xref: /optee_os/core/include/crypto/crypto.h (revision 52ee414bd86e52e105b7ea0da2ee544f90d3b18b)

/* SPDX-License-Identifier: BSD-2-Clause */
/*
 * Copyright (c) 2014-2017, Linaro Limited
 */

/*
 * This is the Cryptographic Provider API (CP API).
 *
 * This defines how most crypto syscalls that implement the Cryptographic
 * Operations API can invoke the actual providers of cryptographic algorithms
 * (such as LibTomCrypt).
 *
 * To add a new provider, you need to provide an implementation of this
 * interface.
 *
 * The following parameters are commonly used.
 *
 * @ctx: context allocated by the syscall, for later use by the algorithm
 * @algo: algorithm identifier (TEE_ALG_*)
 */

#ifndef __CRYPTO_CRYPTO_H
#define __CRYPTO_CRYPTO_H

#include <tee_api_types.h>

TEE_Result crypto_init(void);

/* Message digest functions */
TEE_Result crypto_hash_alloc_ctx(void **ctx, uint32_t algo);
TEE_Result crypto_hash_init(void *ctx);
TEE_Result crypto_hash_update(void *ctx, const uint8_t *data, size_t len);
TEE_Result crypto_hash_final(void *ctx, uint8_t *digest, size_t len);
void crypto_hash_free_ctx(void *ctx);
void crypto_hash_copy_state(void *dst_ctx, void *src_ctx);

/* Symmetric ciphers */
TEE_Result crypto_cipher_alloc_ctx(void **ctx, uint32_t algo);
TEE_Result crypto_cipher_init(void *ctx, TEE_OperationMode mode,
			      const uint8_t *key1, size_t key1_len,
			      const uint8_t *key2, size_t key2_len,
			      const uint8_t *iv, size_t iv_len);
TEE_Result crypto_cipher_update(void *ctx, TEE_OperationMode mode,
				bool last_block, const uint8_t *data,
				size_t len, uint8_t *dst);
void crypto_cipher_final(void *ctx);
TEE_Result crypto_cipher_get_block_size(uint32_t algo, size_t *size);
void crypto_cipher_free_ctx(void *ctx);
void crypto_cipher_copy_state(void *dst_ctx, void *src_ctx);

/* Message Authentication Code functions */
TEE_Result crypto_mac_alloc_ctx(void **ctx, uint32_t algo);
TEE_Result crypto_mac_init(void *ctx, const uint8_t *key, size_t len);
TEE_Result crypto_mac_update(void *ctx, const uint8_t *data, size_t len);
TEE_Result crypto_mac_final(void *ctx, uint8_t *digest, size_t digest_len);
void crypto_mac_free_ctx(void *ctx);
void crypto_mac_copy_state(void *dst_ctx, void *src_ctx);

/* Authenticated encryption */
TEE_Result crypto_authenc_alloc_ctx(void **ctx, uint32_t algo);
TEE_Result crypto_authenc_init(void *ctx, TEE_OperationMode mode,
			       const uint8_t *key, size_t key_len,
			       const uint8_t *nonce, size_t nonce_len,
			       size_t tag_len, size_t aad_len,
			       size_t payload_len);
TEE_Result crypto_authenc_update_aad(void *ctx, TEE_OperationMode mode,
				     const uint8_t *data, size_t len);
TEE_Result crypto_authenc_update_payload(void *ctx, TEE_OperationMode mode,
					 const uint8_t *src_data,
					 size_t src_len, uint8_t *dst_data,
					 size_t *dst_len);
TEE_Result crypto_authenc_enc_final(void *ctx, const uint8_t *src_data,
				    size_t src_len, uint8_t *dst_data,
				    size_t *dst_len, uint8_t *dst_tag,
				    size_t *dst_tag_len);
TEE_Result crypto_authenc_dec_final(void *ctx, const uint8_t *src_data,
				    size_t src_len, uint8_t *dst_data,
				    size_t *dst_len, const uint8_t *tag,
				    size_t tag_len);
void crypto_authenc_final(void *ctx);
void crypto_authenc_free_ctx(void *ctx);
void crypto_authenc_copy_state(void *dst_ctx, void *src_ctx);

/* Implementation-defined big numbers */

/*
 * Allocate a bignum capable of holding an unsigned integer value of
 * up to bitsize bits
 */
struct bignum *crypto_bignum_allocate(size_t size_bits);
TEE_Result crypto_bignum_bin2bn(const uint8_t *from, size_t fromsize,
				struct bignum *to);
size_t crypto_bignum_num_bytes(struct bignum *a);
size_t crypto_bignum_num_bits(struct bignum *a);
void crypto_bignum_bn2bin(const struct bignum *from, uint8_t *to);
void crypto_bignum_copy(struct bignum *to, const struct bignum *from);
void crypto_bignum_free(struct bignum *a);
void crypto_bignum_clear(struct bignum *a);

/* return -1 if a<b, 0 if a==b, +1 if a>b */
int32_t crypto_bignum_compare(struct bignum *a, struct bignum *b);

/* Asymmetric algorithms */

struct rsa_keypair {
	struct bignum *e;	/* Public exponent */
	struct bignum *d;	/* Private exponent */
	struct bignum *n;	/* Modulus */

	/* Optional CRT parameters (all NULL if unused) */
	struct bignum *p;	/* N = pq */
	struct bignum *q;
	struct bignum *qp;	/* 1/q mod p */
	struct bignum *dp;	/* d mod (p-1) */
	struct bignum *dq;	/* d mod (q-1) */
};

struct rsa_public_key {
	struct bignum *e;	/* Public exponent */
	struct bignum *n;	/* Modulus */
};

struct dsa_keypair {
	struct bignum *g;	/* Generator of subgroup (public) */
	struct bignum *p;	/* Prime number (public) */
	struct bignum *q;	/* Order of subgroup (public) */
	struct bignum *y;	/* Public key */
	struct bignum *x;	/* Private key */
};

struct dsa_public_key {
	struct bignum *g;	/* Generator of subgroup (public) */
	struct bignum *p;	/* Prime number (public) */
	struct bignum *q;	/* Order of subgroup (public) */
	struct bignum *y;	/* Public key */
};

struct dh_keypair {
	struct bignum *g;	/* Generator of Z_p (shared) */
	struct bignum *p;	/* Prime modulus (shared) */
	struct bignum *x;	/* Private key */
	struct bignum *y;	/* Public key y = g^x */

	/*
	 * Optional parameters used by key generation.
	 * When not used, q == NULL and xbits == 0
	 */
	struct bignum *q;	/* x must be in the range [2, q-2] */
	uint32_t xbits;		/* Number of bits in the private key */
};

struct ecc_public_key {
	struct bignum *x;	/* Public value x */
	struct bignum *y;	/* Public value y */
	uint32_t curve;	        /* Curve type */
};

struct ecc_keypair {
	struct bignum *d;	/* Private value */
	struct bignum *x;	/* Public value x */
	struct bignum *y;	/* Public value y */
	uint32_t curve;	        /* Curve type */
};

/*
 * Key allocation functions
 * Allocate the bignum's inside a key structure.
 * TEE core will later use crypto_bignum_free().
 */
TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
				size_t key_size_bits);
TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
				   size_t key_size_bits);
void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s);
TEE_Result crypto_acipher_alloc_dsa_keypair(struct dsa_keypair *s,
				size_t key_size_bits);
TEE_Result crypto_acipher_alloc_dsa_public_key(struct dsa_public_key *s,
				   size_t key_size_bits);
TEE_Result crypto_acipher_alloc_dh_keypair(struct dh_keypair *s,
			       size_t key_size_bits);
TEE_Result crypto_acipher_alloc_ecc_public_key(struct ecc_public_key *s,
				   size_t key_size_bits);
TEE_Result crypto_acipher_alloc_ecc_keypair(struct ecc_keypair *s,
				size_t key_size_bits);
void crypto_acipher_free_ecc_public_key(struct ecc_public_key *s);

/*
 * Key generation functions
 */
TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size);
TEE_Result crypto_acipher_gen_dsa_key(struct dsa_keypair *key, size_t key_size);
TEE_Result crypto_acipher_gen_dh_key(struct dh_keypair *key, struct bignum *q,
				     size_t xbits);
TEE_Result crypto_acipher_gen_ecc_key(struct ecc_keypair *key);

TEE_Result crypto_acipher_dh_shared_secret(struct dh_keypair *private_key,
					   struct bignum *public_key,
					   struct bignum *secret);

TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
					   const uint8_t *src, size_t src_len,
					   uint8_t *dst, size_t *dst_len);
TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
					   const uint8_t *src, size_t src_len,
					   uint8_t *dst, size_t *dst_len);
TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key,
					const uint8_t *label, size_t label_len,
					const uint8_t *src, size_t src_len,
					uint8_t *dst, size_t *dst_len);
TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo,
					struct rsa_public_key *key,
					const uint8_t *label, size_t label_len,
					const uint8_t *src, size_t src_len,
					uint8_t *dst, size_t *dst_len);
/* RSA SSA sign/verify: if salt_len == -1, use default value */
TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
				      int salt_len, const uint8_t *msg,
				      size_t msg_len, uint8_t *sig,
				      size_t *sig_len);
TEE_Result crypto_acipher_rsassa_verify(uint32_t algo,
					struct rsa_public_key *key,
					int salt_len, const uint8_t *msg,
					size_t msg_len, const uint8_t *sig,
					size_t sig_len);
TEE_Result crypto_acipher_dsa_sign(uint32_t algo, struct dsa_keypair *key,
				   const uint8_t *msg, size_t msg_len,
				   uint8_t *sig, size_t *sig_len);
TEE_Result crypto_acipher_dsa_verify(uint32_t algo, struct dsa_public_key *key,
				     const uint8_t *msg, size_t msg_len,
				     const uint8_t *sig, size_t sig_len);
TEE_Result crypto_acipher_ecc_sign(uint32_t algo, struct ecc_keypair *key,
				   const uint8_t *msg, size_t msg_len,
				   uint8_t *sig, size_t *sig_len);
TEE_Result crypto_acipher_ecc_verify(uint32_t algo, struct ecc_public_key *key,
				     const uint8_t *msg, size_t msg_len,
				     const uint8_t *sig, size_t sig_len);
TEE_Result crypto_acipher_ecc_shared_secret(struct ecc_keypair *private_key,
					    struct ecc_public_key *public_key,
					    void *secret,
					    unsigned long *secret_len);

/*
 * Verifies a SHA-256 hash, doesn't require crypto_init() to be called in
 * advance and has as few dependencies as possible.
 *
 * This function is primarily used by pager and early initialization code
 * where the complete crypto library isn't available.
 */
TEE_Result hash_sha256_check(const uint8_t *hash, const uint8_t *data,
		size_t data_size);

/*
 * Computes a SHA-512/256 hash, vetted conditioner as per NIST.SP.800-90B.
 * It doesn't require crypto_init() to be called in advance and has as few
 * dependencies as possible.
 *
 * This function could be used inside interrupt context where the crypto
 * library can't be used due to mutex handling.
 */
TEE_Result hash_sha512_256_compute(uint8_t *digest, const uint8_t *data,
		size_t data_size);

#define CRYPTO_RNG_SRC_IS_QUICK(sid) (!!((sid) & 1))

/*
 * enum crypto_rng_src - RNG entropy source
 *
 * Identifiers for different RNG entropy sources. The lowest bit indicates
 * if the source is to be merely queued (bit is 1) or if it's delivered
 * directly to the pool. The difference is that in the latter case RPC to
 * normal world can be performed and in the former it must not.
 */
enum crypto_rng_src {
	CRYPTO_RNG_SRC_JITTER_SESSION	= (0 << 1 | 0),
	CRYPTO_RNG_SRC_JITTER_RPC	= (1 << 1 | 1),
	CRYPTO_RNG_SRC_NONSECURE	= (1 << 1 | 0),
};

/*
 * crypto_rng_init() - initialize the RNG
 * @data:	buffer with initial seed
 * @dlen:	length of @data
 */
TEE_Result crypto_rng_init(const void *data, size_t dlen);

/*
 * crypto_rng_add_event() - supply entropy to RNG from a source
 * @sid:	Source identifier, should be unique for a specific source
 * @pnum:	Pool number, acquired using crypto_rng_get_next_pool_num()
 * @data:	Data associated with the event
 * @dlen:	Length of @data
 *
 * @sid controls whether the event is merly queued in a ring buffer or if
 * it's added to one of the pools directly. If CRYPTO_RNG_SRC_IS_QUICK() is
 * true (lowest bit set) events are queue otherwise added to corresponding
 * pool. If CRYPTO_RNG_SRC_IS_QUICK() is false, eventual queued events are
 * added to their queues too.
 */
void crypto_rng_add_event(enum crypto_rng_src sid, unsigned int *pnum,
			  const void *data, size_t dlen);

/*
 * crypto_rng_read() - read cryptograhically secure RNG
 * @buf:	Buffer to hold the data
 * @len:	Length of buffer.
 *
 * Eventual queued events are also added to their pools during this
 * function call.
 */
TEE_Result crypto_rng_read(void *buf, size_t len);

/*
 * crypto_aes_expand_enc_key() - Expand an AES key
 * @key:	AES key buffer
 * @key_len:	Size of the the @key buffer in bytes
 * @enc_key:	Expanded AES encryption key buffer
 * @enc_keylen: Size of the @enc_key buffer in bytes
 * @rounds:	Number of rounds to be used during encryption
 */
TEE_Result crypto_aes_expand_enc_key(const void *key, size_t key_len,
				     void *enc_key, size_t enc_keylen,
				     unsigned int *rounds);

/*
 * crypto_aes_enc_block() - Encrypt an AES block
 * @enc_key:	Expanded AES encryption key
 * @enc_keylen:	Size of @enc_key in bytes
 * @rounds:	Number of rounds
 * @src:	Source buffer of one AES block (16 bytes)
 * @dst:	Destination buffer of one AES block (16 bytes)
 */
void crypto_aes_enc_block(const void *enc_key, size_t enc_keylen,
			  unsigned int rounds, const void *src, void *dst);

#endif /* __CRYPTO_CRYPTO_H */