1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <stdlib.h> 8 #include <string.h> 9 #include <tee_api_types.h> 10 #include <tee_api_defines_extensions.h> 11 #include <tee/tee_cryp_utl.h> 12 #include <tomcrypt.h> 13 #include <trace.h> 14 #include <utee_defines.h> 15 16 #include "acipher_helpers.h" 17 18 19 /* 20 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 21 * Return 22 * - TEE_SUCCESS in case of success, 23 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 24 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 25 * Return -1 in case of error 26 */ 27 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 28 { 29 switch (algo) { 30 #if defined(_CFG_CORE_LTC_SHA1) 31 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 32 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 33 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 34 *ltc_hashindex = find_hash("sha1"); 35 break; 36 #endif 37 #if defined(_CFG_CORE_LTC_MD5) 38 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 39 *ltc_hashindex = find_hash("md5"); 40 break; 41 #endif 42 #if defined(_CFG_CORE_LTC_SHA224) 43 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 44 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 45 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 46 *ltc_hashindex = find_hash("sha224"); 47 break; 48 #endif 49 #if defined(_CFG_CORE_LTC_SHA256) 50 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 51 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 52 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 53 *ltc_hashindex = find_hash("sha256"); 54 break; 55 #endif 56 #if defined(_CFG_CORE_LTC_SHA384) 57 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 58 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 59 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 60 *ltc_hashindex = find_hash("sha384"); 61 break; 62 #endif 63 #if defined(_CFG_CORE_LTC_SHA512) 64 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 65 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 66 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 67 *ltc_hashindex = find_hash("sha512"); 68 break; 69 #endif 70 case TEE_ALG_RSASSA_PKCS1_V1_5: 71 case TEE_ALG_RSAES_PKCS1_V1_5: 72 /* invalid one. but it should not be used anyway */ 73 *ltc_hashindex = -1; 74 return TEE_SUCCESS; 75 76 default: 77 return TEE_ERROR_BAD_PARAMETERS; 78 } 79 80 if (*ltc_hashindex < 0) 81 return TEE_ERROR_NOT_SUPPORTED; 82 else 83 return TEE_SUCCESS; 84 } 85 86 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 87 size_t key_size_bits __unused) 88 { 89 memset(s, 0, sizeof(*s)); 90 if (!bn_alloc_max(&s->e)) 91 return TEE_ERROR_OUT_OF_MEMORY; 92 if (!bn_alloc_max(&s->d)) 93 goto err; 94 if (!bn_alloc_max(&s->n)) 95 goto err; 96 if (!bn_alloc_max(&s->p)) 97 goto err; 98 if (!bn_alloc_max(&s->q)) 99 goto err; 100 if (!bn_alloc_max(&s->qp)) 101 goto err; 102 if (!bn_alloc_max(&s->dp)) 103 goto err; 104 if (!bn_alloc_max(&s->dq)) 105 goto err; 106 107 return TEE_SUCCESS; 108 err: 109 crypto_bignum_free(s->e); 110 crypto_bignum_free(s->d); 111 crypto_bignum_free(s->n); 112 crypto_bignum_free(s->p); 113 crypto_bignum_free(s->q); 114 crypto_bignum_free(s->qp); 115 crypto_bignum_free(s->dp); 116 117 return TEE_ERROR_OUT_OF_MEMORY; 118 } 119 120 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 121 size_t key_size_bits __unused) 122 { 123 memset(s, 0, sizeof(*s)); 124 if (!bn_alloc_max(&s->e)) 125 return TEE_ERROR_OUT_OF_MEMORY; 126 if (!bn_alloc_max(&s->n)) 127 goto err; 128 return TEE_SUCCESS; 129 err: 130 crypto_bignum_free(s->e); 131 return TEE_ERROR_OUT_OF_MEMORY; 132 } 133 134 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 135 { 136 if (!s) 137 return; 138 crypto_bignum_free(s->n); 139 crypto_bignum_free(s->e); 140 } 141 142 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 143 { 144 TEE_Result res; 145 rsa_key ltc_tmp_key; 146 int ltc_res; 147 long e; 148 149 /* get the public exponent */ 150 e = mp_get_int(key->e); 151 152 /* Generate a temporary RSA key */ 153 ltc_res = rsa_make_key(NULL, find_prng("prng_crypto"), key_size / 8, e, 154 <c_tmp_key); 155 if (ltc_res != CRYPT_OK) { 156 res = TEE_ERROR_BAD_PARAMETERS; 157 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 158 rsa_free(<c_tmp_key); 159 res = TEE_ERROR_BAD_PARAMETERS; 160 } else { 161 /* Copy the key */ 162 ltc_mp.copy(ltc_tmp_key.e, key->e); 163 ltc_mp.copy(ltc_tmp_key.d, key->d); 164 ltc_mp.copy(ltc_tmp_key.N, key->n); 165 ltc_mp.copy(ltc_tmp_key.p, key->p); 166 ltc_mp.copy(ltc_tmp_key.q, key->q); 167 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 168 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 169 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 170 171 /* Free the temporary key */ 172 rsa_free(<c_tmp_key); 173 res = TEE_SUCCESS; 174 } 175 176 return res; 177 } 178 179 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 180 size_t src_len, uint8_t *dst, size_t *dst_len) 181 { 182 TEE_Result res = TEE_SUCCESS; 183 uint8_t *buf = NULL; 184 unsigned long blen, offset; 185 int ltc_res; 186 187 /* 188 * Use a temporary buffer since we don't know exactly how large the 189 * required size of the out buffer without doing a partial decrypt. 190 * We know the upper bound though. 191 */ 192 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 193 buf = malloc(blen); 194 if (!buf) { 195 res = TEE_ERROR_OUT_OF_MEMORY; 196 goto out; 197 } 198 199 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 200 ltc_key); 201 switch (ltc_res) { 202 case CRYPT_PK_NOT_PRIVATE: 203 case CRYPT_PK_INVALID_TYPE: 204 case CRYPT_PK_INVALID_SIZE: 205 case CRYPT_INVALID_PACKET: 206 EMSG("rsa_exptmod() returned %d", ltc_res); 207 res = TEE_ERROR_BAD_PARAMETERS; 208 goto out; 209 case CRYPT_OK: 210 break; 211 default: 212 /* This will result in a panic */ 213 EMSG("rsa_exptmod() returned %d", ltc_res); 214 res = TEE_ERROR_GENERIC; 215 goto out; 216 } 217 218 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 219 offset = 0; 220 while ((offset < blen - 1) && (buf[offset] == 0)) 221 offset++; 222 223 if (*dst_len < blen - offset) { 224 *dst_len = blen - offset; 225 res = TEE_ERROR_SHORT_BUFFER; 226 goto out; 227 } 228 229 res = TEE_SUCCESS; 230 *dst_len = blen - offset; 231 memcpy(dst, (char *)buf + offset, *dst_len); 232 233 out: 234 if (buf) 235 free(buf); 236 237 return res; 238 } 239 240 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 241 const uint8_t *src, size_t src_len, 242 uint8_t *dst, size_t *dst_len) 243 { 244 TEE_Result res; 245 rsa_key ltc_key = { 0, }; 246 247 ltc_key.type = PK_PUBLIC; 248 ltc_key.e = key->e; 249 ltc_key.N = key->n; 250 251 res = rsadorep(<c_key, src, src_len, dst, dst_len); 252 return res; 253 } 254 255 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 256 const uint8_t *src, size_t src_len, 257 uint8_t *dst, size_t *dst_len) 258 { 259 TEE_Result res; 260 rsa_key ltc_key = { 0, }; 261 262 ltc_key.type = PK_PRIVATE; 263 ltc_key.e = key->e; 264 ltc_key.N = key->n; 265 ltc_key.d = key->d; 266 if (key->p && crypto_bignum_num_bytes(key->p)) { 267 ltc_key.p = key->p; 268 ltc_key.q = key->q; 269 ltc_key.qP = key->qp; 270 ltc_key.dP = key->dp; 271 ltc_key.dQ = key->dq; 272 } 273 274 res = rsadorep(<c_key, src, src_len, dst, dst_len); 275 return res; 276 } 277 278 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 279 const uint8_t *label, size_t label_len, 280 const uint8_t *src, size_t src_len, 281 uint8_t *dst, size_t *dst_len) 282 { 283 TEE_Result res = TEE_SUCCESS; 284 void *buf = NULL; 285 unsigned long blen; 286 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 287 size_t mod_size; 288 rsa_key ltc_key = { 0, }; 289 290 ltc_key.type = PK_PRIVATE; 291 ltc_key.e = key->e; 292 ltc_key.d = key->d; 293 ltc_key.N = key->n; 294 if (key->p && crypto_bignum_num_bytes(key->p)) { 295 ltc_key.p = key->p; 296 ltc_key.q = key->q; 297 ltc_key.qP = key->qp; 298 ltc_key.dP = key->dp; 299 ltc_key.dQ = key->dq; 300 } 301 302 /* Get the algorithm */ 303 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 304 if (res != TEE_SUCCESS) { 305 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 306 goto out; 307 } 308 309 /* 310 * Use a temporary buffer since we don't know exactly how large 311 * the required size of the out buffer without doing a partial 312 * decrypt. We know the upper bound though. 313 */ 314 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 315 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 316 blen = mod_size - 11; 317 ltc_rsa_algo = LTC_PKCS_1_V1_5; 318 } else { 319 /* Decoded message is always shorter than encrypted message */ 320 blen = src_len; 321 ltc_rsa_algo = LTC_PKCS_1_OAEP; 322 } 323 324 buf = malloc(blen); 325 if (!buf) { 326 res = TEE_ERROR_OUT_OF_MEMORY; 327 goto out; 328 } 329 330 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 331 ((label_len == 0) ? 0 : label), label_len, 332 ltc_hashindex, ltc_rsa_algo, <c_stat, 333 <c_key); 334 switch (ltc_res) { 335 case CRYPT_PK_INVALID_PADDING: 336 case CRYPT_INVALID_PACKET: 337 case CRYPT_PK_INVALID_SIZE: 338 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 339 res = TEE_ERROR_BAD_PARAMETERS; 340 goto out; 341 case CRYPT_OK: 342 break; 343 default: 344 /* This will result in a panic */ 345 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 346 res = TEE_ERROR_GENERIC; 347 goto out; 348 } 349 if (ltc_stat != 1) { 350 /* This will result in a panic */ 351 EMSG("rsa_decrypt_key_ex() returned %d and %d", 352 ltc_res, ltc_stat); 353 res = TEE_ERROR_GENERIC; 354 goto out; 355 } 356 357 if (*dst_len < blen) { 358 *dst_len = blen; 359 res = TEE_ERROR_SHORT_BUFFER; 360 goto out; 361 } 362 363 res = TEE_SUCCESS; 364 *dst_len = blen; 365 memcpy(dst, buf, blen); 366 367 out: 368 if (buf) 369 free(buf); 370 371 return res; 372 } 373 374 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 375 struct rsa_public_key *key, 376 const uint8_t *label, size_t label_len, 377 const uint8_t *src, size_t src_len, 378 uint8_t *dst, size_t *dst_len) 379 { 380 TEE_Result res; 381 uint32_t mod_size; 382 int ltc_hashindex, ltc_res, ltc_rsa_algo; 383 rsa_key ltc_key = { 384 .type = PK_PUBLIC, 385 .e = key->e, 386 .N = key->n 387 }; 388 389 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 390 if (*dst_len < mod_size) { 391 *dst_len = mod_size; 392 res = TEE_ERROR_SHORT_BUFFER; 393 goto out; 394 } 395 *dst_len = mod_size; 396 397 /* Get the algorithm */ 398 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 399 if (res != TEE_SUCCESS) 400 goto out; 401 402 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 403 ltc_rsa_algo = LTC_PKCS_1_V1_5; 404 else 405 ltc_rsa_algo = LTC_PKCS_1_OAEP; 406 407 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 408 (unsigned long *)(dst_len), label, 409 label_len, NULL, find_prng("prng_crypto"), 410 ltc_hashindex, ltc_rsa_algo, <c_key); 411 switch (ltc_res) { 412 case CRYPT_PK_INVALID_PADDING: 413 case CRYPT_INVALID_PACKET: 414 case CRYPT_PK_INVALID_SIZE: 415 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 416 res = TEE_ERROR_BAD_PARAMETERS; 417 goto out; 418 case CRYPT_OK: 419 break; 420 default: 421 /* This will result in a panic */ 422 res = TEE_ERROR_GENERIC; 423 goto out; 424 } 425 res = TEE_SUCCESS; 426 427 out: 428 return res; 429 } 430 431 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 432 int salt_len, const uint8_t *msg, 433 size_t msg_len, uint8_t *sig, 434 size_t *sig_len) 435 { 436 TEE_Result res; 437 size_t hash_size, mod_size; 438 int ltc_res, ltc_rsa_algo, ltc_hashindex; 439 unsigned long ltc_sig_len; 440 rsa_key ltc_key = { 0, }; 441 442 ltc_key.type = PK_PRIVATE; 443 ltc_key.e = key->e; 444 ltc_key.N = key->n; 445 ltc_key.d = key->d; 446 if (key->p && crypto_bignum_num_bytes(key->p)) { 447 ltc_key.p = key->p; 448 ltc_key.q = key->q; 449 ltc_key.qP = key->qp; 450 ltc_key.dP = key->dp; 451 ltc_key.dQ = key->dq; 452 } 453 454 switch (algo) { 455 case TEE_ALG_RSASSA_PKCS1_V1_5: 456 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 457 break; 458 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 459 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 460 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 461 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 462 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 463 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 464 ltc_rsa_algo = LTC_PKCS_1_V1_5; 465 break; 466 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 467 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 468 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 469 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 470 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 471 ltc_rsa_algo = LTC_PKCS_1_PSS; 472 break; 473 default: 474 res = TEE_ERROR_BAD_PARAMETERS; 475 goto err; 476 } 477 478 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 479 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 480 if (ltc_res != CRYPT_OK) { 481 res = TEE_ERROR_BAD_PARAMETERS; 482 goto err; 483 } 484 485 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 486 &hash_size); 487 if (res != TEE_SUCCESS) 488 goto err; 489 490 if (msg_len != hash_size) { 491 res = TEE_ERROR_BAD_PARAMETERS; 492 goto err; 493 } 494 } 495 496 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 497 498 if (*sig_len < mod_size) { 499 *sig_len = mod_size; 500 res = TEE_ERROR_SHORT_BUFFER; 501 goto err; 502 } 503 504 ltc_sig_len = mod_size; 505 506 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 507 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 508 ltc_hashindex, salt_len, <c_key); 509 510 *sig_len = ltc_sig_len; 511 512 if (ltc_res != CRYPT_OK) { 513 res = TEE_ERROR_BAD_PARAMETERS; 514 goto err; 515 } 516 res = TEE_SUCCESS; 517 518 err: 519 return res; 520 } 521 522 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 523 struct rsa_public_key *key, 524 int salt_len, const uint8_t *msg, 525 size_t msg_len, const uint8_t *sig, 526 size_t sig_len) 527 { 528 TEE_Result res; 529 uint32_t bigint_size; 530 size_t hash_size; 531 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 532 rsa_key ltc_key = { 533 .type = PK_PUBLIC, 534 .e = key->e, 535 .N = key->n 536 }; 537 538 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 539 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 540 &hash_size); 541 if (res != TEE_SUCCESS) 542 goto err; 543 544 if (msg_len != hash_size) { 545 res = TEE_ERROR_BAD_PARAMETERS; 546 goto err; 547 } 548 } 549 550 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 551 if (sig_len < bigint_size) { 552 res = TEE_ERROR_SIGNATURE_INVALID; 553 goto err; 554 } 555 556 /* Get the algorithm */ 557 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 558 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 559 if (res != TEE_SUCCESS) 560 goto err; 561 } 562 563 switch (algo) { 564 case TEE_ALG_RSASSA_PKCS1_V1_5: 565 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 566 break; 567 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 568 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 569 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 570 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 571 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 572 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 573 ltc_rsa_algo = LTC_PKCS_1_V1_5; 574 break; 575 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 576 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 577 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 578 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 579 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 580 ltc_rsa_algo = LTC_PKCS_1_PSS; 581 break; 582 default: 583 res = TEE_ERROR_BAD_PARAMETERS; 584 goto err; 585 } 586 587 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 588 ltc_hashindex, salt_len, &stat, <c_key); 589 res = convert_ltc_verify_status(ltc_res, stat); 590 err: 591 return res; 592 } 593