I try to understand what is the use case to EvpMdFinal without DigestValue and only Free the EvpMdContext.

A normal usage will be:
1) EvpMdHashAll (Digest) - get digest.
2) EvpMdInit, EvpMdUpdate, EvpMdUpdate, ... , EvpMdFinal (Digest) - get digest

Why we need support the case to use EvpMdFinal (NULL) in the end to free context?


Thank you
Yao Jiewen

On 09/16/20 14:07, Yao, Jiewen wrote:

I overlooked the behavior that NULL DigestValue will take side effect to free Context.

Hi Christopher
May I understand why we need free the context?
This does not align with other existing HASH or HMAC functions.

I requested that.

It makes no sense to keep a finalized context.

In other words, it makes no sense to separate finalization from freeing.
A context that has been finalized is unusable for anything except freeing.

Thanks
Laszlo

Thank you
Yao Jiewen

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
Sent: Wednesday, September 16, 2020 7:45 PM
To: Laszlo Ersek <lersek@...>; devel@edk2.groups.io; Zurcher,
Christopher J <christopher.j.zurcher@...>
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX <xiaoyux.lu@...>
Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg/BaseCryptLib: Add EVP
(Envelope) Digest interface

Hi Laszlo
I disagree to put OPTIONAL for DigestValue, just because NULL is checked.
If we need follow this, then we need add OPTIONAL to almost all pointer, which
is unnecessary.

+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue

(3) DigestValue should be marked OPTIONAL in my opinion, as NULL is
deliberately permitted (for just freeing the context).

-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: Wednesday, September 16, 2020 7:07 PM
To: devel@edk2.groups.io; Zurcher, Christopher J
<christopher.j.zurcher@...>
Cc: Yao, Jiewen <jiewen.yao@...>; Wang, Jian J

<jian.j.wang@...>;

Lu, XiaoyuX <xiaoyux.lu@...>
Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg/BaseCryptLib: Add EVP
(Envelope) Digest interface

Hello Christopher,

On 09/16/20 02:59, Zurcher, Christopher J wrote:

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2545

The EVP interface should be used in place of discrete digest function
calls.

Cc: Laszlo Ersek <lersek@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@...>
---
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
CryptoPkg/Include/Library/BaseCryptLib.h | 129 ++++++++++
CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c | 257

++++++++++++++++++++

CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c | 128 ++++++++++
CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c | 128

++++++++++

9 files changed, 647 insertions(+)

I agree that "CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c"
is necessary. (If I understand correctly, that file was missing from
your v2 posting.)

But "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c" seems
superfluous. This file is never referenced in the INF files.

The point of this file would be to allow *some* of the Base / Pei /
Runtime / Smm instances to "stub out" the EVP MD functions (i.e. provide
only stub implementations). But this isn't what's happening -- all of
the Base / Pei / Runtime / Smm instances are getting the real deal
("CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c").

(1) So I think "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c"
should be dropped. Only the Null instance of the library needs null
versions of the new functions. The Base / Pei / Runtime / Smm instances
don't.

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

index 4aae2aba95..3968f29412 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -50,6 +50,7 @@
Pk/CryptAuthenticode.c
Pk/CryptTs.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

index dc28e3a11d..d0b91716d0 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -57,6 +57,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

index 5005beed02..9f3accd35b 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -56,6 +56,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf

index 91ec3e03bf..420623cdc6 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -54,6 +54,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf

b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf

index 689af4fedd..542ac2e2e1 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -50,6 +50,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMdNull.c

[Packages]
MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h

b/CryptoPkg/Include/Library/BaseCryptLib.h

index ae9bde9e37..5e1b408b54 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1012,6 +1012,135 @@ HmacSha256Final (
OUT UINT8 *HmacValue
);

+//==============================================================

=======================

+// EVP (Envelope) Primitive

+//==============================================================

=======================

+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and

initialized.

+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ );
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ );
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or

discontinuous data streams.

+ EVP_MD context should be already correctly initialized by EvpMdInit(), and

should not

+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to

be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest

value into

+ the specified memory. After this function has been called, the EVP context

cannot

+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and

should

+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is

undefined.

+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP

digest

value.

(2) Please extend the comment on Digest with the following:

The caller is responsible for providing enough storage for the digest
algorithm selected with EvpMdInit(). Providing EVP_MAX_MD_SIZE bytes
will suffice for storing the digest regardless of the algorithm chosen
in EvpMdInit().

(EVP_MAX_MD_SIZE is a public OpenSSL macro and I think we should openly
advertise it to consumers in edk2.)

+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue

(3) DigestValue should be marked OPTIONAL in my opinion, as NULL is
deliberately permitted (for just freeing the context).

+ );
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and

places

+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ );
+

//===============================================================

======================

// Symmetric Cryptography Primitive

//===============================================================

======================

diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c

b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c

new file mode 100644
index 0000000000..b2770a9186
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c
@@ -0,0 +1,257 @@
+/** @file
+ EVP MD Wrapper Implementation for OpenSSL.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/evp.h>
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and

initialized.

+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ EVP_MD *Digest;
+ VOID *EvpMdContext;
+
+ //
+ // Check input parameters.
+ //
+ if (DigestName == NULL) {
+ return NULL;
+ }
+
+ //
+ // Allocate EVP_MD_CTX Context
+ //
+ EvpMdContext = EVP_MD_CTX_new ();
+ if (EvpMdContext == NULL) {
+ return NULL;
+ }
+
+ Digest = EVP_get_digestbyname (DigestName);

I think this may not compile with gcc (and correctly so). The pointer
returned by EVP_get_digestbyname() is const-qualified, but with the
assignment, we're throwing away the const-ness.

(4) Please const-qualify the "Digest" local pointer.

+ if (Digest == NULL) {
+ return NULL;
+ }

(5) This is a memory leak I believe; "EvpMdContext" is leaked.

For keeping the control flow simple, consider moving
EVP_get_digestbyname() above EVP_MD_CTX_new().

+
+ //
+ // Initialize Context
+ //
+ if (EVP_DigestInit_ex (EvpMdContext, Digest, NULL) != 1) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return NULL;
+ }
+
+ return EvpMdContext;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL || NewEvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ if (EVP_MD_CTX_copy (NewEvpMdContext, EvpMdContext) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}

(6) Can you please confirm that the caller is supposed to initialize
"NewEvpMdContext" with EvpMdInit() first, before calling EvpMdDuplicate()?

+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or

discontinuous data streams.

+ EVP_MD context should be already correctly initialized by EvpMdInit(), and

should not

+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to

be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Check invalid parameters, in case only DataLength was checked in

OpenSSL

+ //
+ if (Data == NULL && DataSize != 0) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest update
+ //
+ if (EVP_DigestUpdate (EvpMdContext, Data, DataSize) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest

value into

+ the specified memory. After this function has been called, the EVP context

cannot

+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and

should

+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is

undefined.

+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP

digest

value.

+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ UINT32 Length;
+ BOOLEAN ReturnValue;
+
+ ReturnValue = TRUE;
+
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+ if (DigestValue == NULL) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest finalization
+ //
+ if (EVP_DigestFinal_ex (EvpMdContext, DigestValue, &Length) != 1) {
+ ReturnValue = FALSE;
+ }

(7) I suggest dropping the "Length" local variable. EVP_DigestFinal_ex()
deals fine with the third parameter being NULL, according to the docs
(and the code).

+
+ //
+ // Free OpenSSL EVP_MD_CTX Context
+ //
+ EVP_MD_CTX_free (EvpMdContext);
+
+ return ReturnValue;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and

places

+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ BOOLEAN Result;
+ VOID *EvpMdContext;
+
+ EvpMdContext = EvpMdInit (DigestName);
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ Result = EvpMdUpdate (EvpMdContext, Data, DataSize);
+ if (Result == FALSE) {

(8) Style: please write (!Result).

+ EvpMdFinal (EvpMdContext, NULL);
+ return FALSE;
+ }
+
+ Result = EvpMdFinal (EvpMdContext, HashValue);
+
+ return Result;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c

b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c

new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to

be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP

digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c

b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c

new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to

be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP

digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}

Thanks,
Laszlo

Right. Now I understand why this is not enforced before - We do support Unicode in some content.

Unfortunately, I don’t think you can enforce the contributor's keyboard device. We sometime write different document with different context, and switch between English and other language. It is not feasible.

We do out best, but we still make mistakes.

I still prefer a tool to do some simple check. For example, dash "-", colon ":", quote "\"", bracket "()" - per my experience.

If you really only care about "REF: ", then we can only add check for "REF :", together with "Cc:", "Reviewed-by:", "Signed-off-by:", etc, to ensure they are using correct ":".

Thank you
Yao Jiewen

Reviewed-by: Chasel Chiu <chasel.chiu@...>

On 09/16/20 11:31, Yao, Jiewen wrote:

Hi Laszlo
Thanks. I agree 1, 2, 3. I take the blame. It is my fault.

For 4, it is out of my scope. I cannot find this by my eyes. Everything works well on my side.
Can we improve patch checker to catch this in CI ?
I don’t think I can find any Unicode in code or commit message easily.
I prefer to let a tool to do that work.

Yes, we could perhaps enhance "BaseTools/Scripts/PatchCheck.py" to
require subjects to be 7-bit ASCII only. (And then some people would
disagree...)

I guess the idea is, unless it's a proper name being inserted in the
subject line, we should stick with 7-bit ASCII. For example, we should
reject U+FF1A (because U+003A is the right code point), but we should
still accept proper names in full UTF-8 (maybe not even restricted to
Latin script only)!

I don't know how this could be implemented in "PatchCheck.py"...

I guess what I would prefer is if contributors' input devices were
configured accordingly. When they press a key that promises to insert a
colon -- that is, when it *looks like* a colon --, then the symbol
should *become* a colon -- that is, U+003A, and not U+FF1A.

Thanks,
Laszlo

-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: Wednesday, September 16, 2020 4:43 PM
To: Chiu, Chasel <chasel.chiu@...>; Yao, Jiewen <jiewen.yao@...>
Cc: devel@edk2.groups.io; Zhang, Qi1 <qi1.zhang@...>; Desimone,
Nathaniel L <nathaniel.l.desimone@...>; Zeng, Star
<star.zeng@...>; Wang, Jian J <jian.j.wang@...>
Subject: development process failure [was: remove TPM related ppi from Depex
for Fsp wrapper PEIM driver]

Jiewen, Chasel,

On 09/15/20 08:21, Qi Zhang wrote:

Some open board are TPM disabled. So the boot may hang because
these PPIs can't arrive. And gEdkiiTcgPpiGuid will be notified where
it is used. So we need to remove these PPIs from Depex for Fsp wrapper
PEI and PeiTpmMeasurementLib.

Cc: Chasel Chiu <chasel.chiu@...>
Cc: Nate DeSimone <nathaniel.l.desimone@...>
Cc: Star Zeng <star.zeng@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>

Qi Zhang (2):
IntelFsp2WrapperPkg： remove gPeiTpmInitializationDonePpiGuid from
Depex
SecurityPkg/PeiTpmMeasurementLib: remove gEfiTpmDeviceSelectedGuid

IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.inf | 3 +--
IntelFsp2WrapperPkg/FspsWrapperPeim/FspsWrapperPeim.inf | 3 +--
.../Library/PeiTpmMeasurementLib/PeiTpmMeasurementLib.inf | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)

Please adopt a *much more* disciplined approach when merging patch series.


(1) When you merge a patch set, please report back on the list. Identify
both the pull request URL, and the commit reange.

In this case, the pull request was

https://github.com/tianocore/edk2/pull/930

and the commit range is a62fb4229d14..7bcb021a6d54.


(2) The associated Bugzilla:

https://bugzilla.tianocore.org/show_bug.cgi?id=2963

has been completely neglected, by both submitter and maintainers.

- The original BZ report is *absolute trash*.

- No URL into the mailing list archive has been captured in the BZ,
about the posted series.

- The BZ status is still CONFIRMED.

- No mention of the pull request, or the resultant commit, range in the
BZ ticket.


(3) The github pull request at
<https://github.com/tianocore/edk2/pull/930> does contain *any*
indication of the bugzilla ticket, or the cover letter on the list.

Basically we have random artifacts in three different places (Bugzilla,
github.com, mailing list), and nobody of the involved parties
(reviewers, maintainers, constributors) on this patch set have made
*any* effort to cross-reference them. We now have to hunt down
everything separately.


(4) Worst of all, the subject line of commit 414d7d11e6ea contains a
Unicode code point called FULLWIDTH COLON (U+FF1A) rather than a normal
colon (U+003A).

Compare:

- bad (current): IntelFsp2WrapperPkg： remove [...]
- good (should have been): IntelFsp2WrapperPkg: remove [...]

It makes absolutely no sense to use non-ASCII code points in subject
lines, for something as trivial as a colon.


I've been here for 8-9 years now and it's incredibly frustrating that I
*still* have to whine about basic stuff like this on a regular basis.

I don't even know whom I should CC at Intel (management or otherwise) to
see an improvement in attitude here.

I guess this community cannot be saved.

Laszlo

I overlooked the behavior that NULL DigestValue will take side effect to free Context.

Hi Christopher
May I understand why we need free the context?
This does not align with other existing HASH or HMAC functions.

Thank you
Yao Jiewen

Hi Laszlo
I disagree to put OPTIONAL for DigestValue, just because NULL is checked.
If we need follow this, then we need add OPTIONAL to almost all pointer, which is unnecessary.

+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue

(3) DigestValue should be marked OPTIONAL in my opinion, as NULL is
deliberately permitted (for just freeing the context).

-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: Wednesday, September 16, 2020 7:07 PM
To: devel@edk2.groups.io; Zurcher, Christopher J
<christopher.j.zurcher@...>
Cc: Yao, Jiewen <jiewen.yao@...>; Wang, Jian J <jian.j.wang@...>;
Lu, XiaoyuX <xiaoyux.lu@...>
Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg/BaseCryptLib: Add EVP
(Envelope) Digest interface

Hello Christopher,

On 09/16/20 02:59, Zurcher, Christopher J wrote:

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2545

The EVP interface should be used in place of discrete digest function
calls.

Cc: Laszlo Ersek <lersek@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@...>
---
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
CryptoPkg/Include/Library/BaseCryptLib.h | 129 ++++++++++
CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c | 257

++++++++++++++++++++

CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c | 128 ++++++++++
CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c | 128 ++++++++++
9 files changed, 647 insertions(+)

I agree that "CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c"
is necessary. (If I understand correctly, that file was missing from
your v2 posting.)

But "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c" seems
superfluous. This file is never referenced in the INF files.

The point of this file would be to allow *some* of the Base / Pei /
Runtime / Smm instances to "stub out" the EVP MD functions (i.e. provide
only stub implementations). But this isn't what's happening -- all of
the Base / Pei / Runtime / Smm instances are getting the real deal
("CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c").

(1) So I think "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c"
should be dropped. Only the Null instance of the library needs null
versions of the new functions. The Base / Pei / Runtime / Smm instances
don't.

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

index 4aae2aba95..3968f29412 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -50,6 +50,7 @@
Pk/CryptAuthenticode.c
Pk/CryptTs.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

index dc28e3a11d..d0b91716d0 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -57,6 +57,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

index 5005beed02..9f3accd35b 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -56,6 +56,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf

b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf

index 91ec3e03bf..420623cdc6 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -54,6 +54,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf

b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf

index 689af4fedd..542ac2e2e1 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -50,6 +50,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMdNull.c

[Packages]
MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h

b/CryptoPkg/Include/Library/BaseCryptLib.h

index ae9bde9e37..5e1b408b54 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1012,6 +1012,135 @@ HmacSha256Final (
OUT UINT8 *HmacValue
);

+//==============================================================
=======================

+// EVP (Envelope) Primitive

+//==============================================================
=======================

+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and

initialized.

+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ );
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ );
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or

discontinuous data streams.

+ EVP_MD context should be already correctly initialized by EvpMdInit(), and

should not

+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest

value into

+ the specified memory. After this function has been called, the EVP context

cannot

+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and

should

+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is

undefined.

+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest

value.

(2) Please extend the comment on Digest with the following:

The caller is responsible for providing enough storage for the digest
algorithm selected with EvpMdInit(). Providing EVP_MAX_MD_SIZE bytes
will suffice for storing the digest regardless of the algorithm chosen
in EvpMdInit().

(EVP_MAX_MD_SIZE is a public OpenSSL macro and I think we should openly
advertise it to consumers in edk2.)

+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue

(3) DigestValue should be marked OPTIONAL in my opinion, as NULL is
deliberately permitted (for just freeing the context).

+ );
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ );
+

//===============================================================
======================

// Symmetric Cryptography Primitive

//===============================================================
======================

diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c

b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c

new file mode 100644
index 0000000000..b2770a9186
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c
@@ -0,0 +1,257 @@
+/** @file
+ EVP MD Wrapper Implementation for OpenSSL.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/evp.h>
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and

initialized.

+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ EVP_MD *Digest;
+ VOID *EvpMdContext;
+
+ //
+ // Check input parameters.
+ //
+ if (DigestName == NULL) {
+ return NULL;
+ }
+
+ //
+ // Allocate EVP_MD_CTX Context
+ //
+ EvpMdContext = EVP_MD_CTX_new ();
+ if (EvpMdContext == NULL) {
+ return NULL;
+ }
+
+ Digest = EVP_get_digestbyname (DigestName);

I think this may not compile with gcc (and correctly so). The pointer
returned by EVP_get_digestbyname() is const-qualified, but with the
assignment, we're throwing away the const-ness.

(4) Please const-qualify the "Digest" local pointer.

+ if (Digest == NULL) {
+ return NULL;
+ }

(5) This is a memory leak I believe; "EvpMdContext" is leaked.

For keeping the control flow simple, consider moving
EVP_get_digestbyname() above EVP_MD_CTX_new().

+
+ //
+ // Initialize Context
+ //
+ if (EVP_DigestInit_ex (EvpMdContext, Digest, NULL) != 1) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return NULL;
+ }
+
+ return EvpMdContext;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL || NewEvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ if (EVP_MD_CTX_copy (NewEvpMdContext, EvpMdContext) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}

(6) Can you please confirm that the caller is supposed to initialize
"NewEvpMdContext" with EvpMdInit() first, before calling EvpMdDuplicate()?

+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or

discontinuous data streams.

+ EVP_MD context should be already correctly initialized by EvpMdInit(), and

should not

+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Check invalid parameters, in case only DataLength was checked in

OpenSSL

+ //
+ if (Data == NULL && DataSize != 0) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest update
+ //
+ if (EVP_DigestUpdate (EvpMdContext, Data, DataSize) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest

value into

+ the specified memory. After this function has been called, the EVP context

cannot

+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and

should

+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is

undefined.

+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest

value.

+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ UINT32 Length;
+ BOOLEAN ReturnValue;
+
+ ReturnValue = TRUE;
+
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+ if (DigestValue == NULL) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest finalization
+ //
+ if (EVP_DigestFinal_ex (EvpMdContext, DigestValue, &Length) != 1) {
+ ReturnValue = FALSE;
+ }

(7) I suggest dropping the "Length" local variable. EVP_DigestFinal_ex()
deals fine with the third parameter being NULL, according to the docs
(and the code).

+
+ //
+ // Free OpenSSL EVP_MD_CTX Context
+ //
+ EVP_MD_CTX_free (EvpMdContext);
+
+ return ReturnValue;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ BOOLEAN Result;
+ VOID *EvpMdContext;
+
+ EvpMdContext = EvpMdInit (DigestName);
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ Result = EvpMdUpdate (EvpMdContext, Data, DataSize);
+ if (Result == FALSE) {

(8) Style: please write (!Result).

+ EvpMdFinal (EvpMdContext, NULL);
+ return FALSE;
+ }
+
+ Result = EvpMdFinal (EvpMdContext, HashValue);
+
+ return Result;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c

b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c

new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c

b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c

new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD

use.

+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-

terminated ASCII string.

+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be

digested.

+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be

hashed.

+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest

value.

+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}

Thanks,
Laszlo

Hello Christopher,

On 09/16/20 02:59, Zurcher, Christopher J wrote:

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2545

The EVP interface should be used in place of discrete digest function
calls.

Cc: Laszlo Ersek <lersek@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@...>
---
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
CryptoPkg/Include/Library/BaseCryptLib.h | 129 ++++++++++
CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c | 257 ++++++++++++++++++++
CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c | 128 ++++++++++
CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c | 128 ++++++++++
9 files changed, 647 insertions(+)

I agree that "CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c"
is necessary. (If I understand correctly, that file was missing from
your v2 posting.)

But "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c" seems
superfluous. This file is never referenced in the INF files.

The point of this file would be to allow *some* of the Base / Pei /
Runtime / Smm instances to "stub out" the EVP MD functions (i.e. provide
only stub implementations). But this isn't what's happening -- all of
the Base / Pei / Runtime / Smm instances are getting the real deal
("CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c").

(1) So I think "CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c"
should be dropped. Only the Null instance of the library needs null
versions of the new functions. The Base / Pei / Runtime / Smm instances
don't.

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 4aae2aba95..3968f29412 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -50,6 +50,7 @@
Pk/CryptAuthenticode.c
Pk/CryptTs.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index dc28e3a11d..d0b91716d0 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -57,6 +57,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 5005beed02..9f3accd35b 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -56,6 +56,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/TimerWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 91ec3e03bf..420623cdc6 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -54,6 +54,7 @@
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPem.c
+ Evp/CryptEvpMd.c

SysCall/CrtWrapper.c
SysCall/ConstantTimeClock.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 689af4fedd..542ac2e2e1 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -50,6 +50,7 @@
Pk/CryptTsNull.c
Pem/CryptPemNull.c
Rand/CryptRandNull.c
+ Evp/CryptEvpMdNull.c

[Packages]
MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index ae9bde9e37..5e1b408b54 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1012,6 +1012,135 @@ HmacSha256Final (
OUT UINT8 *HmacValue
);

+//=====================================================================================
+// EVP (Envelope) Primitive
+//=====================================================================================
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD use.
+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-terminated ASCII string.
+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and initialized.
+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ );
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ );
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ EVP_MD context should be already correctly initialized by EvpMdInit(), and should not
+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be digested.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the EVP context cannot
+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and should
+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest value.

(2) Please extend the comment on Digest with the following:

The caller is responsible for providing enough storage for the digest
algorithm selected with EvpMdInit(). Providing EVP_MAX_MD_SIZE bytes
will suffice for storing the digest regardless of the algorithm chosen
in EvpMdInit().

(EVP_MAX_MD_SIZE is a public OpenSSL macro and I think we should openly
advertise it to consumers in edk2.)

+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue

(3) DigestValue should be marked OPTIONAL in my opinion, as NULL is
deliberately permitted (for just freeing the context).

+ );
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest value.
+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ );
+
//=====================================================================================
// Symmetric Cryptography Primitive
//=====================================================================================
diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c
new file mode 100644
index 0000000000..b2770a9186
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c
@@ -0,0 +1,257 @@
+/** @file
+ EVP MD Wrapper Implementation for OpenSSL.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/evp.h>
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD use.
+
+ If DigestName is NULL, then return FALSE.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-terminated ASCII string.
+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return Pointer to the EVP_MD_CTX context that has been allocated and initialized.
+ If DigestName is invalid, returns NULL.
+ If the allocations fails, returns NULL.
+ If initialization fails, returns NULL.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ EVP_MD *Digest;
+ VOID *EvpMdContext;
+
+ //
+ // Check input parameters.
+ //
+ if (DigestName == NULL) {
+ return NULL;
+ }
+
+ //
+ // Allocate EVP_MD_CTX Context
+ //
+ EvpMdContext = EVP_MD_CTX_new ();
+ if (EvpMdContext == NULL) {
+ return NULL;
+ }
+
+ Digest = EVP_get_digestbyname (DigestName);

I think this may not compile with gcc (and correctly so). The pointer
returned by EVP_get_digestbyname() is const-qualified, but with the
assignment, we're throwing away the const-ness.

(4) Please const-qualify the "Digest" local pointer.

+ if (Digest == NULL) {
+ return NULL;
+ }

(5) This is a memory leak I believe; "EvpMdContext" is leaked.

For keeping the control flow simple, consider moving
EVP_get_digestbyname() above EVP_MD_CTX_new().

+
+ //
+ // Initialize Context
+ //
+ if (EVP_DigestInit_ex (EvpMdContext, Digest, NULL) != 1) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return NULL;
+ }
+
+ return EvpMdContext;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If NewEvpMdContext is NULL, then return FALSE.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval TRUE EVP_MD context copy succeeded.
+ @retval FALSE EVP_MD context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL || NewEvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ if (EVP_MD_CTX_copy (NewEvpMdContext, EvpMdContext) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}

(6) Can you please confirm that the caller is supposed to initialize
"NewEvpMdContext" with EvpMdInit() first, before calling EvpMdDuplicate()?

+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ This function performs EVP digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ EVP_MD context should be already correctly initialized by EvpMdInit(), and should not
+ be finalized by EvpMdFinal(). Behavior with invalid context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be digested.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE EVP data digest succeeded.
+ @retval FALSE EVP data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ //
+ // Check invalid parameters, in case only DataLength was checked in OpenSSL
+ //
+ if (Data == NULL && DataSize != 0) {
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest update
+ //
+ if (EVP_DigestUpdate (EvpMdContext, Data, DataSize) != 1) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ This function completes EVP hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the EVP context cannot
+ be used again.
+ EVP context should be already correctly initialized by EvpMdInit(), and should
+ not be finalized by EvpMdFinal(). Behavior with invalid EVP context is undefined.
+
+ If EvpMdContext is NULL, then return FALSE.
+ If DigestValue is NULL, free the Context then return FALSE.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest value.
+
+ @retval TRUE EVP digest computation succeeded.
+ @retval FALSE EVP digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ UINT32 Length;
+ BOOLEAN ReturnValue;
+
+ ReturnValue = TRUE;
+
+ //
+ // Check input parameters.
+ //
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+ if (DigestValue == NULL) {
+ EVP_MD_CTX_free (EvpMdContext);
+ return FALSE;
+ }
+
+ //
+ // OpenSSL EVP digest finalization
+ //
+ if (EVP_DigestFinal_ex (EvpMdContext, DigestValue, &Length) != 1) {
+ ReturnValue = FALSE;
+ }

(7) I suggest dropping the "Length" local variable. EVP_DigestFinal_ex()
deals fine with the third parameter being NULL, according to the docs
(and the code).

+
+ //
+ // Free OpenSSL EVP_MD_CTX Context
+ //
+ EVP_MD_CTX_free (EvpMdContext);
+
+ return ReturnValue;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ This function performs the message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If DigestName is NULL, return FALSE.
+ If Data is NULL and DataSize is not zero, return FALSE.
+ If HashValue is NULL, return FALSE.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest value.
+
+ @retval TRUE Digest computation succeeded.
+ @retval FALSE Digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ BOOLEAN Result;
+ VOID *EvpMdContext;
+
+ EvpMdContext = EvpMdInit (DigestName);
+ if (EvpMdContext == NULL) {
+ return FALSE;
+ }
+
+ Result = EvpMdUpdate (EvpMdContext, Data, DataSize);
+ if (Result == FALSE) {

(8) Style: please write (!Result).

+ EvpMdFinal (EvpMdContext, NULL);
+ return FALSE;
+ }
+
+ Result = EvpMdFinal (EvpMdContext, HashValue);
+
+ return Result;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c
new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-terminated ASCII string.
+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be digested.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest value.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest value.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c
new file mode 100644
index 0000000000..038f63801f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibNull/Evp/CryptEvpMdNull.c
@@ -0,0 +1,128 @@
+/** @file
+ EVP MD Wrapper Null Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name as a NULL-terminated ASCII string.
+ Valid digest names are:
+ MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ SHA3-224, SHA3-256, SHA3-384, SHA3-512
+ SM3
+
+ @return NULL This interface is not supported.
+
+**/
+VOID *
+EFIAPI
+EvpMdInit (
+ IN CONST CHAR8 *DigestName
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Makes a copy of an existing EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] EvpMdContext Pointer to EVP_MD context being copied.
+ @param[out] NewEvpMdContext Pointer to new EVP_MD context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdDuplicate (
+ IN CONST VOID *EvpMdContext,
+ OUT VOID *NewEvpMdContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates EVP_MD context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP_MD context.
+ @param[in] Data Pointer to the buffer containing the data to be digested.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdUpdate (
+ IN OUT VOID *EvpMdContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the EVP digest value.
+ Releases the specified EVP_MD_CTX context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] EvpMdContext Pointer to the EVP context.
+ @param[out] Digest Pointer to a buffer that receives the EVP digest value.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdFinal (
+ IN OUT VOID *EvpMdContext,
+ OUT UINT8 *DigestValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the message digest of an input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] DigestName Pointer to the digest name.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the digest value.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EvpMdHashAll (
+ IN CONST CHAR8 *DigestName,
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}

Thanks,
Laszlo

IncLines as empty list for the case when InputHeaderFile is not specified.

Cc: Chasel Chiu <chasel.chiu@...>
Cc: Nate DeSimone <nathaniel.l.desimone@...>
Cc: Star Zeng <star.zeng@...>
Signed-off-by: Liming Gao <gaoliming@...>
---
IntelFsp2Pkg/Tools/GenCfgOpt.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/IntelFsp2Pkg/Tools/GenCfgOpt.py b/IntelFsp2Pkg/Tools/GenCfgOpt.py
index e9de128e..bcced590 100644
--- a/IntelFsp2Pkg/Tools/GenCfgOpt.py
+++ b/IntelFsp2Pkg/Tools/GenCfgOpt.py
@@ -1177,6 +1177,7 @@ EndList
UpdSignatureCheck = ['FSPT_UPD_SIGNATURE', 'FSPM_UPD_SIGNATURE', 'FSPS_UPD_SIGNATURE']
ExcludedSpecificUpd = ['FSPT_ARCH_UPD', 'FSPM_ARCH_UPD', 'FSPS_ARCH_UPD']

+ IncLines = []
if InputHeaderFile != '':
if not os.path.exists(InputHeaderFile):
self.Error = "Input header file '%s' does not exist" % InputHeaderFile
--
2.27.0.windows.1

Patch is merged.

The pull request was
https://github.com/tianocore/edk2/pull/930
and the commit range is a62fb4229d14..7bcb021a6d54.

Thank you
Yao Jiewen

Hi Laszlo
Thanks. I agree 1, 2, 3. I take the blame. It is my fault.

For 4, it is out of my scope. I cannot find this by my eyes. Everything works well on my side.
Can we improve patch checker to catch this in CI ?
I don’t think I can find any Unicode in code or commit message easily.
I prefer to let a tool to do that work.

Thank you
Yao Jiewen

Hi Zurcher,

[Jiewen] Since you also add other sha (sha1, sha512) and aesni, I think those
need unit test for them too.

Can you update the status about it?

[Jiewen] I think we need support build with GCC and LLVM, and with X64.

It is better to support the GCC and LLVM.

Thanks
Guomin

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
Jiewen
Sent: Tuesday, August 25, 2020 7:36 AM
To: Zurcher, Christopher J <christopher.j.zurcher@...>;
devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX
<xiaoyux.lu@...>; Ard Biesheuvel <ard.biesheuvel@...>
Subject: Re: [edk2-devel] [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native
instruction support for X64

Below:

-----Original Message-----
From: Zurcher, Christopher J <christopher.j.zurcher@...>
Sent: Tuesday, August 25, 2020 5:26 AM
To: devel@edk2.groups.io; Zurcher, Christopher J
<christopher.j.zurcher@...>; Yao, Jiewen <jiewen.yao@...>
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX

<xiaoyux.lu@...>;

Ard Biesheuvel <ard.biesheuvel@...>
Subject: RE: [edk2-devel] [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native
instruction support for X64

1) I have confirmed that the ApiHooks.c file is still required even without

the AVX

instructions included. The x86_64 assembly files in OpenSSL set a flag called
$win64 and automatically include calls to the RtlVirtualUnwind function if

NASM

is selected as the assembler scheme.

https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-
rtlvirtualunwind

I have submitted an issue against OpenSSL since I don't think using the

NASM

assembler should force the inclusion of Windows-specific API hooks, but

that

change cannot be made in OpenSSL 1.1.1 and we will have to wait for

OpenSSL 3

or later to remove the stub function.

https://github.com/openssl/openssl/issues/12712

[Jiewen] Thanks.

2) So far I have only built with VS.

[Jiewen] I think we need support build with GCC and LLVM, and with X64.

3) The X64 SHA256 implementation was successfully exercised across a

large

number of devices in a production environment as a verification step in a

multi-

GB data transfer scenario.

[Jiewen] Since you also add other sha (sha1, sha512) and aesni, I think those
need unit test for them too.

Thanks,
Christopher Zurcher

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of

Zurcher,

Christopher J
Sent: Tuesday, August 18, 2020 15:50
To: Yao, Jiewen <jiewen.yao@...>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX

<xiaoyux.lu@...>;

Ard Biesheuvel <ard.biesheuvel@...>
Subject: Re: [edk2-devel] [PATCH v2 1/2] CryptoPkg/OpensslLib: Add

native

instruction support for X64

After further review, the ApiHooks.c file may no longer be needed since

we

are no longer including the AVX instructions. I will look over the
dependencies and send a new patch set if I can eliminate the API hooks

file.

Thanks,
Christopher Zurcher

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@...>
Sent: Thursday, August 13, 2020 08:04
To: Zurcher, Christopher J <christopher.j.zurcher@...>;
devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX

<xiaoyux.lu@...>;

Ard Biesheuvel <ard.biesheuvel@...>
Subject: RE: [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native

instruction

support for X64

Hi Christopher
Thanks.

1) Would you please help me understand more on "ApiHooks.c contains

a

stub

function for a Windows API call" ?
Why we need this?
If it is compiler specific in openssl, should we submit patch to openssl to
exclude this with OPENSSL_SYS_UEFI? That should be a cleaner solution

for

UEFI.

2) Would you please describe what compiler you have tried? VS? GCC?

LLVM?

3) Would you please describe what unit test you have done?

Thank you
Yao Jiewen

-----Original Message-----
From: Zurcher, Christopher J <christopher.j.zurcher@...>
Sent: Tuesday, August 4, 2020 8:24 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen <jiewen.yao@...>; Wang, Jian J

<jian.j.wang@...>;

Lu, XiaoyuX <xiaoyux.lu@...>; Ard Biesheuvel

<ard.biesheuvel@...>

Subject: [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native instruction

support

for X64

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507

Adding OpensslLibX64.inf and modifying process_files.pl to process

this

file and generate the necessary assembly files.
ApiHooks.c contains a stub function for a Windows API call.
uefi-asm.conf contains the limited assembly configurations for

OpenSSL.

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Signed-off-by: Christopher J Zurcher

<christopher.j.zurcher@...>

---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLibX64.inf | 656
++++++++++++++++++++
CryptoPkg/Library/Include/openssl/opensslconf.h | 3 -
CryptoPkg/Library/OpensslLib/ApiHooks.c | 18 +
CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c | 34 +
CryptoPkg/Library/OpensslLib/process_files.pl | 223 +++++--
CryptoPkg/Library/OpensslLib/uefi-asm.conf | 15 +
8 files changed, 903 insertions(+), 50 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbbe5386a1..bd62d86936 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -16,7 +16,7 @@
VERSION_STRING = 1.0

LIBRARY_CLASS = OpensslLib

DEFINE OPENSSL_PATH = openssl

- DEFINE OPENSSL_FLAGS = -DL_ENDIAN -

DOPENSSL_SMALL_FOOTPRINT

-D_CRT_SECURE_NO_DEPRECATE -

D_CRT_NONSTDC_NO_DEPRECATE

+ DEFINE OPENSSL_FLAGS = -DL_ENDIAN -

DOPENSSL_SMALL_FOOTPRINT

-D_CRT_SECURE_NO_DEPRECATE -

D_CRT_NONSTDC_NO_DEPRECATE -

DOPENSSL_NO_ASM



#

# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 616ccd9f62..2b7324a990 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -16,7 +16,7 @@
VERSION_STRING = 1.0

LIBRARY_CLASS = OpensslLib

DEFINE OPENSSL_PATH = openssl

- DEFINE OPENSSL_FLAGS = -DL_ENDIAN -

DOPENSSL_SMALL_FOOTPRINT

-D_CRT_SECURE_NO_DEPRECATE -

D_CRT_NONSTDC_NO_DEPRECATE

+ DEFINE OPENSSL_FLAGS = -DL_ENDIAN -

DOPENSSL_SMALL_FOOTPRINT

-D_CRT_SECURE_NO_DEPRECATE -

D_CRT_NONSTDC_NO_DEPRECATE -

DOPENSSL_NO_ASM



#

# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
new file mode 100644
index 0000000000..825eea0254
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
@@ -0,0 +1,656 @@
+## @file

+# This module provides OpenSSL Library implementation.

+#

+# Copyright (c) 2010 - 2020, Intel Corporation. All rights

reserved.<BR>

+# (C) Copyright 2020 Hewlett Packard Enterprise Development

LP<BR>

+# SPDX-License-Identifier: BSD-2-Clause-Patent

+#

+##

+

+[Defines]

+ INF_VERSION = 0x00010005

+ BASE_NAME = OpensslLibX64

+ MODULE_UNI_FILE = OpensslLib.uni

+ FILE_GUID = 18125E50-0117-4DD0-BE54-4784AD995FEF

+ MODULE_TYPE = BASE

+ VERSION_STRING = 1.0

+ LIBRARY_CLASS = OpensslLib

+ DEFINE OPENSSL_PATH = openssl

+ DEFINE OPENSSL_FLAGS = -DL_ENDIAN -

DOPENSSL_SMALL_FOOTPRINT

-D_CRT_SECURE_NO_DEPRECATE -

D_CRT_NONSTDC_NO_DEPRECATE

+ DEFINE OPENSSL_FLAGS_CONFIG = -DOPENSSL_CPUID_OBJ -

DSHA1_ASM -

DSHA256_ASM -DSHA512_ASM -DAESNI_ASM -DVPAES_ASM -

DGHASH_ASM

+ CONSTRUCTOR = OpensslLibConstructor

+

+#

+# VALID_ARCHITECTURES = X64

+#

+

+[Sources]

+ OpensslLibConstructor.c

+ $(OPENSSL_PATH)/e_os.h

+ $(OPENSSL_PATH)/ms/uplink.h

+# Autogenerated files list starts here

+ X64/crypto/aes/aesni-mb-x86_64.nasm

+ X64/crypto/aes/aesni-sha1-x86_64.nasm

+ X64/crypto/aes/aesni-sha256-x86_64.nasm

+ X64/crypto/aes/aesni-x86_64.nasm

+ X64/crypto/aes/vpaes-x86_64.nasm

+ X64/crypto/modes/ghash-x86_64.nasm

+ X64/crypto/sha/sha1-mb-x86_64.nasm

+ X64/crypto/sha/sha1-x86_64.nasm

+ X64/crypto/sha/sha256-mb-x86_64.nasm

+ X64/crypto/sha/sha256-x86_64.nasm

+ X64/crypto/sha/sha512-x86_64.nasm

+ X64/crypto/x86_64cpuid.nasm

+ $(OPENSSL_PATH)/crypto/aes/aes_cbc.c

+ $(OPENSSL_PATH)/crypto/aes/aes_cfb.c

+ $(OPENSSL_PATH)/crypto/aes/aes_core.c

+ $(OPENSSL_PATH)/crypto/aes/aes_ige.c

+ $(OPENSSL_PATH)/crypto/aes/aes_misc.c

+ $(OPENSSL_PATH)/crypto/aes/aes_ofb.c

+ $(OPENSSL_PATH)/crypto/aes/aes_wrap.c

+ $(OPENSSL_PATH)/crypto/aria/aria.c

+ $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c

+ $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c

+ $(OPENSSL_PATH)/crypto/asn1/a_digest.c

+ $(OPENSSL_PATH)/crypto/asn1/a_dup.c

+ $(OPENSSL_PATH)/crypto/asn1/a_gentm.c

+ $(OPENSSL_PATH)/crypto/asn1/a_i2d_fp.c

+ $(OPENSSL_PATH)/crypto/asn1/a_int.c

+ $(OPENSSL_PATH)/crypto/asn1/a_mbstr.c

+ $(OPENSSL_PATH)/crypto/asn1/a_object.c

+ $(OPENSSL_PATH)/crypto/asn1/a_octet.c

+ $(OPENSSL_PATH)/crypto/asn1/a_print.c

+ $(OPENSSL_PATH)/crypto/asn1/a_sign.c

+ $(OPENSSL_PATH)/crypto/asn1/a_strex.c

+ $(OPENSSL_PATH)/crypto/asn1/a_strnid.c

+ $(OPENSSL_PATH)/crypto/asn1/a_time.c

+ $(OPENSSL_PATH)/crypto/asn1/a_type.c

+ $(OPENSSL_PATH)/crypto/asn1/a_utctm.c

+ $(OPENSSL_PATH)/crypto/asn1/a_utf8.c

+ $(OPENSSL_PATH)/crypto/asn1/a_verify.c

+ $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c

+ $(OPENSSL_PATH)/crypto/asn1/asn1_err.c

+ $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c

+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c

+ $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c

+ $(OPENSSL_PATH)/crypto/asn1/asn1_par.c

+ $(OPENSSL_PATH)/crypto/asn1/asn_mime.c

+ $(OPENSSL_PATH)/crypto/asn1/asn_moid.c

+ $(OPENSSL_PATH)/crypto/asn1/asn_mstbl.c

+ $(OPENSSL_PATH)/crypto/asn1/asn_pack.c

+ $(OPENSSL_PATH)/crypto/asn1/bio_asn1.c

+ $(OPENSSL_PATH)/crypto/asn1/bio_ndef.c

+ $(OPENSSL_PATH)/crypto/asn1/d2i_pr.c

+ $(OPENSSL_PATH)/crypto/asn1/d2i_pu.c

+ $(OPENSSL_PATH)/crypto/asn1/evp_asn1.c

+ $(OPENSSL_PATH)/crypto/asn1/f_int.c

+ $(OPENSSL_PATH)/crypto/asn1/f_string.c

+ $(OPENSSL_PATH)/crypto/asn1/i2d_pr.c

+ $(OPENSSL_PATH)/crypto/asn1/i2d_pu.c

+ $(OPENSSL_PATH)/crypto/asn1/n_pkey.c

+ $(OPENSSL_PATH)/crypto/asn1/nsseq.c

+ $(OPENSSL_PATH)/crypto/asn1/p5_pbe.c

+ $(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c

+ $(OPENSSL_PATH)/crypto/asn1/p5_scrypt.c

+ $(OPENSSL_PATH)/crypto/asn1/p8_pkey.c

+ $(OPENSSL_PATH)/crypto/asn1/t_bitst.c

+ $(OPENSSL_PATH)/crypto/asn1/t_pkey.c

+ $(OPENSSL_PATH)/crypto/asn1/t_spki.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_dec.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_enc.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_fre.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_new.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_prn.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_scn.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_typ.c

+ $(OPENSSL_PATH)/crypto/asn1/tasn_utl.c

+ $(OPENSSL_PATH)/crypto/asn1/x_algor.c

+ $(OPENSSL_PATH)/crypto/asn1/x_bignum.c

+ $(OPENSSL_PATH)/crypto/asn1/x_info.c

+ $(OPENSSL_PATH)/crypto/asn1/x_int64.c

+ $(OPENSSL_PATH)/crypto/asn1/x_long.c

+ $(OPENSSL_PATH)/crypto/asn1/x_pkey.c

+ $(OPENSSL_PATH)/crypto/asn1/x_sig.c

+ $(OPENSSL_PATH)/crypto/asn1/x_spki.c

+ $(OPENSSL_PATH)/crypto/asn1/x_val.c

+ $(OPENSSL_PATH)/crypto/async/arch/async_null.c

+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.c

+ $(OPENSSL_PATH)/crypto/async/arch/async_win.c

+ $(OPENSSL_PATH)/crypto/async/async.c

+ $(OPENSSL_PATH)/crypto/async/async_err.c

+ $(OPENSSL_PATH)/crypto/async/async_wait.c

+ $(OPENSSL_PATH)/crypto/bio/b_addr.c

+ $(OPENSSL_PATH)/crypto/bio/b_dump.c

+ $(OPENSSL_PATH)/crypto/bio/b_sock.c

+ $(OPENSSL_PATH)/crypto/bio/b_sock2.c

+ $(OPENSSL_PATH)/crypto/bio/bf_buff.c

+ $(OPENSSL_PATH)/crypto/bio/bf_lbuf.c

+ $(OPENSSL_PATH)/crypto/bio/bf_nbio.c

+ $(OPENSSL_PATH)/crypto/bio/bf_null.c

+ $(OPENSSL_PATH)/crypto/bio/bio_cb.c

+ $(OPENSSL_PATH)/crypto/bio/bio_err.c

+ $(OPENSSL_PATH)/crypto/bio/bio_lib.c

+ $(OPENSSL_PATH)/crypto/bio/bio_meth.c

+ $(OPENSSL_PATH)/crypto/bio/bss_acpt.c

+ $(OPENSSL_PATH)/crypto/bio/bss_bio.c

+ $(OPENSSL_PATH)/crypto/bio/bss_conn.c

+ $(OPENSSL_PATH)/crypto/bio/bss_dgram.c

+ $(OPENSSL_PATH)/crypto/bio/bss_fd.c

+ $(OPENSSL_PATH)/crypto/bio/bss_file.c

+ $(OPENSSL_PATH)/crypto/bio/bss_log.c

+ $(OPENSSL_PATH)/crypto/bio/bss_mem.c

+ $(OPENSSL_PATH)/crypto/bio/bss_null.c

+ $(OPENSSL_PATH)/crypto/bio/bss_sock.c

+ $(OPENSSL_PATH)/crypto/bn/bn_add.c

+ $(OPENSSL_PATH)/crypto/bn/bn_asm.c

+ $(OPENSSL_PATH)/crypto/bn/bn_blind.c

+ $(OPENSSL_PATH)/crypto/bn/bn_const.c

+ $(OPENSSL_PATH)/crypto/bn/bn_ctx.c

+ $(OPENSSL_PATH)/crypto/bn/bn_depr.c

+ $(OPENSSL_PATH)/crypto/bn/bn_dh.c

+ $(OPENSSL_PATH)/crypto/bn/bn_div.c

+ $(OPENSSL_PATH)/crypto/bn/bn_err.c

+ $(OPENSSL_PATH)/crypto/bn/bn_exp.c

+ $(OPENSSL_PATH)/crypto/bn/bn_exp2.c

+ $(OPENSSL_PATH)/crypto/bn/bn_gcd.c

+ $(OPENSSL_PATH)/crypto/bn/bn_gf2m.c

+ $(OPENSSL_PATH)/crypto/bn/bn_intern.c

+ $(OPENSSL_PATH)/crypto/bn/bn_kron.c

+ $(OPENSSL_PATH)/crypto/bn/bn_lib.c

+ $(OPENSSL_PATH)/crypto/bn/bn_mod.c

+ $(OPENSSL_PATH)/crypto/bn/bn_mont.c

+ $(OPENSSL_PATH)/crypto/bn/bn_mpi.c

+ $(OPENSSL_PATH)/crypto/bn/bn_mul.c

+ $(OPENSSL_PATH)/crypto/bn/bn_nist.c

+ $(OPENSSL_PATH)/crypto/bn/bn_prime.c

+ $(OPENSSL_PATH)/crypto/bn/bn_print.c

+ $(OPENSSL_PATH)/crypto/bn/bn_rand.c

+ $(OPENSSL_PATH)/crypto/bn/bn_recp.c

+ $(OPENSSL_PATH)/crypto/bn/bn_shift.c

+ $(OPENSSL_PATH)/crypto/bn/bn_sqr.c

+ $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c

+ $(OPENSSL_PATH)/crypto/bn/bn_srp.c

+ $(OPENSSL_PATH)/crypto/bn/bn_word.c

+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c

+ $(OPENSSL_PATH)/crypto/buffer/buf_err.c

+ $(OPENSSL_PATH)/crypto/buffer/buffer.c

+ $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c

+ $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c

+ $(OPENSSL_PATH)/crypto/cmac/cmac.c

+ $(OPENSSL_PATH)/crypto/comp/c_zlib.c

+ $(OPENSSL_PATH)/crypto/comp/comp_err.c

+ $(OPENSSL_PATH)/crypto/comp/comp_lib.c

+ $(OPENSSL_PATH)/crypto/conf/conf_api.c

+ $(OPENSSL_PATH)/crypto/conf/conf_def.c

+ $(OPENSSL_PATH)/crypto/conf/conf_err.c

+ $(OPENSSL_PATH)/crypto/conf/conf_lib.c

+ $(OPENSSL_PATH)/crypto/conf/conf_mall.c

+ $(OPENSSL_PATH)/crypto/conf/conf_mod.c

+ $(OPENSSL_PATH)/crypto/conf/conf_sap.c

+ $(OPENSSL_PATH)/crypto/conf/conf_ssl.c

+ $(OPENSSL_PATH)/crypto/cpt_err.c

+ $(OPENSSL_PATH)/crypto/cryptlib.c

+ $(OPENSSL_PATH)/crypto/ctype.c

+ $(OPENSSL_PATH)/crypto/cversion.c

+ $(OPENSSL_PATH)/crypto/dh/dh_ameth.c

+ $(OPENSSL_PATH)/crypto/dh/dh_asn1.c

+ $(OPENSSL_PATH)/crypto/dh/dh_check.c

+ $(OPENSSL_PATH)/crypto/dh/dh_depr.c

+ $(OPENSSL_PATH)/crypto/dh/dh_err.c

+ $(OPENSSL_PATH)/crypto/dh/dh_gen.c

+ $(OPENSSL_PATH)/crypto/dh/dh_kdf.c

+ $(OPENSSL_PATH)/crypto/dh/dh_key.c

+ $(OPENSSL_PATH)/crypto/dh/dh_lib.c

+ $(OPENSSL_PATH)/crypto/dh/dh_meth.c

+ $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c

+ $(OPENSSL_PATH)/crypto/dh/dh_prn.c

+ $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c

+ $(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c

+ $(OPENSSL_PATH)/crypto/dso/dso_dl.c

+ $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c

+ $(OPENSSL_PATH)/crypto/dso/dso_err.c

+ $(OPENSSL_PATH)/crypto/dso/dso_lib.c

+ $(OPENSSL_PATH)/crypto/dso/dso_openssl.c

+ $(OPENSSL_PATH)/crypto/dso/dso_vms.c

+ $(OPENSSL_PATH)/crypto/dso/dso_win32.c

+ $(OPENSSL_PATH)/crypto/ebcdic.c

+ $(OPENSSL_PATH)/crypto/err/err.c

+ $(OPENSSL_PATH)/crypto/err/err_prn.c

+ $(OPENSSL_PATH)/crypto/evp/bio_b64.c

+ $(OPENSSL_PATH)/crypto/evp/bio_enc.c

+ $(OPENSSL_PATH)/crypto/evp/bio_md.c

+ $(OPENSSL_PATH)/crypto/evp/bio_ok.c

+ $(OPENSSL_PATH)/crypto/evp/c_allc.c

+ $(OPENSSL_PATH)/crypto/evp/c_alld.c

+ $(OPENSSL_PATH)/crypto/evp/cmeth_lib.c

+ $(OPENSSL_PATH)/crypto/evp/digest.c

+ $(OPENSSL_PATH)/crypto/evp/e_aes.c

+ $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c

+ $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c

+ $(OPENSSL_PATH)/crypto/evp/e_aria.c

+ $(OPENSSL_PATH)/crypto/evp/e_bf.c

+ $(OPENSSL_PATH)/crypto/evp/e_camellia.c

+ $(OPENSSL_PATH)/crypto/evp/e_cast.c

+ $(OPENSSL_PATH)/crypto/evp/e_chacha20_poly1305.c

+ $(OPENSSL_PATH)/crypto/evp/e_des.c

+ $(OPENSSL_PATH)/crypto/evp/e_des3.c

+ $(OPENSSL_PATH)/crypto/evp/e_idea.c

+ $(OPENSSL_PATH)/crypto/evp/e_null.c

+ $(OPENSSL_PATH)/crypto/evp/e_old.c

+ $(OPENSSL_PATH)/crypto/evp/e_rc2.c

+ $(OPENSSL_PATH)/crypto/evp/e_rc4.c

+ $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c

+ $(OPENSSL_PATH)/crypto/evp/e_rc5.c

+ $(OPENSSL_PATH)/crypto/evp/e_seed.c

+ $(OPENSSL_PATH)/crypto/evp/e_sm4.c

+ $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c

+ $(OPENSSL_PATH)/crypto/evp/encode.c

+ $(OPENSSL_PATH)/crypto/evp/evp_cnf.c

+ $(OPENSSL_PATH)/crypto/evp/evp_enc.c

+ $(OPENSSL_PATH)/crypto/evp/evp_err.c

+ $(OPENSSL_PATH)/crypto/evp/evp_key.c

+ $(OPENSSL_PATH)/crypto/evp/evp_lib.c

+ $(OPENSSL_PATH)/crypto/evp/evp_pbe.c

+ $(OPENSSL_PATH)/crypto/evp/evp_pkey.c

+ $(OPENSSL_PATH)/crypto/evp/m_md2.c

+ $(OPENSSL_PATH)/crypto/evp/m_md4.c

+ $(OPENSSL_PATH)/crypto/evp/m_md5.c

+ $(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c

+ $(OPENSSL_PATH)/crypto/evp/m_mdc2.c

+ $(OPENSSL_PATH)/crypto/evp/m_null.c

+ $(OPENSSL_PATH)/crypto/evp/m_ripemd.c

+ $(OPENSSL_PATH)/crypto/evp/m_sha1.c

+ $(OPENSSL_PATH)/crypto/evp/m_sha3.c

+ $(OPENSSL_PATH)/crypto/evp/m_sigver.c

+ $(OPENSSL_PATH)/crypto/evp/m_wp.c

+ $(OPENSSL_PATH)/crypto/evp/names.c

+ $(OPENSSL_PATH)/crypto/evp/p5_crpt.c

+ $(OPENSSL_PATH)/crypto/evp/p5_crpt2.c

+ $(OPENSSL_PATH)/crypto/evp/p_dec.c

+ $(OPENSSL_PATH)/crypto/evp/p_enc.c

+ $(OPENSSL_PATH)/crypto/evp/p_lib.c

+ $(OPENSSL_PATH)/crypto/evp/p_open.c

+ $(OPENSSL_PATH)/crypto/evp/p_seal.c

+ $(OPENSSL_PATH)/crypto/evp/p_sign.c

+ $(OPENSSL_PATH)/crypto/evp/p_verify.c

+ $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c

+ $(OPENSSL_PATH)/crypto/evp/pmeth_fn.c

+ $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c

+ $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c

+ $(OPENSSL_PATH)/crypto/ex_data.c

+ $(OPENSSL_PATH)/crypto/getenv.c

+ $(OPENSSL_PATH)/crypto/hmac/hm_ameth.c

+ $(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c

+ $(OPENSSL_PATH)/crypto/hmac/hmac.c

+ $(OPENSSL_PATH)/crypto/init.c

+ $(OPENSSL_PATH)/crypto/kdf/hkdf.c

+ $(OPENSSL_PATH)/crypto/kdf/kdf_err.c

+ $(OPENSSL_PATH)/crypto/kdf/scrypt.c

+ $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c

+ $(OPENSSL_PATH)/crypto/lhash/lh_stats.c

+ $(OPENSSL_PATH)/crypto/lhash/lhash.c

+ $(OPENSSL_PATH)/crypto/md5/md5_dgst.c

+ $(OPENSSL_PATH)/crypto/md5/md5_one.c

+ $(OPENSSL_PATH)/crypto/mem.c

+ $(OPENSSL_PATH)/crypto/mem_dbg.c

+ $(OPENSSL_PATH)/crypto/mem_sec.c

+ $(OPENSSL_PATH)/crypto/modes/cbc128.c

+ $(OPENSSL_PATH)/crypto/modes/ccm128.c

+ $(OPENSSL_PATH)/crypto/modes/cfb128.c

+ $(OPENSSL_PATH)/crypto/modes/ctr128.c

+ $(OPENSSL_PATH)/crypto/modes/cts128.c

+ $(OPENSSL_PATH)/crypto/modes/gcm128.c

+ $(OPENSSL_PATH)/crypto/modes/ocb128.c

+ $(OPENSSL_PATH)/crypto/modes/ofb128.c

+ $(OPENSSL_PATH)/crypto/modes/wrap128.c

+ $(OPENSSL_PATH)/crypto/modes/xts128.c

+ $(OPENSSL_PATH)/crypto/o_dir.c

+ $(OPENSSL_PATH)/crypto/o_fips.c

+ $(OPENSSL_PATH)/crypto/o_fopen.c

+ $(OPENSSL_PATH)/crypto/o_init.c

+ $(OPENSSL_PATH)/crypto/o_str.c

+ $(OPENSSL_PATH)/crypto/o_time.c

+ $(OPENSSL_PATH)/crypto/objects/o_names.c

+ $(OPENSSL_PATH)/crypto/objects/obj_dat.c

+ $(OPENSSL_PATH)/crypto/objects/obj_err.c

+ $(OPENSSL_PATH)/crypto/objects/obj_lib.c

+ $(OPENSSL_PATH)/crypto/objects/obj_xref.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c

+ $(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c

+ $(OPENSSL_PATH)/crypto/pem/pem_all.c

+ $(OPENSSL_PATH)/crypto/pem/pem_err.c

+ $(OPENSSL_PATH)/crypto/pem/pem_info.c

+ $(OPENSSL_PATH)/crypto/pem/pem_lib.c

+ $(OPENSSL_PATH)/crypto/pem/pem_oth.c

+ $(OPENSSL_PATH)/crypto/pem/pem_pk8.c

+ $(OPENSSL_PATH)/crypto/pem/pem_pkey.c

+ $(OPENSSL_PATH)/crypto/pem/pem_sign.c

+ $(OPENSSL_PATH)/crypto/pem/pem_x509.c

+ $(OPENSSL_PATH)/crypto/pem/pem_xaux.c

+ $(OPENSSL_PATH)/crypto/pem/pvkfmt.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_add.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_crpt.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_crt.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_init.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_key.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c

+ $(OPENSSL_PATH)/crypto/pkcs12/pk12err.c

+ $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_doit.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c

+ $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c

+ $(OPENSSL_PATH)/crypto/rand/drbg_ctr.c

+ $(OPENSSL_PATH)/crypto/rand/drbg_lib.c

+ $(OPENSSL_PATH)/crypto/rand/rand_egd.c

+ $(OPENSSL_PATH)/crypto/rand/rand_err.c

+ $(OPENSSL_PATH)/crypto/rand/rand_lib.c

+ $(OPENSSL_PATH)/crypto/rand/rand_unix.c

+ $(OPENSSL_PATH)/crypto/rand/rand_vms.c

+ $(OPENSSL_PATH)/crypto/rand/rand_win.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_depr.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_err.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_none.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_prn.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_pss.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_saos.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_sign.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c

+ $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c

+ $(OPENSSL_PATH)/crypto/sha/keccak1600.c

+ $(OPENSSL_PATH)/crypto/sha/sha1_one.c

+ $(OPENSSL_PATH)/crypto/sha/sha1dgst.c

+ $(OPENSSL_PATH)/crypto/sha/sha256.c

+ $(OPENSSL_PATH)/crypto/sha/sha512.c

+ $(OPENSSL_PATH)/crypto/siphash/siphash.c

+ $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c

+ $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c

+ $(OPENSSL_PATH)/crypto/sm3/m_sm3.c

+ $(OPENSSL_PATH)/crypto/sm3/sm3.c

+ $(OPENSSL_PATH)/crypto/sm4/sm4.c

+ $(OPENSSL_PATH)/crypto/stack/stack.c

+ $(OPENSSL_PATH)/crypto/threads_none.c

+ $(OPENSSL_PATH)/crypto/threads_pthread.c

+ $(OPENSSL_PATH)/crypto/threads_win.c

+ $(OPENSSL_PATH)/crypto/txt_db/txt_db.c

+ $(OPENSSL_PATH)/crypto/ui/ui_err.c

+ $(OPENSSL_PATH)/crypto/ui/ui_lib.c

+ $(OPENSSL_PATH)/crypto/ui/ui_null.c

+ $(OPENSSL_PATH)/crypto/ui/ui_openssl.c

+ $(OPENSSL_PATH)/crypto/ui/ui_util.c

+ $(OPENSSL_PATH)/crypto/uid.c

+ $(OPENSSL_PATH)/crypto/x509/by_dir.c

+ $(OPENSSL_PATH)/crypto/x509/by_file.c

+ $(OPENSSL_PATH)/crypto/x509/t_crl.c

+ $(OPENSSL_PATH)/crypto/x509/t_req.c

+ $(OPENSSL_PATH)/crypto/x509/t_x509.c

+ $(OPENSSL_PATH)/crypto/x509/x509_att.c

+ $(OPENSSL_PATH)/crypto/x509/x509_cmp.c

+ $(OPENSSL_PATH)/crypto/x509/x509_d2.c

+ $(OPENSSL_PATH)/crypto/x509/x509_def.c

+ $(OPENSSL_PATH)/crypto/x509/x509_err.c

+ $(OPENSSL_PATH)/crypto/x509/x509_ext.c

+ $(OPENSSL_PATH)/crypto/x509/x509_lu.c

+ $(OPENSSL_PATH)/crypto/x509/x509_meth.c

+ $(OPENSSL_PATH)/crypto/x509/x509_obj.c

+ $(OPENSSL_PATH)/crypto/x509/x509_r2x.c

+ $(OPENSSL_PATH)/crypto/x509/x509_req.c

+ $(OPENSSL_PATH)/crypto/x509/x509_set.c

+ $(OPENSSL_PATH)/crypto/x509/x509_trs.c

+ $(OPENSSL_PATH)/crypto/x509/x509_txt.c

+ $(OPENSSL_PATH)/crypto/x509/x509_v3.c

+ $(OPENSSL_PATH)/crypto/x509/x509_vfy.c

+ $(OPENSSL_PATH)/crypto/x509/x509_vpm.c

+ $(OPENSSL_PATH)/crypto/x509/x509cset.c

+ $(OPENSSL_PATH)/crypto/x509/x509name.c

+ $(OPENSSL_PATH)/crypto/x509/x509rset.c

+ $(OPENSSL_PATH)/crypto/x509/x509spki.c

+ $(OPENSSL_PATH)/crypto/x509/x509type.c

+ $(OPENSSL_PATH)/crypto/x509/x_all.c

+ $(OPENSSL_PATH)/crypto/x509/x_attrib.c

+ $(OPENSSL_PATH)/crypto/x509/x_crl.c

+ $(OPENSSL_PATH)/crypto/x509/x_exten.c

+ $(OPENSSL_PATH)/crypto/x509/x_name.c

+ $(OPENSSL_PATH)/crypto/x509/x_pubkey.c

+ $(OPENSSL_PATH)/crypto/x509/x_req.c

+ $(OPENSSL_PATH)/crypto/x509/x_x509.c

+ $(OPENSSL_PATH)/crypto/x509/x_x509a.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_data.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_map.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_node.c

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_addr.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_akey.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_alt.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_asid.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_bcons.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_bitst.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_conf.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_cpols.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_crld.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_enum.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_extku.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_genn.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_ia5.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_info.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_int.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_lib.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_ncons.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_pci.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_pcia.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_pcons.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_pku.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_pmaps.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_prn.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_purp.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_skey.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_sxnet.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c

+ $(OPENSSL_PATH)/crypto/x509v3/v3err.c

+ $(OPENSSL_PATH)/crypto/arm_arch.h

+ $(OPENSSL_PATH)/crypto/mips_arch.h

+ $(OPENSSL_PATH)/crypto/ppc_arch.h

+ $(OPENSSL_PATH)/crypto/s390x_arch.h

+ $(OPENSSL_PATH)/crypto/sparc_arch.h

+ $(OPENSSL_PATH)/crypto/vms_rms.h

+ $(OPENSSL_PATH)/crypto/aes/aes_local.h

+ $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h

+ $(OPENSSL_PATH)/crypto/asn1/asn1_local.h

+ $(OPENSSL_PATH)/crypto/asn1/charmap.h

+ $(OPENSSL_PATH)/crypto/asn1/standard_methods.h

+ $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h

+ $(OPENSSL_PATH)/crypto/async/async_local.h

+ $(OPENSSL_PATH)/crypto/async/arch/async_null.h

+ $(OPENSSL_PATH)/crypto/async/arch/async_posix.h

+ $(OPENSSL_PATH)/crypto/async/arch/async_win.h

+ $(OPENSSL_PATH)/crypto/bio/bio_local.h

+ $(OPENSSL_PATH)/crypto/bn/bn_local.h

+ $(OPENSSL_PATH)/crypto/bn/bn_prime.h

+ $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h

+ $(OPENSSL_PATH)/crypto/comp/comp_local.h

+ $(OPENSSL_PATH)/crypto/conf/conf_def.h

+ $(OPENSSL_PATH)/crypto/conf/conf_local.h

+ $(OPENSSL_PATH)/crypto/dh/dh_local.h

+ $(OPENSSL_PATH)/crypto/dso/dso_local.h

+ $(OPENSSL_PATH)/crypto/evp/evp_local.h

+ $(OPENSSL_PATH)/crypto/hmac/hmac_local.h

+ $(OPENSSL_PATH)/crypto/lhash/lhash_local.h

+ $(OPENSSL_PATH)/crypto/md5/md5_local.h

+ $(OPENSSL_PATH)/crypto/modes/modes_local.h

+ $(OPENSSL_PATH)/crypto/objects/obj_dat.h

+ $(OPENSSL_PATH)/crypto/objects/obj_local.h

+ $(OPENSSL_PATH)/crypto/objects/obj_xref.h

+ $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h

+ $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h

+ $(OPENSSL_PATH)/crypto/rand/rand_local.h

+ $(OPENSSL_PATH)/crypto/rsa/rsa_local.h

+ $(OPENSSL_PATH)/crypto/sha/sha_local.h

+ $(OPENSSL_PATH)/crypto/siphash/siphash_local.h

+ $(OPENSSL_PATH)/crypto/sm3/sm3_local.h

+ $(OPENSSL_PATH)/crypto/store/store_local.h

+ $(OPENSSL_PATH)/crypto/ui/ui_local.h

+ $(OPENSSL_PATH)/crypto/x509/x509_local.h

+ $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h

+ $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h

+ $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h

+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h

+ $(OPENSSL_PATH)/ssl/bio_ssl.c

+ $(OPENSSL_PATH)/ssl/d1_lib.c

+ $(OPENSSL_PATH)/ssl/d1_msg.c

+ $(OPENSSL_PATH)/ssl/d1_srtp.c

+ $(OPENSSL_PATH)/ssl/methods.c

+ $(OPENSSL_PATH)/ssl/packet.c

+ $(OPENSSL_PATH)/ssl/pqueue.c

+ $(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c

+ $(OPENSSL_PATH)/ssl/record/rec_layer_d1.c

+ $(OPENSSL_PATH)/ssl/record/rec_layer_s3.c

+ $(OPENSSL_PATH)/ssl/record/ssl3_buffer.c

+ $(OPENSSL_PATH)/ssl/record/ssl3_record.c

+ $(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c

+ $(OPENSSL_PATH)/ssl/s3_cbc.c

+ $(OPENSSL_PATH)/ssl/s3_enc.c

+ $(OPENSSL_PATH)/ssl/s3_lib.c

+ $(OPENSSL_PATH)/ssl/s3_msg.c

+ $(OPENSSL_PATH)/ssl/ssl_asn1.c

+ $(OPENSSL_PATH)/ssl/ssl_cert.c

+ $(OPENSSL_PATH)/ssl/ssl_ciph.c

+ $(OPENSSL_PATH)/ssl/ssl_conf.c

+ $(OPENSSL_PATH)/ssl/ssl_err.c

+ $(OPENSSL_PATH)/ssl/ssl_init.c

+ $(OPENSSL_PATH)/ssl/ssl_lib.c

+ $(OPENSSL_PATH)/ssl/ssl_mcnf.c

+ $(OPENSSL_PATH)/ssl/ssl_rsa.c

+ $(OPENSSL_PATH)/ssl/ssl_sess.c

+ $(OPENSSL_PATH)/ssl/ssl_stat.c

+ $(OPENSSL_PATH)/ssl/ssl_txt.c

+ $(OPENSSL_PATH)/ssl/ssl_utst.c

+ $(OPENSSL_PATH)/ssl/statem/extensions.c

+ $(OPENSSL_PATH)/ssl/statem/extensions_clnt.c

+ $(OPENSSL_PATH)/ssl/statem/extensions_cust.c

+ $(OPENSSL_PATH)/ssl/statem/extensions_srvr.c

+ $(OPENSSL_PATH)/ssl/statem/statem.c

+ $(OPENSSL_PATH)/ssl/statem/statem_clnt.c

+ $(OPENSSL_PATH)/ssl/statem/statem_dtls.c

+ $(OPENSSL_PATH)/ssl/statem/statem_lib.c

+ $(OPENSSL_PATH)/ssl/statem/statem_srvr.c

+ $(OPENSSL_PATH)/ssl/t1_enc.c

+ $(OPENSSL_PATH)/ssl/t1_lib.c

+ $(OPENSSL_PATH)/ssl/t1_trce.c

+ $(OPENSSL_PATH)/ssl/tls13_enc.c

+ $(OPENSSL_PATH)/ssl/tls_srp.c

+ $(OPENSSL_PATH)/ssl/packet_local.h

+ $(OPENSSL_PATH)/ssl/ssl_cert_table.h

+ $(OPENSSL_PATH)/ssl/ssl_local.h

+ $(OPENSSL_PATH)/ssl/record/record.h

+ $(OPENSSL_PATH)/ssl/record/record_local.h

+ $(OPENSSL_PATH)/ssl/statem/statem.h

+ $(OPENSSL_PATH)/ssl/statem/statem_local.h

+# Autogenerated files list ends here

+ buildinf.h

+ rand_pool_noise.h

+ ossl_store.c

+ rand_pool.c

+

+[Sources.X64]

+ rand_pool_noise_tsc.c

+ ApiHooks.c

+

+[Packages]

+ MdePkg/MdePkg.dec

+ CryptoPkg/CryptoPkg.dec

+

+[LibraryClasses]

+ BaseLib

+ DebugLib

+ TimerLib

+ PrintLib

+

+[BuildOptions]

+ #

+ # Disables the following Visual Studio compiler warnings brought by

openssl

source,

+ # so we do not break the build with /WX option:

+ # C4090: 'function' : different 'const' qualifiers

+ # C4132: 'object' : const object should be initialized (tls13_enc.c)

+ # C4210: nonstandard extension used: function given file scope

+ # C4244: conversion from type1 to type2, possible loss of data

+ # C4245: conversion from type1 to type2, signed/unsigned

mismatch

+ # C4267: conversion from size_t to type, possible loss of data

+ # C4306: 'identifier' : conversion from 'type1' to 'type2' of

greater

size

+ # C4310: cast truncates constant value

+ # C4389: 'operator' : signed/unsigned mismatch (xxxx)

+ # C4700: uninitialized local variable 'name' used. (conf_sap.c(71))

+ # C4702: unreachable code

+ # C4706: assignment within conditional expression

+ # C4819: The file contains a character that cannot be represented

in

the

current code page

+ #

+ MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER
$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) /wd4090 /wd4132

/wd4210

/wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389

/wd4702

/wd4706 /wd4819

+

+ INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -

U__ICC

$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) /w

+

+ #

+ # Suppress the following build warnings in openssl so we don't

break

the

build

with -Werror

+ # -Werror=maybe-uninitialized: there exist some other paths for

which

the

variable is not initialized.

+ # -Werror=format: Check calls to printf and scanf, etc., to make

sure

that the

arguments supplied have

+ # types appropriate to the format string specified.

+ # -Werror=unused-but-set-variable: Warn whenever a local

variable is

assigned to, but otherwise unused (aside from its declaration).

+ #

+ GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64

$(OPENSSL_FLAGS)

$(OPENSSL_FLAGS_CONFIG) -Wno-error=maybe-uninitialized -Wno-
error=format -Wno-format -Wno-error=unused-but-set-variable -
DNO_MSABI_VA_FUNCS

+

+ # suppress the following warnings in openssl so we don't break the

build

with

warnings-as-errors:

+ # 1295: Deprecated declaration <entity> - give arg types

+ # 550: <entity> was set but never used

+ # 1293: assignment in condition

+ # 111: statement is unreachable (invariably "break;" after "return

X;"

in case

statement)

+ # 68: integer conversion resulted in a change of sign ("if (Status

==

-1)")

+ # 177: <entity> was declared but never referenced

+ # 223: function <entity> declared implicitly

+ # 144: a value of type <type> cannot be used to initialize an entity

of

type

<type>

+ # 513: a value of type <type> cannot be assigned to an entity of

type

<type>

+ # 188: enumerated type mixed with another type (i.e. passing an

integer

as an

enum without a cast)

+ # 1296: Extended constant initialiser used

+ # 128: loop is not reachable - may be emitted inappropriately if

code

follows

a conditional return

+ # from the function that evaluates to true at compile time

+ # 546: transfer of control bypasses initialization - may be emitted
inappropriately if the uninitialized

+ # variable is never referenced after the jump

+ # 1: ignore "#1-D: last line of file ends without a newline"

+ # 3017: <entity> may be used before being set (NOTE: This was

fixed in

OpenSSL 1.1 HEAD with

+ # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and

can

be

dropped then.)

+ XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -

U_WIN64

$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) -w -std=c99 -Wno-
error=uninitialized

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 3a2544ea5c..e8f73c4d10 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -112,9 +112,6 @@ extern "C" {
#ifndef OPENSSL_NO_ASAN

# define OPENSSL_NO_ASAN

#endif

-#ifndef OPENSSL_NO_ASM

-# define OPENSSL_NO_ASM

-#endif

#ifndef OPENSSL_NO_ASYNC

# define OPENSSL_NO_ASYNC

#endif

diff --git a/CryptoPkg/Library/OpensslLib/ApiHooks.c
b/CryptoPkg/Library/OpensslLib/ApiHooks.c
new file mode 100644
index 0000000000..58cff16838
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/ApiHooks.c
@@ -0,0 +1,18 @@
+/** @file

+ OpenSSL Library API hooks.

+

+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>

+SPDX-License-Identifier: BSD-2-Clause-Patent

+

+**/

+

+#include <Uefi.h>

+

+VOID *

+__imp_RtlVirtualUnwind (

+ VOID * Args

+ )

+{

+ return NULL;

+}

+

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
b/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
new file mode 100644
index 0000000000..ef20d2b84e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
@@ -0,0 +1,34 @@
+/** @file

+ Constructor to initialize CPUID data for OpenSSL assembly

operations.

+

+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>

+SPDX-License-Identifier: BSD-2-Clause-Patent

+

+**/

+

+#include <Uefi.h>

+

+extern void OPENSSL_cpuid_setup (void);

+

+/**

+ Constructor routine for OpensslLib.

+

+ The constructor calls an internal OpenSSL function which fetches a

local

copy

+ of the hardware capability flags, used to enable native crypto

instructions.

+

+ @param None

+

+ @retval EFI_SUCCESS The construction succeeded.

+

+**/

+EFI_STATUS

+EFIAPI

+OpensslLibConstructor (

+ VOID

+ )

+{

+ OPENSSL_cpuid_setup ();

+

+ return EFI_SUCCESS;

+}

+

diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 57ce195394..472f59bc8e 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -9,9 +9,63 @@
# do not need to do this, since the results are stored in the EDK2

# git repository for them.

#

+# Due to the script wrapping required to process the OpenSSL

+# configuration data, each native architecture must be processed

+# individually by the maintainer (in addition to the standard version):

+# ./process_files.pl

+# ./process_files.pl X64

+# ./process_files.pl [Arch]

+

use strict;

use Cwd;

use File::Copy;

+use File::Basename;

+use File::Path qw(make_path remove_tree);

+use Text::Tabs;

+

+#

+# OpenSSL perlasm generator script does not transfer the copyright

header

+#

+sub copy_license_header

+{

+ my @args = split / /, shift; #Separate args by spaces

+ my $source = $args[1]; #Source file is second (after

"perl")

+ my $target = pop @args; #Target file is always last

+ chop ($target); #Remove newline char

+

+ my $temp_file_name = "license.tmp";

+ open (my $source_file, "<" . $source) || die $source;

+ open (my $target_file, "<" . $target) || die $target;

+ open (my $temp_file, ">" . $temp_file_name) || die

$temp_file_name;

+

+ #Add "generated file" warning

+ $source =~ s/^..//; #Remove leading "./"

+ print ($temp_file "; WARNING: do not edit!\r\n");

+ print ($temp_file "; Generated from $source\r\n");

+ print ($temp_file ";\r\n");

+

+ #Copy source file header to temp file

+ while (my $line = <$source_file>) {

+ next if ($line =~ /#!/); #Ignore shebang line

+ $line =~ s/#/;/; #Fix comment character for assembly

+ $line =~ s/\s+$/\r\n/; #Trim trailing whitepsace, fixup

line

endings

+ print ($temp_file $line);

+ last if ($line =~ /http/); #Last line of copyright header

contains a web link

+ }

+ print ($temp_file "\r\n");

+ #Retrieve generated assembly contents

+ while (my $line = <$target_file>) {

+ $line =~ s/\s+$/\r\n/; #Trim trailing whitepsace, fixup

line

endings

+ print ($temp_file expand ($line)); #expand() replaces tabs with

spaces

+ }

+

+ close ($source_file);

+ close ($target_file);

+ close ($temp_file);

+

+ move ($temp_file_name, $target) ||

+ die "Cannot replace \"" . $target . "\"!";

+}



#

# Find the openssl directory name for use lib. We have to do this

@@ -21,10 +75,41 @@ use File::Copy;
#

my $inf_file;

my $OPENSSL_PATH;

+my $uefi_config;

+my $extension;

+my $arch;

my @inf;



BEGIN {

$inf_file = "OpensslLib.inf";

+ $uefi_config = "UEFI";

+ $arch = shift;

+

+ if (defined $arch) {

+ if (uc ($arch) eq "X64") {

+ $arch = "X64";

+ $inf_file = "OpensslLibX64.inf";

+ $uefi_config = "UEFI-x86_64";

+ $extension = "nasm";

+ } else {

+ die "Unsupported architecture \"" . $arch . "\"!";

+ }

+ if ($extension eq "nasm") {

+ if (`nasm -v 2>&1`) {

+ #Presence of nasm executable will trigger inclusion of

AVX

instructions

+ die "\nCannot run assembly generators with NASM in

path!\n\n";

+ }

+ }

+

+ # Prepare assembly folder

+ if (-d $arch) {

+ remove_tree ($arch, {safe => 1}) ||

+ die "Cannot clean assembly folder \"" . $arch . "\"!";

+ } else {

+ mkdir $arch ||

+ die "Cannot create assembly folder \"" . $arch . "\"!";

+ }

+ }



# Read the contents of the inf file

open( FD, "<" . $inf_file ) ||

@@ -47,9 +132,9 @@ BEGIN {
# Configure UEFI

system(

"./Configure",

- "UEFI",

+ "--config=../uefi-asm.conf",

+ "$uefi_config",

"no-afalgeng",

- "no-asm",

"no-async",

"no-autoerrinit",

"no-autoload-config",

@@ -129,23 +214,53 @@ BEGIN {
# Retrieve file lists from OpenSSL configdata

#

use configdata qw/%unified_info/;

+use configdata qw/%config/;

+use configdata qw/%target/;

+

+#

+# Collect build flags from configdata

+#

+my $flags = "";

+foreach my $f (@{$config{lib_defines}}) {

+ $flags .= " -D$f";

+}



my @cryptofilelist = ();

my @sslfilelist = ();

+my @asmfilelist = ();

+my @asmbuild = ();

foreach my $product ((@{$unified_info{libraries}},

@{$unified_info{engines}})) {

foreach my $o (@{$unified_info{sources}->{$product}}) {

foreach my $s (@{$unified_info{sources}->{$o}}) {

- next if ($unified_info{generate}->{$s});

- next if $s =~ "crypto/bio/b_print.c";

-

# No need to add unused files in UEFI.

# So it can reduce porting time, compile time, library size.

+ next if $s =~ "crypto/bio/b_print.c";

next if $s =~ "crypto/rand/randfile.c";

next if $s =~ "crypto/store/";

next if $s =~ "crypto/err/err_all.c";

next if $s =~ "crypto/aes/aes_ecb.c";



+ if ($unified_info{generate}->{$s}) {

+ if (defined $arch) {

+ my $buildstring = "perl";

+ foreach my $arg (@{$unified_info{generate}->{$s}}) {

+ if ($arg =~ ".pl") {

+ $buildstring .= " ./openssl/$arg";

+ } elsif ($arg =~ "PERLASM_SCHEME") {

+ $buildstring .= " $target{perlasm_scheme}";

+ } elsif ($arg =~ "LIB_CFLAGS") {

+ $buildstring .= "$flags";

+ }

+ }

+ ($s, my $path, undef) = fileparse($s, qr/\.[^.]*/);

+ $buildstring .= " ./$arch/$path$s.$extension";

+ make_path ("./$arch/$path");

+ push @asmbuild, "$buildstring\n";

+ push @asmfilelist, " $arch/$path$s.$extension\r\n";

+ }

+ next;

+ }

if ($product =~ "libssl") {

push @sslfilelist, ' $(OPENSSL_PATH)/' . $s . "\r\n";

next;

@@ -183,15 +298,31 @@ foreach (@headers){
}





+#

+# Generate assembly files

+#

+if (@asmbuild) {

+ print "\n--> Generating assembly files ... ";

+ foreach my $buildstring (@asmbuild) {

+ system ("$buildstring");

+ copy_license_header ($buildstring);

+ }

+ print "Done!";

+}

+

#

# Update OpensslLib.inf with autogenerated file list

#

my @new_inf = ();

my $subbing = 0;

-print "\n--> Updating OpensslLib.inf ... ";

+print "\n--> Updating $inf_file ... ";

foreach (@inf) {

+ if ($_ =~ "DEFINE OPENSSL_FLAGS_CONFIG") {

+ push @new_inf, " DEFINE OPENSSL_FLAGS_CONFIG =" . $flags

.

"\r\n";

+ next;

+ }

if ( $_ =~ "# Autogenerated files list starts here" ) {

- push @new_inf, $_, @cryptofilelist, @sslfilelist;

+ push @new_inf, $_, @asmfilelist, @cryptofilelist, @sslfilelist;

$subbing = 1;

next;

}

@@ -216,49 +347,51 @@ rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file";

print "Done!";



-#

-# Update OpensslLibCrypto.inf with auto-generated file list (no libssl)

-#

-$inf_file = "OpensslLibCrypto.inf";

-

-# Read the contents of the inf file

-@inf = ();

-@new_inf = ();

-open( FD, "<" . $inf_file ) ||

- die "Cannot open \"" . $inf_file . "\"!";

-@inf = (<FD>);

-close(FD) ||

- die "Cannot close \"" . $inf_file . "\"!";

+if (!defined $arch) {

+ #

+ # Update OpensslLibCrypto.inf with auto-generated file list (no

libssl)

+ #

+ $inf_file = "OpensslLibCrypto.inf";



-$subbing = 0;

-print "\n--> Updating OpensslLibCrypto.inf ... ";

-foreach (@inf) {

- if ( $_ =~ "# Autogenerated files list starts here" ) {

- push @new_inf, $_, @cryptofilelist;

- $subbing = 1;

- next;

- }

- if ( $_ =~ "# Autogenerated files list ends here" ) {

- push @new_inf, $_;

- $subbing = 0;

- next;

+ # Read the contents of the inf file

+ @inf = ();

+ @new_inf = ();

+ open( FD, "<" . $inf_file ) ||

+ die "Cannot open \"" . $inf_file . "\"!";

+ @inf = (<FD>);

+ close(FD) ||

+ die "Cannot close \"" . $inf_file . "\"!";

+

+ $subbing = 0;

+ print "\n--> Updating OpensslLibCrypto.inf ... ";

+ foreach (@inf) {

+ if ( $_ =~ "# Autogenerated files list starts here" ) {

+ push @new_inf, $_, @cryptofilelist;

+ $subbing = 1;

+ next;

+ }

+ if ( $_ =~ "# Autogenerated files list ends here" ) {

+ push @new_inf, $_;

+ $subbing = 0;

+ next;

+ }

+

+ push @new_inf, $_

+ unless ($subbing);

}



- push @new_inf, $_

- unless ($subbing);

+ $new_inf_file = $inf_file . ".new";

+ open( FD, ">" . $new_inf_file ) ||

+ die $new_inf_file;

+ print( FD @new_inf ) ||

+ die $new_inf_file;

+ close(FD) ||

+ die $new_inf_file;

+ rename( $new_inf_file, $inf_file ) ||

+ die "rename $inf_file";

+ print "Done!";

}



-$new_inf_file = $inf_file . ".new";

-open( FD, ">" . $new_inf_file ) ||

- die $new_inf_file;

-print( FD @new_inf ) ||

- die $new_inf_file;

-close(FD) ||

- die $new_inf_file;

-rename( $new_inf_file, $inf_file ) ||

- die "rename $inf_file";

-print "Done!";

-

#

# Copy opensslconf.h and dso_conf.h generated from OpenSSL

Configuration

#

diff --git a/CryptoPkg/Library/OpensslLib/uefi-asm.conf
b/CryptoPkg/Library/OpensslLib/uefi-asm.conf
new file mode 100644
index 0000000000..55eedbf3ba
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/uefi-asm.conf
@@ -0,0 +1,15 @@
+## -*- mode: perl; -*-

+## UEFI assembly openssl configuration targets.

+

+my %targets = (

+#### UEFI

+ "UEFI-x86_64" => {

+ perlasm_scheme => "nasm",

+ # inherit_from => [ "UEFI", asm("x86_64_asm") ],

+ inherit_from => [ "UEFI" ],

+ cpuid_asm_src => "x86_64cpuid.s",

+ aes_asm_src => "aes_core.c aes_cbc.c vpaes-x86_64.s aesni-

x86_64.s

aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",

+ sha1_asm_src => "sha1-x86_64.s sha256-x86_64.s sha512-

x86_64.s

sha1-mb-x86_64.s sha256-mb-x86_64.s",

+ modes_asm_src => "ghash-x86_64.s",

+ },

+);

--
2.28.0.windows.1