From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "West, Gary" <gary.west@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Ye, Ting" <ting.ye@intel.com>
Subject: Re: [PATCH v2 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm
Date: Tue, 6 Aug 2019 02:02:18 +0000 [thread overview]
Message-ID: <D827630B58408649ACB04F44C510003625953317@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <20190730215409.26104-2-gary.west@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> -----Original Message-----
> From: West, Gary
> Sent: Wednesday, July 31, 2019 5:54 AM
> To: devel@edk2.groups.io
> Cc: West, Gary <gary.west@intel.com>; West, Gary <gary.west@intel.com>;
> Wang, Jian J <jian.j.wang@intel.com>; Ye, Ting <ting.ye@intel.com>
> Subject: [PATCH v2 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF
> algorithm
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928
>
> 1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
> 2. Implement stub implementation function in CryptHkdfNull.c file.
> 3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
> 4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
> 5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
> RuntimeCryptLib.inf and SmmCryptLib.inf
>
> Signed-off-by: Gary West <Gary.West@intel.com>
> Cc: Jian Wang <jian.j.wang@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> ---
> CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | 1 +
> CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 4 +-
> CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 1 +
> CryptoPkg/Include/Library/BaseCryptLib.h | 33 +++++++++
> CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c | 75
> ++++++++++++++++++++
> CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c | 43 +++++++++++
> 7 files changed, 155 insertions(+), 3 deletions(-)
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 020df3c19b3c..8d4988e8c6b4 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -37,6 +37,7 @@ [Sources]
> Hmac/CryptHmacMd5.c
> Hmac/CryptHmacSha1.c
> Hmac/CryptHmacSha256.c
> + Kdf/CryptHkdf.c
> Cipher/CryptAes.c
> Cipher/CryptTdes.c
> Cipher/CryptArc4.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index 99dbad23ed5d..3da8bd848017 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -44,10 +44,10 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> -
> Pk/CryptRsaBasic.c
> Pk/CryptRsaExtNull.c
> Pk/CryptPkcs1OaepNull.c
> @@ -56,13 +56,11 @@ [Sources]
> Pk/CryptPkcs7VerifyCommon.c
> Pk/CryptPkcs7VerifyBase.c
> Pk/CryptPkcs7VerifyEku.c
> -
> Pk/CryptDhNull.c
> Pk/CryptX509Null.c
> Pk/CryptAuthenticodeNull.c
> Pk/CryptTsNull.c
> Pem/CryptPemNull.c
> -
> Rand/CryptRandNull.c
>
> SysCall/CrtWrapper.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 0e58d2b5b0ea..21a481eb7767 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -43,6 +43,7 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256Null.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAesNull.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index c79f2bf4c6c0..7c187e21b3b9 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -43,6 +43,7 @@ [Sources]
> Hmac/CryptHmacMd5Null.c
> Hmac/CryptHmacSha1Null.c
> Hmac/CryptHmacSha256.c
> + Kdf/CryptHkdfNull.c
> Cipher/CryptAes.c
> Cipher/CryptTdesNull.c
> Cipher/CryptArc4Null.c
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 19d1afe3c8c0..da32bb2444fd 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -3122,4 +3122,37 @@ RandomBytes (
> IN UINTN Size
> );
>
> +//========================================================
> =============================
> +// Key Derivation Function Primitive
> +//========================================================
> =============================
> +
> +/**
> + Derive key data using HMAC-SHA256 based KDF.
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + );
> +
> #endif // __BASE_CRYPT_LIB_H__
> diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
> b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
> new file mode 100644
> index 000000000000..f0fcef211d3f
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
> @@ -0,0 +1,75 @@
> +/** @file
> + HMAC-SHA256 KDF Wrapper Implementation over OpenSSL.
> +
> +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseCryptLib.h>
> +#include <openssl/evp.h>
> +#include <openssl/kdf.h>
> +
> +/**
> + Derive HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + )
> +{
> + EVP_PKEY_CTX *pHkdfCtx;
> + BOOLEAN Result;
> +
> + if (Key == NULL || Salt == NULL || Info == NULL || Out == NULL ||
> + KeySize > INT_MAX || SaltSize > INT_MAX || InfoSize > INT_MAX ||
> OutSize > INT_MAX ) {
> + return FALSE;
> + }
> +
> + pHkdfCtx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
> + if (pHkdfCtx == NULL) {
> + return FALSE;
> + }
> +
> + Result = EVP_PKEY_derive_init(pHkdfCtx) > 0;
> + if (Result) {
> + Result = EVP_PKEY_CTX_set_hkdf_md(pHkdfCtx, EVP_sha256()) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_set1_hkdf_salt(pHkdfCtx, Salt,
> (UINT32)SaltSize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_set1_hkdf_key(pHkdfCtx, Key,
> (UINT32)KeySize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_CTX_add1_hkdf_info(pHkdfCtx, Info,
> (UINT32)InfoSize) > 0;
> + }
> + if (Result) {
> + Result = EVP_PKEY_derive(pHkdfCtx, Out, &OutSize) > 0;
> + }
> +
> + EVP_PKEY_CTX_free(pHkdfCtx);
> + pHkdfCtx = NULL;
> + return Result;
> +}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
> b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
> new file mode 100644
> index 000000000000..73deb5bc3614
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
> @@ -0,0 +1,43 @@
> +/** @file
> + HMAC-SHA256 KDF Wrapper Implementation which does not provide
> real capabilities.
> +
> +Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +
> +/**
> + Derive key data using HMAC-SHA256 based KDF.
> +
> + @param[in] Key Pointer to the user-supplied key.
> + @param[in] KeySize Key size in bytes.
> + @param[in] Salt Pointer to the salt(non-secret) value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[in] Info Pointer to the application specific info.
> + @param[in] InfoSize Info size in bytes.
> + @param[Out] Out Pointer to buffer to receive hkdf value.
> + @param[in] OutSize Size of hkdf bytes to generate.
> +
> + @retval TRUE Hkdf generated successfully.
> + @retval FALSE Hkdf generation failed.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +HkdfSha256ExtractAndExpand (
> + IN CONST UINT8 *Key,
> + IN UINTN KeySize,
> + IN CONST UINT8 *Salt,
> + IN UINTN SaltSize,
> + IN CONST UINT8 *Info,
> + IN UINTN InfoSize,
> + OUT UINT8 *Out,
> + IN UINTN OutSize
> + )
> +{
> + ASSERT (FALSE);
> + return FALSE;
> +}
> --
> 2.19.1.windows.1
next prev parent reply other threads:[~2019-08-06 2:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-30 21:54 [PATCH v2 0/1] Add support for HKDF Gary West
2019-07-30 21:54 ` [PATCH v2 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm Gary West
2019-08-06 2:02 ` Wang, Jian J [this message]
[not found] ` <15B832FF860ADD95.3070@groups.io>
2019-08-09 1:43 ` [edk2-devel] " Wang, Jian J
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D827630B58408649ACB04F44C510003625953317@SHSMSX107.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox