REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
Aes Ecb mode is not secure any longer. Remove the Aes Ecb mode support from edk2. Cc: Jian J Wang <jian.j.w...@intel.com> Cc: Xiaoyu Lu <xiaoyux...@intel.com> Signed-off-by: Zhichao Gao <zhichao....@intel.com> --- CryptoPkg/Driver/Crypto.c | 78 ------------ CryptoPkg/Include/Library/BaseCryptLib.h | 70 ----------- .../Library/BaseCryptLib/Cipher/CryptAes.c | 114 ------------------ .../BaseCryptLib/Cipher/CryptAesNull.c | 52 -------- .../BaseCryptLibNull/Cipher/CryptAesNull.c | 54 +-------- .../BaseCryptLibOnProtocolPpi/CryptLib.c | 76 ------------ CryptoPkg/Private/Protocol/Crypto.h | 72 ----------- 7 files changed, 1 insertion(+), 515 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index d471ecb5ba..cc5fd922b7 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -1524,82 +1524,6 @@ CryptoServiceAesInit ( return CALL_BASECRYPTLIB (Aes.Services.Init, AesInit, (AesContext, Key, KeyLength), FALSE); } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -CryptoServiceAesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE); -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -CryptoServiceAesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE); -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. @@ -3985,8 +3909,6 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = { /// AES CryptoServiceAesGetContextSize, CryptoServiceAesInit, - CryptoServiceAesEcbEncrypt, - CryptoServiceAesEcbDecrypt, CryptoServiceAesCbcEncrypt, CryptoServiceAesCbcDecrypt, /// SM3 diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h index c66232bc1c..ad93ee2634 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -1318,76 +1318,6 @@ AesInit ( IN UINTN KeyLength ); -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ); - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ); - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c index 2515b34bb8..914cffb211 100644 --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c @@ -78,120 +78,6 @@ AesInit ( return TRUE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - AES_KEY *AesKey; - - // - // Check input parameters. - // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) { - return FALSE; - } - - AesKey = (AES_KEY *) AesContext; - - // - // Perform AES data encryption with ECB mode (block-by-block) - // - while (InputSize > 0) { - AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT); - Input += AES_BLOCK_SIZE; - Output += AES_BLOCK_SIZE; - InputSize -= AES_BLOCK_SIZE; - } - - return TRUE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - AES_KEY *AesKey; - - // - // Check input parameters. - // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) { - return FALSE; - } - - AesKey = (AES_KEY *) AesContext; - - // - // Perform AES data decryption with ECB mode (block-by-block) - // - while (InputSize > 0) { - AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT); - Input += AES_BLOCK_SIZE; - Output += AES_BLOCK_SIZE; - InputSize -= AES_BLOCK_SIZE; - } - - return TRUE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c index a82adacf4f..d235422e7a 100644 --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c @@ -50,58 +50,6 @@ AesInit ( return FALSE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c index a82adacf4f..8ddc00a59b 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c @@ -1,7 +1,7 @@ /** @file AES Wrapper Implementation which does not provide real capabilities. -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -50,58 +50,6 @@ AesInit ( return FALSE; } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - Return FALSE to indicate this interface is not supported. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - ASSERT (FALSE); - return FALSE; -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 43ee4e0841..c937f8540d 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -1518,82 +1518,6 @@ AesInit ( CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE); } -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbEncrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE); -} - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -AesEcbDecrypt ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ) -{ - CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE); -} - /** Performs AES encryption on a data buffer of the specified size in CBC mode. diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index 5ecb3ccc79..2c46a91eb6 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -2389,76 +2389,6 @@ BOOLEAN IN UINTN KeyLength ); -/** - Performs AES encryption on a data buffer of the specified size in ECB mode. - - This function performs AES encryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be encrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES encryption output. - - @retval TRUE AES encryption succeeded. - @retval FALSE AES encryption failed. - @retval FALSE This interface is not supported. - -**/ -typedef -BOOLEAN -(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ); - -/** - Performs AES decryption on a data buffer of the specified size in ECB mode. - - This function performs AES decryption on data buffer pointed by Input, of specified - size of InputSize, in ECB mode. - InputSize must be multiple of block size (16 bytes). This function does not perform - padding. Caller must perform padding, if necessary, to ensure valid input data size. - AesContext should be already correctly initialized by AesInit(). Behavior with - invalid AES context is undefined. - - If AesContext is NULL, then return FALSE. - If Input is NULL, then return FALSE. - If InputSize is not multiple of block size (16 bytes), then return FALSE. - If Output is NULL, then return FALSE. - If this interface is not supported, then return FALSE. - - @param[in] AesContext Pointer to the AES context. - @param[in] Input Pointer to the buffer containing the data to be decrypted. - @param[in] InputSize Size of the Input buffer in bytes. - @param[out] Output Pointer to a buffer that receives the AES decryption output. - - @retval TRUE AES decryption succeeded. - @retval FALSE AES decryption failed. - @retval FALSE This interface is not supported. - -**/ -typedef -BOOLEAN -(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) ( - IN VOID *AesContext, - IN CONST UINT8 *Input, - IN UINTN InputSize, - OUT UINT8 *Output - ); - /** Performs AES encryption on a data buffer of the specified size in CBC mode. @@ -3616,8 +3546,6 @@ struct _EDKII_CRYPTO_PROTOCOL { /// AES EDKII_CRYPTO_AES_GET_CONTEXT_SIZE AesGetContextSize; EDKII_CRYPTO_AES_INIT AesInit; - EDKII_CRYPTO_AES_ECB_ENCRYPT AesEcbEncrypt; - EDKII_CRYPTO_AES_ECB_DECRYPT AesEcbDecrypt; EDKII_CRYPTO_AES_CBC_ENCRYPT AesCbcEncrypt; EDKII_CRYPTO_AES_CBC_DECRYPT AesCbcDecrypt; /// SM3 -- 2.21.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#56444): https://edk2.groups.io/g/devel/message/56444 Mute This Topic: https://groups.io/mt/72579465/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-