Skip to content

Migrate to EVP Model #200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Flickdm wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Migrate to EVP Model #200

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
94e1780
OpensslPkg: Migrate CryptHmac.c from HMAC_CTX to EVP_MAC_CTX
Flickdm Mar 22, 2026
375cc0a
OpensslPkg: Migrate RSA key context to EVP_PKEY APIs
Flickdm Mar 22, 2026
ca90192
OpensslPkg: Migrate RSA consumers to RSA_PKEY_CTX
Flickdm Mar 22, 2026
80bb664
OpensslPkg: Migrate CryptEc.c to EVP_PKEY APIs
Flickdm Mar 22, 2026
4658759
OpensslPkg: Migrate CryptDh.c to EVP_PKEY APIs
Flickdm Mar 22, 2026
87386e8
OpensslPkg: Migrate CryptX509 to EVP_PKEY APIs
Flickdm Mar 22, 2026
913d3b0
OpensslPkg: Migrate CryptPem to EVP_PKEY APIs
Flickdm Mar 22, 2026
edbfcd7
OpensslPkg: Remove OPENSSL_NO_DEPRECATED override
Flickdm Mar 31, 2026
f70634e
OpensslPkg: Fix memory leak in RsaExtractBigNums
Flickdm Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
247 changes: 187 additions & 60 deletions OpensslPkg/Library/BaseCryptLib/Hmac/CryptHmac.c
View file
Open in desktop

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions OpensslPkg/Library/BaseCryptLib/InternalCryptLib.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

#include "CrtLibSupport.h"

// MU_CHANGE [BEGIN]
// TODO: remove in near future to stop using deprecated OpenSSL APIs
#undef OPENSSL_NO_DEPRECATED // MU_CHANGE
#define OPENSSL_NO_DEPRECATED 0

// #define OPENSSL_NO_DEPRECATED 0
// MU_CHANGE [END]
#include <openssl/opensslv.h>

#if OPENSSL_VERSION_NUMBER < 0x10100000L
Expand Down
107 changes: 97 additions & 10 deletions OpensslPkg/Library/BaseCryptLib/Pem/CryptPem.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

#include "InternalCryptLib.h"
#include <openssl/pem.h>
// MU_CHANGE [BEGIN]
#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/objects.h>
#include "Pk/CryptRsaPkeyCtx.h"
#include "Pk/CryptEcPkeyCtx.h"
// MU_CHANGE [END]

/**
Callback function for password phrase conversion used for retrieving the encrypted PEM.
Expand Down Expand Up @@ -70,8 +77,13 @@ RsaGetPrivateKeyFromPem (
OUT VOID **RsaContext
)
{
BOOLEAN Status;
BIO *PemBio;
// MU_CHANGE [BEGIN]
BOOLEAN Status;
BIO *PemBio;
EVP_PKEY *Pkey;
RSA_PKEY_CTX *RsaPkeyCtx;

// MU_CHANGE [END]

//
// Check input parameters.
Expand All @@ -97,6 +109,7 @@ RsaGetPrivateKeyFromPem (
}

Status = FALSE;
Pkey = NULL; // MU_CHANGE

//
// Read encrypted PEM Data.
Expand All @@ -113,15 +126,37 @@ RsaGetPrivateKeyFromPem (
//
// Retrieve RSA Private Key from encrypted PEM data.
//
*RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *)&PasswordCallback, (void *)Password);
if (*RsaContext != NULL) {
Status = TRUE;
// MU_CHANGE [BEGIN]
Pkey = PEM_read_bio_PrivateKey (PemBio, NULL, (pem_password_cb *)&PasswordCallback, (void *)Password);
if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) {
goto _Exit;
}

RsaPkeyCtx = AllocateZeroPool (sizeof (RSA_PKEY_CTX));
if (RsaPkeyCtx != NULL) {
RsaPkeyCtx->Pkey = Pkey;
if (RsaExtractBigNums (RsaPkeyCtx, RsaPkeyCtx->Pkey)) {
Pkey = NULL;
*RsaContext = (VOID *)RsaPkeyCtx;
Status = TRUE;
} else {
RsaFree ((VOID *)RsaPkeyCtx);
Pkey = NULL;
}

// MU_CHANGE [END]
}

_Exit:
//
// Release Resources.
//
// MU_CHANGE [BEGIN]
if (Pkey != NULL) {
EVP_PKEY_free (Pkey);
}

// MU_CHANGE [END]
BIO_free (PemBio);

return Status;
Expand Down Expand Up @@ -153,8 +188,16 @@ EcGetPrivateKeyFromPem (
OUT VOID **EcContext
)
{
BOOLEAN Status;
BIO *PemBio;
// MU_CHANGE [BEGIN]
BOOLEAN Status;
BIO *PemBio;
EVP_PKEY *Pkey;
EC_PKEY_CTX *EcPkeyCtx;
CHAR8 CurveNameBuf[64];
UINTN CurveNameLen;
INT32 OpenSslNid;

// MU_CHANGE [END]

//
// Check input parameters.
Expand All @@ -180,6 +223,7 @@ EcGetPrivateKeyFromPem (
}

Status = FALSE;
Pkey = NULL; // MU_CHANGE

//
// Read encrypted PEM Data.
Expand All @@ -196,15 +240,58 @@ EcGetPrivateKeyFromPem (
//
// Retrieve EC Private Key from encrypted PEM data.
//
*EcContext = PEM_read_bio_ECPrivateKey (PemBio, NULL, (pem_password_cb *)&PasswordCallback, (void *)Password);
if (*EcContext != NULL) {
Status = TRUE;
// MU_CHANGE [BEGIN]
Pkey = PEM_read_bio_PrivateKey (PemBio, NULL, (pem_password_cb *)&PasswordCallback, (void *)Password);
if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_EC)) {
goto _Exit;
}

CurveNameLen = sizeof (CurveNameBuf);
if (EVP_PKEY_get_utf8_string_param (
Pkey,
OSSL_PKEY_PARAM_GROUP_NAME,
CurveNameBuf,
CurveNameLen,
&CurveNameLen
) != 1)
{
goto _Exit;
}

//
// Convert OpenSSL curve group name to an internal NID.
// Try short-name lookup first (for example, "prime256v1"), then
// fall back to long-name lookup if the short name is not recognized.
//
OpenSslNid = OBJ_sn2nid (CurveNameBuf);
if (OpenSslNid == NID_undef) {
OpenSslNid = OBJ_ln2nid (CurveNameBuf);
}

if (OpenSslNid == NID_undef) {
goto _Exit;
}

EcPkeyCtx = AllocateZeroPool (sizeof (EC_PKEY_CTX));
if (EcPkeyCtx != NULL) {
EcPkeyCtx->Nid = OpenSslNid;
EcPkeyCtx->Pkey = Pkey;
Pkey = NULL;
*EcContext = (VOID *)EcPkeyCtx;
Status = TRUE;
// MU_CHANGE [END]
}

_Exit:
//
// Release Resources.
//
// MU_CHANGE [BEGIN]
if (Pkey != NULL) {
EVP_PKEY_free (Pkey);
}

// MU_CHANGE [END]
BIO_free (PemBio);

return Status;
Expand Down
Loading
Loading