1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, Linaro Limited 4 */ 5 6 #include <config.h> 7 #include <crypto/crypto_impl.h> 8 #include <stdlib.h> 9 #include <string.h> 10 #include <tee_api_types.h> 11 #include <trace.h> 12 #include <utee_defines.h> 13 14 #include "acipher_helpers.h" 15 16 static void _ltc_ecc_free_public_key(struct ecc_public_key *s) 17 { 18 if (!s) 19 return; 20 21 crypto_bignum_free(s->x); 22 crypto_bignum_free(s->y); 23 } 24 25 /* 26 * For a given TEE @curve, return key size and LTC curve name. Also check that 27 * @algo is compatible with this curve. 28 * @curve: TEE_ECC_CURVE_NIST_P192, ... 29 * @algo: TEE_ALG_ECDSA_P192, ... 30 */ 31 static TEE_Result ecc_get_curve_info(uint32_t curve, uint32_t algo, 32 size_t *key_size_bytes, 33 size_t *key_size_bits, 34 const char **curve_name) 35 { 36 size_t size_bytes = 0; 37 size_t size_bits = 0; 38 const char *name = NULL; 39 40 /* 41 * Excerpt of libtomcrypt documentation: 42 * ecc_make_key(... key_size ...): The keysize is the size of the 43 * modulus in bytes desired. Currently directly supported values 44 * are 12, 16, 20, 24, 28, 32, 48, and 65 bytes which correspond 45 * to key sizes of 112, 128, 160, 192, 224, 256, 384, and 521 bits 46 * respectively. 47 */ 48 49 /* 50 * Note GPv1.1 indicates TEE_ALG_ECDH_NIST_P192_DERIVE_SHARED_SECRET 51 * but defines TEE_ALG_ECDH_P192 52 */ 53 54 switch (curve) { 55 case TEE_ECC_CURVE_NIST_P192: 56 size_bits = 192; 57 size_bytes = 24; 58 name = "NISTP192"; 59 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P192) && 60 (algo != TEE_ALG_ECDH_P192)) 61 return TEE_ERROR_BAD_PARAMETERS; 62 break; 63 case TEE_ECC_CURVE_NIST_P224: 64 size_bits = 224; 65 size_bytes = 28; 66 name = "NISTP224"; 67 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P224) && 68 (algo != TEE_ALG_ECDH_P224)) 69 return TEE_ERROR_BAD_PARAMETERS; 70 break; 71 case TEE_ECC_CURVE_NIST_P256: 72 size_bits = 256; 73 size_bytes = 32; 74 name = "NISTP256"; 75 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P256) && 76 (algo != TEE_ALG_ECDH_P256)) 77 return TEE_ERROR_BAD_PARAMETERS; 78 break; 79 case TEE_ECC_CURVE_NIST_P384: 80 size_bits = 384; 81 size_bytes = 48; 82 name = "NISTP384"; 83 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P384) && 84 (algo != TEE_ALG_ECDH_P384)) 85 return TEE_ERROR_BAD_PARAMETERS; 86 break; 87 case TEE_ECC_CURVE_NIST_P521: 88 size_bits = 521; 89 size_bytes = 66; 90 name = "NISTP521"; 91 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P521) && 92 (algo != TEE_ALG_ECDH_P521)) 93 return TEE_ERROR_BAD_PARAMETERS; 94 break; 95 case TEE_ECC_CURVE_SM2: 96 size_bits = 256; 97 size_bytes = 32; 98 name = "SM2"; 99 if ((algo != 0) && (algo != TEE_ALG_SM2_PKE) && 100 (algo != TEE_ALG_SM2_DSA_SM3) && 101 (algo != TEE_ALG_SM2_KEP)) 102 return TEE_ERROR_BAD_PARAMETERS; 103 break; 104 default: 105 return TEE_ERROR_NOT_SUPPORTED; 106 } 107 108 if (key_size_bytes) 109 *key_size_bytes = size_bytes; 110 if (key_size_bits) 111 *key_size_bits = size_bits; 112 if (curve_name) 113 *curve_name = name; 114 return TEE_SUCCESS; 115 } 116 117 static TEE_Result _ltc_ecc_generate_keypair(struct ecc_keypair *key, 118 size_t key_size) 119 { 120 TEE_Result res; 121 ecc_key ltc_tmp_key; 122 int ltc_res; 123 size_t key_size_bytes = 0; 124 size_t key_size_bits = 0; 125 126 res = ecc_get_curve_info(key->curve, 0, &key_size_bytes, &key_size_bits, 127 NULL); 128 if (res != TEE_SUCCESS) 129 return res; 130 131 if (key_size != key_size_bits) 132 return TEE_ERROR_BAD_PARAMETERS; 133 134 /* Generate the ECC key */ 135 ltc_res = ecc_make_key(NULL, find_prng("prng_crypto"), 136 key_size_bytes, <c_tmp_key); 137 if (ltc_res != CRYPT_OK) 138 return TEE_ERROR_BAD_PARAMETERS; 139 140 /* check the size of the keys */ 141 if (((size_t)mp_count_bits(ltc_tmp_key.pubkey.x) > key_size_bits) || 142 ((size_t)mp_count_bits(ltc_tmp_key.pubkey.y) > key_size_bits) || 143 ((size_t)mp_count_bits(ltc_tmp_key.k) > key_size_bits)) { 144 res = TEE_ERROR_BAD_PARAMETERS; 145 goto exit; 146 } 147 148 /* check LTC is returning z==1 */ 149 if (mp_count_bits(ltc_tmp_key.pubkey.z) != 1) { 150 res = TEE_ERROR_BAD_PARAMETERS; 151 goto exit; 152 } 153 154 /* Copy the key */ 155 ltc_mp.copy(ltc_tmp_key.k, key->d); 156 ltc_mp.copy(ltc_tmp_key.pubkey.x, key->x); 157 ltc_mp.copy(ltc_tmp_key.pubkey.y, key->y); 158 159 res = TEE_SUCCESS; 160 161 exit: 162 ecc_free(<c_tmp_key); /* Free the temporary key */ 163 return res; 164 } 165 166 /* Note: this function clears the key before setting the curve */ 167 static TEE_Result ecc_set_curve_from_name(ecc_key *ltc_key, 168 const char *curve_name) 169 { 170 const ltc_ecc_curve *curve = NULL; 171 int ltc_res = 0; 172 173 ltc_res = ecc_find_curve(curve_name, &curve); 174 if (ltc_res != CRYPT_OK) 175 return TEE_ERROR_NOT_SUPPORTED; 176 177 ltc_res = ecc_set_curve(curve, ltc_key); 178 if (ltc_res != CRYPT_OK) 179 return TEE_ERROR_GENERIC; 180 181 return TEE_SUCCESS; 182 } 183 184 /* 185 * Given a keypair "key", populate the Libtomcrypt private key "ltc_key" 186 * It also returns the key size, in bytes 187 */ 188 TEE_Result ecc_populate_ltc_private_key(ecc_key *ltc_key, 189 struct ecc_keypair *key, 190 uint32_t algo, size_t *key_size_bytes) 191 { 192 TEE_Result res = TEE_ERROR_GENERIC; 193 const char *name = NULL; 194 195 res = ecc_get_curve_info(key->curve, algo, key_size_bytes, NULL, &name); 196 if (res) 197 return res; 198 199 memset(ltc_key, 0, sizeof(*ltc_key)); 200 201 res = ecc_set_curve_from_name(ltc_key, name); 202 if (res) 203 return res; 204 205 ltc_key->type = PK_PRIVATE; 206 mp_copy(key->d, ltc_key->k); 207 mp_copy(key->x, ltc_key->pubkey.x); 208 mp_copy(key->y, ltc_key->pubkey.y); 209 mp_set_int(ltc_key->pubkey.z, 1); 210 211 return TEE_SUCCESS; 212 } 213 214 /* 215 * Given a public "key", populate the Libtomcrypt public key "ltc_key" 216 * It also returns the key size, in bytes 217 */ 218 TEE_Result ecc_populate_ltc_public_key(ecc_key *ltc_key, 219 struct ecc_public_key *key, 220 uint32_t algo, size_t *key_size_bytes) 221 { 222 TEE_Result res = TEE_ERROR_GENERIC; 223 const char *name = NULL; 224 uint8_t one[1] = { 1 }; 225 226 res = ecc_get_curve_info(key->curve, algo, key_size_bytes, NULL, &name); 227 if (res) 228 return res; 229 230 memset(ltc_key, 0, sizeof(*ltc_key)); 231 232 res = ecc_set_curve_from_name(ltc_key, name); 233 if (res) 234 return res; 235 236 ltc_key->type = PK_PUBLIC; 237 238 mp_copy(key->x, ltc_key->pubkey.x); 239 mp_copy(key->y, ltc_key->pubkey.y); 240 mp_read_unsigned_bin(ltc_key->pubkey.z, one, sizeof(one)); 241 242 return TEE_SUCCESS; 243 } 244 245 static TEE_Result _ltc_ecc_sign(uint32_t algo, struct ecc_keypair *key, 246 const uint8_t *msg, size_t msg_len, 247 uint8_t *sig, size_t *sig_len) 248 { 249 TEE_Result res = TEE_ERROR_GENERIC; 250 int ltc_res = 0; 251 size_t key_size_bytes = 0; 252 ecc_key ltc_key = { }; 253 unsigned long ltc_sig_len = 0; 254 255 if (algo == 0) 256 return TEE_ERROR_BAD_PARAMETERS; 257 258 res = ecc_populate_ltc_private_key(<c_key, key, algo, 259 &key_size_bytes); 260 if (res != TEE_SUCCESS) 261 return res; 262 263 if (*sig_len < 2 * key_size_bytes) { 264 *sig_len = 2 * key_size_bytes; 265 res = TEE_ERROR_SHORT_BUFFER; 266 goto out; 267 } 268 269 ltc_sig_len = *sig_len; 270 ltc_res = ecc_sign_hash_rfc7518(msg, msg_len, sig, <c_sig_len, 271 NULL, find_prng("prng_crypto"), <c_key); 272 if (ltc_res == CRYPT_OK) { 273 res = TEE_SUCCESS; 274 } else { 275 res = TEE_ERROR_GENERIC; 276 } 277 *sig_len = ltc_sig_len; 278 279 out: 280 ecc_free(<c_key); 281 return res; 282 } 283 284 static TEE_Result _ltc_ecc_verify(uint32_t algo, struct ecc_public_key *key, 285 const uint8_t *msg, size_t msg_len, 286 const uint8_t *sig, size_t sig_len) 287 { 288 TEE_Result res = TEE_ERROR_GENERIC; 289 int ltc_stat = 0; 290 int ltc_res = 0; 291 size_t key_size_bytes = 0; 292 ecc_key ltc_key = { }; 293 294 if (algo == 0) 295 return TEE_ERROR_BAD_PARAMETERS; 296 297 res = ecc_populate_ltc_public_key(<c_key, key, algo, &key_size_bytes); 298 if (res != TEE_SUCCESS) 299 goto out; 300 301 /* check keysize vs sig_len */ 302 if ((key_size_bytes * 2) != sig_len) { 303 res = TEE_ERROR_BAD_PARAMETERS; 304 goto out; 305 } 306 307 ltc_res = ecc_verify_hash_rfc7518(sig, sig_len, msg, msg_len, <c_stat, 308 <c_key); 309 res = convert_ltc_verify_status(ltc_res, ltc_stat); 310 out: 311 ecc_free(<c_key); 312 return res; 313 } 314 315 static TEE_Result _ltc_ecc_shared_secret(struct ecc_keypair *private_key, 316 struct ecc_public_key *public_key, 317 void *secret, 318 unsigned long *secret_len) 319 { 320 TEE_Result res = TEE_ERROR_GENERIC; 321 int ltc_res = 0; 322 ecc_key ltc_private_key = { }; 323 ecc_key ltc_public_key = { }; 324 size_t key_size_bytes = 0; 325 326 /* Check the curves are the same */ 327 if (private_key->curve != public_key->curve) 328 return TEE_ERROR_BAD_PARAMETERS; 329 330 res = ecc_populate_ltc_private_key(<c_private_key, private_key, 331 0, &key_size_bytes); 332 if (res != TEE_SUCCESS) 333 goto out; 334 res = ecc_populate_ltc_public_key(<c_public_key, public_key, 335 0, &key_size_bytes); 336 if (res != TEE_SUCCESS) 337 goto out; 338 339 ltc_res = ecc_shared_secret(<c_private_key, <c_public_key, 340 secret, secret_len); 341 if (ltc_res == CRYPT_OK) 342 res = TEE_SUCCESS; 343 else 344 res = TEE_ERROR_BAD_PARAMETERS; 345 346 out: 347 ecc_free(<c_private_key); 348 ecc_free(<c_public_key); 349 return res; 350 } 351 352 static const struct crypto_ecc_keypair_ops ecc_keypair_ops = { 353 .generate = _ltc_ecc_generate_keypair, 354 .sign = _ltc_ecc_sign, 355 .shared_secret = _ltc_ecc_shared_secret, 356 }; 357 358 static const struct crypto_ecc_public_ops ecc_public_key_ops = { 359 .free = _ltc_ecc_free_public_key, 360 .verify = _ltc_ecc_verify, 361 }; 362 363 static const struct crypto_ecc_keypair_ops sm2_dsa_keypair_ops = { 364 .generate = _ltc_ecc_generate_keypair, 365 .sign = sm2_ltc_dsa_sign, 366 }; 367 368 static const struct crypto_ecc_public_ops sm2_dsa_public_key_ops = { 369 .free = _ltc_ecc_free_public_key, 370 .verify = sm2_ltc_dsa_verify, 371 }; 372 373 static const struct crypto_ecc_keypair_ops sm2_pke_keypair_ops = { 374 .generate = _ltc_ecc_generate_keypair, 375 .decrypt = sm2_ltc_pke_decrypt, 376 }; 377 378 static const struct crypto_ecc_public_ops sm2_pke_public_key_ops = { 379 .free = _ltc_ecc_free_public_key, 380 .encrypt = sm2_ltc_pke_encrypt, 381 }; 382 383 static const struct crypto_ecc_keypair_ops sm2_kep_keypair_ops = { 384 .generate = _ltc_ecc_generate_keypair, 385 }; 386 387 static const struct crypto_ecc_public_ops sm2_kep_public_key_ops = { 388 .free = _ltc_ecc_free_public_key, 389 }; 390 391 TEE_Result crypto_asym_alloc_ecc_keypair(struct ecc_keypair *s, 392 uint32_t key_type, 393 size_t key_size_bits __unused) 394 { 395 memset(s, 0, sizeof(*s)); 396 397 switch (key_type) { 398 case TEE_TYPE_ECDSA_KEYPAIR: 399 case TEE_TYPE_ECDH_KEYPAIR: 400 s->ops = &ecc_keypair_ops; 401 break; 402 case TEE_TYPE_SM2_DSA_KEYPAIR: 403 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_DSA)) 404 return TEE_ERROR_NOT_IMPLEMENTED; 405 406 s->ops = &sm2_dsa_keypair_ops; 407 break; 408 case TEE_TYPE_SM2_PKE_KEYPAIR: 409 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_PKE)) 410 return TEE_ERROR_NOT_IMPLEMENTED; 411 412 s->ops = &sm2_pke_keypair_ops; 413 break; 414 case TEE_TYPE_SM2_KEP_KEYPAIR: 415 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_KEP)) 416 return TEE_ERROR_NOT_IMPLEMENTED; 417 418 s->ops = &sm2_kep_keypair_ops; 419 break; 420 default: 421 return TEE_ERROR_NOT_IMPLEMENTED; 422 } 423 424 if (!bn_alloc_max(&s->d)) 425 goto err; 426 if (!bn_alloc_max(&s->x)) 427 goto err; 428 if (!bn_alloc_max(&s->y)) 429 goto err; 430 431 return TEE_SUCCESS; 432 433 err: 434 s->ops = NULL; 435 436 crypto_bignum_free(s->d); 437 crypto_bignum_free(s->x); 438 439 return TEE_ERROR_OUT_OF_MEMORY; 440 } 441 442 TEE_Result crypto_asym_alloc_ecc_public_key(struct ecc_public_key *s, 443 uint32_t key_type, 444 size_t key_size_bits __unused) 445 { 446 memset(s, 0, sizeof(*s)); 447 448 switch (key_type) { 449 case TEE_TYPE_ECDSA_PUBLIC_KEY: 450 case TEE_TYPE_ECDH_PUBLIC_KEY: 451 s->ops = &ecc_public_key_ops; 452 break; 453 case TEE_TYPE_SM2_DSA_PUBLIC_KEY: 454 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_DSA)) 455 return TEE_ERROR_NOT_IMPLEMENTED; 456 457 s->ops = &sm2_dsa_public_key_ops; 458 break; 459 case TEE_TYPE_SM2_PKE_PUBLIC_KEY: 460 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_PKE)) 461 return TEE_ERROR_NOT_IMPLEMENTED; 462 463 s->ops = &sm2_pke_public_key_ops; 464 break; 465 case TEE_TYPE_SM2_KEP_PUBLIC_KEY: 466 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_KEP)) 467 return TEE_ERROR_NOT_IMPLEMENTED; 468 469 s->ops = &sm2_kep_public_key_ops; 470 break; 471 default: 472 return TEE_ERROR_NOT_IMPLEMENTED; 473 } 474 475 if (!bn_alloc_max(&s->x)) 476 goto err; 477 if (!bn_alloc_max(&s->y)) 478 goto err; 479 480 return TEE_SUCCESS; 481 482 err: 483 s->ops = NULL; 484 485 crypto_bignum_free(s->x); 486 487 return TEE_ERROR_OUT_OF_MEMORY; 488 } 489