Changeset 85718 in vbox for trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib

Timestamp:

Aug 12, 2020 4:09:12 PM (5 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

139865

Message:

Devices/EFI: Merge edk-stable202005 and make it build, bugref:4643

Location:

trunk/src/VBox/Devices/EFI/FirmwareNew

Files:

• . (modified) (1 prop)
• CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf (modified) (6 diffs)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c (modified) (1 diff)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c (modified) (1 diff)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c (deleted)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c (modified) (6 diffs)
• CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c (modified) (4 diffs)
• CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf (modified) (5 diffs)
• CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c (modified) (4 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c (modified) (4 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c (modified) (7 diffs)
• CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf (modified) (5 diffs)
• CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf (modified) (4 diffs)
• CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni (modified) (2 diffs)
• CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c (modified) (1 diff)
• CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c (added)

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

@@ -7 +7 @@
 #  buffer overflow or integer overflow.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -24 +25 @@
 # The following information is for reference only and not required by the build tools.
 #
-#  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64
+#  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64 RISCV64
 #
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
@@ -35 +35 @@
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacMd5.c
-  Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
-  Cipher/CryptTdes.c
-  Cipher/CryptArc4.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
@@ -59 +55 @@
   SysCall/TimerWrapper.c
   SysCall/BaseMemAllocation.c
+  SysCall/inet_pton.c
 
 [Sources.Ia32]
@@ -70 +67 @@
 
 [Sources.AARCH64]
+  Rand/CryptRand.c
+
+[Sources.RISCV64]
   Rand/CryptRand.c
 
@@ -102 +102 @@
   GCC:*_CLANG35_*_CC_FLAGS = -std=c99
   GCC:*_CLANG38_*_CC_FLAGS = -std=c99
+  GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types
 
   XCODE:*_*_*_CC_FLAGS = -std=c99

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c

@@ -76 +76 @@
     return FALSE;
   }
-  return TRUE;
-}
-
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data encryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data decryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
   return TRUE;
 }

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c

@@ -45 +45 @@
   IN   CONST UINT8  *Key,
   IN   UINTN        KeyLength
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
   )
 {

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256.c

@@ -2 +2 @@
   HMAC-SHA256 Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -10 +10 @@
 #include <openssl/hmac.h>
 
-//
-// NOTE: OpenSSL redefines the size of HMAC_CTX at crypto/hmac/hmac_lcl.h
-//       #define HMAC_MAX_MD_CBLOCK_SIZE     144
-//
-#define HMAC_SHA256_CTX_SIZE    (sizeof(void *) * 4 + sizeof(unsigned int) + \
-                             sizeof(unsigned char) * 144)
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for HMAC-SHA256 operations.
-  (NOTE: This API is deprecated.
-         Use HmacSha256New() / HmacSha256Free() for HMAC-SHA256 Context operations.)
-
-  @return  The size, in bytes, of the context buffer required for HMAC-SHA256 operations.
-
-**/
-UINTN
-EFIAPI
-HmacSha256GetContextSize (
-  VOID
-  )
-{
-  //
-  // Retrieves the OpenSSL HMAC-SHA256 Context Size
-  // NOTE: HMAC_CTX object was made opaque in openssl-1.1.x, here we just use the
-  //       fixed size as a workaround to make this API work for compatibility.
-  //       We should retire HmacSha256GetContextSize() in future, and use HmacSha256New()
-  //       and HmacSha256Free() for context allocation and release.
-  //
-  return (UINTN)HMAC_SHA256_CTX_SIZE;
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
@@ -79 +48 @@
 
 /**
-  Initializes user-supplied memory pointed by HmacSha256Context as HMAC-SHA256 context for
-  subsequent use.
-
-  If HmacSha256Context is NULL, then return FALSE.
-
-  @param[out]  HmacSha256Context  Pointer to HMAC-SHA256 context being initialized.
+  Set user-supplied key for subsequent use. It must be done before any
+  calling to HmacSha256Update().
+
+  If HmacSha256Context is NULL, then return FALSE.
+
+  @param[out]  HmacSha256Context  Pointer to HMAC-SHA256 context.
   @param[in]   Key                Pointer to the user-supplied key.
   @param[in]   KeySize            Key size in bytes.
 
-  @retval TRUE   HMAC-SHA256 context initialization succeeded.
-  @retval FALSE  HMAC-SHA256 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha256Init (
+  @retval TRUE   The Key is set successfully.
+  @retval FALSE  The Key is set unsuccessfully.
+
+**/
+BOOLEAN
+EFIAPI
+HmacSha256SetKey (
   OUT  VOID         *HmacSha256Context,
   IN   CONST UINT8  *Key,
@@ -107 +76 @@
   }
 
-  //
-  // OpenSSL HMAC-SHA256 Context Initialization
-  //
-  memset(HmacSha256Context, 0, HMAC_SHA256_CTX_SIZE);
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha256Context) != 1) {
-    return FALSE;
-  }
   if (HMAC_Init_ex ((HMAC_CTX *)HmacSha256Context, Key, (UINT32) KeySize, EVP_sha256(), NULL) != 1) {
     return FALSE;
@@ -160 +122 @@
   This function performs HMAC-SHA256 digest on a data buffer of the specified size.
   It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA256 context should be already correctly initialized by HmacSha256Init(), and should not
-  be finalized by HmacSha256Final(). Behavior with invalid context is undefined.
+  HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized
+  by HmacSha256Final(). Behavior with invalid context is undefined.
 
   If HmacSha256Context is NULL, then return FALSE.
@@ -211 +173 @@
   the specified memory. After this function has been called, the HMAC-SHA256 context cannot
   be used again.
-  HMAC-SHA256 context should be already correctly initialized by HmacSha256Init(), and should
-  not be finalized by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined.
+  HMAC-SHA256 context should be initialized by HmacSha256New(), and should not be finalized
+  by HmacSha256Final(). Behavior with invalid HMAC-SHA256 context is undefined.
 
   If HmacSha256Context is NULL, then return FALSE.

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha256Null.c

@@ -2 +2 @@
   HMAC-SHA256 Wrapper Implementation which does not provide real capabilities.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -8 +8 @@
 
 #include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for HMAC-SHA256 operations.
-  (NOTE: This API is deprecated.
-         Use HmacSha256New() / HmacSha256Free() for HMAC-SHA256 Context operations.)
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-HmacSha256GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
 
 /**
@@ -66 +46 @@
 
 /**
-  Initializes user-supplied memory pointed by HmacSha256Context as HMAC-SHA256 context for
-  subsequent use.
+  Set user-supplied key for subsequent use. It must be done before any
+  calling to HmacSha256Update().
 
   Return FALSE to indicate this interface is not supported.
 
-  @param[out]  HmacSha256Context  Pointer to HMAC-SHA256 context being initialized.
+  @param[out]  HmacSha256Context  Pointer to HMAC-SHA256 context.
   @param[in]   Key                Pointer to the user-supplied key.
   @param[in]   KeySize            Key size in bytes.
@@ -80 +60 @@
 BOOLEAN
 EFIAPI
-HmacSha256Init (
+HmacSha256SetKey (
   OUT  VOID         *HmacSha256Context,
   IN   CONST UINT8  *Key,

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

@@ -7 +7 @@
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  Note:
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
@@ -14 +14 @@
 #  supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -36 +36 @@
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
@@ -42 +41 @@
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacMd5Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
@@ -97 +92 @@
   GCC:*_CLANG35_*_CC_FLAGS = -std=c99
   GCC:*_CLANG38_*_CC_FLAGS = -std=c99
+  GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types
 
   XCODE:*_*_*_CC_FLAGS = -std=c99

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni

@@ -7 +7 @@
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -22 +22 @@
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c

@@ -2 +2 @@
   PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -83 +83 @@
   //
   // Add possible block-cipher descriptor for PEM data decryption.
-  // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
+  // NOTE: Only support most popular ciphers AES for the encrypted PEM.
   //
-  if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
-    return FALSE;
-  }
   if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
     return FALSE;

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c

@@ -13 +13 @@
 #include <openssl/x509v3.h>
 #include <openssl/pkcs7.h>
+
+/**
+  Check the contents of PKCS7 is not data.
+
+  It is copied from PKCS7_type_is_other() in pk7_doit.c.
+
+  @param[in] P7 Pointer to the location at which the PKCS7 is located.
+
+  @retval TRUE  If the type is others.
+  @retval FALSE If the type is expected.
+**/
+STATIC
+BOOLEAN
+Pkcs7TypeIsOther (
+  IN PKCS7 *P7
+  )
+{
+  BOOLEAN Others;
+  INTN    Nid = OBJ_obj2nid (P7->type);
+
+  switch (Nid) {
+    case NID_pkcs7_data:
+    case NID_pkcs7_signed:
+    case NID_pkcs7_enveloped:
+    case NID_pkcs7_signedAndEnveloped:
+    case NID_pkcs7_encrypted:
+      Others = FALSE;
+      break;
+    default:
+      Others = TRUE;
+  }
+
+  return Others;
+}
+
+/**
+  Get the ASN.1 string for the PKCS7.
+
+  It is copied from PKCS7_get_octet_string() in pk7_doit.c.
+
+  @param[in] P7 Pointer to the location at which the PKCS7 is located.
+
+  @return ASN1_OCTET_STRING ASN.1 string.
+**/
+STATIC
+ASN1_OCTET_STRING*
+Pkcs7GetOctetString (
+  IN PKCS7 *P7
+  )
+{
+  if (PKCS7_type_is_data (P7)) {
+    return P7->d.data;
+  }
+
+  if (Pkcs7TypeIsOther(P7) && (P7->d.other != NULL) &&
+      (P7->d.other->type == V_ASN1_OCTET_STRING)) {
+    return P7->d.other->value.octet_string;
+  }
+
+  return NULL;
+}
 
 /**
@@ -99 +160 @@
     // Retrieve the attached content in PKCS7 signedData
     //
-    OctStr = Pkcs7->d.sign->contents->d.data;
+    OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents);
+    if (OctStr == NULL) {
+      goto _Exit;
+    }
+
     if ((OctStr->length > 0) && (OctStr->data != NULL)) {
       *ContentSize = OctStr->length;

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c

@@ -8 +8 @@
   4) RsaPkcs1Verify
 
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -251 +251 @@
   If MessageHash is NULL, then return FALSE.
   If Signature is NULL, then return FALSE.
-  If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
+  If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-384 or SHA-512 digest, then return FALSE.
 
   @param[in]  RsaContext   Pointer to RSA context for signature verification.
@@ -289 +289 @@
   //
   // Determine the message digest algorithm according to digest size.
-  //   Only MD5, SHA-1 or SHA-256 algorithm is supported.
+  //   Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported.
   //
   switch (HashSize) {
@@ -302 +302 @@
   case SHA256_DIGEST_SIZE:
     DigestType = NID_sha256;
+    break;
+
+  case SHA384_DIGEST_SIZE:
+    DigestType = NID_sha384;
+    break;
+
+  case SHA512_DIGEST_SIZE:
+    DigestType = NID_sha512;
     break;
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c

@@ -8 +8 @@
   4) RsaPkcs1Sign
 
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -277 +277 @@
   If RsaContext is NULL, then return FALSE.
   If MessageHash is NULL, then return FALSE.
-  If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
+  If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-384 or SHA-512 digest, then return FALSE.
   If SigSize is large enough but Signature is NULL, then return FALSE.
 
@@ -327 +327 @@
   //
   // Determine the message digest algorithm according to digest size.
-  //   Only MD5, SHA-1 or SHA-256 algorithm is supported.
+  //   Only MD5, SHA-1, SHA-256, SHA-384 or SHA-512 algorithm is supported.
   //
   switch (HashSize) {
@@ -340 +340 @@
   case SHA256_DIGEST_SIZE:
     DigestType = NID_sha256;
+    break;
+
+  case SHA384_DIGEST_SIZE:
+    DigestType = NID_sha384;
+    break;
+
+  case SHA512_DIGEST_SIZE:
+    DigestType = NID_sha512;
     break;
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c

@@ -2 +2 @@
   X.509 Certificate Handler Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -61 +61 @@
 
   If X509Stack is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
 
   @param[in, out]  X509Stack  On input, pointer to an existing or NULL X509 stack object.
                               On output, pointer to the X509 stack object with new
                               inserted X509 certificate.
-  @param           ...        A list of DER-encoded single certificate data followed
+  @param[in]       Args       VA_LIST marker for the variable argument list.
+                              A list of DER-encoded single certificate data followed
                               by certificate size. A NULL terminates the list. The
                               pairs are the arguments to X509ConstructCertificate().
@@ -71 +73 @@
   @retval     TRUE            The X509 stack construction succeeded.
   @retval     FALSE           The construction operation failed.
+  @retval     FALSE           This interface is not supported.
 
 **/
 BOOLEAN
 EFIAPI
-X509ConstructCertificateStack (
-  IN OUT  UINT8  **X509Stack,
-  ...
+X509ConstructCertificateStackV (
+  IN OUT  UINT8    **X509Stack,
+  IN      VA_LIST  Args
   )
 {
@@ -85 +88 @@
   STACK_OF(X509)  *CertStack;
   BOOLEAN         Status;
-  VA_LIST         Args;
   UINTN           Index;
 
@@ -107 +109 @@
     }
   }
-
-  VA_START (Args, X509Stack);
 
   for (Index = 0; ; Index++) {
@@ -146 +146 @@
   }
 
-  VA_END (Args);
-
   if (!Status) {
     sk_X509_pop_free (CertStack, X509_free);
@@ -155 +153 @@
 
   return Status;
+}
+
+/**
+  Construct a X509 stack object from a list of DER-encoded certificate data.
+
+  If X509Stack is NULL, then return FALSE.
+
+  @param[in, out]  X509Stack  On input, pointer to an existing or NULL X509 stack object.
+                              On output, pointer to the X509 stack object with new
+                              inserted X509 certificate.
+  @param           ...        A list of DER-encoded single certificate data followed
+                              by certificate size. A NULL terminates the list. The
+                              pairs are the arguments to X509ConstructCertificate().
+
+  @retval     TRUE            The X509 stack construction succeeded.
+  @retval     FALSE           The construction operation failed.
+
+**/
+BOOLEAN
+EFIAPI
+X509ConstructCertificateStack (
+  IN OUT  UINT8  **X509Stack,
+  ...
+  )
+{
+  VA_LIST  Args;
+  BOOLEAN  Result;
+
+  VA_START (Args, X509Stack);
+  Result = X509ConstructCertificateStackV (X509Stack, Args);
+  VA_END (Args);
+  return Result;
 }
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c

@@ -3 +3 @@
   real capabilities.
 
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -28 +28 @@
   IN   UINTN        CertSize,
   OUT  UINT8        **SingleX509Cert
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Construct a X509 stack object from a list of DER-encoded certificate data.
+
+  If X509Stack is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  X509Stack  On input, pointer to an existing or NULL X509 stack object.
+                              On output, pointer to the X509 stack object with new
+                              inserted X509 certificate.
+  @param[in]       Args       VA_LIST marker for the variable argument list.
+                              A list of DER-encoded single certificate data followed
+                              by certificate size. A NULL terminates the list. The
+                              pairs are the arguments to X509ConstructCertificate().
+
+  @retval     TRUE            The X509 stack construction succeeded.
+  @retval     FALSE           The construction operation failed.
+  @retval     FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509ConstructCertificateStackV (
+  IN OUT  UINT8    **X509Stack,
+  IN      VA_LIST  Args
   )
 {

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

@@ -7 +7 @@
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -35 +36 @@
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
@@ -41 +41 @@
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
@@ -76 +72 @@
 
 [Sources.AARCH64]
+  Rand/CryptRand.c
+
+[Sources.RISCV64]
   Rand/CryptRand.c
 
@@ -108 +107 @@
   GCC:*_CLANG35_*_CC_FLAGS = -std=c99
   GCC:*_CLANG38_*_CC_FLAGS = -std=c99
+  GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types
 
   XCODE:*_*_*_CC_FLAGS = -std=c99

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni

@@ -7 +7 @@
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -21 +21 @@
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf

@@ -7 +7 @@
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
-#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
+#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -35 +34 @@
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
@@ -41 +39 @@
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
-  Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
@@ -105 +99 @@
   GCC:*_CLANG35_*_CC_FLAGS = -std=c99
   GCC:*_CLANG38_*_CC_FLAGS = -std=c99
+  GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni

@@ -7 +7 @@
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -21 +21 @@
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 

trunk/src/VBox/Devices/EFI/FirmwareNew/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c

@@ -116 +116 @@
 //
 
+char *strchr(const char *str, int ch)
+{
+  return ScanMem8 (str, AsciiStrSize (str), (UINT8)ch);
+}
+
 /* Scan a string for the last occurrence of a character */
 char *strrchr (const char *str, int c)