Reviewed-by: Jian J Wang <jian.j.w...@intel.com>
> -----Original Message-----
> From: West, Gary
> Sent: Wednesday, July 31, 2019 5:54 AM
> To: devel@edk2.groups.io
> Cc: West, Gary <gary.w...@intel.com>; West, Gary <gary.w...@intel.com>; > Wang, Jian J <jian.j.w...@intel.com>; Ye, Ting <ting...@intel.com>
> Subject: [PATCH v2 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF > algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928
>
> 1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
> 2. Implement stub implementation function in CryptHkdfNull.c file.
> 3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
> 4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
> 5. Add CryptHkdfNull.c to module information PeiCryptLib.inf, > RuntimeCryptLib.inf and SmmCryptLib.inf
>
> Signed-off-by: Gary West <gary.w...@intel.com>
> Cc: Jian Wang <jian.j.w...@intel.com>
> Cc: Ting Ye <ting...@intel.com>
> ---
> CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
> CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 4 +-
> CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
> CryptoPkg/Include/Library/BaseCryptLib.h | 33 +++++++++
> CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c | 75 > ++++++++++++++++++++
> CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c | 43 +++++++++++
> 7 files changed, 155 insertions(+), 3 deletions(-)
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 020df3c19b3c..8d4988e8c6b4 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -37,6 +37,7 @@ [Sources]
> Hmac/CryptHmacMd5.c
> Hmac/CryptHmacSha1.c
> Hmac/CryptHmacSha256.c
> + Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> Cipher/CryptTdes.c
> Cipher/CryptArc4.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index 99dbad23ed5d..3da8bd848017 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -44,10 +44,10 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> -
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> @@ -56,13 +56,11 @@ [Sources]
> Pk/CryptPkcs7VerifyCommon.c
> Pk/CryptPkcs7VerifyBase.c
> Pk/CryptPkcs7VerifyEku.c
> -
> Pk/CryptDhNull.c
> Pk/CryptX509Null.c
> Pk/CryptAuthenticodeNull.c
> Pk/CryptTsNull.c
> Pem/CryptPemNull.c
> -
> Rand/CryptRandNull.c
>
> SysCall/CrtWrapper.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 0e58d2b5b0ea..21a481eb7767 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -43,6 +43,7 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index c79f2bf4c6c0..7c187e21b3b9 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -43,6 +43,7 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h > b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 19d1afe3c8c0..da32bb2444fd 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -3122,4 +3122,37 @@ RandomBytes (
> IN UINTN Size
> );
>
> +//======================================================== > =============================
> +// Key Derivation Function Primitive
> +//======================================================== > =============================
> +
> +/**
> + Derive key data using HMAC-SHA256 based KDF.
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + );
> +
> #endif // __BASE_CRYPT_LIB_H__
> diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c > b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
> new file mode 100644
> index 000000000000..f0fcef211d3f
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
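Review bot: `@param[Out] Out` in the new HkdfSha256ExtractAndExpand doc block should be `@param[out] Out`; Doxygen direction tags are lowercase, so `[Out]` is not picked up as the out-parameter marker, and lowercase `[out]` is the form edk2 uses elsewhere. The same typo is in the CryptHkdf.c and CryptHkdfNull.c hunks of this patch. The `OutSize` line is also the place to state the upper bound: HKDF expand is limited to 255 * HashLen output bytes (8160 for SHA-256 per RFC 5869) and the OpenSSL backend refuses larger requests, so a line such as `@param[in]  OutSize   Size of hkdf bytes to generate; at most 255 * 32 (RFC 5869).` saves callers a surprising FALSE. Whether a NULL Salt or Info is acceptable with a zero size is left unstated here and is decided by the implementation, so the header comment should say so explicitly.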
> @@ -0,0 +1,75 @@
> +/** @file
> + HMAC-SHA256 KDF Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseCryptLib.h>
> +#include <openssl/evp.h>
> +#include <openssl/kdf.h>
> +
> +/**
> + Derive HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + )
> +{
> + EVP_PKEY_CTX *pHkdfCtx;
> + BOOLEAN Result;
> +
> + if (Key == NULL || Salt == NULL || Info == NULL || Out == NULL ||
> + KeySize > INT_MAX || SaltSize > INT_MAX || InfoSize > INT_MAX || > OutSize > INT_MAX ) {
> + return FALSE;
> + }
> +
> + pHkdfCtx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
> + if (pHkdfCtx == NULL) {
> + return FALSE;
> + }
> +
> + Result = EVP_PKEY_derive_init(pHkdfCtx) > 0;
> + if (Result) {
> + Result = EVP_PKEY_CTX_set_hkdf_md(pHkdfCtx, EVP_sha256()) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_set1_hkdf_salt(pHkdfCtx, Salt, > (UINT32)SaltSize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_set1_hkdf_key(pHkdfCtx, Key, > (UINT32)KeySize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_add1_hkdf_info(pHkdfCtx, Info, > (UINT32)InfoSize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_derive(pHkdfCtx, Out, &OutSize) > 0;
> + }
> +
> + EVP_PKEY_CTX_free(pHkdfCtx);
> + pHkdfCtx = NULL;
> + return Result;
> +}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c > b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
> new file mode 100644
> index 000000000000..73deb5bc3614
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
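Review bot: The parameter guard at the top of HkdfSha256ExtractAndExpand rejects `Salt == NULL` and `Info == NULL` outright, so a caller with no salt (RFC 5869 treats an absent salt as HashLen zero bytes) or no info has to pass a dummy non-NULL pointer with a zero size to get past it. Either relax the test to `(Salt == NULL && SaltSize != 0) || (Info == NULL && InfoSize != 0)` — after confirming that the OpenSSL version in tree accepts a NULL, zero-length salt in `EVP_PKEY_CTX_set1_hkdf_salt` — or state the restriction in the @param lines, since the header declaration says nothing about it. `EVP_PKEY_derive` also writes the produced length back into `OutSize`; saving the requested size before the call and folding `OutSize == <saved size>` into `Result` afterwards is cheap insurance, even though as far as I can tell the extract-and-expand path fails rather than truncates. Minor: edk2 naming is PascalCase without type prefixes, so `HkdfCtx` rather than `pHkdfCtx`.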
> @@ -0,0 +1,43 @@
> +/** @file
> + HMAC-SHA256 KDF Wrapper Implementation which does not provide > real capabilities.
> +
> +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +
> +/**
> + Derive key data using HMAC-SHA256 based KDF.
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + )
> +{
> + ASSERT (FALSE);
> + return FALSE;
> +}
> --
> 2.19.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#44918): https://edk2.groups.io/g/devel/message/44918 Mute This Topic: https://groups.io/mt/32659321/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-