From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 2917978003C for ; Mon, 18 Mar 2024 23:17:35 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=1gl9n/kygOkWlQd+z/ERJPLofiGWvQ7+/V8ZCn5nKaw=; c=relaxed/simple; d=groups.io; h=From:To:Subject:Date:Message-ID:MIME-Version:Feedback-ID:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20240206; t=1710803853; v=1; b=sf6nnJ16nTOmIuaodtyK29QBRTTjCxAIuRUIOcnAHjNLTX/DwOqn0C3579sKTAdgEyByiSbd rntgr/1OB69+Dj5NDEHZniiX39TQptgSvpuY4rzcMULYYW0VigiBqiqCd1Fx+yoDL1FVrAH2b0l gGZAqLTSjWvUIW1dN58WzyDTJkZzp3UXQ1QYFYmgWhY9dB9e5w1TwzAIcZAdxlFe548NoZJBefY 0kcyX2wrG6tJZlkiy84RRmOidi0P5Rl/MA0QtXGJgqMpRbG7DSMI234sJhHCYzD/gRevrTMVHs5 djPB3ir15YpR4AlWOOFS7i2WVjbUTsi9RVvNPtLSVrdyg== X-Received: by 127.0.0.2 with SMTP id 39aoYY7687511xLXRM1SWWSX; Mon, 18 Mar 2024 16:17:33 -0700 X-Received: from a2i971.smtp2go.com (a2i971.smtp2go.com [103.47.207.203]) by mx.groups.io with SMTP id smtpd.web10.9987.1710465379586548532 for ; Thu, 14 Mar 2024 18:16:19 -0700 X-Received: from [10.45.79.170] (helo=SmtpCorp) by smtpcorp.com with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2-S2G) (envelope-from ) id 1rkwBG-gL4Tmj-Q9 for devel@edk2.groups.io; Fri, 15 Mar 2024 01:16:18 +0000 X-Received: from [10.90.237.184] (helo=gem-name-lb-02.localdomain) by smtpcorp.com with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96.1-S2G) (envelope-from ) id 1rkwBG-bMNhSV-0c for devel@edk2.groups.io; Fri, 15 Mar 2024 01:16:18 +0000 From: "Chris Ruffin via groups.io" To: devel@edk2.groups.io Subject: [edk2-devel] [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto functions Date: Thu, 14 Mar 2024 21:16:11 -0400 Message-ID: <20240315011613.1512-1-cruffin@millcore.com> MIME-Version: 1.0 X-Smtpcorp-Track: 1rkwUGPuNhSV0c.82FM9P6KzTjal Feedback-ID: 401384m:401384aZcXcRg:401384s7enTrO59a X-Report-Abuse: Please forward a copy of this message, including all headers, to Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 18 Mar 2024 16:17:33 -0700 Reply-To: devel@edk2.groups.io,cruffin@millcore.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: KHCj9ho1xWnCU09Nt3162rDjx7686176AA= Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=sf6nnJ16; dmarc=pass (policy=none) header.from=groups.io; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io From: Chris Ruffin Expand the availability of the RSAEP-OAEP crypto capability in BaseCryptLib. Applications using RSA crypto functions directly from OpensslLib can transition to BaseCryptLib to take advantage of the shared crypto feature in CryptoDxe. Pkcs1v2Decrypt(): decryption using DER-encoded private key RsaOaepEncrypt(): encryption using RSA contexts RsaOaepDecrypt(): decryption using RSA contexts Signed-off-by: Chris Ruffin Cc: Jiewen Yao Cc: Yi Li Cc: Wenxing Hou --- CryptoPkg/Include/Library/BaseCryptLib.h | 102 ++++ .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c | 506 ++++++++++++++++-- .../BaseCryptLib/Pk/CryptPkcs1OaepNull.c | 114 ++++ .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c | 114 ++++ 4 files changed, 789 insertions(+), 47 deletions(-) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index a52bd91ad6..7ad2bf21fe 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2147,6 +2147,108 @@ Pkcs1v2Encrypt ( OUT UINTN *EncryptedDataSize=0D );=0D =0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + );=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + );=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + );=0D +=0D /**=0D The 3rd parameter of Pkcs7GetSigners will return all embedded=0D X.509 certificate in one given PKCS7 signature. The format is:=0D diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c b/CryptoPkg= /Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c index ea43c1381c..00e904dd6c 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c @@ -26,9 +26,8 @@ - Data size is too large for the provided key size (max size is a functi= on of key size=0D and hash digest size).=0D =0D - @param[in] PublicKey A pointer to the DER-encoded X509 certif= icate that=0D + @param[in] Pkey A pointer to an EVP_PKEY struct that=0D will be used to encrypt the data.=0D - @param[in] PublicKeySize Size of the X509 cert buffer.=0D @param[in] InData Data to be encrypted.=0D @param[in] InDataSize Size of the data buffer.=0D @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D @@ -45,9 +44,8 @@ **/=0D BOOLEAN=0D EFIAPI=0D -Pkcs1v2Encrypt (=0D - IN CONST UINT8 *PublicKey,=0D - IN UINTN PublicKeySize,=0D +InternalPkcs1v2Encrypt (=0D + EVP_PKEY *Pkey,=0D IN UINT8 *InData,=0D IN UINTN InDataSize,=0D IN CONST UINT8 *PrngSeed OPTIONAL,=0D @@ -57,9 +55,6 @@ Pkcs1v2Encrypt ( )=0D {=0D BOOLEAN Result;=0D - CONST UINT8 *TempPointer;=0D - X509 *CertData;=0D - EVP_PKEY *InternalPublicKey;=0D EVP_PKEY_CTX *PkeyCtx;=0D UINT8 *OutData;=0D UINTN OutDataSize;=0D @@ -67,28 +62,15 @@ Pkcs1v2Encrypt ( //=0D // Check input parameters.=0D //=0D - if ((PublicKey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D + if ((Pkey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D {=0D return FALSE;=0D }=0D =0D - //=0D - // Check public key size.=0D - //=0D - if (PublicKeySize > 0xFFFFFFFF) {=0D - //=0D - // Public key size is too large for implementation.=0D - //=0D - return FALSE;=0D - }=0D -=0D *EncryptedData =3D NULL;=0D *EncryptedDataSize =3D 0;=0D Result =3D FALSE;=0D - TempPointer =3D NULL;=0D - CertData =3D NULL;=0D - InternalPublicKey =3D NULL;=0D PkeyCtx =3D NULL;=0D OutData =3D NULL;=0D OutDataSize =3D 0;=0D @@ -104,6 +86,154 @@ Pkcs1v2Encrypt ( RandomSeed (NULL, 0);=0D }=0D =0D + //=0D + // Create a context for the public key operation.=0D + //=0D + PkeyCtx =3D EVP_PKEY_CTX_new (Pkey, NULL);=0D + if (PkeyCtx =3D=3D NULL) {=0D + //=0D + // Fail to create contex.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Initialize the context and set the desired padding.=0D + //=0D + if ((EVP_PKEY_encrypt_init (PkeyCtx) <=3D 0) ||=0D + (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <=3D= 0))=0D + {=0D + //=0D + // Fail to initialize the context.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Determine the required buffer length for malloc'ing.=0D + //=0D + if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= =3D 0) {=0D + //=0D + // Fail to determine output buffer size.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Allocate a buffer for the output data.=0D + //=0D + OutData =3D AllocatePool (OutDataSize);=0D + if (OutData =3D=3D NULL) {=0D + //=0D + // Fail to allocate the output buffer.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Encrypt Data.=0D + //=0D + if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize= ) <=3D 0) {=0D + //=0D + // Fail to encrypt data, need to free the output buffer.=0D + //=0D + FreePool (OutData);=0D + OutData =3D NULL;=0D + OutDataSize =3D 0;=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Encrypt done.=0D + //=0D + *EncryptedData =3D OutData;=0D + *EncryptedDataSize =3D OutDataSize;=0D + Result =3D TRUE;=0D +=0D +_Exit:=0D + //=0D + // Release Resources=0D + //=0D + if (PkeyCtx !=3D NULL) {=0D + EVP_PKEY_CTX_free (PkeyCtx);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to parse X509 certificate.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] PublicKey A pointer to the DER-encoded X509 certif= icate that=0D + will be used to encrypt the data.=0D + @param[in] PublicKeySize Size of the X509 cert buffer.=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Encrypt (=0D + IN CONST UINT8 *PublicKey,=0D + IN UINTN PublicKeySize,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + CONST UINT8 *TempPointer;=0D + X509 *CertData;=0D + EVP_PKEY *Pkey;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((PublicKey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D + (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + //=0D + // Check public key size.=0D + //=0D + if (PublicKeySize > 0xFFFFFFFF) {=0D + //=0D + // Public key size is too large for implementation.=0D + //=0D + return FALSE;=0D + }=0D +=0D + *EncryptedData =3D NULL;=0D + *EncryptedDataSize =3D 0;=0D + Result =3D FALSE;=0D + TempPointer =3D NULL;=0D + CertData =3D NULL;=0D + Pkey =3D NULL;=0D +=0D //=0D // Parse the X509 cert and extract the public key.=0D //=0D @@ -120,52 +250,201 @@ Pkcs1v2Encrypt ( // Extract the public key from the x509 cert in a format that=0D // OpenSSL can use.=0D //=0D - InternalPublicKey =3D X509_get_pubkey (CertData);=0D - if (InternalPublicKey =3D=3D NULL) {=0D + Pkey =3D X509_get_pubkey (CertData);=0D + if (Pkey =3D=3D NULL) {=0D //=0D // Fail to extract public key.=0D //=0D goto _Exit;=0D }=0D =0D + Result =3D InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, P= rngSeedSize, EncryptedData, EncryptedDataSize);=0D +=0D +_Exit:=0D //=0D - // Create a context for the public key operation.=0D + // Release Resources=0D + //=0D + if (CertData !=3D NULL) {=0D + X509_free (CertData);=0D + }=0D +=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D +=0D //=0D - PkeyCtx =3D EVP_PKEY_CTX_new (InternalPublicKey, NULL);=0D + // Check input parameters.=0D + //=0D + if (((RsaContext =3D=3D NULL) || (InData =3D=3D NULL)) ||=0D + (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + *EncryptedData =3D NULL;=0D + *EncryptedDataSize =3D 0;=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D +=0D + Pkey =3D EVP_PKEY_new ();=0D + if (Pkey =3D=3D NULL) {=0D + goto _Exit;=0D + }=0D +=0D + if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) =3D=3D 0) {=0D + goto _Exit;=0D + }=0D +=0D + Result =3D InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, P= rngSeedSize, EncryptedData, EncryptedDataSize);=0D +=0D +_Exit:=0D + //=0D + // Release Resources=0D + //=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] Pkey A pointer to an EVP_PKEY which will decr= ypt that data.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +InternalPkcs1v2Decrypt (=0D + EVP_PKEY *Pkey,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY_CTX *PkeyCtx;=0D + UINT8 *TempData;=0D + UINTN TempDataSize;=0D + INTN ReturnCode;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((Pkey =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + PkeyCtx =3D NULL;=0D + TempData =3D NULL;=0D + TempDataSize =3D 0;=0D +=0D + //=0D + // Create a context for the decryption operation.=0D + //=0D + PkeyCtx =3D EVP_PKEY_CTX_new (Pkey, NULL);=0D if (PkeyCtx =3D=3D NULL) {=0D //=0D // Fail to create contex.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));=0D goto _Exit;=0D }=0D =0D //=0D // Initialize the context and set the desired padding.=0D //=0D - if ((EVP_PKEY_encrypt_init (PkeyCtx) <=3D 0) ||=0D + if ((EVP_PKEY_decrypt_init (PkeyCtx) <=3D 0) ||=0D (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <=3D= 0))=0D {=0D //=0D // Fail to initialize the context.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__= ));=0D goto _Exit;=0D }=0D =0D //=0D // Determine the required buffer length for malloc'ing.=0D //=0D - if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= =3D 0) {=0D + ReturnCode =3D EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, Encrypted= Data, EncryptedDataSize);=0D + if (ReturnCode <=3D 0) {=0D //=0D // Fail to determine output buffer size.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine outp= ut buffer size (rc=3D%d)\n", __func__, ReturnCode));=0D goto _Exit;=0D }=0D =0D //=0D // Allocate a buffer for the output data.=0D //=0D - OutData =3D AllocatePool (OutDataSize);=0D - if (OutData =3D=3D NULL) {=0D + TempData =3D AllocatePool (TempDataSize);=0D + if (TempData =3D=3D NULL) {=0D //=0D // Fail to allocate the output buffer.=0D //=0D @@ -173,39 +452,172 @@ Pkcs1v2Encrypt ( }=0D =0D //=0D - // Encrypt Data.=0D + // Decrypt Data.=0D //=0D - if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize= ) <=3D 0) {=0D + ReturnCode =3D EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, Encry= ptedData, EncryptedDataSize);=0D + if (ReturnCode <=3D 0) {=0D //=0D - // Fail to encrypt data, need to free the output buffer.=0D + // Fail to decrypt data, need to free the output buffer.=0D //=0D - FreePool (OutData);=0D - OutData =3D NULL;=0D - OutDataSize =3D 0;=0D + FreePool (TempData);=0D + TempData =3D NULL;=0D + TempDataSize =3D 0;=0D +=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decryp= t (rc=3D%d)\n", __func__, ReturnCode));=0D goto _Exit;=0D }=0D =0D //=0D - // Encrypt done.=0D + // Decrypt done.=0D //=0D - *EncryptedData =3D OutData;=0D - *EncryptedDataSize =3D OutDataSize;=0D - Result =3D TRUE;=0D + *OutData =3D TempData;=0D + *OutDataSize =3D TempDataSize;=0D + Result =3D TRUE;=0D =0D _Exit:=0D + if (PkeyCtx !=3D NULL) {=0D + EVP_PKEY_CTX_free (PkeyCtx);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D + CONST UINT8 *TempPointer;=0D +=0D //=0D - // Release Resources=0D + // Check input parameters.=0D //=0D - if (CertData !=3D NULL) {=0D - X509_free (CertData);=0D + if ((PrivateKey =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D + TempPointer =3D NULL;=0D +=0D + //=0D + // Parse the private key.=0D + //=0D + TempPointer =3D PrivateKey;=0D + Pkey =3D d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT= 32)PrivateKeySize);=0D + if (Pkey =3D=3D NULL) {=0D + //=0D + // Fail to parse private key.=0D + //=0D + DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));=0D + goto _Exit;=0D }=0D =0D - if (InternalPublicKey !=3D NULL) {=0D - EVP_PKEY_free (InternalPublicKey);=0D + Result =3D InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSiz= e, OutData, OutDataSize);=0D +=0D +_Exit:=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D }=0D =0D - if (PkeyCtx !=3D NULL) {=0D - EVP_PKEY_CTX_free (PkeyCtx);=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((RsaContext =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D +=0D + //=0D + // Create a context for the decryption operation.=0D + //=0D +=0D + Pkey =3D EVP_PKEY_new ();=0D + if (Pkey =3D=3D NULL) {=0D + goto _Exit;=0D + }=0D +=0D + if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) =3D=3D 0) {=0D + goto _Exit;=0D + }=0D +=0D + Result =3D InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSiz= e, OutData, OutDataSize);=0D +=0D +_Exit:=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D }=0D =0D return Result;=0D diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c b/Crypt= oPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c index 36508947c5..05e074d18e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c @@ -48,3 +48,117 @@ Pkcs1v2Encrypt ( ASSERT (FALSE);=0D return FALSE;=0D }=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c b/C= ryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c index 36508947c5..05e074d18e 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c @@ -48,3 +48,117 @@ Pkcs1v2Encrypt ( ASSERT (FALSE);=0D return FALSE;=0D }=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D --=20 2.44.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#116861): https://edk2.groups.io/g/devel/message/116861 Mute This Topic: https://groups.io/mt/105014749/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-