Changeset 105670 in vbox for trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg

Timestamp:

Aug 14, 2024 1:16:30 PM (6 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

164367

Message:

Devices/EFI/FirmwareNew: Merge edk2-stable-202405 and make it build on aarch64, bugref:4643

Location:

trunk/src/VBox/Devices/EFI/FirmwareNew

Files:

• . (modified) (1 prop)
• CryptoPkg/CryptoPkg.ci.yaml (modified) (2 diffs)
• CryptoPkg/CryptoPkg.dec (modified) (2 diffs)
• CryptoPkg/CryptoPkg.dsc (modified) (1 diff)
• CryptoPkg/CryptoPkgMbedTls.dsc (added)
• CryptoPkg/Driver/Crypto.c (modified) (2 diffs)
• CryptoPkg/Include/Library/BaseCryptLib.h (modified) (2 diffs)
• CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h (modified) (3 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c (modified) (12 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c (modified) (1 diff)
• CryptoPkg/Library/BaseCryptLibMbedTls (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Bn (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAes.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmac.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmacNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdf.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pem (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Rand (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/RuntimeMemAllocation.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c (modified) (2 diffs)
• CryptoPkg/Library/Include/inttypes.h (added)
• CryptoPkg/Library/Include/stdint.h (added)
• CryptoPkg/Library/Include/stubs-32.h (added)
• CryptoPkg/Library/MbedTlsLib (added)
• CryptoPkg/Library/MbedTlsLib/CrtWrapper.c (added)
• CryptoPkg/Library/MbedTlsLib/EcSm2Null.c (added)
• CryptoPkg/Library/MbedTlsLib/Include (added)
• CryptoPkg/Library/MbedTlsLib/Include/mbedtls (added)
• CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h (added)
• CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf (added)
• CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf (added)
• CryptoPkg/Library/MbedTlsLib/mbedtls (added)
• CryptoPkg/Library/TlsLib/TlsConfig.c (modified) (10 diffs)
• CryptoPkg/Private/Library/MbedTlsLib.h (added)
• CryptoPkg/Private/Protocol/Crypto.h (modified) (3 diffs)
• CryptoPkg/Readme.md (modified) (2 diffs)
• CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c (modified) (5 diffs)
• CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c (modified) (10 diffs)
• CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c (modified) (10 diffs)
• CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c (modified) (2 diffs)

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/CryptoPkg.ci.yaml

@@ -7 +7 @@
 ##
 {
+    "PrEval": {
+        "DscPath": "CryptoPkg.dsc",
+    },
     "LicenseCheck": {
         "IgnoreFiles": [
@@ -39 +42 @@
             "Library/BaseCryptLib/Hash/CryptParallelHash.h",
             "Library/Include/fcntl.h",
+            # This has Mbedtls interfaces that aren't UEFI spec compliant
+            "Library/Include/stdint.h",
+            "Library/Include/stubs-32.h",
+            "Library/Include/inttypes.h",
             # These directories contain auto-generated OpenSSL content
             "Library/OpensslLib",
             "Library/IntrinsicLib",
-            "Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c"
+            "Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c",
+            # mbedtls
+            "Library/MbedTlsLib/mbedtls",
+            # This has mbedtls interfaces that aren't UEFI spec compliant
+            "Library/MbedTlsLib/EcSm2Null.c",
+            "Library/MbedTlsLib/CrtWrapper.c",
+            "Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h",
+            "Library/BaseCryptLibMbedTls/SysCall"
         ]
     },

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/CryptoPkg.dec

@@ -28 +28 @@
   Library/OpensslLib/OpensslGen/include
   Library/OpensslLib/OpensslGen/providers/common/include
+#  Library/MbedTlsLib/Include
+#  Library/MbedTlsLib/mbedtls/include
+#  Library/MbedTlsLib/mbedtls/include/mbedtls
+#  Library/MbedTlsLib/mbedtls/library
 
 [LibraryClasses]
@@ -46 +50 @@
   #
   OpensslLib|Private/Library/OpensslLib.h
+  MbedTlsLib|Private/Library/MbedTlsLib.h
 
   ##  @libraryclass  Provides compiler intrinsic functions required to link openssl project.

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/CryptoPkg.dsc

@@ -365 +365 @@
   CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
   CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf
+  CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf
+  CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
+  CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf
   CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
   CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Driver/Crypto.c

@@ -3588 +3588 @@
 {
   return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Encrypt, Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepEncrypt, RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServicePkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Decrypt, Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepDecrypt, RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
 }
 
@@ -6988 +7113 @@
   CryptoServiceX509GetCertFromCertChain,
   CryptoServiceAsn1GetTag,
-  CryptoServiceX509GetExtendedBasicConstraints
+  CryptoServiceX509GetExtendedBasicConstraints,
+  CryptoServicePkcs1v2Decrypt,
+  CryptoServiceRsaOaepEncrypt,
+  CryptoServiceRsaOaepDecrypt,
 };

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Include/Library/BaseCryptLib.h

@@ -6 +6 @@
 
 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -2146 +2147 @@
   OUT  UINT8        **EncryptedData,
   OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
   );
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h

@@ -24 +24 @@
 
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -125 +126 @@
       UINT8    AuthenticodeVerify         : 1;
       UINT8    ImageTimestampVerify       : 1;
+      UINT8    Pkcs1v2Decrypt             : 1;
     } Services;
     UINT32    Family;
@@ -159 +161 @@
       UINT8    GetPrivateKeyFromPem : 1;
       UINT8    GetPublicKeyFromX509 : 1;
+      UINT8    RsaOaepEncrypt       : 1;
+      UINT8    RsaOaepDecrypt       : 1;
     } Services;
     UINT32    Family;

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -14 +14 @@
 #include <openssl/x509.h>
 #include <Library/MemoryAllocationLib.h>
+
+/**
+  Retrieve a pointer to EVP message digest object.
+
+  @param[in]  DigestLen   Length of the message digest.
+
+**/
+STATIC
+const
+EVP_MD *
+GetEvpMD (
+  IN UINT16  DigestLen
+  )
+{
+  switch (DigestLen) {
+    case SHA1_DIGEST_SIZE:
+      return EVP_sha1 ();
+      break;
+    case SHA256_DIGEST_SIZE:
+      return EVP_sha256 ();
+      break;
+    case SHA384_DIGEST_SIZE:
+      return EVP_sha384 ();
+      break;
+    case SHA512_DIGEST_SIZE:
+      return EVP_sha512 ();
+      break;
+    default:
+      return NULL;
+  }
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY struct that
+                                  will be used to encrypt the data.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Encrypt (
+  EVP_PKEY          *Pkey,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *OutData;
+  UINTN         OutDataSize;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (InData == NULL) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  PkeyCtx            = NULL;
+  OutData            = NULL;
+  OutDataSize        = 0;
+
+  //
+  // If it provides a seed then use it.
+  // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been
+  // used enough to generate sufficient entropy.
+  //
+  if (PrngSeed != NULL) {
+    RandomSeed (PrngSeed, PrngSeedSize);
+  } else {
+    RandomSeed (NULL, 0);
+  }
+
+  //
+  // Create a context for the public key operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
+  if (PkeyCtx == NULL) {
+    //
+    // Fail to create contex.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Initialize the context and set the desired padding.
+  //
+  if ((EVP_PKEY_encrypt_init (PkeyCtx) <= 0) ||
+      (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
+  {
+    //
+    // Fail to initialize the context.
+    //
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
+  //
+  // Determine the required buffer length for malloc'ing.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to determine output buffer size.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Allocate a buffer for the output data.
+  //
+  OutData = AllocatePool (OutDataSize);
+  if (OutData == NULL) {
+    //
+    // Fail to allocate the output buffer.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Encrypt Data.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to encrypt data, need to free the output buffer.
+    //
+    FreePool (OutData);
+    OutData     = NULL;
+    OutDataSize = 0;
+    goto _Exit;
+  }
+
+  //
+  // Encrypt done.
+  //
+  *EncryptedData     = OutData;
+  *EncryptedDataSize = OutDataSize;
+  Result             = TRUE;
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (PkeyCtx != NULL) {
+    EVP_PKEY_CTX_free (PkeyCtx);
+  }
+
+  return Result;
+}
 
 /**
@@ -57 +258 @@
   )
 {
-  BOOLEAN       Result;
-  CONST UINT8   *TempPointer;
-  X509          *CertData;
-  EVP_PKEY      *InternalPublicKey;
-  EVP_PKEY_CTX  *PkeyCtx;
-  UINT8         *OutData;
-  UINTN         OutDataSize;
+  BOOLEAN      Result;
+  CONST UINT8  *TempPointer;
+  X509         *CertData;
+  EVP_PKEY     *Pkey;
 
   //
@@ -89 +287 @@
   TempPointer        = NULL;
   CertData           = NULL;
-  InternalPublicKey  = NULL;
-  PkeyCtx            = NULL;
-  OutData            = NULL;
-  OutDataSize        = 0;
-
-  //
-  // If it provides a seed then use it.
-  // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been
-  // used enough to generate sufficient entropy.
-  //
-  if (PrngSeed != NULL) {
-    RandomSeed (PrngSeed, PrngSeedSize);
-  } else {
-    RandomSeed (NULL, 0);
-  }
+  Pkey               = NULL;
 
   //
@@ -121 +305 @@
   // OpenSSL can use.
   //
-  InternalPublicKey = X509_get_pubkey (CertData);
-  if (InternalPublicKey == NULL) {
+  Pkey = X509_get_pubkey (CertData);
+  if (Pkey == NULL) {
     //
     // Fail to extract public key.
@@ -129 +313 @@
   }
 
-  //
-  // Create a context for the public key operation.
-  //
-  PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL);
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, 0, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (CertData != NULL) {
+    X509_free (CertData);
+  }
+
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if (((RsaContext == NULL) || (InData == NULL)) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  Pkey               = NULL;
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY which will decrypt that data.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Decrypt (
+  EVP_PKEY     *Pkey,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *TempData;
+  UINTN         TempDataSize;
+  INTN          ReturnCode;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result       = FALSE;
+  PkeyCtx      = NULL;
+  TempData     = NULL;
+  TempDataSize = 0;
+
+  //
+  // Create a context for the decryption operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
   if (PkeyCtx == NULL) {
     //
     // Fail to create contex.
     //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));
     goto _Exit;
   }
@@ -143 +487 @@
   // Initialize the context and set the desired padding.
   //
-  if ((EVP_PKEY_encrypt_init (PkeyCtx) <= 0) ||
+  if ((EVP_PKEY_decrypt_init (PkeyCtx) <= 0) ||
       (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
   {
@@ -149 +493 @@
     // Fail to initialize the context.
     //
-    goto _Exit;
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__));
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
   }
 
@@ -155 +515 @@
   // Determine the required buffer length for malloc'ing.
   //
-  if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) {
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
     //
     // Fail to determine output buffer size.
     //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine output buffer size (rc=%d)\n", __func__, ReturnCode));
     goto _Exit;
   }
@@ -165 +527 @@
   // Allocate a buffer for the output data.
   //
-  OutData = AllocatePool (OutDataSize);
-  if (OutData == NULL) {
+  TempData = AllocatePool (TempDataSize);
+  if (TempData == NULL) {
     //
     // Fail to allocate the output buffer.
@@ -174 +536 @@
 
   //
-  // Encrypt Data.
-  //
-  if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) {
-    //
-    // Fail to encrypt data, need to free the output buffer.
-    //
-    FreePool (OutData);
-    OutData     = NULL;
-    OutDataSize = 0;
-    goto _Exit;
-  }
-
-  //
-  // Encrypt done.
-  //
-  *EncryptedData     = OutData;
-  *EncryptedDataSize = OutDataSize;
-  Result             = TRUE;
+  // Decrypt Data.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to decrypt data, need to free the output buffer.
+    //
+    FreePool (TempData);
+    TempData     = NULL;
+    TempDataSize = 0;
+
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decrypt (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Decrypt done.
+  //
+  *OutData     = TempData;
+  *OutDataSize = TempDataSize;
+  Result       = TRUE;
 
 _Exit:
-  //
-  // Release Resources
-  //
-  if (CertData != NULL) {
-    X509_free (CertData);
-  }
-
-  if (InternalPublicKey != NULL) {
-    EVP_PKEY_free (InternalPublicKey);
-  }
-
   if (PkeyCtx != NULL) {
     EVP_PKEY_CTX_free (PkeyCtx);
@@ -211 +565 @@
   return Result;
 }
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  BOOLEAN      Result;
+  EVP_PKEY     *Pkey;
+  CONST UINT8  *TempPointer;
+
+  //
+  // Check input parameters.
+  //
+  if ((PrivateKey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result      = FALSE;
+  Pkey        = NULL;
+  TempPointer = NULL;
+
+  //
+  // Parse the private key.
+  //
+  TempPointer = PrivateKey;
+  Pkey        = d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT32)PrivateKeySize);
+  if (Pkey == NULL) {
+    //
+    // Fail to parse private key.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, 0, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((RsaContext == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result = FALSE;
+  Pkey   = NULL;
+
+  //
+  // Create a context for the decryption operation.
+  //
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -49 +49 @@
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c

@@ -592 +592 @@
   //
   if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
-      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
+      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
+      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
   {
     return FALSE;

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -49 +49 @@
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c

@@ -2827 +2827 @@
 
 /**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
+/**
   Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
   Cryptographic Message Syntax Standard". The input signed data could be wrapped
@@ -2850 +2963 @@
   @retval  FALSE           Error occurs during the operation.
   @retval  FALSE           This interface is not supported.
+
 
 **/

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/TlsLib/TlsConfig.c

@@ -9 +9 @@
 
 #include "InternalTlsLib.h"
-
-typedef struct {
-  //
-  // IANA/IETF defined Cipher Suite ID
-  //
-  UINT16         IanaCipher;
-  //
-  // OpenSSL-used Cipher Suite String
-  //
-  CONST CHAR8    *OpensslCipher;
-  //
-  // Length of OpensslCipher
-  //
-  UINTN          OpensslCipherLength;
-} TLS_CIPHER_MAPPING;
-
-//
-// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so
-// that OpensslCipherLength is filled in automatically. IanaCipher must be an
-// integer constant expression, and OpensslCipher must be a string literal.
-//
-#define MAP(IanaCipher, OpensslCipher) \
-  { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
-
-//
-// The mapping table between IANA/IETF Cipher Suite definitions and
-// OpenSSL-used Cipher Suite name.
-//
-// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
-//
-STATIC CONST TLS_CIPHER_MAPPING  TlsCipherMappingTable[] = {
-  MAP (0x0001, "NULL-MD5"),                         /// TLS_RSA_WITH_NULL_MD5
-  MAP (0x0002, "NULL-SHA"),                         /// TLS_RSA_WITH_NULL_SHA
-  MAP (0x0004, "RC4-MD5"),                          /// TLS_RSA_WITH_RC4_128_MD5
-  MAP (0x0005, "RC4-SHA"),                          /// TLS_RSA_WITH_RC4_128_SHA
-  MAP (0x000A, "DES-CBC3-SHA"),                     /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
-  MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"),             /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  MAP (0x002F, "AES128-SHA"),                       /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
-  MAP (0x0030, "DH-DSS-AES128-SHA"),                /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
-  MAP (0x0031, "DH-RSA-AES128-SHA"),                /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0033, "DHE-RSA-AES128-SHA"),               /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0035, "AES256-SHA"),                       /// TLS_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0036, "DH-DSS-AES256-SHA"),                /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
-  MAP (0x0037, "DH-RSA-AES256-SHA"),                /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0039, "DHE-RSA-AES256-SHA"),               /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x003B, "NULL-SHA256"),                      /// TLS_RSA_WITH_NULL_SHA256
-  MAP (0x003C, "AES128-SHA256"),                    /// TLS_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x003D, "AES256-SHA256"),                    /// TLS_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x003E, "DH-DSS-AES128-SHA256"),             /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
-  MAP (0x003F, "DH-RSA-AES128-SHA256"),             /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0067, "DHE-RSA-AES128-SHA256"),            /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0068, "DH-DSS-AES256-SHA256"),             /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
-  MAP (0x0069, "DH-RSA-AES256-SHA256"),             /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x006B, "DHE-RSA-AES256-SHA256"),            /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"),        /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),    /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-  MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),    /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),      /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-};
 
 typedef struct {
@@ -96 +37 @@
   { TlsSignatureAlgoEcdsa,     "ECDSA" },
 };
-
-/**
-  Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
-
-  @param[in]  CipherId    The supplied IANA TLS cipher suite ID.
-
-  @return  The corresponding OpenSSL cipher suite mapping if found,
-           NULL otherwise.
-
-**/
-STATIC
-CONST TLS_CIPHER_MAPPING *
-TlsGetCipherMapping (
-  IN     UINT16  CipherId
-  )
-{
-  INTN  Left;
-  INTN  Right;
-  INTN  Middle;
-
-  //
-  // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
-  //
-  Left  = 0;
-  Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
-
-  while (Right >= Left) {
-    Middle = (Left + Right) / 2;
-
-    if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
-      //
-      // Translate IANA cipher suite ID to OpenSSL name.
-      //
-      return &TlsCipherMappingTable[Middle];
-    }
-
-    if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
-      Right = Middle - 1;
-    } else {
-      Left = Middle + 1;
-    }
-  }
-
-  //
-  // No Cipher Mapping found, return NULL.
-  //
-  return NULL;
-}
 
 /**
@@ -282 +175 @@
   )
 {
-  TLS_CONNECTION            *TlsConn;
-  EFI_STATUS                Status;
-  CONST TLS_CIPHER_MAPPING  **MappedCipher;
-  UINTN                     MappedCipherBytes;
-  UINTN                     MappedCipherCount;
-  UINTN                     CipherStringSize;
-  UINTN                     Index;
-  CONST TLS_CIPHER_MAPPING  *Mapping;
-  CHAR8                     *CipherString;
-  CHAR8                     *CipherStringPosition;
+  TLS_CONNECTION    *TlsConn;
+  EFI_STATUS        Status;
+  CONST SSL_CIPHER  **MappedCipher;
+  UINTN             MappedCipherBytes;
+  UINTN             MappedCipherCount;
+  UINTN             CipherStringSize;
+  UINTN             Index;
+  INT32             StackIdx;
+  CHAR8             *CipherString;
+  CHAR8             *CipherStringPosition;
+
+  STACK_OF (SSL_CIPHER)      *OpensslCipherStack;
+  CONST SSL_CIPHER  *OpensslCipher;
+  CONST CHAR8       *OpensslCipherName;
+  UINTN             OpensslCipherNameLength;
 
   TlsConn = (TLS_CONNECTION *)Tls;
@@ -316 +214 @@
   }
 
+  OpensslCipherStack = SSL_get_ciphers (TlsConn->Ssl);
+
   //
   // Map the cipher IDs, and count the number of bytes for the full
@@ -322 +222 @@
   MappedCipherCount = 0;
   CipherStringSize  = 0;
-  for (Index = 0; Index < CipherNum; Index++) {
+  for (Index = 0; OpensslCipherStack != NULL && Index < CipherNum; Index++) {
     //
     // Look up the IANA-to-OpenSSL mapping.
     //
-    Mapping = TlsGetCipherMapping (CipherId[Index]);
-    if (Mapping == NULL) {
+    for (StackIdx = 0; StackIdx < sk_SSL_CIPHER_num (OpensslCipherStack); StackIdx++) {
+      OpensslCipher = sk_SSL_CIPHER_value (OpensslCipherStack, StackIdx);
+      if (CipherId[Index] == SSL_CIPHER_get_protocol_id (OpensslCipher)) {
+        break;
+      }
+    }
+
+    if (StackIdx == sk_SSL_CIPHER_num (OpensslCipherStack)) {
       DEBUG ((
         DEBUG_VERBOSE,
@@ -344 +250 @@
 
     //
-    // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this
+    // Accumulate cipher name string length into CipherStringSize. If this
     // is not the first successful mapping, account for a colon (":") prefix
     // too.
@@ -358 +264 @@
     Status = SafeUintnAdd (
                CipherStringSize,
-               Mapping->OpensslCipherLength,
+               AsciiStrLen (SSL_CIPHER_get_name (OpensslCipher)),
                &CipherStringSize
                );
@@ -369 +275 @@
     // Record the mapping.
     //
-    MappedCipher[MappedCipherCount++] = Mapping;
+    MappedCipher[MappedCipherCount++] = OpensslCipher;
   }
 
@@ -404 +310 @@
   CipherStringPosition = CipherString;
   for (Index = 0; Index < MappedCipherCount; Index++) {
-    Mapping = MappedCipher[Index];
+    OpensslCipher           = MappedCipher[Index];
+    OpensslCipherName       = SSL_CIPHER_get_name (OpensslCipher);
+    OpensslCipherNameLength = AsciiStrLen (OpensslCipherName);
     //
     // Append the colon (":") prefix except for the first mapping, then append
-    // Mapping->OpensslCipher.
+    // OpensslCipherName.
     //
     if (Index > 0) {
@@ -415 +323 @@
     CopyMem (
       CipherStringPosition,
-      Mapping->OpensslCipher,
-      Mapping->OpensslCipherLength
+      OpensslCipherName,
+      OpensslCipherNameLength
       );
-    CipherStringPosition += Mapping->OpensslCipherLength;
+    CipherStringPosition += OpensslCipherNameLength;
   }
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Private/Protocol/Crypto.h

@@ -22 +22 @@
 /// increased.
 ///
-#define EDKII_CRYPTO_VERSION  16
+#define EDKII_CRYPTO_VERSION  17
 
 ///
@@ -687 +687 @@
   OUT  UINT8                        **EncryptedData,
   OUT  UINTN                         *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_PKCS1V2_DECRYPT)(
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_ENCRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_DECRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
   );
 
@@ -5604 +5708 @@
   EDKII_CRYPTO_ASN1_GET_TAG                           Asn1GetTag;
   EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS    X509GetExtendedBasicConstraints;
+  EDKII_CRYPTO_PKCS1V2_DECRYPT                        Pkcs1v2Decrypt;
+  EDKII_CRYPTO_RSA_OAEP_ENCRYPT                       RsaOaepEncrypt;
+  EDKII_CRYPTO_RSA_OAEP_DECRYPT                       RsaOaepDecrypt;
 };
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Readme.md

@@ -4 +4 @@
 features such as UEFI Secure Boot, Measured Boot, firmware image authentication,
 and network boot. The cryptographic service implementation in this package uses
-services from the [OpenSSL](https://www.openssl.org/) project.
+services from the [OpenSSL](https://www.openssl.org/) project and
+[MbedTLS](https://www.trustedfirmware.org/projects/mbed-tls/) project.
 
 EDK II firmware modules/libraries that requires the use of cryptographic
@@ -19 +20 @@
 # Public Library Classes
 
-* **BaseCryptLib** - Provides library functions for cryptographic primitives.
-* **TlsLib**       - Provides TLS library functions for EFI TLS protocol.
-* **HashApiLib**   - Provides Unified API for different hash implementations.
+* **BaseCryptLib**        - Provides library functions based on OpenSSL for
+                            cryptographic primitives.
+* **BaseCryptLibMbedTls** - Provides library functions based on MbedTLS for
+                            cryptographic primitives.
+* **TlsLib**              - Provides TLS library functions for EFI TLS protocol.
+* **HashApiLib**          - Provides Unified API for different hash implementations.
 
 # Private Library Classes
 
 * **OpensslLib**   - Provides library functions from the openssl project.
-* **IntrinsicLib** - Provides C runtime library (CRT) required by openssl.
+* **MbedTlsLib**   - Provides library functions from the mbedtls project.
+* **IntrinsicLib** - Provides C runtime library (CRT) required by openssl
+                     and mbedtls.
 
 # Private Protocols and PPIs

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HashTests.c

@@ -85 +85 @@
 typedef
 BOOLEAN
+(EFIAPI *EFI_HASH_DUP)(
+  IN      CONST VOID  *HashContext,
+  OUT     VOID        *NewHashContext
+  );
+
+typedef
+BOOLEAN
 (EFIAPI *EFI_HASH_FINAL)(
   IN OUT  VOID   *HashContext,
@@ -103 +110 @@
   EFI_HASH_INIT                HashInit;
   EFI_HASH_UPDATE              HashUpdate;
+  EFI_HASH_DUP                 HashDup;
   EFI_HASH_FINAL               HashFinal;
   EFI_HASH_ALL                 HashAll;
@@ -110 +118 @@
 
 #ifdef ENABLE_MD5_DEPRECATED_INTERFACES
-HASH_TEST_CONTEXT  mMd5TestCtx = { MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final, Md5HashAll, Md5Digest };
+HASH_TEST_CONTEXT  mMd5TestCtx = { MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Duplicate, Md5Final, Md5HashAll, Md5Digest };
 #endif
-HASH_TEST_CONTEXT  mSha1TestCtx   = { SHA1_DIGEST_SIZE, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final, Sha1HashAll, Sha1Digest };
-HASH_TEST_CONTEXT  mSha256TestCtx = { SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, Sha256HashAll, Sha256Digest };
-HASH_TEST_CONTEXT  mSha384TestCtx = { SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, Sha384HashAll, Sha384Digest };
-HASH_TEST_CONTEXT  mSha512TestCtx = { SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, Sha512HashAll, Sha512Digest };
+HASH_TEST_CONTEXT  mSha1TestCtx   = { SHA1_DIGEST_SIZE, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Duplicate, Sha1Final, Sha1HashAll, Sha1Digest };
+HASH_TEST_CONTEXT  mSha256TestCtx = { SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Duplicate, Sha256Final, Sha256HashAll, Sha256Digest };
+HASH_TEST_CONTEXT  mSha384TestCtx = { SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Duplicate, Sha384Final, Sha384HashAll, Sha384Digest };
+HASH_TEST_CONTEXT  mSha512TestCtx = { SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Duplicate, Sha512Final, Sha512HashAll, Sha512Digest };
 
 UNIT_TEST_STATUS
@@ -158 +166 @@
   UINTN              DataSize;
   UINT8              Digest[MAX_DIGEST_SIZE];
+  UINT8              DigestCopy[MAX_DIGEST_SIZE];
   BOOLEAN            Status;
   HASH_TEST_CONTEXT  *HashTestContext;
+  VOID               *HashCopyContext;
 
   HashTestContext = Context;
@@ -166 +176 @@
 
   ZeroMem (Digest, MAX_DIGEST_SIZE);
+  ZeroMem (DigestCopy, MAX_DIGEST_SIZE);
+
+  HashCopyContext = AllocatePool (HashTestContext->GetContextSize ());
 
   Status = HashTestContext->HashInit (HashTestContext->HashCtx);
   UT_ASSERT_TRUE (Status);
 
+  Status = HashTestContext->HashInit (HashCopyContext);
+  UT_ASSERT_TRUE (Status);
+
   Status = HashTestContext->HashUpdate (HashTestContext->HashCtx, HashData, DataSize);
   UT_ASSERT_TRUE (Status);
 
+  Status = HashTestContext->HashDup (HashTestContext->HashCtx, HashCopyContext);
+  UT_ASSERT_TRUE (Status);
+
   Status = HashTestContext->HashFinal (HashTestContext->HashCtx, Digest);
   UT_ASSERT_TRUE (Status);
 
+  Status = HashTestContext->HashFinal (HashCopyContext, DigestCopy);
+  UT_ASSERT_TRUE (Status);
+
   UT_ASSERT_MEM_EQUAL (Digest, HashTestContext->Digest, HashTestContext->DigestSize);
+  UT_ASSERT_MEM_EQUAL (Digest, DigestCopy, HashTestContext->DigestSize);
 
   ZeroMem (Digest, MAX_DIGEST_SIZE);

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/HmacTests.c

@@ -83 +83 @@
 
 typedef
-VOID *
+  VOID *
 (EFIAPI *EFI_HMAC_NEW)(
   VOID
@@ -89 +89 @@
 
 typedef
-VOID
+  VOID
 (EFIAPI *EFI_HMAC_FREE)(
   IN VOID  *HashContext
@@ -95 +95 @@
 
 typedef
-BOOLEAN
+  BOOLEAN
 (EFIAPI *EFI_HMAC_INIT)(
   IN OUT  VOID        *HashContext,
@@ -103 +103 @@
 
 typedef
-BOOLEAN
+  BOOLEAN
+(EFIAPI *EFI_HMAC_DUP)(
+  IN   CONST  VOID    *HashContext,
+  OUT  VOID           *NewHashContext
+  );
+
+typedef
+  BOOLEAN
 (EFIAPI *EFI_HMAC_UPDATE)(
   IN OUT  VOID        *HashContext,
@@ -111 +118 @@
 
 typedef
-BOOLEAN
+  BOOLEAN
 (EFIAPI *EFI_HMAC_FINAL)(
   IN OUT  VOID   *HashContext,
   OUT     UINT8  *HashValue
+  );
+
+typedef
+  BOOLEAN
+(EFIAPI *EFI_HMAC_ALL)(
+  IN   CONST VOID     *Data,
+  IN   UINTN          DataSize,
+  IN   CONST UINT8    *Key,
+  IN   UINTN          KeySize,
+  OUT  UINT8          *HashValue
   );
 
@@ -122 +139 @@
   EFI_HMAC_FREE      HmacFree;
   EFI_HMAC_INIT      HmacInit;
+  EFI_HMAC_DUP       HmacDup;
   EFI_HMAC_UPDATE    HmacUpdate;
   EFI_HMAC_FINAL     HmacFinal;
+  EFI_HMAC_ALL       HmacAll;
   CONST UINT8        *Key;
   UINTN              KeySize;
@@ -130 +149 @@
 } HMAC_TEST_CONTEXT;
 
-// These functions have been deprecated but they've been left commented out for future reference
-// HMAC_TEST_CONTEXT       mHmacMd5TestCtx    = {MD5_DIGEST_SIZE,    HmacMd5New,    HmacMd5Free,  HmacMd5SetKey,    HmacMd5Update,    HmacMd5Final,    HmacMd5Key,    sizeof(HmacMd5Key),    HmacMd5Digest};
-// HMAC_TEST_CONTEXT       mHmacSha1TestCtx   = {SHA1_DIGEST_SIZE,   HmacSha1New,   HmacSha1Free, HmacSha1SetKey,   HmacSha1Update,   HmacSha1Final,   HmacSha1Key,   sizeof(HmacSha1Key),   HmacSha1Digest};
-HMAC_TEST_CONTEXT  mHmacSha256TestCtx = { SHA256_DIGEST_SIZE, HmacSha256New, HmacSha256Free, HmacSha256SetKey, HmacSha256Update, HmacSha256Final, HmacSha256Key, sizeof (HmacSha256Key), HmacSha256Digest };
-HMAC_TEST_CONTEXT  mHmacSha384TestCtx = { SHA384_DIGEST_SIZE, HmacSha384New, HmacSha384Free, HmacSha384SetKey, HmacSha384Update, HmacSha384Final, HmacSha384Key, sizeof (HmacSha384Key), HmacSha384Digest };
+HMAC_TEST_CONTEXT  mHmacSha256TestCtx = { SHA256_DIGEST_SIZE, HmacSha256New, HmacSha256Free, HmacSha256SetKey, HmacSha256Duplicate, HmacSha256Update, HmacSha256Final, HmacSha256All, HmacSha256Key, sizeof (HmacSha256Key), HmacSha256Digest };
+HMAC_TEST_CONTEXT  mHmacSha384TestCtx = { SHA384_DIGEST_SIZE, HmacSha384New, HmacSha384Free, HmacSha384SetKey, HmacSha384Duplicate, HmacSha384Update, HmacSha384Final, HmacSha384All, HmacSha384Key, sizeof (HmacSha384Key), HmacSha384Digest };
 
 UNIT_TEST_STATUS
@@ -174 +190 @@
 {
   UINT8              Digest[MAX_DIGEST_SIZE];
+  UINT8              DigestCopy[MAX_DIGEST_SIZE];
+  UINT8              DigestByAll[MAX_DIGEST_SIZE];
+  VOID               *HmacCopyContext;
   BOOLEAN            Status;
   HMAC_TEST_CONTEXT  *HmacTestContext;
@@ -180 +199 @@
 
   ZeroMem (Digest, MAX_DIGEST_SIZE);
+  ZeroMem (DigestCopy, MAX_DIGEST_SIZE);
+  ZeroMem (DigestByAll, MAX_DIGEST_SIZE);
+
+  HmacCopyContext = HmacTestContext->HmacNew ();
 
   Status = HmacTestContext->HmacInit (HmacTestContext->HmacCtx, HmacTestContext->Key, HmacTestContext->KeySize);
   UT_ASSERT_TRUE (Status);
 
+  Status = HmacTestContext->HmacInit (HmacCopyContext, HmacTestContext->Key, HmacTestContext->KeySize);
+  UT_ASSERT_TRUE (Status);
+
   Status = HmacTestContext->HmacUpdate (HmacTestContext->HmacCtx, HmacData, 8);
   UT_ASSERT_TRUE (Status);
 
+  Status = HmacTestContext->HmacDup (HmacTestContext->HmacCtx, HmacCopyContext);
+  UT_ASSERT_TRUE (Status);
+
   Status = HmacTestContext->HmacFinal (HmacTestContext->HmacCtx, Digest);
   UT_ASSERT_TRUE (Status);
 
+  Status = HmacTestContext->HmacFinal (HmacCopyContext, DigestCopy);
+  UT_ASSERT_TRUE (Status);
+
+  Status = HmacTestContext->HmacAll (HmacData, 8, HmacTestContext->Key, HmacTestContext->KeySize, DigestByAll);
+  UT_ASSERT_TRUE (Status);
+
   UT_ASSERT_MEM_EQUAL (Digest, HmacTestContext->Digest, HmacTestContext->DigestSize);
+  UT_ASSERT_MEM_EQUAL (Digest, DigestCopy, HmacTestContext->DigestSize);
+  UT_ASSERT_MEM_EQUAL (Digest, DigestByAll, HmacTestContext->DigestSize);
 
   return UNIT_TEST_PASSED;
@@ -201 +238 @@
   { "TestVerifyHmacSha256()", "CryptoPkg.BaseCryptLib.Hmac", TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacSha256TestCtx },
   { "TestVerifyHmacSha384()", "CryptoPkg.BaseCryptLib.Hmac", TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacSha384TestCtx },
-  // These functions have been deprecated but they've been left commented out for future reference
-  // {"TestVerifyHmacMd5()",    "CryptoPkg.BaseCryptLib.Hmac",   TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacMd5TestCtx},
-  // {"TestVerifyHmacSha1()",   "CryptoPkg.BaseCryptLib.Hmac",   TestVerifyHmac, TestVerifyHmacPreReq, TestVerifyHmacCleanUp, &mHmacSha1TestCtx},
 };
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c

@@ -1 +1 @@
 /** @file
-  This is a unit test for RSA OAEP encrypt.
+  This is a unit test for RSA OAEP encrypt/decrypt.
 
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
@@ -8 +9 @@
 #include "TestBaseCryptLib.h"
 
-CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";
+STATIC CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";
 
 //
@@ -15 +16 @@
 // O = Intel
 //
-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  SelfTestCert[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  SelfTestCert[] = {
   0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0x02, 0x09, 0x00, 0xE4, 0xDF, 0x47, 0x80, 0xEF,
   0x4B, 0x3C, 0x6D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
@@ -76 +77 @@
 };
 
-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  PrivateKey[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  PrivateKey[] = {
   0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBC, 0xE4, 0x67, 0xDC,
   0xC7, 0xEA, 0x6F, 0x8A, 0xA7, 0xCC, 0xB2, 0x54, 0x47, 0x48, 0x6A, 0xE2, 0x39, 0xFF, 0xC2, 0x48,
@@ -154 +155 @@
 };
 
+// The following RSA key componets were extracted from the above private key with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaN[] = {
+  0x00,
+  0xbc,0xe4,  0x67, 0xdc, 0xc7, 0xea, 0x6f, 0x8a, 0xa7, 0xcc, 0xb2, 0x54, 0x47, 0x48, 0x6a, 0xe2,
+  0x39,0xff,  0xc2, 0x48, 0x58, 0x34, 0x07, 0x03, 0x6d, 0x39, 0xb3, 0x67, 0x46, 0x4c, 0xbc, 0xa0,
+  0xfa,0x4e,  0x64, 0x23, 0x56, 0x47, 0x7b, 0xc9, 0x1a, 0x2a, 0x55, 0x42, 0x54, 0x10, 0x18, 0x30,
+  0x92,0x60,  0x30, 0x5b, 0x9e, 0xc0, 0x65, 0xd2, 0xd4, 0x05, 0x4a, 0xa6, 0x10, 0x66, 0x04, 0xa9,
+  0x54,0x4e,  0xee, 0x49, 0x39, 0x43, 0x65, 0x1e, 0x2e, 0x28, 0xde, 0x79, 0x24, 0xa9, 0x7e, 0xd8,
+  0x5b,0xbc,  0x2f, 0x46, 0x6a, 0xb7, 0xb6, 0x0d, 0x17, 0x88, 0x37, 0x52, 0x5c, 0xfe, 0x93, 0xc0,
+  0xe2,0xfd,  0x6a, 0x08, 0x1b, 0xfb, 0xd1, 0x87, 0xbd, 0xbd, 0x58, 0x57, 0x2c, 0x06, 0x5d, 0xd2,
+  0x7d,0x52,  0xe2, 0x49, 0x8e, 0xdc, 0xe5, 0x26, 0xbd, 0x92, 0x60, 0xb0, 0x3f, 0x58, 0x5e, 0x52,
+  0xd7,0x91,  0xda, 0x93, 0x62, 0x8d, 0x71, 0x80, 0x53, 0xba, 0x15, 0xc4, 0x1f, 0xf3, 0xbd, 0xe0,
+  0xc5,0xa4,  0xb8, 0xd3, 0x64, 0x12, 0x14, 0x1b, 0x11, 0x6b, 0x7b, 0xc2, 0x92, 0xc7, 0xe2, 0x94,
+  0x0b,0xb8,  0x67, 0x38, 0x48, 0x63, 0x11, 0x74, 0x25, 0x7c, 0x37, 0xc3, 0xb2, 0xae, 0xd9, 0xa7,
+  0x17,0x9c,  0x4b, 0x9d, 0x6c, 0x27, 0xb0, 0x87, 0x16, 0x6b, 0xf2, 0x96, 0xe5, 0x1d, 0x37, 0x27,
+  0xde,0xf2,  0x98, 0xb7, 0x81, 0x08, 0xd9, 0x7a, 0xba, 0x84, 0x14, 0x61, 0x60, 0x48, 0xce, 0xce,
+  0x51,0x73,  0xf4, 0xdb, 0xf1, 0x5f, 0x7a, 0x17, 0x71, 0x4f, 0xc1, 0x0b, 0xce, 0xc7, 0x31, 0xc1,
+  0x4e,0xa3,  0xee, 0x6f, 0x72, 0x97, 0x90, 0xfb, 0x8b, 0x54, 0x9f, 0x82, 0x5b, 0x48, 0x5a, 0xf1,
+  0xad,0x8b,  0x3a, 0xcd, 0xca, 0xb2, 0x8b, 0x7a, 0x53, 0xd4, 0xf7, 0x71, 0x16, 0x75, 0xa7, 0x35,
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaE[] = {
+  0x01, 0x00, 0x01
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaD[] = {
+  0x13, 0xf7, 0xd1, 0x42, 0xf5, 0x9f, 0x42, 0xcb, 0x55, 0x91, 0xbe, 0x08, 0x4a, 0xc0, 0xcd, 0x0b,
+  0xbd, 0x35, 0xdc, 0x43, 0xe9, 0x8f, 0x16, 0x6e, 0xb6, 0x4d, 0x33, 0x39, 0xe7, 0xa4, 0x95, 0x0c,
+  0x2f, 0x69, 0xba, 0x0c, 0x42, 0x42, 0xac, 0x43, 0x46, 0x10, 0xd3, 0x92, 0x7f, 0x70, 0x74, 0x1e,
+  0x2e, 0x5b, 0x1c, 0xc1, 0x92, 0xb6, 0xa4, 0x0c, 0xf5, 0x7c, 0xd9, 0xb7, 0x54, 0x64, 0x74, 0x79,
+  0xb1, 0xff, 0xe6, 0x10, 0xb7, 0x8c, 0xf8, 0x53, 0x88, 0x6d, 0xa9, 0x97, 0x04, 0xd9, 0x26, 0x1f,
+  0x99, 0x12, 0xfb, 0xac, 0x65, 0xfb, 0xa5, 0xb3, 0x1c, 0x99, 0xb9, 0xbf, 0x6b, 0x35, 0x3e, 0x49,
+  0x55, 0xb5, 0x94, 0x4f, 0xe7, 0x25, 0x67, 0xb1, 0x01, 0xcd, 0xd2, 0x58, 0xe4, 0xbe, 0x87, 0x8c,
+  0x88, 0xd3, 0x0a, 0x38, 0xdc, 0x71, 0x5d, 0x88, 0x0a, 0xe2, 0x3e, 0x76, 0x63, 0x3b, 0xe4, 0x3c,
+  0x8f, 0x2f, 0x29, 0x1d, 0xd1, 0x66, 0x8d, 0xc0, 0x4a, 0x68, 0x15, 0x90, 0x4c, 0x95, 0x61, 0xf4,
+  0xfd, 0xe8, 0xfa, 0x9c, 0x6c, 0x00, 0x22, 0x23, 0xd5, 0x17, 0x6e, 0xee, 0xa8, 0xd8, 0x70, 0xc5,
+  0x74, 0xea, 0x09, 0x13, 0x7f, 0x0c, 0x37, 0x4d, 0x50, 0xcd, 0xe9, 0x16, 0xc2, 0xd5, 0xde, 0x5e,
+  0xc3, 0xfc, 0x46, 0x08, 0xf1, 0x99, 0xc0, 0xb4, 0x28, 0xfd, 0x2b, 0x29, 0xef, 0x76, 0xd7, 0x04,
+  0x4f, 0x02, 0x54, 0x16, 0x54, 0x55, 0x20, 0xec, 0xbc, 0xbf, 0x85, 0x5f, 0x12, 0xcc, 0xfc, 0x0d,
+  0xf2, 0xef, 0xfc, 0x4d, 0x3e, 0xa2, 0x5e, 0x97, 0xfe, 0x35, 0x10, 0x0f, 0x53, 0x1f, 0x80, 0xd5,
+  0xc0, 0xb4, 0xe9, 0xe9, 0x31, 0x4c, 0x89, 0x14, 0x72, 0x39, 0x65, 0x89, 0xef, 0x7a, 0x51, 0x4a,
+  0xb9, 0xa9, 0xcc, 0x1b, 0x52, 0xb0, 0x02, 0x52, 0x65, 0x2f, 0x0b, 0x89, 0x41, 0x70, 0x1e, 0x01,
+};
+
+// test case = "123\0"
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Msg1230[] = {
+  0x31, 0x32, 0x33, 0x00
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA1 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaepMdSha1Mgf1Sha1[] = {
+  0x88, 0x5d, 0xf3, 0x00, 0x66, 0x77, 0x91, 0x94, 0x5c, 0x8d, 0x45, 0xb6, 0xb2, 0x24, 0x26, 0x26,
+  0x37, 0xbe, 0xe0, 0x87, 0x4f, 0x50, 0xbf, 0x88, 0xde, 0x5d, 0xe9, 0xe0, 0xb2, 0x7e, 0x66, 0xfa,
+  0x6c, 0xfd, 0x0d, 0x19, 0x48, 0x41, 0xfe, 0x7a, 0x86, 0xa8, 0x28, 0xc2, 0x01, 0xcf, 0x76, 0xd7,
+  0xea, 0xab, 0x6d, 0xc3, 0x5e, 0x2c, 0x36, 0x04, 0xc0, 0x54, 0xc2, 0x68, 0x67, 0xe7, 0x04, 0x27,
+  0x56, 0xbe, 0x53, 0xb5, 0x80, 0x94, 0xd8, 0xde, 0x8c, 0x75, 0x69, 0x42, 0xba, 0x55, 0xd6, 0x2c,
+  0xda, 0x22, 0xe6, 0x09, 0xf6, 0x90, 0x27, 0x4b, 0x10, 0x54, 0x40, 0xa0, 0x74, 0x31, 0xdb, 0x5f,
+  0x80, 0x06, 0xc7, 0x67, 0x96, 0xe8, 0x45, 0xea, 0x7f, 0x72, 0x18, 0x24, 0xe8, 0x0d, 0x46, 0xc2,
+  0xa0, 0x83, 0xca, 0x71, 0xca, 0x91, 0x4b, 0x89, 0x80, 0x61, 0x01, 0x8e, 0xcf, 0xa1, 0x68, 0x81,
+  0x2d, 0xf2, 0x08, 0xd2, 0x02, 0x9e, 0xc0, 0xa4, 0x91, 0x71, 0x90, 0x84, 0x2f, 0x4e, 0x18, 0x37,
+  0x9b, 0x61, 0x0b, 0xf5, 0x88, 0xf7, 0x6b, 0x87, 0xb9, 0x4e, 0x31, 0xda, 0xf3, 0xb5, 0xe2, 0x60,
+  0x4d, 0xd9, 0x52, 0x99, 0x6b, 0x19, 0x98, 0xa2, 0x28, 0xaa, 0xeb, 0x5a, 0x33, 0xef, 0xf1, 0x4e,
+  0x29, 0x86, 0xbf, 0x70, 0x08, 0xfd, 0x34, 0x8a, 0x8c, 0x6d, 0xef, 0xc4, 0xa1, 0xfe, 0xdf, 0x4d,
+  0xeb, 0xf0, 0x2c, 0x4c, 0xf5, 0xb3, 0xe8, 0xf8, 0xc3, 0x45, 0xc7, 0x6b, 0x59, 0x1c, 0x9b, 0xd9,
+  0x52, 0xdf, 0x65, 0x87, 0x18, 0xd2, 0x6d, 0xff, 0x8b, 0x98, 0x2a, 0x97, 0xeb, 0x93, 0xea, 0x6a,
+  0x23, 0x23, 0xc6, 0x32, 0xf5, 0xea, 0x45, 0xe3, 0x99, 0xa0, 0x4d, 0x4b, 0x8f, 0xf8, 0x1d, 0xad,
+  0xa9, 0x97, 0xa2, 0xd6, 0xaf, 0x5e, 0x11, 0xf7, 0x5f, 0x28, 0xfb, 0x38, 0x80, 0x38, 0x50, 0xc4,
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA256 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaep2048MdSha256Mgf1Sha256[] = {
+  0xa7, 0x20, 0xa9, 0x31, 0xb5, 0xad, 0x83, 0x0a, 0x07, 0xee, 0x36, 0x46, 0xa5, 0x78, 0x3a, 0xda,
+  0x9d, 0xdf, 0xe6, 0x05, 0x0f, 0x7c, 0x46, 0xfe, 0x5f, 0xd6, 0x58, 0x16, 0xb6, 0xaa, 0x82, 0x7c,
+  0x58, 0x8a, 0x52, 0x14, 0x12, 0x29, 0x6f, 0x62, 0x80, 0xa7, 0x61, 0xfe, 0x29, 0x72, 0x6f, 0x73,
+  0xf6, 0x2f, 0x54, 0x38, 0x58, 0x7b, 0xbd, 0xa1, 0x2f, 0x9d, 0x12, 0x83, 0x72, 0xbc, 0x3d, 0x29,
+  0x65, 0x39, 0xcb, 0x93, 0x95, 0x3e, 0x73, 0xc9, 0x6f, 0xb9, 0xe8, 0xd5, 0x8b, 0x91, 0x0d, 0x87,
+  0x7e, 0x22, 0xb5, 0x93, 0x3d, 0xa8, 0x4a, 0xd9, 0x1a, 0x13, 0xf7, 0xf4, 0x7f, 0x16, 0x42, 0xfe,
+  0x63, 0x10, 0x7e, 0xa1, 0xe5, 0x04, 0xcf, 0xed, 0x93, 0x2d, 0x16, 0x3b, 0x79, 0x1f, 0x53, 0x41,
+  0xe3, 0xca, 0x69, 0x18, 0x6a, 0xe5, 0xec, 0x9a, 0xce, 0xbc, 0x47, 0xf6, 0x77, 0x9a, 0x5c, 0xea,
+  0xac, 0x7e, 0x28, 0xeb, 0x1e, 0xfe, 0x75, 0xa6, 0xbf, 0x1e, 0xfd, 0x1c, 0x63, 0x69, 0x47, 0x04,
+  0xaf, 0x69, 0x7e, 0x1c, 0xa1, 0x7f, 0x00, 0xcf, 0xec, 0x16, 0x34, 0xd9, 0xde, 0x91, 0x0e, 0x0f,
+  0x0b, 0x1e, 0x66, 0xc3, 0x41, 0x88, 0x43, 0xbe, 0xa3, 0x2a, 0x7c, 0x87, 0xff, 0xc0, 0x67, 0xdc,
+  0xc7, 0xeb, 0x28, 0x07, 0x00, 0x72, 0x85, 0x17, 0xca, 0x05, 0x9f, 0x29, 0x6b, 0xad, 0xc6, 0xae,
+  0x1c, 0x4a, 0xf2, 0xfe, 0x97, 0xc7, 0x6e, 0x4b, 0xbf, 0xfd, 0x46, 0xbe, 0xf8, 0x76, 0xc9, 0x70,
+  0x58, 0x3a, 0x73, 0xcc, 0x34, 0xda, 0xfe, 0x5b, 0x6d, 0x98, 0x74, 0x95, 0x85, 0xc7, 0xc9, 0x84,
+  0x02, 0xa8, 0x97, 0x13, 0xa3, 0x83, 0xcb, 0x28, 0x3d, 0xbb, 0x2b, 0x3b, 0x45, 0xf1, 0x6e, 0xc5,
+  0x37, 0x23, 0x21, 0xe6, 0x74, 0x2d, 0x48, 0x19, 0x97, 0xaf, 0xee, 0x3d, 0x9b, 0xd0, 0x05, 0xc7
+};
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT OAEP_ENC_DEC_TEST_CONTEXT;
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_ENCRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *ClearText,
+  IN      UINTN       ClearTextSize,
+  IN      CONST UINT8 *PrngSeed,
+  IN      UINTN       PrngSeedSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **CipherText,
+  OUT     UINTN       *CipherTextSize
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_DECRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *CipherText,
+  IN      UINTN       CipherTextSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **ClearText,
+  OUT     UINTN       *ClearTextSize
+  );
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT {
+  CONST UINT8          *SelfTestCert;
+  UINTN                SelfTestCertSize;
+  CONST UINT8          *PrivateKey;
+  UINTN                PrivateKeySize;
+  CONST UINT8          *RsaN;
+  UINTN                RsaNSize;
+  CONST UINT8          *RsaE;
+  UINTN                RsaESize;
+  CONST UINT8          *RsaD;
+  UINTN                RsaDSize;
+  CONST UINT8          *PrngSeed;
+  UINTN                PrngSeedSize;
+  CONST UINT8          *ClearText;
+  UINTN                ClearTextSize;
+  CONST UINT8          *CipherText;
+  UINTN                CipherTextSize;
+  UINT16               DigestLen;
+  OAEP_TEST_ENCRYPT    Encrypt;
+  OAEP_TEST_DECRYPT    Decrypt;
+  UNIT_TEST_STATUS     Expect;
+} OAEP_ENC_DEC_TEST_CONTEXT;
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Encrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *PrngSeed,
+  UINTN                      PrngSeedSize,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Encrypt (
+             TestCtx->SelfTestCert,
+             TestCtx->SelfTestCertSize,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             PrngSeed,
+             PrngSeedSize,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Decrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Decrypt (
+             TestCtx->PrivateKey,
+             TestCtx->PrivateKeySize,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             ClearText,
+             ClearTextSize
+             );
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepEncrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *RandSeedIn,
+  UINTN                      RandSeedSizeIn,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             RandSeedIn,
+             RandSeedSizeIn,
+             DigestLen,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepDecrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyD, TestCtx->RsaD, TestCtx->RsaDSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepDecrypt (
+             RsaContext,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             DigestLen,
+             ClearText,
+             ClearTextSize
+             );
+
+  return Status;
+}
+
 UNIT_TEST_STATUS
 EFIAPI
-TestVerifyOaepEncrypt (
+TestVerifyEncrypt (
   IN UNIT_TEST_CONTEXT  Context
   )
 {
-  BOOLEAN  Status;
-  UINT8    File[4];
-  UINT8    *OutBuffer;
-  UINTN    OutBufferSize;
-  UINT8    *OutBuffer2;
-  UINTN    OutBuffer2Size;
-
-  // Create a file and add content '123' in it
-  File[0] = '1';
-  File[1] = '2';
-  File[2] = '3';
-  File[3] = 0;
-
-  OutBuffer      = NULL;
-  OutBufferSize  = 0;
-  OutBuffer2     = NULL;
-  OutBuffer2Size = 0;
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)sizeof (File),
-             NULL,
-             0,
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             NULL,
-             0,
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer     = NULL;
+  UINTN                      OutBufferSize  = 0;
+  UINT8                      *OutBuffer2    = NULL;
+  UINTN                      OutBuffer2Size = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = (OAEP_ENC_DEC_TEST_CONTEXT *)Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer2,
+                      &OutBuffer2Size
+                      );
   UT_ASSERT_TRUE (Status);
 
@@ -218 +477 @@
   }
 
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
-  UT_ASSERT_TRUE (Status);
-
-  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
-  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
-  UT_ASSERT_FALSE (Status);
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer    = NULL;
+  UINTN                      OutBufferSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      TestCtx->CipherText,
+                      TestCtx->CipherTextSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  UT_ASSERT_TRUE (CompareMem (OutBuffer, TestCtx->ClearText, OutBufferSize >= TestCtx->ClearTextSize ? OutBufferSize : TestCtx->ClearTextSize) == 0);
+  UT_ASSERT_TRUE (OutBufferSize == TestCtx->ClearTextSize);
 
   if (OutBuffer) {
@@ -252 +512 @@
   }
 
-  if (OutBuffer2) {
-    FreePool (OutBuffer2);
-    OutBuffer2     = NULL;
-    OutBuffer2Size = 0;
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyEncryptDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *ClearText     = NULL;
+  UINTN                      ClearTextSize  = 0;
+  UINT8                      *CipherText    = NULL;
+  UINTN                      CipherTextSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &CipherText,
+                      &CipherTextSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      CipherText,
+                      CipherTextSize,
+                      TestCtx->DigestLen,
+                      &ClearText,
+                      &ClearTextSize
+                      );
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (Status);
+  } else {
+    UT_ASSERT_FALSE (Status);
   }
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (CompareMem (ClearText, TestCtx->ClearText, ClearTextSize >= TestCtx->ClearTextSize ? ClearTextSize : TestCtx->ClearTextSize) == 0);
+    UT_ASSERT_TRUE (ClearTextSize == TestCtx->ClearTextSize);
+  }
+
+  if (CipherText) {
+    FreePool (CipherText);
+    CipherText     = NULL;
+    CipherTextSize = 0;
+  }
+
+  if (ClearText) {
+    FreePool (ClearText);
+    ClearText     = NULL;
+    ClearTextSize = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyPkcs1v2EncryptInterface (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN  Status;
+  UINT8    *OutBuffer;
+  UINTN    OutBufferSize;
 
   Status = Pkcs1v2Encrypt (
              NULL,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
@@ -273 +602 @@
              SelfTestCert,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
@@ -285 +614 @@
              SelfTestCert,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
@@ -297 +626 @@
 }
 
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyRsaOaepEncryptInterface (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+  UINT8    *OutBuffer;
+  UINTN    OutBufferSize;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, RsaN, sizeof (RsaN));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, RsaE, sizeof (RsaE));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             NULL,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             (UINT8 **)NULL,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)NULL
+             );
+  UT_ASSERT_FALSE (Status);
+
+  return UNIT_TEST_PASSED;
+}
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230 = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230PrngSeed = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230PrngSeed = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2EncryptRsaOaepDecrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepEncryptPkcs1v2Decrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdDefaultBgf1Default = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = SHA1_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaep2048MdSha256Mgf1Sha256,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaep2048MdSha256Mgf1Sha256),
+  .DigestLen        = SHA256_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
 TEST_DESC  mOaepTest[] = {
   //
   // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context
   //
-  { "TestVerifyOaepEncrypt()", "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt", TestVerifyOaepEncrypt, NULL, NULL, NULL },
+  // Pkcs1v2Encrypt / Decrypt
+  { "Pkcs1v2Encrypt (Interface)",                   "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Interface",                   TestVerifyPkcs1v2EncryptInterface, NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230PrngSeed            },
+  { "Pkcs1v2Decrypt",                               "CryptoPkg.BaseCryptLib.Pkcs1v2Decrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2EncryptDecrypt",                        "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+
+  // RsaOaepEncrypt / Decrypt
+  { "RsaOaepEncrypt (Interface)",                   "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Interface",                   TestVerifyRsaOaepEncryptInterface, NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230PrngSeed            },
+  { "RsaOaepDecrypt",                               "CryptoPkg.BaseCryptLib.RsaOaepDecrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncryptDecrypt",                        "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+
+  // Mix interfaces
+  { "RsaOaepEncryptPkcs1v2Decrypt",                 "CryptoPkg.BaseCryptLib.RsaOaepEncryptPkcs1v2Decrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepEncryptPkcs1v2Decrypt      },
+  { "Pkcs1v2EncryptRsaOaepDecrypt",                 "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptRsaOaepDecrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2EncryptRsaOaepDecrypt      },
+
+  // Message digest default / MGF1 default (SHA1)
+  { "RsaOaepEncrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdDefaultMgf1Default",        TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepDecrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdDefaultMgf1Default",        TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepEncryptDecrypt (MdDefaultMgf1Default)", "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdDefaultMgf1Default", TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+
+  // Message digest SHA1 / MGF1 SHA1
+  { "RsaOaepEncrypt (MdSha1Bgf1Sha1",               "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha1Bgf1Sha1",              TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepDecrypt (MdSha1Bgf1Sha1)",              "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha1Bgf1Sha1",              TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepEncryptDecrypt (MdSha1Bgf1Sha1)",       "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdSha1Bgf1Sha1",       TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+
+  // Message digest SHA256 / MGF1 SHA256
+  { "RsaOaepEncrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha256Bgf1Sha256",          TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepDecrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha256Bgf1Sha256",          TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepEncryptDecrypt (MdSha256Bgf1Sha256)",   "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecryptMdSha256Bgf1Sha256",    TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
 };
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c

@@ -195 +195 @@
   UINTN    KeySize;
   UINT8    *KeyBuffer;
+  UINT8    TestPublicExponent1[] = { 0x03 };
+  UINT8    TestPublicExponent2[] = { 0x01, 0x01 };
+  UINT8    TestPublicExponent3[] = { 0x01, 0x00, 0x01 };
 
   //
@@ -201 +204 @@
 
   Status = RsaGenerateKey (mRsa, RSA_MODULUS_LENGTH, NULL, 0);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaGenerateKey (mRsa, RSA_MODULUS_LENGTH, TestPublicExponent1, sizeof (TestPublicExponent1));
+  UT_ASSERT_TRUE (Status);
+  Status = RsaGenerateKey (mRsa, RSA_MODULUS_LENGTH, TestPublicExponent2, sizeof (TestPublicExponent2));
+  UT_ASSERT_TRUE (Status);
+  Status = RsaGenerateKey (mRsa, RSA_MODULUS_LENGTH, TestPublicExponent3, sizeof (TestPublicExponent3));
   UT_ASSERT_TRUE (Status);