Changeset 105670 in vbox for trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library

Timestamp:

Aug 14, 2024 1:16:30 PM (9 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

164367

Message:

Devices/EFI/FirmwareNew: Merge edk2-stable-202405 and make it build on aarch64, bugref:4643

Location:

trunk/src/VBox/Devices/EFI/FirmwareNew

Files:

• . (modified) (1 prop)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c (modified) (12 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c (modified) (1 diff)
• CryptoPkg/Library/BaseCryptLibMbedTls (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Bn (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAes.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmac.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmacNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdf.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pem (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Rand (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.uni (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/RuntimeMemAllocation.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c (added)
• CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf (added)
• CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c (modified) (2 diffs)
• CryptoPkg/Library/Include/inttypes.h (added)
• CryptoPkg/Library/Include/stdint.h (added)
• CryptoPkg/Library/Include/stubs-32.h (added)
• CryptoPkg/Library/MbedTlsLib (added)
• CryptoPkg/Library/MbedTlsLib/CrtWrapper.c (added)
• CryptoPkg/Library/MbedTlsLib/EcSm2Null.c (added)
• CryptoPkg/Library/MbedTlsLib/Include (added)
• CryptoPkg/Library/MbedTlsLib/Include/mbedtls (added)
• CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h (added)
• CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf (added)
• CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf (added)
• CryptoPkg/Library/MbedTlsLib/mbedtls (added)
• CryptoPkg/Library/TlsLib/TlsConfig.c (modified) (10 diffs)

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -14 +14 @@
 #include <openssl/x509.h>
 #include <Library/MemoryAllocationLib.h>
+
+/**
+  Retrieve a pointer to EVP message digest object.
+
+  @param[in]  DigestLen   Length of the message digest.
+
+**/
+STATIC
+const
+EVP_MD *
+GetEvpMD (
+  IN UINT16  DigestLen
+  )
+{
+  switch (DigestLen) {
+    case SHA1_DIGEST_SIZE:
+      return EVP_sha1 ();
+      break;
+    case SHA256_DIGEST_SIZE:
+      return EVP_sha256 ();
+      break;
+    case SHA384_DIGEST_SIZE:
+      return EVP_sha384 ();
+      break;
+    case SHA512_DIGEST_SIZE:
+      return EVP_sha512 ();
+      break;
+    default:
+      return NULL;
+  }
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY struct that
+                                  will be used to encrypt the data.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Encrypt (
+  EVP_PKEY          *Pkey,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *OutData;
+  UINTN         OutDataSize;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (InData == NULL) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  PkeyCtx            = NULL;
+  OutData            = NULL;
+  OutDataSize        = 0;
+
+  //
+  // If it provides a seed then use it.
+  // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been
+  // used enough to generate sufficient entropy.
+  //
+  if (PrngSeed != NULL) {
+    RandomSeed (PrngSeed, PrngSeedSize);
+  } else {
+    RandomSeed (NULL, 0);
+  }
+
+  //
+  // Create a context for the public key operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
+  if (PkeyCtx == NULL) {
+    //
+    // Fail to create contex.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Initialize the context and set the desired padding.
+  //
+  if ((EVP_PKEY_encrypt_init (PkeyCtx) <= 0) ||
+      (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
+  {
+    //
+    // Fail to initialize the context.
+    //
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
+  //
+  // Determine the required buffer length for malloc'ing.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to determine output buffer size.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Allocate a buffer for the output data.
+  //
+  OutData = AllocatePool (OutDataSize);
+  if (OutData == NULL) {
+    //
+    // Fail to allocate the output buffer.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Encrypt Data.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to encrypt data, need to free the output buffer.
+    //
+    FreePool (OutData);
+    OutData     = NULL;
+    OutDataSize = 0;
+    goto _Exit;
+  }
+
+  //
+  // Encrypt done.
+  //
+  *EncryptedData     = OutData;
+  *EncryptedDataSize = OutDataSize;
+  Result             = TRUE;
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (PkeyCtx != NULL) {
+    EVP_PKEY_CTX_free (PkeyCtx);
+  }
+
+  return Result;
+}
 
 /**
@@ -57 +258 @@
   )
 {
-  BOOLEAN       Result;
-  CONST UINT8   *TempPointer;
-  X509          *CertData;
-  EVP_PKEY      *InternalPublicKey;
-  EVP_PKEY_CTX  *PkeyCtx;
-  UINT8         *OutData;
-  UINTN         OutDataSize;
+  BOOLEAN      Result;
+  CONST UINT8  *TempPointer;
+  X509         *CertData;
+  EVP_PKEY     *Pkey;
 
   //
@@ -89 +287 @@
   TempPointer        = NULL;
   CertData           = NULL;
-  InternalPublicKey  = NULL;
-  PkeyCtx            = NULL;
-  OutData            = NULL;
-  OutDataSize        = 0;
-
-  //
-  // If it provides a seed then use it.
-  // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been
-  // used enough to generate sufficient entropy.
-  //
-  if (PrngSeed != NULL) {
-    RandomSeed (PrngSeed, PrngSeedSize);
-  } else {
-    RandomSeed (NULL, 0);
-  }
+  Pkey               = NULL;
 
   //
@@ -121 +305 @@
   // OpenSSL can use.
   //
-  InternalPublicKey = X509_get_pubkey (CertData);
-  if (InternalPublicKey == NULL) {
+  Pkey = X509_get_pubkey (CertData);
+  if (Pkey == NULL) {
     //
     // Fail to extract public key.
@@ -129 +313 @@
   }
 
-  //
-  // Create a context for the public key operation.
-  //
-  PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL);
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, 0, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (CertData != NULL) {
+    X509_free (CertData);
+  }
+
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if (((RsaContext == NULL) || (InData == NULL)) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  Pkey               = NULL;
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY which will decrypt that data.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Decrypt (
+  EVP_PKEY     *Pkey,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *TempData;
+  UINTN         TempDataSize;
+  INTN          ReturnCode;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result       = FALSE;
+  PkeyCtx      = NULL;
+  TempData     = NULL;
+  TempDataSize = 0;
+
+  //
+  // Create a context for the decryption operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
   if (PkeyCtx == NULL) {
     //
     // Fail to create contex.
     //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));
     goto _Exit;
   }
@@ -143 +487 @@
   // Initialize the context and set the desired padding.
   //
-  if ((EVP_PKEY_encrypt_init (PkeyCtx) <= 0) ||
+  if ((EVP_PKEY_decrypt_init (PkeyCtx) <= 0) ||
       (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
   {
@@ -149 +493 @@
     // Fail to initialize the context.
     //
-    goto _Exit;
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__));
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
   }
 
@@ -155 +515 @@
   // Determine the required buffer length for malloc'ing.
   //
-  if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) {
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
     //
     // Fail to determine output buffer size.
     //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine output buffer size (rc=%d)\n", __func__, ReturnCode));
     goto _Exit;
   }
@@ -165 +527 @@
   // Allocate a buffer for the output data.
   //
-  OutData = AllocatePool (OutDataSize);
-  if (OutData == NULL) {
+  TempData = AllocatePool (TempDataSize);
+  if (TempData == NULL) {
     //
     // Fail to allocate the output buffer.
@@ -174 +536 @@
 
   //
-  // Encrypt Data.
-  //
-  if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) {
-    //
-    // Fail to encrypt data, need to free the output buffer.
-    //
-    FreePool (OutData);
-    OutData     = NULL;
-    OutDataSize = 0;
-    goto _Exit;
-  }
-
-  //
-  // Encrypt done.
-  //
-  *EncryptedData     = OutData;
-  *EncryptedDataSize = OutDataSize;
-  Result             = TRUE;
+  // Decrypt Data.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to decrypt data, need to free the output buffer.
+    //
+    FreePool (TempData);
+    TempData     = NULL;
+    TempDataSize = 0;
+
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decrypt (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Decrypt done.
+  //
+  *OutData     = TempData;
+  *OutDataSize = TempDataSize;
+  Result       = TRUE;
 
 _Exit:
-  //
-  // Release Resources
-  //
-  if (CertData != NULL) {
-    X509_free (CertData);
-  }
-
-  if (InternalPublicKey != NULL) {
-    EVP_PKEY_free (InternalPublicKey);
-  }
-
   if (PkeyCtx != NULL) {
     EVP_PKEY_CTX_free (PkeyCtx);
@@ -211 +565 @@
   return Result;
 }
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  BOOLEAN      Result;
+  EVP_PKEY     *Pkey;
+  CONST UINT8  *TempPointer;
+
+  //
+  // Check input parameters.
+  //
+  if ((PrivateKey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result      = FALSE;
+  Pkey        = NULL;
+  TempPointer = NULL;
+
+  //
+  // Parse the private key.
+  //
+  TempPointer = PrivateKey;
+  Pkey        = d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT32)PrivateKeySize);
+  if (Pkey == NULL) {
+    //
+    // Fail to parse private key.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, 0, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((RsaContext == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result = FALSE;
+  Pkey   = NULL;
+
+  //
+  // Create a context for the decryption operation.
+  //
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -49 +49 @@
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c

@@ -592 +592 @@
   //
   if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
-      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
+      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
+      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
   {
     return FALSE;

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c

@@ -4 +4 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
@@ -49 +49 @@
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c

@@ -2827 +2827 @@
 
 /**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
+/**
   Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
   Cryptographic Message Syntax Standard". The input signed data could be wrapped
@@ -2850 +2963 @@
   @retval  FALSE           Error occurs during the operation.
   @retval  FALSE           This interface is not supported.
+
 
 **/

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/TlsLib/TlsConfig.c

@@ -9 +9 @@
 
 #include "InternalTlsLib.h"
-
-typedef struct {
-  //
-  // IANA/IETF defined Cipher Suite ID
-  //
-  UINT16         IanaCipher;
-  //
-  // OpenSSL-used Cipher Suite String
-  //
-  CONST CHAR8    *OpensslCipher;
-  //
-  // Length of OpensslCipher
-  //
-  UINTN          OpensslCipherLength;
-} TLS_CIPHER_MAPPING;
-
-//
-// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so
-// that OpensslCipherLength is filled in automatically. IanaCipher must be an
-// integer constant expression, and OpensslCipher must be a string literal.
-//
-#define MAP(IanaCipher, OpensslCipher) \
-  { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
-
-//
-// The mapping table between IANA/IETF Cipher Suite definitions and
-// OpenSSL-used Cipher Suite name.
-//
-// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
-//
-STATIC CONST TLS_CIPHER_MAPPING  TlsCipherMappingTable[] = {
-  MAP (0x0001, "NULL-MD5"),                         /// TLS_RSA_WITH_NULL_MD5
-  MAP (0x0002, "NULL-SHA"),                         /// TLS_RSA_WITH_NULL_SHA
-  MAP (0x0004, "RC4-MD5"),                          /// TLS_RSA_WITH_RC4_128_MD5
-  MAP (0x0005, "RC4-SHA"),                          /// TLS_RSA_WITH_RC4_128_SHA
-  MAP (0x000A, "DES-CBC3-SHA"),                     /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
-  MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"),             /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  MAP (0x002F, "AES128-SHA"),                       /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
-  MAP (0x0030, "DH-DSS-AES128-SHA"),                /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
-  MAP (0x0031, "DH-RSA-AES128-SHA"),                /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0033, "DHE-RSA-AES128-SHA"),               /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0035, "AES256-SHA"),                       /// TLS_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0036, "DH-DSS-AES256-SHA"),                /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
-  MAP (0x0037, "DH-RSA-AES256-SHA"),                /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0039, "DHE-RSA-AES256-SHA"),               /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x003B, "NULL-SHA256"),                      /// TLS_RSA_WITH_NULL_SHA256
-  MAP (0x003C, "AES128-SHA256"),                    /// TLS_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x003D, "AES256-SHA256"),                    /// TLS_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x003E, "DH-DSS-AES128-SHA256"),             /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
-  MAP (0x003F, "DH-RSA-AES128-SHA256"),             /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0067, "DHE-RSA-AES128-SHA256"),            /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0068, "DH-DSS-AES256-SHA256"),             /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
-  MAP (0x0069, "DH-RSA-AES256-SHA256"),             /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x006B, "DHE-RSA-AES256-SHA256"),            /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"),        /// TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),    /// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-  MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),    /// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),      /// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-};
 
 typedef struct {
@@ -96 +37 @@
   { TlsSignatureAlgoEcdsa,     "ECDSA" },
 };
-
-/**
-  Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
-
-  @param[in]  CipherId    The supplied IANA TLS cipher suite ID.
-
-  @return  The corresponding OpenSSL cipher suite mapping if found,
-           NULL otherwise.
-
-**/
-STATIC
-CONST TLS_CIPHER_MAPPING *
-TlsGetCipherMapping (
-  IN     UINT16  CipherId
-  )
-{
-  INTN  Left;
-  INTN  Right;
-  INTN  Middle;
-
-  //
-  // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
-  //
-  Left  = 0;
-  Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
-
-  while (Right >= Left) {
-    Middle = (Left + Right) / 2;
-
-    if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
-      //
-      // Translate IANA cipher suite ID to OpenSSL name.
-      //
-      return &TlsCipherMappingTable[Middle];
-    }
-
-    if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
-      Right = Middle - 1;
-    } else {
-      Left = Middle + 1;
-    }
-  }
-
-  //
-  // No Cipher Mapping found, return NULL.
-  //
-  return NULL;
-}
 
 /**
@@ -282 +175 @@
   )
 {
-  TLS_CONNECTION            *TlsConn;
-  EFI_STATUS                Status;
-  CONST TLS_CIPHER_MAPPING  **MappedCipher;
-  UINTN                     MappedCipherBytes;
-  UINTN                     MappedCipherCount;
-  UINTN                     CipherStringSize;
-  UINTN                     Index;
-  CONST TLS_CIPHER_MAPPING  *Mapping;
-  CHAR8                     *CipherString;
-  CHAR8                     *CipherStringPosition;
+  TLS_CONNECTION    *TlsConn;
+  EFI_STATUS        Status;
+  CONST SSL_CIPHER  **MappedCipher;
+  UINTN             MappedCipherBytes;
+  UINTN             MappedCipherCount;
+  UINTN             CipherStringSize;
+  UINTN             Index;
+  INT32             StackIdx;
+  CHAR8             *CipherString;
+  CHAR8             *CipherStringPosition;
+
+  STACK_OF (SSL_CIPHER)      *OpensslCipherStack;
+  CONST SSL_CIPHER  *OpensslCipher;
+  CONST CHAR8       *OpensslCipherName;
+  UINTN             OpensslCipherNameLength;
 
   TlsConn = (TLS_CONNECTION *)Tls;
@@ -316 +214 @@
   }
 
+  OpensslCipherStack = SSL_get_ciphers (TlsConn->Ssl);
+
   //
   // Map the cipher IDs, and count the number of bytes for the full
@@ -322 +222 @@
   MappedCipherCount = 0;
   CipherStringSize  = 0;
-  for (Index = 0; Index < CipherNum; Index++) {
+  for (Index = 0; OpensslCipherStack != NULL && Index < CipherNum; Index++) {
     //
     // Look up the IANA-to-OpenSSL mapping.
     //
-    Mapping = TlsGetCipherMapping (CipherId[Index]);
-    if (Mapping == NULL) {
+    for (StackIdx = 0; StackIdx < sk_SSL_CIPHER_num (OpensslCipherStack); StackIdx++) {
+      OpensslCipher = sk_SSL_CIPHER_value (OpensslCipherStack, StackIdx);
+      if (CipherId[Index] == SSL_CIPHER_get_protocol_id (OpensslCipher)) {
+        break;
+      }
+    }
+
+    if (StackIdx == sk_SSL_CIPHER_num (OpensslCipherStack)) {
       DEBUG ((
         DEBUG_VERBOSE,
@@ -344 +250 @@
 
     //
-    // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this
+    // Accumulate cipher name string length into CipherStringSize. If this
     // is not the first successful mapping, account for a colon (":") prefix
     // too.
@@ -358 +264 @@
     Status = SafeUintnAdd (
                CipherStringSize,
-               Mapping->OpensslCipherLength,
+               AsciiStrLen (SSL_CIPHER_get_name (OpensslCipher)),
                &CipherStringSize
                );
@@ -369 +275 @@
     // Record the mapping.
     //
-    MappedCipher[MappedCipherCount++] = Mapping;
+    MappedCipher[MappedCipherCount++] = OpensslCipher;
   }
 
@@ -404 +310 @@
   CipherStringPosition = CipherString;
   for (Index = 0; Index < MappedCipherCount; Index++) {
-    Mapping = MappedCipher[Index];
+    OpensslCipher           = MappedCipher[Index];
+    OpensslCipherName       = SSL_CIPHER_get_name (OpensslCipher);
+    OpensslCipherNameLength = AsciiStrLen (OpensslCipherName);
     //
     // Append the colon (":") prefix except for the first mapping, then append
-    // Mapping->OpensslCipher.
+    // OpensslCipherName.
     //
     if (Index > 0) {
@@ -415 +323 @@
     CopyMem (
       CipherStringPosition,
-      Mapping->OpensslCipher,
-      Mapping->OpensslCipherLength
+      OpensslCipherName,
+      OpensslCipherNameLength
       );
-    CipherStringPosition += Mapping->OpensslCipherLength;
+    CipherStringPosition += OpensslCipherNameLength;
   }