Feature: Enable PQC #252
Draft
Flickdm wants to merge 17 commits into
Add UnitTestHostTlsLib.inf, a HOST_APPLICATION wrapper for the production TlsLib sources, enabling TlsLib to be linked into host-based unit test executables. Update OpensslPkgHostUnitTest.dsc with TlsLib and IntrinsicLib library mappings and the TlsLibUnitTestHost component reference for the provider-agnostic TLS unit tests in CryptoPkg. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Bring in the latest MU_BASECORE commit to pull in TLS unit tests that are needed to validate the TlsLib. Signed-off-by: Doug Flick <dougflick@microsoft.com>
After running OpensslPkg host-based unit tests, re-run the TlsLibUnitTestHost binary and extract the structured TLS capability report (cipher suites, TLS versions, EC curves, TLS 1.3, PQC groups, DFCI required ciphers, security levels) into the GitHub Actions job summary. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the openssl submodule pointer to the openssl-4.0.0 tag. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Fix X64-MSFT assembly filename conversion to handle both .S and .s extensions. Disable SM3 assembly sources in the asm filter to work around build issues with OpenSSL 4.0.0. SM3 support will need to be re-evaluated in a future update. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Regenerate all intermediate files in OpensslGen including headers, architecture-specific assembly files, DER encoding sources, and the new .inc files generated from .inc.in templates introduced in OpenSSL 4.0. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update the autogenerated source file lists in all OpensslLib INF files to reflect the new and changed source files in OpenSSL 4.0.0. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add Library/OpensslLib/OpensslGen as a package include path in OpensslPkg.dec. OpenSSL 4.0 introduces .inc files generated from .inc.in templates that are included by provider source files using paths relative to the build root. The OpensslGen directory must be in the include search path to resolve these references. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add va_copy, vsnprintf, INT64_C, UINT64_C, INT32_C, and UINT32_C macros to CrtLibSupport.h. These are required by OpenSSL 4.0 source files that were not needed in previous versions. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace direct struct member access with OpenSSL accessor functions for ASN1_STRING, ASN1_TYPE, and ASN1_OBJECT types. OpenSSL 4.0 makes these struct fields opaque, requiring use of ASN1_STRING_get0_data(), ASN1_STRING_length(), ASN1_STRING_type(), OBJ_get0_data(), and OBJ_length(). Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add null stubs for tls_parse_ctos_ech() and tls_construct_stoc_ech() in SslExtServNull.c for the new Encrypted Client Hello (ECH) extension in OpenSSL 4.0. Update tls_construct_cert_status_body() signature in SslStatServNull.c to include the new OCSP_RESPONSE parameter. Update OSSL_STORE_SEARCH_by_name() in ossl_store.c to use const X509_NAME parameter matching the OpenSSL 4.0 API. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace the vsnprintf and sprintf macros in CrtLibSupport.h with proper function implementations that translate standard C format specifiers to EDK2 BasePrintLib equivalents. OpenSSL 4.0 error reporting calls BIO_vsnprintf with C %s (ASCII string), but EDK2 BasePrintLib treats %s as Unicode, causing a segfault in the host unit tests. The new TranslateFormatSpecifiers helper converts C %s to EDK2 %a before calling AsciiVSPrint. Signed-off-by: Doug Flick <dougflick@microsoft.com>
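The format translation described in the commit above, as an added example that is not code from this pull request: a C `%s` handed unchanged to a printer that reads `%s` as a Unicode string makes it walk a `char *` as 16-bit characters, so the specifier is rewritten to `%a` first. The name `translate_format`, its bounds policy, and leaving `%ls` untouched are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not the PR's TranslateFormatSpecifiers: copy a C
 * printf format into dst, rewriting the plain %s conversion to %a (the
 * ASCII-string conversion in EDK2 BasePrintLib). Returns the length written,
 * or -1 if dst cannot hold the whole format. */
static int translate_format(const char *src, char *dst, size_t dst_size)
{
    size_t out = 0;

    if (src == NULL || dst == NULL || dst_size == 0)
        return -1;
    while (*src != '\0') {
        const char *start = src++;
        size_t len;

        if (*start == '%') {
            if (*src == '%') {
                src++;                  /* literal "%%" is copied unchanged */
            } else {
                /* skip flags, width, precision and length modifiers */
                src += strspn(src, "-+ #0123456789.*hlLjzt");
                if (*src != '\0')
                    src++;              /* the conversion character itself */
            }
        }
        len = (size_t)(src - start);
        if (out + len >= dst_size)
            return -1;                  /* never emit a truncated format */
        memcpy(dst + out, start, len);
        out += len;
        /* only a narrow %s is rewritten; %ls and other conversions stay */
        if (len >= 2 && dst[out - 1] == 's' && dst[out - 2] != 'l')
            dst[out - 1] = 'a';
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    char buf[64];   /* constructed sample format, not taken from OpenSSL */

    if (translate_format("error:%s:%-10s:%d %%s", buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```

Returning an error instead of a shortened string matters here because a format cut in the middle of a specifier would itself be misparsed by the printer.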
Remove no-ml-dsa, no-ml-kem, and no-tls1_3 from configure.py to enable Post-Quantum Cryptography support in OpenSSL 4.0.0. Regenerated configuration headers and INF files with:
- ML-KEM (FIPS 203) key encapsulation sources
- ML-DSA (FIPS 204) digital signature sources
- MLX hybrid key exchange sources
- TLS 1.3 protocol support (required for PQC key exchange)

OpenSSL 4.0.0 has native PQC support - no external provider (oqsprovider) needed. Note: Build is blocked by pre-existing missing decoders.inc in uefiprov.c (not related to this change).
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Rewrite TlsSetEcCurve to use SSL_set1_groups_list with string group names, replacing the deprecated EC_KEY_new_by_curve_name and SSL_set_tmp_ecdh APIs. This enables P-256 (previously rejected), X25519, X448, and PQC hybrid key exchange groups (X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024). Add TLS 1.3 cipher suite support to TlsSetCipherList by detecting IANA IDs in the 0x1300 range and routing them through SSL_set_ciphersuites instead of SSL_set_cipher_list. Signed-off-by: Doug Flick <dougflick@microsoft.com>
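The cipher routing described in the commit above, as an added example that is not code from this pull request: OpenSSL configures TLS 1.3 suites through `SSL_set_ciphersuites` and TLS 1.2-and-earlier suites through `SSL_set_cipher_list`, so a mixed list of IANA IDs has to be split into two strings. The function names, the four-entry table, the `0x13xx` mask test and the skipping of unknown IDs are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of IANA cipher suite IDs and their OpenSSL names. */
static const struct { uint16_t id; const char *name; } SUITES[] = {
    { 0x1301, "TLS_AES_128_GCM_SHA256" },
    { 0x1302, "TLS_AES_256_GCM_SHA384" },
    { 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
    { 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
};

/* Append name to a colon-separated list; on overflow restore it, return -1. */
static int append_name(char *list, size_t size, const char *name)
{
    size_t used = strlen(list);
    int n = snprintf(list + used, size - used, "%s%s", used ? ":" : "", name);
    if (n < 0 || (size_t)n >= size - used) {
        list[used] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical split: IDs of the form 0x13xx go to tls13 (the string for
 * SSL_set_ciphersuites), the rest to legacy (for SSL_set_cipher_list).
 * Unknown IDs are skipped (an assumption). Buffers must hold at least one
 * byte. Returns the number of IDs mapped, or -1 on overflow. */
static int split_cipher_ids(const uint16_t *ids, size_t count,
                            char *tls13, size_t tls13_size,
                            char *legacy, size_t legacy_size)
{
    int mapped = 0;

    tls13[0] = legacy[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        int is13 = (ids[i] & 0xFF00) == 0x1300;
        for (size_t j = 0; j < sizeof SUITES / sizeof SUITES[0]; j++) {
            if (SUITES[j].id != ids[i])
                continue;
            if (append_name(is13 ? tls13 : legacy,
                            is13 ? tls13_size : legacy_size, SUITES[j].name))
                return -1;
            mapped++;
            break;
        }
    }
    return mapped;
}
```

A caller would pass each non-empty string to its matching OpenSSL function and treat an empty result on both sides as a configuration error, not as permission to use library defaults.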
Enable OpenSSL CMS module by removing OPENSSL_NO_CMS from configuration-ec.h and configuration-noec.h, and adding 19 CMS source files to OpensslLibFull.inf and OpensslLibAccel.inf. Register ML-DSA-44/65/87 signature and keymgmt providers, plus SHAKE-128/256 and ML-DSA-MU digest providers in the UEFI OpenSSL provider (uefiprov.c). Without these registrations, the EVP provider framework cannot locate the ML-DSA algorithms. Add CMS verification fallback to Pkcs7Verify. OpenSSL's PKCS7_verify does not support ML-DSA (returns 'provider signature not supported'). When PKCS7 verification fails, the function now attempts CMS_verify which has explicit ML-DSA support through the cms_sd.c key2data table. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace the PKCS7-first + CMS-fallback approach with a single CMS_verify call. CMS (RFC 5652) is the successor to PKCS#7 and is backward-compatible at the ASN.1 level. CMS_verify supports RSA, ECDSA, Ed25519, ML-DSA, and future algorithms through the OpenSSL EVP provider framework. PKCS7_verify cannot verify ML-DSA signatures (returns 'provider signature not supported'). Using CMS exclusively simplifies the code and provides crypto-agile verification for both classical and post-quantum algorithms. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add 19 CMS source files to OpensslLibFullAccel.inf to resolve linker errors when building OneCryptoPkg. The CMS module is required for ML-DSA signature verification through Pkcs7Verify. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Description
<Include a description of the change and why this change was made.>
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
<Describe the test(s) that were run to verify the changes.>
Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>