// SPDX-License-Identifier: BSD-2-Clause /* * Copyright (c) 2017-2020, Linaro Limited */ #include #include #include #include #include #include #include #include #include "attributes.h" #include "object.h" #include "pkcs11_attributes.h" #include "pkcs11_helpers.h" #include "pkcs11_token.h" #include "processing.h" #include "serializer.h" struct input_data_ref { size_t size; void *data; }; bool processing_is_tee_symm(enum pkcs11_mechanism_id proc_id) { switch (proc_id) { /* Authentication */ case PKCS11_CKM_AES_CMAC: case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: case PKCS11_CKM_AES_CMAC_GENERAL: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: /* Ciphering */ case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: case PKCS11_CKM_AES_CTS: case PKCS11_CKM_AES_CTR: case PKCS11_CKM_AES_GCM: case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: return true; default: return false; } } static enum pkcs11_rc pkcs2tee_algorithm(uint32_t *tee_id, struct pkcs11_attribute_head *proc_params) { static const struct { enum pkcs11_mechanism_id mech_id; uint32_t tee_id; } pkcs2tee_algo[] = { /* AES flavors */ { PKCS11_CKM_AES_ECB, TEE_ALG_AES_ECB_NOPAD }, { PKCS11_CKM_AES_CBC, TEE_ALG_AES_CBC_NOPAD }, { PKCS11_CKM_AES_ECB_ENCRYPT_DATA, TEE_ALG_AES_ECB_NOPAD }, { PKCS11_CKM_AES_CBC_ENCRYPT_DATA, TEE_ALG_AES_CBC_NOPAD }, { PKCS11_CKM_AES_CTR, TEE_ALG_AES_CTR }, { PKCS11_CKM_AES_CTS, TEE_ALG_AES_CTS }, { PKCS11_CKM_AES_GCM, TEE_ALG_AES_GCM }, { PKCS11_CKM_AES_CMAC, TEE_ALG_AES_CMAC }, { PKCS11_CKM_AES_CMAC_GENERAL, TEE_ALG_AES_CMAC }, /* HMAC flavors */ { PKCS11_CKM_MD5_HMAC, TEE_ALG_HMAC_MD5 }, { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_HMAC_SHA1 }, { PKCS11_CKM_SHA224_HMAC, TEE_ALG_HMAC_SHA224 }, { PKCS11_CKM_SHA256_HMAC, TEE_ALG_HMAC_SHA256 }, { PKCS11_CKM_SHA384_HMAC, TEE_ALG_HMAC_SHA384 }, { PKCS11_CKM_SHA512_HMAC, TEE_ALG_HMAC_SHA512 }, { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_HMAC_MD5 }, { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_HMAC_SHA1 }, { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_HMAC_SHA224 }, { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_HMAC_SHA256 }, { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_HMAC_SHA384 }, { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_HMAC_SHA512 }, }; size_t n = 0; for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) { if (proc_params->id == pkcs2tee_algo[n].mech_id) { *tee_id = pkcs2tee_algo[n].tee_id; return PKCS11_CKR_OK; } } return PKCS11_RV_NOT_IMPLEMENTED; } static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type, struct pkcs11_object *obj) { static const struct { enum pkcs11_key_type key_type; uint32_t tee_id; } pkcs2tee_key_type[] = { { PKCS11_CKK_AES, TEE_TYPE_AES }, { PKCS11_CKK_GENERIC_SECRET, TEE_TYPE_GENERIC_SECRET }, { PKCS11_CKK_MD5_HMAC, TEE_TYPE_HMAC_MD5 }, { PKCS11_CKK_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 }, { PKCS11_CKK_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 }, { PKCS11_CKK_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 }, { PKCS11_CKK_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 }, { PKCS11_CKK_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 }, }; size_t n = 0; enum pkcs11_key_type key_type = get_key_type(obj->attributes); assert(get_class(obj->attributes) == PKCS11_CKO_SECRET_KEY); for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) { if (pkcs2tee_key_type[n].key_type == key_type) { *tee_type = pkcs2tee_key_type[n].tee_id; return PKCS11_CKR_OK; } } return PKCS11_RV_NOT_FOUND; } static enum pkcs11_rc pkcsmech2tee_key_type(uint32_t *tee_type, enum pkcs11_mechanism_id mech_id) { static const struct { enum pkcs11_mechanism_id mech; uint32_t tee_id; } pkcs2tee_key_type[] = { { PKCS11_CKM_MD5_HMAC, TEE_TYPE_HMAC_MD5 }, { PKCS11_CKM_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 }, { PKCS11_CKM_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 }, { PKCS11_CKM_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 }, { PKCS11_CKM_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 }, { PKCS11_CKM_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 }, { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_TYPE_HMAC_MD5 }, { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_TYPE_HMAC_SHA1 }, { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_TYPE_HMAC_SHA224 }, { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_TYPE_HMAC_SHA256 }, { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_TYPE_HMAC_SHA384 }, { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_TYPE_HMAC_SHA512 }, }; size_t n = 0; for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) { if (pkcs2tee_key_type[n].mech == mech_id) { *tee_type = pkcs2tee_key_type[n].tee_id; return PKCS11_CKR_OK; } } return PKCS11_RV_NOT_FOUND; } static enum pkcs11_rc hmac_to_tee_hash(uint32_t *algo, enum pkcs11_mechanism_id mech_id) { static const struct { enum pkcs11_mechanism_id mech; uint32_t tee_id; } hmac_hash[] = { { PKCS11_CKM_MD5_HMAC, TEE_ALG_MD5 }, { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_SHA1 }, { PKCS11_CKM_SHA224_HMAC, TEE_ALG_SHA224 }, { PKCS11_CKM_SHA256_HMAC, TEE_ALG_SHA256 }, { PKCS11_CKM_SHA384_HMAC, TEE_ALG_SHA384 }, { PKCS11_CKM_SHA512_HMAC, TEE_ALG_SHA512 }, { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_MD5 }, { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_SHA1 }, { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_SHA224 }, { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_SHA256 }, { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_SHA384 }, { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_SHA512 }, }; size_t n = 0; for (n = 0; n < ARRAY_SIZE(hmac_hash); n++) { if (hmac_hash[n].mech == mech_id) { *algo = hmac_hash[n].tee_id; return PKCS11_CKR_OK; } } return PKCS11_RV_NOT_FOUND; } static enum pkcs11_rc allocate_tee_operation(struct pkcs11_session *session, enum processing_func function, struct pkcs11_attribute_head *params, struct pkcs11_object *obj) { uint32_t size = (uint32_t)get_object_key_bit_size(obj); uint32_t key_size = size / 8; uint32_t algo = 0; uint32_t mode = 0; uint32_t max_key_size = 0; uint32_t min_key_size = 0; TEE_Result res = TEE_ERROR_GENERIC; assert(session->processing->tee_op_handle == TEE_HANDLE_NULL && session->processing->tee_op_handle2 == TEE_HANDLE_NULL); if (pkcs2tee_algorithm(&algo, params)) return PKCS11_CKR_FUNCTION_FAILED; /* Sign/Verify with AES or generic key relate to TEE MAC operation */ switch (params->id) { case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: mechanism_supported_key_sizes_bytes(params->id, &min_key_size, &max_key_size); if (key_size < min_key_size) return PKCS11_CKR_KEY_SIZE_RANGE; /* * If size of generic key is greater than the size * supported by TEE API, this is not considered an * error. When loading TEE key, we will hash the key * to generate the appropriate key for HMAC operation. * This key size will not be greater than the * max_key_size. So we can use max_key_size for * TEE_AllocateOperation(). */ if (key_size > max_key_size) size = max_key_size * 8; mode = TEE_MODE_MAC; break; case PKCS11_CKM_AES_CMAC: case PKCS11_CKM_AES_CMAC_GENERAL: mode = TEE_MODE_MAC; break; default: pkcs2tee_mode(&mode, function); break; } res = TEE_AllocateOperation(&session->processing->tee_op_handle, algo, mode, size); if (res) EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32, algo, mode, size); if (res == TEE_ERROR_NOT_SUPPORTED) return PKCS11_CKR_MECHANISM_INVALID; if (res == TEE_SUCCESS || params->id == PKCS11_CKM_AES_GCM) { /* * Allocate a 2nd operation handler to save the operation state * on AES GCM one-shot processing that queries the output * buffer size. This is needed as we will need to reset and * re-init the TEE operation once we report the expected output * buffer size to client that we call again the AE processing * function. */ TEE_OperationHandle *hdl = &session->processing->tee_op_handle2; res = TEE_AllocateOperation(hdl, algo, mode, size); } return tee2pkcs_error(res); } static enum pkcs11_rc hash_secret_helper(enum pkcs11_mechanism_id mech_id, struct pkcs11_object *obj, TEE_Attribute *tee_attr, void **ctx, size_t *object_size_bits) { uint32_t algo = 0; void *hash_ptr = NULL; uint32_t hash_size = 0; enum pkcs11_rc rc = PKCS11_CKR_OK; rc = hmac_to_tee_hash(&algo, mech_id); if (rc) return rc; hash_size = TEE_ALG_GET_DIGEST_SIZE(algo); hash_ptr = TEE_Malloc(hash_size, 0); if (!hash_ptr) return PKCS11_CKR_DEVICE_MEMORY; rc = pkcs2tee_load_hashed_attr(tee_attr, TEE_ATTR_SECRET_VALUE, obj, PKCS11_CKA_VALUE, algo, hash_ptr, &hash_size); if (rc) { EMSG("No secret/hash error"); TEE_Free(hash_ptr); return rc; } *ctx = hash_ptr; *object_size_bits = hash_size * 8; return PKCS11_CKR_OK; } static enum pkcs11_rc load_tee_key(struct pkcs11_session *session, struct pkcs11_object *obj, struct pkcs11_attribute_head *proc_params) { TEE_Attribute tee_attr = { }; size_t object_size = 0; uint32_t tee_key_type = 0; enum pkcs11_key_type key_type = 0; enum pkcs11_rc rc = PKCS11_CKR_OK; TEE_Result res = TEE_ERROR_GENERIC; uint32_t max_key_size = 0; uint32_t min_key_size = 0; if (obj->key_handle != TEE_HANDLE_NULL) { /* Key was already loaded and fits current need */ goto key_ready; } object_size = get_object_key_bit_size(obj); if (!object_size) return PKCS11_CKR_GENERAL_ERROR; switch (proc_params->id) { case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: key_type = get_key_type(obj->attributes); /* * If Object Key type is PKCS11_CKK_GENERIC_SECRET, * determine the tee_key_type using the * mechanism instead of object key_type. */ if (key_type == PKCS11_CKK_GENERIC_SECRET) rc = pkcsmech2tee_key_type(&tee_key_type, proc_params->id); else rc = pkcs2tee_key_type(&tee_key_type, obj); if (rc) return rc; mechanism_supported_key_sizes_bytes(proc_params->id, &min_key_size, &max_key_size); if ((object_size / 8) > max_key_size) { rc = hash_secret_helper(proc_params->id, obj, &tee_attr, &session->processing->extra_ctx, &object_size); if (rc) return rc; } else { if (!pkcs2tee_load_attr(&tee_attr, TEE_ATTR_SECRET_VALUE, obj, PKCS11_CKA_VALUE)) { EMSG("No secret found"); return PKCS11_CKR_FUNCTION_FAILED; } } break; default: rc = pkcs2tee_key_type(&tee_key_type, obj); if (rc) return rc; if (!pkcs2tee_load_attr(&tee_attr, TEE_ATTR_SECRET_VALUE, obj, PKCS11_CKA_VALUE)) { EMSG("No secret found"); return PKCS11_CKR_FUNCTION_FAILED; } break; } res = TEE_AllocateTransientObject(tee_key_type, object_size, &obj->key_handle); if (res) { DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); return tee2pkcs_error(res); } res = TEE_PopulateTransientObject(obj->key_handle, &tee_attr, 1); if (res) { DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res); goto error; } key_ready: res = TEE_SetOperationKey(session->processing->tee_op_handle, obj->key_handle); if (res) { DMSG("TEE_SetOperationKey failed, %#"PRIx32, res); goto error; } return PKCS11_CKR_OK; error: TEE_FreeTransientObject(obj->key_handle); obj->key_handle = TEE_HANDLE_NULL; return tee2pkcs_error(res); } static enum pkcs11_rc tee_init_derive_symm(struct active_processing *processing, struct pkcs11_attribute_head *proc_params) { struct serialargs args = { }; enum pkcs11_rc rc = PKCS11_CKR_OK; struct input_data_ref *param = NULL; void *iv = NULL; if (!proc_params) return PKCS11_CKR_ARGUMENTS_BAD; param = TEE_Malloc(sizeof(struct input_data_ref), TEE_MALLOC_FILL_ZERO); if (!param) return PKCS11_CKR_DEVICE_MEMORY; serialargs_init(&args, proc_params->data, proc_params->size); switch (proc_params->id) { case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: rc = serialargs_get_ptr(&args, &iv, 16); if (rc) goto err; break; default: break; } rc = serialargs_get(&args, ¶m->size, sizeof(uint32_t)); if (rc) goto err; rc = serialargs_get_ptr(&args, ¶m->data, param->size); if (rc) goto err; if (serialargs_remaining_bytes(&args)) { rc = PKCS11_CKR_ARGUMENTS_BAD; goto err; } processing->extra_ctx = param; switch (proc_params->id) { case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: if (param->size % TEE_AES_BLOCK_SIZE) { rc = PKCS11_CKR_DATA_LEN_RANGE; goto err; } TEE_CipherInit(processing->tee_op_handle, NULL, 0); break; case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: if (param->size % TEE_AES_BLOCK_SIZE) { rc = PKCS11_CKR_DATA_LEN_RANGE; goto err; } TEE_CipherInit(processing->tee_op_handle, iv, 16); break; default: TEE_Panic(proc_params->id); break; } return PKCS11_CKR_OK; err: processing->extra_ctx = NULL; TEE_Free(param); return rc; } static enum pkcs11_rc input_hmac_len_is_valid(struct pkcs11_attribute_head *proc_params, uint32_t hmac_len) { uint32_t sign_sz = 0; switch (proc_params->id) { case PKCS11_CKM_MD5_HMAC_GENERAL: sign_sz = TEE_MD5_HASH_SIZE; break; case PKCS11_CKM_SHA_1_HMAC_GENERAL: sign_sz = TEE_SHA1_HASH_SIZE; break; case PKCS11_CKM_SHA224_HMAC_GENERAL: sign_sz = TEE_SHA224_HASH_SIZE; break; case PKCS11_CKM_SHA256_HMAC_GENERAL: sign_sz = TEE_SHA256_HASH_SIZE; break; case PKCS11_CKM_SHA384_HMAC_GENERAL: sign_sz = TEE_SHA384_HASH_SIZE; break; case PKCS11_CKM_SHA512_HMAC_GENERAL: sign_sz = TEE_SHA512_HASH_SIZE; break; case PKCS11_CKM_AES_CMAC_GENERAL: sign_sz = TEE_AES_BLOCK_SIZE; break; default: return PKCS11_CKR_MECHANISM_INVALID; } if (!hmac_len || hmac_len > sign_sz) return PKCS11_CKR_SIGNATURE_LEN_RANGE; return PKCS11_CKR_OK; } static enum pkcs11_rc init_tee_operation(struct pkcs11_session *session, struct pkcs11_attribute_head *proc_params) { enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; uint32_t *pkcs11_data = NULL; switch (proc_params->id) { case PKCS11_CKM_AES_CMAC: case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: if (proc_params->size) return PKCS11_CKR_MECHANISM_PARAM_INVALID; TEE_MACInit(session->processing->tee_op_handle, NULL, 0); rc = PKCS11_CKR_OK; break; case PKCS11_CKM_AES_CMAC_GENERAL: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: if (proc_params->size != sizeof(uint32_t)) return PKCS11_CKR_MECHANISM_PARAM_INVALID; pkcs11_data = TEE_Malloc(sizeof(uint32_t), TEE_MALLOC_FILL_ZERO); if (!pkcs11_data) return PKCS11_CKR_DEVICE_MEMORY; TEE_MemMove(pkcs11_data, proc_params->data, sizeof(uint32_t)); rc = input_hmac_len_is_valid(proc_params, *pkcs11_data); if (rc) { TEE_Free(pkcs11_data); return rc; } session->processing->extra_ctx = (void *)pkcs11_data; TEE_MACInit(session->processing->tee_op_handle, NULL, 0); rc = PKCS11_CKR_OK; break; case PKCS11_CKM_AES_ECB: if (proc_params->size) return PKCS11_CKR_MECHANISM_PARAM_INVALID; TEE_CipherInit(session->processing->tee_op_handle, NULL, 0); rc = PKCS11_CKR_OK; break; case PKCS11_CKM_AES_CBC: case PKCS11_CKM_AES_CTS: if (proc_params->size != 16) return PKCS11_CKR_MECHANISM_PARAM_INVALID; TEE_CipherInit(session->processing->tee_op_handle, proc_params->data, 16); rc = PKCS11_CKR_OK; break; case PKCS11_CKM_AES_CTR: rc = tee_init_ctr_operation(session->processing, proc_params->data, proc_params->size); break; case PKCS11_CKM_AES_GCM: rc = tee_init_gcm_operation(session, proc_params->data, proc_params->size); break; case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: rc = tee_init_derive_symm(session->processing, proc_params); break; default: TEE_Panic(proc_params->id); break; } return rc; } enum pkcs11_rc init_symm_operation(struct pkcs11_session *session, enum processing_func function, struct pkcs11_attribute_head *proc_params, struct pkcs11_object *obj) { enum pkcs11_rc rc = PKCS11_CKR_OK; assert(processing_is_tee_symm(proc_params->id)); rc = allocate_tee_operation(session, function, proc_params, obj); if (rc) return rc; rc = load_tee_key(session, obj, proc_params); if (rc) return rc; rc = init_tee_operation(session, proc_params); if (!rc) session->processing->mecha_type = proc_params->id; return rc; } /* Validate input buffer size as per PKCS#11 constraints */ static enum pkcs11_rc input_data_size_is_valid(struct active_processing *proc, enum processing_func function, size_t in_size) { switch (proc->mecha_type) { case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: if (function == PKCS11_FUNCTION_ENCRYPT && in_size % TEE_AES_BLOCK_SIZE) return PKCS11_CKR_DATA_LEN_RANGE; if (function == PKCS11_FUNCTION_DECRYPT && in_size % TEE_AES_BLOCK_SIZE) return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; break; case PKCS11_CKM_AES_CTS: if (function == PKCS11_FUNCTION_ENCRYPT && in_size < TEE_AES_BLOCK_SIZE) return PKCS11_CKR_DATA_LEN_RANGE; if (function == PKCS11_FUNCTION_DECRYPT && in_size < TEE_AES_BLOCK_SIZE) return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; break; default: break; } return PKCS11_CKR_OK; } /* Validate input buffer size as per PKCS#11 constraints */ static enum pkcs11_rc input_sign_size_is_valid(struct active_processing *proc, size_t in_size) { size_t sign_sz = 0; switch (proc->mecha_type) { case PKCS11_CKM_MD5_HMAC: sign_sz = TEE_MD5_HASH_SIZE; break; case PKCS11_CKM_SHA_1_HMAC: sign_sz = TEE_SHA1_HASH_SIZE; break; case PKCS11_CKM_SHA224_HMAC: sign_sz = TEE_SHA224_HASH_SIZE; break; case PKCS11_CKM_SHA256_HMAC: sign_sz = TEE_SHA256_HASH_SIZE; break; case PKCS11_CKM_SHA384_HMAC: sign_sz = TEE_SHA384_HASH_SIZE; break; case PKCS11_CKM_SHA512_HMAC: sign_sz = TEE_SHA512_HASH_SIZE; break; case PKCS11_CKM_AES_CMAC: sign_sz = TEE_AES_BLOCK_SIZE; break; default: return PKCS11_CKR_GENERAL_ERROR; } if (in_size != sign_sz) return PKCS11_CKR_SIGNATURE_LEN_RANGE; return PKCS11_CKR_OK; } /* * step_sym_cipher - processing symmetric (and related) cipher operation step * * @session - current session * @function - processing function (encrypt, decrypt, sign, ...) * @step - step ID in the processing (oneshot, update, final) * @ptype - invocation parameter types * @params - invocation parameter references */ enum pkcs11_rc step_symm_operation(struct pkcs11_session *session, enum processing_func function, enum processing_step step, uint32_t ptypes, TEE_Param *params) { enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; TEE_Result res = TEE_ERROR_GENERIC; void *in_buf = NULL; size_t in_size = 0; void *out_buf = NULL; size_t out_size = 0; void *in2_buf = NULL; uint32_t in2_size = 0; bool output_data = false; struct active_processing *proc = session->processing; uint32_t hmac_len = 0; uint8_t computed_mac[TEE_MAX_HASH_SIZE] = { 0 }; size_t computed_mac_size = TEE_MAX_HASH_SIZE; size_t ae_out_size = 0; if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) { in_buf = params[1].memref.buffer; in_size = params[1].memref.size; if (in_size && !in_buf) return PKCS11_CKR_ARGUMENTS_BAD; } if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) { in2_buf = params[2].memref.buffer; in2_size = params[2].memref.size; if (in2_size && !in2_buf) return PKCS11_CKR_ARGUMENTS_BAD; } if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) { out_buf = params[2].memref.buffer; out_size = params[2].memref.size; ae_out_size = out_size; if (out_size && !out_buf) return PKCS11_CKR_ARGUMENTS_BAD; } if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE) return PKCS11_CKR_ARGUMENTS_BAD; switch (step) { case PKCS11_FUNC_STEP_ONESHOT: case PKCS11_FUNC_STEP_UPDATE: case PKCS11_FUNC_STEP_FINAL: break; default: return PKCS11_CKR_GENERAL_ERROR; } if (step != PKCS11_FUNC_STEP_FINAL) { rc = input_data_size_is_valid(proc, function, in_size); if (rc) return rc; } /* * Feed active operation with data */ switch (proc->mecha_type) { case PKCS11_CKM_AES_CMAC: case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: case PKCS11_CKM_AES_CMAC_GENERAL: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: if (step == PKCS11_FUNC_STEP_FINAL || step == PKCS11_FUNC_STEP_ONESHOT) break; if (!in_buf) { DMSG("No input data"); return PKCS11_CKR_ARGUMENTS_BAD; } switch (function) { case PKCS11_FUNCTION_SIGN: case PKCS11_FUNCTION_VERIFY: TEE_MACUpdate(proc->tee_op_handle, in_buf, in_size); rc = PKCS11_CKR_OK; break; default: TEE_Panic(function); break; } break; case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: case PKCS11_CKM_AES_CTS: case PKCS11_CKM_AES_CTR: if (step == PKCS11_FUNC_STEP_FINAL || step == PKCS11_FUNC_STEP_ONESHOT) break; if (!in_buf) { EMSG("No input data"); return PKCS11_CKR_ARGUMENTS_BAD; } switch (function) { case PKCS11_FUNCTION_ENCRYPT: case PKCS11_FUNCTION_DECRYPT: res = TEE_CipherUpdate(proc->tee_op_handle, in_buf, in_size, out_buf, &out_size); output_data = true; rc = tee2pkcs_error(res); break; default: TEE_Panic(function); break; } break; case PKCS11_CKM_AES_GCM: if (step == PKCS11_FUNC_STEP_FINAL) break; switch (function) { case PKCS11_FUNCTION_ENCRYPT: res = TEE_AEUpdate(proc->tee_op_handle, in_buf, in_size, out_buf, &out_size); output_data = true; rc = tee2pkcs_error(res); if (rc && rc != PKCS11_CKR_BUFFER_TOO_SMALL) return rc; if (step == PKCS11_FUNC_STEP_ONESHOT) { if (rc == PKCS11_CKR_BUFFER_TOO_SMALL) { /* Return output data size incl. tag*/ out_size += 16; goto out; } out_buf = (char *)out_buf + out_size; /* Remaining space for the tag data */ ae_out_size -= out_size; } break; case PKCS11_FUNCTION_DECRYPT: rc = tee_ae_decrypt_update(session, in_buf, in_size); assert(rc != PKCS11_CKR_BUFFER_TOO_SMALL); if (rc) return rc; /* Do not output decrypted data until tag is verified */ out_size = 0; output_data = true; break; default: TEE_Panic(function); break; } break; default: TEE_Panic(proc->mecha_type); break; } if (step == PKCS11_FUNC_STEP_UPDATE) goto out; /* * Finalize (PKCS11_FUNC_STEP_ONESHOT/_FINAL) operation */ switch (proc->mecha_type) { case PKCS11_CKM_AES_CMAC: case PKCS11_CKM_MD5_HMAC: case PKCS11_CKM_SHA_1_HMAC: case PKCS11_CKM_SHA224_HMAC: case PKCS11_CKM_SHA256_HMAC: case PKCS11_CKM_SHA384_HMAC: case PKCS11_CKM_SHA512_HMAC: switch (function) { case PKCS11_FUNCTION_SIGN: res = TEE_MACComputeFinal(proc->tee_op_handle, in_buf, in_size, out_buf, &out_size); output_data = true; rc = tee2pkcs_error(res); break; case PKCS11_FUNCTION_VERIFY: rc = input_sign_size_is_valid(proc, in2_size); if (rc) return rc; res = TEE_MACCompareFinal(proc->tee_op_handle, in_buf, in_size, in2_buf, in2_size); rc = tee2pkcs_error(res); break; default: TEE_Panic(function); break; } break; case PKCS11_CKM_AES_CMAC_GENERAL: case PKCS11_CKM_MD5_HMAC_GENERAL: case PKCS11_CKM_SHA_1_HMAC_GENERAL: case PKCS11_CKM_SHA224_HMAC_GENERAL: case PKCS11_CKM_SHA256_HMAC_GENERAL: case PKCS11_CKM_SHA384_HMAC_GENERAL: case PKCS11_CKM_SHA512_HMAC_GENERAL: assert(proc->extra_ctx); hmac_len = *(uint32_t *)proc->extra_ctx; switch (function) { case PKCS11_FUNCTION_SIGN: if (out_size < hmac_len) { /* inform client of required size */ out_size = hmac_len; output_data = true; rc = PKCS11_CKR_BUFFER_TOO_SMALL; goto out; } res = TEE_MACComputeFinal(proc->tee_op_handle, in_buf, in_size, computed_mac, &computed_mac_size); if (res == TEE_SUCCESS) { /* truncate to hmac_len */ TEE_MemMove(out_buf, computed_mac, hmac_len); output_data = true; } /* inform client of required size */ out_size = hmac_len; rc = tee2pkcs_error(res); break; case PKCS11_FUNCTION_VERIFY: /* must compute full MAC before comparing partial */ res = TEE_MACComputeFinal(proc->tee_op_handle, in_buf, in_size, computed_mac, &computed_mac_size); if (!in2_size || in2_size > computed_mac_size) { EMSG("Invalid signature size: %"PRIu32, in2_size); return PKCS11_CKR_SIGNATURE_LEN_RANGE; } if (res == TEE_SUCCESS) { /* * Only the first in2_size bytes of the * signature to be verified is passed in from * caller */ if (TEE_MemCompare(in2_buf, computed_mac, in2_size)) { res = TEE_ERROR_MAC_INVALID; } } rc = tee2pkcs_error(res); break; default: TEE_Panic(function); break; } break; case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: case PKCS11_CKM_AES_CTS: case PKCS11_CKM_AES_CTR: if (step == PKCS11_FUNC_STEP_ONESHOT && !in_buf) { EMSG("No input data"); return PKCS11_CKR_ARGUMENTS_BAD; } switch (function) { case PKCS11_FUNCTION_ENCRYPT: case PKCS11_FUNCTION_DECRYPT: res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_size, out_buf, &out_size); output_data = true; rc = tee2pkcs_error(res); break; default: TEE_Panic(function); break; } break; case PKCS11_CKM_AES_GCM: switch (function) { case PKCS11_FUNCTION_ENCRYPT: rc = tee_ae_encrypt_final(session, out_buf, &ae_out_size); output_data = true; if (step == PKCS11_FUNC_STEP_ONESHOT) out_size += ae_out_size; else out_size = ae_out_size; break; case PKCS11_FUNCTION_DECRYPT: /* Now we're ready to reveal data */ out_size = ae_out_size; rc = tee_ae_decrypt_final(session, out_buf, &out_size); output_data = true; break; default: TEE_Panic(function); break; } if (step == PKCS11_FUNC_STEP_ONESHOT && rc == PKCS11_CKR_BUFFER_TOO_SMALL) { enum pkcs11_rc rc2 = PKCS11_CKR_OK; /* * Change operation state to its initial state * as client will likely request again the * one-shot processing but possibly with * different input data. */ rc2 = tee_ae_reinit_gcm_operation(session); if (rc2) return rc2; } break; default: TEE_Panic(proc->mecha_type); break; } out: if (output_data && (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) { switch (TEE_PARAM_TYPE_GET(ptypes, 2)) { case TEE_PARAM_TYPE_MEMREF_OUTPUT: case TEE_PARAM_TYPE_MEMREF_INOUT: params[2].memref.size = out_size; break; default: rc = PKCS11_CKR_ARGUMENTS_BAD; break; } } return rc; } enum pkcs11_rc derive_key_by_symm_enc(struct pkcs11_session *session, void **out_buf, uint32_t *out_size) { enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; TEE_Result res = TEE_ERROR_GENERIC; struct active_processing *proc = session->processing; struct input_data_ref *input = proc->extra_ctx; void *in_buf = NULL; void *dest_buf = NULL; uint32_t in_size = 0; size_t tmp_sz = 0; switch (proc->mecha_type) { case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: if (!proc->extra_ctx) return PKCS11_CKR_ARGUMENTS_BAD; in_buf = input->data; in_size = input->size; *out_size = in_size; dest_buf = TEE_Malloc(*out_size, 0); if (!dest_buf) return PKCS11_CKR_DEVICE_MEMORY; tmp_sz = *out_size; res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_size, dest_buf, &tmp_sz); *out_size = tmp_sz; rc = tee2pkcs_error(res); if (rc) { TEE_Free(dest_buf); return rc; } *out_buf = dest_buf; break; default: return PKCS11_CKR_MECHANISM_INVALID; } return rc; } enum pkcs11_rc wrap_data_by_symm_enc(struct pkcs11_session *session, void *data, uint32_t data_sz, void *out_buf, uint32_t *out_sz) { TEE_Result res = TEE_ERROR_GENERIC; struct active_processing *proc = session->processing; void *in_buf = NULL; uint32_t align = 0; uint32_t in_sz = data_sz; size_t tmp_sz = *out_sz; uint8_t *tmp_buf = out_buf; switch (proc->mecha_type) { case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: align = data_sz % TEE_AES_BLOCK_SIZE; if (align) in_sz = data_sz + (TEE_AES_BLOCK_SIZE - align); if (*out_sz < in_sz) { *out_sz = in_sz; return PKCS11_CKR_BUFFER_TOO_SMALL; } if (align) { if (data_sz > TEE_AES_BLOCK_SIZE) { in_sz = data_sz - align; res = TEE_CipherUpdate(proc->tee_op_handle, data, in_sz, tmp_buf, &tmp_sz); if (res) { assert(res != TEE_ERROR_SHORT_BUFFER); return tee2pkcs_error(res); } tmp_buf += tmp_sz; tmp_sz = *out_sz - tmp_sz; } else { in_sz = 0; } in_buf = TEE_Malloc(TEE_AES_BLOCK_SIZE, TEE_MALLOC_FILL_ZERO); if (!in_buf) return PKCS11_CKR_DEVICE_MEMORY; TEE_MemMove(in_buf, (uint8_t *)data + in_sz, align); in_sz = TEE_AES_BLOCK_SIZE; } else { in_buf = data; in_sz = data_sz; } res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_sz, tmp_buf, &tmp_sz); if (res == TEE_SUCCESS || res == TEE_ERROR_SHORT_BUFFER) { *out_sz = tmp_sz; if (align) *out_sz += tmp_buf - (uint8_t *)out_buf; } if (align) TEE_Free(in_buf); return tee2pkcs_error(res); default: return PKCS11_CKR_MECHANISM_INVALID; } return PKCS11_CKR_GENERAL_ERROR; } enum pkcs11_rc unwrap_key_by_symm(struct pkcs11_session *session, void *data, uint32_t data_sz, void **out_buf, uint32_t *out_sz) { TEE_Result res = TEE_ERROR_GENERIC; struct active_processing *proc = session->processing; size_t tmp_sz = 0; if (input_data_size_is_valid(proc, PKCS11_FUNCTION_DECRYPT, data_sz)) return PKCS11_CKR_WRAPPED_KEY_LEN_RANGE; switch (proc->mecha_type) { case PKCS11_CKM_AES_ECB: case PKCS11_CKM_AES_CBC: *out_sz = 0; res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz, NULL, &tmp_sz); *out_sz = tmp_sz; if (res != TEE_ERROR_SHORT_BUFFER) { DMSG("TEE_CipherDoFinal() issue: %#"PRIx32, res); return PKCS11_CKR_GENERAL_ERROR; } *out_buf = TEE_Malloc(*out_sz, TEE_MALLOC_FILL_ZERO); if (!*out_buf) return PKCS11_CKR_DEVICE_MEMORY; res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz, *out_buf, &tmp_sz); *out_sz = tmp_sz; if (tee2pkcs_error(res)) { TEE_Free(*out_buf); *out_buf = NULL; return PKCS11_CKR_WRAPPED_KEY_INVALID; } break; default: return PKCS11_CKR_MECHANISM_INVALID; } return PKCS11_CKR_OK; }