public inbox for devel@edk2.groups.io
From: "Wenxing Hou" <wenxing.hou@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>, Yi Li <yi1.li@intel.com>
Subject: [edk2-devel] [PATCH v2 1/9] CryptoPkg: Add AeadAesGcm based on Mbedtls
Date: Tue, 23 Apr 2024 10:34:24 +0800
Message-ID: <20240423023432.2147-2-wenxing.hou@intel.com>
In-Reply-To: <20240423023432.2147-1-wenxing.hou@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

AeadAesGcm implementation based on Mbedtls.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
---
 .../Cipher/CryptAeadAesGcm.c                  | 227 ++++++++++++++++++
 1 file changed, 227 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
new file mode 100644
index 0000000000..b49d6f9f87
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
@@ -0,0 +1,227 @@
+/** @file
+  AEAD (AES-GCM) Wrapper Implementation over MbedTLS.
+
+  RFC 5116 - An Interface and Algorithms for Authenticated Encryption
+  NIST SP800-38d - Cipher Modes of Operation: Galois / Counter Mode(GCM) and GMAC
+
+Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+#include <mbedtls/gcm.h>
+
+/**
+  Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+  IvSize must be 12, otherwise FALSE is returned.
+  KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+  TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+  @param[in]   Key         Pointer to the encryption key.
+  @param[in]   KeySize     Size of the encryption key in bytes.
+  @param[in]   Iv          Pointer to the IV value.
+  @param[in]   IvSize      Size of the IV value in bytes.
+  @param[in]   AData       Pointer to the additional authenticated data (AAD).
+  @param[in]   ADataSize   Size of the additional authenticated data (AAD) in bytes.
+  @param[in]   DataIn      Pointer to the input data buffer to be encrypted.
+  @param[in]   DataInSize  Size of the input data buffer in bytes.
+  @param[out]  TagOut      Pointer to a buffer that receives the authentication tag output.
+  @param[in]   TagSize     Size of the authentication tag in bytes.
+  @param[out]  DataOut     Pointer to a buffer that receives the encryption output.
+  @param[out]  DataOutSize Size of the output data buffer in bytes.
+
+  @retval TRUE   AEAD AES-GCM authenticated encryption succeeded.
+  @retval FALSE  AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+  IN   CONST UINT8  *Key,
+  IN   UINTN        KeySize,
+  IN   CONST UINT8  *Iv,
+  IN   UINTN        IvSize,
+  IN   CONST UINT8  *AData,
+  IN   UINTN        ADataSize,
+  IN   CONST UINT8  *DataIn,
+  IN   UINTN        DataInSize,
+  OUT  UINT8        *TagOut,
+  IN   UINTN        TagSize,
+  OUT  UINT8        *DataOut,
+  OUT  UINTN        *DataOutSize
+  )
+{
+  mbedtls_gcm_context  Ctx;
+  INT32                Ret;
+
+  if (DataInSize > INT_MAX) {
+    return FALSE;
+  }
+
+  if (ADataSize > INT_MAX) {
+    return FALSE;
+  }
+
+  if (IvSize != 12) {
+    return FALSE;
+  }
+
+  switch (KeySize) {
+    case 16:
+    case 24:
+    case 32:
+      break;
+    default:
+      return FALSE;
+  }
+
+  if ((TagSize != 12) && (TagSize != 13) && (TagSize != 14) && (TagSize != 15) && (TagSize != 16)) {
+    return FALSE;
+  }
+
+  if (DataOutSize != NULL) {
+    if ((*DataOutSize > INT_MAX) || (*DataOutSize < DataInSize)) {
+      return FALSE;
+    }
+  }
+
+  mbedtls_gcm_init (&Ctx);
+
+  Ret = mbedtls_gcm_setkey (&Ctx, MBEDTLS_CIPHER_ID_AES, Key, (UINT32)(KeySize * 8));
+  if (Ret != 0) {
+    return FALSE;
+  }
+
+  Ret = mbedtls_gcm_crypt_and_tag (
+          &Ctx,
+          MBEDTLS_GCM_ENCRYPT,
+          (UINT32)DataInSize,
+          Iv,
+          (UINT32)IvSize,
+          AData,
+          (UINT32)ADataSize,
+          DataIn,
+          DataOut,
+          TagSize,
+          TagOut
+          );
+  mbedtls_gcm_free (&Ctx);
+  if (Ret != 0) {
+    return FALSE;
+  }
+
+  if (DataOutSize != NULL) {
+    *DataOutSize = DataInSize;
+  }
+
+  return TRUE;
+}
+
+/**
+  Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+  IvSize must be 12, otherwise FALSE is returned.
+  KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+  TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+  If additional authenticated data verification fails, FALSE is returned.
+
+  @param[in]   Key         Pointer to the encryption key.
+  @param[in]   KeySize     Size of the encryption key in bytes.
+  @param[in]   Iv          Pointer to the IV value.
+  @param[in]   IvSize      Size of the IV value in bytes.
+  @param[in]   AData       Pointer to the additional authenticated data (AAD).
+  @param[in]   ADataSize   Size of the additional authenticated data (AAD) in bytes.
+  @param[in]   DataIn      Pointer to the input data buffer to be decrypted.
+  @param[in]   DataInSize  Size of the input data buffer in bytes.
+  @param[in]   Tag         Pointer to a buffer that contains the authentication tag.
+  @param[in]   TagSize     Size of the authentication tag in bytes.
+  @param[out]  DataOut     Pointer to a buffer that receives the decryption output.
+  @param[out]  DataOutSize Size of the output data buffer in bytes.
+
+  @retval TRUE   AEAD AES-GCM authenticated decryption succeeded.
+  @retval FALSE  AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+  IN   CONST UINT8  *Key,
+  IN   UINTN        KeySize,
+  IN   CONST UINT8  *Iv,
+  IN   UINTN        IvSize,
+  IN   CONST UINT8  *AData,
+  IN   UINTN        ADataSize,
+  IN   CONST UINT8  *DataIn,
+  IN   UINTN        DataInSize,
+  IN   CONST UINT8  *Tag,
+  IN   UINTN        TagSize,
+  OUT  UINT8        *DataOut,
+  OUT  UINTN        *DataOutSize
+  )
+{
+  mbedtls_gcm_context  Ctx;
+  INT32                Ret;
+
+  if (DataInSize > INT_MAX) {
+    return FALSE;
+  }
+
+  if (ADataSize > INT_MAX) {
+    return FALSE;
+  }
+
+  if (IvSize != 12) {
+    return FALSE;
+  }
+
+  switch (KeySize) {
+    case 16:
+    case 24:
+    case 32:
+      break;
+    default:
+      return FALSE;
+  }
+
+  if ((TagSize != 12) && (TagSize != 13) && (TagSize != 14) && (TagSize != 15) && (TagSize != 16)) {
+    return FALSE;
+  }
+
+  if (DataOutSize != NULL) {
+    if ((*DataOutSize > INT_MAX) || (*DataOutSize < DataInSize)) {
+      return FALSE;
+    }
+  }
+
+  mbedtls_gcm_init (&Ctx);
+
+  Ret = mbedtls_gcm_setkey (&Ctx, MBEDTLS_CIPHER_ID_AES, Key, (UINT32)(KeySize * 8));
+  if (Ret != 0) {
+    return FALSE;
+  }
+
+  Ret = mbedtls_gcm_auth_decrypt (
+          &Ctx,
+          (UINT32)DataInSize,
+          Iv,
+          (UINT32)IvSize,
+          AData,
+          (UINT32)ADataSize,
+          Tag,
+          (UINT32)TagSize,
+          DataIn,
+          DataOut
+          );
+  mbedtls_gcm_free (&Ctx);
+  if (Ret != 0) {
+    return FALSE;
+  }
+
+  if (DataOutSize != NULL) {
+    *DataOutSize = DataInSize;
+  }
+
+  return TRUE;
+}
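
Review bot: The early return after a failed mbedtls_gcm_setkey, in both AeadAesGcmEncrypt and AeadAesGcmDecrypt, skips mbedtls_gcm_free (&Ctx), which is only reached after the crypt/auth_decrypt call, so the initialised context is never released on that path. Call mbedtls_gcm_free (&Ctx) before that "return FALSE", or route every exit after mbedtls_gcm_init through one cleanup label. Smaller points in the same functions: DataOutSize is declared OUT and documented @param[out], yet "*DataOutSize < DataInSize" reads it as the caller's buffer size, so it should be IN OUT / @param[in, out], and when it is NULL nothing bounds the write to DataOut; Key, Iv, TagOut/Tag and DataOut are handed to MbedTLS without a NULL check, and AData/DataIn are not checked against a non-zero size; TagSize is passed uncast in the encrypt call but as (UINT32)TagSize in the decrypt call, so pick one form. The size, IV, key and tag validation is duplicated verbatim across the two functions and would be easier to keep in sync as one static helper.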
-- 
2.26.2.windows.1


