* [PATCH 0/4] CryptoPkg: add AeadAesGcm support.
@ 2022-08-29 8:42 Qi Zhang
2022-08-29 8:42 ` [PATCH 1/4] CryptoPkg: add AeadAesGcm function() definition Qi Zhang
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Qi Zhang @ 2022-08-29 8:42 UTC (permalink / raw)
To: devel; +Cc: Qi Zhang, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
Add AeadAesGcm Encrypt and Decrypt.
With this change, the size increase of BaseCyrptLib is about 60K bytes.
The new functions are verifed by the Host UnitTest.
And also it has been integratd in
https://github.com/tianocore/edk2-staging/tree/DeviceSecurity and been
verified.
All the code change is on the PR https://github.com/tianocore/edk2/pull/3252.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Qi Zhang (4):
CryptoPkg: add AeadAesGcm function() definition.
CryptoPkg: add AeadAesGcm support.
CryptoPkg: add AeadAesGcm to Crypto Service.
CryptoPkg: add UnitTest for AeadAesGcm.
CryptoPkg/CryptoPkg.dsc | 2 +
CryptoPkg/Driver/Crypto.c | 94 +++++-
CryptoPkg/Include/Library/BaseCryptLib.h | 87 ++++++
.../Pcd/PcdCryptoServiceFamilyEnable.h | 7 +
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 +
.../BaseCryptLib/Cipher/CryptAeadAesGcm.c | 279 ++++++++++++++++++
.../BaseCryptLib/Cipher/CryptAeadAesGcmNull.c | 100 +++++++
.../Library/BaseCryptLib/PeiCryptLib.inf | 1 +
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
.../Library/BaseCryptLib/SmmCryptLib.inf | 1 +
.../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 1 +
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
.../Cipher/CryptAeadAesGcmNull.c | 100 +++++++
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 93 ++++++
CryptoPkg/Private/Protocol/Crypto.h | 86 ++++++
.../Library/BaseCryptLib/AeadAesGcmTests.c | 112 +++++++
.../BaseCryptLib/BaseCryptLibUnitTests.c | 1 +
.../Library/BaseCryptLib/TestBaseCryptLib.h | 3 +
.../BaseCryptLib/TestBaseCryptLibHost.inf | 1 +
.../BaseCryptLib/TestBaseCryptLibShell.inf | 1 +
20 files changed, 971 insertions(+), 1 deletion(-)
create mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c
create mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c
create mode 100644 CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c
--
2.26.2.windows.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] CryptoPkg: add AeadAesGcm function() definition.
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
@ 2022-08-29 8:42 ` Qi Zhang
2022-08-29 8:42 ` [PATCH 2/4] CryptoPkg: add AeadAesGcm support Qi Zhang
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Qi Zhang @ 2022-08-29 8:42 UTC (permalink / raw)
To: devel; +Cc: Qi Zhang, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
---
CryptoPkg/Include/Library/BaseCryptLib.h | 87 ++++++++++++++++++++++++
1 file changed, 87 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 7d1499350a..b27ec28944 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1172,6 +1172,93 @@ AesCbcDecrypt (
OUT UINT8 *Output
);
+// =====================================================================================
+// Authenticated Encryption with Associated Data (AEAD) Cryptography Primitive
+// =====================================================================================
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ );
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ );
+
// =====================================================================================
// Asymmetric Cryptography Primitive
// =====================================================================================
--
2.26.2.windows.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/4] CryptoPkg: add AeadAesGcm support.
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
2022-08-29 8:42 ` [PATCH 1/4] CryptoPkg: add AeadAesGcm function() definition Qi Zhang
@ 2022-08-29 8:42 ` Qi Zhang
2022-08-29 8:42 ` [PATCH 3/4] CryptoPkg: add AeadAesGcm to Crypto Service Qi Zhang
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Qi Zhang @ 2022-08-29 8:42 UTC (permalink / raw)
To: devel; +Cc: Qi Zhang, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
---
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 +
.../BaseCryptLib/Cipher/CryptAeadAesGcm.c | 279 ++++++++++++++++++
.../BaseCryptLib/Cipher/CryptAeadAesGcmNull.c | 100 +++++++
.../Library/BaseCryptLib/PeiCryptLib.inf | 1 +
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
.../Library/BaseCryptLib/SmmCryptLib.inf | 1 +
.../BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
.../Cipher/CryptAeadAesGcmNull.c | 100 +++++++
8 files changed, 484 insertions(+)
create mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c
create mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 3d7b917103..3a00e16948 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -38,6 +38,7 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAes.c
+ Cipher/CryptAeadAesGcm.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExt.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c
new file mode 100644
index 0000000000..b4c93d47a9
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c
@@ -0,0 +1,279 @@
+/** @file
+ AEAD (AES-GCM) Wrapper Implementation over OpenSSL.
+
+ RFC 5116 - An Interface and Algorithms for Authenticated Encryption
+ NIST SP800-38d - Cipher Modes of Operation: Galois / Counter Mode(GCM) and GMAC
+
+Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ EVP_CIPHER_CTX *Ctx;
+ CONST EVP_CIPHER *Cipher;
+ UINTN TempOutSize;
+ BOOLEAN RetValue;
+
+ if (DataInSize > INT_MAX) {
+ return FALSE;
+ }
+
+ if (ADataSize > INT_MAX) {
+ return FALSE;
+ }
+
+ if (IvSize != 12) {
+ return FALSE;
+ }
+
+ switch (KeySize) {
+ case 16:
+ Cipher = EVP_aes_128_gcm ();
+ break;
+ case 24:
+ Cipher = EVP_aes_192_gcm ();
+ break;
+ case 32:
+ Cipher = EVP_aes_256_gcm ();
+ break;
+ default:
+ return FALSE;
+ }
+
+ if ((TagSize != 12) && (TagSize != 13) && (TagSize != 14) && (TagSize != 15) && (TagSize != 16)) {
+ return FALSE;
+ }
+
+ if (DataOutSize != NULL) {
+ if ((*DataOutSize > INT_MAX) || (*DataOutSize < DataInSize)) {
+ return FALSE;
+ }
+ }
+
+ Ctx = EVP_CIPHER_CTX_new ();
+ if (Ctx == NULL) {
+ return FALSE;
+ }
+
+ RetValue = (BOOLEAN)EVP_EncryptInit_ex (Ctx, Cipher, NULL, NULL, NULL);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_CIPHER_CTX_ctrl (Ctx, EVP_CTRL_GCM_SET_IVLEN, (INT32)IvSize, NULL);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_EncryptInit_ex (Ctx, NULL, NULL, Key, Iv);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_EncryptUpdate (Ctx, NULL, (INT32 *)&TempOutSize, AData, (INT32)ADataSize);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_EncryptUpdate (Ctx, DataOut, (INT32 *)&TempOutSize, DataIn, (INT32)DataInSize);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_EncryptFinal_ex (Ctx, DataOut, (INT32 *)&TempOutSize);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_CIPHER_CTX_ctrl (Ctx, EVP_CTRL_GCM_GET_TAG, (INT32)TagSize, (VOID *)TagOut);
+
+Done:
+ EVP_CIPHER_CTX_free (Ctx);
+ if (!RetValue) {
+ return RetValue;
+ }
+
+ if (DataOutSize != NULL) {
+ *DataOutSize = DataInSize;
+ }
+
+ return RetValue;
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ EVP_CIPHER_CTX *Ctx;
+ CONST EVP_CIPHER *Cipher;
+ UINTN TempOutSize;
+ BOOLEAN RetValue;
+
+ if (DataInSize > INT_MAX) {
+ return FALSE;
+ }
+
+ if (ADataSize > INT_MAX) {
+ return FALSE;
+ }
+
+ if (IvSize != 12) {
+ return FALSE;
+ }
+
+ switch (KeySize) {
+ case 16:
+ Cipher = EVP_aes_128_gcm ();
+ break;
+ case 24:
+ Cipher = EVP_aes_192_gcm ();
+ break;
+ case 32:
+ Cipher = EVP_aes_256_gcm ();
+ break;
+ default:
+ return FALSE;
+ }
+
+ if ((TagSize != 12) && (TagSize != 13) && (TagSize != 14) && (TagSize != 15) && (TagSize != 16)) {
+ return FALSE;
+ }
+
+ if (DataOutSize != NULL) {
+ if ((*DataOutSize > INT_MAX) || (*DataOutSize < DataInSize)) {
+ return FALSE;
+ }
+ }
+
+ Ctx = EVP_CIPHER_CTX_new ();
+ if (Ctx == NULL) {
+ return FALSE;
+ }
+
+ RetValue = (BOOLEAN)EVP_DecryptInit_ex (Ctx, Cipher, NULL, NULL, NULL);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_CIPHER_CTX_ctrl (Ctx, EVP_CTRL_GCM_SET_IVLEN, (INT32)IvSize, NULL);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_DecryptInit_ex (Ctx, NULL, NULL, Key, Iv);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_DecryptUpdate (Ctx, NULL, (INT32 *)&TempOutSize, AData, (INT32)ADataSize);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_DecryptUpdate (Ctx, DataOut, (INT32 *)&TempOutSize, DataIn, (INT32)DataInSize);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_CIPHER_CTX_ctrl (Ctx, EVP_CTRL_GCM_SET_TAG, (INT32)TagSize, (VOID *)Tag);
+ if (!RetValue) {
+ goto Done;
+ }
+
+ RetValue = (BOOLEAN)EVP_DecryptFinal_ex (Ctx, DataOut, (INT32 *)&TempOutSize);
+
+Done:
+ EVP_CIPHER_CTX_free (Ctx);
+ if (!RetValue) {
+ return RetValue;
+ }
+
+ if (DataOutSize != NULL) {
+ *DataOutSize = DataInSize;
+ }
+
+ return RetValue;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c
new file mode 100644
index 0000000000..b9f9d16ff9
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c
@@ -0,0 +1,100 @@
+/** @file
+ AEAD Wrapper Implementation which does not provide real capabilities.
+
+Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 01de27e037..43b122d904 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -44,6 +44,7 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAesNull.c
+ Cipher/CryptAeadAesGcmNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index d28fb98b66..291e30cf5e 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -44,6 +44,7 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAes.c
+ Cipher/CryptAeadAesGcmNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 91a1715095..6c65cc7a67 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -45,6 +45,7 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdfNull.c
Cipher/CryptAes.c
+ Cipher/CryptAeadAesGcmNull.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 63d1d82d19..bfc0d6a869 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -38,6 +38,7 @@
Hmac/CryptHmacSha256Null.c
Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
+ Cipher/CryptAeadAesGcmNull.c
Pk/CryptRsaBasicNull.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c
new file mode 100644
index 0000000000..b9f9d16ff9
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c
@@ -0,0 +1,100 @@
+/** @file
+ AEAD Wrapper Implementation which does not provide real capabilities.
+
+Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
--
2.26.2.windows.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] CryptoPkg: add AeadAesGcm to Crypto Service.
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
2022-08-29 8:42 ` [PATCH 1/4] CryptoPkg: add AeadAesGcm function() definition Qi Zhang
2022-08-29 8:42 ` [PATCH 2/4] CryptoPkg: add AeadAesGcm support Qi Zhang
@ 2022-08-29 8:42 ` Qi Zhang
2022-08-29 8:42 ` [PATCH 4/4] CryptoPkg: add UnitTest for AeadAesGcm Qi Zhang
2022-09-20 15:53 ` [PATCH 0/4] CryptoPkg: add AeadAesGcm support Yao, Jiewen
4 siblings, 0 replies; 6+ messages in thread
From: Qi Zhang @ 2022-08-29 8:42 UTC (permalink / raw)
To: devel; +Cc: Qi Zhang, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
---
CryptoPkg/CryptoPkg.dsc | 2 +
CryptoPkg/Driver/Crypto.c | 94 ++++++++++++++++++-
.../Pcd/PcdCryptoServiceFamilyEnable.h | 7 ++
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 93 ++++++++++++++++++
CryptoPkg/Private/Protocol/Crypto.h | 86 +++++++++++++++++
5 files changed, 281 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 50e7721f25..0f6587b36d 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -212,6 +212,8 @@
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Encrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Decrypt | TRUE
!endif
###################################################################################################
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 76cb9f4da0..016cb5da74 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4582,6 +4582,95 @@ CryptoServiceParallelHash256HashAll (
return CALL_BASECRYPTLIB (ParallelHash.Services.HashAll, ParallelHash256HashAll, (Input, InputByteLen, BlockSize, Output, OutputByteLen, Customization, CustomByteLen), FALSE);
}
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceAeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ return CALL_BASECRYPTLIB (AeadAesGcm.Services.Encrypt, AeadAesGcmEncrypt, (Key, KeySize, Iv, IvSize, AData, ADataSize, DataIn, DataInSize, TagOut, TagSize, DataOut, DataOutSize), FALSE);
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceAeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ return CALL_BASECRYPTLIB (AeadAesGcm.Services.Decrypt, AeadAesGcmDecrypt, (Key, KeySize, Iv, IvSize, AData, ADataSize, DataIn, DataInSize, Tag, TagSize, DataOut, DataOutSize), FALSE);
+}
+
const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
/// Version
CryptoServiceGetCryptoVersion,
@@ -4787,5 +4876,8 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServiceRsaPssSign,
CryptoServiceRsaPssVerify,
/// Parallel hash
- CryptoServiceParallelHash256HashAll
+ CryptoServiceParallelHash256HashAll,
+ /// Aead Aes GCM
+ CryptoServiceAeadAesGcmEncrypt,
+ CryptoServiceAeadAesGcmDecrypt
};
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 3d53c2f105..89f61d0d99 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -301,6 +301,13 @@ typedef struct {
} Services;
UINT32 Family;
} ParallelHash;
+ union {
+ struct {
+ UINT8 Encrypt : 1;
+ UINT8 Decrypt : 1;
+ } Services;
+ UINT32 Family;
+ } AeadAesGcm;
} PCD_CRYPTO_SERVICE_FAMILY_ENABLE;
#endif
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 8ee1b53cf9..765d298ad1 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1340,6 +1340,99 @@ AesCbcDecrypt (
CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE);
}
+// =====================================================================================
+// Authenticated Encryption with Associated Data (AEAD) Cryptography Primitive
+// =====================================================================================
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ CALL_CRYPTO_SERVICE (AeadAesGcmEncrypt, (Key, KeySize, Iv, IvSize, AData, ADataSize, DataIn, DataInSize, TagOut, TagSize, DataOut, DataOutSize), FALSE);
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ CALL_CRYPTO_SERVICE (AeadAesGcmDecrypt, (Key, KeySize, Iv, IvSize, AData, ADataSize, DataIn, DataInSize, Tag, TagSize, DataOut, DataOutSize), FALSE);
+}
+
// =====================================================================================
// Asymmetric Cryptography Primitive
// =====================================================================================
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index c417568e96..d79cc3c540 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3486,6 +3486,89 @@ BOOLEAN
IN UINTN CustomByteLen
);
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_AEAD_AES_GCM_ENCRYPT)(
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ );
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_AEAD_AES_GCM_DECRYPT)(
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ );
+
///
/// EDK II Crypto Protocol
///
@@ -3675,6 +3758,9 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_RSA_PSS_VERIFY RsaPssVerify;
/// Parallel hash
EDKII_CRYPTO_PARALLEL_HASH_ALL ParallelHash256HashAll;
+ /// AEAD AES-GCM
+ EDKII_AEAD_AES_GCM_ENCRYPT AeadAesGcmEncrypt;
+ EDKII_AEAD_AES_GCM_DECRYPT AeadAesGcmDecrypt;
};
extern GUID gEdkiiCryptoProtocolGuid;
--
2.26.2.windows.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] CryptoPkg: add UnitTest for AeadAesGcm.
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
` (2 preceding siblings ...)
2022-08-29 8:42 ` [PATCH 3/4] CryptoPkg: add AeadAesGcm to Crypto Service Qi Zhang
@ 2022-08-29 8:42 ` Qi Zhang
2022-09-20 15:53 ` [PATCH 0/4] CryptoPkg: add AeadAesGcm support Yao, Jiewen
4 siblings, 0 replies; 6+ messages in thread
From: Qi Zhang @ 2022-08-29 8:42 UTC (permalink / raw)
To: devel; +Cc: Qi Zhang, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
---
.../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 1 +
.../Library/BaseCryptLib/AeadAesGcmTests.c | 112 ++++++++++++++++++
.../BaseCryptLib/BaseCryptLibUnitTests.c | 1 +
.../Library/BaseCryptLib/TestBaseCryptLib.h | 3 +
.../BaseCryptLib/TestBaseCryptLibHost.inf | 1 +
.../BaseCryptLib/TestBaseCryptLibShell.inf | 1 +
6 files changed, 119 insertions(+)
create mode 100644 CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c
diff --git a/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
index 11ff1c6931..49c75ecccd 100644
--- a/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
@@ -31,6 +31,7 @@
Hmac/CryptHmacSha256.c
Kdf/CryptHkdf.c
Cipher/CryptAes.c
+ Cipher/CryptAeadAesGcm.c
Pk/CryptRsaBasic.c
Pk/CryptRsaExt.c
Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c
new file mode 100644
index 0000000000..989a4df788
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c
@@ -0,0 +1,112 @@
+/** @file
+ Application for Authenticated Encryption with Associated Data
+ (AEAD) Validation.
+
+Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "TestBaseCryptLib.h"
+
+/* AES-GCM test data from NIST public test vectors */
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_key[] = {
+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_iv[] = {
+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_pt[] = {
+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
+ 0xcc, 0x2b, 0xf2, 0xa5
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_aad[] = {
+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
+ 0x7f, 0xec, 0x78, 0xde
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_ct[] = {
+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
+ 0xb9, 0xf2, 0x17, 0x36
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gcm_tag[] = {
+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
+ 0x98, 0xf7, 0x7e, 0x0c
+};
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyAeadAesGcm (
+ IN UNIT_TEST_CONTEXT Context
+ )
+{
+ BOOLEAN Status;
+ UINT8 OutBuffer[1024];
+ UINTN OutBufferSize;
+ UINT8 OutTag[1024];
+ UINTN OutTagSize;
+
+ OutBufferSize = sizeof (OutBuffer);
+ OutTagSize = sizeof (gcm_tag);
+ ZeroMem (OutBuffer, sizeof (OutBuffer));
+ ZeroMem (OutTag, sizeof (OutTag));
+ Status = AeadAesGcmEncrypt (
+ gcm_key,
+ sizeof (gcm_key),
+ gcm_iv,
+ sizeof (gcm_iv),
+ gcm_aad,
+ sizeof (gcm_aad),
+ gcm_pt,
+ sizeof (gcm_pt),
+ OutTag,
+ OutTagSize,
+ OutBuffer,
+ &OutBufferSize
+ );
+ UT_ASSERT_TRUE (Status);
+
+ UT_ASSERT_EQUAL (OutBufferSize, sizeof (gcm_ct));
+
+ UT_ASSERT_MEM_EQUAL (OutBuffer, gcm_ct, sizeof (gcm_ct));
+
+ UT_ASSERT_MEM_EQUAL (OutTag, gcm_tag, sizeof (gcm_tag));
+
+ ZeroMem (OutBuffer, sizeof (OutBuffer));
+ Status = AeadAesGcmDecrypt (
+ gcm_key,
+ sizeof (gcm_key),
+ gcm_iv,
+ sizeof (gcm_iv),
+ gcm_aad,
+ sizeof (gcm_aad),
+ gcm_ct,
+ sizeof (gcm_ct),
+ gcm_tag,
+ sizeof (gcm_tag),
+ OutBuffer,
+ &OutBufferSize
+ );
+ UT_ASSERT_TRUE (Status);
+
+ UT_ASSERT_EQUAL (OutBufferSize, sizeof (gcm_pt));
+
+ UT_ASSERT_MEM_EQUAL (OutBuffer, gcm_pt, sizeof (gcm_pt));
+
+ return UNIT_TEST_PASSED;
+}
+
+TEST_DESC mAeadAesGcmTest[] = {
+ //
+ // -----Description--------------------------------------Class----------------------Function---------------------------------Pre---------------------Post---------Context
+ //
+ { "TestVerifyAeadAesGcm()", "CryptoPkg.BaseCryptLib.AeadAesGcm", TestVerifyAeadAesGcm, NULL, NULL, NULL },
+};
+
+UINTN mAeadAesGcmTestNum = ARRAY_SIZE (mAeadAesGcmTest);
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c
index 3c57aead1e..8cec308157 100644
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c
@@ -25,6 +25,7 @@ SUITE_DESC mSuiteDesc[] = {
{ "DH verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mDhTestNum, mDhTest },
{ "PRNG verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mPrngTestNum, mPrngTest },
{ "OAEP encrypt verify tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mOaepTestNum, mOaepTest },
+ { "Aead AES Gcm tests", "CryptoPkg.BaseCryptLib", NULL, NULL, &mAeadAesGcmTestNum, mAeadAesGcmTest },
};
EFI_STATUS
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h
index a6b3482742..ca763177a7 100644
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h
@@ -86,6 +86,9 @@ extern TEST_DESC mOaepTest[];
extern UINTN mRsaPssTestNum;
extern TEST_DESC mRsaPssTest[];
+extern UINTN mAeadAesGcmTestNum;
+extern TEST_DESC mAeadAesGcmTest[];
+
/** Creates a framework you can use */
EFI_STATUS
EFIAPI
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf
index 399db596c2..cf08b6553d 100644
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf
@@ -37,6 +37,7 @@
OaepEncryptTests.c
RsaPssTests.c
ParallelhashTests.c
+ AeadAesGcmTests.c
[Packages]
MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf
index ca789aa6ad..dc81b78357 100644
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf
@@ -36,6 +36,7 @@
Pkcs7EkuTests.c
OaepEncryptTests.c
RsaPssTests.c
+ AeadAesGcmTests.c
[Packages]
MdePkg/MdePkg.dec
--
2.26.2.windows.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 0/4] CryptoPkg: add AeadAesGcm support.
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
` (3 preceding siblings ...)
2022-08-29 8:42 ` [PATCH 4/4] CryptoPkg: add UnitTest for AeadAesGcm Qi Zhang
@ 2022-09-20 15:53 ` Yao, Jiewen
4 siblings, 0 replies; 6+ messages in thread
From: Yao, Jiewen @ 2022-09-20 15:53 UTC (permalink / raw)
To: Zhang, Qi1, devel@edk2.groups.io; +Cc: Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin
Thanks for the patch. Please
1) Update the EDKII_CRYPTO_VERSION to higher version
With that change, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Zhang, Qi1 <qi1.zhang@intel.com>
> Sent: Monday, August 29, 2022 4:43 PM
> To: devel@edk2.groups.io
> Cc: Zhang, Qi1 <qi1.zhang@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>
> Subject: [PATCH 0/4] CryptoPkg: add AeadAesGcm support.
>
> Add AeadAesGcm Encrypt and Decrypt.
> With this change, the size increase of BaseCyrptLib is about 60K bytes.
> The new functions are verifed by the Host UnitTest.
> And also it has been integratd in
> https://github.com/tianocore/edk2-staging/tree/DeviceSecurity and been
> verified.
>
> All the code change is on the PR
> https://github.com/tianocore/edk2/pull/3252.
>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4036
>
> Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
>
> Qi Zhang (4):
> CryptoPkg: add AeadAesGcm function() definition.
> CryptoPkg: add AeadAesGcm support.
> CryptoPkg: add AeadAesGcm to Crypto Service.
> CryptoPkg: add UnitTest for AeadAesGcm.
>
> CryptoPkg/CryptoPkg.dsc | 2 +
> CryptoPkg/Driver/Crypto.c | 94 +++++-
> CryptoPkg/Include/Library/BaseCryptLib.h | 87 ++++++
> .../Pcd/PcdCryptoServiceFamilyEnable.h | 7 +
> .../Library/BaseCryptLib/BaseCryptLib.inf | 1 +
> .../BaseCryptLib/Cipher/CryptAeadAesGcm.c | 279
> ++++++++++++++++++
> .../BaseCryptLib/Cipher/CryptAeadAesGcmNull.c | 100 +++++++
> .../Library/BaseCryptLib/PeiCryptLib.inf | 1 +
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
> .../Library/BaseCryptLib/SmmCryptLib.inf | 1 +
> .../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 1 +
> .../BaseCryptLibNull/BaseCryptLibNull.inf | 1 +
> .../Cipher/CryptAeadAesGcmNull.c | 100 +++++++
> .../BaseCryptLibOnProtocolPpi/CryptLib.c | 93 ++++++
> CryptoPkg/Private/Protocol/Crypto.h | 86 ++++++
> .../Library/BaseCryptLib/AeadAesGcmTests.c | 112 +++++++
> .../BaseCryptLib/BaseCryptLibUnitTests.c | 1 +
> .../Library/BaseCryptLib/TestBaseCryptLib.h | 3 +
> .../BaseCryptLib/TestBaseCryptLibHost.inf | 1 +
> .../BaseCryptLib/TestBaseCryptLibShell.inf | 1 +
> 20 files changed, 971 insertions(+), 1 deletion(-)
> create mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcm.c
> create mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptAeadAesGcmNull.c
> create mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAeadAesGcmNull.c
> create mode 100644
> CryptoPkg/Test/UnitTest/Library/BaseCryptLib/AeadAesGcmTests.c
>
> --
> 2.26.2.windows.1
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-09-20 15:53 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-29 8:42 [PATCH 0/4] CryptoPkg: add AeadAesGcm support Qi Zhang
2022-08-29 8:42 ` [PATCH 1/4] CryptoPkg: add AeadAesGcm function() definition Qi Zhang
2022-08-29 8:42 ` [PATCH 2/4] CryptoPkg: add AeadAesGcm support Qi Zhang
2022-08-29 8:42 ` [PATCH 3/4] CryptoPkg: add AeadAesGcm to Crypto Service Qi Zhang
2022-08-29 8:42 ` [PATCH 4/4] CryptoPkg: add UnitTest for AeadAesGcm Qi Zhang
2022-09-20 15:53 ` [PATCH 0/4] CryptoPkg: add AeadAesGcm support Yao, Jiewen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox