Open
Conversation
mu-automation
bot
added
the
impact:non-functional
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
5 times, most recently
from
2eaf1ac to
f272faf
Compare
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
9 times, most recently
from
7b258f3 to
6ee4bd1
Compare
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
3 times, most recently
from
2629973 to
bf1ffbe
Compare
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
from
bf1ffbe to
906fbd1
Compare
mu-automation
bot
removed
the
language:python
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
7 times, most recently
from
cf30cca to
f2f66e6
Compare
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
2 times, most recently
from
2e85cab to
c3283e2
Compare
Replace deprecated HMAC_CTX_new/HMAC_Init_ex/HMAC_Update/HMAC_Final/HMAC_CTX_free with the OpenSSL 3.x EVP_MAC_CTX provider API. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace direct RSA* usage with a new RSA_PKEY_CTX struct holding individual BIGNUMs (N, E, D, P, Q, Dp, Dq, QInv) plus a cached EVP_PKEY*. - Add CryptRsaPkeyCtx.h defining RSA_PKEY_CTX and helper declarations - RsaBuildEvpPkey(): lazily builds EVP_PKEY from stored BIGNUMs - RsaInvalidatePkey(): invalidates the cache on component change - RsaGetKey(): return TRUE with *BnSize=0 for unset (NULL) components - All operations (sign/verify/encrypt/decrypt) use EVP_PKEY_CTX Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update files that consume RSA keys to work with the new RSA_PKEY_CTX type instead of the deprecated RSA* direct usage: - CryptPkcs7Sign.c: remove EVP_PKEY_assign_RSA; use RSA_PKEY_CTX->Pkey - CryptPkcs1Oaep.c: remove EVP_PKEY_set1_RSA; use RSA_PKEY_CTX->Pkey - CryptRsaPss.c: update context casting to RSA_PKEY_CTX - CryptRsaPssSign.c: update context casting to RSA_PKEY_CTX Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace EC_KEY* based implementation with a new EC_PKEY_CTX struct holding the curve NID and a cached EVP_PKEY*: - Add CryptEcPkeyCtx.h defining EC_PKEY_CTX - EcNewByNid(): allocates EC_PKEY_CTX with OpenSSL NID - EcDhComputeKey(): uses EVP_PKEY_derive with OSSL_PARAM_BLD peer key - EcDsaSign(): uses EVP_PKEY_sign producing DER; converts to raw R||S - EcDsaVerify(): converts raw R||S to DER via i2d_ECDSA_SIG; EVP_PKEY_verify - EC public key export: EVP_PKEY_get_octet_string_param returns 04||X||Y; skip leading 0x04 byte to match caller expectation of raw X||Y Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace DH* based implementation with a new DH_PKEY_CTX struct: - DH_PKEY_CTX holds BnP, BnG (set independently by DhSetParameter) and EVP_PKEY* (generated on DhGenerateKey) - DhSetParameter(): stores BnP/BnG; defers key generation - DhGenerateKey(): uses EVP_PKEY_paramgen + EVP_PKEY_keygen - DhComputeKey(): uses EVP_PKEY_derive with peer public key Signed-off-by: Doug Flick <dougflick@microsoft.com>
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Signed-off-by: Doug Flick <dougflick@microsoft.com>
All BaseCryptLib files now use OpenSSL 3.x non-deprecated EVP_PKEY provider APIs. Remove the OPENSSL_NO_DEPRECATED=0 override from InternalCryptLib.h that was previously required to suppress deprecation warnings. Signed-off-by: Doug Flick <dougflick@microsoft.com>
- RsaExtractBigNums now cleans up partially extracted BIGNUMs on failure instead of leaving them dangling in the RSA_PKEY_CTX. - RsaGetPublicKeyFromX509 error path uses RsaFree() for proper cleanup of all RSA_PKEY_CTX resources. - Fix RsaGetKey doc comment: BigNumber=NULL with sufficient BnSize returns TRUE (size query), not FALSE. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Flickdm
force-pushed
the
feature/migrate_to_evp_model
branch
from
c3283e2 to
f70634e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Quick testing shows that this only adds ~6K worth of extra size. Most of the code to use EVP was already being linked in via Openssl. This change will be necessary to use the new Crypto Providers / Crypto Algorithms (ML-DSA is only being brought in as EVP)
Likely to upstream once proper testing is performed.
Resolves: #191
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
Passes BaseCryptLibUnitTests
TODO: Test on a physical platform
Integration Instructions
N/A