNIT_TEST_STATUS +EFIAPI +TestVerifyHmacPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + HMAC_TEST_CONTEXT *HmacTestContext; + + HmacTestContext = Context; + HmacTestContext->HmacCtx = HmacTestContext->HmacNew(); + if (HmacTestContext->HmacCtx == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyHmacCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + HMAC_TEST_CONTEXT *HmacTestContext; + + HmacTestContext = Context; + if (HmacTestContext->HmacCtx != NULL) { + FreePool (HmacTestContext->HmacCtx); + } +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyHmac ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINT8 Digest[MAX_DIGEST_SIZE]; + BOOLEAN Status; + HMAC_TEST_CONTEXT *HmacTestContext; + + HmacTestContext = Context; + + ZeroMem (Digest, MAX_DIGEST_SIZE); + + Status = HmacTestContext->HmacInit (HmacTestContext->HmacCtx, HmacTestContext->Key, HmacTestContext->KeySize); + UT_ASSERT_TRUE (Status); + + Status = HmacTestContext->HmacUpdate (HmacTestContext->HmacCtx, HmacData, 8); + UT_ASSERT_TRUE (Status); + + Status = HmacTestContext->HmacFinal (HmacTestContext->HmacCtx, Digest); + UT_ASSERT_TRUE (Status); + + UT_ASSERT_MEM_EQUAL (Digest, HmacTestContext->Digest, HmacTestContext->DigestSize); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mHmacTest[] = { + // + // -----Description---------------------Class---------------------Function---------------Pre------------------Post------------Context + // + {"TestVerifyHmacSha256()", "CryptoPkg.BaseCryptLib.Hmac", TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacSha256TestCtx}, + // These functions have been deprecated but they've been left commented out for future reference + //{"TestVerifyHmacMd5()", "CryptoPkg.BaseCryptLib.Hmac", TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacMd5TestCtx}, + //{"TestVerifyHmacSha1()", "CryptoPkg.BaseCryptLib.Hmac", TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacSha1TestCtx}, + +}; + +UINTN mHmacTestNum = ARRAY_SIZE(mHmacTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c new file mode 100644 index 00000000..d67c4895 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c @@ -0,0 +1,308 @@ +/** @file + This is a unit test for RSA OAEP encrypt. + + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include "TestBaseCryptLib.h" + +CONST UINT8 RandSeed[] = "This is the random seed for PRNG verification."; + +// +// Self signed X509 certificate +// CN = ca.self +// O = Intel +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 SelfTestCert[] = { + 0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0x02, 0x09, 0x00, 0xE4, 0xDF, 0x47, 0x80, 0xEF, + 0x4B, 0x3C, 0x6D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, + 0x05, 0x00, 0x30, 0x81, 0x89, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x43, 0x4E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x08, 0x53, 0x68, 0x61, + 0x6E, 0x67, 0x48, 0x61, 0x69, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x08, + 0x53, 0x68, 0x61, 0x6E, 0x67, 0x48, 0x61, 0x69, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, + 0x0A, 0x0C, 0x05, 0x49, 0x6E, 0x74, 0x65, 0x6C, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, + 0x0B, 0x0C, 0x03, 0x46, 0x49, 0x45, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x07, 0x63, 0x61, 0x2E, 0x73, 0x65, 0x6C, 0x66, 0x31, 0x24, 0x30, 0x22, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x15, 0x7A, 0x68, 0x69, 0x63, 0x68, 0x61, 0x6F, + 0x2E, 0x67, 0x61, 0x6F, 0x40, 0x69, 0x6E, 0x74, 0x65, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, + 0x17, 0x0D, 0x31, 0x39, 0x30, 0x33, 0x32, 0x37, 0x30, 0x35, 0x35, 0x37, 0x30, 0x39, 0x5A, 0x17, + 0x0D, 0x32, 0x30, 0x30, 0x33, 0x32, 0x36, 0x30, 0x35, 0x35, 0x37, 0x30, 0x39, 0x5A, 0x30, 0x81, + 0x89, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x11, + 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x08, 0x53, 0x68, 0x61, 0x6E, 0x67, 0x48, 0x61, + 0x69, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x08, 0x53, 0x68, 0x61, 0x6E, + 0x67, 0x48, 0x61, 0x69, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x05, 0x49, + 0x6E, 0x74, 0x65, 0x6C, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x46, + 0x49, 0x45, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07, 0x63, 0x61, 0x2E, + 0x73, 0x65, 0x6C, 0x66, 0x31, 0x24, 0x30, 0x22, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x09, 0x01, 0x16, 0x15, 0x7A, 0x68, 0x69, 0x63, 0x68, 0x61, 0x6F, 0x2E, 0x67, 0x61, 0x6F, + 0x40, 0x69, 0x6E, 0x74, 0x65, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBC, 0xE4, 0x67, 0xDC, 0xC7, + 0xEA, 0x6F, 0x8A, 0xA7, 0xCC, 0xB2, 0x54, 0x47, 0x48, 0x6A, 0xE2, 0x39, 0xFF, 0xC2, 0x48, 0x58, + 0x34, 0x07, 0x03, 0x6D, 0x39, 0xB3, 0x67, 0x46, 0x4C, 0xBC, 0xA0, 0xFA, 0x4E, 0x64, 0x23, 0x56, + 0x47, 0x7B, 0xC9, 0x1A, 0x2A, 0x55, 0x42, 0x54, 0x10, 0x18, 0x30, 0x92, 0x60, 0x30, 0x5B, 0x9E, + 0xC0, 0x65, 0xD2, 0xD4, 0x05, 0x4A, 0xA6, 0x10, 0x66, 0x04, 0xA9, 0x54, 0x4E, 0xEE, 0x49, 0x39, + 0x43, 0x65, 0x1E, 0x2E, 0x28, 0xDE, 0x79, 0x24, 0xA9, 0x7E, 0xD8, 0x5B, 0xBC, 0x2F, 0x46, 0x6A, + 0xB7, 0xB6, 0x0D, 0x17, 0x88, 0x37, 0x52, 0x5C, 0xFE, 0x93, 0xC0, 0xE2, 0xFD, 0x6A, 0x08, 0x1B, + 0xFB, 0xD1, 0x87, 0xBD, 0xBD, 0x58, 0x57, 0x2C, 0x06, 0x5D, 0xD2, 0x7D, 0x52, 0xE2, 0x49, 0x8E, + 0xDC, 0xE5, 0x26, 0xBD, 0x92, 0x60, 0xB0, 0x3F, 0x58, 0x5E, 0x52, 0xD7, 0x91, 0xDA, 0x93, 0x62, + 0x8D, 0x71, 0x80, 0x53, 0xBA, 0x15, 0xC4, 0x1F, 0xF3, 0xBD, 0xE0, 0xC5, 0xA4, 0xB8, 0xD3, 0x64, + 0x12, 0x14, 0x1B, 0x11, 0x6B, 0x7B, 0xC2, 0x92, 0xC7, 0xE2, 0x94, 0x0B, 0xB8, 0x67, 0x38, 0x48, + 0x63, 0x11, 0x74, 0x25, 0x7C, 0x37, 0xC3, 0xB2, 0xAE, 0xD9, 0xA7, 0x17, 0x9C, 0x4B, 0x9D, 0x6C, + 0x27, 0xB0, 0x87, 0x16, 0x6B, 0xF2, 0x96, 0xE5, 0x1D, 0x37, 0x27, 0xDE, 0xF2, 0x98, 0xB7, 0x81, + 0x08, 0xD9, 0x7A, 0xBA, 0x84, 0x14, 0x61, 0x60, 0x48, 0xCE, 0xCE, 0x51, 0x73, 0xF4, 0xDB, 0xF1, + 0x5F, 0x7A, 0x17, 0x71, 0x4F, 0xC1, 0x0B, 0xCE, 0xC7, 0x31, 0xC1, 0x4E, 0xA3, 0xEE, 0x6F, 0x72, + 0x97, 0x90, 0xFB, 0x8B, 0x54, 0x9F, 0x82, 0x5B, 0x48, 0x5A, 0xF1, 0xAD, 0x8B, 0x3A, 0xCD, 0xCA, + 0xB2, 0x8B, 0x7A, 0x53, 0xD4, 0xF7, 0x71, 0x16, 0x75, 0xA7, 0x35, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x78, 0x64, 0xCD, 0x6F, 0xC0, 0xF9, 0xE7, 0xAB, 0x19, 0x0B, 0xA4, 0x92, + 0x88, 0xD7, 0xE3, 0xC4, 0x9C, 0xCF, 0xF2, 0x49, 0xFC, 0xCE, 0x8C, 0xEC, 0x33, 0x3F, 0x24, 0x6F, + 0xF7, 0xBC, 0x7C, 0x28, 0xEF, 0xAE, 0xAB, 0x7B, 0xAF, 0x84, 0xE3, 0x4E, 0x38, 0xAB, 0x66, 0x20, + 0x7C, 0xB9, 0xE0, 0x37, 0xFD, 0x84, 0x28, 0x3C, 0xEE, 0x35, 0xC4, 0x75, 0x04, 0x43, 0xCA, 0x4F, + 0x36, 0x60, 0xC4, 0x06, 0x16, 0x54, 0x3C, 0xF9, 0x47, 0x78, 0xBD, 0xE9, 0x7F, 0xF1, 0xE3, 0x0B, + 0xC7, 0x7E, 0x30, 0xA4, 0xCB, 0x3A, 0xC7, 0xCD, 0x50, 0x9A, 0x6C, 0xC1, 0xE3, 0xF8, 0xF8, 0x16, + 0xAA, 0x67, 0x7F, 0x92, 0xEE, 0x1D, 0x47, 0xF2, 0x96, 0xDF, 0xD7, 0x43, 0x64, 0x78, 0xA7, 0xD9, + 0xF6, 0xA1, 0xD9, 0xEB, 0x5B, 0x2E, 0xC6, 0x9E, 0xEA, 0xD5, 0x04, 0x52, 0xA4, 0x73, 0x97, 0xC8, + 0xB3, 0xFD, 0xE1, 0x7E, 0xB1, 0xA4, 0x3F, 0xF4, 0x56, 0x66, 0x8E, 0x6B, 0xBC, 0xD8, 0xF0, 0x7C, + 0xBF, 0x58, 0xA4, 0xE0, 0x45, 0xDC, 0x2B, 0x0B, 0x2C, 0x40, 0x52, 0x4D, 0x4B, 0xA9, 0x8A, 0x77, + 0x87, 0x31, 0xF8, 0x45, 0xD9, 0x60, 0xBB, 0xAD, 0x28, 0x29, 0x14, 0x0D, 0x0D, 0x8F, 0x0F, 0x34, + 0x76, 0x88, 0xF3, 0x5A, 0x65, 0x00, 0x54, 0x22, 0x35, 0xBF, 0x3A, 0x2B, 0xE9, 0xB0, 0x24, 0xE5, + 0xBE, 0xDF, 0x08, 0xA0, 0x02, 0xB2, 0x81, 0x01, 0xE8, 0x14, 0xBE, 0x6E, 0x7E, 0xBD, 0x60, 0x0C, + 0x4A, 0xD8, 0x57, 0xA4, 0x50, 0xD3, 0xD0, 0x59, 0xCE, 0x57, 0x27, 0xE9, 0xA6, 0x16, 0x15, 0x5F, + 0xF2, 0x6C, 0xCC, 0x57, 0x36, 0x20, 0x06, 0xE6, 0xA7, 0x24, 0x22, 0xB0, 0xB1, 0xC4, 0xBC, 0x2C, + 0x5C, 0xCE, 0x92, 0x11, 0xFF, 0x6F, 0x8C, 0x14, 0x7E, 0xC4, 0x10, 0x02, 0xF6, 0x69, 0x86, 0x6D, + 0x5B, 0x64, 0x81, 0x13, + }; + +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 PrivateKey[] = { + 0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBC, 0xE4, 0x67, 0xDC, + 0xC7, 0xEA, 0x6F, 0x8A, 0xA7, 0xCC, 0xB2, 0x54, 0x47, 0x48, 0x6A, 0xE2, 0x39, 0xFF, 0xC2, 0x48, + 0x58, 0x34, 0x07, 0x03, 0x6D, 0x39, 0xB3, 0x67, 0x46, 0x4C, 0xBC, 0xA0, 0xFA, 0x4E, 0x64, 0x23, + 0x56, 0x47, 0x7B, 0xC9, 0x1A, 0x2A, 0x55, 0x42, 0x54, 0x10, 0x18, 0x30, 0x92, 0x60, 0x30, 0x5B, + 0x9E, 0xC0, 0x65, 0xD2, 0xD4, 0x05, 0x4A, 0xA6, 0x10, 0x66, 0x04, 0xA9, 0x54, 0x4E, 0xEE, 0x49, + 0x39, 0x43, 0x65, 0x1E, 0x2E, 0x28, 0xDE, 0x79, 0x24, 0xA9, 0x7E, 0xD8, 0x5B, 0xBC, 0x2F, 0x46, + 0x6A, 0xB7, 0xB6, 0x0D, 0x17, 0x88, 0x37, 0x52, 0x5C, 0xFE, 0x93, 0xC0, 0xE2, 0xFD, 0x6A, 0x08, + 0x1B, 0xFB, 0xD1, 0x87, 0xBD, 0xBD, 0x58, 0x57, 0x2C, 0x06, 0x5D, 0xD2, 0x7D, 0x52, 0xE2, 0x49, + 0x8E, 0xDC, 0xE5, 0x26, 0xBD, 0x92, 0x60, 0xB0, 0x3F, 0x58, 0x5E, 0x52, 0xD7, 0x91, 0xDA, 0x93, + 0x62, 0x8D, 0x71, 0x80, 0x53, 0xBA, 0x15, 0xC4, 0x1F, 0xF3, 0xBD, 0xE0, 0xC5, 0xA4, 0xB8, 0xD3, + 0x64, 0x12, 0x14, 0x1B, 0x11, 0x6B, 0x7B, 0xC2, 0x92, 0xC7, 0xE2, 0x94, 0x0B, 0xB8, 0x67, 0x38, + 0x48, 0x63, 0x11, 0x74, 0x25, 0x7C, 0x37, 0xC3, 0xB2, 0xAE, 0xD9, 0xA7, 0x17, 0x9C, 0x4B, 0x9D, + 0x6C, 0x27, 0xB0, 0x87, 0x16, 0x6B, 0xF2, 0x96, 0xE5, 0x1D, 0x37, 0x27, 0xDE, 0xF2, 0x98, 0xB7, + 0x81, 0x08, 0xD9, 0x7A, 0xBA, 0x84, 0x14, 0x61, 0x60, 0x48, 0xCE, 0xCE, 0x51, 0x73, 0xF4, 0xDB, + 0xF1, 0x5F, 0x7A, 0x17, 0x71, 0x4F, 0xC1, 0x0B, 0xCE, 0xC7, 0x31, 0xC1, 0x4E, 0xA3, 0xEE, 0x6F, + 0x72, 0x97, 0x90, 0xFB, 0x8B, 0x54, 0x9F, 0x82, 0x5B, 0x48, 0x5A, 0xF1, 0xAD, 0x8B, 0x3A, 0xCD, + 0xCA, 0xB2, 0x8B, 0x7A, 0x53, 0xD4, 0xF7, 0x71, 0x16, 0x75, 0xA7, 0x35, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x02, 0x82, 0x01, 0x00, 0x13, 0xF7, 0xD1, 0x42, 0xF5, 0x9F, 0x42, 0xCB, 0x55, 0x91, 0xBE, + 0x08, 0x4A, 0xC0, 0xCD, 0x0B, 0xBD, 0x35, 0xDC, 0x43, 0xE9, 0x8F, 0x16, 0x6E, 0xB6, 0x4D, 0x33, + 0x39, 0xE7, 0xA4, 0x95, 0x0C, 0x2F, 0x69, 0xBA, 0x0C, 0x42, 0x42, 0xAC, 0x43, 0x46, 0x10, 0xD3, + 0x92, 0x7F, 0x70, 0x74, 0x1E, 0x2E, 0x5B, 0x1C, 0xC1, 0x92, 0xB6, 0xA4, 0x0C, 0xF5, 0x7C, 0xD9, + 0xB7, 0x54, 0x64, 0x74, 0x79, 0xB1, 0xFF, 0xE6, 0x10, 0xB7, 0x8C, 0xF8, 0x53, 0x88, 0x6D, 0xA9, + 0x97, 0x04, 0xD9, 0x26, 0x1F, 0x99, 0x12, 0xFB, 0xAC, 0x65, 0xFB, 0xA5, 0xB3, 0x1C, 0x99, 0xB9, + 0xBF, 0x6B, 0x35, 0x3E, 0x49, 0x55, 0xB5, 0x94, 0x4F, 0xE7, 0x25, 0x67, 0xB1, 0x01, 0xCD, 0xD2, + 0x58, 0xE4, 0xBE, 0x87, 0x8C, 0x88, 0xD3, 0x0A, 0x38, 0xDC, 0x71, 0x5D, 0x88, 0x0A, 0xE2, 0x3E, + 0x76, 0x63, 0x3B, 0xE4, 0x3C, 0x8F, 0x2F, 0x29, 0x1D, 0xD1, 0x66, 0x8D, 0xC0, 0x4A, 0x68, 0x15, + 0x90, 0x4C, 0x95, 0x61, 0xF4, 0xFD, 0xE8, 0xFA, 0x9C, 0x6C, 0x00, 0x22, 0x23, 0xD5, 0x17, 0x6E, + 0xEE, 0xA8, 0xD8, 0x70, 0xC5, 0x74, 0xEA, 0x09, 0x13, 0x7F, 0x0C, 0x37, 0x4D, 0x50, 0xCD, 0xE9, + 0x16, 0xC2, 0xD5, 0xDE, 0x5E, 0xC3, 0xFC, 0x46, 0x08, 0xF1, 0x99, 0xC0, 0xB4, 0x28, 0xFD, 0x2B, + 0x29, 0xEF, 0x76, 0xD7, 0x04, 0x4F, 0x02, 0x54, 0x16, 0x54, 0x55, 0x20, 0xEC, 0xBC, 0xBF, 0x85, + 0x5F, 0x12, 0xCC, 0xFC, 0x0D, 0xF2, 0xEF, 0xFC, 0x4D, 0x3E, 0xA2, 0x5E, 0x97, 0xFE, 0x35, 0x10, + 0x0F, 0x53, 0x1F, 0x80, 0xD5, 0xC0, 0xB4, 0xE9, 0xE9, 0x31, 0x4C, 0x89, 0x14, 0x72, 0x39, 0x65, + 0x89, 0xEF, 0x7A, 0x51, 0x4A, 0xB9, 0xA9, 0xCC, 0x1B, 0x52, 0xB0, 0x02, 0x52, 0x65, 0x2F, 0x0B, + 0x89, 0x41, 0x70, 0x1E, 0x01, 0x02, 0x81, 0x81, 0x00, 0xDB, 0xE8, 0x21, 0x9E, 0xDB, 0x58, 0x42, + 0x0B, 0x02, 0x35, 0x87, 0xDF, 0x35, 0xF4, 0xC1, 0xEE, 0xD5, 0x72, 0x2C, 0xDC, 0x4D, 0xC7, 0xDA, + 0x6D, 0x18, 0x0F, 0x68, 0x6F, 0xE7, 0xB0, 0x6C, 0xA0, 0xB2, 0x9E, 0xB8, 0x5E, 0x4A, 0x86, 0x81, + 0x97, 0xBD, 0x78, 0xFC, 0x06, 0xD5, 0xBE, 0x98, 0x42, 0x38, 0x78, 0x78, 0x16, 0xAE, 0x39, 0x56, + 0xFB, 0x67, 0x6B, 0xED, 0x7F, 0xB3, 0xC3, 0x7D, 0x95, 0x86, 0x05, 0x0C, 0xF1, 0x4C, 0xC2, 0x67, + 0x94, 0x93, 0x1B, 0xB7, 0x91, 0x0A, 0x80, 0xE2, 0x85, 0xA7, 0x75, 0x20, 0x61, 0xCD, 0x40, 0x5B, + 0x39, 0x13, 0x32, 0xF7, 0xB8, 0xD7, 0x0C, 0x39, 0x4C, 0x82, 0x4B, 0xA3, 0x9F, 0x5E, 0xB1, 0xB0, + 0x38, 0x81, 0x8B, 0x1E, 0xBD, 0x2B, 0xC2, 0x9F, 0x3A, 0x68, 0x72, 0xC2, 0x90, 0xCB, 0xA2, 0xE2, + 0xAC, 0x86, 0xFF, 0xC8, 0xD7, 0xB8, 0x97, 0x0E, 0x69, 0x02, 0x81, 0x81, 0x00, 0xDB, 0xE5, 0x21, + 0x1F, 0x4C, 0x83, 0xD9, 0x7A, 0x56, 0x87, 0x82, 0xF1, 0x40, 0x1A, 0xD3, 0x5B, 0xC5, 0xB4, 0x4D, + 0x18, 0x8A, 0xE3, 0x6B, 0xC9, 0x7E, 0x8F, 0x5D, 0x00, 0x33, 0x66, 0xEB, 0xAE, 0x8E, 0x54, 0x49, + 0xD7, 0xEA, 0xF3, 0xF9, 0xED, 0xD7, 0xEE, 0x2C, 0xC8, 0xD6, 0x8F, 0x40, 0x0A, 0x53, 0xCB, 0x5D, + 0x16, 0xB7, 0xEB, 0x4E, 0xFB, 0x11, 0x18, 0x1B, 0x4B, 0x6B, 0x43, 0x04, 0xD6, 0x1D, 0x8F, 0x6D, + 0x4D, 0x48, 0x8B, 0x6C, 0x82, 0x52, 0xB4, 0x8D, 0x58, 0x9B, 0x19, 0x8D, 0xE0, 0x0D, 0xFD, 0x15, + 0x9D, 0x35, 0xDF, 0x5E, 0xED, 0xDB, 0x8F, 0x8C, 0x44, 0x11, 0xC9, 0x9A, 0xD9, 0x3F, 0xD4, 0xA5, + 0xEE, 0x68, 0x3B, 0x38, 0xD1, 0x66, 0xB0, 0x62, 0x7E, 0xA5, 0x04, 0xD1, 0x67, 0xA4, 0x1D, 0x93, + 0xD6, 0x2A, 0xFB, 0xF6, 0xC1, 0xB2, 0xC4, 0x02, 0x8A, 0xB2, 0xA8, 0xD0, 0xED, 0x02, 0x81, 0x81, + 0x00, 0xD1, 0x1D, 0x98, 0x43, 0x09, 0x10, 0x8F, 0x95, 0x0A, 0x5F, 0xBF, 0x3A, 0x1A, 0x84, 0x0A, + 0x9B, 0x44, 0x6C, 0x53, 0x8E, 0x97, 0x84, 0x72, 0x08, 0x85, 0xF5, 0xB8, 0xF9, 0x99, 0x58, 0x22, + 0xA4, 0x59, 0xD7, 0x27, 0x39, 0xBB, 0x22, 0xD7, 0x3F, 0x65, 0x95, 0x14, 0x0C, 0xA7, 0xDB, 0x9B, + 0xCC, 0x75, 0x08, 0xD2, 0x21, 0xB7, 0x41, 0x9D, 0x9E, 0x6A, 0x85, 0xAE, 0x8E, 0x5E, 0x72, 0x8B, + 0x0C, 0xD2, 0x2A, 0x21, 0x59, 0xA1, 0x05, 0xC9, 0x1B, 0xF7, 0x1C, 0x47, 0x5E, 0x6C, 0x9F, 0x8D, + 0x49, 0x4D, 0xA9, 0xCA, 0xC6, 0x56, 0x39, 0x59, 0xC6, 0x17, 0xA4, 0xC2, 0xFF, 0x09, 0xB8, 0x7D, + 0x10, 0x6D, 0x62, 0xE2, 0x50, 0x9D, 0xEA, 0xD8, 0xC9, 0x93, 0x1E, 0xA9, 0x77, 0x78, 0x92, 0x95, + 0x7A, 0x24, 0x72, 0xE4, 0xE4, 0x6E, 0x51, 0x11, 0xBE, 0xC0, 0x8D, 0xA1, 0xFE, 0xC9, 0x71, 0x13, + 0xE9, 0x02, 0x81, 0x80, 0x38, 0xE5, 0x3F, 0x3D, 0xB6, 0xF1, 0x82, 0x8A, 0xD9, 0xEA, 0xB4, 0x21, + 0xB1, 0xE1, 0x7F, 0x00, 0x86, 0xD6, 0x11, 0x00, 0xA1, 0xA7, 0x18, 0x53, 0x89, 0x50, 0x94, 0xD2, + 0xA1, 0x7A, 0x26, 0xCF, 0x02, 0x7A, 0xA2, 0xA4, 0xA0, 0x61, 0x42, 0x30, 0x9D, 0x27, 0x3E, 0x25, + 0x35, 0x06, 0xD9, 0x9E, 0x12, 0x72, 0x53, 0x02, 0xB6, 0xD1, 0xC6, 0x9C, 0xC5, 0x9E, 0x84, 0x29, + 0x6E, 0x76, 0x67, 0xC0, 0xF2, 0xE3, 0x12, 0x77, 0xE5, 0xA6, 0x55, 0x8C, 0x1E, 0xD4, 0x22, 0xA2, + 0x63, 0x77, 0x28, 0x33, 0x69, 0xCB, 0x2B, 0x15, 0x83, 0x43, 0xE9, 0x6F, 0x07, 0xD9, 0x4B, 0x84, + 0xAD, 0x49, 0x89, 0xAC, 0x5E, 0x8C, 0xA9, 0xE6, 0x56, 0xC7, 0xC3, 0xFA, 0xC2, 0x64, 0x2F, 0x07, + 0xEF, 0xB0, 0xA0, 0x71, 0xFD, 0x8F, 0xBD, 0x99, 0xB3, 0x83, 0x80, 0x24, 0x3C, 0x19, 0xE5, 0x42, + 0x77, 0xD9, 0xA0, 0x3D, 0x02, 0x81, 0x81, 0x00, 0xB7, 0x35, 0xE9, 0x66, 0x4A, 0xCD, 0x5F, 0x5C, + 0x44, 0x9A, 0x7F, 0x23, 0xAE, 0xC2, 0x7F, 0xF0, 0x8D, 0xE4, 0xDB, 0xCD, 0x1A, 0x8A, 0x40, 0xD7, + 0x0A, 0xC4, 0x3E, 0xC5, 0x03, 0xFB, 0x47, 0xAB, 0x72, 0xDF, 0xD7, 0x68, 0x27, 0x6E, 0x86, 0x94, + 0x2A, 0x2A, 0xDA, 0x25, 0x9E, 0xF6, 0x5E, 0xE0, 0x6D, 0x7C, 0x7D, 0xFE, 0x72, 0xDD, 0xC7, 0xBC, + 0x74, 0xC7, 0xAD, 0xEA, 0x44, 0xBE, 0x5C, 0x8A, 0x03, 0xCD, 0x35, 0x74, 0x6F, 0x4E, 0x92, 0x31, + 0xBE, 0x57, 0x9A, 0x02, 0x0C, 0xFC, 0xD1, 0xD5, 0xE7, 0x3E, 0x53, 0x0C, 0x47, 0x12, 0x39, 0x45, + 0x6E, 0x35, 0x24, 0xA6, 0xDA, 0x42, 0x63, 0xC6, 0xBF, 0xCA, 0xE8, 0x32, 0xFD, 0x61, 0xC0, 0x80, + 0x39, 0xD2, 0xB7, 0x0D, 0xF3, 0xA2, 0xF3, 0xE4, 0x49, 0x26, 0x89, 0xD0, 0xA0, 0x24, 0xC8, 0x27, + 0x86, 0x10, 0x09, 0x88, 0x6C, 0x35, 0x60, 0xF2, + }; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyOaepEncrypt ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + UINT8 File[4]; + UINT8 *OutBuffer; + UINTN OutBufferSize; + UINT8 *OutBuffer2; + UINTN OutBuffer2Size; + + // Create a file and add content '123' in it + File[0] = '1'; + File[1] = '2'; + File[2] = '3'; + File[3] = 0; + + OutBuffer = NULL; + OutBufferSize = 0; + OutBuffer2 = NULL; + OutBuffer2Size = 0; + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)sizeof (File), + NULL, + 0, + &OutBuffer, + (UINTN *)&OutBufferSize + ); + UT_ASSERT_TRUE (Status); + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + NULL, + 0, + &OutBuffer2, + (UINTN *)&OutBuffer2Size + ); + UT_ASSERT_TRUE (Status); + + // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect. + Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0); + UT_ASSERT_FALSE (Status); + + if (OutBuffer) { + FreePool (OutBuffer); + OutBuffer = NULL; + OutBufferSize = 0; + } + + if (OutBuffer2) { + FreePool (OutBuffer2); + OutBuffer2 = NULL; + OutBuffer2Size = 0; + } + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + RandSeed, + (UINTN)sizeof (RandSeed), + &OutBuffer, + (UINTN *)&OutBufferSize + ); + UT_ASSERT_TRUE (Status); + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + RandSeed, + (UINTN)sizeof (RandSeed), + &OutBuffer2, + (UINTN *)&OutBuffer2Size + ); + UT_ASSERT_TRUE (Status); + + // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect. + Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0); + UT_ASSERT_FALSE (Status); + + if (OutBuffer) { + FreePool (OutBuffer); + OutBuffer = NULL; + OutBufferSize = 0; + } + + if (OutBuffer2) { + FreePool (OutBuffer2); + OutBuffer2 = NULL; + OutBuffer2Size = 0; + } + + Status = Pkcs1v2Encrypt ( + NULL, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + NULL, + 0, + &OutBuffer, + (UINTN *)&OutBufferSize + ); + UT_ASSERT_FALSE (Status); + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + NULL, + 0, + (UINT8 **)NULL, + (UINTN *)&OutBufferSize + ); + UT_ASSERT_FALSE (Status); + + Status = Pkcs1v2Encrypt ( + SelfTestCert, + (UINTN)sizeof (SelfTestCert), + File, + (UINTN)4, + NULL, + 0, + &OutBuffer, + (UINTN *)NULL + ); + UT_ASSERT_FALSE (Status); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mOaepTest[] = { + // + // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context + // + {"TestVerifyOaepEncrypt()", "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt", TestVerifyOaepEncrypt, NULL, NULL, NULL}, +}; + +UINTN mOaepTestNum = ARRAY_SIZE(mOaepTest); + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs5Pbkdf2Tests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs5Pbkdf2Tests.c new file mode 100644 index 00000000..b2f4cc4f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs5Pbkdf2Tests.c @@ -0,0 +1,71 @@ +/** @file + Application for PKCS#5 PBKDF2 Function Validation. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// PBKDF2 HMAC-SHA1 Test Vector from RFC6070 +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *Password = "password"; // Input Password +GLOBAL_REMOVE_IF_UNREFERENCED UINTN PassLen = 8; // Length of Input Password +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *Salt = "salt"; // Input Salt +GLOBAL_REMOVE_IF_UNREFERENCED UINTN SaltLen = 4; // Length of Input Salt +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINTN Count = 2; // InterationCount +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINTN KeyLen = 20; // Length of derived key +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 DerivedKey[] = { // Expected output key + 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0, + 0xd8, 0xde, 0x89, 0x57 + }; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyPkcs5Pbkdf2 ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + UINT8 *OutKey; + + OutKey = AllocatePool (KeyLen); + + // + // Verify PKCS#5 PBKDF2 Key Derivation Function + // + Status = Pkcs5HashPassword ( + PassLen, + Password, + SaltLen, + (CONST UINT8 *)Salt, + Count, + SHA1_DIGEST_SIZE, + KeyLen, + OutKey + ); + UT_ASSERT_TRUE (Status); + + // + // Check the output key with the expected key result + // + UT_ASSERT_MEM_EQUAL (OutKey, DerivedKey, KeyLen); + + // + // Release Resources + // + FreePool (OutKey); + + return EFI_SUCCESS; +} + +TEST_DESC mPkcs5Test[] = { + // + // -----Description------------------------------Class----------------------Function-----------------Pre---Post--Context + // + {"TestVerifyPkcs5Pbkdf2()", "CryptoPkg.BaseCryptLib.Pkcs5", TestVerifyPkcs5Pbkdf2, NULL, NULL, NULL}, +}; + +UINTN mPkcs5TestNum = ARRAY_SIZE(mPkcs5Test); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTestSignatures.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTestSignatures.h new file mode 100644 index 00000000..6a0c3f27 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTestSignatures.h @@ -0,0 +1,789 @@ +/*++ + +Copyright (C) Microsoft Corporation. All Rights Reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +Module Name: + AllTestSignatures.h + +Abstract: + This file has test signatures in byte array format for Unit-Testing the + Enhanced Key Usage (EKU) parsing function. + + EFI_STATUS + EFIAPI + VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ); + + Note: These byte arrays were created by running BinToH.exe on the P7B + signature files. +--*/ + + +// +// This is the ProductionECCSignature.p7b in byte array format. It has one +// EKU in it. (Firmware signing) +// "1.3.6.1.4.1.311.76.9.21.1" +// +CONST UINT8 ProductionECCSignature[] = +{ + 0x30, 0x82, 0x04, 0xC0, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x03, 0x80, 0x30, 0x82, 0x03, 0x7C, 0x30, 0x82, 0x03, + 0x22, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x03, 0x7E, 0x2E, 0x8F, + 0xBD, 0xA5, 0xC9, 0x2C, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30, 0x0A, 0x06, 0x08, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, + 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x39, + 0x30, 0x37, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x30, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x45, 0x43, 0x43, 0x20, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x20, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x6F, 0x72, 0x79, 0x20, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, + 0x65, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x38, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, + 0x37, 0x31, 0x32, 0x31, 0x38, 0x33, 0x37, 0x30, 0x37, 0x5A, 0x17, 0x0D, 0x31, 0x39, 0x30, 0x37, + 0x31, 0x32, 0x31, 0x38, 0x33, 0x37, 0x30, 0x37, 0x5A, 0x30, 0x3A, 0x31, 0x38, 0x30, 0x36, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, + 0x45, 0x43, 0x43, 0x20, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x20, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x6F, 0x72, 0x79, 0x20, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x20, 0x53, + 0x69, 0x67, 0x6E, 0x65, 0x72, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, + 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, + 0x7D, 0xDF, 0xDE, 0xFA, 0xEE, 0xA5, 0x66, 0x33, 0xAA, 0xCC, 0xA4, 0x18, 0x65, 0x9E, 0x3A, 0xC6, + 0x4B, 0xCB, 0xD5, 0x78, 0x94, 0x14, 0xEE, 0xAA, 0xF3, 0x9D, 0xCB, 0x38, 0x6C, 0x5D, 0xFE, 0x3F, + 0x8A, 0xA9, 0x8D, 0x04, 0xD2, 0xFE, 0xAA, 0x38, 0xF3, 0xD6, 0x4A, 0x7E, 0xCF, 0x12, 0x95, 0xCF, + 0xAD, 0x92, 0x33, 0xF7, 0x38, 0x83, 0xC5, 0xFD, 0xCF, 0xD0, 0x96, 0x08, 0xCA, 0x62, 0x7D, 0x22, + 0xA3, 0x82, 0x01, 0xAF, 0x30, 0x82, 0x01, 0xAB, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, + 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, + 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x09, 0x15, 0x01, + 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1D, + 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xE7, 0xD1, 0xD4, 0x74, 0x71, 0xF4, 0xC9, + 0x35, 0x04, 0xA7, 0x9A, 0x1E, 0x0C, 0xDD, 0xF4, 0x8D, 0x5C, 0x1E, 0xF2, 0x29, 0x30, 0x37, 0x06, + 0x03, 0x55, 0x1D, 0x11, 0x04, 0x30, 0x30, 0x2E, 0xA4, 0x2C, 0x30, 0x2A, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x07, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x31, 0x16, + 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x05, 0x13, 0x0D, 0x34, 0x34, 0x30, 0x38, 0x31, 0x31, 0x2B, + 0x34, 0x34, 0x30, 0x38, 0x36, 0x32, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x6F, 0x3A, 0xCC, 0x1B, 0x2F, 0x17, 0x5C, 0xED, 0xEB, 0xC8, 0xBF, 0x93, 0xA7, + 0xB5, 0x93, 0xD1, 0x4D, 0x40, 0xAA, 0x03, 0x30, 0x75, 0x06, 0x03, 0x55, 0x1D, 0x1F, 0x04, 0x6E, + 0x30, 0x6C, 0x30, 0x6A, 0xA0, 0x68, 0xA0, 0x66, 0x86, 0x64, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, + 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, + 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x4D, 0x69, + 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x25, 0x32, 0x30, 0x45, 0x43, 0x43, 0x25, 0x32, 0x30, + 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x25, 0x32, 0x30, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x6F, 0x72, 0x79, 0x25, 0x32, 0x30, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x25, 0x32, + 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x31, 0x38, 0x2E, 0x63, 0x72, 0x6C, 0x30, 0x81, + 0x82, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x76, 0x30, 0x74, 0x30, + 0x72, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x66, 0x68, 0x74, 0x74, + 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, + 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F, 0x63, 0x65, 0x72, + 0x74, 0x73, 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x25, 0x32, 0x30, 0x45, + 0x43, 0x43, 0x25, 0x32, 0x30, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x25, 0x32, 0x30, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x6F, 0x72, 0x79, 0x25, 0x32, 0x30, 0x46, 0x69, 0x72, 0x6D, 0x77, + 0x61, 0x72, 0x65, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x31, 0x38, 0x2E, + 0x63, 0x72, 0x74, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, + 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x3D, 0xCF, 0xEF, 0xB8, 0xF0, 0x87, 0xEE, 0x7E, 0x80, 0x71, + 0x04, 0x77, 0x68, 0xDC, 0x66, 0x2F, 0x09, 0xA7, 0xF0, 0x76, 0x57, 0x7C, 0x12, 0x5A, 0xE4, 0x80, + 0x5A, 0xA0, 0xF2, 0x2C, 0x45, 0x1B, 0x02, 0x21, 0x00, 0xEB, 0x5F, 0x89, 0xD5, 0xEB, 0x03, 0x46, + 0x9E, 0x08, 0x95, 0x2A, 0x39, 0x30, 0x5D, 0x49, 0xB6, 0x24, 0xCE, 0x78, 0x1B, 0xB8, 0x1D, 0x0F, + 0xD1, 0x24, 0xD0, 0xA9, 0x18, 0x0F, 0x45, 0x4F, 0xF6, 0x31, 0x82, 0x01, 0x17, 0x30, 0x82, 0x01, + 0x13, 0x02, 0x01, 0x01, 0x30, 0x81, 0xA7, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, + 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x39, + 0x30, 0x37, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x30, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, + 0x66, 0x74, 0x20, 0x45, 0x43, 0x43, 0x20, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x20, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x6F, 0x72, 0x79, 0x20, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, + 0x65, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x38, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x03, + 0x7E, 0x2E, 0x8F, 0xBD, 0xA5, 0xC9, 0x2C, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30, 0x0D, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, + 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x05, 0x00, 0x04, 0x48, 0x30, 0x46, 0x02, 0x21, + 0x00, 0x85, 0xC7, 0x25, 0x5C, 0xF8, 0x5A, 0x13, 0xB7, 0xB6, 0x3A, 0xF1, 0x04, 0x72, 0xAC, 0xB3, + 0xF8, 0xC3, 0xE0, 0xE3, 0xD7, 0x98, 0x1B, 0xCF, 0x04, 0xA8, 0x0C, 0x7B, 0xBB, 0x7D, 0x40, 0xC2, + 0x99, 0x02, 0x21, 0x00, 0xA3, 0x83, 0x12, 0xE4, 0xB6, 0x3C, 0xC9, 0x3F, 0x05, 0xCF, 0x70, 0x57, + 0x54, 0x74, 0x0E, 0xEC, 0x14, 0xAD, 0x2C, 0x66, 0x9D, 0x72, 0x73, 0x62, 0x41, 0xA6, 0xC7, 0x90, + 0x05, 0x35, 0xF5, 0x80, +}; + +// +// This is the TestSignedWithMultipleCerts.bin.Signature.p7b in byte array +// format. It has two certs in it, and the leaf has an EKU of +// "1.3.6.1.4.1.311.76.9.21.1" +// +CONST UINT8 TestSignedMultipleCerts[] = +{ + 0x30, 0x82, 0x04, 0x90, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x03, 0xC2, 0x30, 0x82, 0x01, 0xC5, 0x30, 0x82, 0x01, + 0x6A, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x16, 0x2F, 0xD8, 0x2B, 0x8A, 0x98, 0x6A, 0x8A, + 0x43, 0xC2, 0x22, 0xA5, 0x47, 0xA1, 0x18, 0xDD, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, + 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, + 0x31, 0x38, 0x30, 0x37, 0x31, 0x38, 0x32, 0x33, 0x31, 0x36, 0x31, 0x32, 0x5A, 0x17, 0x0D, 0x33, + 0x38, 0x30, 0x37, 0x31, 0x38, 0x32, 0x33, 0x32, 0x36, 0x31, 0x32, 0x5A, 0x30, 0x28, 0x31, 0x26, + 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1D, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, + 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, + 0x65, 0x72, 0x4C, 0x65, 0x61, 0x66, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0x2E, 0x4C, 0x85, 0xFD, 0x86, 0x85, 0x4C, 0x55, 0x96, 0x17, 0xE3, 0x0C, 0xC1, 0xCB, 0xD9, + 0x95, 0xCF, 0xC7, 0xEA, 0x57, 0x02, 0x5C, 0x4F, 0x92, 0x7C, 0x35, 0xBF, 0x2B, 0x3D, 0xBA, 0x14, + 0xE5, 0x39, 0x9D, 0x9B, 0x64, 0x4A, 0x25, 0x29, 0xD5, 0x61, 0xDA, 0xFD, 0x51, 0x24, 0xB3, 0xE2, + 0x4E, 0x00, 0x59, 0xDF, 0xB4, 0x96, 0x42, 0x59, 0xA4, 0xBC, 0xA7, 0x64, 0x8F, 0x3A, 0x17, 0x33, + 0x55, 0xA3, 0x78, 0x30, 0x76, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, + 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, + 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x09, 0x15, 0x01, 0x30, 0x0C, 0x06, + 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, + 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x63, 0x69, 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, + 0xEA, 0x55, 0x95, 0x54, 0x07, 0xC4, 0xC5, 0x2A, 0xD2, 0xA9, 0x2D, 0x2F, 0x30, 0x1D, 0x06, 0x03, + 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xD6, 0x4A, 0xF8, 0x77, 0x21, 0x34, 0xEC, 0xC0, 0xAE, + 0x4D, 0x8F, 0x17, 0x86, 0xFF, 0xEA, 0xE3, 0x83, 0x42, 0x32, 0x83, 0x30, 0x0A, 0x06, 0x08, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x9A, + 0xAB, 0xE3, 0x6F, 0xD7, 0xB3, 0x0F, 0x83, 0x8A, 0xA1, 0x64, 0x70, 0xC1, 0xAC, 0x54, 0xE2, 0x59, + 0x7C, 0x8B, 0x11, 0x8F, 0x76, 0xB1, 0x9C, 0x5F, 0xDA, 0x7D, 0x04, 0x3C, 0x73, 0xB5, 0xCF, 0x02, + 0x21, 0x00, 0xB3, 0x31, 0xC1, 0x48, 0x3C, 0xEE, 0xA1, 0x6D, 0xA9, 0xF7, 0xF5, 0x9F, 0xD3, 0x6F, + 0x7D, 0x6F, 0xAB, 0x76, 0x12, 0xEE, 0x01, 0x4D, 0xFC, 0xE6, 0x87, 0xEA, 0xAB, 0x09, 0x98, 0xD8, + 0x97, 0x6F, 0x30, 0x82, 0x01, 0xF5, 0x30, 0x82, 0x01, 0x58, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x10, 0x4D, 0x88, 0xBF, 0x04, 0xDF, 0x10, 0x57, 0xBA, 0x43, 0x53, 0x6C, 0xFD, 0xA5, 0x90, 0xA7, + 0x6F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x28, 0x31, + 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1D, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, + 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, + 0x6E, 0x65, 0x72, 0x52, 0x6F, 0x6F, 0x74, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x31, 0x31, + 0x36, 0x32, 0x33, 0x32, 0x31, 0x31, 0x33, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x31, 0x31, 0x36, + 0x32, 0x33, 0x33, 0x31, 0x31, 0x33, 0x5A, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, + 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x0E, 0x58, 0xA3, 0xDB, 0xD3, 0x9C, + 0x21, 0xFC, 0x63, 0x6F, 0xBD, 0xB9, 0xA7, 0x8A, 0xB3, 0xBF, 0x40, 0x87, 0x43, 0x06, 0x53, 0x91, + 0x54, 0x31, 0x11, 0x0D, 0x3B, 0x50, 0x32, 0xEA, 0x11, 0xA3, 0x3D, 0x77, 0x08, 0x9E, 0xBC, 0x06, + 0x5C, 0x21, 0x48, 0x9D, 0x9B, 0x7C, 0x45, 0xFD, 0x4B, 0xD7, 0x0C, 0x04, 0xD4, 0xE0, 0x0C, 0xB7, + 0x6C, 0xBF, 0x22, 0xE1, 0x00, 0x99, 0x75, 0x39, 0x27, 0x59, 0xA3, 0x66, 0x30, 0x64, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, + 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x6D, + 0x8B, 0x24, 0xBF, 0x20, 0x9D, 0x54, 0xAF, 0x04, 0x5B, 0x84, 0x91, 0x96, 0xAE, 0x99, 0xC1, 0x23, + 0x1C, 0x0E, 0xAC, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x63, 0x69, + 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, 0xEA, 0x55, 0x95, 0x54, 0x07, 0xC4, 0xC5, 0x2A, 0xD2, 0xA9, + 0x2D, 0x2F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x81, + 0x8A, 0x00, 0x30, 0x81, 0x86, 0x02, 0x41, 0x2A, 0xD4, 0xFC, 0x35, 0x28, 0x73, 0x9F, 0xB3, 0x8A, + 0xE3, 0x13, 0x7F, 0xCA, 0x36, 0x88, 0x1E, 0xD0, 0x95, 0xDC, 0xE9, 0x8A, 0x9D, 0xC0, 0x27, 0x8C, + 0xD8, 0x57, 0x57, 0x5F, 0xDC, 0x13, 0x53, 0x68, 0xED, 0x2F, 0x4D, 0x6A, 0x77, 0xA2, 0x55, 0x48, + 0xCB, 0x24, 0x55, 0x3A, 0x30, 0x32, 0xE5, 0x5C, 0xDF, 0x96, 0xF1, 0x15, 0xD4, 0xE7, 0xCD, 0x6A, + 0x26, 0xBD, 0x7B, 0x92, 0x50, 0x74, 0xE4, 0x56, 0x02, 0x41, 0x46, 0x33, 0x61, 0x30, 0xFF, 0xA8, + 0x53, 0x31, 0x38, 0xCA, 0x6B, 0x77, 0x88, 0x36, 0x9A, 0x0B, 0x57, 0xC3, 0xD1, 0xB2, 0xA7, 0x40, + 0x53, 0x6A, 0xD1, 0x6C, 0x8A, 0x8B, 0x3C, 0x29, 0xC1, 0x2B, 0x82, 0x61, 0x2F, 0x1A, 0x9F, 0x2C, + 0x9A, 0x81, 0xD0, 0x2B, 0x3E, 0x0D, 0x99, 0xB7, 0xD4, 0x7E, 0xA7, 0xEA, 0x0C, 0x8E, 0x13, 0x0E, + 0x53, 0x65, 0x48, 0x17, 0xE5, 0xFA, 0x91, 0x79, 0x98, 0xC7, 0xA1, 0x31, 0x81, 0xA6, 0x30, 0x81, + 0xA3, 0x02, 0x01, 0x01, 0x30, 0x3A, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, + 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x02, 0x10, + 0x16, 0x2F, 0xD8, 0x2B, 0x8A, 0x98, 0x6A, 0x8A, 0x43, 0xC2, 0x22, 0xA5, 0x47, 0xA1, 0x18, 0xDD, + 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0B, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x05, 0x00, 0x04, 0x46, 0x30, 0x44, + 0x02, 0x20, 0x40, 0xD4, 0xD4, 0xAF, 0x89, 0xFA, 0x83, 0x44, 0x7B, 0x59, 0xB4, 0x2B, 0x99, 0xF0, + 0xD4, 0xB0, 0x75, 0x2E, 0x56, 0xAA, 0x0A, 0xDA, 0xCC, 0x82, 0xD5, 0xBC, 0x8D, 0xC4, 0x00, 0xF6, + 0x46, 0xA4, 0x02, 0x20, 0x6F, 0xA7, 0xE1, 0x32, 0xB2, 0xF2, 0x5A, 0x69, 0xC5, 0x45, 0xB6, 0x35, + 0x04, 0x05, 0x9B, 0xAC, 0x44, 0xB4, 0xA0, 0xE1, 0x25, 0x92, 0xE8, 0x3E, 0x8F, 0x85, 0xA3, 0xBE, + 0x34, 0xFE, 0x78, 0x31, +}; + +// +// This is the TestSignedWithMultipleEKUsInCert.bin.Signature.p7b signature in +// byte array format. It has two EKU's in it: +// "1.3.6.1.4.1.311.76.9.21.1" +// "1.3.6.1.4.1.311.76.9.21.2" +// +CONST UINT8 TestSignedWithMultipleEKUsInCert[] = +{ + 0x30, 0x82, 0x06, 0x2C, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x04, 0x9E, 0x30, 0x82, 0x01, 0xF5, 0x30, 0x82, 0x01, + 0x58, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x4D, 0x88, 0xBF, 0x04, 0xDF, 0x10, 0x57, 0xBA, + 0x43, 0x53, 0x6C, 0xFD, 0xA5, 0x90, 0xA7, 0x6F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x28, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x1D, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, + 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x52, 0x6F, 0x6F, 0x74, 0x30, 0x1E, + 0x17, 0x0D, 0x31, 0x38, 0x30, 0x31, 0x31, 0x36, 0x32, 0x33, 0x32, 0x31, 0x31, 0x33, 0x5A, 0x17, + 0x0D, 0x33, 0x38, 0x30, 0x31, 0x31, 0x36, 0x32, 0x33, 0x33, 0x31, 0x31, 0x33, 0x5A, 0x30, 0x26, + 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, + 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, + 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0x0E, 0x58, 0xA3, 0xDB, 0xD3, 0x9C, 0x21, 0xFC, 0x63, 0x6F, 0xBD, 0xB9, 0xA7, 0x8A, 0xB3, + 0xBF, 0x40, 0x87, 0x43, 0x06, 0x53, 0x91, 0x54, 0x31, 0x11, 0x0D, 0x3B, 0x50, 0x32, 0xEA, 0x11, + 0xA3, 0x3D, 0x77, 0x08, 0x9E, 0xBC, 0x06, 0x5C, 0x21, 0x48, 0x9D, 0x9B, 0x7C, 0x45, 0xFD, 0x4B, + 0xD7, 0x0C, 0x04, 0xD4, 0xE0, 0x0C, 0xB7, 0x6C, 0xBF, 0x22, 0xE1, 0x00, 0x99, 0x75, 0x39, 0x27, + 0x59, 0xA3, 0x66, 0x30, 0x64, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, + 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, + 0x08, 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x6D, 0x8B, 0x24, 0xBF, 0x20, 0x9D, 0x54, 0xAF, 0x04, 0x5B, + 0x84, 0x91, 0x96, 0xAE, 0x99, 0xC1, 0x23, 0x1C, 0x0E, 0xAC, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, + 0x0E, 0x04, 0x16, 0x04, 0x14, 0x63, 0x69, 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, 0xEA, 0x55, 0x95, + 0x54, 0x07, 0xC4, 0xC5, 0x2A, 0xD2, 0xA9, 0x2D, 0x2F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, + 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x81, 0x8A, 0x00, 0x30, 0x81, 0x86, 0x02, 0x41, 0x2A, 0xD4, + 0xFC, 0x35, 0x28, 0x73, 0x9F, 0xB3, 0x8A, 0xE3, 0x13, 0x7F, 0xCA, 0x36, 0x88, 0x1E, 0xD0, 0x95, + 0xDC, 0xE9, 0x8A, 0x9D, 0xC0, 0x27, 0x8C, 0xD8, 0x57, 0x57, 0x5F, 0xDC, 0x13, 0x53, 0x68, 0xED, + 0x2F, 0x4D, 0x6A, 0x77, 0xA2, 0x55, 0x48, 0xCB, 0x24, 0x55, 0x3A, 0x30, 0x32, 0xE5, 0x5C, 0xDF, + 0x96, 0xF1, 0x15, 0xD4, 0xE7, 0xCD, 0x6A, 0x26, 0xBD, 0x7B, 0x92, 0x50, 0x74, 0xE4, 0x56, 0x02, + 0x41, 0x46, 0x33, 0x61, 0x30, 0xFF, 0xA8, 0x53, 0x31, 0x38, 0xCA, 0x6B, 0x77, 0x88, 0x36, 0x9A, + 0x0B, 0x57, 0xC3, 0xD1, 0xB2, 0xA7, 0x40, 0x53, 0x6A, 0xD1, 0x6C, 0x8A, 0x8B, 0x3C, 0x29, 0xC1, + 0x2B, 0x82, 0x61, 0x2F, 0x1A, 0x9F, 0x2C, 0x9A, 0x81, 0xD0, 0x2B, 0x3E, 0x0D, 0x99, 0xB7, 0xD4, + 0x7E, 0xA7, 0xEA, 0x0C, 0x8E, 0x13, 0x0E, 0x53, 0x65, 0x48, 0x17, 0xE5, 0xFA, 0x91, 0x79, 0x98, + 0xC7, 0xA1, 0x30, 0x82, 0x02, 0xA1, 0x30, 0x82, 0x02, 0x47, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x10, 0x29, 0xBB, 0x52, 0x25, 0xED, 0x34, 0xB7, 0xBA, 0x40, 0xF8, 0xC3, 0x14, 0xB5, 0xC8, 0x86, + 0x9E, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x26, 0x31, + 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, + 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, + 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x37, 0x32, 0x37, 0x32, + 0x30, 0x33, 0x34, 0x31, 0x31, 0x5A, 0x17, 0x0D, 0x32, 0x33, 0x30, 0x37, 0x32, 0x37, 0x32, 0x30, + 0x34, 0x34, 0x31, 0x31, 0x5A, 0x30, 0x3A, 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x2F, 0x54, 0x65, 0x73, 0x74, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x46, 0x69, 0x72, + 0x6D, 0x77, 0x61, 0x72, 0x65, 0x4C, 0x65, 0x61, 0x66, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x4D, + 0x75, 0x6C, 0x74, 0x69, 0x70, 0x6C, 0x65, 0x45, 0x4B, 0x55, 0x73, 0x49, 0x6E, 0x43, 0x65, 0x72, + 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xD0, 0x61, 0xA5, 0xCD, 0x49, 0x4B, 0x5C, 0x88, 0x89, 0x09, 0xCA, 0xE7, 0xEB, 0x58, + 0x91, 0x8F, 0x59, 0xBE, 0xE8, 0x16, 0xC0, 0xEF, 0x75, 0xE5, 0x18, 0x88, 0xE8, 0xCE, 0xFA, 0xD2, + 0xB0, 0x77, 0xC1, 0xD2, 0xF2, 0x9E, 0x65, 0xE8, 0xDB, 0x6B, 0x8C, 0x93, 0xE5, 0x39, 0x1D, 0xF9, + 0x37, 0x2A, 0x52, 0x7F, 0xC3, 0x93, 0xD7, 0x9F, 0x03, 0x83, 0xBC, 0x6E, 0xC6, 0x83, 0x64, 0x15, + 0x1A, 0x5C, 0x74, 0x41, 0x40, 0x21, 0xC9, 0x25, 0xF0, 0x14, 0xA3, 0x29, 0x97, 0x29, 0x8C, 0x5D, + 0xED, 0xE9, 0x8D, 0x66, 0xCC, 0xD1, 0xD1, 0xE0, 0x08, 0x52, 0xA5, 0x93, 0x07, 0xCB, 0xF8, 0x95, + 0x2C, 0x8D, 0x29, 0x84, 0x10, 0x5F, 0x57, 0x52, 0x10, 0x75, 0x35, 0x8A, 0x84, 0xE3, 0xAE, 0x10, + 0x57, 0x29, 0xE9, 0xEB, 0x6E, 0xD2, 0xC7, 0x6D, 0x35, 0x43, 0x67, 0x82, 0xE3, 0x98, 0x29, 0x9C, + 0x59, 0x77, 0xA0, 0x00, 0x27, 0xB2, 0x5D, 0xB9, 0x84, 0x31, 0x89, 0x2F, 0x77, 0xC5, 0xB9, 0x23, + 0xE0, 0x14, 0x94, 0x6F, 0x33, 0xD5, 0x3B, 0x58, 0xFB, 0xD6, 0xB6, 0xE5, 0xD4, 0x09, 0x3D, 0xB2, + 0xE7, 0x87, 0xC6, 0xEA, 0x73, 0x61, 0x6D, 0xDA, 0xFA, 0x95, 0x2B, 0x2B, 0x8A, 0xEC, 0x7E, 0x68, + 0x0F, 0x98, 0x16, 0x08, 0xFF, 0xB2, 0xC1, 0xBF, 0xAB, 0x3D, 0xB0, 0xC2, 0xD5, 0x16, 0xAE, 0x71, + 0x54, 0x48, 0xD1, 0x52, 0x72, 0xFD, 0x42, 0x09, 0x66, 0xAF, 0x50, 0xDE, 0x4C, 0x3C, 0x6A, 0xBC, + 0x1F, 0xC5, 0x0A, 0xA0, 0xC5, 0x9A, 0xF1, 0xB2, 0xB2, 0x3F, 0x14, 0xE1, 0x93, 0x07, 0xF0, 0x00, + 0x04, 0xEF, 0x16, 0x76, 0x18, 0x10, 0x65, 0x63, 0x42, 0x42, 0x12, 0xD0, 0x65, 0xF5, 0xA2, 0xCF, + 0x90, 0xBE, 0x65, 0x57, 0x25, 0x8C, 0xAC, 0x5E, 0x05, 0x31, 0x91, 0x9E, 0x4D, 0x18, 0xBC, 0x15, + 0x30, 0x7B, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x78, 0x30, 0x76, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x24, 0x06, 0x03, 0x55, + 0x1D, 0x25, 0x04, 0x1D, 0x30, 0x1B, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, + 0x09, 0x15, 0x01, 0x06, 0x0C, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x09, 0x15, 0x01, + 0x02, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x63, 0x69, + 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, 0xEA, 0x55, 0x95, 0x54, 0x07, 0xC4, 0xC5, 0x2A, 0xD2, 0xA9, + 0x2D, 0x2F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xC0, 0xDC, 0xCB, + 0x76, 0x52, 0x84, 0x91, 0xF5, 0x37, 0x0D, 0x85, 0xB6, 0x45, 0x23, 0xFA, 0xA0, 0xAD, 0xC1, 0x1D, + 0x92, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, + 0x30, 0x45, 0x02, 0x21, 0x00, 0xF4, 0xB0, 0x8A, 0x91, 0x96, 0x61, 0xDF, 0xC3, 0x54, 0xA5, 0xB3, + 0x1A, 0x3C, 0x28, 0x06, 0xC0, 0xA1, 0xF5, 0x72, 0xD1, 0x02, 0x5C, 0x69, 0xB6, 0x6C, 0xA8, 0xDC, + 0x6B, 0x78, 0xD9, 0x0C, 0x9A, 0x02, 0x20, 0x37, 0x2C, 0x61, 0x9E, 0x6E, 0x5F, 0xC6, 0xFA, 0x92, + 0x52, 0xB0, 0x4E, 0x52, 0xC7, 0xF1, 0xE9, 0x0F, 0xB6, 0xD5, 0x08, 0x10, 0x41, 0x3A, 0x61, 0xFD, + 0xC5, 0x70, 0x87, 0xBB, 0x49, 0x82, 0xEA, 0x31, 0x82, 0x01, 0x65, 0x30, 0x82, 0x01, 0x61, 0x02, + 0x01, 0x01, 0x30, 0x3A, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, + 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x02, 0x10, 0x29, 0xBB, + 0x52, 0x25, 0xED, 0x34, 0xB7, 0xBA, 0x40, 0xF8, 0xC3, 0x14, 0xB5, 0xC8, 0x86, 0x9E, 0x30, 0x0D, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0D, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, + 0xBB, 0x51, 0xDD, 0x8F, 0xB4, 0x99, 0x37, 0x13, 0x94, 0x6F, 0x09, 0x05, 0xBA, 0x5B, 0x8D, 0x86, + 0x9A, 0xB0, 0x51, 0xEB, 0x6B, 0x10, 0xD7, 0xD1, 0x95, 0x4A, 0x4D, 0x23, 0xA3, 0x37, 0x82, 0xDF, + 0x1F, 0x24, 0xE4, 0x62, 0x4F, 0xD4, 0x52, 0x73, 0xF8, 0x39, 0x2B, 0x46, 0xF4, 0x61, 0xCE, 0xF1, + 0x64, 0xD7, 0x60, 0xC9, 0xCC, 0xCA, 0x8D, 0x94, 0xA5, 0x67, 0x68, 0x2B, 0xE4, 0xB0, 0xD7, 0x64, + 0xC8, 0xF3, 0x9C, 0x98, 0x2C, 0x0A, 0x69, 0x56, 0xD6, 0x59, 0xDF, 0x4D, 0x38, 0xE7, 0xD4, 0x63, + 0x2B, 0x74, 0xA1, 0xA3, 0xF9, 0xE1, 0x1A, 0x12, 0x2B, 0x04, 0x46, 0x11, 0xA8, 0x26, 0x00, 0x15, + 0x4F, 0x14, 0x7F, 0xB1, 0xB4, 0x25, 0x0C, 0x87, 0xB0, 0x56, 0x8C, 0xBE, 0x0D, 0xFA, 0x66, 0x6F, + 0x8A, 0xCB, 0x0A, 0x88, 0x3B, 0xF6, 0x52, 0xCD, 0xBB, 0xA2, 0xA9, 0xAD, 0xAD, 0x09, 0x0D, 0xDA, + 0x79, 0x8A, 0xAE, 0xE5, 0x9D, 0xCE, 0x5C, 0x60, 0x99, 0x67, 0x26, 0xC4, 0xAF, 0xD4, 0x01, 0xB1, + 0x6D, 0xD1, 0x8C, 0x4D, 0x1D, 0xBD, 0xAB, 0x42, 0x2C, 0xF2, 0xD8, 0x07, 0x3F, 0xDC, 0x5E, 0x68, + 0x4C, 0xD9, 0xDB, 0xC0, 0x93, 0xBB, 0x8E, 0xA0, 0xA2, 0x09, 0x5F, 0x03, 0x58, 0x48, 0x54, 0xF6, + 0xF0, 0xDA, 0x7A, 0x7F, 0xC4, 0xD2, 0x9F, 0x64, 0xF5, 0x85, 0x86, 0x48, 0xDF, 0x7F, 0x86, 0x14, + 0x7C, 0x62, 0x77, 0x1D, 0x22, 0xE5, 0x34, 0x42, 0xE4, 0x49, 0x38, 0xB4, 0xE4, 0x22, 0xFB, 0x5F, + 0xB5, 0xEA, 0xBA, 0x90, 0x51, 0xC0, 0xC6, 0x94, 0x09, 0xE4, 0xB7, 0x15, 0x3F, 0x07, 0x23, 0xE8, + 0x46, 0x93, 0xA5, 0x7B, 0x7A, 0x91, 0xDA, 0x8E, 0x7C, 0xAF, 0xBD, 0x41, 0xB9, 0xDE, 0x85, 0x04, + 0xBC, 0x08, 0x6C, 0x08, 0x56, 0x16, 0xDB, 0xB5, 0xEE, 0x65, 0x76, 0xE9, 0x78, 0xD3, 0xDD, 0xD8, + +}; + +// +// This is the TestSignedWithProductId10001.bin.p7b in byte array format. +// It has two EKU's in it: (Product ID is 10001) +// "1.3.6.1.4.1.311.76.9.21.1" +// "1.3.6.1.4.1.311.76.9.21.1.10001" +// +CONST UINT8 TestSignedWithProductId10001[] = +{ + 0x30, 0x82, 0x06, 0x1E, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x04, 0x90, 0x30, 0x82, 0x01, 0xF5, 0x30, 0x82, 0x01, + 0x58, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x4D, 0x88, 0xBF, 0x04, 0xDF, 0x10, 0x57, 0xBA, + 0x43, 0x53, 0x6C, 0xFD, 0xA5, 0x90, 0xA7, 0x6F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x28, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x1D, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, + 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x52, 0x6F, 0x6F, 0x74, 0x30, 0x1E, + 0x17, 0x0D, 0x31, 0x38, 0x30, 0x31, 0x31, 0x36, 0x32, 0x33, 0x32, 0x31, 0x31, 0x33, 0x5A, 0x17, + 0x0D, 0x33, 0x38, 0x30, 0x31, 0x31, 0x36, 0x32, 0x33, 0x33, 0x31, 0x31, 0x33, 0x5A, 0x30, 0x26, + 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, + 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, + 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0x0E, 0x58, 0xA3, 0xDB, 0xD3, 0x9C, 0x21, 0xFC, 0x63, 0x6F, 0xBD, 0xB9, 0xA7, 0x8A, 0xB3, + 0xBF, 0x40, 0x87, 0x43, 0x06, 0x53, 0x91, 0x54, 0x31, 0x11, 0x0D, 0x3B, 0x50, 0x32, 0xEA, 0x11, + 0xA3, 0x3D, 0x77, 0x08, 0x9E, 0xBC, 0x06, 0x5C, 0x21, 0x48, 0x9D, 0x9B, 0x7C, 0x45, 0xFD, 0x4B, + 0xD7, 0x0C, 0x04, 0xD4, 0xE0, 0x0C, 0xB7, 0x6C, 0xBF, 0x22, 0xE1, 0x00, 0x99, 0x75, 0x39, 0x27, + 0x59, 0xA3, 0x66, 0x30, 0x64, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, + 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, + 0x08, 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x6D, 0x8B, 0x24, 0xBF, 0x20, 0x9D, 0x54, 0xAF, 0x04, 0x5B, + 0x84, 0x91, 0x96, 0xAE, 0x99, 0xC1, 0x23, 0x1C, 0x0E, 0xAC, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, + 0x0E, 0x04, 0x16, 0x04, 0x14, 0x63, 0x69, 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, 0xEA, 0x55, 0x95, + 0x54, 0x07, 0xC4, 0xC5, 0x2A, 0xD2, 0xA9, 0x2D, 0x2F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, + 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x81, 0x8A, 0x00, 0x30, 0x81, 0x86, 0x02, 0x41, 0x2A, 0xD4, + 0xFC, 0x35, 0x28, 0x73, 0x9F, 0xB3, 0x8A, 0xE3, 0x13, 0x7F, 0xCA, 0x36, 0x88, 0x1E, 0xD0, 0x95, + 0xDC, 0xE9, 0x8A, 0x9D, 0xC0, 0x27, 0x8C, 0xD8, 0x57, 0x57, 0x5F, 0xDC, 0x13, 0x53, 0x68, 0xED, + 0x2F, 0x4D, 0x6A, 0x77, 0xA2, 0x55, 0x48, 0xCB, 0x24, 0x55, 0x3A, 0x30, 0x32, 0xE5, 0x5C, 0xDF, + 0x96, 0xF1, 0x15, 0xD4, 0xE7, 0xCD, 0x6A, 0x26, 0xBD, 0x7B, 0x92, 0x50, 0x74, 0xE4, 0x56, 0x02, + 0x41, 0x46, 0x33, 0x61, 0x30, 0xFF, 0xA8, 0x53, 0x31, 0x38, 0xCA, 0x6B, 0x77, 0x88, 0x36, 0x9A, + 0x0B, 0x57, 0xC3, 0xD1, 0xB2, 0xA7, 0x40, 0x53, 0x6A, 0xD1, 0x6C, 0x8A, 0x8B, 0x3C, 0x29, 0xC1, + 0x2B, 0x82, 0x61, 0x2F, 0x1A, 0x9F, 0x2C, 0x9A, 0x81, 0xD0, 0x2B, 0x3E, 0x0D, 0x99, 0xB7, 0xD4, + 0x7E, 0xA7, 0xEA, 0x0C, 0x8E, 0x13, 0x0E, 0x53, 0x65, 0x48, 0x17, 0xE5, 0xFA, 0x91, 0x79, 0x98, + 0xC7, 0xA1, 0x30, 0x82, 0x02, 0x93, 0x30, 0x82, 0x02, 0x39, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x10, 0x1F, 0x65, 0xF1, 0x29, 0x3B, 0x89, 0x6A, 0xBF, 0x43, 0xAF, 0xC7, 0x30, 0x36, 0xD1, 0x0D, + 0x2B, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x26, 0x31, + 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, + 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, + 0x6E, 0x65, 0x72, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, 0x30, 0x32, 0x31, + 0x36, 0x34, 0x32, 0x32, 0x33, 0x5A, 0x17, 0x0D, 0x32, 0x33, 0x30, 0x38, 0x30, 0x32, 0x31, 0x36, + 0x35, 0x32, 0x32, 0x33, 0x5A, 0x30, 0x2B, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x20, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, + 0x67, 0x6E, 0x65, 0x72, 0x50, 0x72, 0x6F, 0x64, 0x75, 0x63, 0x74, 0x49, 0x44, 0x31, 0x30, 0x30, + 0x30, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, + 0x01, 0x01, 0x00, 0x8C, 0x26, 0x35, 0xBC, 0x18, 0x06, 0x44, 0x65, 0xF6, 0x55, 0x29, 0x78, 0x26, + 0xCA, 0x57, 0xD0, 0x4C, 0x31, 0x84, 0x5B, 0x64, 0xDE, 0x8E, 0x34, 0x84, 0x45, 0x12, 0xE8, 0x5A, + 0x86, 0x4B, 0x5A, 0x61, 0x4C, 0xD8, 0xE2, 0x7D, 0x3B, 0xBD, 0x25, 0x58, 0x30, 0x1D, 0x5E, 0x65, + 0x50, 0xC3, 0x07, 0xF2, 0x50, 0xE1, 0x48, 0x2A, 0xD9, 0x70, 0x5F, 0xF3, 0x2B, 0xF1, 0x1F, 0x21, + 0x06, 0x62, 0x81, 0xE9, 0x8E, 0xDA, 0xDC, 0x69, 0xA3, 0x6E, 0x2F, 0xD2, 0x3A, 0x79, 0x01, 0xAF, + 0xA1, 0x2A, 0x28, 0xDD, 0x32, 0x4E, 0xCE, 0x40, 0xB8, 0x41, 0xA4, 0x7D, 0x3D, 0x70, 0x3F, 0xC4, + 0xDA, 0x61, 0x18, 0xBF, 0xFC, 0xAB, 0x16, 0xE3, 0x65, 0x3F, 0x6D, 0x76, 0x37, 0xAD, 0x1F, 0x11, + 0x05, 0x0F, 0xC2, 0x56, 0xD1, 0x45, 0xBD, 0x25, 0xCC, 0x19, 0xC4, 0x2A, 0x03, 0xED, 0x3B, 0x05, + 0xA7, 0x87, 0x30, 0xE6, 0x84, 0x11, 0x88, 0xD0, 0x91, 0x4E, 0x52, 0xB5, 0x97, 0xDF, 0x57, 0xEF, + 0x5E, 0x72, 0x68, 0x49, 0x85, 0xC8, 0x7F, 0xA7, 0x5F, 0x7B, 0xE7, 0xCE, 0xA1, 0x53, 0xBA, 0xF8, + 0xA9, 0xDF, 0x8C, 0x8C, 0x72, 0xD2, 0xA9, 0x7A, 0xF5, 0x07, 0x4A, 0x75, 0x1A, 0x0F, 0x50, 0x9E, + 0xEA, 0x4C, 0xFC, 0xC7, 0x74, 0xE2, 0x4D, 0xD1, 0x01, 0xC4, 0xB6, 0xCA, 0xA5, 0xCC, 0x23, 0xFA, + 0xDE, 0xF2, 0x9C, 0x8B, 0xA6, 0x32, 0x8D, 0xED, 0x97, 0xCC, 0x50, 0xB0, 0xB6, 0x1C, 0x89, 0x64, + 0xFC, 0xD7, 0xD0, 0x19, 0x01, 0x50, 0xD9, 0xBC, 0x78, 0xB1, 0x76, 0x6D, 0x01, 0xF8, 0xEC, 0x68, + 0x97, 0x20, 0x32, 0xD0, 0x57, 0x76, 0x93, 0x73, 0xC9, 0x2B, 0x68, 0x9D, 0x5E, 0xE1, 0x70, 0xDD, + 0x6F, 0x3A, 0x09, 0x20, 0x63, 0xE9, 0xD9, 0x30, 0x05, 0x14, 0x4A, 0x76, 0xA7, 0x3E, 0x61, 0xCD, + 0x2F, 0x6D, 0xE3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x79, 0x30, 0x77, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x25, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x1E, 0x30, 0x1C, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x06, 0x0D, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x09, 0x15, + 0x01, 0xCE, 0x11, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, + 0x63, 0x69, 0x95, 0xE3, 0xDD, 0xF4, 0xF8, 0x42, 0xEA, 0x55, 0x95, 0x54, 0x07, 0xC4, 0xC5, 0x2A, + 0xD2, 0xA9, 0x2D, 0x2F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x09, + 0x10, 0xEE, 0x7B, 0xB0, 0x56, 0xB0, 0xCE, 0x42, 0x83, 0x84, 0x90, 0x70, 0xAF, 0x8D, 0x58, 0x1B, + 0x77, 0x43, 0x0E, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, + 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xEE, 0x2A, 0x00, 0x7E, 0xC6, 0x4E, 0x6F, 0x22, 0xCC, + 0x16, 0xEA, 0xAC, 0x90, 0x3D, 0xD7, 0x6E, 0xAA, 0xBF, 0x7E, 0xC7, 0x45, 0x3F, 0x36, 0x22, 0x81, + 0xC6, 0x38, 0xD3, 0x1E, 0xDF, 0x5F, 0x2C, 0x02, 0x20, 0x21, 0xEC, 0xCF, 0x78, 0x1D, 0xDB, 0x4F, + 0x50, 0xE8, 0xD6, 0x07, 0xB0, 0x6A, 0xE9, 0x1E, 0xBF, 0x9C, 0xE8, 0xB9, 0xF7, 0xC6, 0xEA, 0x04, + 0x7B, 0x5E, 0xD8, 0x67, 0xAB, 0xD2, 0xDE, 0x77, 0xB9, 0x31, 0x82, 0x01, 0x65, 0x30, 0x82, 0x01, + 0x61, 0x02, 0x01, 0x01, 0x30, 0x3A, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x1B, 0x53, 0x75, 0x72, 0x66, 0x61, 0x63, 0x65, 0x54, 0x65, 0x73, 0x74, 0x46, 0x69, + 0x72, 0x6D, 0x77, 0x61, 0x72, 0x65, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x43, 0x41, 0x02, 0x10, + 0x1F, 0x65, 0xF1, 0x29, 0x3B, 0x89, 0x6A, 0xBF, 0x43, 0xAF, 0xC7, 0x30, 0x36, 0xD1, 0x0D, 0x2B, + 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, + 0x01, 0x00, 0x1F, 0x7F, 0x30, 0xDC, 0xD4, 0x12, 0x9D, 0x0B, 0x71, 0x30, 0x69, 0x91, 0xCC, 0x8A, + 0xFB, 0xF6, 0x54, 0x14, 0x4C, 0x0B, 0x78, 0xCE, 0xD3, 0xC6, 0xCE, 0x3E, 0xAC, 0xCC, 0x0F, 0xCE, + 0x3A, 0xFC, 0x63, 0x96, 0xD2, 0x7B, 0xDB, 0xF7, 0xE7, 0x6D, 0x64, 0x52, 0x5C, 0x5D, 0x19, 0xBF, + 0xE3, 0x04, 0x71, 0x8A, 0xD1, 0x2A, 0xB6, 0x5A, 0x8C, 0xFC, 0xE2, 0x51, 0x27, 0x64, 0x9B, 0xA8, + 0x84, 0x69, 0x60, 0x4E, 0x56, 0x83, 0x91, 0x4F, 0xEB, 0x5A, 0xB7, 0x73, 0xE1, 0xAC, 0x24, 0xD2, + 0x60, 0xD8, 0x58, 0x21, 0x51, 0x7B, 0x87, 0x93, 0x5B, 0x5F, 0x91, 0x4B, 0x8C, 0xFE, 0xA5, 0x16, + 0x2E, 0x33, 0x4D, 0xBB, 0x0C, 0x95, 0x5C, 0xC3, 0x9C, 0x3D, 0xBB, 0x58, 0x17, 0x39, 0x1E, 0x10, + 0x47, 0xCD, 0xEE, 0xD3, 0xE7, 0x73, 0x44, 0x7D, 0x35, 0xD9, 0x9F, 0xC3, 0xAC, 0x11, 0x2E, 0x29, + 0x54, 0x80, 0x8F, 0x19, 0xDC, 0xC3, 0x11, 0x3D, 0x75, 0xF0, 0x3B, 0x34, 0x63, 0xB1, 0x59, 0x1D, + 0x4B, 0x66, 0xBE, 0xB8, 0xAC, 0x36, 0x71, 0x63, 0xD4, 0x41, 0xCF, 0x24, 0x2A, 0x3F, 0xC5, 0x25, + 0xD2, 0x45, 0x9B, 0xD3, 0x77, 0xD8, 0xD8, 0x1A, 0xC6, 0xAE, 0xE3, 0xF5, 0xC5, 0xEB, 0xF3, 0x92, + 0x27, 0x3C, 0x3F, 0x48, 0x96, 0xF2, 0xB4, 0x66, 0x0A, 0xFB, 0xBF, 0x76, 0xDC, 0x1E, 0xC5, 0xC6, + 0x4D, 0xA1, 0x5C, 0x13, 0x22, 0xF8, 0x89, 0xE2, 0x15, 0x43, 0x84, 0xEF, 0xC8, 0x30, 0xE5, 0xF0, + 0xBA, 0x51, 0x96, 0x3E, 0xF9, 0xCB, 0x41, 0xE6, 0x36, 0xD4, 0xE3, 0xDA, 0x71, 0xC8, 0x5E, 0x43, + 0x7A, 0xBE, 0x8E, 0xC0, 0xA5, 0xEF, 0x66, 0xFD, 0x63, 0xD3, 0xF1, 0xBF, 0x66, 0x4F, 0x35, 0x24, + 0x66, 0xC9, 0xCD, 0x1E, 0x3D, 0x71, 0x19, 0x84, 0x1A, 0x9D, 0xA5, 0x56, 0xF4, 0xF9, 0xE0, 0x88, + 0x7C, 0x52, +}; + +// +// This is TestSignEKUsWith1CertInSignature.bin.p7b in byte array format. +// It has one EKU in it: +// "1.3.6.1.4.1.311.76.9.21.1" +// +CONST UINT8 TestSignEKUsWith1CertInSignature[] = +{ + 0x30, 0x82, 0x02, 0x7D, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x01, 0xB2, 0x30, 0x82, 0x01, 0xAE, 0x30, 0x82, 0x01, + 0x53, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x3E, 0xEE, 0x4B, 0xFB, 0x00, 0x35, 0xC8, 0x96, + 0x41, 0xF4, 0xF6, 0x57, 0x16, 0xAD, 0x20, 0xCB, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, + 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x33, 0x35, 0x35, 0x30, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x31, + 0x35, 0x31, 0x37, 0x34, 0x35, 0x35, 0x30, 0x5A, 0x30, 0x23, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x18, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, + 0x69, 0x6E, 0x67, 0x4C, 0x65, 0x61, 0x66, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x30, 0x59, 0x30, + 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xF6, 0xEA, 0x5E, 0x14, 0x20, 0x6D, 0x11, 0xC0, + 0xFD, 0xF9, 0xB9, 0xB5, 0x8F, 0xBB, 0x3E, 0x8B, 0xE8, 0x21, 0x21, 0x3A, 0xC2, 0xBA, 0x37, 0x24, + 0x61, 0x14, 0x7E, 0xA8, 0x86, 0x0A, 0x5C, 0xD3, 0x5F, 0xA8, 0xDC, 0x3A, 0x06, 0x30, 0x53, 0xFC, + 0x85, 0xBC, 0x60, 0x5C, 0x28, 0x07, 0xCA, 0x12, 0x40, 0xE8, 0x97, 0x6A, 0x63, 0x30, 0xF7, 0x37, + 0x25, 0x76, 0x4D, 0xA9, 0x1A, 0x8C, 0x36, 0xAA, 0xA3, 0x6A, 0x30, 0x68, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, 0x3C, 0x3E, 0x9C, + 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, + 0xE8, 0x47, 0x05, 0xA2, 0x59, 0xE9, 0x89, 0x81, 0xF4, 0xC8, 0x0D, 0x4C, 0x0A, 0xD3, 0xD4, 0xDE, + 0x9F, 0xA6, 0xC7, 0x79, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, + 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8C, 0x39, 0xC6, 0x6C, 0xD6, 0x8F, 0x20, 0xA5, + 0x85, 0x97, 0x27, 0xF9, 0xB5, 0x26, 0xA2, 0xAB, 0xEC, 0x2E, 0x1B, 0x6F, 0x6F, 0x79, 0x9F, 0x8D, + 0xCE, 0x9D, 0x12, 0x23, 0x5F, 0x04, 0xFA, 0xBE, 0x02, 0x21, 0x00, 0xC5, 0xD8, 0x49, 0xD1, 0x40, + 0xE3, 0x2C, 0xDF, 0xC3, 0xD4, 0x11, 0xF9, 0x5E, 0x10, 0x8A, 0x3C, 0x4E, 0xA0, 0xD6, 0x6B, 0x8C, + 0x0E, 0x7B, 0xF1, 0x2B, 0x20, 0x9C, 0x68, 0x53, 0x43, 0x4B, 0x35, 0x31, 0x81, 0xA3, 0x30, 0x81, + 0xA0, 0x02, 0x01, 0x01, 0x30, 0x36, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, + 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x02, 0x10, 0x3E, 0xEE, 0x4B, 0xFB, + 0x00, 0x35, 0xC8, 0x96, 0x41, 0xF4, 0xF6, 0x57, 0x16, 0xAD, 0x20, 0xCB, 0x30, 0x0D, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x07, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x05, 0x00, 0x04, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xB8, + 0xCC, 0x0F, 0xD2, 0x50, 0x47, 0x3A, 0x11, 0x8D, 0xAE, 0x6C, 0xE9, 0x03, 0x64, 0xA7, 0x44, 0xE6, + 0x0F, 0xF8, 0x6F, 0x7E, 0xE7, 0x61, 0x25, 0x8C, 0x67, 0xE8, 0xC2, 0xD6, 0x33, 0x91, 0x62, 0x02, + 0x20, 0x78, 0xF8, 0x94, 0x0F, 0x46, 0xD2, 0xE2, 0x2B, 0x33, 0xAF, 0xBD, 0x38, 0xA4, 0x43, 0xA6, + 0x6F, 0x8A, 0xBE, 0x26, 0xDC, 0xD0, 0x82, 0x01, 0x3D, 0x00, 0xF3, 0xC2, 0x07, 0x8A, 0xE8, 0xFD, + 0x18, +}; + +// +// This is TestSignEKUsWith2CertsInSignature.bin.p7b in byte array format. +// It has one EKU in it: +// "1.3.6.1.4.1.311.76.9.21.1" +// +CONST UINT8 TestSignEKUsWith2CertsInSignature[] = +{ + 0x30, 0x82, 0x04, 0x61, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x03, 0x96, 0x30, 0x82, 0x01, 0xAE, 0x30, 0x82, 0x01, + 0x53, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x3E, 0xEE, 0x4B, 0xFB, 0x00, 0x35, 0xC8, 0x96, + 0x41, 0xF4, 0xF6, 0x57, 0x16, 0xAD, 0x20, 0xCB, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, + 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x33, 0x35, 0x35, 0x30, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x31, + 0x35, 0x31, 0x37, 0x34, 0x35, 0x35, 0x30, 0x5A, 0x30, 0x23, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x18, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, + 0x69, 0x6E, 0x67, 0x4C, 0x65, 0x61, 0x66, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x30, 0x59, 0x30, + 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xF6, 0xEA, 0x5E, 0x14, 0x20, 0x6D, 0x11, 0xC0, + 0xFD, 0xF9, 0xB9, 0xB5, 0x8F, 0xBB, 0x3E, 0x8B, 0xE8, 0x21, 0x21, 0x3A, 0xC2, 0xBA, 0x37, 0x24, + 0x61, 0x14, 0x7E, 0xA8, 0x86, 0x0A, 0x5C, 0xD3, 0x5F, 0xA8, 0xDC, 0x3A, 0x06, 0x30, 0x53, 0xFC, + 0x85, 0xBC, 0x60, 0x5C, 0x28, 0x07, 0xCA, 0x12, 0x40, 0xE8, 0x97, 0x6A, 0x63, 0x30, 0xF7, 0x37, + 0x25, 0x76, 0x4D, 0xA9, 0x1A, 0x8C, 0x36, 0xAA, 0xA3, 0x6A, 0x30, 0x68, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, 0x3C, 0x3E, 0x9C, + 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, + 0xE8, 0x47, 0x05, 0xA2, 0x59, 0xE9, 0x89, 0x81, 0xF4, 0xC8, 0x0D, 0x4C, 0x0A, 0xD3, 0xD4, 0xDE, + 0x9F, 0xA6, 0xC7, 0x79, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, + 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8C, 0x39, 0xC6, 0x6C, 0xD6, 0x8F, 0x20, 0xA5, + 0x85, 0x97, 0x27, 0xF9, 0xB5, 0x26, 0xA2, 0xAB, 0xEC, 0x2E, 0x1B, 0x6F, 0x6F, 0x79, 0x9F, 0x8D, + 0xCE, 0x9D, 0x12, 0x23, 0x5F, 0x04, 0xFA, 0xBE, 0x02, 0x21, 0x00, 0xC5, 0xD8, 0x49, 0xD1, 0x40, + 0xE3, 0x2C, 0xDF, 0xC3, 0xD4, 0x11, 0xF9, 0x5E, 0x10, 0x8A, 0x3C, 0x4E, 0xA0, 0xD6, 0x6B, 0x8C, + 0x0E, 0x7B, 0xF1, 0x2B, 0x20, 0x9C, 0x68, 0x53, 0x43, 0x4B, 0x35, 0x30, 0x82, 0x01, 0xE0, 0x30, + 0x82, 0x01, 0x65, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x79, 0x28, 0x1A, 0xE8, 0x7F, 0x21, + 0x4F, 0xBB, 0x47, 0x2F, 0x74, 0x75, 0xE6, 0x98, 0x60, 0xD6, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x21, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x16, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, + 0x67, 0x50, 0x6F, 0x6C, 0x69, 0x63, 0x79, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, + 0x38, 0x31, 0x35, 0x31, 0x37, 0x33, 0x32, 0x35, 0x34, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x34, 0x32, 0x35, 0x34, 0x5A, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, + 0x73, 0x69, 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x59, 0x30, + 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x66, 0x41, 0xE6, 0x86, 0x7D, 0x5B, 0x96, 0x6C, + 0x99, 0x2A, 0x82, 0x53, 0x58, 0xA3, 0x6F, 0x59, 0xFC, 0x1C, 0x9F, 0xEB, 0xBE, 0x9D, 0x53, 0xBA, + 0x50, 0x0F, 0x66, 0xBC, 0xE5, 0x90, 0x7E, 0xAA, 0xA2, 0x6C, 0xC2, 0xC9, 0xAA, 0x99, 0x0B, 0x04, + 0xA0, 0x6A, 0xB4, 0xC1, 0xF7, 0x55, 0x60, 0x58, 0xE3, 0xDE, 0x22, 0x57, 0xB1, 0x8A, 0x5C, 0xBC, + 0xDF, 0x22, 0x8A, 0x2B, 0x04, 0x7D, 0x7A, 0x6C, 0xA3, 0x7E, 0x30, 0x7C, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x08, + 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0x0B, 0x8A, 0xC7, 0xA8, 0x53, 0x07, 0x40, 0x74, 0x75, 0x0F, 0x85, + 0xCE, 0x5D, 0x5C, 0xC2, 0x23, 0x32, 0xC0, 0xFC, 0xC9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, + 0x04, 0x16, 0x04, 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, + 0x3C, 0x3E, 0x9C, 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x03, 0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xEE, 0x78, 0xDB, 0x74, + 0x56, 0xA3, 0xC2, 0x44, 0x25, 0x0F, 0xA1, 0x89, 0xC0, 0x76, 0xD1, 0xE4, 0xFE, 0xAA, 0xA4, 0xC3, + 0x7D, 0x40, 0xE3, 0x28, 0x1B, 0x0D, 0xAB, 0x32, 0x6B, 0x9A, 0x60, 0x37, 0x2F, 0xB6, 0xF4, 0xCB, + 0xEA, 0xC8, 0x65, 0xB6, 0xDC, 0x24, 0x90, 0x10, 0xFB, 0xD2, 0x42, 0x05, 0x02, 0x31, 0x00, 0x9E, + 0x91, 0xF9, 0x96, 0x8A, 0x41, 0x2C, 0x5E, 0x6B, 0xBC, 0x36, 0x05, 0x3B, 0x50, 0x11, 0x91, 0x9A, + 0xFA, 0x6B, 0x7F, 0x01, 0xF4, 0x6A, 0x7E, 0xCD, 0x98, 0x7E, 0x7D, 0xFD, 0xA8, 0xE3, 0xB2, 0x4F, + 0x71, 0x91, 0xF5, 0xE0, 0x82, 0xA5, 0xE7, 0x5A, 0xE8, 0x19, 0x09, 0xF6, 0x22, 0xBE, 0xC4, 0x31, + 0x81, 0xA3, 0x30, 0x81, 0xA0, 0x02, 0x01, 0x01, 0x30, 0x36, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, + 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x02, 0x10, + 0x3E, 0xEE, 0x4B, 0xFB, 0x00, 0x35, 0xC8, 0x96, 0x41, 0xF4, 0xF6, 0x57, 0x16, 0xAD, 0x20, 0xCB, + 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0B, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x05, 0x00, 0x04, 0x47, 0x30, 0x45, + 0x02, 0x20, 0x4A, 0xFD, 0xAE, 0xDD, 0x5D, 0xC5, 0x86, 0x48, 0xDC, 0xC1, 0xC3, 0xA7, 0xE6, 0x4E, + 0x7F, 0x8B, 0x7B, 0xAB, 0x2C, 0x60, 0xDD, 0x79, 0x4C, 0xF2, 0x45, 0xED, 0x7A, 0xA5, 0x24, 0xE6, + 0x0E, 0x60, 0x02, 0x21, 0x00, 0xAD, 0xCA, 0x3C, 0x29, 0x2F, 0xF9, 0xB1, 0x8E, 0x58, 0x29, 0x3F, + 0x97, 0x20, 0x03, 0x6A, 0x14, 0xDA, 0x83, 0x4A, 0x8F, 0x3E, 0x95, 0x37, 0xC3, 0xF0, 0x12, 0x2A, + 0x7B, 0x24, 0x59, 0x69, 0x27, +}; + +// +// This is TestSignEKUsWith3CertsInSignature.bin.p7b +// It has one EKU in it: +// "1.3.6.1.4.1.311.76.9.21.1" +// +const UINT8 TestSignEKUsWith3CertsInSignature[] = +{ + 0x30, 0x82, 0x06, 0x65, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x05, 0x9B, 0x30, 0x82, 0x01, 0xAE, 0x30, 0x82, 0x01, + 0x53, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x3E, 0xEE, 0x4B, 0xFB, 0x00, 0x35, 0xC8, 0x96, + 0x41, 0xF4, 0xF6, 0x57, 0x16, 0xAD, 0x20, 0xCB, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, + 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x33, 0x35, 0x35, 0x30, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x31, + 0x35, 0x31, 0x37, 0x34, 0x35, 0x35, 0x30, 0x5A, 0x30, 0x23, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x18, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, + 0x69, 0x6E, 0x67, 0x4C, 0x65, 0x61, 0x66, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x30, 0x59, 0x30, + 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xF6, 0xEA, 0x5E, 0x14, 0x20, 0x6D, 0x11, 0xC0, + 0xFD, 0xF9, 0xB9, 0xB5, 0x8F, 0xBB, 0x3E, 0x8B, 0xE8, 0x21, 0x21, 0x3A, 0xC2, 0xBA, 0x37, 0x24, + 0x61, 0x14, 0x7E, 0xA8, 0x86, 0x0A, 0x5C, 0xD3, 0x5F, 0xA8, 0xDC, 0x3A, 0x06, 0x30, 0x53, 0xFC, + 0x85, 0xBC, 0x60, 0x5C, 0x28, 0x07, 0xCA, 0x12, 0x40, 0xE8, 0x97, 0x6A, 0x63, 0x30, 0xF7, 0x37, + 0x25, 0x76, 0x4D, 0xA9, 0x1A, 0x8C, 0x36, 0xAA, 0xA3, 0x6A, 0x30, 0x68, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, 0x3C, 0x3E, 0x9C, + 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, + 0xE8, 0x47, 0x05, 0xA2, 0x59, 0xE9, 0x89, 0x81, 0xF4, 0xC8, 0x0D, 0x4C, 0x0A, 0xD3, 0xD4, 0xDE, + 0x9F, 0xA6, 0xC7, 0x79, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, + 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8C, 0x39, 0xC6, 0x6C, 0xD6, 0x8F, 0x20, 0xA5, + 0x85, 0x97, 0x27, 0xF9, 0xB5, 0x26, 0xA2, 0xAB, 0xEC, 0x2E, 0x1B, 0x6F, 0x6F, 0x79, 0x9F, 0x8D, + 0xCE, 0x9D, 0x12, 0x23, 0x5F, 0x04, 0xFA, 0xBE, 0x02, 0x21, 0x00, 0xC5, 0xD8, 0x49, 0xD1, 0x40, + 0xE3, 0x2C, 0xDF, 0xC3, 0xD4, 0x11, 0xF9, 0x5E, 0x10, 0x8A, 0x3C, 0x4E, 0xA0, 0xD6, 0x6B, 0x8C, + 0x0E, 0x7B, 0xF1, 0x2B, 0x20, 0x9C, 0x68, 0x53, 0x43, 0x4B, 0x35, 0x30, 0x82, 0x01, 0xE0, 0x30, + 0x82, 0x01, 0x65, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x79, 0x28, 0x1A, 0xE8, 0x7F, 0x21, + 0x4F, 0xBB, 0x47, 0x2F, 0x74, 0x75, 0xE6, 0x98, 0x60, 0xD6, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x21, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x16, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, + 0x67, 0x50, 0x6F, 0x6C, 0x69, 0x63, 0x79, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, + 0x38, 0x31, 0x35, 0x31, 0x37, 0x33, 0x32, 0x35, 0x34, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x34, 0x32, 0x35, 0x34, 0x5A, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, + 0x73, 0x69, 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x59, 0x30, + 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x66, 0x41, 0xE6, 0x86, 0x7D, 0x5B, 0x96, 0x6C, + 0x99, 0x2A, 0x82, 0x53, 0x58, 0xA3, 0x6F, 0x59, 0xFC, 0x1C, 0x9F, 0xEB, 0xBE, 0x9D, 0x53, 0xBA, + 0x50, 0x0F, 0x66, 0xBC, 0xE5, 0x90, 0x7E, 0xAA, 0xA2, 0x6C, 0xC2, 0xC9, 0xAA, 0x99, 0x0B, 0x04, + 0xA0, 0x6A, 0xB4, 0xC1, 0xF7, 0x55, 0x60, 0x58, 0xE3, 0xDE, 0x22, 0x57, 0xB1, 0x8A, 0x5C, 0xBC, + 0xDF, 0x22, 0x8A, 0x2B, 0x04, 0x7D, 0x7A, 0x6C, 0xA3, 0x7E, 0x30, 0x7C, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x1D, 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, + 0x4C, 0x09, 0x15, 0x01, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x08, + 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0x0B, 0x8A, 0xC7, 0xA8, 0x53, 0x07, 0x40, 0x74, 0x75, 0x0F, 0x85, + 0xCE, 0x5D, 0x5C, 0xC2, 0x23, 0x32, 0xC0, 0xFC, 0xC9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, + 0x04, 0x16, 0x04, 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, + 0x3C, 0x3E, 0x9C, 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x03, 0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xEE, 0x78, 0xDB, 0x74, + 0x56, 0xA3, 0xC2, 0x44, 0x25, 0x0F, 0xA1, 0x89, 0xC0, 0x76, 0xD1, 0xE4, 0xFE, 0xAA, 0xA4, 0xC3, + 0x7D, 0x40, 0xE3, 0x28, 0x1B, 0x0D, 0xAB, 0x32, 0x6B, 0x9A, 0x60, 0x37, 0x2F, 0xB6, 0xF4, 0xCB, + 0xEA, 0xC8, 0x65, 0xB6, 0xDC, 0x24, 0x90, 0x10, 0xFB, 0xD2, 0x42, 0x05, 0x02, 0x31, 0x00, 0x9E, + 0x91, 0xF9, 0x96, 0x8A, 0x41, 0x2C, 0x5E, 0x6B, 0xBC, 0x36, 0x05, 0x3B, 0x50, 0x11, 0x91, 0x9A, + 0xFA, 0x6B, 0x7F, 0x01, 0xF4, 0x6A, 0x7E, 0xCD, 0x98, 0x7E, 0x7D, 0xFD, 0xA8, 0xE3, 0xB2, 0x4F, + 0x71, 0x91, 0xF5, 0xE0, 0x82, 0xA5, 0xE7, 0x5A, 0xE8, 0x19, 0x09, 0xF6, 0x22, 0xBE, 0xC4, 0x30, + 0x82, 0x02, 0x01, 0x30, 0x82, 0x01, 0x62, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x41, 0x02, + 0xBA, 0xF9, 0x87, 0x65, 0x6C, 0xB8, 0x4C, 0xD9, 0xA1, 0x04, 0x1C, 0x46, 0x4F, 0xE4, 0x30, 0x0A, + 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x1D, 0x31, 0x1B, 0x30, 0x19, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x12, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, + 0x72, 0x73, 0x69, 0x6E, 0x67, 0x52, 0x6F, 0x6F, 0x74, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, + 0x38, 0x31, 0x35, 0x31, 0x37, 0x32, 0x39, 0x32, 0x39, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, + 0x31, 0x35, 0x31, 0x37, 0x33, 0x39, 0x32, 0x39, 0x5A, 0x30, 0x21, 0x31, 0x1F, 0x30, 0x1D, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0C, 0x16, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, + 0x73, 0x69, 0x6E, 0x67, 0x50, 0x6F, 0x6C, 0x69, 0x63, 0x79, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, + 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, + 0x03, 0x62, 0x00, 0x04, 0xF9, 0xDC, 0xB9, 0x3F, 0xA8, 0xB5, 0x2B, 0x2E, 0xA7, 0xFC, 0x88, 0xC6, + 0xEF, 0x9C, 0x36, 0x61, 0x3E, 0xFF, 0x8A, 0x5A, 0x52, 0xFF, 0x5A, 0xD0, 0x2C, 0x08, 0xD6, 0x73, + 0x12, 0xF9, 0x62, 0x1E, 0x73, 0x76, 0x83, 0x49, 0xC8, 0xDE, 0xEB, 0x29, 0xA4, 0x78, 0x2A, 0xC1, + 0x30, 0x11, 0x0B, 0x2F, 0x38, 0x00, 0xB7, 0x6B, 0x6B, 0x8E, 0x8C, 0x4B, 0x33, 0x09, 0xF1, 0xEA, + 0xA4, 0x9E, 0x10, 0x4F, 0xC3, 0xBC, 0x30, 0x16, 0x1A, 0x8B, 0xD7, 0x9C, 0x14, 0x11, 0x4E, 0x56, + 0x64, 0x7E, 0x51, 0xE7, 0xDA, 0x26, 0x40, 0xB0, 0xD0, 0xF8, 0xF2, 0xB2, 0x5D, 0x8C, 0x8B, 0x49, + 0x0C, 0x4E, 0x58, 0xB0, 0xA3, 0x63, 0x30, 0x61, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, + 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, + 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x04, 0xA6, 0xCD, 0x4D, 0xAE, 0x9C, 0x17, 0xDB, 0xC8, 0x13, + 0x57, 0x2D, 0x72, 0x48, 0xAC, 0xBB, 0x6B, 0x1F, 0xFF, 0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, + 0x0E, 0x04, 0x16, 0x04, 0x14, 0x0B, 0x8A, 0xC7, 0xA8, 0x53, 0x07, 0x40, 0x74, 0x75, 0x0F, 0x85, + 0xCE, 0x5D, 0x5C, 0xC2, 0x23, 0x32, 0xC0, 0xFC, 0xC9, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, + 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x81, 0x8C, 0x00, 0x30, 0x81, 0x88, 0x02, 0x42, 0x01, 0xB4, + 0x75, 0x0B, 0x2F, 0x2A, 0xAA, 0x77, 0x03, 0x08, 0xD9, 0x95, 0x13, 0x2C, 0xE8, 0x47, 0x69, 0x97, + 0xD1, 0x6B, 0xE0, 0x23, 0x94, 0xD5, 0x34, 0x8F, 0x80, 0x20, 0xE3, 0x72, 0x07, 0x7C, 0x6A, 0x52, + 0xE6, 0xF2, 0xC7, 0x85, 0xBD, 0xB6, 0x65, 0x8F, 0x61, 0x73, 0xF9, 0xE7, 0x3A, 0x31, 0x46, 0xC6, + 0xF2, 0xCE, 0xA7, 0x9E, 0xD0, 0xE2, 0xEF, 0x07, 0x59, 0xD0, 0xF1, 0xC4, 0xF6, 0x58, 0x9A, 0x16, + 0x02, 0x42, 0x00, 0x86, 0xE0, 0x25, 0xC1, 0x48, 0xD0, 0x33, 0x30, 0x55, 0xA8, 0x60, 0x44, 0xCA, + 0x47, 0x04, 0x93, 0x46, 0x81, 0xE9, 0x13, 0xE9, 0x67, 0x26, 0x23, 0x2A, 0xBD, 0xEF, 0xC4, 0xCC, + 0x12, 0x99, 0xB3, 0x9E, 0x3D, 0x78, 0xC8, 0x42, 0x06, 0x40, 0x48, 0xCA, 0x3D, 0xCC, 0xD7, 0xA2, + 0x35, 0x37, 0x76, 0x12, 0xDB, 0x9C, 0x90, 0xA4, 0xE4, 0x16, 0xAC, 0x5E, 0xD8, 0x04, 0xF1, 0x59, + 0x66, 0x85, 0xE2, 0x68, 0x31, 0x81, 0xA2, 0x30, 0x81, 0x9F, 0x02, 0x01, 0x01, 0x30, 0x36, 0x30, + 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, + 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, + 0x67, 0x43, 0x41, 0x02, 0x10, 0x3E, 0xEE, 0x4B, 0xFB, 0x00, 0x35, 0xC8, 0x96, 0x41, 0xF4, 0xF6, + 0x57, 0x16, 0xAD, 0x20, 0xCB, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, + 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x05, + 0x00, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x52, 0x90, 0x02, 0x9E, 0xE8, 0xBF, 0xE8, 0x7E, 0x05, + 0x3B, 0xA3, 0x93, 0xDD, 0x6C, 0x35, 0x31, 0xA3, 0x29, 0x4F, 0x9A, 0x78, 0xEF, 0xD1, 0xAD, 0x07, + 0x37, 0x2D, 0x9A, 0x81, 0xFD, 0x7D, 0xFC, 0x02, 0x20, 0x4C, 0x8A, 0xA4, 0xBD, 0x63, 0x7B, 0x8A, + 0x2C, 0x9E, 0xFC, 0x2A, 0x0F, 0x91, 0xF4, 0x97, 0xB5, 0x3B, 0xC9, 0xD1, 0xCA, 0xEB, 0x02, 0x6A, + 0xB6, 0xFF, 0xE1, 0x15, 0xF5, 0xA2, 0x11, 0xF4, 0xD9, +}; + +// +// This signature was signed with a leaf that has no EKU's present in the certificate. +// +CONST UINT8 TestSignatureWithNoEKUsPresent[] = +{ + 0x30, 0x82, 0x07, 0xDB, 0x02, 0x01, 0x01, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, + 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x06, 0x51, 0x30, 0x82, 0x01, 0xE0, 0x30, 0x82, 0x01, + 0x65, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x79, 0x28, 0x1A, 0xE8, 0x7F, 0x21, 0x4F, 0xBB, + 0x47, 0x2F, 0x74, 0x75, 0xE6, 0x98, 0x60, 0xD6, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x04, 0x03, 0x02, 0x30, 0x21, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x16, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x50, + 0x6F, 0x6C, 0x69, 0x63, 0x79, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, 0x31, + 0x35, 0x31, 0x37, 0x33, 0x32, 0x35, 0x34, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x31, 0x35, + 0x31, 0x37, 0x34, 0x32, 0x35, 0x34, 0x5A, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, + 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x30, 0x59, 0x30, 0x13, 0x06, + 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, + 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x66, 0x41, 0xE6, 0x86, 0x7D, 0x5B, 0x96, 0x6C, 0x99, 0x2A, + 0x82, 0x53, 0x58, 0xA3, 0x6F, 0x59, 0xFC, 0x1C, 0x9F, 0xEB, 0xBE, 0x9D, 0x53, 0xBA, 0x50, 0x0F, + 0x66, 0xBC, 0xE5, 0x90, 0x7E, 0xAA, 0xA2, 0x6C, 0xC2, 0xC9, 0xAA, 0x99, 0x0B, 0x04, 0xA0, 0x6A, + 0xB4, 0xC1, 0xF7, 0x55, 0x60, 0x58, 0xE3, 0xDE, 0x22, 0x57, 0xB1, 0x8A, 0x5C, 0xBC, 0xDF, 0x22, + 0x8A, 0x2B, 0x04, 0x7D, 0x7A, 0x6C, 0xA3, 0x7E, 0x30, 0x7C, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, + 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1D, + 0x25, 0x04, 0x0F, 0x30, 0x0D, 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x09, + 0x15, 0x01, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x08, 0x30, 0x06, + 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x0B, 0x8A, 0xC7, 0xA8, 0x53, 0x07, 0x40, 0x74, 0x75, 0x0F, 0x85, 0xCE, 0x5D, + 0x5C, 0xC2, 0x23, 0x32, 0xC0, 0xFC, 0xC9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, + 0x04, 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, 0x3C, 0x3E, + 0x9C, 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, + 0x03, 0x02, 0x03, 0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xEE, 0x78, 0xDB, 0x74, 0x56, 0xA3, + 0xC2, 0x44, 0x25, 0x0F, 0xA1, 0x89, 0xC0, 0x76, 0xD1, 0xE4, 0xFE, 0xAA, 0xA4, 0xC3, 0x7D, 0x40, + 0xE3, 0x28, 0x1B, 0x0D, 0xAB, 0x32, 0x6B, 0x9A, 0x60, 0x37, 0x2F, 0xB6, 0xF4, 0xCB, 0xEA, 0xC8, + 0x65, 0xB6, 0xDC, 0x24, 0x90, 0x10, 0xFB, 0xD2, 0x42, 0x05, 0x02, 0x31, 0x00, 0x9E, 0x91, 0xF9, + 0x96, 0x8A, 0x41, 0x2C, 0x5E, 0x6B, 0xBC, 0x36, 0x05, 0x3B, 0x50, 0x11, 0x91, 0x9A, 0xFA, 0x6B, + 0x7F, 0x01, 0xF4, 0x6A, 0x7E, 0xCD, 0x98, 0x7E, 0x7D, 0xFD, 0xA8, 0xE3, 0xB2, 0x4F, 0x71, 0x91, + 0xF5, 0xE0, 0x82, 0xA5, 0xE7, 0x5A, 0xE8, 0x19, 0x09, 0xF6, 0x22, 0xBE, 0xC4, 0x30, 0x82, 0x02, + 0x01, 0x30, 0x82, 0x01, 0x62, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x41, 0x02, 0xBA, 0xF9, + 0x87, 0x65, 0x6C, 0xB8, 0x4C, 0xD9, 0xA1, 0x04, 0x1C, 0x46, 0x4F, 0xE4, 0x30, 0x0A, 0x06, 0x08, + 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x1D, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x12, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, + 0x69, 0x6E, 0x67, 0x52, 0x6F, 0x6F, 0x74, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, 0x31, + 0x35, 0x31, 0x37, 0x32, 0x39, 0x32, 0x39, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x31, 0x35, + 0x31, 0x37, 0x33, 0x39, 0x32, 0x39, 0x5A, 0x30, 0x21, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0C, 0x16, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, + 0x6E, 0x67, 0x50, 0x6F, 0x6C, 0x69, 0x63, 0x79, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, + 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, + 0x00, 0x04, 0xF9, 0xDC, 0xB9, 0x3F, 0xA8, 0xB5, 0x2B, 0x2E, 0xA7, 0xFC, 0x88, 0xC6, 0xEF, 0x9C, + 0x36, 0x61, 0x3E, 0xFF, 0x8A, 0x5A, 0x52, 0xFF, 0x5A, 0xD0, 0x2C, 0x08, 0xD6, 0x73, 0x12, 0xF9, + 0x62, 0x1E, 0x73, 0x76, 0x83, 0x49, 0xC8, 0xDE, 0xEB, 0x29, 0xA4, 0x78, 0x2A, 0xC1, 0x30, 0x11, + 0x0B, 0x2F, 0x38, 0x00, 0xB7, 0x6B, 0x6B, 0x8E, 0x8C, 0x4B, 0x33, 0x09, 0xF1, 0xEA, 0xA4, 0x9E, + 0x10, 0x4F, 0xC3, 0xBC, 0x30, 0x16, 0x1A, 0x8B, 0xD7, 0x9C, 0x14, 0x11, 0x4E, 0x56, 0x64, 0x7E, + 0x51, 0xE7, 0xDA, 0x26, 0x40, 0xB0, 0xD0, 0xF8, 0xF2, 0xB2, 0x5D, 0x8C, 0x8B, 0x49, 0x0C, 0x4E, + 0x58, 0xB0, 0xA3, 0x63, 0x30, 0x61, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, + 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x04, 0xA6, 0xCD, 0x4D, 0xAE, 0x9C, 0x17, 0xDB, 0xC8, 0x13, 0x57, 0x2D, + 0x72, 0x48, 0xAC, 0xBB, 0x6B, 0x1F, 0xFF, 0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, + 0x16, 0x04, 0x14, 0x0B, 0x8A, 0xC7, 0xA8, 0x53, 0x07, 0x40, 0x74, 0x75, 0x0F, 0x85, 0xCE, 0x5D, + 0x5C, 0xC2, 0x23, 0x32, 0xC0, 0xFC, 0xC9, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, + 0x04, 0x03, 0x02, 0x03, 0x81, 0x8C, 0x00, 0x30, 0x81, 0x88, 0x02, 0x42, 0x01, 0xB4, 0x75, 0x0B, + 0x2F, 0x2A, 0xAA, 0x77, 0x03, 0x08, 0xD9, 0x95, 0x13, 0x2C, 0xE8, 0x47, 0x69, 0x97, 0xD1, 0x6B, + 0xE0, 0x23, 0x94, 0xD5, 0x34, 0x8F, 0x80, 0x20, 0xE3, 0x72, 0x07, 0x7C, 0x6A, 0x52, 0xE6, 0xF2, + 0xC7, 0x85, 0xBD, 0xB6, 0x65, 0x8F, 0x61, 0x73, 0xF9, 0xE7, 0x3A, 0x31, 0x46, 0xC6, 0xF2, 0xCE, + 0xA7, 0x9E, 0xD0, 0xE2, 0xEF, 0x07, 0x59, 0xD0, 0xF1, 0xC4, 0xF6, 0x58, 0x9A, 0x16, 0x02, 0x42, + 0x00, 0x86, 0xE0, 0x25, 0xC1, 0x48, 0xD0, 0x33, 0x30, 0x55, 0xA8, 0x60, 0x44, 0xCA, 0x47, 0x04, + 0x93, 0x46, 0x81, 0xE9, 0x13, 0xE9, 0x67, 0x26, 0x23, 0x2A, 0xBD, 0xEF, 0xC4, 0xCC, 0x12, 0x99, + 0xB3, 0x9E, 0x3D, 0x78, 0xC8, 0x42, 0x06, 0x40, 0x48, 0xCA, 0x3D, 0xCC, 0xD7, 0xA2, 0x35, 0x37, + 0x76, 0x12, 0xDB, 0x9C, 0x90, 0xA4, 0xE4, 0x16, 0xAC, 0x5E, 0xD8, 0x04, 0xF1, 0x59, 0x66, 0x85, + 0xE2, 0x68, 0x30, 0x82, 0x02, 0x64, 0x30, 0x82, 0x02, 0x0A, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x10, 0x2B, 0x7B, 0xDA, 0xCD, 0x87, 0xA0, 0xFD, 0x81, 0x49, 0x5E, 0x0E, 0xDD, 0x4F, 0x81, 0x48, + 0x2D, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x22, 0x31, + 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, + 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, + 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x38, 0x32, 0x33, 0x31, 0x39, 0x33, 0x30, 0x30, + 0x32, 0x5A, 0x17, 0x0D, 0x33, 0x38, 0x30, 0x38, 0x32, 0x33, 0x31, 0x39, 0x34, 0x30, 0x30, 0x32, + 0x5A, 0x30, 0x27, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x1C, 0x54, 0x65, + 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, 0x6E, 0x67, 0x4E, 0x6F, 0x45, 0x4B, + 0x55, 0x73, 0x49, 0x6E, 0x53, 0x69, 0x67, 0x6E, 0x65, 0x72, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xA5, 0x9B, 0x95, 0xF0, 0x63, + 0x88, 0xC3, 0x74, 0x26, 0x08, 0x68, 0x25, 0xAA, 0x16, 0xBB, 0x2A, 0x15, 0xC1, 0xA2, 0xAF, 0x72, + 0x06, 0x51, 0x37, 0xE1, 0x4F, 0x6D, 0x6A, 0xFC, 0x17, 0xCE, 0x82, 0x7B, 0x79, 0xFF, 0x2A, 0x84, + 0x0F, 0xCB, 0xA9, 0x65, 0x70, 0xC9, 0xF9, 0xE7, 0x61, 0x90, 0x28, 0x03, 0x6E, 0x41, 0x25, 0xFF, + 0xC2, 0x3A, 0x60, 0x1A, 0x42, 0x37, 0x80, 0x9F, 0x6B, 0x99, 0x11, 0x5A, 0x1F, 0xAE, 0x7B, 0x3F, + 0xF3, 0x2B, 0x45, 0xDD, 0xDA, 0xC4, 0x32, 0xD7, 0xD8, 0xB5, 0x3D, 0x46, 0x0C, 0x8A, 0x11, 0xEE, + 0x94, 0x8C, 0xB5, 0x69, 0xD3, 0x91, 0x4F, 0x4E, 0xE5, 0xBB, 0x93, 0xDD, 0x1E, 0xA7, 0x20, 0x03, + 0xFD, 0xD6, 0x8F, 0x76, 0x91, 0x9A, 0x2B, 0x41, 0x91, 0xD8, 0x35, 0x7A, 0x0D, 0x80, 0xB9, 0xD4, + 0xD2, 0x56, 0xF1, 0xF9, 0xC5, 0xE6, 0xF2, 0xAE, 0x10, 0x7E, 0xD7, 0x6C, 0x40, 0x86, 0x37, 0x99, + 0x85, 0xF4, 0xCA, 0x1D, 0x6D, 0x90, 0x63, 0xF7, 0x63, 0xC6, 0x00, 0xA1, 0xA9, 0x79, 0x7D, 0x88, + 0x05, 0xA2, 0x92, 0x64, 0xA7, 0x8E, 0xA8, 0x9E, 0xC3, 0x1F, 0x63, 0xEE, 0x6C, 0xE3, 0x9B, 0xA6, + 0xD7, 0x9D, 0x9C, 0x9F, 0x0D, 0x7A, 0xF7, 0x00, 0x92, 0x16, 0xE8, 0x64, 0x36, 0x07, 0x66, 0x8E, + 0x6E, 0x51, 0x09, 0x3F, 0x2A, 0xD6, 0x6D, 0x4E, 0xCC, 0x49, 0xE1, 0xC3, 0x59, 0x63, 0xDC, 0x51, + 0xAA, 0xD1, 0xE7, 0x42, 0x2F, 0x72, 0x25, 0x46, 0x83, 0x7D, 0x23, 0xCE, 0xF7, 0x96, 0x2F, 0x04, + 0xE8, 0xAE, 0xF6, 0x19, 0x6D, 0x2D, 0xB2, 0x64, 0xDB, 0x69, 0x33, 0x96, 0x58, 0xA0, 0x6C, 0x77, + 0xF0, 0xD0, 0x5E, 0x36, 0xB1, 0x28, 0x89, 0x83, 0xB6, 0xA5, 0x13, 0x0E, 0x6B, 0x6E, 0x73, 0x2C, + 0x6F, 0xDA, 0xF9, 0x6C, 0x11, 0x4F, 0xCC, 0xF7, 0x89, 0x77, 0x83, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xA3, 0x52, 0x30, 0x50, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, + 0x03, 0x02, 0x01, 0x86, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xA4, 0x21, 0xA5, 0x99, 0x40, 0x41, 0xF7, 0x1B, 0xFF, 0x35, 0xD0, 0x40, 0x3C, 0x3E, 0x9C, + 0x7C, 0xD1, 0xCC, 0xD1, 0xD1, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, + 0xB6, 0xAF, 0x0D, 0xC1, 0xBE, 0xD1, 0xE4, 0x21, 0x37, 0xFF, 0xAC, 0x7D, 0x2D, 0xD4, 0x51, 0x8A, + 0x61, 0x95, 0x50, 0x7F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, + 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x74, 0x7D, 0xF5, 0xAF, 0xC3, 0xA7, 0x06, 0x99, 0x1F, + 0x2C, 0xAF, 0x69, 0xAA, 0x40, 0x97, 0xE9, 0xF8, 0x4C, 0xD2, 0x71, 0x17, 0x25, 0x85, 0xB7, 0xA6, + 0x97, 0x61, 0x89, 0x82, 0xED, 0xF0, 0xF6, 0x02, 0x21, 0x00, 0xA6, 0xF4, 0x59, 0x85, 0x53, 0x31, + 0xEF, 0x6F, 0x37, 0xB6, 0x8E, 0xA2, 0xDE, 0xC3, 0xFD, 0xD6, 0xFB, 0x50, 0x63, 0x4E, 0xB4, 0xBB, + 0xC1, 0xB1, 0x07, 0x82, 0x80, 0x14, 0x28, 0x6A, 0x94, 0x94, 0x31, 0x82, 0x01, 0x61, 0x30, 0x82, + 0x01, 0x5D, 0x02, 0x01, 0x01, 0x30, 0x36, 0x30, 0x22, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0C, 0x17, 0x54, 0x65, 0x73, 0x74, 0x45, 0x4B, 0x55, 0x50, 0x61, 0x72, 0x73, 0x69, + 0x6E, 0x67, 0x49, 0x73, 0x73, 0x75, 0x69, 0x6E, 0x67, 0x43, 0x41, 0x02, 0x10, 0x2B, 0x7B, 0xDA, + 0xCD, 0x87, 0xA0, 0xFD, 0x81, 0x49, 0x5E, 0x0E, 0xDD, 0x4F, 0x81, 0x48, 0x2D, 0x30, 0x0D, 0x06, + 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x39, + 0xEC, 0xA8, 0x00, 0x4F, 0x7E, 0x2C, 0x3C, 0x48, 0xDF, 0x6F, 0x6A, 0x37, 0x69, 0xA4, 0xB1, 0xEB, + 0x7D, 0xD2, 0x3B, 0xC5, 0xEE, 0x57, 0x1F, 0x8F, 0xCA, 0x60, 0x80, 0x88, 0x24, 0x29, 0xB5, 0x00, + 0x28, 0xFF, 0x8F, 0x0A, 0x1E, 0xB0, 0x9E, 0x90, 0x09, 0xF1, 0x46, 0xC1, 0x53, 0xE8, 0x27, 0x29, + 0xFA, 0xFE, 0xA3, 0x84, 0x79, 0xB2, 0x27, 0x46, 0x9B, 0xD8, 0x33, 0xBD, 0x8F, 0x41, 0x06, 0xEE, + 0xD6, 0xE7, 0x49, 0xAF, 0x48, 0xD0, 0xD4, 0xF1, 0x06, 0xCC, 0xD3, 0x26, 0x47, 0xAE, 0x03, 0x7A, + 0xA5, 0xAF, 0xDE, 0x7F, 0x57, 0x32, 0x51, 0x49, 0x8C, 0x18, 0xD2, 0x4D, 0x50, 0x27, 0xAC, 0x7C, + 0x33, 0xB8, 0xB8, 0x1C, 0xF8, 0x0C, 0x49, 0xEB, 0xF5, 0xD7, 0xA0, 0x35, 0x77, 0x61, 0xC0, 0x60, + 0xAF, 0x23, 0x8C, 0xCC, 0xB0, 0x58, 0xB3, 0x08, 0x89, 0x2B, 0xC0, 0x61, 0x0C, 0xA6, 0x40, 0x7A, + 0x37, 0x6D, 0x6D, 0x44, 0xFF, 0xF1, 0xCE, 0xDE, 0x7A, 0x0C, 0xC4, 0x51, 0x61, 0xE6, 0x72, 0x6B, + 0xA9, 0x6A, 0x7B, 0xCF, 0xAA, 0x9A, 0x28, 0x74, 0x87, 0x30, 0xBA, 0xED, 0x40, 0xF0, 0x75, 0x2B, + 0xD7, 0xE6, 0x9F, 0xDD, 0x6B, 0xB7, 0xEA, 0x08, 0x0D, 0x9F, 0xA3, 0x25, 0x27, 0xB7, 0xBF, 0x41, + 0xC2, 0x64, 0xB5, 0x6F, 0x8F, 0xB1, 0x5F, 0xE5, 0xDF, 0xCA, 0x16, 0x04, 0x61, 0xFF, 0x74, 0x25, + 0xEE, 0xF6, 0x69, 0xF1, 0x7F, 0xE5, 0x97, 0x72, 0x58, 0xD8, 0x9F, 0xA5, 0x19, 0x32, 0x46, 0x95, + 0x67, 0x63, 0x23, 0x54, 0x46, 0x05, 0x15, 0xC3, 0x3E, 0x04, 0x7E, 0x88, 0xD0, 0xB5, 0x52, 0xF0, + 0x38, 0x3C, 0x8B, 0xD4, 0x3D, 0x9A, 0x55, 0x1B, 0x14, 0xE5, 0x37, 0x8D, 0xB7, 0x6C, 0x39, 0x91, + 0x23, 0x31, 0x63, 0x89, 0x7C, 0x75, 0x02, 0x79, 0xCC, 0x95, 0x58, 0x99, 0x3A, 0xDB, 0xF5, +}; diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c new file mode 100644 index 00000000..4e09c993 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c @@ -0,0 +1,524 @@ +/** @file -- Pkcs7EkuVerify.c + * Copyright (c) Microsoft Corporation. + * SPDX-License-Identifier: BSD-2-Clause-Patent + + This is an test code which verifies specified + Enhanced Key Usages (EKU)'s are present in the leaf signer + of a PKCS7 formatted signature. + + + A typical signing certificate chain looks like this: (Could be RSA or ECC). + + ------------------------------------------ + | | // Root of trust. ECDSA P521 curve + | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Policy CA. Issues subordinate CAs. ECC P384 curve. + | TestEKUParsingPolicyCA | // SHA 256 Key Usage: + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Issues end-entity (leaf) signers. ECC P256 curve. + | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // Enhanced Key Usage: + ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + ^ + | + -------------------------------------- + / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve. + / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + / / // Enhanced Key usages: + -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID. + + + + + +**/ + +#include "TestBaseCryptLib.h" + +#include "Pkcs7EkuTestSignatures.h" + +EFI_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ); + +///================================================================================================ +///================================================================================================ +/// +/// TEST CASES +/// +///================================================================================================ +///================================================================================================ + +CONST CHAR8 FIRMWARE_SIGNER_EKU[] = "1.3.6.1.4.1.311.76.9.21.1"; + + +/** + TestVerifyEKUsInSignature() + + Verify that "1.3.6.1.4.1.311.76.9.21.1" (Firmware signature) is in the + leaf signer certificate. + + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestVerifyEKUsInSignature ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { FIRMWARE_SIGNER_EKU }; + + Status = VerifyEKUsInPkcs7Signature(ProductionECCSignature, + ARRAY_SIZE(ProductionECCSignature), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestVerifyEKUsInSignature() + + +/** + TestVerifyEKUsWith3CertsInSignature() + + This PKCS7 signature has 3 certificates in it. (Policy CA, Issuing CA + and leaf signer). It has one firmware signing EKU in it. + "1.3.6.1.4.1.311.76.9.21.1" + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestVerifyEKUsWith3CertsInSignature ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { FIRMWARE_SIGNER_EKU }; + + Status = VerifyEKUsInPkcs7Signature(TestSignEKUsWith3CertsInSignature, + ARRAY_SIZE(TestSignEKUsWith3CertsInSignature), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestVerifyEKUsWith3CertsInSignature() + +/** + TestVerifyEKUsWith2CertsInSignature() + + This PKCS7 signature has 2 certificates in it. (Issuing CA and leaf signer). + It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1" + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestVerifyEKUsWith2CertsInSignature ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { FIRMWARE_SIGNER_EKU }; + + Status = VerifyEKUsInPkcs7Signature(TestSignEKUsWith2CertsInSignature, + ARRAY_SIZE(TestSignEKUsWith2CertsInSignature), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestVerifyEKUsWith2CertsInSignature() + + +/** + TestVerifyEKUsWith1CertInSignature() + + This PKCS7 signature only has the leaf signer in it. + It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1" + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestVerifyEKUsWith1CertInSignature ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { FIRMWARE_SIGNER_EKU }; + + Status = VerifyEKUsInPkcs7Signature(TestSignEKUsWith1CertInSignature, + ARRAY_SIZE(TestSignEKUsWith1CertInSignature), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestVerifyEKUsWith1CertInSignature() + + +/** + TestVerifyEKUsWithMultipleEKUsInCert() + + + This signature has two EKU's in it: + "1.3.6.1.4.1.311.76.9.21.1" + "1.3.6.1.4.1.311.76.9.21.2" + We verify that both EKU's were present in the leaf signer. + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestVerifyEKUsWithMultipleEKUsInCert ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1", + "1.3.6.1.4.1.311.76.9.21.1.2" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithMultipleEKUsInCert, + ARRAY_SIZE(TestSignedWithMultipleEKUsInCert), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestVerifyEKUsWithMultipleEKUsInCert() + + +/** + TestEkusNotPresentInSignature() + + This test verifies that if we send an EKU that is not in the signature, + that we get back an error. + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestEkusNotPresentInSignature ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status = EFI_SUCCESS; + + // + // This EKU is not in the signature. + // + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.3" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithMultipleEKUsInCert, + ARRAY_SIZE(TestSignedWithMultipleEKUsInCert), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestEkusNotPresentInSignature() + +/** + TestEkusNotPresentInSignature() + + This test signature has two EKU's in it: (Product ID is 10001) + "1.3.6.1.4.1.311.76.9.21.1" + "1.3.6.1.4.1.311.76.9.21.1.10001" + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ + +static +UNIT_TEST_STATUS +EFIAPI +TestProductId10001PresentInSignature( + IN UNIT_TEST_CONTEXT Context +) +{ + EFI_STATUS Status = EFI_SUCCESS; + + // + // These EKU's are present in the leaf signer certificate. + // + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1", + "1.3.6.1.4.1.311.76.9.21.1.10001" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithProductId10001, + ARRAY_SIZE(TestSignedWithProductId10001), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestProductId10001PresentInSignature() + + +/** + TestOnlyOneEkuInListRequired() + + This test will check the BOOLEAN RequireAllPresent parameter in the + call to VerifyEKUsInPkcs7Signature() behaves properly. The signature + has two EKU's in it: + + "1.3.6.1.4.1.311.76.9.21.1" + "1.3.6.1.4.1.311.76.9.21.1.10001" + + but we only pass in one of them, and set RequireAllPresent to FALSE. + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ + +static +UNIT_TEST_STATUS +EFIAPI +TestOnlyOneEkuInListRequired( + IN UNIT_TEST_CONTEXT Context +) +{ + EFI_STATUS Status = EFI_SUCCESS; + + // + // This will test the flag that specifies it is OK to succeed if + // any one of the EKU's passed in is found. + // + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1.10001" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithProductId10001, + ARRAY_SIZE(TestSignedWithProductId10001), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + FALSE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestOnlyOneEkuInListRequired() + +/** + TestNoEKUsInSignature() + + This test uses a signature that was signed with a certificate that does + not contain any EKUs. + + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ + +static +UNIT_TEST_STATUS +EFIAPI +TestNoEKUsInSignature( + IN UNIT_TEST_CONTEXT Context +) +{ + EFI_STATUS Status = EFI_SUCCESS; + + // + // This EKU is not in the certificate, so it should fail. + // + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignatureWithNoEKUsPresent, + ARRAY_SIZE(TestSignatureWithNoEKUsPresent), + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestNoEKUsInSignature() + + +/** + TestInvalidParameters() + + Passes the API invalid parameters, and ensures that it does not succeed. + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestInvalidParameters( + IN UNIT_TEST_CONTEXT Context +) +{ + EFI_STATUS Status = EFI_SUCCESS; + + CONST CHAR8* RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" }; + + // + // Check bad signature. + // + Status = VerifyEKUsInPkcs7Signature(NULL, + 0, + (CONST CHAR8**)RequiredEKUs, + ARRAY_SIZE(RequiredEKUs), + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + // + // Check invalid EKU's + // + Status = VerifyEKUsInPkcs7Signature(TestSignatureWithNoEKUsPresent, + ARRAY_SIZE(TestSignatureWithNoEKUsPresent), + (CONST CHAR8**)NULL, + 0, + TRUE); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + return UNIT_TEST_PASSED; +}// TestInvalidParameters() + + +/** + TestEKUSubStringFails() + + Pass the API a sub set and super set of an EKU and ensure that they + don't pass. + + @param[in] Framework - Unit-test framework handle. + @param[in] Context - Optional context pointer for this test. + + @retval UNIT_TEST_PASSED - The required EKUs were found in the signature. + @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output. +**/ +static +UNIT_TEST_STATUS +EFIAPI +TestEKUSubsetSupersetFails( + IN UNIT_TEST_CONTEXT Context +) +{ + EFI_STATUS Status = EFI_SUCCESS; + + // + // This signature has an EKU of: + // "1.3.6.1.4.1.311.76.9.21.1.10001" + // so ensure that + // "1.3.6.1.4.1.311.76.9.21" + // does not pass. + // + CONST CHAR8* RequiredEKUs1[] = { "1.3.6.1.4.1.311.76.9.21" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithProductId10001, + ARRAY_SIZE(TestSignedWithProductId10001), + (CONST CHAR8**)RequiredEKUs1, + ARRAY_SIZE(RequiredEKUs1), + TRUE); + UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS); + + // + // This signature has an EKU of: + // "1.3.6.1.4.1.311.76.9.21.1.10001" + // so ensure that a super set + // "1.3.6.1.4.1.311.76.9.21.1.10001.1" + // does not pass. + // + CONST CHAR8* RequiredEKUs2[] = { "1.3.6.1.4.1.311.76.9.21.1.10001.1" }; + + Status = VerifyEKUsInPkcs7Signature(TestSignedWithProductId10001, + ARRAY_SIZE(TestSignedWithProductId10001), + (CONST CHAR8**)RequiredEKUs2, + ARRAY_SIZE(RequiredEKUs2), + TRUE); + UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS); + + return UNIT_TEST_PASSED; +}// TestEKUSubsetSupersetFails() + +TEST_DESC mPkcs7EkuTest[] = { + // + // -----Description--------------------------------Class----------------------------Function------------------------------Pre---Post--Context + // + {"TestVerifyEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsInSignature, NULL, NULL, NULL}, + {"TestVerifyEKUsWith3CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith3CertsInSignature, NULL, NULL, NULL}, + {"TestVerifyEKUsWith2CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith2CertsInSignature, NULL, NULL, NULL}, + {"TestVerifyEKUsWith1CertInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith1CertInSignature, NULL, NULL, NULL}, + {"TestVerifyEKUsWithMultipleEKUsInCert()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWithMultipleEKUsInCert, NULL, NULL, NULL}, + {"TestEkusNotPresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestEkusNotPresentInSignature, NULL, NULL, NULL}, + {"TestProductId10001PresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestProductId10001PresentInSignature, NULL, NULL, NULL}, + {"TestOnlyOneEkuInListRequired()", "CryptoPkg.BaseCryptLib.Eku", TestOnlyOneEkuInListRequired, NULL, NULL, NULL}, + {"TestNoEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestNoEKUsInSignature, NULL, NULL, NULL}, + {"TestInvalidParameters()", "CryptoPkg.BaseCryptLib.Eku", TestInvalidParameters, NULL, NULL, NULL}, + {"TestEKUSubsetSupersetFails()", "CryptoPkg.BaseCryptLib.Eku", TestEKUSubsetSupersetFails, NULL, NULL, NULL}, +}; + +UINTN mPkcs7EkuTestNum = ARRAY_SIZE(mPkcs7EkuTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RandTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RandTests.c new file mode 100644 index 00000000..05343612 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RandTests.c @@ -0,0 +1,51 @@ +/** @file + Application for Pseudorandom Number Generator Validation. + +Copyright (c) 2010, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +#define RANDOM_NUMBER_SIZE 256 + +CONST UINT8 SeedString[] = "This is the random seed for PRNG verification."; + +UINT8 PreviousRandomBuffer[RANDOM_NUMBER_SIZE] = { 0x0 }; + +UINT8 RandomBuffer[RANDOM_NUMBER_SIZE] = { 0x0 }; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyPrngGeneration ( + UNIT_TEST_CONTEXT Context + ) +{ + UINTN Index; + BOOLEAN Status; + + Status = RandomSeed (SeedString, sizeof (SeedString)); + UT_ASSERT_TRUE (Status); + + for (Index = 0; Index < 10; Index ++) { + Status = RandomBytes (RandomBuffer, RANDOM_NUMBER_SIZE); + UT_ASSERT_TRUE (Status); + + Status = (CompareMem (PreviousRandomBuffer, RandomBuffer, RANDOM_NUMBER_SIZE) == 0); + UT_ASSERT_FALSE (Status); + + CopyMem (PreviousRandomBuffer, RandomBuffer, RANDOM_NUMBER_SIZE); + } + + return UNIT_TEST_PASSED; +} + +TEST_DESC mPrngTest[] = { + // + // -----Description--------------------------------Class--------------------Function----------------Pre---Post--Context + // + {"TestVerifyPrngGeneration()", "CryptoPkg.BaseCryptLib.Prng", TestVerifyPrngGeneration, NULL, NULL, NULL}, +}; + +UINTN mPrngTestNum = ARRAY_SIZE(mPrngTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c new file mode 100644 index 00000000..fc3bbfa4 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c @@ -0,0 +1,415 @@ +/** @file + Application for RSA Key Retrieving (from PEM and X509) & Signature Validation. + + Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + + +// +// Password-protected PEM Key data for RSA Private Key Retrieving (encryption key is "client"). +// (Generated by OpenSSL utility). +// $ openssl genrsa -aes256 -out TestKeyPem -passout pass:client 1024 +// password should match PemPass in this file +// $ xxd --include TestKeyPem +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TestKeyPem[] = { + 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4b, + 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x50, 0x72, 0x6f, 0x63, + 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x34, 0x2c, 0x45, 0x4e, 0x43, + 0x52, 0x59, 0x50, 0x54, 0x45, 0x44, 0x0a, 0x44, 0x45, 0x4b, 0x2d, 0x49, + 0x6e, 0x66, 0x6f, 0x3a, 0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, + 0x2d, 0x43, 0x42, 0x43, 0x2c, 0x34, 0x42, 0x44, 0x31, 0x30, 0x45, 0x39, + 0x35, 0x42, 0x38, 0x33, 0x39, 0x42, 0x30, 0x44, 0x33, 0x35, 0x36, 0x31, + 0x38, 0x41, 0x44, 0x36, 0x45, 0x46, 0x44, 0x36, 0x34, 0x32, 0x34, 0x44, + 0x36, 0x0a, 0x0a, 0x42, 0x50, 0x39, 0x49, 0x32, 0x42, 0x30, 0x6c, 0x50, + 0x7a, 0x4c, 0x50, 0x50, 0x38, 0x2f, 0x4b, 0x71, 0x35, 0x34, 0x2f, 0x56, + 0x68, 0x75, 0x4b, 0x35, 0x5a, 0x63, 0x72, 0x32, 0x55, 0x6c, 0x32, 0x75, + 0x43, 0x57, 0x4a, 0x62, 0x59, 0x33, 0x50, 0x77, 0x39, 0x6e, 0x4c, 0x6d, + 0x45, 0x41, 0x6a, 0x47, 0x74, 0x4a, 0x68, 0x57, 0x46, 0x66, 0x50, 0x47, + 0x38, 0x62, 0x6d, 0x41, 0x6f, 0x73, 0x56, 0x0a, 0x47, 0x76, 0x42, 0x30, + 0x6d, 0x2b, 0x7a, 0x5a, 0x43, 0x2b, 0x30, 0x6c, 0x57, 0x6c, 0x72, 0x59, + 0x7a, 0x51, 0x4b, 0x6a, 0x57, 0x79, 0x44, 0x6e, 0x4d, 0x58, 0x72, 0x33, + 0x51, 0x39, 0x69, 0x57, 0x32, 0x4b, 0x33, 0x68, 0x4d, 0x6b, 0x71, 0x51, + 0x4c, 0x31, 0x68, 0x65, 0x71, 0x52, 0x66, 0x66, 0x74, 0x47, 0x57, 0x51, + 0x5a, 0x36, 0x78, 0x4e, 0x6a, 0x72, 0x30, 0x7a, 0x6f, 0x51, 0x59, 0x73, + 0x0a, 0x34, 0x76, 0x69, 0x55, 0x46, 0x72, 0x7a, 0x2b, 0x52, 0x76, 0x4b, + 0x43, 0x2f, 0x33, 0x69, 0x71, 0x57, 0x59, 0x78, 0x55, 0x35, 0x4c, 0x6a, + 0x45, 0x74, 0x63, 0x5a, 0x4f, 0x2b, 0x53, 0x6d, 0x39, 0x42, 0x4c, 0x62, + 0x66, 0x58, 0x49, 0x71, 0x56, 0x72, 0x53, 0x6a, 0x54, 0x79, 0x58, 0x49, + 0x39, 0x70, 0x76, 0x78, 0x6f, 0x67, 0x50, 0x39, 0x38, 0x6b, 0x2b, 0x6c, + 0x41, 0x66, 0x37, 0x47, 0x36, 0x0a, 0x75, 0x39, 0x2b, 0x30, 0x31, 0x4d, + 0x47, 0x5a, 0x69, 0x36, 0x6b, 0x53, 0x73, 0x67, 0x48, 0x57, 0x7a, 0x43, + 0x41, 0x49, 0x51, 0x75, 0x38, 0x72, 0x6a, 0x4d, 0x34, 0x65, 0x74, 0x64, + 0x50, 0x62, 0x4a, 0x49, 0x77, 0x34, 0x65, 0x47, 0x6f, 0x32, 0x45, 0x49, + 0x44, 0x45, 0x54, 0x61, 0x52, 0x70, 0x73, 0x76, 0x47, 0x6a, 0x54, 0x6f, + 0x30, 0x51, 0x56, 0x69, 0x79, 0x79, 0x4a, 0x4f, 0x48, 0x32, 0x0a, 0x61, + 0x32, 0x71, 0x69, 0x2f, 0x47, 0x7a, 0x2f, 0x64, 0x48, 0x61, 0x62, 0x68, + 0x4d, 0x4e, 0x35, 0x4e, 0x53, 0x58, 0x56, 0x4d, 0x31, 0x54, 0x2f, 0x6d, + 0x69, 0x6f, 0x74, 0x68, 0x78, 0x59, 0x72, 0x2f, 0x4a, 0x69, 0x37, 0x6d, + 0x4e, 0x45, 0x75, 0x4a, 0x57, 0x38, 0x74, 0x6d, 0x75, 0x55, 0x4b, 0x58, + 0x33, 0x66, 0x63, 0x39, 0x42, 0x39, 0x32, 0x51, 0x6e, 0x54, 0x68, 0x43, + 0x69, 0x49, 0x2f, 0x0a, 0x79, 0x4f, 0x31, 0x32, 0x4c, 0x46, 0x58, 0x38, + 0x74, 0x4b, 0x4a, 0x37, 0x4b, 0x7a, 0x6f, 0x6b, 0x36, 0x44, 0x74, 0x6d, + 0x35, 0x73, 0x41, 0x74, 0x2b, 0x65, 0x4b, 0x76, 0x6f, 0x61, 0x47, 0x62, + 0x75, 0x4a, 0x78, 0x62, 0x52, 0x63, 0x36, 0x63, 0x4d, 0x58, 0x57, 0x46, + 0x36, 0x4d, 0x72, 0x4d, 0x30, 0x53, 0x78, 0x65, 0x4e, 0x6b, 0x5a, 0x77, + 0x5a, 0x36, 0x6c, 0x62, 0x4d, 0x39, 0x63, 0x55, 0x0a, 0x6c, 0x75, 0x34, + 0x4c, 0x56, 0x64, 0x34, 0x73, 0x56, 0x4c, 0x61, 0x76, 0x68, 0x75, 0x32, + 0x58, 0x48, 0x48, 0x53, 0x56, 0x30, 0x32, 0x32, 0x6d, 0x51, 0x72, 0x73, + 0x32, 0x69, 0x68, 0x74, 0x58, 0x44, 0x2b, 0x6c, 0x4d, 0x63, 0x2f, 0x35, + 0x62, 0x54, 0x41, 0x55, 0x6b, 0x4b, 0x4f, 0x42, 0x73, 0x43, 0x69, 0x4f, + 0x4b, 0x42, 0x56, 0x2b, 0x66, 0x70, 0x49, 0x62, 0x2b, 0x6d, 0x44, 0x33, + 0x58, 0x0a, 0x39, 0x37, 0x66, 0x36, 0x54, 0x66, 0x68, 0x37, 0x4f, 0x4f, + 0x6a, 0x74, 0x44, 0x79, 0x31, 0x6f, 0x52, 0x36, 0x70, 0x68, 0x48, 0x47, + 0x6e, 0x73, 0x43, 0x78, 0x72, 0x53, 0x72, 0x64, 0x48, 0x73, 0x2f, 0x34, + 0x33, 0x72, 0x61, 0x65, 0x42, 0x78, 0x59, 0x45, 0x41, 0x42, 0x4e, 0x59, + 0x68, 0x54, 0x47, 0x57, 0x49, 0x4d, 0x4a, 0x6b, 0x50, 0x63, 0x54, 0x53, + 0x73, 0x76, 0x77, 0x46, 0x37, 0x6d, 0x0a, 0x33, 0x6c, 0x38, 0x6b, 0x44, + 0x50, 0x48, 0x43, 0x4e, 0x68, 0x6e, 0x6e, 0x42, 0x69, 0x7a, 0x36, 0x2f, + 0x43, 0x38, 0x56, 0x31, 0x37, 0x78, 0x57, 0x34, 0x50, 0x2b, 0x79, 0x71, + 0x4a, 0x78, 0x58, 0x63, 0x49, 0x53, 0x72, 0x7a, 0x57, 0x53, 0x55, 0x72, + 0x34, 0x74, 0x71, 0x6b, 0x55, 0x58, 0x43, 0x57, 0x4c, 0x43, 0x66, 0x76, + 0x57, 0x7a, 0x4e, 0x65, 0x5a, 0x34, 0x4f, 0x34, 0x34, 0x54, 0x65, 0x0a, + 0x74, 0x31, 0x59, 0x65, 0x36, 0x77, 0x2b, 0x71, 0x4f, 0x55, 0x38, 0x50, + 0x42, 0x68, 0x72, 0x65, 0x4d, 0x38, 0x75, 0x32, 0x32, 0x42, 0x4f, 0x31, + 0x65, 0x2b, 0x44, 0x7a, 0x63, 0x74, 0x6c, 0x67, 0x43, 0x43, 0x6c, 0x38, + 0x79, 0x69, 0x37, 0x6f, 0x43, 0x56, 0x74, 0x66, 0x75, 0x59, 0x2f, 0x4c, + 0x72, 0x42, 0x61, 0x31, 0x74, 0x69, 0x43, 0x41, 0x37, 0x6c, 0x34, 0x75, + 0x58, 0x6b, 0x73, 0x4c, 0x0a, 0x2b, 0x31, 0x51, 0x79, 0x69, 0x4b, 0x31, + 0x6e, 0x43, 0x4f, 0x76, 0x74, 0x30, 0x46, 0x7a, 0x71, 0x62, 0x71, 0x78, + 0x54, 0x37, 0x53, 0x35, 0x4c, 0x56, 0x33, 0x5a, 0x33, 0x74, 0x34, 0x4a, + 0x46, 0x4f, 0x50, 0x62, 0x67, 0x63, 0x7a, 0x4e, 0x6b, 0x58, 0x55, 0x2b, + 0x4f, 0x74, 0x50, 0x6b, 0x6e, 0x45, 0x45, 0x76, 0x67, 0x57, 0x64, 0x76, + 0x31, 0x4f, 0x30, 0x6d, 0x52, 0x4a, 0x50, 0x31, 0x4e, 0x0a, 0x71, 0x43, + 0x32, 0x33, 0x4a, 0x6a, 0x36, 0x38, 0x4c, 0x30, 0x46, 0x63, 0x46, 0x4c, + 0x56, 0x56, 0x59, 0x76, 0x61, 0x44, 0x53, 0x76, 0x54, 0x45, 0x64, 0x50, + 0x54, 0x34, 0x62, 0x2f, 0x7a, 0x66, 0x64, 0x36, 0x51, 0x52, 0x6b, 0x38, + 0x70, 0x4d, 0x36, 0x77, 0x66, 0x61, 0x32, 0x50, 0x63, 0x75, 0x57, 0x65, + 0x79, 0x38, 0x48, 0x38, 0x76, 0x4e, 0x4b, 0x67, 0x2f, 0x65, 0x76, 0x34, + 0x77, 0x37, 0x0a, 0x6b, 0x6f, 0x6f, 0x4e, 0x59, 0x64, 0x77, 0x59, 0x69, + 0x6c, 0x37, 0x41, 0x50, 0x76, 0x42, 0x50, 0x4d, 0x63, 0x6c, 0x51, 0x76, + 0x63, 0x64, 0x71, 0x7a, 0x52, 0x7a, 0x4a, 0x6e, 0x4a, 0x74, 0x37, 0x70, + 0x35, 0x7a, 0x69, 0x2b, 0x2b, 0x4c, 0x43, 0x59, 0x55, 0x4d, 0x3d, 0x0a, + 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x52, 0x53, 0x41, + 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4b, 0x45, 0x59, + 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a + }; + +// +// Password for private key retrieving from encrypted PEM ("TestKeyPem"). +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *PemPass = "client"; + +// +// Test CA X509 Certificate for X509 Verification Routine (Generated by OpenSSL utility). +// $ openssl req -x509 -days 10000 -key TestKeyPem -out TestCACert -outform DER -subj "/C=US/ST=WA/L=Seattle/O=Tianocore/OU=EDK2/CN=UEFI" +// use password from PemPass variable in this file +// $ xxd --include TestCACert +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TestCACert[] = { + 0x30, 0x82, 0x02, 0x98, 0x30, 0x82, 0x02, 0x01, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x39, 0xde, 0x9e, 0xce, 0x3a, 0x36, 0x11, 0x38, 0x6f, + 0x64, 0xb4, 0x69, 0xa7, 0x93, 0xdd, 0xff, 0xbd, 0x3e, 0x75, 0x6a, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x5e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x02, 0x57, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x54, + 0x69, 0x61, 0x6e, 0x6f, 0x63, 0x6f, 0x72, 0x65, 0x31, 0x0d, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x04, 0x45, 0x44, 0x4b, 0x32, 0x31, + 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x55, 0x45, + 0x46, 0x49, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x36, 0x32, 0x39, + 0x32, 0x32, 0x34, 0x37, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x34, 0x37, 0x31, + 0x31, 0x31, 0x35, 0x32, 0x32, 0x34, 0x37, 0x33, 0x36, 0x5a, 0x30, 0x5e, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, + 0x57, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x54, 0x69, 0x61, 0x6e, 0x6f, + 0x63, 0x6f, 0x72, 0x65, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x0c, 0x04, 0x45, 0x44, 0x4b, 0x32, 0x31, 0x0d, 0x30, 0x0b, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x55, 0x45, 0x46, 0x49, 0x30, 0x81, + 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, + 0x81, 0x81, 0x00, 0x9f, 0xef, 0x1b, 0x46, 0x45, 0x55, 0x33, 0x4b, 0xee, + 0x95, 0x14, 0xd3, 0x5a, 0x3e, 0xd9, 0x29, 0xfb, 0xd9, 0x29, 0x4e, 0x8b, + 0xf1, 0xf5, 0x68, 0x7c, 0x58, 0x86, 0x0c, 0xda, 0xd7, 0xe0, 0xd2, 0x9a, + 0xe8, 0x37, 0x16, 0x4d, 0x54, 0x92, 0x18, 0x20, 0x4c, 0x09, 0xa1, 0xcf, + 0xe1, 0xaa, 0x7a, 0x5a, 0x64, 0x7e, 0x5c, 0xeb, 0x4e, 0x15, 0x8e, 0x40, + 0xd1, 0xcb, 0x7d, 0x01, 0x71, 0x15, 0x11, 0xd2, 0xc7, 0xdb, 0x6b, 0x00, + 0xdc, 0x02, 0xcb, 0x5a, 0x6d, 0x2b, 0x2a, 0x75, 0xb6, 0x3f, 0xec, 0xc1, + 0x9d, 0xbf, 0xda, 0xe5, 0x3a, 0x77, 0x4b, 0x21, 0x1c, 0x99, 0x42, 0x84, + 0x5e, 0x27, 0x53, 0x9b, 0xe6, 0xc1, 0xa1, 0x95, 0x58, 0xba, 0xbe, 0x62, + 0x58, 0xd5, 0x09, 0xa8, 0xe6, 0xb6, 0x1b, 0xb1, 0x18, 0x28, 0x13, 0xc7, + 0x89, 0x1c, 0x68, 0xce, 0x15, 0xaf, 0x2e, 0x68, 0xac, 0x1c, 0xf7, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0xe5, 0x05, 0xa3, 0x6e, + 0x8f, 0x00, 0xf7, 0x93, 0x30, 0xe5, 0x25, 0x20, 0xdc, 0x8a, 0xc3, 0xad, + 0x14, 0x6d, 0x90, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x50, 0xe5, 0x05, 0xa3, 0x6e, 0x8f, 0x00, 0xf7, + 0x93, 0x30, 0xe5, 0x25, 0x20, 0xdc, 0x8a, 0xc3, 0xad, 0x14, 0x6d, 0x90, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, + 0x8e, 0xe4, 0x27, 0x42, 0x16, 0x6e, 0xbd, 0x28, 0x47, 0x09, 0x99, 0xc1, + 0x55, 0x02, 0x82, 0x1a, 0xe1, 0xd0, 0xf3, 0xef, 0x4d, 0xaf, 0x30, 0x9a, + 0x29, 0x4b, 0x74, 0x03, 0x6a, 0x95, 0x28, 0xf1, 0xbe, 0x62, 0x68, 0x9f, + 0x82, 0x59, 0x7a, 0x49, 0x91, 0xb6, 0xaf, 0x6b, 0x23, 0x30, 0xb4, 0xf4, + 0xdd, 0xfa, 0x30, 0x3f, 0xb6, 0xed, 0x74, 0x3f, 0x91, 0xe8, 0xd7, 0x84, + 0x1a, 0xf3, 0xc6, 0x3d, 0xd8, 0x59, 0x8d, 0x68, 0x6e, 0xb3, 0x66, 0x9e, + 0xe8, 0xeb, 0x1a, 0x8b, 0x1e, 0x92, 0x71, 0x73, 0x8c, 0x4f, 0x63, 0xce, + 0x71, 0x7b, 0x97, 0x3b, 0x59, 0xd2, 0x9b, 0xe4, 0xd0, 0xef, 0x31, 0x9f, + 0x0d, 0x61, 0x27, 0x97, 0x9d, 0xe8, 0xe0, 0xcd, 0x8d, 0xc1, 0x4d, 0xad, + 0xf7, 0x3a, 0x8d, 0xb8, 0x86, 0x8c, 0x23, 0x1d, 0x4c, 0x02, 0x5c, 0x53, + 0x46, 0x84, 0xb2, 0x97, 0x0c, 0xd3, 0x35, 0x6b +}; + +// +// X509 Cert Data for RSA Public Key Retrieving and X509 Verification (Generated by OpenSSL utility). +// $ openssl req -new -key TestKeyPem -out TestCertCsr -subj "/C=US/ST=WA/L=Seattle/O=Tianocore/OU=EDK2CHILD/CN=UEFI" +// $ openssl x509 -days 10000 -CA TestCACert.pem -CAkey TestKeyPem -req -out TestCert -set_serial 3432 --outform DER -in TestCertCsr +// password should be in the PemPass variable +// $ xxd --include TestCert +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 TestCert[] = { + 0x30, 0x82, 0x02, 0x31, 0x30, 0x82, 0x01, 0x9a, 0x02, 0x02, 0x0d, 0x68, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x5e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x02, 0x57, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, + 0x65, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, + 0x54, 0x69, 0x61, 0x6e, 0x6f, 0x63, 0x6f, 0x72, 0x65, 0x31, 0x0d, 0x30, + 0x0b, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x04, 0x45, 0x44, 0x4b, 0x32, + 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x55, + 0x45, 0x46, 0x49, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x36, 0x32, + 0x39, 0x32, 0x33, 0x31, 0x35, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x34, 0x37, + 0x31, 0x31, 0x31, 0x35, 0x32, 0x33, 0x31, 0x35, 0x33, 0x36, 0x5a, 0x30, + 0x63, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x02, 0x57, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x12, 0x30, + 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x54, 0x69, 0x61, 0x6e, + 0x6f, 0x63, 0x6f, 0x72, 0x65, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x09, 0x45, 0x44, 0x4b, 0x32, 0x43, 0x48, 0x49, 0x4c, + 0x44, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, + 0x55, 0x45, 0x46, 0x49, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, + 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0x9f, 0xef, 0x1b, + 0x46, 0x45, 0x55, 0x33, 0x4b, 0xee, 0x95, 0x14, 0xd3, 0x5a, 0x3e, 0xd9, + 0x29, 0xfb, 0xd9, 0x29, 0x4e, 0x8b, 0xf1, 0xf5, 0x68, 0x7c, 0x58, 0x86, + 0x0c, 0xda, 0xd7, 0xe0, 0xd2, 0x9a, 0xe8, 0x37, 0x16, 0x4d, 0x54, 0x92, + 0x18, 0x20, 0x4c, 0x09, 0xa1, 0xcf, 0xe1, 0xaa, 0x7a, 0x5a, 0x64, 0x7e, + 0x5c, 0xeb, 0x4e, 0x15, 0x8e, 0x40, 0xd1, 0xcb, 0x7d, 0x01, 0x71, 0x15, + 0x11, 0xd2, 0xc7, 0xdb, 0x6b, 0x00, 0xdc, 0x02, 0xcb, 0x5a, 0x6d, 0x2b, + 0x2a, 0x75, 0xb6, 0x3f, 0xec, 0xc1, 0x9d, 0xbf, 0xda, 0xe5, 0x3a, 0x77, + 0x4b, 0x21, 0x1c, 0x99, 0x42, 0x84, 0x5e, 0x27, 0x53, 0x9b, 0xe6, 0xc1, + 0xa1, 0x95, 0x58, 0xba, 0xbe, 0x62, 0x58, 0xd5, 0x09, 0xa8, 0xe6, 0xb6, + 0x1b, 0xb1, 0x18, 0x28, 0x13, 0xc7, 0x89, 0x1c, 0x68, 0xce, 0x15, 0xaf, + 0x2e, 0x68, 0xac, 0x1c, 0xf7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x81, 0x81, 0x00, 0x0d, 0xa4, 0x18, 0xa2, 0xb6, 0x09, 0xe1, + 0x77, 0x22, 0x97, 0x46, 0x29, 0x1b, 0xd8, 0x67, 0x0a, 0xc0, 0x91, 0x36, + 0x53, 0xe1, 0x4c, 0x73, 0x1b, 0xc1, 0x90, 0x6d, 0x98, 0x46, 0x7e, 0x65, + 0x71, 0x1c, 0xf0, 0x62, 0x9f, 0x9e, 0x62, 0x0b, 0x8b, 0x73, 0x35, 0x4c, + 0x2d, 0xc3, 0x5d, 0x38, 0x22, 0xfe, 0x43, 0x0f, 0xf2, 0x57, 0x17, 0x75, + 0xa8, 0x76, 0x79, 0xab, 0x4e, 0x33, 0xa5, 0x91, 0xbd, 0x55, 0x5b, 0xc0, + 0x7e, 0xfb, 0x1d, 0xc9, 0xf3, 0x5f, 0x12, 0x6f, 0x7c, 0xdc, 0x24, 0x5a, + 0x84, 0x16, 0x28, 0x5b, 0xf9, 0xcc, 0x8b, 0xfe, 0x11, 0xe6, 0x29, 0xcf, + 0xac, 0x90, 0x66, 0xc0, 0x70, 0x25, 0xf8, 0x71, 0xdb, 0x29, 0xcb, 0x6b, + 0x10, 0xa7, 0xbe, 0x3e, 0x9d, 0x61, 0xd8, 0x04, 0xe0, 0x71, 0x63, 0x83, + 0xa3, 0xca, 0x26, 0x6d, 0x7f, 0xf3, 0xaa, 0x8e, 0xb2, 0x66, 0x98, 0x41, + 0xd6 +}; + +// +// Message Hash for Signing & Verification Validation. +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 MsgHash[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 + }; + +// +// Payload for PKCS#7 Signing & Verification Validation. +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 *Payload = "Payload Data for PKCS#7 Signing"; + + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaCertPkcs1SignVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + VOID *RsaPrivKey; + VOID *RsaPubKey; + UINT8 *Signature; + UINTN SigSize; + UINT8 *Subject; + UINTN SubjectSize; + RETURN_STATUS ReturnStatus; + CHAR8 CommonName[64]; + UINTN CommonNameSize; + CHAR8 OrgName[64]; + UINTN OrgNameSize; + + // + // Retrieve RSA private key from encrypted PEM data. + // + Status = RsaGetPrivateKeyFromPem (TestKeyPem, sizeof (TestKeyPem), PemPass, &RsaPrivKey); + UT_ASSERT_TRUE (Status); + + // + // Retrieve RSA public key from X509 Certificate. + // + RsaPubKey = NULL; + Status = RsaGetPublicKeyFromX509 (TestCert, sizeof (TestCert), &RsaPubKey); + UT_ASSERT_TRUE (Status); + + // + // Generate RSA PKCS#1 Signature. + // + SigSize = 0; + Status = RsaPkcs1Sign (RsaPrivKey, MsgHash, SHA1_DIGEST_SIZE, NULL, &SigSize); + UT_ASSERT_FALSE (Status); + UT_ASSERT_NOT_EQUAL (SigSize, 0); + + Signature = AllocatePool (SigSize); + Status = RsaPkcs1Sign (RsaPrivKey, MsgHash, SHA1_DIGEST_SIZE, Signature, &SigSize); + UT_ASSERT_TRUE (Status); + + // + // Verify RSA PKCS#1-encoded Signature. + // + Status = RsaPkcs1Verify (RsaPubKey, MsgHash, SHA1_DIGEST_SIZE, Signature, SigSize); + UT_ASSERT_TRUE (Status); + + // + // X509 Certificate Subject Retrieving. + // + SubjectSize = 0; + Status = X509GetSubjectName (TestCert, sizeof (TestCert), NULL, &SubjectSize); + Subject = (UINT8 *)AllocatePool (SubjectSize); + Status = X509GetSubjectName (TestCert, sizeof (TestCert), Subject, &SubjectSize); + UT_ASSERT_TRUE (Status); + + // + // Get CommonName from X509 Certificate Subject + // + CommonNameSize = 64; + ZeroMem (CommonName, CommonNameSize); + ReturnStatus = X509GetCommonName (TestCert, sizeof (TestCert), CommonName, &CommonNameSize); + UT_ASSERT_NOT_EFI_ERROR (ReturnStatus); + + UT_ASSERT_EQUAL (CommonNameSize, 5); + UT_ASSERT_MEM_EQUAL (CommonName, "UEFI", 5); + + OrgNameSize = 64; + ZeroMem (OrgName, OrgNameSize); + ReturnStatus = X509GetOrganizationName (TestCert, sizeof (TestCert), OrgName, &OrgNameSize); + UT_ASSERT_NOT_EFI_ERROR (ReturnStatus); + + UT_ASSERT_EQUAL (OrgNameSize, 10); + UT_ASSERT_MEM_EQUAL (OrgName, "Tianocore", 10); + + // + // X509 Certificate Verification. + // + Status = X509VerifyCert (TestCert, sizeof (TestCert), TestCACert, sizeof (TestCACert)); + UT_ASSERT_TRUE (Status); + + // + // Release Resources. + // + RsaFree (RsaPubKey); + RsaFree (RsaPrivKey); + FreePool (Signature); + FreePool (Subject); + + return UNIT_TEST_PASSED; +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyPkcs7SignVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + UINT8 *P7SignedData; + UINTN P7SignedDataSize; + UINT8 *SignCert; + + P7SignedData = NULL; + SignCert = NULL; + + // + // Construct Signer Certificate from RAW data. + // + Status = X509ConstructCertificate (TestCert, sizeof (TestCert), (UINT8 **) &SignCert); + UT_ASSERT_TRUE (Status); + UT_ASSERT_NOT_NULL (SignCert); + + // + // Create PKCS#7 signedData on Payload. + // Note: Caller should release P7SignedData manually. + // + Status = Pkcs7Sign ( + TestKeyPem, + sizeof (TestKeyPem), + (CONST UINT8 *) PemPass, + (UINT8 *) Payload, + AsciiStrLen (Payload), + SignCert, + NULL, + &P7SignedData, + &P7SignedDataSize + ); + UT_ASSERT_TRUE (Status); + UT_ASSERT_NOT_EQUAL (P7SignedDataSize, 0); + + Status = Pkcs7Verify ( + P7SignedData, + P7SignedDataSize, + TestCACert, + sizeof (TestCACert), + (UINT8 *) Payload, + AsciiStrLen (Payload) + ); + UT_ASSERT_TRUE (Status); + + if (P7SignedData != NULL) { + FreePool (P7SignedData); + } + if (SignCert != NULL) { + X509Free (SignCert); + } + + return UNIT_TEST_PASSED; +} + +TEST_DESC mRsaCertTest[] = { + // + // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context + // + {"TestVerifyRsaCertPkcs1SignVerify()", "CryptoPkg.BaseCryptLib.RsaCert", TestVerifyRsaCertPkcs1SignVerify, NULL, NULL, NULL}, +}; + +UINTN mRsaCertTestNum = ARRAY_SIZE(mRsaCertTest); + +TEST_DESC mPkcs7Test[] = { + // + // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context + // + {"TestVerifyPkcs7SignVerify()", "CryptoPkg.BaseCryptLib.Pkcs7", TestVerifyPkcs7SignVerify, NULL, NULL, NULL}, +}; + +UINTN mPkcs7TestNum = ARRAY_SIZE(mPkcs7Test); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPssTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPssTests.c new file mode 100644 index 00000000..c2f15122 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPssTests.c @@ -0,0 +1,191 @@ +/** @file + Application for RSA PSS Primitives Validation. + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// RSA PSS test vectors from NIST FIPS 186-3 RSA files +// + +// +// Public Modulus of RSA Key +// +UINT8 RsaPssN[]={ + 0xa4, 0x7d, 0x04, 0xe7, 0xca, 0xcd, 0xba, 0x4e, 0xa2, 0x6e, 0xca, 0x8a, 0x4c, 0x6e, 0x14, 0x56, + 0x3c, 0x2c, 0xe0, 0x3b, 0x62, 0x3b, 0x76, 0x8c, 0x0d, 0x49, 0x86, 0x8a, 0x57, 0x12, 0x13, 0x01, + 0xdb, 0xf7, 0x83, 0xd8, 0x2f, 0x4c, 0x05, 0x5e, 0x73, 0x96, 0x0e, 0x70, 0x55, 0x01, 0x87, 0xd0, + 0xaf, 0x62, 0xac, 0x34, 0x96, 0xf0, 0xa3, 0xd9, 0x10, 0x3c, 0x2e, 0xb7, 0x91, 0x9a, 0x72, 0x75, + 0x2f, 0xa7, 0xce, 0x8c, 0x68, 0x8d, 0x81, 0xe3, 0xae, 0xe9, 0x94, 0x68, 0x88, 0x7a, 0x15, 0x28, + 0x8a, 0xfb, 0xb7, 0xac, 0xb8, 0x45, 0xb7, 0xc5, 0x22, 0xb5, 0xc6, 0x4e, 0x67, 0x8f, 0xcd, 0x3d, + 0x22, 0xfe, 0xb8, 0x4b, 0x44, 0x27, 0x27, 0x00, 0xbe, 0x52, 0x7d, 0x2b, 0x20, 0x25, 0xa3, 0xf8, + 0x3c, 0x23, 0x83, 0xbf, 0x6a, 0x39, 0xcf, 0x5b, 0x4e, 0x48, 0xb3, 0xcf, 0x2f, 0x56, 0xee, 0xf0, + 0xdf, 0xff, 0x18, 0x55, 0x5e, 0x31, 0x03, 0x7b, 0x91, 0x52, 0x48, 0x69, 0x48, 0x76, 0xf3, 0x04, + 0x78, 0x14, 0x41, 0x51, 0x64, 0xf2, 0xc6, 0x60, 0x88, 0x1e, 0x69, 0x4b, 0x58, 0xc2, 0x80, 0x38, + 0xa0, 0x32, 0xad, 0x25, 0x63, 0x4a, 0xad, 0x7b, 0x39, 0x17, 0x1d, 0xee, 0x36, 0x8e, 0x3d, 0x59, + 0xbf, 0xb7, 0x29, 0x9e, 0x46, 0x01, 0xd4, 0x58, 0x7e, 0x68, 0xca, 0xaf, 0x8d, 0xb4, 0x57, 0xb7, + 0x5a, 0xf4, 0x2f, 0xc0, 0xcf, 0x1a, 0xe7, 0xca, 0xce, 0xd2, 0x86, 0xd7, 0x7f, 0xac, 0x6c, 0xed, + 0xb0, 0x3a, 0xd9, 0x4f, 0x14, 0x33, 0xd2, 0xc9, 0x4d, 0x08, 0xe6, 0x0b, 0xc1, 0xfd, 0xef, 0x05, + 0x43, 0xcd, 0x29, 0x51, 0xe7, 0x65, 0xb3, 0x82, 0x30, 0xfd, 0xd1, 0x8d, 0xe5, 0xd2, 0xca, 0x62, + 0x7d, 0xdc, 0x03, 0x2f, 0xe0, 0x5b, 0xbd, 0x2f, 0xf2, 0x1e, 0x2d, 0xb1, 0xc2, 0xf9, 0x4d, 0x8b, + }; + +// +// Public Exponent of RSA Key +// +UINT8 RsaPssE[]={ 0x10, 0xe4, 0x3f }; + +// +// Private Exponent of RSA Key +// +UINT8 RsaPssD[]={ + 0x11, 0xa0, 0xdd, 0x28, 0x5f, 0x66, 0x47, 0x1a, 0x8d, 0xa3, 0x0b, 0xcb, 0x8c, 0x24, 0xa1, 0xd5, + 0xc8, 0xdb, 0x94, 0x2f, 0xc9, 0x92, 0x07, 0x97, 0xca, 0x44, 0x24, 0x60, 0xa8, 0x00, 0xb7, 0x5b, + 0xbc, 0x73, 0x8b, 0xeb, 0x8e, 0xe0, 0xe8, 0x74, 0xb0, 0x53, 0xe6, 0x47, 0x07, 0xdf, 0x4c, 0xfc, + 0x78, 0x37, 0xc4, 0x0e, 0x5b, 0xe6, 0x8b, 0x8a, 0x8e, 0x1d, 0x01, 0x45, 0x16, 0x9c, 0xa6, 0x27, + 0x1d, 0x81, 0x88, 0x7e, 0x19, 0xa1, 0xcd, 0x95, 0xb2, 0xfd, 0x0d, 0xe0, 0xdb, 0xa3, 0x47, 0xfe, + 0x63, 0x7b, 0xcc, 0x6c, 0xdc, 0x24, 0xee, 0xbe, 0x03, 0xc2, 0x4d, 0x4c, 0xf3, 0xa5, 0xc6, 0x15, + 0x4d, 0x78, 0xf1, 0x41, 0xfe, 0x34, 0x16, 0x99, 0x24, 0xd0, 0xf8, 0x95, 0x33, 0x65, 0x8e, 0xac, + 0xfd, 0xea, 0xe9, 0x9c, 0xe1, 0xa8, 0x80, 0x27, 0xc1, 0x8f, 0xf9, 0x26, 0x53, 0xa8, 0x35, 0xaa, + 0x38, 0x91, 0xbf, 0xff, 0xcd, 0x38, 0x8f, 0xfc, 0x23, 0x88, 0xce, 0x2b, 0x10, 0x56, 0x85, 0x43, + 0x75, 0x05, 0x02, 0xcc, 0xbc, 0x69, 0xc0, 0x08, 0x8f, 0x1d, 0x69, 0x0e, 0x97, 0xa5, 0xf5, 0xbd, + 0xd1, 0x88, 0x8c, 0xd2, 0xfa, 0xa4, 0x3c, 0x04, 0xae, 0x24, 0x53, 0x95, 0x22, 0xdd, 0xe2, 0xd9, + 0xc2, 0x02, 0xf6, 0x55, 0xfc, 0x55, 0x75, 0x44, 0x40, 0xb5, 0x3a, 0x15, 0x32, 0xaa, 0xb4, 0x78, + 0x51, 0xf6, 0x0b, 0x7a, 0x06, 0x7e, 0x24, 0x0b, 0x73, 0x8e, 0x1b, 0x1d, 0xaa, 0xe6, 0xca, 0x0d, + 0x59, 0xee, 0xae, 0x27, 0x68, 0x6c, 0xd8, 0x88, 0x57, 0xe9, 0xad, 0xad, 0xc2, 0xd4, 0xb8, 0x2b, + 0x07, 0xa6, 0x1a, 0x35, 0x84, 0x56, 0xaa, 0xf8, 0x07, 0x66, 0x96, 0x93, 0xff, 0xb1, 0x3c, 0x99, + 0x64, 0xa6, 0x36, 0x54, 0xca, 0xdc, 0x81, 0xee, 0x59, 0xdf, 0x51, 0x1c, 0xa3, 0xa4, 0xbd, 0x67, + }; + +// +// Binary message to be signed and verified +// +UINT8 PssMessage[]={ + 0xe0, 0x02, 0x37, 0x7a, 0xff, 0xb0, 0x4f, 0x0f, 0xe4, 0x59, 0x8d, 0xe9, 0xd9, 0x2d, 0x31, 0xd6, + 0xc7, 0x86, 0x04, 0x0d, 0x57, 0x76, 0x97, 0x65, 0x56, 0xa2, 0xcf, 0xc5, 0x5e, 0x54, 0xa1, 0xdc, + 0xb3, 0xcb, 0x1b, 0x12, 0x6b, 0xd6, 0xa4, 0xbe, 0xd2, 0xa1, 0x84, 0x99, 0x0c, 0xce, 0xa7, 0x73, + 0xfc, 0xc7, 0x9d, 0x24, 0x65, 0x53, 0xe6, 0xc6, 0x4f, 0x68, 0x6d, 0x21, 0xad, 0x41, 0x52, 0x67, + 0x3c, 0xaf, 0xec, 0x22, 0xae, 0xb4, 0x0f, 0x6a, 0x08, 0x4e, 0x8a, 0x5b, 0x49, 0x91, 0xf4, 0xc6, + 0x4c, 0xf8, 0xa9, 0x27, 0xef, 0xfd, 0x0f, 0xd7, 0x75, 0xe7, 0x1e, 0x83, 0x29, 0xe4, 0x1f, 0xdd, + 0x44, 0x57, 0xb3, 0x91, 0x11, 0x73, 0x18, 0x7b, 0x4f, 0x09, 0xa8, 0x17, 0xd7, 0x9e, 0xa2, 0x39, + 0x7f, 0xc1, 0x2d, 0xfe, 0x3d, 0x9c, 0x9a, 0x02, 0x90, 0xc8, 0xea, 0xd3, 0x1b, 0x66, 0x90, 0xa6, + }; + +// +// Binary message to be signed and verified +// +UINT8 PssSalt[]={ + 0xd6, 0x6f, 0x72, 0xf1, 0x0b, 0x69, 0x00, 0x1a, 0x5b, 0x59, 0xcf, 0x10, 0x92, 0xad, 0x27, 0x4d, + 0x50, 0x56, 0xc4, 0xe9, 0x5c, 0xcc, 0xcf, 0xbe, 0x3b, 0x53, 0x0d, 0xcb, 0x02, 0x7e, 0x57, 0xd6 + }; + +// +// RSASSA-PSS Signature over above message using above keys, salt and SHA256 digest(and MGF1) algo. +// +UINT8 TestVectorSignature[]={ + 0x4f, 0x9b, 0x42, 0x5c, 0x20, 0x58, 0x46, 0x0e, 0x4a, 0xb2, 0xf5, 0xc9, 0x63, 0x84, 0xda, 0x23, + 0x27, 0xfd, 0x29, 0x15, 0x0f, 0x01, 0x95, 0x5a, 0x76, 0xb4, 0xef, 0xe9, 0x56, 0xaf, 0x06, 0xdc, + 0x08, 0x77, 0x9a, 0x37, 0x4e, 0xe4, 0x60, 0x7e, 0xab, 0x61, 0xa9, 0x3a, 0xdc, 0x56, 0x08, 0xf4, + 0xec, 0x36, 0xe4, 0x7f, 0x2a, 0x0f, 0x75, 0x4e, 0x8f, 0xf8, 0x39, 0xa8, 0xa1, 0x9b, 0x1d, 0xb1, + 0xe8, 0x84, 0xea, 0x4c, 0xf3, 0x48, 0xcd, 0x45, 0x50, 0x69, 0xeb, 0x87, 0xaf, 0xd5, 0x36, 0x45, + 0xb4, 0x4e, 0x28, 0xa0, 0xa5, 0x68, 0x08, 0xf5, 0x03, 0x1d, 0xa5, 0xba, 0x91, 0x12, 0x76, 0x8d, + 0xfb, 0xfc, 0xa4, 0x4e, 0xbe, 0x63, 0xa0, 0xc0, 0x57, 0x2b, 0x73, 0x1d, 0x66, 0x12, 0x2f, 0xb7, + 0x16, 0x09, 0xbe, 0x14, 0x80, 0xfa, 0xa4, 0xe4, 0xf7, 0x5e, 0x43, 0x95, 0x51, 0x59, 0xd7, 0x0f, + 0x08, 0x1e, 0x2a, 0x32, 0xfb, 0xb1, 0x9a, 0x48, 0xb9, 0xf1, 0x62, 0xcf, 0x6b, 0x2f, 0xb4, 0x45, + 0xd2, 0xd6, 0x99, 0x4b, 0xc5, 0x89, 0x10, 0xa2, 0x6b, 0x59, 0x43, 0x47, 0x78, 0x03, 0xcd, 0xaa, + 0xa1, 0xbd, 0x74, 0xb0, 0xda, 0x0a, 0x5d, 0x05, 0x3d, 0x8b, 0x1d, 0xc5, 0x93, 0x09, 0x1d, 0xb5, + 0x38, 0x83, 0x83, 0xc2, 0x60, 0x79, 0xf3, 0x44, 0xe2, 0xae, 0xa6, 0x00, 0xd0, 0xe3, 0x24, 0x16, + 0x4b, 0x45, 0x0f, 0x7b, 0x9b, 0x46, 0x51, 0x11, 0xb7, 0x26, 0x5f, 0x3b, 0x1b, 0x06, 0x30, 0x89, + 0xae, 0x7e, 0x26, 0x23, 0xfc, 0x0f, 0xda, 0x80, 0x52, 0xcf, 0x4b, 0xf3, 0x37, 0x91, 0x02, 0xfb, + 0xf7, 0x1d, 0x7c, 0x98, 0xe8, 0x25, 0x86, 0x64, 0xce, 0xed, 0x63, 0x7d, 0x20, 0xf9, 0x5f, 0xf0, + 0x11, 0x18, 0x81, 0xe6, 0x50, 0xce, 0x61, 0xf2, 0x51, 0xd9, 0xc3, 0xa6, 0x29, 0xef, 0x22, 0x2d, + }; + + +STATIC VOID *mRsa; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaPssPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + mRsa = RsaNew (); + + if (mRsa == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyRsaPssCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + if (mRsa != NULL) { + RsaFree (mRsa); + mRsa = NULL; + } +} + + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaPssSignVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINT8 *Signature; + UINTN SigSize; + BOOLEAN Status; + + Status = RsaSetKey (mRsa, RsaKeyN, RsaPssN, sizeof (RsaPssN)); + UT_ASSERT_TRUE (Status); + + Status = RsaSetKey (mRsa, RsaKeyE, RsaPssE, sizeof (RsaPssE)); + UT_ASSERT_TRUE (Status); + + Status = RsaSetKey (mRsa, RsaKeyD, RsaPssD, sizeof (RsaPssD)); + UT_ASSERT_TRUE (Status); + + SigSize = 0; + Status = RsaPssSign (mRsa, PssMessage, sizeof(PssMessage), SHA256_DIGEST_SIZE, SHA256_DIGEST_SIZE, NULL, &SigSize); + UT_ASSERT_FALSE (Status); + UT_ASSERT_NOT_EQUAL (SigSize, 0); + + Signature = AllocatePool (SigSize); + Status = RsaPssSign (mRsa, PssMessage, sizeof(PssMessage), SHA256_DIGEST_SIZE, SHA256_DIGEST_SIZE, Signature, &SigSize); + UT_ASSERT_TRUE (Status); + + // + // Verify RSA PSS encoded Signature generated in above step + // + Status = RsaPssVerify (mRsa, PssMessage, sizeof(PssMessage), Signature, SigSize, SHA256_DIGEST_SIZE, SHA256_DIGEST_SIZE); + UT_ASSERT_TRUE (Status); + + // + // Verify NIST FIPS 186-3 RSA test vector signature + // + Status = RsaPssVerify (mRsa, PssMessage, sizeof(PssMessage), TestVectorSignature, sizeof(TestVectorSignature), SHA256_DIGEST_SIZE, SHA256_DIGEST_SIZE); + UT_ASSERT_TRUE (Status); + + FreePool(Signature); + return UNIT_TEST_PASSED; +} + + +TEST_DESC mRsaPssTest[] = { + // + // -----Description--------------------------------------Class----------------------Function---------------------------------Pre---------------------Post---------Context + // + {"TestVerifyRsaPssSignVerify()", "CryptoPkg.BaseCryptLib.Rsa", TestVerifyRsaPssSignVerify, TestVerifyRsaPssPreReq, TestVerifyRsaPssCleanUp, NULL}, +}; + +UINTN mRsaPssTestNum = ARRAY_SIZE(mRsaPssTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c new file mode 100644 index 00000000..4186c706 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c @@ -0,0 +1,312 @@ +/** @file + Application for RSA Primitives Validation. + +Copyright (c) 2010, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +#define RSA_MODULUS_LENGTH 512 + +// +// RSA PKCS#1 Validation Data from OpenSSL "Fips_rsa_selftest.c" +// + +// +// Public Modulus of RSA Key +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 RsaN[] = { + 0xBB, 0xF8, 0x2F, 0x09, 0x06, 0x82, 0xCE, 0x9C, 0x23, 0x38, 0xAC, 0x2B, 0x9D, 0xA8, 0x71, 0xF7, + 0x36, 0x8D, 0x07, 0xEE, 0xD4, 0x10, 0x43, 0xA4, 0x40, 0xD6, 0xB6, 0xF0, 0x74, 0x54, 0xF5, 0x1F, + 0xB8, 0xDF, 0xBA, 0xAF, 0x03, 0x5C, 0x02, 0xAB, 0x61, 0xEA, 0x48, 0xCE, 0xEB, 0x6F, 0xCD, 0x48, + 0x76, 0xED, 0x52, 0x0D, 0x60, 0xE1, 0xEC, 0x46, 0x19, 0x71, 0x9D, 0x8A, 0x5B, 0x8B, 0x80, 0x7F, + 0xAF, 0xB8, 0xE0, 0xA3, 0xDF, 0xC7, 0x37, 0x72, 0x3E, 0xE6, 0xB4, 0xB7, 0xD9, 0x3A, 0x25, 0x84, + 0xEE, 0x6A, 0x64, 0x9D, 0x06, 0x09, 0x53, 0x74, 0x88, 0x34, 0xB2, 0x45, 0x45, 0x98, 0x39, 0x4E, + 0xE0, 0xAA, 0xB1, 0x2D, 0x7B, 0x61, 0xA5, 0x1F, 0x52, 0x7A, 0x9A, 0x41, 0xF6, 0xC1, 0x68, 0x7F, + 0xE2, 0x53, 0x72, 0x98, 0xCA, 0x2A, 0x8F, 0x59, 0x46, 0xF8, 0xE5, 0xFD, 0x09, 0x1D, 0xBD, 0xCB + }; + +// +// Public Exponent of RSA Key +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 RsaE[] = { 0x11 }; + +// +// Private Exponent of RSA Key +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 RsaD[] = { + 0xA5, 0xDA, 0xFC, 0x53, 0x41, 0xFA, 0xF2, 0x89, 0xC4, 0xB9, 0x88, 0xDB, 0x30, 0xC1, 0xCD, 0xF8, + 0x3F, 0x31, 0x25, 0x1E, 0x06, 0x68, 0xB4, 0x27, 0x84, 0x81, 0x38, 0x01, 0x57, 0x96, 0x41, 0xB2, + 0x94, 0x10, 0xB3, 0xC7, 0x99, 0x8D, 0x6B, 0xC4, 0x65, 0x74, 0x5E, 0x5C, 0x39, 0x26, 0x69, 0xD6, + 0x87, 0x0D, 0xA2, 0xC0, 0x82, 0xA9, 0x39, 0xE3, 0x7F, 0xDC, 0xB8, 0x2E, 0xC9, 0x3E, 0xDA, 0xC9, + 0x7F, 0xF3, 0xAD, 0x59, 0x50, 0xAC, 0xCF, 0xBC, 0x11, 0x1C, 0x76, 0xF1, 0xA9, 0x52, 0x94, 0x44, + 0xE5, 0x6A, 0xAF, 0x68, 0xC5, 0x6C, 0x09, 0x2C, 0xD3, 0x8D, 0xC3, 0xBE, 0xF5, 0xD2, 0x0A, 0x93, + 0x99, 0x26, 0xED, 0x4F, 0x74, 0xA1, 0x3E, 0xDD, 0xFB, 0xE1, 0xA1, 0xCE, 0xCC, 0x48, 0x94, 0xAF, + 0x94, 0x28, 0xC2, 0xB7, 0xB8, 0x88, 0x3F, 0xE4, 0x46, 0x3A, 0x4B, 0xC8, 0x5B, 0x1C, 0xB3, 0xC1 + }; + +// +// Known Answer Test (KAT) Data for RSA PKCS#1 Signing +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST CHAR8 RsaSignData[] = "OpenSSL FIPS 140-2 Public Key RSA KAT"; + +// +// Known Signature for the above message, under SHA-1 Digest +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 RsaPkcs1Signature[] = { + 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, 0x4A, 0xFD, 0x1A, 0x05, + 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, + 0x55, 0x77, 0x90, 0xCF, 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, + 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, 0x20, 0x22, 0xBE, 0x59, + 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, + 0x4E, 0xCA, 0x2E, 0x4E, 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, + 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, 0x72, 0x05, 0xDE, 0xE6, + 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 + }; + +// +// Default public key 0x10001 = 65537 +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 DefaultPublicKey[] = { + 0x01, 0x00, 0x01 +}; + +VOID *mRsa; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaPreReq ( + UNIT_TEST_CONTEXT Context + ) +{ + mRsa = RsaNew (); + + if (mRsa == NULL) { + return UNIT_TEST_ERROR_TEST_FAILED; + } + + return UNIT_TEST_PASSED; +} + +VOID +EFIAPI +TestVerifyRsaCleanUp ( + UNIT_TEST_CONTEXT Context + ) +{ + if (mRsa != NULL) { + RsaFree (mRsa); + mRsa = NULL; + } +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaSetGetKeyComponents ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + UINTN KeySize; + UINT8 *KeyBuffer; + + // + // Set/Get RSA Key Components + // + + // + // Set/Get RSA Key N + // + Status = RsaSetKey (mRsa, RsaKeyN, RsaN, sizeof (RsaN)); + UT_ASSERT_TRUE (Status); + + KeySize = 0; + Status = RsaGetKey (mRsa, RsaKeyN, NULL, &KeySize); + UT_ASSERT_FALSE (Status); + UT_ASSERT_EQUAL (KeySize, sizeof (RsaN)); + + KeyBuffer = AllocatePool (KeySize); + Status = RsaGetKey (mRsa, RsaKeyN, KeyBuffer, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, sizeof (RsaN)); + + UT_ASSERT_MEM_EQUAL (KeyBuffer, RsaN, KeySize); + + FreePool (KeyBuffer); + + // + // Set/Get RSA Key E + // + Status = RsaSetKey (mRsa, RsaKeyE, RsaE, sizeof (RsaE)); + UT_ASSERT_TRUE (Status); + + KeySize = 0; + Status = RsaGetKey (mRsa, RsaKeyE, NULL, &KeySize); + UT_ASSERT_FALSE (Status); + UT_ASSERT_EQUAL (KeySize, sizeof (RsaE)); + + KeyBuffer = AllocatePool (KeySize); + Status = RsaGetKey (mRsa, RsaKeyE, KeyBuffer, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, sizeof (RsaE)); + + UT_ASSERT_MEM_EQUAL (KeyBuffer, RsaE, KeySize); + + FreePool (KeyBuffer); + + // + // Clear/Get RSA Key Components + // + + // + // Clear/Get RSA Key N + // + Status = RsaSetKey (mRsa, RsaKeyN, NULL, 0); + UT_ASSERT_TRUE (Status); + + KeySize = 1; + Status = RsaGetKey (mRsa, RsaKeyN, NULL, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, 0); + + // + // Clear/Get RSA Key E + // + Status = RsaSetKey (mRsa, RsaKeyE, NULL, 0); + UT_ASSERT_TRUE (Status); + + KeySize = 1; + Status = RsaGetKey (mRsa, RsaKeyE, NULL, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, 0); + + return UNIT_TEST_PASSED; +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaGenerateKeyComponents ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + UINTN KeySize; + UINT8 *KeyBuffer; + + // + // Generate RSA Key Components + // + + Status = RsaGenerateKey (mRsa, RSA_MODULUS_LENGTH, NULL, 0); + UT_ASSERT_TRUE (Status); + + KeySize = RSA_MODULUS_LENGTH / 8; + KeyBuffer = AllocatePool (KeySize); + Status = RsaGetKey (mRsa, RsaKeyE, KeyBuffer, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, 3); + UT_ASSERT_MEM_EQUAL (KeyBuffer, DefaultPublicKey, 3); + + KeySize = RSA_MODULUS_LENGTH / 8; + Status = RsaGetKey (mRsa, RsaKeyN, KeyBuffer, &KeySize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (KeySize, RSA_MODULUS_LENGTH / 8); + + Status = RsaCheckKey (mRsa); + UT_ASSERT_TRUE (Status); + + // + // Check invalid RSA key components + // + Status = RsaSetKey (mRsa, RsaKeyN, RsaN, sizeof (RsaN)); + UT_ASSERT_TRUE (Status); + + Status = RsaCheckKey (mRsa); + UT_ASSERT_FALSE (Status); + + Status = RsaSetKey (mRsa, RsaKeyN, KeyBuffer, KeySize); + UT_ASSERT_TRUE (Status); + + Status = RsaCheckKey (mRsa); + UT_ASSERT_TRUE (Status); + + Status = RsaSetKey (mRsa, RsaKeyE, RsaE, sizeof (RsaE)); + UT_ASSERT_TRUE (Status); + + Status = RsaCheckKey (mRsa); + UT_ASSERT_FALSE (Status); + + FreePool (KeyBuffer); + + return UNIT_TEST_PASSED; +} + +UNIT_TEST_STATUS +EFIAPI +TestVerifyRsaPkcs1SignVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINT8 HashValue[SHA1_DIGEST_SIZE]; + UINTN HashSize; + UINT8 *Signature; + UINTN SigSize; + BOOLEAN Status; + + // + // SHA-1 Digest Message for PKCS#1 Signature + // + HashSize = SHA1_DIGEST_SIZE; + ZeroMem (HashValue, HashSize); + + Status = Sha1HashAll (RsaSignData, AsciiStrLen (RsaSignData), HashValue); + UT_ASSERT_TRUE (Status); + + // + // Sign RSA PKCS#1-encoded Signature + // + + Status = RsaSetKey (mRsa, RsaKeyN, RsaN, sizeof (RsaN)); + UT_ASSERT_TRUE (Status); + + Status = RsaSetKey (mRsa, RsaKeyE, RsaE, sizeof (RsaE)); + UT_ASSERT_TRUE (Status); + + Status = RsaSetKey (mRsa, RsaKeyD, RsaD, sizeof (RsaD)); + UT_ASSERT_TRUE (Status); + + SigSize = 0; + Status = RsaPkcs1Sign (mRsa, HashValue, HashSize, NULL, &SigSize); + UT_ASSERT_FALSE (Status); + UT_ASSERT_NOT_EQUAL (SigSize, 0); + + Signature = AllocatePool (SigSize); + Status = RsaPkcs1Sign (mRsa, HashValue, HashSize, Signature, &SigSize); + UT_ASSERT_TRUE (Status); + UT_ASSERT_EQUAL (SigSize, sizeof (RsaPkcs1Signature)); + + UT_ASSERT_MEM_EQUAL (Signature, RsaPkcs1Signature, SigSize); + + // + // Verify RSA PKCS#1-encoded Signature + // + Status = RsaPkcs1Verify (mRsa, HashValue, HashSize, Signature, SigSize); + UT_ASSERT_TRUE (Status); + + FreePool(Signature); + + return UNIT_TEST_PASSED; +} + +TEST_DESC mRsaTest[] = { + // + // -----Description--------------------------------------Class----------------------Function---------------------------------Pre---------------------Post---------Context + // + {"TestVerifyRsaSetGetKeyComponents()", "CryptoPkg.BaseCryptLib.Rsa", TestVerifyRsaSetGetKeyComponents, TestVerifyRsaPreReq, TestVerifyRsaCleanUp, NULL}, + {"TestVerifyRsaGenerateKeyComponents()", "CryptoPkg.BaseCryptLib.Rsa", TestVerifyRsaGenerateKeyComponents, TestVerifyRsaPreReq, TestVerifyRsaCleanUp, NULL}, + {"TestVerifyRsaPkcs1SignVerify()", "CryptoPkg.BaseCryptLib.Rsa", TestVerifyRsaPkcs1SignVerify, TestVerifyRsaPreReq, TestVerifyRsaCleanUp, NULL}, +}; + +UINTN mRsaTestNum = ARRAY_SIZE(mRsaTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TSTests.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TSTests.c new file mode 100644 index 00000000..c326ce18 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TSTests.c @@ -0,0 +1,335 @@ +/** @file + Sample Implementation for RFC3161 Time Stamping Verification. + +Copyright (c) 2014, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "TestBaseCryptLib.h" + +// +// Sample Authenticode Data with RFC3161 time stamping signature. +// The data retrieved from one signed sample UEFI image, which is generated by MSFT's signtool +// utility in conjunction with RFC3161 timestamping, as the following command: +// signtool sign /ac / f /p /fd +// /tr http://timestamp.comodoca.com/rfc3161 sample.efi +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 AuthenticodeWithTS[] = { + 0x30, 0x82, 0x0c, 0x00, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, + 0x82, 0x0b, 0xf1, 0x30, 0x82, 0x0b, 0xed, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x78, 0x06, 0x0a, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0xa0, 0x6a, 0x30, 0x68, 0x30, 0x33, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f, 0x30, 0x25, 0x03, 0x01, 0x00, + 0xa0, 0x20, 0xa2, 0x1e, 0x80, 0x1c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62, + 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, + 0x00, 0x3e, 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, + 0x01, 0x05, 0x00, 0x04, 0x20, 0x1e, 0x9e, 0x74, 0x31, 0xe1, 0x3e, 0x51, 0x46, 0xab, 0xce, 0x10, + 0x0d, 0x7c, 0x38, 0x66, 0x34, 0xd4, 0xdd, 0x04, 0xa5, 0xe7, 0x75, 0x40, 0xdd, 0x99, 0x73, 0xf3, + 0x2a, 0x54, 0x3e, 0xa8, 0x18, 0xa0, 0x82, 0x01, 0xee, 0x30, 0x82, 0x01, 0xea, 0x30, 0x82, 0x01, + 0x57, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x2c, 0x65, 0xcf, 0xcf, 0xdd, 0x61, 0x7b, 0xa4, + 0x41, 0xad, 0x26, 0x1b, 0x63, 0xce, 0x91, 0x0f, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, + 0x1d, 0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x08, + 0x54, 0x65, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x37, + 0x32, 0x38, 0x30, 0x37, 0x33, 0x38, 0x35, 0x39, 0x5a, 0x17, 0x0d, 0x33, 0x39, 0x31, 0x32, 0x33, + 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x07, 0x54, 0x65, 0x73, 0x74, 0x53, 0x75, 0x62, 0x30, 0x81, 0x9f, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, + 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0x94, 0xa6, 0x02, 0x15, 0x87, 0xd6, 0xbf, + 0x71, 0xe8, 0xc6, 0x68, 0xf6, 0x9f, 0x66, 0x09, 0x6c, 0xe7, 0x39, 0x52, 0xf4, 0x4e, 0xaf, 0xf5, + 0xe0, 0xba, 0x0f, 0xfd, 0xe6, 0x77, 0xa9, 0x71, 0x5b, 0x5c, 0x92, 0x50, 0x1d, 0xfd, 0x9b, 0x6e, + 0x52, 0x92, 0x9e, 0x3a, 0x75, 0x86, 0x41, 0x2a, 0x41, 0x30, 0x1b, 0x67, 0x66, 0x91, 0xde, 0x71, + 0x84, 0xe0, 0x90, 0xc3, 0x50, 0x36, 0x78, 0xb5, 0xa0, 0x1e, 0x72, 0xde, 0xe7, 0x66, 0x42, 0x4f, + 0x59, 0x5e, 0x3d, 0xf3, 0x85, 0x82, 0x0b, 0xa8, 0x26, 0x2d, 0xd9, 0xe3, 0x14, 0xda, 0x9d, 0x2e, + 0x3f, 0x53, 0x4d, 0x8d, 0x10, 0xbf, 0xa4, 0x7c, 0xe5, 0xaf, 0x3a, 0xa6, 0xaf, 0x49, 0x64, 0xb0, + 0x60, 0x17, 0x87, 0x71, 0x77, 0x59, 0x52, 0xe5, 0x5a, 0xed, 0x96, 0x7d, 0x7e, 0x5d, 0xc1, 0xef, + 0x6b, 0xfb, 0x80, 0xc5, 0x2b, 0x10, 0xfe, 0xe7, 0xd3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x48, + 0x30, 0x46, 0x30, 0x44, 0x06, 0x03, 0x55, 0x1d, 0x01, 0x04, 0x3d, 0x30, 0x3b, 0x80, 0x10, 0x19, + 0x8d, 0x48, 0xa1, 0xb9, 0xf3, 0x5e, 0x3c, 0x13, 0xb4, 0x08, 0xb6, 0xd9, 0xf3, 0x4f, 0x0a, 0xa1, + 0x15, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x08, 0x54, 0x65, + 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x82, 0x10, 0x27, 0xcb, 0x16, 0x33, 0x8b, 0xed, 0x4d, 0xa8, + 0x47, 0xf0, 0x86, 0x47, 0x10, 0xef, 0x15, 0xd9, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, + 0x1d, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x51, 0x94, 0xed, 0x7a, 0x5c, 0x0b, 0x34, 0x16, 0x9c, + 0xf4, 0x5f, 0x88, 0x16, 0xa8, 0x4b, 0x13, 0xfc, 0xa4, 0x0a, 0xc7, 0xd9, 0x20, 0xb1, 0x93, 0xc5, + 0x81, 0x4f, 0x35, 0x3a, 0x89, 0x10, 0x04, 0xc4, 0xcc, 0x10, 0x34, 0xc3, 0x15, 0x57, 0x06, 0x97, + 0xee, 0x06, 0x2f, 0xf3, 0x24, 0xa1, 0xe6, 0x3a, 0x89, 0x4d, 0xb4, 0x7b, 0x12, 0x87, 0x90, 0x8c, + 0xfc, 0x5b, 0xb0, 0xf0, 0xdd, 0xaa, 0x3a, 0x24, 0x6d, 0x55, 0x47, 0x8a, 0xf2, 0x61, 0x08, 0x7a, + 0x59, 0x5f, 0x6e, 0x7b, 0xcb, 0x34, 0xbe, 0xb6, 0x5d, 0xcb, 0x60, 0xae, 0xc4, 0xda, 0x62, 0xbb, + 0x7f, 0x17, 0x1e, 0x73, 0xd1, 0x4e, 0x9f, 0x6e, 0xd3, 0xc8, 0x35, 0x58, 0x30, 0xd2, 0x89, 0xe5, + 0x22, 0x5e, 0x86, 0xac, 0x7a, 0x56, 0xd6, 0x70, 0xdb, 0x54, 0x10, 0x6c, 0xd3, 0xd5, 0x38, 0xfb, + 0x69, 0xcb, 0x4f, 0x36, 0x83, 0xc2, 0xe8, 0x31, 0x82, 0x09, 0x69, 0x30, 0x82, 0x09, 0x65, 0x02, + 0x01, 0x01, 0x30, 0x27, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, + 0x08, 0x54, 0x65, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x02, 0x10, 0x2c, 0x65, 0xcf, 0xcf, 0xdd, + 0x61, 0x7b, 0xa4, 0x41, 0xad, 0x26, 0x1b, 0x63, 0xce, 0x91, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x5e, 0x30, 0x10, 0x06, 0x0a, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0c, 0x31, 0x02, 0x30, 0x00, 0x30, 0x19, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0c, 0x06, 0x0a, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x22, 0x04, 0x20, 0x97, 0x6e, 0x29, 0x47, 0xc4, 0x03, + 0x68, 0x70, 0x1c, 0x99, 0x2c, 0x61, 0xb0, 0xbc, 0xde, 0x77, 0xe1, 0xa1, 0xeb, 0x4c, 0x1c, 0xac, + 0x4c, 0x64, 0xf6, 0x43, 0x96, 0x94, 0x0b, 0xc0, 0xbb, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x81, 0x80, 0x85, 0x93, 0xad, 0x93, + 0x92, 0x9e, 0xa4, 0x94, 0x30, 0x02, 0xe1, 0xc8, 0xcd, 0x37, 0xb2, 0xe1, 0xcb, 0xb2, 0x0f, 0x1c, + 0x67, 0xd1, 0xc9, 0xeb, 0x4d, 0x68, 0x85, 0x97, 0x5a, 0xa6, 0x0c, 0x03, 0xc7, 0x86, 0xae, 0xb3, + 0x35, 0xb4, 0x1d, 0x0e, 0x95, 0x5f, 0xed, 0x37, 0x13, 0x6b, 0x1e, 0x94, 0x80, 0xf1, 0xac, 0x55, + 0x73, 0xd1, 0x31, 0xf9, 0xad, 0x13, 0x7b, 0x26, 0xbf, 0xe7, 0x55, 0x7b, 0xb2, 0xf9, 0x21, 0x42, + 0x23, 0x64, 0xe6, 0x45, 0x03, 0x67, 0xcb, 0x42, 0xd3, 0x71, 0x3f, 0xd5, 0x29, 0x17, 0x4b, 0x49, + 0x45, 0x0e, 0x8b, 0xba, 0x1f, 0x15, 0x5a, 0x7f, 0x7b, 0x5e, 0x9b, 0x22, 0x46, 0xa7, 0x9c, 0x0d, + 0x25, 0x9c, 0x76, 0x25, 0x02, 0xc8, 0x15, 0x00, 0x51, 0xe6, 0x73, 0x39, 0xac, 0x8d, 0x41, 0x7b, + 0xc8, 0x42, 0xc9, 0xdb, 0x1b, 0x16, 0x13, 0xf6, 0x44, 0x32, 0xef, 0x17, 0xa1, 0x82, 0x08, 0x34, + 0x30, 0x82, 0x08, 0x30, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x03, 0x03, 0x01, + 0x31, 0x82, 0x08, 0x20, + 0x30, 0x82, 0x08, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, + 0x82, 0x08, 0x0d, 0x30, 0x82, 0x08, 0x09, 0x02, 0x01, 0x03, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, + 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x81, 0xf6, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x01, 0x04, 0xa0, 0x81, 0xe6, 0x04, 0x81, 0xe3, 0x30, 0x81, 0xe0, + 0x02, 0x01, 0x01, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xb2, 0x31, 0x02, 0x01, 0x01, 0x30, + 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0xcd, 0x06, + 0xf0, 0xbd, 0x8b, 0xcd, 0x5c, 0x2e, 0x5a, 0x7c, 0x42, 0x56, 0x2c, 0x20, 0x4a, 0x15, 0xcb, 0x1d, + 0x8b, 0x0e, 0x02, 0x15, 0x00, 0xb6, 0xff, 0x47, 0x05, 0xb6, 0x2d, 0x15, 0xac, 0x3f, 0x5d, 0xd9, + 0xcf, 0x9d, 0x54, 0x35, 0x56, 0x7c, 0xc1, 0x6e, 0x8b, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, + 0x37, 0x32, 0x38, 0x30, 0x38, 0x35, 0x30, 0x30, 0x33, 0x5a, 0xa0, 0x81, 0x83, 0xa4, 0x81, 0x80, + 0x30, 0x7e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, + 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12, 0x47, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x72, 0x20, 0x4d, 0x61, 0x6e, 0x63, 0x68, 0x65, 0x73, 0x74, 0x65, 0x72, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x53, 0x61, 0x6c, 0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, + 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, + 0x43, 0x41, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x1b, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x54, 0x69, 0x6d, 0x65, + 0x20, 0x53, 0x74, 0x61, 0x6d, 0x70, 0x69, 0x6e, 0x67, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, + 0xa0, 0x82, 0x04, 0x97, 0x30, 0x82, 0x04, 0x93, 0x30, 0x82, 0x03, 0x7b, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x10, 0x47, 0x8a, 0x8e, 0xfb, 0x59, 0xe1, 0xd8, 0x3f, 0x0c, 0xe1, 0x42, 0xd2, 0xa2, + 0x87, 0x07, 0xbe, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, + 0x05, 0x00, 0x30, 0x81, 0x95, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x55, 0x54, 0x31, + 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, + 0x61, 0x6b, 0x65, 0x20, 0x43, 0x69, 0x74, 0x79, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x15, 0x54, 0x68, 0x65, 0x20, 0x55, 0x53, 0x45, 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, + 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x13, 0x18, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x75, 0x73, + 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1d, 0x30, 0x1b, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x14, 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, + 0x72, 0x73, 0x74, 0x2d, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, + 0x30, 0x35, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, + 0x35, 0x31, 0x30, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x7e, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x13, 0x12, 0x47, 0x72, 0x65, 0x61, 0x74, 0x65, 0x72, 0x20, 0x4d, 0x61, 0x6e, 0x63, + 0x68, 0x65, 0x73, 0x74, 0x65, 0x72, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, + 0x07, 0x53, 0x61, 0x6c, 0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x11, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x43, 0x41, 0x20, 0x4c, 0x69, 0x6d, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1b, 0x43, + 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x53, 0x74, 0x61, 0x6d, 0x70, + 0x69, 0x6e, 0x67, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0x35, 0xa0, 0x36, 0x70, + 0x22, 0x81, 0x11, 0xc3, 0xb2, 0x83, 0xb9, 0xd3, 0x28, 0xc6, 0x36, 0xcd, 0x25, 0x6b, 0xa9, 0x7b, + 0xb2, 0x1c, 0xf6, 0x9b, 0x51, 0x9c, 0xef, 0x35, 0xf4, 0xed, 0x08, 0x8e, 0x5e, 0x38, 0x08, 0xf8, + 0x77, 0x3c, 0x0a, 0x42, 0xe0, 0xf3, 0x70, 0xdc, 0xa3, 0xd7, 0xca, 0xf5, 0x4c, 0x0b, 0xcf, 0xff, + 0x22, 0x9c, 0x0a, 0x7e, 0x68, 0xd6, 0x09, 0xa2, 0x2a, 0x84, 0x7b, 0xa6, 0x9d, 0xb4, 0xa9, 0xc1, + 0x33, 0xe2, 0xef, 0x1f, 0x17, 0x48, 0xca, 0x3a, 0xcd, 0x46, 0xe6, 0xc5, 0xaa, 0x77, 0xbd, 0xe3, + 0x77, 0x9a, 0xfa, 0x47, 0x53, 0x40, 0x28, 0x59, 0x43, 0x93, 0xf1, 0xa4, 0x81, 0xea, 0xef, 0x80, + 0xb5, 0x4f, 0xa7, 0x08, 0xce, 0xba, 0x6e, 0xbc, 0xca, 0x76, 0x0c, 0x97, 0x64, 0x59, 0x86, 0x24, + 0xbb, 0x3d, 0x82, 0x90, 0xa8, 0x55, 0xb1, 0x92, 0xd3, 0xa0, 0xa7, 0x05, 0xac, 0x9f, 0x53, 0x25, + 0x08, 0x10, 0x47, 0x99, 0xcd, 0x98, 0xde, 0x68, 0xe5, 0xb4, 0x50, 0x78, 0xa3, 0xaf, 0x01, 0xcc, + 0x59, 0x43, 0x58, 0xe4, 0x76, 0x6e, 0x7e, 0xac, 0xc7, 0xe2, 0x9e, 0x1f, 0x4f, 0xb0, 0x47, 0x2d, + 0xc8, 0x0c, 0xa3, 0x49, 0x27, 0x80, 0x75, 0x8c, 0xbb, 0x06, 0x91, 0x65, 0x0f, 0x90, 0x9b, 0xf4, + 0xba, 0xd1, 0x81, 0xc8, 0x5c, 0x6a, 0xec, 0x14, 0xe9, 0x25, 0x09, 0xbf, 0x23, 0x16, 0xf4, 0x95, + 0x46, 0x40, 0x40, 0x21, 0xbb, 0x83, 0x96, 0xfd, 0x86, 0x1f, 0x7a, 0xc8, 0x0d, 0x10, 0x8e, 0xa2, + 0xf8, 0x19, 0x07, 0x58, 0x7f, 0x9f, 0xbd, 0x37, 0x02, 0x60, 0xf2, 0xa4, 0xe9, 0x9d, 0x44, 0x3f, + 0x30, 0x05, 0xe4, 0xa7, 0x70, 0x99, 0x51, 0x9a, 0xe8, 0x17, 0xf1, 0x55, 0xca, 0xb2, 0x61, 0x89, + 0x65, 0x46, 0xa7, 0x6a, 0xf2, 0x58, 0x46, 0x7e, 0xaa, 0xa0, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x81, 0xf4, 0x30, 0x81, 0xf1, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0xda, 0xed, 0x64, 0x74, 0x14, 0x9c, 0x14, 0x3c, 0xab, 0xdd, 0x99, 0xa9, 0xbd, + 0x5b, 0x28, 0x4d, 0x8b, 0x3c, 0xc9, 0xd8, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0x2e, 0x2d, 0xb0, 0x0a, 0x44, 0x4a, 0xd3, 0x87, 0xc0, 0x02, 0x07, 0xce, 0x97, 0x7d, + 0x50, 0x62, 0x20, 0xfd, 0x0f, 0x83, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, + 0x04, 0x04, 0x03, 0x02, 0x06, 0xc0, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x02, 0x30, 0x00, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08, 0x30, 0x42, 0x06, 0x03, + 0x55, 0x1d, 0x1f, 0x04, 0x3b, 0x30, 0x39, 0x30, 0x37, 0xa0, 0x35, 0xa0, 0x33, 0x86, 0x31, 0x68, + 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, + 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, + 0x46, 0x69, 0x72, 0x73, 0x74, 0x2d, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x2e, 0x63, 0x72, 0x6c, + 0x30, 0x35, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x29, 0x30, 0x27, + 0x30, 0x25, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x19, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, + 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xc8, 0xfb, 0x63, 0xf8, 0x0b, + 0x75, 0x75, 0x2c, 0x3a, 0xf1, 0xf2, 0x13, 0xa7, 0x2d, 0xb6, 0xa3, 0x1a, 0x9c, 0xad, 0x01, 0x07, + 0xd3, 0x34, 0x8e, 0x77, 0xe0, 0xc2, 0x6e, 0xae, 0x02, 0x5d, 0x48, 0x4f, 0xa4, 0xd2, 0x21, 0xb6, + 0x36, 0xfd, 0x2a, 0x35, 0x43, 0x7c, 0x6b, 0xdf, 0x80, 0x87, 0x0b, 0x15, 0xf0, 0x76, 0x32, 0x00, + 0xb4, 0xce, 0xb5, 0x67, 0xa4, 0x2f, 0x2f, 0x20, 0x1b, 0x9c, 0x54, 0x9e, 0x83, 0x3f, 0x1f, 0x5f, + 0x14, 0x95, 0x62, 0x82, 0x0f, 0x22, 0x41, 0x22, 0x1f, 0x70, 0xb3, 0xf3, 0xf7, 0x42, 0xde, 0x6c, + 0x51, 0xcd, 0x4b, 0xf8, 0x21, 0xac, 0x9b, 0x3b, 0x8c, 0xb1, 0xe5, 0xe6, 0x28, 0x8f, 0xce, 0x2a, + 0x8a, 0xf9, 0xaa, 0x52, 0x4d, 0x8c, 0x5b, 0x77, 0xba, 0x4d, 0x5a, 0x58, 0xdb, 0xbb, 0x6a, 0x04, + 0xcc, 0x52, 0x1e, 0x9d, 0xe2, 0x28, 0x37, 0x0e, 0xbb, 0xe7, 0x0e, 0x91, 0xc7, 0xf8, 0xdb, 0xf1, + 0x81, 0x98, 0xeb, 0xcd, 0x37, 0xb3, 0x0e, 0xab, 0x65, 0xd3, 0x62, 0xec, 0x3a, 0xa5, 0x76, 0xeb, + 0x13, 0xa8, 0x35, 0x93, 0xc9, 0x2e, 0x0a, 0x01, 0xec, 0xc0, 0xe8, 0xcc, 0x3d, 0x7e, 0xb6, 0xeb, + 0xe2, 0xc1, 0xec, 0xd3, 0x14, 0x92, 0x82, 0x66, 0x87, 0x50, 0xdc, 0xfd, 0x50, 0x97, 0xac, 0xb3, + 0x4a, 0x76, 0x73, 0x06, 0xc4, 0x86, 0x11, 0x3a, 0xb3, 0x5f, 0x43, 0x04, 0x52, 0x6f, 0xea, 0xb3, + 0xd0, 0x74, 0x36, 0x4c, 0xca, 0xf1, 0x1b, 0x79, 0x84, 0x37, 0x70, 0x63, 0xad, 0x74, 0xb9, 0xaa, + 0x0e, 0xf3, 0x98, 0xb0, 0x86, 0x08, 0xeb, 0xdb, 0xe0, 0x1f, 0x8c, 0x10, 0xf2, 0x39, 0x64, 0x9b, + 0xae, 0x4f, 0x0a, 0x2c, 0x92, 0x8a, 0x4f, 0x18, 0xb5, 0x91, 0xe5, 0x8d, 0x1a, 0x93, 0x5f, 0x1f, + 0xae, 0xf1, 0xa6, 0xf0, 0x2e, 0x97, 0xd0, 0xd2, 0xf6, 0x2b, 0x3c, 0x31, 0x82, 0x02, 0x61, 0x30, + 0x82, 0x02, 0x5d, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaa, 0x30, 0x81, 0x95, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x13, 0x02, 0x55, 0x54, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, + 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, 0x61, 0x6b, 0x65, 0x20, 0x43, 0x69, 0x74, 0x79, 0x31, + 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x54, 0x68, 0x65, 0x20, 0x55, 0x53, + 0x45, 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, + 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x18, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, + 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x14, 0x55, 0x54, 0x4e, + 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, 0x72, 0x73, 0x74, 0x2d, 0x4f, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x02, 0x10, 0x47, 0x8a, 0x8e, 0xfb, 0x59, 0xe1, 0xd8, 0x3f, 0x0c, 0xe1, 0x42, 0xd2, 0xa2, + 0x87, 0x07, 0xbe, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0xa0, 0x81, + 0x8c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0d, + 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x01, 0x04, 0x30, 0x1c, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x34, + 0x30, 0x37, 0x32, 0x38, 0x30, 0x38, 0x35, 0x30, 0x30, 0x33, 0x5a, 0x30, 0x23, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14, 0x7a, 0xad, 0x35, 0xdc, + 0x5b, 0xd6, 0x00, 0xd7, 0x44, 0xac, 0x80, 0x8f, 0x4f, 0xb6, 0xb4, 0x03, 0x62, 0x34, 0x53, 0xdc, + 0x30, 0x2b, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x02, 0x0c, 0x31, + 0x1c, 0x30, 0x1a, 0x30, 0x18, 0x30, 0x16, 0x04, 0x14, 0x3d, 0xbb, 0x6d, 0xb5, 0x08, 0x5c, 0x6d, + 0xd5, 0xa1, 0xca, 0x7f, 0x9c, 0xf8, 0x4e, 0xcb, 0x1a, 0x39, 0x10, 0xca, 0xc8, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, + 0x73, 0x64, 0xb9, 0xa3, 0x54, 0x6f, 0x50, 0x97, 0x01, 0xa7, 0xf6, 0x0d, 0xb8, 0xce, 0x4b, 0xaa, + 0x43, 0xa2, 0x8f, 0xa3, 0xea, 0x93, 0xf2, 0xa3, 0xd0, 0x46, 0xde, 0xdd, 0x45, 0xe5, 0x94, 0x5a, + 0x45, 0xc2, 0x13, 0x1b, 0x90, 0x9b, 0xcf, 0x73, 0xcd, 0x28, 0x70, 0xf0, 0xf4, 0x54, 0xb5, 0x2d, + 0x31, 0xf9, 0xf3, 0x2d, 0x38, 0x78, 0xfe, 0x68, 0xea, 0x3c, 0xc0, 0xbe, 0x0b, 0x5a, 0x91, 0x49, + 0x63, 0xeb, 0x26, 0x32, 0x5b, 0x86, 0xcf, 0xe5, 0x8a, 0xa5, 0x9d, 0xe6, 0x4b, 0x57, 0x91, 0x8f, + 0x3c, 0xdc, 0xa6, 0x53, 0xd8, 0xdb, 0x8a, 0xfd, 0x3e, 0x7e, 0x19, 0x6f, 0x27, 0x72, 0x95, 0xc2, + 0x79, 0x73, 0xdf, 0xfb, 0x08, 0x5c, 0x5b, 0xc8, 0xb7, 0x94, 0x75, 0x88, 0x7a, 0x9a, 0x85, 0x9f, + 0x1b, 0xa3, 0x98, 0x30, 0x91, 0xee, 0xc0, 0x52, 0xd2, 0x75, 0x9c, 0xcb, 0x45, 0x0d, 0x94, 0x43, + 0x67, 0x7a, 0x49, 0x1c, 0xb1, 0x89, 0x9d, 0x6e, 0xfa, 0x87, 0xd2, 0x4d, 0x6e, 0x74, 0x90, 0xf5, + 0x80, 0x8c, 0x92, 0xda, 0xd9, 0xa1, 0x48, 0x20, 0x31, 0x02, 0x79, 0xde, 0xe3, 0xbd, 0x09, 0x04, + 0xa8, 0xd4, 0x99, 0xd7, 0x3b, 0xea, 0xf8, 0xdf, 0xb3, 0xb9, 0xd7, 0xa3, 0x36, 0xa1, 0xdb, 0xd3, + 0xec, 0x65, 0x8c, 0xb8, 0x8f, 0xfb, 0xd6, 0xef, 0x9c, 0x32, 0x3e, 0xab, 0x20, 0x74, 0xb9, 0x65, + 0x4c, 0xc6, 0x15, 0x2f, 0x31, 0x2a, 0x34, 0x3e, 0x84, 0x09, 0xb4, 0x75, 0xbc, 0xbe, 0xaf, 0xb3, + 0x9e, 0x85, 0xf1, 0xbb, 0x99, 0x1a, 0x07, 0xbd, 0x20, 0xa6, 0xed, 0xcf, 0xd1, 0xa6, 0x9a, 0x22, + 0xb2, 0x6d, 0x75, 0xf4, 0x23, 0x58, 0x13, 0x78, 0x73, 0x1a, 0xb2, 0x84, 0xde, 0xad, 0xe8, 0x6d, + 0xe6, 0xe7, 0x5c, 0xb6, 0xe6, 0x5b, 0x10, 0x37, 0x1f, 0xe3, 0x6e, 0xbd, 0x83, 0xd7, 0x51, 0xb1, + 0x00, 0x00, 0x00, 0x00, 0x0a + }; + +// +// The Comodo Time Stamping Signer Certificate Used for the verification of TimeStamp signature. +// +GLOBAL_REMOVE_IF_UNREFERENCED UINT8 TSTrustedCert[] = { + 0x30, 0x82, 0x04, 0x93, 0x30, 0x82, 0x03, 0x7b, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x47, + 0x8a, 0x8e, 0xfb, 0x59, 0xe1, 0xd8, 0x3f, 0x0c, 0xe1, 0x42, 0xd2, 0xa2, 0x87, 0x07, 0xbe, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, + 0x95, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x55, 0x54, 0x31, 0x17, 0x30, 0x15, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x13, 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, 0x61, 0x6b, 0x65, 0x20, + 0x43, 0x69, 0x74, 0x79, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x54, + 0x68, 0x65, 0x20, 0x55, 0x53, 0x45, 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, 0x4e, 0x65, 0x74, + 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x18, 0x68, + 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, + 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x14, 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, 0x72, 0x73, 0x74, 0x2d, + 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, 0x30, 0x35, 0x31, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x35, 0x31, 0x30, 0x32, + 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x7e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12, + 0x47, 0x72, 0x65, 0x61, 0x74, 0x65, 0x72, 0x20, 0x4d, 0x61, 0x6e, 0x63, 0x68, 0x65, 0x73, 0x74, + 0x65, 0x72, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x53, 0x61, 0x6c, + 0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x43, + 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x43, 0x41, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, + 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1b, 0x43, 0x4f, 0x4d, 0x4f, 0x44, + 0x4f, 0x20, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x53, 0x74, 0x61, 0x6d, 0x70, 0x69, 0x6e, 0x67, 0x20, + 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0x35, 0xa0, 0x36, 0x70, 0x22, 0x81, 0x11, 0xc3, + 0xb2, 0x83, 0xb9, 0xd3, 0x28, 0xc6, 0x36, 0xcd, 0x25, 0x6b, 0xa9, 0x7b, 0xb2, 0x1c, 0xf6, 0x9b, + 0x51, 0x9c, 0xef, 0x35, 0xf4, 0xed, 0x08, 0x8e, 0x5e, 0x38, 0x08, 0xf8, 0x77, 0x3c, 0x0a, 0x42, + 0xe0, 0xf3, 0x70, 0xdc, 0xa3, 0xd7, 0xca, 0xf5, 0x4c, 0x0b, 0xcf, 0xff, 0x22, 0x9c, 0x0a, 0x7e, + 0x68, 0xd6, 0x09, 0xa2, 0x2a, 0x84, 0x7b, 0xa6, 0x9d, 0xb4, 0xa9, 0xc1, 0x33, 0xe2, 0xef, 0x1f, + 0x17, 0x48, 0xca, 0x3a, 0xcd, 0x46, 0xe6, 0xc5, 0xaa, 0x77, 0xbd, 0xe3, 0x77, 0x9a, 0xfa, 0x47, + 0x53, 0x40, 0x28, 0x59, 0x43, 0x93, 0xf1, 0xa4, 0x81, 0xea, 0xef, 0x80, 0xb5, 0x4f, 0xa7, 0x08, + 0xce, 0xba, 0x6e, 0xbc, 0xca, 0x76, 0x0c, 0x97, 0x64, 0x59, 0x86, 0x24, 0xbb, 0x3d, 0x82, 0x90, + 0xa8, 0x55, 0xb1, 0x92, 0xd3, 0xa0, 0xa7, 0x05, 0xac, 0x9f, 0x53, 0x25, 0x08, 0x10, 0x47, 0x99, + 0xcd, 0x98, 0xde, 0x68, 0xe5, 0xb4, 0x50, 0x78, 0xa3, 0xaf, 0x01, 0xcc, 0x59, 0x43, 0x58, 0xe4, + 0x76, 0x6e, 0x7e, 0xac, 0xc7, 0xe2, 0x9e, 0x1f, 0x4f, 0xb0, 0x47, 0x2d, 0xc8, 0x0c, 0xa3, 0x49, + 0x27, 0x80, 0x75, 0x8c, 0xbb, 0x06, 0x91, 0x65, 0x0f, 0x90, 0x9b, 0xf4, 0xba, 0xd1, 0x81, 0xc8, + 0x5c, 0x6a, 0xec, 0x14, 0xe9, 0x25, 0x09, 0xbf, 0x23, 0x16, 0xf4, 0x95, 0x46, 0x40, 0x40, 0x21, + 0xbb, 0x83, 0x96, 0xfd, 0x86, 0x1f, 0x7a, 0xc8, 0x0d, 0x10, 0x8e, 0xa2, 0xf8, 0x19, 0x07, 0x58, + 0x7f, 0x9f, 0xbd, 0x37, 0x02, 0x60, 0xf2, 0xa4, 0xe9, 0x9d, 0x44, 0x3f, 0x30, 0x05, 0xe4, 0xa7, + 0x70, 0x99, 0x51, 0x9a, 0xe8, 0x17, 0xf1, 0x55, 0xca, 0xb2, 0x61, 0x89, 0x65, 0x46, 0xa7, 0x6a, + 0xf2, 0x58, 0x46, 0x7e, 0xaa, 0xa0, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xf4, 0x30, + 0x81, 0xf1, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xda, + 0xed, 0x64, 0x74, 0x14, 0x9c, 0x14, 0x3c, 0xab, 0xdd, 0x99, 0xa9, 0xbd, 0x5b, 0x28, 0x4d, 0x8b, + 0x3c, 0xc9, 0xd8, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x2e, 0x2d, + 0xb0, 0x0a, 0x44, 0x4a, 0xd3, 0x87, 0xc0, 0x02, 0x07, 0xce, 0x97, 0x7d, 0x50, 0x62, 0x20, 0xfd, + 0x0f, 0x83, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, + 0x06, 0xc0, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08, 0x30, 0x42, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, + 0x3b, 0x30, 0x39, 0x30, 0x37, 0xa0, 0x35, 0xa0, 0x33, 0x86, 0x31, 0x68, 0x74, 0x74, 0x70, 0x3a, + 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, 0x72, 0x73, + 0x74, 0x2d, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x35, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x19, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, + 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xc8, 0xfb, 0x63, 0xf8, 0x0b, 0x75, 0x75, 0x2c, 0x3a, + 0xf1, 0xf2, 0x13, 0xa7, 0x2d, 0xb6, 0xa3, 0x1a, 0x9c, 0xad, 0x01, 0x07, 0xd3, 0x34, 0x8e, 0x77, + 0xe0, 0xc2, 0x6e, 0xae, 0x02, 0x5d, 0x48, 0x4f, 0xa4, 0xd2, 0x21, 0xb6, 0x36, 0xfd, 0x2a, 0x35, + 0x43, 0x7c, 0x6b, 0xdf, 0x80, 0x87, 0x0b, 0x15, 0xf0, 0x76, 0x32, 0x00, 0xb4, 0xce, 0xb5, 0x67, + 0xa4, 0x2f, 0x2f, 0x20, 0x1b, 0x9c, 0x54, 0x9e, 0x83, 0x3f, 0x1f, 0x5f, 0x14, 0x95, 0x62, 0x82, + 0x0f, 0x22, 0x41, 0x22, 0x1f, 0x70, 0xb3, 0xf3, 0xf7, 0x42, 0xde, 0x6c, 0x51, 0xcd, 0x4b, 0xf8, + 0x21, 0xac, 0x9b, 0x3b, 0x8c, 0xb1, 0xe5, 0xe6, 0x28, 0x8f, 0xce, 0x2a, 0x8a, 0xf9, 0xaa, 0x52, + 0x4d, 0x8c, 0x5b, 0x77, 0xba, 0x4d, 0x5a, 0x58, 0xdb, 0xbb, 0x6a, 0x04, 0xcc, 0x52, 0x1e, 0x9d, + 0xe2, 0x28, 0x37, 0x0e, 0xbb, 0xe7, 0x0e, 0x91, 0xc7, 0xf8, 0xdb, 0xf1, 0x81, 0x98, 0xeb, 0xcd, + 0x37, 0xb3, 0x0e, 0xab, 0x65, 0xd3, 0x62, 0xec, 0x3a, 0xa5, 0x76, 0xeb, 0x13, 0xa8, 0x35, 0x93, + 0xc9, 0x2e, 0x0a, 0x01, 0xec, 0xc0, 0xe8, 0xcc, 0x3d, 0x7e, 0xb6, 0xeb, 0xe2, 0xc1, 0xec, 0xd3, + 0x14, 0x92, 0x82, 0x66, 0x87, 0x50, 0xdc, 0xfd, 0x50, 0x97, 0xac, 0xb3, 0x4a, 0x76, 0x73, 0x06, + 0xc4, 0x86, 0x11, 0x3a, 0xb3, 0x5f, 0x43, 0x04, 0x52, 0x6f, 0xea, 0xb3, 0xd0, 0x74, 0x36, 0x4c, + 0xca, 0xf1, 0x1b, 0x79, 0x84, 0x37, 0x70, 0x63, 0xad, 0x74, 0xb9, 0xaa, 0x0e, 0xf3, 0x98, 0xb0, + 0x86, 0x08, 0xeb, 0xdb, 0xe0, 0x1f, 0x8c, 0x10, 0xf2, 0x39, 0x64, 0x9b, 0xae, 0x4f, 0x0a, 0x2c, + 0x92, 0x8a, 0x4f, 0x18, 0xb5, 0x91, 0xe5, 0x8d, 0x1a, 0x93, 0x5f, 0x1f, 0xae, 0xf1, 0xa6, 0xf0, + 0x2e, 0x97, 0xd0, 0xd2, 0xf6, 0x2b, 0x3c, 0x0a + }; + +UNIT_TEST_STATUS +EFIAPI +TestVerifyImageTimestampVerify ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + EFI_TIME SigningTime; + + Status = FALSE; + + // + // Verify RFC3161 Timestamp CounterSignature. + // + Status = ImageTimestampVerify ( + AuthenticodeWithTS, + sizeof (AuthenticodeWithTS), + TSTrustedCert, + sizeof (TSTrustedCert), + &SigningTime + ); + UT_ASSERT_TRUE (Status); + + UT_ASSERT_EQUAL (SigningTime.Year, 2014); + UT_ASSERT_EQUAL (SigningTime.Month, 7); + UT_ASSERT_EQUAL (SigningTime.Day, 28); + UT_ASSERT_EQUAL (SigningTime.Hour, 8); + UT_ASSERT_EQUAL (SigningTime.Minute, 50); + UT_ASSERT_EQUAL (SigningTime.Second, 3); + + return Status; +} + +TEST_DESC mImageTimestampTest[] = { + // + // -----Description--------------------------------------Class----------------------------Function-----------------Pre---Post--Context + // + {"TestVerifyImageTimestampVerify()", "CryptoPkg.BaseCryptLib.ImageTimestamp", TestVerifyImageTimestampVerify, NULL, NULL, NULL}, +}; + +UINTN mImageTimestampTestNum = ARRAY_SIZE(mImageTimestampTest); diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h new file mode 100644 index 00000000..b44ab357 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h @@ -0,0 +1,124 @@ +/** @file + Application for Cryptographic Primitives Validation. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __CRYPTEST_H__ +#define __CRYPTEST_H__ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +//#include +#include +//#include + +#define UNIT_TEST_NAME "BaseCryptLib Unit Test" +#define UNIT_TEST_VERSION "1.0" + +typedef struct { + CHAR8 *Description; + CHAR8 *ClassName; + UNIT_TEST_FUNCTION Func; + UNIT_TEST_PREREQUISITE PreReq; + UNIT_TEST_CLEANUP CleanUp; + UNIT_TEST_CONTEXT Context; +} TEST_DESC; + +typedef struct { + CHAR8 *Title; + CHAR8 *Package; + UNIT_TEST_SUITE_SETUP Sup; + UNIT_TEST_SUITE_TEARDOWN Tdn; + UINTN *TestNum; + TEST_DESC *TestDesc; +} SUITE_DESC; + +extern UINTN mPkcs7EkuTestNum; +extern TEST_DESC mPkcs7EkuTest[]; + +extern UINTN mHashTestNum; +extern TEST_DESC mHashTest[]; + +extern UINTN mHmacTestNum; +extern TEST_DESC mHmacTest[]; + +extern UINTN mBlockCipherTestNum; +extern TEST_DESC mBlockCipherTest[]; + +extern UINTN mRsaTestNum; +extern TEST_DESC mRsaTest[]; + +extern UINTN mRsaCertTestNum; +extern TEST_DESC mRsaCertTest[]; + +extern UINTN mPkcs7TestNum; +extern TEST_DESC mPkcs7Test[]; + +extern UINTN mPkcs5TestNum; +extern TEST_DESC mPkcs5Test[]; + +extern UINTN mAuthenticodeTestNum; +extern TEST_DESC mAuthenticodeTest[]; + +extern UINTN mImageTimestampTestNum; +extern TEST_DESC mImageTimestampTest[]; + +extern UINTN mDhTestNum; +extern TEST_DESC mDhTest[]; + +extern UINTN mPrngTestNum; +extern TEST_DESC mPrngTest[]; + +extern UINTN mOaepTestNum; +extern TEST_DESC mOaepTest[]; + +extern UINTN mRsaPssTestNum; +extern TEST_DESC mRsaPssTest[]; + +/** Creates a framework you can use */ +EFI_STATUS +EFIAPI +CreateUnitTest ( + IN CHAR8* UnitTestName, + IN CHAR8* UnitTestVersion, + IN OUT UNIT_TEST_FRAMEWORK_HANDLE* Framework +); + +/** + Validate UEFI-OpenSSL DH Interfaces. + + @retval EFI_SUCCESS Validation succeeded. + @retval EFI_ABORTED Validation failed. + +**/ +EFI_STATUS +ValidateCryptDh ( + VOID + ); + +/** + Validate UEFI-OpenSSL pseudorandom number generator interfaces. + + @retval EFI_SUCCESS Validation succeeded. + @retval EFI_ABORTED Validation failed. + +**/ +EFI_STATUS +ValidateCryptPrng ( + VOID + ); + + + +#endif diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf new file mode 100644 index 00000000..b28e0b9f --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf @@ -0,0 +1,47 @@ +## @file +# Host-based UnitTest for BaseCryptLib +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = BaseCryptLibUnitTestHost + FILE_GUID = 0cb84598-824b-4833-b705-bdefdcbba1d5 + MODULE_TYPE = HOST_APPLICATION + VERSION_STRING = 1.0 + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + UnitTestMain.c + BaseCryptLibUnitTests.c + TestBaseCryptLib.h + HashTests.c + HmacTests.c + BlockCipherTests.c + RsaTests.c + RsaPkcs7Tests.c + Pkcs5Pbkdf2Tests.c + AuthenticodeTests.c + TSTests.c + DhTests.c + RandTests.c + Pkcs7EkuTests.c + OaepEncryptTests.c + RsaPssTests.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + BaseCryptLib + UnitTestLib diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf new file mode 100644 index 00000000..49683660 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf @@ -0,0 +1,50 @@ +## @file +# BaseCryptLib UnitTest built for execution in UEFI Shell. +# +# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION = 0x00010006 + BASE_NAME = BaseCryptLibUnitTestShell + FILE_GUID = ed54ee8c-ef7a-41f2-83d5-0e0d4cd88c21 + MODULE_TYPE = UEFI_APPLICATION + VERSION_STRING = 1.0 + ENTRY_POINT = DxeEntryPoint + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + UnitTestMain.c + BaseCryptLibUnitTests.c + TestBaseCryptLib.h + HashTests.c + HmacTests.c + BlockCipherTests.c + RsaTests.c + RsaPkcs7Tests.c + Pkcs5Pbkdf2Tests.c + AuthenticodeTests.c + TSTests.c + DhTests.c + RandTests.c + Pkcs7EkuTests.c + OaepEncryptTests.c + RsaPssTests.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + UefiApplicationEntryPoint + BaseLib + DebugLib + UnitTestLib + PrintLib + BaseCryptLib diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt new file mode 100644 index 00000000..10bff431 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt @@ -0,0 +1,92 @@ +-------------------------------------------------------------------------------- +File: ChainCreationInstructions.txt + +Description: This folder contains INI files that are required to generate + the following test cert chains. Certs will be copied onto the + file system AND MY store when they are generated by certreq.exe. + +Note that typically certreq.exe operates on INF files, but in this folder +we use INI files so that our build system does not complain about INF's being +in the tree, but not in the CryptoPkg.dsc file. + +To create your own certificates and signatures for testing, this file demonstrates +how the test certificate chains and signatures were created. + +To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in +your path). You can then use your favorite BinaryToHex converter to convert +the binary into a byte array that you can include in unit tests. + +Copyright (C) Microsoft Corporation. All Rights Reserved. +-------------------------------------------------------------------------------- +Cert Chain: + + ------------------------------------------ + | | // Root of trust. ECDSA P521 curve + | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Issues subordinate CAs. ECC P384 curve. + | TestEKUParsingPolicyCA | // SHA 256 Key Usage: + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Issues end-entity (leaf) signers. ECC P256 curve. + | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // Enhanced Key Usage: + ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + ^ + | + -------------------------------------- + / / // Leaf signer, ECC P256 curve. + / TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + / / // Enhanced Key usages: + -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID. + + + + +--------------------------------------------------------------------------------- + + +--- files required --- + +TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live. +TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints. +TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs. +TestEKUParsingLeafSigner.ini - End-Entity leaf signer. +TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345. +TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified. +TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints. +--- Commands to execute --- + +certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer +certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer +certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer + +--------------------------------------------------------------------------------- + +Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below. +Note: You should see a little key on the top left of each cert icon, which means you have the private key + for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks, + export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible. + + If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has + an Export-PfxCertificate command. + +Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot + TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA + TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA + TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner + TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345 + TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd new file mode 100644 index 00000000..6d68afda --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd @@ -0,0 +1,11 @@ +@ECHO OFF +REM +REM Use this file to create test certificates. +REM +call certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer +call certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer +call certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer +call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer +call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer +call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer +call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd new file mode 100644 index 00000000..ce03e33a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd @@ -0,0 +1,76 @@ +@ECHO OFF +REM This script will use various certificates to sign blobs for testing purposes. +REM +REM +REM Our EKU test certificate chain: +REM ------------------------------------------ +REM | | // Root of trust. ECDSA P521 curve +REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE +REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE +REM ------------------------------------------ +REM ^ +REM | +REM ------------------------------------------ +REM | | // Issues subordinate CAs. ECC P384 curve. +REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage: +REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE +REM ------------------------------------------ +REM ^ +REM | +REM ------------------------------------------ +REM | | // Issues end-entity (leaf) signers. ECC P256 curve. +REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE +REM | | // Enhanced Key Usage: +REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) +REM ^ +REM | +REM -------------------------------------- +REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve. +REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE +REM / / // Enhanced Key usages: +REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) +REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID. +REM +REM +REM +REM Dev Note: SignTool.exe must be in your path when running this script. + +del *.p7b +ECHO ------------------------------------------------------------------- +ECHO Press any key 4 times to append time to the test blobs to sign. +time >> TestSignWithOneEKUInLeafSigner.bin +time >> TestSignWithTwoEKUsInLeafSignerPid1.bin +time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin +time >> TestSignWithNoEKUsInLeafSigner.bin + + +REM +REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it, +REM and add the Policy CA in the signature. +REM +call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin + +REM +REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1) +REM +call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin + +REM +REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345) +REM +call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin + + +REM +REM Create a signature with a leaf that does not have any EKUs in the signture. +REM +call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin + +REM +REM Rename *.p7 to *.p7b +REM +rename *.p7 *.p7b +ECHO --------------------------------------------------------------------------- +ECHO Now you can use your favorite "Binary To Hex" converter to convert the +ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h +ECHO --------------------------------------------------------------------------- diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini new file mode 100644 index 00000000..b8683039 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini @@ -0,0 +1,45 @@ +[Version] +Signature="$Windows NT$ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; 2.5.29.19 == Basic Constraints for CA +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 + +[NewRequest] +Subject = "CN=TestEKUParsingIssuingCA" +Exportable = true +KeyLength = 256 +HashAlgorithm = sha256 +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P256" + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; This extension is so the this CA is only allowed to +; issue end-entity certs. +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[BasicConstraintsExtension] +PathLength=0 + +; +; Surface Firmware Signing EKU +; +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1" + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini new file mode 100644 index 00000000..20135ba9 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini @@ -0,0 +1,25 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSigner" +Exportable = true +KeyLength = 256 +HashAlgorithm = sha256 +KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P256" + +; +; Surface test firwmare signing EKU +; +[Extensions] + _continue_ = "1.3.6.1.4.1.311.76.9.21.1" diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini new file mode 100644 index 00000000..1f9957ce --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini @@ -0,0 +1,24 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 +OID = 1.3.6.1.4.1.311.76.9.21.1.1 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSignerPid1" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 5 +ValidityPeriod = Years + +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1," + _continue_ = "1.3.6.1.4.1.311.76.9.21.1.1" diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini new file mode 100644 index 00000000..7f17d8e1 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini @@ -0,0 +1,27 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 +OID = 1.3.6.1.4.1.311.76.9.21.1.12345 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSignerPid12345" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 5 +ValidityPeriod = Years + +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1," + _continue_ = "1.3.6.1.4.1.311.76.9.21.1.12345" + + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini new file mode 100644 index 00000000..266360d2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini @@ -0,0 +1,16 @@ +[Version] +Signature="$Windows NT$ + + +[NewRequest] +Subject = "CN=TestEKUParsingNoEKUsInSigner" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini new file mode 100644 index 00000000..1b0dcefb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini @@ -0,0 +1,28 @@ +[Version] +Signature="$Windows NT$ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; 2.5.29.19 == Basic Constraints for CA +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[NewRequest] +Subject = "CN=TestEKUParsingPolicyCA" +Exportable = true +KeyLength = 384 +HashAlgorithm = sha256 +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P384" + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini new file mode 100644 index 00000000..124e1e39 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini @@ -0,0 +1,28 @@ +[Version] +Signature="$Windows NT$ + +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[NewRequest] +Subject = "CN=TestEKUParsingRoot" +Exportable = true +KeyLength = 521 +HashAlgorithm = sha256 +KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 30 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = ECDSA_P521 + + + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c new file mode 100644 index 00000000..f13bb6b5 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c @@ -0,0 +1,81 @@ +/** @file + This is a sample to demostrate the usage of the Unit Test Library that + supports the PEI, DXE, SMM, UEFI SHell, and host execution environments. + + Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include "TestBaseCryptLib.h" + + +/** + Initialize the unit test framework, suite, and unit tests for the + sample unit tests and run the unit tests. + + @retval EFI_SUCCESS All test cases were dispatched. + @retval EFI_OUT_OF_RESOURCES There are not enough resources available to + initialize the unit tests. +**/ +EFI_STATUS +EFIAPI +UefiTestMain ( + VOID + ) +{ + EFI_STATUS Status; + UNIT_TEST_FRAMEWORK_HANDLE Framework; + + DEBUG(( DEBUG_INFO, "%a v%a\n", UNIT_TEST_NAME, UNIT_TEST_VERSION )); + CreateUnitTest(UNIT_TEST_NAME, UNIT_TEST_VERSION, &Framework); + + // + // Execute the tests. + // + Status = RunAllTestSuites (Framework); + + if (Framework) { + FreeUnitTestFramework (Framework); + } + + return Status; +} + +/** + Standard PEIM entry point for target based unit test execution from PEI. +**/ +EFI_STATUS +EFIAPI +PeiEntryPoint ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + return UefiTestMain (); +} + +/** + Standard UEFI entry point for target based unit test execution from DXE, SMM, + UEFI Shell. +**/ +EFI_STATUS +EFIAPI +DxeEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return UefiTestMain (); +} + +/** + Standard POSIX C entry point for host based unit test execution. +**/ +int +main ( + int argc, + char *argv[] + ) +{ + return UefiTestMain (); +} -- cgit v1.2.3