From: "Gary West" <gary.west@intel.com>
To: devel@edk2.groups.io
Cc: Gary West <gary.west@intel.com>, Gary West <Gary.West@intel.com>,
Jian Wang <jian.j.wang@intel.com>, Ting Ye <ting.ye@intel.com>
Subject: [PATCH 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm
Date: Tue, 23 Jul 2019 05:03:55 -0700 [thread overview]
Message-ID: <e5df6b8c87b6703d03d0295032335da8acf9d094.1563818777.git.gary.west@intel.com> (raw)
In-Reply-To: <cover.1563818777.git.gary.west@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1928
1. Implement OpenSSL HKDF wrapped function in CryptHkdf.c file.
2. Implement stub implementation function in CryptHkdfNull.c file.
3. Add wrapped HKDF function declaration to BaseCryptLib.h file.
4. Add CryptHkdf.c to module information BaseCryptLib.inf file.
5. Add CryptHkdfNull.c to module information PeiCryptLib.inf,
RuntimeCryptLib.inf and SmmCryptLib.inf
Signed-off-by: Gary West <Gary.West@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
---
.../Library/BaseCryptLib/BaseCryptLib.inf | 1 +
.../Library/BaseCryptLib/PeiCryptLib.inf | 4 +-
.../Library/BaseCryptLib/RuntimeCryptLib.inf | 1 +
.../Library/BaseCryptLib/SmmCryptLib.inf | 1 +
CryptoPkg/Include/Library/BaseCryptLib.h | 33 ++++++++
.../Library/BaseCryptLib/Kdf/CryptHkdf.c | 80 +++++++++++++++++++
.../Library/BaseCryptLib/Kdf/CryptHkdfNull.c | 43 ++++++++++
7 files changed, 160 insertions(+), 3 deletions(-)
create mode 100644 CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 020df3c19b3c..8d4988e8c6b4 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -37,6 +37,7 @@ [Sources]
Hmac/CryptHmacMd5.c
Hmac/CryptHmacSha1.c
Hmac/CryptHmacSha256.c
+ Kdf/CryptHkdf.c
Cipher/CryptAes.c
Cipher/CryptTdes.c
Cipher/CryptArc4.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 4c4353747622..d26161d79ae5 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -43,10 +43,10 @@ [Sources]
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
+ Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
Cipher/CryptTdesNull.c
Cipher/CryptArc4Null.c
-
Pk/CryptRsaBasic.c
Pk/CryptRsaExtNull.c
Pk/CryptPkcs1OaepNull.c
@@ -55,13 +55,11 @@ [Sources]
Pk/CryptPkcs7VerifyCommon.c
Pk/CryptPkcs7VerifyBase.c
Pk/CryptPkcs7VerifyEku.c
-
Pk/CryptDhNull.c
Pk/CryptX509Null.c
Pk/CryptAuthenticodeNull.c
Pk/CryptTsNull.c
Pem/CryptPemNull.c
-
Rand/CryptRandNull.c
SysCall/CrtWrapper.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index a59079d99e05..e99c046be29b 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -42,6 +42,7 @@ [Sources]
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256Null.c
+ Kdf/CryptHkdfNull.c
Cipher/CryptAesNull.c
Cipher/CryptTdesNull.c
Cipher/CryptArc4Null.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 3fd7d65abfca..fc217938825d 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -42,6 +42,7 @@ [Sources]
Hmac/CryptHmacMd5Null.c
Hmac/CryptHmacSha1Null.c
Hmac/CryptHmacSha256.c
+ Kdf/CryptHkdfNull.c
Cipher/CryptAes.c
Cipher/CryptTdesNull.c
Cipher/CryptArc4Null.c
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 19d1afe3c8c0..da32bb2444fd 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -3122,4 +3122,37 @@ RandomBytes (
IN UINTN Size
);
+//=====================================================================================
+// Key Derivation Function Primitive
+//=====================================================================================
+
+/**
+ Derive key data using HMAC-SHA256 based KDF.
+
+ @param[in] Key Pointer to the user-supplied key.
+ @param[in] KeySize Key size in bytes.
+ @param[in] Salt Pointer to the salt(non-secret) value.
+ @param[in] SaltSize Salt size in bytes.
+ @param[in] Info Pointer to the application specific info.
+ @param[in] InfoSize Info size in bytes.
+ @param[Out] Out Pointer to buffer to receive hkdf value.
+ @param[in] OutSize Size of hkdf bytes to generate.
+
+ @retval TRUE Hkdf generated successfully.
+ @retval FALSE Hkdf generation failed.
+
+**/
+BOOLEAN
+EFIAPI
+HkdfSha256ExtractAndExpand (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Salt,
+ IN UINTN SaltSize,
+ IN CONST UINT8 *Info,
+ IN UINTN InfoSize,
+ OUT UINT8 *Out,
+ IN UINTN OutSize
+ );
+
#endif // __BASE_CRYPT_LIB_H__
diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
new file mode 100644
index 000000000000..c0b307806232
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdf.c
@@ -0,0 +1,80 @@
+/** @file
+ HMAC-SHA256 KDF Wrapper Implementation over OpenSSL.
+
+Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseCryptLib.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+
+/**
+ Derive HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+
+ @param[in] Key Pointer to the user-supplied key.
+ @param[in] KeySize Key size in bytes.
+ @param[in] Salt Pointer to the salt(non-secret) value.
+ @param[in] SaltSize Salt size in bytes.
+ @param[in] Info Pointer to the application specific info.
+ @param[in] InfoSize Info size in bytes.
+ @param[Out] Out Pointer to buffer to receive hkdf value.
+ @param[in] OutSize Size of hkdf bytes to generate.
+
+ @retval TRUE Hkdf generated successfully.
+ @retval FALSE Hkdf generation failed.
+
+**/
+BOOLEAN
+EFIAPI
+HkdfSha256ExtractAndExpand (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Salt,
+ IN UINTN SaltSize,
+ IN CONST UINT8 *Info,
+ IN UINTN InfoSize,
+ OUT UINT8 *Out,
+ IN UINTN OutSize
+ )
+{
+ EVP_PKEY_CTX *pHkdfCtx;
+
+ if (Key == NULL || Salt == NULL || Info == NULL || Out == NULL ||
+ KeySize > INT_MAX || SaltSize > INT_MAX || InfoSize > INT_MAX || OutSize > INT_MAX ) {
+ return FALSE;
+ }
+
+ pHkdfCtx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ if (pHkdfCtx == NULL) {
+ goto _Error;
+ }
+
+ if (EVP_PKEY_derive_init(pHkdfCtx) <= 0) {
+ goto _Error;
+ }
+ if (EVP_PKEY_CTX_set_hkdf_md(pHkdfCtx, EVP_sha256()) <= 0) {
+ goto _Error;
+ }
+ if (EVP_PKEY_CTX_set1_hkdf_salt(pHkdfCtx, Salt, (UINT32)SaltSize) <= 0) {
+ goto _Error;
+ }
+ if (EVP_PKEY_CTX_set1_hkdf_key(pHkdfCtx, Key, (UINT32)KeySize) <= 0) {
+ goto _Error;
+ }
+ if (EVP_PKEY_CTX_add1_hkdf_info(pHkdfCtx, Info, (UINT32)InfoSize) <= 0) {
+ goto _Error;
+ }
+ if (EVP_PKEY_derive(pHkdfCtx, Out, &OutSize) <= 0) {
+ goto _Error;
+ }
+
+ EVP_PKEY_CTX_free(pHkdfCtx);
+ pHkdfCtx = NULL;
+ return TRUE;
+
+_Error:
+ EVP_PKEY_CTX_free(pHkdfCtx);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
new file mode 100644
index 000000000000..73deb5bc3614
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Kdf/CryptHkdfNull.c
@@ -0,0 +1,43 @@
+/** @file
+ HMAC-SHA256 KDF Wrapper Implementation which does not provide real capabilities.
+
+Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+
+/**
+ Derive key data using HMAC-SHA256 based KDF.
+
+ @param[in] Key Pointer to the user-supplied key.
+ @param[in] KeySize Key size in bytes.
+ @param[in] Salt Pointer to the salt(non-secret) value.
+ @param[in] SaltSize Salt size in bytes.
+ @param[in] Info Pointer to the application specific info.
+ @param[in] InfoSize Info size in bytes.
+ @param[Out] Out Pointer to buffer to receive hkdf value.
+ @param[in] OutSize Size of hkdf bytes to generate.
+
+ @retval TRUE Hkdf generated successfully.
+ @retval FALSE Hkdf generation failed.
+
+**/
+BOOLEAN
+EFIAPI
+HkdfSha256ExtractAndExpand (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Salt,
+ IN UINTN SaltSize,
+ IN CONST UINT8 *Info,
+ IN UINTN InfoSize,
+ OUT UINT8 *Out,
+ IN UINTN OutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
--
2.19.1.windows.1
next prev parent reply other threads:[~2019-07-23 12:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-23 12:03 [PATCH 0/1] Add support for HKDF gary.west
2019-07-23 12:03 ` Gary West [this message]
2019-07-23 5:17 ` [PATCH 1/1] CryptoPkg/BaseCryptLib: Wrap OpenSSL HKDF algorithm Wang, Jian J
2019-07-26 2:59 ` Wang, Jian J
2019-07-29 16:38 ` Gary West
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e5df6b8c87b6703d03d0295032335da8acf9d094.1563818777.git.gary.west@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox