1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <stdlib.h> 8 #include <string.h> 9 #include <tee_api_types.h> 10 #include <tee_api_defines_extensions.h> 11 #include <tee/tee_cryp_utl.h> 12 #include <trace.h> 13 #include <utee_defines.h> 14 15 #include "acipher_helpers.h" 16 17 18 /* 19 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 20 * Return 21 * - TEE_SUCCESS in case of success, 22 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 23 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 24 * Return -1 in case of error 25 */ 26 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 27 { 28 switch (algo) { 29 #if defined(_CFG_CORE_LTC_SHA1) 30 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 31 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 32 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 33 *ltc_hashindex = find_hash("sha1"); 34 break; 35 #endif 36 #if defined(_CFG_CORE_LTC_MD5) 37 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 38 *ltc_hashindex = find_hash("md5"); 39 break; 40 #endif 41 #if defined(_CFG_CORE_LTC_SHA224) 42 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 45 *ltc_hashindex = find_hash("sha224"); 46 break; 47 #endif 48 #if defined(_CFG_CORE_LTC_SHA256) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 50 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 51 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 52 *ltc_hashindex = find_hash("sha256"); 53 break; 54 #endif 55 #if defined(_CFG_CORE_LTC_SHA384) 56 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 57 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 58 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 59 *ltc_hashindex = find_hash("sha384"); 60 break; 61 #endif 62 #if defined(_CFG_CORE_LTC_SHA512) 63 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 64 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 65 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 66 *ltc_hashindex = find_hash("sha512"); 67 break; 68 #endif 69 case TEE_ALG_RSASSA_PKCS1_V1_5: 70 case TEE_ALG_RSAES_PKCS1_V1_5: 71 /* invalid one. but it should not be used anyway */ 72 *ltc_hashindex = -1; 73 return TEE_SUCCESS; 74 75 default: 76 return TEE_ERROR_BAD_PARAMETERS; 77 } 78 79 if (*ltc_hashindex < 0) 80 return TEE_ERROR_NOT_SUPPORTED; 81 else 82 return TEE_SUCCESS; 83 } 84 85 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 86 size_t key_size_bits __unused) 87 { 88 memset(s, 0, sizeof(*s)); 89 if (!bn_alloc_max(&s->e)) 90 return TEE_ERROR_OUT_OF_MEMORY; 91 if (!bn_alloc_max(&s->d)) 92 goto err; 93 if (!bn_alloc_max(&s->n)) 94 goto err; 95 if (!bn_alloc_max(&s->p)) 96 goto err; 97 if (!bn_alloc_max(&s->q)) 98 goto err; 99 if (!bn_alloc_max(&s->qp)) 100 goto err; 101 if (!bn_alloc_max(&s->dp)) 102 goto err; 103 if (!bn_alloc_max(&s->dq)) 104 goto err; 105 106 return TEE_SUCCESS; 107 err: 108 crypto_bignum_free(s->e); 109 crypto_bignum_free(s->d); 110 crypto_bignum_free(s->n); 111 crypto_bignum_free(s->p); 112 crypto_bignum_free(s->q); 113 crypto_bignum_free(s->qp); 114 crypto_bignum_free(s->dp); 115 116 return TEE_ERROR_OUT_OF_MEMORY; 117 } 118 119 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 120 size_t key_size_bits __unused) 121 { 122 memset(s, 0, sizeof(*s)); 123 if (!bn_alloc_max(&s->e)) 124 return TEE_ERROR_OUT_OF_MEMORY; 125 if (!bn_alloc_max(&s->n)) 126 goto err; 127 return TEE_SUCCESS; 128 err: 129 crypto_bignum_free(s->e); 130 return TEE_ERROR_OUT_OF_MEMORY; 131 } 132 133 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 134 { 135 if (!s) 136 return; 137 crypto_bignum_free(s->n); 138 crypto_bignum_free(s->e); 139 } 140 141 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 142 { 143 if (!s) 144 return; 145 crypto_bignum_free(s->e); 146 crypto_bignum_free(s->d); 147 crypto_bignum_free(s->n); 148 crypto_bignum_free(s->p); 149 crypto_bignum_free(s->q); 150 crypto_bignum_free(s->qp); 151 crypto_bignum_free(s->dp); 152 crypto_bignum_free(s->dq); 153 } 154 155 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 156 { 157 TEE_Result res; 158 rsa_key ltc_tmp_key; 159 int ltc_res; 160 long e; 161 162 /* get the public exponent */ 163 e = mp_get_int(key->e); 164 165 /* Generate a temporary RSA key */ 166 ltc_res = rsa_make_key(NULL, find_prng("prng_crypto"), key_size / 8, e, 167 <c_tmp_key); 168 if (ltc_res != CRYPT_OK) { 169 res = TEE_ERROR_BAD_PARAMETERS; 170 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 171 rsa_free(<c_tmp_key); 172 res = TEE_ERROR_BAD_PARAMETERS; 173 } else { 174 /* Copy the key */ 175 ltc_mp.copy(ltc_tmp_key.e, key->e); 176 ltc_mp.copy(ltc_tmp_key.d, key->d); 177 ltc_mp.copy(ltc_tmp_key.N, key->n); 178 ltc_mp.copy(ltc_tmp_key.p, key->p); 179 ltc_mp.copy(ltc_tmp_key.q, key->q); 180 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 181 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 182 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 183 184 /* Free the temporary key */ 185 rsa_free(<c_tmp_key); 186 res = TEE_SUCCESS; 187 } 188 189 return res; 190 } 191 192 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 193 size_t src_len, uint8_t *dst, size_t *dst_len) 194 { 195 TEE_Result res = TEE_SUCCESS; 196 uint8_t *buf = NULL; 197 unsigned long blen, offset; 198 int ltc_res; 199 200 /* 201 * Use a temporary buffer since we don't know exactly how large the 202 * required size of the out buffer without doing a partial decrypt. 203 * We know the upper bound though. 204 */ 205 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 206 buf = malloc(blen); 207 if (!buf) { 208 res = TEE_ERROR_OUT_OF_MEMORY; 209 goto out; 210 } 211 212 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 213 ltc_key); 214 switch (ltc_res) { 215 case CRYPT_PK_NOT_PRIVATE: 216 case CRYPT_PK_INVALID_TYPE: 217 case CRYPT_PK_INVALID_SIZE: 218 case CRYPT_INVALID_PACKET: 219 EMSG("rsa_exptmod() returned %d", ltc_res); 220 res = TEE_ERROR_BAD_PARAMETERS; 221 goto out; 222 case CRYPT_OK: 223 break; 224 default: 225 /* This will result in a panic */ 226 EMSG("rsa_exptmod() returned %d", ltc_res); 227 res = TEE_ERROR_GENERIC; 228 goto out; 229 } 230 231 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 232 offset = 0; 233 while ((offset < blen - 1) && (buf[offset] == 0)) 234 offset++; 235 236 if (*dst_len < blen - offset) { 237 *dst_len = blen - offset; 238 res = TEE_ERROR_SHORT_BUFFER; 239 goto out; 240 } 241 242 res = TEE_SUCCESS; 243 *dst_len = blen - offset; 244 memcpy(dst, (char *)buf + offset, *dst_len); 245 246 out: 247 if (buf) 248 free(buf); 249 250 return res; 251 } 252 253 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 254 const uint8_t *src, size_t src_len, 255 uint8_t *dst, size_t *dst_len) 256 { 257 TEE_Result res; 258 rsa_key ltc_key = { 0, }; 259 260 ltc_key.type = PK_PUBLIC; 261 ltc_key.e = key->e; 262 ltc_key.N = key->n; 263 264 res = rsadorep(<c_key, src, src_len, dst, dst_len); 265 return res; 266 } 267 268 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 269 const uint8_t *src, size_t src_len, 270 uint8_t *dst, size_t *dst_len) 271 { 272 TEE_Result res; 273 rsa_key ltc_key = { 0, }; 274 275 ltc_key.type = PK_PRIVATE; 276 ltc_key.e = key->e; 277 ltc_key.N = key->n; 278 ltc_key.d = key->d; 279 if (key->p && crypto_bignum_num_bytes(key->p)) { 280 ltc_key.p = key->p; 281 ltc_key.q = key->q; 282 ltc_key.qP = key->qp; 283 ltc_key.dP = key->dp; 284 ltc_key.dQ = key->dq; 285 } 286 287 res = rsadorep(<c_key, src, src_len, dst, dst_len); 288 return res; 289 } 290 291 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 292 const uint8_t *label, size_t label_len, 293 const uint8_t *src, size_t src_len, 294 uint8_t *dst, size_t *dst_len) 295 { 296 TEE_Result res = TEE_SUCCESS; 297 void *buf = NULL; 298 unsigned long blen; 299 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 300 size_t mod_size; 301 rsa_key ltc_key = { 0, }; 302 303 ltc_key.type = PK_PRIVATE; 304 ltc_key.e = key->e; 305 ltc_key.d = key->d; 306 ltc_key.N = key->n; 307 if (key->p && crypto_bignum_num_bytes(key->p)) { 308 ltc_key.p = key->p; 309 ltc_key.q = key->q; 310 ltc_key.qP = key->qp; 311 ltc_key.dP = key->dp; 312 ltc_key.dQ = key->dq; 313 } 314 315 /* Get the algorithm */ 316 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 317 if (res != TEE_SUCCESS) { 318 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 319 goto out; 320 } 321 322 /* 323 * Use a temporary buffer since we don't know exactly how large 324 * the required size of the out buffer without doing a partial 325 * decrypt. We know the upper bound though. 326 */ 327 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 328 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 329 blen = mod_size - 11; 330 ltc_rsa_algo = LTC_PKCS_1_V1_5; 331 } else { 332 /* Decoded message is always shorter than encrypted message */ 333 blen = src_len; 334 ltc_rsa_algo = LTC_PKCS_1_OAEP; 335 } 336 337 buf = malloc(blen); 338 if (!buf) { 339 res = TEE_ERROR_OUT_OF_MEMORY; 340 goto out; 341 } 342 343 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 344 ((label_len == 0) ? 0 : label), label_len, 345 ltc_hashindex, ltc_rsa_algo, <c_stat, 346 <c_key); 347 switch (ltc_res) { 348 case CRYPT_PK_INVALID_PADDING: 349 case CRYPT_INVALID_PACKET: 350 case CRYPT_PK_INVALID_SIZE: 351 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 352 res = TEE_ERROR_BAD_PARAMETERS; 353 goto out; 354 case CRYPT_OK: 355 break; 356 default: 357 /* This will result in a panic */ 358 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 359 res = TEE_ERROR_GENERIC; 360 goto out; 361 } 362 if (ltc_stat != 1) { 363 /* This will result in a panic */ 364 EMSG("rsa_decrypt_key_ex() returned %d and %d", 365 ltc_res, ltc_stat); 366 res = TEE_ERROR_GENERIC; 367 goto out; 368 } 369 370 if (*dst_len < blen) { 371 *dst_len = blen; 372 res = TEE_ERROR_SHORT_BUFFER; 373 goto out; 374 } 375 376 res = TEE_SUCCESS; 377 *dst_len = blen; 378 memcpy(dst, buf, blen); 379 380 out: 381 if (buf) 382 free(buf); 383 384 return res; 385 } 386 387 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 388 struct rsa_public_key *key, 389 const uint8_t *label, size_t label_len, 390 const uint8_t *src, size_t src_len, 391 uint8_t *dst, size_t *dst_len) 392 { 393 TEE_Result res; 394 uint32_t mod_size; 395 int ltc_hashindex, ltc_res, ltc_rsa_algo; 396 rsa_key ltc_key = { 397 .type = PK_PUBLIC, 398 .e = key->e, 399 .N = key->n 400 }; 401 402 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 403 if (*dst_len < mod_size) { 404 *dst_len = mod_size; 405 res = TEE_ERROR_SHORT_BUFFER; 406 goto out; 407 } 408 *dst_len = mod_size; 409 410 /* Get the algorithm */ 411 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 412 if (res != TEE_SUCCESS) 413 goto out; 414 415 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 416 ltc_rsa_algo = LTC_PKCS_1_V1_5; 417 else 418 ltc_rsa_algo = LTC_PKCS_1_OAEP; 419 420 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 421 (unsigned long *)(dst_len), label, 422 label_len, NULL, find_prng("prng_crypto"), 423 ltc_hashindex, ltc_rsa_algo, <c_key); 424 switch (ltc_res) { 425 case CRYPT_PK_INVALID_PADDING: 426 case CRYPT_INVALID_PACKET: 427 case CRYPT_PK_INVALID_SIZE: 428 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 429 res = TEE_ERROR_BAD_PARAMETERS; 430 goto out; 431 case CRYPT_OK: 432 break; 433 default: 434 /* This will result in a panic */ 435 res = TEE_ERROR_GENERIC; 436 goto out; 437 } 438 res = TEE_SUCCESS; 439 440 out: 441 return res; 442 } 443 444 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 445 int salt_len, const uint8_t *msg, 446 size_t msg_len, uint8_t *sig, 447 size_t *sig_len) 448 { 449 TEE_Result res; 450 size_t hash_size, mod_size; 451 int ltc_res, ltc_rsa_algo, ltc_hashindex; 452 unsigned long ltc_sig_len; 453 rsa_key ltc_key = { 0, }; 454 455 ltc_key.type = PK_PRIVATE; 456 ltc_key.e = key->e; 457 ltc_key.N = key->n; 458 ltc_key.d = key->d; 459 if (key->p && crypto_bignum_num_bytes(key->p)) { 460 ltc_key.p = key->p; 461 ltc_key.q = key->q; 462 ltc_key.qP = key->qp; 463 ltc_key.dP = key->dp; 464 ltc_key.dQ = key->dq; 465 } 466 467 switch (algo) { 468 case TEE_ALG_RSASSA_PKCS1_V1_5: 469 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 470 break; 471 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 472 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 473 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 474 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 475 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 476 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 477 ltc_rsa_algo = LTC_PKCS_1_V1_5; 478 break; 479 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 480 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 481 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 482 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 483 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 484 ltc_rsa_algo = LTC_PKCS_1_PSS; 485 break; 486 default: 487 res = TEE_ERROR_BAD_PARAMETERS; 488 goto err; 489 } 490 491 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 492 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 493 if (ltc_res != CRYPT_OK) { 494 res = TEE_ERROR_BAD_PARAMETERS; 495 goto err; 496 } 497 498 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 499 &hash_size); 500 if (res != TEE_SUCCESS) 501 goto err; 502 503 if (msg_len != hash_size) { 504 res = TEE_ERROR_BAD_PARAMETERS; 505 goto err; 506 } 507 } 508 509 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 510 511 if (*sig_len < mod_size) { 512 *sig_len = mod_size; 513 res = TEE_ERROR_SHORT_BUFFER; 514 goto err; 515 } 516 517 ltc_sig_len = mod_size; 518 519 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 520 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 521 ltc_hashindex, salt_len, <c_key); 522 523 *sig_len = ltc_sig_len; 524 525 if (ltc_res != CRYPT_OK) { 526 res = TEE_ERROR_BAD_PARAMETERS; 527 goto err; 528 } 529 res = TEE_SUCCESS; 530 531 err: 532 return res; 533 } 534 535 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 536 struct rsa_public_key *key, 537 int salt_len, const uint8_t *msg, 538 size_t msg_len, const uint8_t *sig, 539 size_t sig_len) 540 { 541 TEE_Result res; 542 uint32_t bigint_size; 543 size_t hash_size; 544 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 545 rsa_key ltc_key = { 546 .type = PK_PUBLIC, 547 .e = key->e, 548 .N = key->n 549 }; 550 551 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 552 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 553 &hash_size); 554 if (res != TEE_SUCCESS) 555 goto err; 556 557 if (msg_len != hash_size) { 558 res = TEE_ERROR_BAD_PARAMETERS; 559 goto err; 560 } 561 } 562 563 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 564 if (sig_len < bigint_size) { 565 res = TEE_ERROR_SIGNATURE_INVALID; 566 goto err; 567 } 568 569 /* Get the algorithm */ 570 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 571 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 572 if (res != TEE_SUCCESS) 573 goto err; 574 } 575 576 switch (algo) { 577 case TEE_ALG_RSASSA_PKCS1_V1_5: 578 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 579 break; 580 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 581 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 582 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 583 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 584 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 585 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 586 ltc_rsa_algo = LTC_PKCS_1_V1_5; 587 break; 588 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 589 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 590 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 591 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 592 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 593 ltc_rsa_algo = LTC_PKCS_1_PSS; 594 break; 595 default: 596 res = TEE_ERROR_BAD_PARAMETERS; 597 goto err; 598 } 599 600 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 601 ltc_hashindex, salt_len, &stat, <c_key); 602 res = convert_ltc_verify_status(ltc_res, stat); 603 err: 604 return res; 605 } 606