1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <stdlib.h> 8 #include <string.h> 9 #include <tee_api_types.h> 10 #include <tee_api_defines_extensions.h> 11 #include <tee/tee_cryp_utl.h> 12 #include <trace.h> 13 #include <utee_defines.h> 14 15 #include "acipher_helpers.h" 16 17 18 /* 19 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 20 * Return 21 * - TEE_SUCCESS in case of success, 22 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 23 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 24 * Return -1 in case of error 25 */ 26 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 27 { 28 switch (algo) { 29 #if defined(_CFG_CORE_LTC_SHA1) 30 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 31 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 32 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 33 *ltc_hashindex = find_hash("sha1"); 34 break; 35 #endif 36 #if defined(_CFG_CORE_LTC_MD5) 37 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 38 *ltc_hashindex = find_hash("md5"); 39 break; 40 #endif 41 #if defined(_CFG_CORE_LTC_SHA224) 42 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 45 *ltc_hashindex = find_hash("sha224"); 46 break; 47 #endif 48 #if defined(_CFG_CORE_LTC_SHA256) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 50 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 51 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 52 *ltc_hashindex = find_hash("sha256"); 53 break; 54 #endif 55 #if defined(_CFG_CORE_LTC_SHA384) 56 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 57 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 58 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 59 *ltc_hashindex = find_hash("sha384"); 60 break; 61 #endif 62 #if defined(_CFG_CORE_LTC_SHA512) 63 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 64 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 65 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 66 *ltc_hashindex = find_hash("sha512"); 67 break; 68 #endif 69 case TEE_ALG_RSASSA_PKCS1_V1_5: 70 case TEE_ALG_RSAES_PKCS1_V1_5: 71 /* invalid one. but it should not be used anyway */ 72 *ltc_hashindex = -1; 73 return TEE_SUCCESS; 74 75 default: 76 return TEE_ERROR_BAD_PARAMETERS; 77 } 78 79 if (*ltc_hashindex < 0) 80 return TEE_ERROR_NOT_SUPPORTED; 81 else 82 return TEE_SUCCESS; 83 } 84 85 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 86 size_t key_size_bits __unused) 87 { 88 memset(s, 0, sizeof(*s)); 89 if (!bn_alloc_max(&s->e)) 90 return TEE_ERROR_OUT_OF_MEMORY; 91 if (!bn_alloc_max(&s->d)) 92 goto err; 93 if (!bn_alloc_max(&s->n)) 94 goto err; 95 if (!bn_alloc_max(&s->p)) 96 goto err; 97 if (!bn_alloc_max(&s->q)) 98 goto err; 99 if (!bn_alloc_max(&s->qp)) 100 goto err; 101 if (!bn_alloc_max(&s->dp)) 102 goto err; 103 if (!bn_alloc_max(&s->dq)) 104 goto err; 105 106 return TEE_SUCCESS; 107 err: 108 crypto_acipher_free_rsa_keypair(s); 109 return TEE_ERROR_OUT_OF_MEMORY; 110 } 111 112 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 113 size_t key_size_bits __unused) 114 { 115 memset(s, 0, sizeof(*s)); 116 if (!bn_alloc_max(&s->e)) 117 return TEE_ERROR_OUT_OF_MEMORY; 118 if (!bn_alloc_max(&s->n)) 119 goto err; 120 return TEE_SUCCESS; 121 err: 122 crypto_bignum_free(s->e); 123 return TEE_ERROR_OUT_OF_MEMORY; 124 } 125 126 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 127 { 128 if (!s) 129 return; 130 crypto_bignum_free(s->n); 131 crypto_bignum_free(s->e); 132 } 133 134 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 135 { 136 if (!s) 137 return; 138 crypto_bignum_free(s->e); 139 crypto_bignum_free(s->d); 140 crypto_bignum_free(s->n); 141 crypto_bignum_free(s->p); 142 crypto_bignum_free(s->q); 143 crypto_bignum_free(s->qp); 144 crypto_bignum_free(s->dp); 145 crypto_bignum_free(s->dq); 146 } 147 148 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 149 { 150 TEE_Result res; 151 rsa_key ltc_tmp_key; 152 int ltc_res; 153 154 /* Generate a temporary RSA key */ 155 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"), 156 key_size / 8, key->e, <c_tmp_key); 157 if (ltc_res != CRYPT_OK) { 158 res = TEE_ERROR_BAD_PARAMETERS; 159 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 160 rsa_free(<c_tmp_key); 161 res = TEE_ERROR_BAD_PARAMETERS; 162 } else { 163 /* Copy the key */ 164 ltc_mp.copy(ltc_tmp_key.d, key->d); 165 ltc_mp.copy(ltc_tmp_key.N, key->n); 166 ltc_mp.copy(ltc_tmp_key.p, key->p); 167 ltc_mp.copy(ltc_tmp_key.q, key->q); 168 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 169 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 170 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 171 172 /* Free the temporary key */ 173 rsa_free(<c_tmp_key); 174 res = TEE_SUCCESS; 175 } 176 177 return res; 178 } 179 180 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 181 size_t src_len, uint8_t *dst, size_t *dst_len) 182 { 183 TEE_Result res = TEE_SUCCESS; 184 uint8_t *buf = NULL; 185 unsigned long blen, offset; 186 int ltc_res; 187 188 /* 189 * Use a temporary buffer since we don't know exactly how large the 190 * required size of the out buffer without doing a partial decrypt. 191 * We know the upper bound though. 192 */ 193 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 194 buf = malloc(blen); 195 if (!buf) { 196 res = TEE_ERROR_OUT_OF_MEMORY; 197 goto out; 198 } 199 200 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 201 ltc_key); 202 switch (ltc_res) { 203 case CRYPT_PK_NOT_PRIVATE: 204 case CRYPT_PK_INVALID_TYPE: 205 case CRYPT_PK_INVALID_SIZE: 206 case CRYPT_INVALID_PACKET: 207 EMSG("rsa_exptmod() returned %d", ltc_res); 208 res = TEE_ERROR_BAD_PARAMETERS; 209 goto out; 210 case CRYPT_OK: 211 break; 212 default: 213 /* This will result in a panic */ 214 EMSG("rsa_exptmod() returned %d", ltc_res); 215 res = TEE_ERROR_GENERIC; 216 goto out; 217 } 218 219 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 220 offset = 0; 221 while ((offset < blen - 1) && (buf[offset] == 0)) 222 offset++; 223 224 if (*dst_len < blen - offset) { 225 *dst_len = blen - offset; 226 res = TEE_ERROR_SHORT_BUFFER; 227 goto out; 228 } 229 230 res = TEE_SUCCESS; 231 *dst_len = blen - offset; 232 memcpy(dst, (char *)buf + offset, *dst_len); 233 234 out: 235 if (buf) 236 free(buf); 237 238 return res; 239 } 240 241 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 242 const uint8_t *src, size_t src_len, 243 uint8_t *dst, size_t *dst_len) 244 { 245 TEE_Result res; 246 rsa_key ltc_key = { 0, }; 247 248 ltc_key.type = PK_PUBLIC; 249 ltc_key.e = key->e; 250 ltc_key.N = key->n; 251 252 res = rsadorep(<c_key, src, src_len, dst, dst_len); 253 return res; 254 } 255 256 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 257 const uint8_t *src, size_t src_len, 258 uint8_t *dst, size_t *dst_len) 259 { 260 TEE_Result res; 261 rsa_key ltc_key = { 0, }; 262 263 ltc_key.type = PK_PRIVATE; 264 ltc_key.e = key->e; 265 ltc_key.N = key->n; 266 ltc_key.d = key->d; 267 if (key->p && crypto_bignum_num_bytes(key->p)) { 268 ltc_key.p = key->p; 269 ltc_key.q = key->q; 270 ltc_key.qP = key->qp; 271 ltc_key.dP = key->dp; 272 ltc_key.dQ = key->dq; 273 } 274 275 res = rsadorep(<c_key, src, src_len, dst, dst_len); 276 return res; 277 } 278 279 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 280 const uint8_t *label, size_t label_len, 281 const uint8_t *src, size_t src_len, 282 uint8_t *dst, size_t *dst_len) 283 { 284 TEE_Result res = TEE_SUCCESS; 285 void *buf = NULL; 286 unsigned long blen; 287 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 288 size_t mod_size; 289 rsa_key ltc_key = { 0, }; 290 291 ltc_key.type = PK_PRIVATE; 292 ltc_key.e = key->e; 293 ltc_key.d = key->d; 294 ltc_key.N = key->n; 295 if (key->p && crypto_bignum_num_bytes(key->p)) { 296 ltc_key.p = key->p; 297 ltc_key.q = key->q; 298 ltc_key.qP = key->qp; 299 ltc_key.dP = key->dp; 300 ltc_key.dQ = key->dq; 301 } 302 303 /* Get the algorithm */ 304 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 305 if (res != TEE_SUCCESS) { 306 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 307 goto out; 308 } 309 310 /* 311 * Use a temporary buffer since we don't know exactly how large 312 * the required size of the out buffer without doing a partial 313 * decrypt. We know the upper bound though. 314 */ 315 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 316 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 317 blen = mod_size - 11; 318 ltc_rsa_algo = LTC_PKCS_1_V1_5; 319 } else { 320 /* Decoded message is always shorter than encrypted message */ 321 blen = src_len; 322 ltc_rsa_algo = LTC_PKCS_1_OAEP; 323 } 324 325 buf = malloc(blen); 326 if (!buf) { 327 res = TEE_ERROR_OUT_OF_MEMORY; 328 goto out; 329 } 330 331 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 332 ((label_len == 0) ? 0 : label), label_len, 333 ltc_hashindex, ltc_rsa_algo, <c_stat, 334 <c_key); 335 switch (ltc_res) { 336 case CRYPT_PK_INVALID_PADDING: 337 case CRYPT_INVALID_PACKET: 338 case CRYPT_PK_INVALID_SIZE: 339 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 340 res = TEE_ERROR_BAD_PARAMETERS; 341 goto out; 342 case CRYPT_OK: 343 break; 344 default: 345 /* This will result in a panic */ 346 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 347 res = TEE_ERROR_GENERIC; 348 goto out; 349 } 350 if (ltc_stat != 1) { 351 /* This will result in a panic */ 352 EMSG("rsa_decrypt_key_ex() returned %d and %d", 353 ltc_res, ltc_stat); 354 res = TEE_ERROR_GENERIC; 355 goto out; 356 } 357 358 if (*dst_len < blen) { 359 *dst_len = blen; 360 res = TEE_ERROR_SHORT_BUFFER; 361 goto out; 362 } 363 364 res = TEE_SUCCESS; 365 *dst_len = blen; 366 memcpy(dst, buf, blen); 367 368 out: 369 if (buf) 370 free(buf); 371 372 return res; 373 } 374 375 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 376 struct rsa_public_key *key, 377 const uint8_t *label, size_t label_len, 378 const uint8_t *src, size_t src_len, 379 uint8_t *dst, size_t *dst_len) 380 { 381 TEE_Result res; 382 uint32_t mod_size; 383 int ltc_hashindex, ltc_res, ltc_rsa_algo; 384 rsa_key ltc_key = { 385 .type = PK_PUBLIC, 386 .e = key->e, 387 .N = key->n 388 }; 389 390 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 391 if (*dst_len < mod_size) { 392 *dst_len = mod_size; 393 res = TEE_ERROR_SHORT_BUFFER; 394 goto out; 395 } 396 *dst_len = mod_size; 397 398 /* Get the algorithm */ 399 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 400 if (res != TEE_SUCCESS) 401 goto out; 402 403 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 404 ltc_rsa_algo = LTC_PKCS_1_V1_5; 405 else 406 ltc_rsa_algo = LTC_PKCS_1_OAEP; 407 408 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 409 (unsigned long *)(dst_len), label, 410 label_len, NULL, find_prng("prng_crypto"), 411 ltc_hashindex, ltc_rsa_algo, <c_key); 412 switch (ltc_res) { 413 case CRYPT_PK_INVALID_PADDING: 414 case CRYPT_INVALID_PACKET: 415 case CRYPT_PK_INVALID_SIZE: 416 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 417 res = TEE_ERROR_BAD_PARAMETERS; 418 goto out; 419 case CRYPT_OK: 420 break; 421 default: 422 /* This will result in a panic */ 423 res = TEE_ERROR_GENERIC; 424 goto out; 425 } 426 res = TEE_SUCCESS; 427 428 out: 429 return res; 430 } 431 432 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 433 int salt_len, const uint8_t *msg, 434 size_t msg_len, uint8_t *sig, 435 size_t *sig_len) 436 { 437 TEE_Result res; 438 size_t hash_size, mod_size; 439 int ltc_res, ltc_rsa_algo, ltc_hashindex; 440 unsigned long ltc_sig_len; 441 rsa_key ltc_key = { 0, }; 442 443 ltc_key.type = PK_PRIVATE; 444 ltc_key.e = key->e; 445 ltc_key.N = key->n; 446 ltc_key.d = key->d; 447 if (key->p && crypto_bignum_num_bytes(key->p)) { 448 ltc_key.p = key->p; 449 ltc_key.q = key->q; 450 ltc_key.qP = key->qp; 451 ltc_key.dP = key->dp; 452 ltc_key.dQ = key->dq; 453 } 454 455 switch (algo) { 456 case TEE_ALG_RSASSA_PKCS1_V1_5: 457 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 458 break; 459 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 460 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 461 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 462 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 463 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 464 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 465 ltc_rsa_algo = LTC_PKCS_1_V1_5; 466 break; 467 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 468 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 469 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 470 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 471 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 472 ltc_rsa_algo = LTC_PKCS_1_PSS; 473 break; 474 default: 475 res = TEE_ERROR_BAD_PARAMETERS; 476 goto err; 477 } 478 479 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 480 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 481 if (ltc_res != CRYPT_OK) { 482 res = TEE_ERROR_BAD_PARAMETERS; 483 goto err; 484 } 485 486 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 487 &hash_size); 488 if (res != TEE_SUCCESS) 489 goto err; 490 491 if (msg_len != hash_size) { 492 res = TEE_ERROR_BAD_PARAMETERS; 493 goto err; 494 } 495 } 496 497 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 498 499 if (*sig_len < mod_size) { 500 *sig_len = mod_size; 501 res = TEE_ERROR_SHORT_BUFFER; 502 goto err; 503 } 504 505 ltc_sig_len = mod_size; 506 507 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 508 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 509 ltc_hashindex, salt_len, <c_key); 510 511 *sig_len = ltc_sig_len; 512 513 if (ltc_res != CRYPT_OK) { 514 res = TEE_ERROR_BAD_PARAMETERS; 515 goto err; 516 } 517 res = TEE_SUCCESS; 518 519 err: 520 return res; 521 } 522 523 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 524 struct rsa_public_key *key, 525 int salt_len, const uint8_t *msg, 526 size_t msg_len, const uint8_t *sig, 527 size_t sig_len) 528 { 529 TEE_Result res; 530 uint32_t bigint_size; 531 size_t hash_size; 532 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 533 rsa_key ltc_key = { 534 .type = PK_PUBLIC, 535 .e = key->e, 536 .N = key->n 537 }; 538 539 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 540 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 541 &hash_size); 542 if (res != TEE_SUCCESS) 543 goto err; 544 545 if (msg_len != hash_size) { 546 res = TEE_ERROR_BAD_PARAMETERS; 547 goto err; 548 } 549 } 550 551 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 552 if (sig_len < bigint_size) { 553 res = TEE_ERROR_SIGNATURE_INVALID; 554 goto err; 555 } 556 557 /* Get the algorithm */ 558 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 559 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 560 if (res != TEE_SUCCESS) 561 goto err; 562 } 563 564 switch (algo) { 565 case TEE_ALG_RSASSA_PKCS1_V1_5: 566 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 567 break; 568 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 569 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 570 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 571 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 572 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 573 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 574 ltc_rsa_algo = LTC_PKCS_1_V1_5; 575 break; 576 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 577 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 578 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 579 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 580 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 581 ltc_rsa_algo = LTC_PKCS_1_PSS; 582 break; 583 default: 584 res = TEE_ERROR_BAD_PARAMETERS; 585 goto err; 586 } 587 588 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 589 ltc_hashindex, salt_len, &stat, <c_key); 590 res = convert_ltc_verify_status(ltc_res, stat); 591 err: 592 return res; 593 } 594