From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 678E9740034 for ; Mon, 18 Mar 2024 23:19:11 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=l5itr7b3Qgwx4kDk9G1x+QI5nhul1puhgeXO8EvNECs=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Feedback-ID:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20240206; t=1710803950; v=1; b=eS0COcc2RCdmM70/s+AdiPAA9ORFfXY3TmfN4zAbA0fZG9NU3I4z5F61H24l2wPn9AacIPvV 7rL+qC0n1ChbZqi59qY/qdI4/gm50E46poktGuGvPHmxJB67c5847ScY1v+mlnOunsrEy4NMpGo RjbJKF4EnLnt4KNkZsgQef9rfmDa/diVBV7+QJ3VPQc5OnzyIyt3Y7+x+QbcoBl3N2Af2n8TEyt 30+d/h/CojfhL8b1aQcFV/Y2SEVN3MHWXY5UfaXq0ipVatsjEu/QxlCoJ7cwQdllpHTkB61QjYU itwMrPgWkUvWuM6Ae+GRjyhvs+XITAD/edMB9u3BcsMEQ== X-Received: by 127.0.0.2 with SMTP id XbGgYY7687511xg4TgtSf5zF; Mon, 18 Mar 2024 16:19:10 -0700 X-Received: from a2i971.smtp2go.com (a2i971.smtp2go.com [103.47.207.203]) by mx.groups.io with SMTP id smtpd.web10.178.1710798753648608885 for ; Mon, 18 Mar 2024 14:52:33 -0700 X-Received: from [10.45.79.71] (helo=SmtpCorp) by smtpcorp.com with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2-S2G) (envelope-from ) id 1rmKuG-gL4QKW-2k; Mon, 18 Mar 2024 21:52:32 +0000 X-Received: from [10.90.237.184] (helo=localhost.localdomain) by smtpcorp.com with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96.1-S2G) (envelope-from ) id 1rmKuF-Dv5ZTA-0f; Mon, 18 Mar 2024 21:52:31 +0000 From: "Chris Ruffin via groups.io" To: devel@edk2.groups.io Cc: Chris Ruffin , Jiewen Yao , Yi Li , Wenxing Hou Subject: [edk2-devel] [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto functions Date: Mon, 18 Mar 2024 17:52:03 -0400 Message-ID: <20240318215205.1339-1-cruffin@millcore.com> MIME-Version: 1.0 X-Smtpcorp-Track: 1rXKIFDv5ZTj0f.AH--Bqh3AyCKL Feedback-ID: 401384m:401384aZcXcRg:401384s7enTrO59a X-Report-Abuse: Please forward a copy of this message, including all headers, to Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 18 Mar 2024 16:19:09 -0700 Reply-To: devel@edk2.groups.io,cruffin@millcore.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: Kl42XMuPM2dNlazTjL8IfcpEx7686176AA= Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=eS0COcc2; dmarc=pass (policy=none) header.from=groups.io; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io From: Chris Ruffin Expand the availability of the RSAEP-OAEP crypto capability in BaseCryptLib. Applications using RSA crypto functions directly from OpensslLib can transition to BaseCryptLib to take advantage of the shared crypto feature in CryptoDxe. Pkcs1v2Decrypt(): decryption using DER-encoded private key RsaOaepEncrypt(): encryption using RSA contexts RsaOaepDecrypt(): decryption using RSA contexts Signed-off-by: Chris Ruffin Cc: Jiewen Yao Cc: Yi Li Cc: Wenxing Hou --- CryptoPkg/Include/Library/BaseCryptLib.h | 102 ++++ .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c | 506 ++++++++++++++++-- .../BaseCryptLib/Pk/CryptPkcs1OaepNull.c | 114 ++++ .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c | 114 ++++ 4 files changed, 789 insertions(+), 47 deletions(-) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index a52bd91ad6..7ad2bf21fe 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2147,6 +2147,108 @@ Pkcs1v2Encrypt ( OUT UINTN *EncryptedDataSize=0D );=0D =0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + );=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + );=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + );=0D +=0D /**=0D The 3rd parameter of Pkcs7GetSigners will return all embedded=0D X.509 certificate in one given PKCS7 signature. The format is:=0D diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c b/CryptoPkg= /Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c index ea43c1381c..00e904dd6c 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c @@ -26,9 +26,8 @@ - Data size is too large for the provided key size (max size is a functi= on of key size=0D and hash digest size).=0D =0D - @param[in] PublicKey A pointer to the DER-encoded X509 certif= icate that=0D + @param[in] Pkey A pointer to an EVP_PKEY struct that=0D will be used to encrypt the data.=0D - @param[in] PublicKeySize Size of the X509 cert buffer.=0D @param[in] InData Data to be encrypted.=0D @param[in] InDataSize Size of the data buffer.=0D @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D @@ -45,9 +44,8 @@ **/=0D BOOLEAN=0D EFIAPI=0D -Pkcs1v2Encrypt (=0D - IN CONST UINT8 *PublicKey,=0D - IN UINTN PublicKeySize,=0D +InternalPkcs1v2Encrypt (=0D + EVP_PKEY *Pkey,=0D IN UINT8 *InData,=0D IN UINTN InDataSize,=0D IN CONST UINT8 *PrngSeed OPTIONAL,=0D @@ -57,9 +55,6 @@ Pkcs1v2Encrypt ( )=0D {=0D BOOLEAN Result;=0D - CONST UINT8 *TempPointer;=0D - X509 *CertData;=0D - EVP_PKEY *InternalPublicKey;=0D EVP_PKEY_CTX *PkeyCtx;=0D UINT8 *OutData;=0D UINTN OutDataSize;=0D @@ -67,28 +62,15 @@ Pkcs1v2Encrypt ( //=0D // Check input parameters.=0D //=0D - if ((PublicKey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D + if ((Pkey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D {=0D return FALSE;=0D }=0D =0D - //=0D - // Check public key size.=0D - //=0D - if (PublicKeySize > 0xFFFFFFFF) {=0D - //=0D - // Public key size is too large for implementation.=0D - //=0D - return FALSE;=0D - }=0D -=0D *EncryptedData =3D NULL;=0D *EncryptedDataSize =3D 0;=0D Result =3D FALSE;=0D - TempPointer =3D NULL;=0D - CertData =3D NULL;=0D - InternalPublicKey =3D NULL;=0D PkeyCtx =3D NULL;=0D OutData =3D NULL;=0D OutDataSize =3D 0;=0D @@ -104,6 +86,154 @@ Pkcs1v2Encrypt ( RandomSeed (NULL, 0);=0D }=0D =0D + //=0D + // Create a context for the public key operation.=0D + //=0D + PkeyCtx =3D EVP_PKEY_CTX_new (Pkey, NULL);=0D + if (PkeyCtx =3D=3D NULL) {=0D + //=0D + // Fail to create contex.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Initialize the context and set the desired padding.=0D + //=0D + if ((EVP_PKEY_encrypt_init (PkeyCtx) <=3D 0) ||=0D + (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <=3D= 0))=0D + {=0D + //=0D + // Fail to initialize the context.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Determine the required buffer length for malloc'ing.=0D + //=0D + if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= =3D 0) {=0D + //=0D + // Fail to determine output buffer size.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Allocate a buffer for the output data.=0D + //=0D + OutData =3D AllocatePool (OutDataSize);=0D + if (OutData =3D=3D NULL) {=0D + //=0D + // Fail to allocate the output buffer.=0D + //=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Encrypt Data.=0D + //=0D + if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize= ) <=3D 0) {=0D + //=0D + // Fail to encrypt data, need to free the output buffer.=0D + //=0D + FreePool (OutData);=0D + OutData =3D NULL;=0D + OutDataSize =3D 0;=0D + goto _Exit;=0D + }=0D +=0D + //=0D + // Encrypt done.=0D + //=0D + *EncryptedData =3D OutData;=0D + *EncryptedDataSize =3D OutDataSize;=0D + Result =3D TRUE;=0D +=0D +_Exit:=0D + //=0D + // Release Resources=0D + //=0D + if (PkeyCtx !=3D NULL) {=0D + EVP_PKEY_CTX_free (PkeyCtx);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to parse X509 certificate.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] PublicKey A pointer to the DER-encoded X509 certif= icate that=0D + will be used to encrypt the data.=0D + @param[in] PublicKeySize Size of the X509 cert buffer.=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Encrypt (=0D + IN CONST UINT8 *PublicKey,=0D + IN UINTN PublicKeySize,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + CONST UINT8 *TempPointer;=0D + X509 *CertData;=0D + EVP_PKEY *Pkey;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((PublicKey =3D=3D NULL) || (InData =3D=3D NULL) ||=0D + (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + //=0D + // Check public key size.=0D + //=0D + if (PublicKeySize > 0xFFFFFFFF) {=0D + //=0D + // Public key size is too large for implementation.=0D + //=0D + return FALSE;=0D + }=0D +=0D + *EncryptedData =3D NULL;=0D + *EncryptedDataSize =3D 0;=0D + Result =3D FALSE;=0D + TempPointer =3D NULL;=0D + CertData =3D NULL;=0D + Pkey =3D NULL;=0D +=0D //=0D // Parse the X509 cert and extract the public key.=0D //=0D @@ -120,52 +250,201 @@ Pkcs1v2Encrypt ( // Extract the public key from the x509 cert in a format that=0D // OpenSSL can use.=0D //=0D - InternalPublicKey =3D X509_get_pubkey (CertData);=0D - if (InternalPublicKey =3D=3D NULL) {=0D + Pkey =3D X509_get_pubkey (CertData);=0D + if (Pkey =3D=3D NULL) {=0D //=0D // Fail to extract public key.=0D //=0D goto _Exit;=0D }=0D =0D + Result =3D InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, P= rngSeedSize, EncryptedData, EncryptedDataSize);=0D +=0D +_Exit:=0D //=0D - // Create a context for the public key operation.=0D + // Release Resources=0D + //=0D + if (CertData !=3D NULL) {=0D + X509_free (CertData);=0D + }=0D +=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D +=0D //=0D - PkeyCtx =3D EVP_PKEY_CTX_new (InternalPublicKey, NULL);=0D + // Check input parameters.=0D + //=0D + if (((RsaContext =3D=3D NULL) || (InData =3D=3D NULL)) ||=0D + (EncryptedData =3D=3D NULL) || (EncryptedDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + *EncryptedData =3D NULL;=0D + *EncryptedDataSize =3D 0;=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D +=0D + Pkey =3D EVP_PKEY_new ();=0D + if (Pkey =3D=3D NULL) {=0D + goto _Exit;=0D + }=0D +=0D + if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) =3D=3D 0) {=0D + goto _Exit;=0D + }=0D +=0D + Result =3D InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, P= rngSeedSize, EncryptedData, EncryptedDataSize);=0D +=0D +_Exit:=0D + //=0D + // Release Resources=0D + //=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] Pkey A pointer to an EVP_PKEY which will decr= ypt that data.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +InternalPkcs1v2Decrypt (=0D + EVP_PKEY *Pkey,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY_CTX *PkeyCtx;=0D + UINT8 *TempData;=0D + UINTN TempDataSize;=0D + INTN ReturnCode;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((Pkey =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + PkeyCtx =3D NULL;=0D + TempData =3D NULL;=0D + TempDataSize =3D 0;=0D +=0D + //=0D + // Create a context for the decryption operation.=0D + //=0D + PkeyCtx =3D EVP_PKEY_CTX_new (Pkey, NULL);=0D if (PkeyCtx =3D=3D NULL) {=0D //=0D // Fail to create contex.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));=0D goto _Exit;=0D }=0D =0D //=0D // Initialize the context and set the desired padding.=0D //=0D - if ((EVP_PKEY_encrypt_init (PkeyCtx) <=3D 0) ||=0D + if ((EVP_PKEY_decrypt_init (PkeyCtx) <=3D 0) ||=0D (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <=3D= 0))=0D {=0D //=0D // Fail to initialize the context.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__= ));=0D goto _Exit;=0D }=0D =0D //=0D // Determine the required buffer length for malloc'ing.=0D //=0D - if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= =3D 0) {=0D + ReturnCode =3D EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, Encrypted= Data, EncryptedDataSize);=0D + if (ReturnCode <=3D 0) {=0D //=0D // Fail to determine output buffer size.=0D //=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine outp= ut buffer size (rc=3D%d)\n", __func__, ReturnCode));=0D goto _Exit;=0D }=0D =0D //=0D // Allocate a buffer for the output data.=0D //=0D - OutData =3D AllocatePool (OutDataSize);=0D - if (OutData =3D=3D NULL) {=0D + TempData =3D AllocatePool (TempDataSize);=0D + if (TempData =3D=3D NULL) {=0D //=0D // Fail to allocate the output buffer.=0D //=0D @@ -173,39 +452,172 @@ Pkcs1v2Encrypt ( }=0D =0D //=0D - // Encrypt Data.=0D + // Decrypt Data.=0D //=0D - if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize= ) <=3D 0) {=0D + ReturnCode =3D EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, Encry= ptedData, EncryptedDataSize);=0D + if (ReturnCode <=3D 0) {=0D //=0D - // Fail to encrypt data, need to free the output buffer.=0D + // Fail to decrypt data, need to free the output buffer.=0D //=0D - FreePool (OutData);=0D - OutData =3D NULL;=0D - OutDataSize =3D 0;=0D + FreePool (TempData);=0D + TempData =3D NULL;=0D + TempDataSize =3D 0;=0D +=0D + DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decryp= t (rc=3D%d)\n", __func__, ReturnCode));=0D goto _Exit;=0D }=0D =0D //=0D - // Encrypt done.=0D + // Decrypt done.=0D //=0D - *EncryptedData =3D OutData;=0D - *EncryptedDataSize =3D OutDataSize;=0D - Result =3D TRUE;=0D + *OutData =3D TempData;=0D + *OutDataSize =3D TempDataSize;=0D + Result =3D TRUE;=0D =0D _Exit:=0D + if (PkeyCtx !=3D NULL) {=0D + EVP_PKEY_CTX_free (PkeyCtx);=0D + }=0D +=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D + CONST UINT8 *TempPointer;=0D +=0D //=0D - // Release Resources=0D + // Check input parameters.=0D //=0D - if (CertData !=3D NULL) {=0D - X509_free (CertData);=0D + if ((PrivateKey =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D + TempPointer =3D NULL;=0D +=0D + //=0D + // Parse the private key.=0D + //=0D + TempPointer =3D PrivateKey;=0D + Pkey =3D d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT= 32)PrivateKeySize);=0D + if (Pkey =3D=3D NULL) {=0D + //=0D + // Fail to parse private key.=0D + //=0D + DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));=0D + goto _Exit;=0D }=0D =0D - if (InternalPublicKey !=3D NULL) {=0D - EVP_PKEY_free (InternalPublicKey);=0D + Result =3D InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSiz= e, OutData, OutDataSize);=0D +=0D +_Exit:=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D }=0D =0D - if (PkeyCtx !=3D NULL) {=0D - EVP_PKEY_CTX_free (PkeyCtx);=0D + return Result;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + BOOLEAN Result;=0D + EVP_PKEY *Pkey;=0D +=0D + //=0D + // Check input parameters.=0D + //=0D + if ((RsaContext =3D=3D NULL) || (EncryptedData =3D=3D NULL) ||=0D + (OutData =3D=3D NULL) || (OutDataSize =3D=3D NULL))=0D + {=0D + return FALSE;=0D + }=0D +=0D + Result =3D FALSE;=0D + Pkey =3D NULL;=0D +=0D + //=0D + // Create a context for the decryption operation.=0D + //=0D +=0D + Pkey =3D EVP_PKEY_new ();=0D + if (Pkey =3D=3D NULL) {=0D + goto _Exit;=0D + }=0D +=0D + if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) =3D=3D 0) {=0D + goto _Exit;=0D + }=0D +=0D + Result =3D InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSiz= e, OutData, OutDataSize);=0D +=0D +_Exit:=0D + if (Pkey !=3D NULL) {=0D + EVP_PKEY_free (Pkey);=0D }=0D =0D return Result;=0D diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c b/Crypt= oPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c index 36508947c5..05e074d18e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c @@ -48,3 +48,117 @@ Pkcs1v2Encrypt ( ASSERT (FALSE);=0D return FALSE;=0D }=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c b/C= ryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c index 36508947c5..05e074d18e 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c @@ -48,3 +48,117 @@ Pkcs1v2Encrypt ( ASSERT (FALSE);=0D return FALSE;=0D }=0D +=0D +/**=0D + Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + encrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - X509 key size does not match any known key size.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D + - Data size is too large for the provided key size (max size is a functi= on of key size=0D + and hash digest size).=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a public key using RsaS= etKey().=0D + @param[in] InData Data to be encrypted.=0D + @param[in] InDataSize Size of the data buffer.=0D + @param[in] PrngSeed [Optional] If provided, a pointer to a r= andom seed buffer=0D + to be used when initializing the PRNG. N= ULL otherwise.=0D + @param[in] PrngSeedSize [Optional] If provided, size of the rand= om seed buffer.=0D + 0 otherwise.=0D + @param[out] EncryptedData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] EncryptedDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepEncrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *InData,=0D + IN UINTN InDataSize,=0D + IN CONST UINT8 *PrngSeed OPTIONAL,=0D + IN UINTN PrngSeedSize OPTIONAL,=0D + OUT UINT8 **EncryptedData,=0D + OUT UINTN *EncryptedDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] PrivateKey A pointer to the DER-encoded private key= .=0D + @param[in] PrivateKeySize Size of the private key buffer.=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Pkcs1v2Decrypt (=0D + IN CONST UINT8 *PrivateKey,=0D + IN UINTN PrivateKeySize,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D +=0D +/**=0D + Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will retu= rn the=0D + decrypted message in a newly allocated buffer.=0D +=0D + Things that can cause a failure include:=0D + - Fail to parse private key.=0D + - Fail to allocate an intermediate buffer.=0D + - Null pointer provided for a non-optional parameter.=0D +=0D + @param[in] RsaContext A pointer to an RSA context created by R= saNew() and=0D + provisioned with a private key using Rsa= SetKey().=0D + @param[in] EncryptedData Data to be decrypted.=0D + @param[in] EncryptedDataSize Size of the encrypted buffer.=0D + @param[out] OutData Pointer to an allocated buffer containin= g the encrypted=0D + message.=0D + @param[out] OutDataSize Size of the encrypted message buffer.=0D +=0D + @retval TRUE Encryption was successful.=0D + @retval FALSE Encryption failed.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +RsaOaepDecrypt (=0D + IN VOID *RsaContext,=0D + IN UINT8 *EncryptedData,=0D + IN UINTN EncryptedDataSize,=0D + OUT UINT8 **OutData,=0D + OUT UINTN *OutDataSize=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return FALSE;=0D +}=0D --=20 2.44.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#116870): https://edk2.groups.io/g/devel/message/116870 Mute This Topic: https://groups.io/mt/105014749/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-