DMTF
diff --git a/‎CMakeLists.txt‎
Lines changed: 11 additions & 11 deletions b/‎CMakeLists.txt‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎library/spdm_crypt_lib/CMakeLists.txt‎
Lines changed: 8 additions & 1 deletion b/‎library/spdm_crypt_lib/CMakeLists.txt‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎os_stub/cryptlib_openssl/CMakeLists.txt‎
Lines changed: 28 additions & 21 deletions b/‎os_stub/cryptlib_openssl/CMakeLists.txt‎
Lines changed: 28 additions & 21 deletions
diff --git a/‎os_stub/cryptlib_openssl/der/der.c‎
Lines changed: 32 additions & 5 deletions b/‎os_stub/cryptlib_openssl/der/der.c‎
Lines changed: 32 additions & 5 deletions
@@ -693,6 +693,11 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
         set(CMAKE_EXE_LINKER_FLAGS "")
 
         set(CMAKE_C_LINK_EXECUTABLE "")
+    elseif(TOOLCHAIN STREQUAL "NONE")
+        # Use native toolchain with group linking for static libraries
+        set(CMAKE_LINKER gcc)
+        set(CMAKE_EXE_LINKER_FLAGS "-no-pie")
+        set(CMAKE_C_LINK_EXECUTABLE "<CMAKE_LINKER> <LINK_FLAGS> <OBJECTS> -o <TARGET> -Wl,--start-group <LINK_LIBRARIES> -Wl,--end-group")
     endif()
 
     if(NOT TOOLCHAIN STREQUAL "NIOS2_GCC")
@@ -1164,17 +1169,12 @@ else()
             )
         elseif(CRYPTO STREQUAL "openssl")
             set(CRYPTO_DEPS "-lssl -lcrypto")
-            if(TOOLCHAIN STREQUAL "NONE")
-                target_link_libraries(${LIB_NAME}_crypto
-                    PUBLIC openssllib
-                    PUBLIC cryptlib_openssl
-                )
-            else()
-                target_link_libraries(${LIB_NAME}_crypto
-                    PUBLIC ssl
-                    PUBLIC crypto
-                )
-            endif()
+            # Always link to the OpenSSL library built from source (openssllib target)
+            # openssllib will be STATIC when TOOLCHAIN=NONE, SHARED otherwise
+            target_link_libraries(${LIB_NAME}_crypto
+                PUBLIC openssllib
+                PUBLIC cryptlib_openssl
+            )
         endif()
 
         target_link_libraries(${LIB_NAME}
 
@@ -38,4 +38,11 @@ target_sources(spdm_crypt_lib
         fips/libspdm_selftest_mldsa_vec.c
         fips/libspdm_selftest_slhdsa.c
         fips/libspdm_selftest_slhdsa_vec.c
-)
+)
+
+# Link to cryptlib implementation
+if(TARGET cryptlib_openssl)
+    target_link_libraries(spdm_crypt_lib INTERFACE cryptlib_openssl)
+elseif(TARGET cryptlib_mbedtls)
+    target_link_libraries(spdm_crypt_lib INTERFACE cryptlib_mbedtls)
+endif()
@@ -9,12 +9,11 @@ target_include_directories(cryptlib_openssl
         ${LIBSPDM_DIR}/os_stub/include
         ${LIBSPDM_DIR}/os_stub/cryptlib_openssl
         ${LIBSPDM_DIR}/os_stub/openssllib/include
-        ${LIBSPDM_DIR}/os_stub/openssllib/openssl_gen
-        ${LIBSPDM_DIR}/os_stub/openssllib/openssl/include
-        ${LIBSPDM_DIR}/os_stub/openssllib/openssl/crypto/include
-        ${LIBSPDM_DIR}/os_stub/openssllib/openssl
 )
 
+# Ensure OpenSSL is built before cryptlib_openssl
+add_dependencies(cryptlib_openssl openssllib)
+
 target_sources(cryptlib_openssl
     PRIVATE
         cipher/aead_aes_gcm.c
@@ -47,25 +46,33 @@ target_sources(cryptlib_openssl
         pk/x509.c
         pk/x509_pqc.c
         rand/rand.c
+        rsa_context.c
+        pqc_context.c
         sys_call/crt_wrapper_host.c
 )
 
 target_compile_options(cryptlib_openssl PRIVATE ${OPENSSL_FLAGS})
 
-if(ARCH STREQUAL "x64")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_X64)
-elseif(ARCH STREQUAL "ia32")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_IA32)
-elseif(ARCH STREQUAL "aarch64")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_AARCH64)
-elseif(ARCH STREQUAL "riscv32")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_RISCV32)
-elseif(ARCH STREQUAL "riscv64")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_RISCV64)
-elseif((ARCH STREQUAL "arm") OR (ARCH STREQUAL "aarch64"))
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_ARM)
-elseif(ARCH STREQUAL "loongarch64")
-    target_compile_options(cryptlib_openssl PRIVATE -DLIBSPDM_CPU_LOONGARCH64)
-else()
-    message(FATAL_ERROR "Unknown ARCH")
-endif()
+# Suppress deprecated warnings for OpenSSL deprecated APIs
+# 
+# Why suppress instead of fixing:
+# 1. EC Key Management: libspdm_ec_set_pub_key/libspdm_ec_set_priv_key use deprecated EC_KEY APIs
+#    as fallback when modern EVP_PKEY_set* methods fail. This ensures compatibility when keys
+#    are set separately (public first, then private).
+#
+# 2. SM2 Implementation: os_stub/cryptlib_openssl/pk/sm2.c uses deprecated EC_KEY APIs throughout.
+#    Full migration to modern APIs requires significant refactoring.
+#
+# 3. FIPS Mode: libspdm_ecdsa_sign_ex uses deprecated APIs for custom random number injection,
+#    which is required for FIPS testing (only compiled when LIBSPDM_FIPS_MODE is enabled).
+#
+# Cross-platform suppression:
+# - GCC/Clang (Linux/macOS): -Wno-deprecated-declarations
+# - MSVC (Windows): /wd4996
+if(CMAKE_C_COMPILER_ID MATCHES "GNU|Clang")
+    target_compile_options(cryptlib_openssl PRIVATE -Wno-deprecated-declarations)
+elseif(CMAKE_C_COMPILER_ID MATCHES "MSVC")
+    target_compile_options(cryptlib_openssl PRIVATE /wd4996)
+endif()
+
+target_link_libraries(cryptlib_openssl PUBLIC openssllib memlib)
@@ -12,8 +12,10 @@
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/decoder.h>
+#include "rsa_context.h"
 
 #if (LIBSPDM_RSA_SSA_SUPPORT) || (LIBSPDM_RSA_PSS_SUPPORT)
+
 /**
  * Retrieve the RSA Public key from the DER key data.
  *
@@ -39,6 +41,7 @@ bool libspdm_rsa_get_public_key_from_der(const uint8_t *der_data,
 {
     bool status;
     BIO *der_bio;
+    EVP_PKEY *pkey;
 
     /* Check input parameters.*/
 
@@ -47,6 +50,7 @@ bool libspdm_rsa_get_public_key_from_der(const uint8_t *der_data,
     }
 
     status = false;
+    pkey = NULL;
 
     /* Read DER data.*/
 
@@ -59,11 +63,25 @@ bool libspdm_rsa_get_public_key_from_der(const uint8_t *der_data,
         goto done;
     }
 
-    /* Retrieve RSA Public key from DER data.*/
-
-    *rsa_context = d2i_RSA_PUBKEY_bio(der_bio, NULL);
-    if (*rsa_context != NULL) {
+    /* Retrieve RSA Public key from DER data as EVP_PKEY.*/
+    pkey = d2i_PUBKEY_bio(der_bio, NULL);
+    if (pkey == NULL) {
+        goto done;
+    }
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
+        goto done;
+    }
+    {
+        libspdm_rsa_ctx_evp_t *ctx;
+        ctx = (libspdm_rsa_ctx_evp_t *)allocate_pool(sizeof(libspdm_rsa_ctx_evp_t));
+        if (ctx == NULL) {
+            goto done;
+        }
+        libspdm_zero_mem(ctx, sizeof(*ctx));
+        ctx->pkey = pkey;
+        *rsa_context = (void *)ctx;
         status = true;
+        pkey = NULL; /* ownership moved */
     }
 
 done:
@@ -199,9 +217,18 @@ bool libspdm_ecd_get_public_key_from_der(const uint8_t *der_data,
     }
     type = EVP_PKEY_id(pkey);
     if ((type != EVP_PKEY_ED25519) && (type != EVP_PKEY_ED448)) {
+        EVP_PKEY_free(pkey);
+        goto done;
+    }
+
+    /* Create double pointer structure for EdDSA context (compatible with libspdm_ecd_new_by_nid) */
+    EVP_PKEY **ecd_context_ptr = malloc(sizeof(EVP_PKEY *));
+    if (ecd_context_ptr == NULL) {
+        EVP_PKEY_free(pkey);
         goto done;
     }
-    *ecd_context = pkey;
+    *ecd_context_ptr = pkey;
+    *ecd_context = ecd_context_ptr;
     status = true;
 
 done: