Copy head(r18255) from main trunk excluding UNI files.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
Signed-off-by: Hao Wu <hao.a.wu@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2010.SR1@18304 6f19259b-4bc3-4df7-8a09-765794883524

CryptoPkg/.gitignore

+Include/openssl
+Library/OpensslLib/openssl-*/

CryptoPkg/Application/Cryptest/Cryptest.c

-/** @file  
+/** @file
   Application for Cryptographic Primitives Validation.
 
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -73,6 +73,11 @@ CryptestMain (
     return Status;
   }
 
+  Status = ValidateTSCounterSignature ();
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
   Status = ValidateCryptDh ();
   if (EFI_ERROR (Status)) {
     return Status;
@@ -84,4 +89,4 @@ CryptestMain (
   }
 
   return EFI_SUCCESS;
-}
+}
\ No newline at end of file

CryptoPkg/Application/Cryptest/Cryptest.h

-/** @file  
+/** @file
   Application for Cryptographic Primitives Validation.
 
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -108,6 +108,18 @@ ValidateAuthenticode (
   VOID
   );
 
+/**
+  Validate UEFI-OpenSSL RFC3161 Timestamp CounterSignature Verification Interfaces.
+
+  @retval  EFI_SUCCESS  Validation succeeded.
+  @retval  EFI_ABORTED  Validation failed.
+
+**/
+EFI_STATUS
+ValidateTSCounterSignature (
+  VOID
+  );
+
 /**
   Validate UEFI-OpenSSL DH Interfaces.
 
@@ -132,4 +144,4 @@ ValidateCryptPrng (
   VOID
   );
 
-#endif
+#endif
\ No newline at end of file

CryptoPkg/Application/Cryptest/Cryptest.inf

@@ -37,6 +37,7 @@
   RsaVerify.c
   RsaVerify2.c
   AuthenticodeVerify.c
+  TSVerify.c
   DhVerify.c
   RandVerify.c
   

CryptoPkg/Application/Cryptest/DhVerify.c

-/** @file  
+/** @file
   Application for Diffie-Hellman Primitives Validation.
 
-Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -41,6 +41,14 @@ ValidateCryptDh (
 
   Print (L"\nUEFI-OpenSSL DH Engine Testing:\n");
 
+  //
+  // Initialize Key Length
+  //
+  PublicKey1Length = sizeof (PublicKey1);
+  PublicKey2Length = sizeof (PublicKey2);
+  Key1Length       = sizeof (Key1);
+  Key2Length       = sizeof (Key2);
+
   //
   // Generate & Initialize DH Context
   //
@@ -114,4 +122,4 @@ ValidateCryptDh (
   Print (L"[Pass]\n");
 
   return EFI_SUCCESS;
-}
+}
\ No newline at end of file

CryptoPkg/Application/Cryptest/HashVerify.c

-/** @file  
+/** @file
   Application for Hash Primitives Validation.
 
-Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -54,6 +54,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha256Digest[SHA256_DIGEST_SIZE] = {
   0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
   };
 
+//
+// Result for SHA-384("abc"). (From "D.1 SHA-384 Example" of NIST FIPS 180-2)
+//
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha384Digest[SHA384_DIGEST_SIZE] = {
+  0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b, 0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07,
+  0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63, 0x1a, 0x8b, 0x60, 0x5a, 0x43, 0xff, 0x5b, 0xed,
+  0x80, 0x86, 0x07, 0x2b, 0xa1, 0xe7, 0xcc, 0x23, 0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7
+  };
+
+//
+// Result for SHA-512("abc"). (From "C.1 SHA-512 Example" of NIST FIPS 180-2)
+//
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 Sha512Digest[SHA512_DIGEST_SIZE] = {
+  0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, 0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,
+  0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2, 0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,
+  0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8, 0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,
+  0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e, 0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f
+  };
+
 /**
   Validate UEFI-OpenSSL Digest Interfaces.
 
@@ -76,7 +95,7 @@ ValidateCryptDigest (
   DataSize = AsciiStrLen (HashData);
 
   Print (L"- MD4:    ");
-  
+
   //
   // MD4 Digest Validation
   //
@@ -234,6 +253,86 @@ ValidateCryptDigest (
   }
 
   Print (L"[Pass]\n");
-  
+
+  Print (L"- SHA384: ");
+
+  //
+  // SHA384 Digest Validation
+  //
+  ZeroMem (Digest, MAX_DIGEST_SIZE);
+  CtxSize = Sha384GetContextSize ();
+  HashCtx = AllocatePool (CtxSize);
+
+  Print (L"Init... ");
+  Status  = Sha384Init (HashCtx);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"Update... ");
+  Status  = Sha384Update (HashCtx, HashData, DataSize);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"Finalize... ");
+  Status  = Sha384Final (HashCtx, Digest);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  FreePool (HashCtx);
+
+  Print (L"Check Value... ");
+  if (CompareMem (Digest, Sha384Digest, SHA384_DIGEST_SIZE) != 0) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"[Pass]\n");
+
+  Print (L"- SHA512: ");
+
+  //
+  // SHA512 Digest Validation
+  //
+  ZeroMem (Digest, MAX_DIGEST_SIZE);
+  CtxSize = Sha512GetContextSize ();
+  HashCtx = AllocatePool (CtxSize);
+
+  Print (L"Init... ");
+  Status  = Sha512Init (HashCtx);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"Update... ");
+  Status  = Sha512Update (HashCtx, HashData, DataSize);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"Finalize... ");
+  Status  = Sha512Final (HashCtx, Digest);
+  if (!Status) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  FreePool (HashCtx);
+
+  Print (L"Check Value... ");
+  if (CompareMem (Digest, Sha512Digest, SHA512_DIGEST_SIZE) != 0) {
+    Print (L"[Fail]");
+    return EFI_ABORTED;
+  }
+
+  Print (L"[Pass]\n");
+
   return EFI_SUCCESS;
 }

CryptoPkg/Contributions.txt

@@ -34,9 +34,9 @@ To make a contribution to a TianoCore project, follow these steps.
    Contributions using other licenses might be accepted, but further
    review will be required.
 
-=======================================
-= Change Description / Commit Message =
-=======================================
+=====================================================
+= Change Description / Commit Message / Patch Email =
+=====================================================
 
 Your change description should use the standard format for a
 commit message, and must include your "Signed-off-by" signature
@@ -44,7 +44,32 @@ and the "Contributed-under" message.
 
 == Sample Change Description / Commit Message =
 
-=== Definitions for sample change description ===
+=== Start of sample patch email message ===
+
+From: Contributor Name <contributor@example.com>
+Subject: [PATCH] CodeModule: Brief-single-line-summary
+
+Full-commit-message
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Contributor Name <contributor@example.com>
+---
+
+An extra message for the patch email which will not be considered part
+of the commit message can be added here.
+
+Patch content inline or attached
+
+=== End of sample patch email message ===
+
+=== Notes for sample patch email ===
+
+* The first line of commit message is taken from the email's subject
+  line following [PATCH]. The remaining portion of the commit message
+  is the email's content until the '---' line.
+* git format-patch is one way to create this format
+
+=== Definitions for sample patch email ===
 
 * "CodeModule" is a short idenfier for the affected code.  For
   example MdePkg, or MdeModulePkg UsbBusDxe.
@@ -58,15 +83,6 @@ and the "Contributed-under" message.
 * "Signed-off-by" is the contributor's signature identifying them
   by their real/legal name and their email address.
 
-=== Start of sample change description / commit message ===
-CodeModule: Brief-single-line-summary
-
-Full-commit-message
-
-Contributed-under: TianoCore Contribution Agreement 1.0
-Signed-off-by: Contributor Name <contributor@email.server>
-=== End of sample change description / commit message ===
-
 ========================================
 = TianoCore Contribution Agreement 1.0 =
 ========================================

CryptoPkg/CryptoPkg.dec

@@ -4,7 +4,7 @@
 #  This Package provides cryptographic-related libraries for UEFI security modules.
 #  It also provides a test application to test libraries.
 #
-#  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -19,7 +19,7 @@
   DEC_SPECIFICATION              = 0x00010005
   PACKAGE_NAME                   = CryptoPkg
   PACKAGE_GUID                   = 36470E80-36F2-4ba0-8CC8-937C7D9FF888
-  PACKAGE_VERSION                = 0.94
+  PACKAGE_VERSION                = 0.96
 
 [Includes]
   Include

CryptoPkg/CryptoPkg.dsc

 ## @file
 #  Cryptographic Library Package for UEFI Security Implementation.
 #
-#  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -20,7 +20,7 @@
 [Defines]
   PLATFORM_NAME                  = CryptoPkg
   PLATFORM_GUID                  = E1063286-6C8C-4c25-AEF0-67A9A5B6E6B6
-  PLATFORM_VERSION               = 0.94
+  PLATFORM_VERSION               = 0.96
   DSC_SPECIFICATION              = 0x00010005
   OUTPUT_DIRECTORY               = Build/CryptoPkg
   SUPPORTED_ARCHITECTURES        = IA32|X64|IPF|ARM|AARCH64

CryptoPkg/Include/Library/BaseCryptLib.h

@@ -4,7 +4,7 @@
   primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI security
   functionality enabling.
 
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -18,6 +18,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #ifndef __BASE_CRYPT_LIB_H__
 #define __BASE_CRYPT_LIB_H__
 
+#include <Uefi/UefiBaseType.h>
+
 ///
 /// MD4 digest size in bytes
 ///
@@ -38,6 +40,16 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 ///
 #define SHA256_DIGEST_SIZE  32
 
+///
+/// SHA-384 digest size in bytes
+///
+#define SHA384_DIGEST_SIZE  48
+
+///
+/// SHA-512 digest size in bytes
+///
+#define SHA512_DIGEST_SIZE  64
+
 ///
 /// TDES block size in bytes
 ///
@@ -513,6 +525,215 @@ Sha256Final (
   OUT     UINT8  *HashValue
   );
 
+/**
+  Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+  @return  The size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha384GetContextSize (
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for
+  subsequent use.
+
+  If Sha384Context is NULL, then return FALSE.
+
+  @param[out]  Sha384Context  Pointer to SHA-384 context being initialized.
+
+  @retval TRUE   SHA-384 context initialization succeeded.
+  @retval FALSE  SHA-384 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Init (
+  OUT  VOID  *Sha384Context
+  );
+
+/**
+  Makes a copy of an existing SHA-384 context.
+
+  If Sha384Context is NULL, then return FALSE.
+  If NewSha384Context is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  Sha384Context     Pointer to SHA-384 context being copied.
+  @param[out] NewSha384Context  Pointer to new SHA-384 context.
+
+  @retval TRUE   SHA-384 context copy succeeded.
+  @retval FALSE  SHA-384 context copy failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Duplicate (
+  IN   CONST VOID  *Sha384Context,
+  OUT  VOID        *NewSha384Context
+  );
+
+/**
+  Digests the input data and updates SHA-384 context.
+
+  This function performs SHA-384 digest on a data buffer of the specified size.
+  It can be called multiple times to compute the digest of long or discontinuous data streams.
+  SHA-384 context should be already correctly intialized by Sha384Init(), and should not be finalized
+  by Sha384Final(). Behavior with invalid context is undefined.
+
+  If Sha384Context is NULL, then return FALSE.
+
+  @param[in, out]  Sha384Context  Pointer to the SHA-384 context.
+  @param[in]       Data           Pointer to the buffer containing the data to be hashed.
+  @param[in]       DataSize       Size of Data buffer in bytes.
+
+  @retval TRUE   SHA-384 data digest succeeded.
+  @retval FALSE  SHA-384 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Update (
+  IN OUT  VOID        *Sha384Context,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataSize
+  );
+
+/**
+  Completes computation of the SHA-384 digest value.
+
+  This function completes SHA-384 hash computation and retrieves the digest value into
+  the specified memory. After this function has been called, the SHA-384 context cannot
+  be used again.
+  SHA-384 context should be already correctly intialized by Sha384Init(), and should not be
+  finalized by Sha384Final(). Behavior with invalid SHA-384 context is undefined.
+
+  If Sha384Context is NULL, then return FALSE.
+  If HashValue is NULL, then return FALSE.
+
+  @param[in, out]  Sha384Context  Pointer to the SHA-384 context.
+  @param[out]      HashValue      Pointer to a buffer that receives the SHA-384 digest
+                                  value (48 bytes).
+
+  @retval TRUE   SHA-384 digest computation succeeded.
+  @retval FALSE  SHA-384 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Final (
+  IN OUT  VOID   *Sha384Context,
+  OUT     UINT8  *HashValue
+  );
+
+/**
+  Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+  @return  The size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha512GetContextSize (
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for
+  subsequent use.
+
+  If Sha512Context is NULL, then return FALSE.
+
+  @param[out]  Sha512Context  Pointer to SHA-512 context being initialized.
+
+  @retval TRUE   SHA-512 context initialization succeeded.
+  @retval FALSE  SHA-512 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Init (
+  OUT  VOID  *Sha512Context
+  );
+
+/**
+  Makes a copy of an existing SHA-512 context.
+
+  If Sha512Context is NULL, then return FALSE.
+  If NewSha512Context is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  Sha512Context     Pointer to SHA-512 context being copied.
+  @param[out] NewSha512Context  Pointer to new SHA-512 context.
+
+  @retval TRUE   SHA-512 context copy succeeded.
+  @retval FALSE  SHA-512 context copy failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Duplicate (
+  IN   CONST VOID  *Sha512Context,
+  OUT  VOID        *NewSha512Context
+  );
+
+/**
+  Digests the input data and updates SHA-512 context.
+
+  This function performs SHA-512 digest on a data buffer of the specified size.
+  It can be called multiple times to compute the digest of long or discontinuous data streams.
+  SHA-512 context should be already correctly intialized by Sha512Init(), and should not be finalized
+  by Sha512Final(). Behavior with invalid context is undefined.
+
+  If Sha512Context is NULL, then return FALSE.
+
+  @param[in, out]  Sha512Context  Pointer to the SHA-512 context.
+  @param[in]       Data           Pointer to the buffer containing the data to be hashed.
+  @param[in]       DataSize       Size of Data buffer in bytes.
+
+  @retval TRUE   SHA-512 data digest succeeded.
+  @retval FALSE  SHA-512 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Update (
+  IN OUT  VOID        *Sha512Context,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataSize
+  );
+
+/**
+  Completes computation of the SHA-512 digest value.
+
+  This function completes SHA-512 hash computation and retrieves the digest value into
+  the specified memory. After this function has been called, the SHA-512 context cannot
+  be used again.
+  SHA-512 context should be already correctly intialized by Sha512Init(), and should not be
+  finalized by Sha512Final(). Behavior with invalid SHA-512 context is undefined.
+
+  If Sha512Context is NULL, then return FALSE.
+  If HashValue is NULL, then return FALSE.
+
+  @param[in, out]  Sha512Context  Pointer to the SHA-512 context.
+  @param[out]      HashValue      Pointer to a buffer that receives the SHA-512 digest
+                                  value (64 bytes).
+
+  @retval TRUE   SHA-512 digest computation succeeded.
+  @retval FALSE  SHA-512 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Final (
+  IN OUT  VOID   *Sha512Context,
+  OUT     UINT8  *HashValue
+  );
 
 //=====================================================================================
 //    MAC (Message Authentication Code) Primitive
@@ -754,7 +975,6 @@ HmacSha1Final (
   OUT     UINT8  *HmacValue
   );
 
-
 //=====================================================================================
 //    Symmetric Cryptography Primitive
 //=====================================================================================
@@ -1395,7 +1615,7 @@ RsaGetKey (
   @param[in, out]  RsaContext           Pointer to RSA context being set.
   @param[in]       ModulusLength        Length of RSA modulus N in bits.
   @param[in]       PublicExponent       Pointer to RSA public exponent.
-  @param[in]       PublicExponentSize   Size of RSA public exponent buffer in bytes. 
+  @param[in]       PublicExponentSize   Size of RSA public exponent buffer in bytes.
 
   @retval  TRUE   RSA key component was generated successfully.
   @retval  FALSE  Invalid RSA key component tag.
@@ -1413,6 +1633,8 @@ RsaGenerateKey (
 
 /**
   Validates key components of RSA context.
+  NOTE: This function performs integrity checks on all the RSA key material, so
+        the RSA key structure must contain all the private key data.
 
   This function validates key compoents of RSA context in following aspects:
   - Whether p is a prime
@@ -1519,7 +1741,6 @@ RsaPkcs1Verify (
   @retval  TRUE   RSA Private Key was retrieved successfully.
   @retval  FALSE  Invalid PEM key data or incorrect password.
   @retval  FALSE  This interface is not supported.
-  
 
 **/
 BOOLEAN
@@ -1642,13 +1863,13 @@ X509ConstructCertificate (
   If X509Stack is NULL, then return FALSE.
   If this interface is not supported, then return FALSE.
 
-  @param[in, out]  X509Stack  On input, pointer to an existing X509 stack object.
+  @param[in, out]  X509Stack  On input, pointer to an existing or NULL X509 stack object.
                               On output, pointer to the X509 stack object with new