1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <stdlib.h> 8 #include <string.h> 9 #include <tee_api_types.h> 10 #include <tee_api_defines_extensions.h> 11 #include <tee/tee_cryp_utl.h> 12 #include <trace.h> 13 #include <utee_defines.h> 14 15 #include "acipher_helpers.h" 16 17 18 /* 19 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 20 * Return 21 * - TEE_SUCCESS in case of success, 22 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 23 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 24 * Return -1 in case of error 25 */ 26 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 27 { 28 switch (algo) { 29 #if defined(_CFG_CORE_LTC_SHA1) 30 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 31 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 32 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 33 *ltc_hashindex = find_hash("sha1"); 34 break; 35 #endif 36 #if defined(_CFG_CORE_LTC_MD5) 37 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 38 *ltc_hashindex = find_hash("md5"); 39 break; 40 #endif 41 #if defined(_CFG_CORE_LTC_SHA224) 42 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 45 *ltc_hashindex = find_hash("sha224"); 46 break; 47 #endif 48 #if defined(_CFG_CORE_LTC_SHA256) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 50 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 51 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 52 *ltc_hashindex = find_hash("sha256"); 53 break; 54 #endif 55 #if defined(_CFG_CORE_LTC_SHA384) 56 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 57 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 58 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 59 *ltc_hashindex = find_hash("sha384"); 60 break; 61 #endif 62 #if defined(_CFG_CORE_LTC_SHA512) 63 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 64 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 65 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 66 *ltc_hashindex = find_hash("sha512"); 67 break; 68 #endif 69 case TEE_ALG_RSASSA_PKCS1_V1_5: 70 case TEE_ALG_RSAES_PKCS1_V1_5: 71 /* invalid one. but it should not be used anyway */ 72 *ltc_hashindex = -1; 73 return TEE_SUCCESS; 74 75 default: 76 return TEE_ERROR_BAD_PARAMETERS; 77 } 78 79 if (*ltc_hashindex < 0) 80 return TEE_ERROR_NOT_SUPPORTED; 81 else 82 return TEE_SUCCESS; 83 } 84 85 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 86 size_t key_size_bits __unused) 87 { 88 memset(s, 0, sizeof(*s)); 89 if (!bn_alloc_max(&s->e)) 90 return TEE_ERROR_OUT_OF_MEMORY; 91 if (!bn_alloc_max(&s->d)) 92 goto err; 93 if (!bn_alloc_max(&s->n)) 94 goto err; 95 if (!bn_alloc_max(&s->p)) 96 goto err; 97 if (!bn_alloc_max(&s->q)) 98 goto err; 99 if (!bn_alloc_max(&s->qp)) 100 goto err; 101 if (!bn_alloc_max(&s->dp)) 102 goto err; 103 if (!bn_alloc_max(&s->dq)) 104 goto err; 105 106 return TEE_SUCCESS; 107 err: 108 crypto_bignum_free(s->e); 109 crypto_bignum_free(s->d); 110 crypto_bignum_free(s->n); 111 crypto_bignum_free(s->p); 112 crypto_bignum_free(s->q); 113 crypto_bignum_free(s->qp); 114 crypto_bignum_free(s->dp); 115 116 return TEE_ERROR_OUT_OF_MEMORY; 117 } 118 119 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 120 size_t key_size_bits __unused) 121 { 122 memset(s, 0, sizeof(*s)); 123 if (!bn_alloc_max(&s->e)) 124 return TEE_ERROR_OUT_OF_MEMORY; 125 if (!bn_alloc_max(&s->n)) 126 goto err; 127 return TEE_SUCCESS; 128 err: 129 crypto_bignum_free(s->e); 130 return TEE_ERROR_OUT_OF_MEMORY; 131 } 132 133 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 134 { 135 if (!s) 136 return; 137 crypto_bignum_free(s->n); 138 crypto_bignum_free(s->e); 139 } 140 141 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 142 { 143 if (!s) 144 return; 145 crypto_bignum_free(s->e); 146 crypto_bignum_free(s->d); 147 crypto_bignum_free(s->n); 148 crypto_bignum_free(s->p); 149 crypto_bignum_free(s->q); 150 crypto_bignum_free(s->qp); 151 crypto_bignum_free(s->dp); 152 } 153 154 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 155 { 156 TEE_Result res; 157 rsa_key ltc_tmp_key; 158 int ltc_res; 159 long e; 160 161 /* get the public exponent */ 162 e = mp_get_int(key->e); 163 164 /* Generate a temporary RSA key */ 165 ltc_res = rsa_make_key(NULL, find_prng("prng_crypto"), key_size / 8, e, 166 <c_tmp_key); 167 if (ltc_res != CRYPT_OK) { 168 res = TEE_ERROR_BAD_PARAMETERS; 169 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 170 rsa_free(<c_tmp_key); 171 res = TEE_ERROR_BAD_PARAMETERS; 172 } else { 173 /* Copy the key */ 174 ltc_mp.copy(ltc_tmp_key.e, key->e); 175 ltc_mp.copy(ltc_tmp_key.d, key->d); 176 ltc_mp.copy(ltc_tmp_key.N, key->n); 177 ltc_mp.copy(ltc_tmp_key.p, key->p); 178 ltc_mp.copy(ltc_tmp_key.q, key->q); 179 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 180 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 181 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 182 183 /* Free the temporary key */ 184 rsa_free(<c_tmp_key); 185 res = TEE_SUCCESS; 186 } 187 188 return res; 189 } 190 191 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 192 size_t src_len, uint8_t *dst, size_t *dst_len) 193 { 194 TEE_Result res = TEE_SUCCESS; 195 uint8_t *buf = NULL; 196 unsigned long blen, offset; 197 int ltc_res; 198 199 /* 200 * Use a temporary buffer since we don't know exactly how large the 201 * required size of the out buffer without doing a partial decrypt. 202 * We know the upper bound though. 203 */ 204 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 205 buf = malloc(blen); 206 if (!buf) { 207 res = TEE_ERROR_OUT_OF_MEMORY; 208 goto out; 209 } 210 211 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 212 ltc_key); 213 switch (ltc_res) { 214 case CRYPT_PK_NOT_PRIVATE: 215 case CRYPT_PK_INVALID_TYPE: 216 case CRYPT_PK_INVALID_SIZE: 217 case CRYPT_INVALID_PACKET: 218 EMSG("rsa_exptmod() returned %d", ltc_res); 219 res = TEE_ERROR_BAD_PARAMETERS; 220 goto out; 221 case CRYPT_OK: 222 break; 223 default: 224 /* This will result in a panic */ 225 EMSG("rsa_exptmod() returned %d", ltc_res); 226 res = TEE_ERROR_GENERIC; 227 goto out; 228 } 229 230 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 231 offset = 0; 232 while ((offset < blen - 1) && (buf[offset] == 0)) 233 offset++; 234 235 if (*dst_len < blen - offset) { 236 *dst_len = blen - offset; 237 res = TEE_ERROR_SHORT_BUFFER; 238 goto out; 239 } 240 241 res = TEE_SUCCESS; 242 *dst_len = blen - offset; 243 memcpy(dst, (char *)buf + offset, *dst_len); 244 245 out: 246 if (buf) 247 free(buf); 248 249 return res; 250 } 251 252 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 253 const uint8_t *src, size_t src_len, 254 uint8_t *dst, size_t *dst_len) 255 { 256 TEE_Result res; 257 rsa_key ltc_key = { 0, }; 258 259 ltc_key.type = PK_PUBLIC; 260 ltc_key.e = key->e; 261 ltc_key.N = key->n; 262 263 res = rsadorep(<c_key, src, src_len, dst, dst_len); 264 return res; 265 } 266 267 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 268 const uint8_t *src, size_t src_len, 269 uint8_t *dst, size_t *dst_len) 270 { 271 TEE_Result res; 272 rsa_key ltc_key = { 0, }; 273 274 ltc_key.type = PK_PRIVATE; 275 ltc_key.e = key->e; 276 ltc_key.N = key->n; 277 ltc_key.d = key->d; 278 if (key->p && crypto_bignum_num_bytes(key->p)) { 279 ltc_key.p = key->p; 280 ltc_key.q = key->q; 281 ltc_key.qP = key->qp; 282 ltc_key.dP = key->dp; 283 ltc_key.dQ = key->dq; 284 } 285 286 res = rsadorep(<c_key, src, src_len, dst, dst_len); 287 return res; 288 } 289 290 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 291 const uint8_t *label, size_t label_len, 292 const uint8_t *src, size_t src_len, 293 uint8_t *dst, size_t *dst_len) 294 { 295 TEE_Result res = TEE_SUCCESS; 296 void *buf = NULL; 297 unsigned long blen; 298 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 299 size_t mod_size; 300 rsa_key ltc_key = { 0, }; 301 302 ltc_key.type = PK_PRIVATE; 303 ltc_key.e = key->e; 304 ltc_key.d = key->d; 305 ltc_key.N = key->n; 306 if (key->p && crypto_bignum_num_bytes(key->p)) { 307 ltc_key.p = key->p; 308 ltc_key.q = key->q; 309 ltc_key.qP = key->qp; 310 ltc_key.dP = key->dp; 311 ltc_key.dQ = key->dq; 312 } 313 314 /* Get the algorithm */ 315 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 316 if (res != TEE_SUCCESS) { 317 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 318 goto out; 319 } 320 321 /* 322 * Use a temporary buffer since we don't know exactly how large 323 * the required size of the out buffer without doing a partial 324 * decrypt. We know the upper bound though. 325 */ 326 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 327 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 328 blen = mod_size - 11; 329 ltc_rsa_algo = LTC_PKCS_1_V1_5; 330 } else { 331 /* Decoded message is always shorter than encrypted message */ 332 blen = src_len; 333 ltc_rsa_algo = LTC_PKCS_1_OAEP; 334 } 335 336 buf = malloc(blen); 337 if (!buf) { 338 res = TEE_ERROR_OUT_OF_MEMORY; 339 goto out; 340 } 341 342 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 343 ((label_len == 0) ? 0 : label), label_len, 344 ltc_hashindex, ltc_rsa_algo, <c_stat, 345 <c_key); 346 switch (ltc_res) { 347 case CRYPT_PK_INVALID_PADDING: 348 case CRYPT_INVALID_PACKET: 349 case CRYPT_PK_INVALID_SIZE: 350 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 351 res = TEE_ERROR_BAD_PARAMETERS; 352 goto out; 353 case CRYPT_OK: 354 break; 355 default: 356 /* This will result in a panic */ 357 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 358 res = TEE_ERROR_GENERIC; 359 goto out; 360 } 361 if (ltc_stat != 1) { 362 /* This will result in a panic */ 363 EMSG("rsa_decrypt_key_ex() returned %d and %d", 364 ltc_res, ltc_stat); 365 res = TEE_ERROR_GENERIC; 366 goto out; 367 } 368 369 if (*dst_len < blen) { 370 *dst_len = blen; 371 res = TEE_ERROR_SHORT_BUFFER; 372 goto out; 373 } 374 375 res = TEE_SUCCESS; 376 *dst_len = blen; 377 memcpy(dst, buf, blen); 378 379 out: 380 if (buf) 381 free(buf); 382 383 return res; 384 } 385 386 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 387 struct rsa_public_key *key, 388 const uint8_t *label, size_t label_len, 389 const uint8_t *src, size_t src_len, 390 uint8_t *dst, size_t *dst_len) 391 { 392 TEE_Result res; 393 uint32_t mod_size; 394 int ltc_hashindex, ltc_res, ltc_rsa_algo; 395 rsa_key ltc_key = { 396 .type = PK_PUBLIC, 397 .e = key->e, 398 .N = key->n 399 }; 400 401 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 402 if (*dst_len < mod_size) { 403 *dst_len = mod_size; 404 res = TEE_ERROR_SHORT_BUFFER; 405 goto out; 406 } 407 *dst_len = mod_size; 408 409 /* Get the algorithm */ 410 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 411 if (res != TEE_SUCCESS) 412 goto out; 413 414 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 415 ltc_rsa_algo = LTC_PKCS_1_V1_5; 416 else 417 ltc_rsa_algo = LTC_PKCS_1_OAEP; 418 419 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 420 (unsigned long *)(dst_len), label, 421 label_len, NULL, find_prng("prng_crypto"), 422 ltc_hashindex, ltc_rsa_algo, <c_key); 423 switch (ltc_res) { 424 case CRYPT_PK_INVALID_PADDING: 425 case CRYPT_INVALID_PACKET: 426 case CRYPT_PK_INVALID_SIZE: 427 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 428 res = TEE_ERROR_BAD_PARAMETERS; 429 goto out; 430 case CRYPT_OK: 431 break; 432 default: 433 /* This will result in a panic */ 434 res = TEE_ERROR_GENERIC; 435 goto out; 436 } 437 res = TEE_SUCCESS; 438 439 out: 440 return res; 441 } 442 443 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 444 int salt_len, const uint8_t *msg, 445 size_t msg_len, uint8_t *sig, 446 size_t *sig_len) 447 { 448 TEE_Result res; 449 size_t hash_size, mod_size; 450 int ltc_res, ltc_rsa_algo, ltc_hashindex; 451 unsigned long ltc_sig_len; 452 rsa_key ltc_key = { 0, }; 453 454 ltc_key.type = PK_PRIVATE; 455 ltc_key.e = key->e; 456 ltc_key.N = key->n; 457 ltc_key.d = key->d; 458 if (key->p && crypto_bignum_num_bytes(key->p)) { 459 ltc_key.p = key->p; 460 ltc_key.q = key->q; 461 ltc_key.qP = key->qp; 462 ltc_key.dP = key->dp; 463 ltc_key.dQ = key->dq; 464 } 465 466 switch (algo) { 467 case TEE_ALG_RSASSA_PKCS1_V1_5: 468 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 469 break; 470 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 471 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 472 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 473 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 474 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 475 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 476 ltc_rsa_algo = LTC_PKCS_1_V1_5; 477 break; 478 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 479 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 480 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 481 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 482 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 483 ltc_rsa_algo = LTC_PKCS_1_PSS; 484 break; 485 default: 486 res = TEE_ERROR_BAD_PARAMETERS; 487 goto err; 488 } 489 490 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 491 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 492 if (ltc_res != CRYPT_OK) { 493 res = TEE_ERROR_BAD_PARAMETERS; 494 goto err; 495 } 496 497 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 498 &hash_size); 499 if (res != TEE_SUCCESS) 500 goto err; 501 502 if (msg_len != hash_size) { 503 res = TEE_ERROR_BAD_PARAMETERS; 504 goto err; 505 } 506 } 507 508 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 509 510 if (*sig_len < mod_size) { 511 *sig_len = mod_size; 512 res = TEE_ERROR_SHORT_BUFFER; 513 goto err; 514 } 515 516 ltc_sig_len = mod_size; 517 518 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 519 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 520 ltc_hashindex, salt_len, <c_key); 521 522 *sig_len = ltc_sig_len; 523 524 if (ltc_res != CRYPT_OK) { 525 res = TEE_ERROR_BAD_PARAMETERS; 526 goto err; 527 } 528 res = TEE_SUCCESS; 529 530 err: 531 return res; 532 } 533 534 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 535 struct rsa_public_key *key, 536 int salt_len, const uint8_t *msg, 537 size_t msg_len, const uint8_t *sig, 538 size_t sig_len) 539 { 540 TEE_Result res; 541 uint32_t bigint_size; 542 size_t hash_size; 543 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 544 rsa_key ltc_key = { 545 .type = PK_PUBLIC, 546 .e = key->e, 547 .N = key->n 548 }; 549 550 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 551 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 552 &hash_size); 553 if (res != TEE_SUCCESS) 554 goto err; 555 556 if (msg_len != hash_size) { 557 res = TEE_ERROR_BAD_PARAMETERS; 558 goto err; 559 } 560 } 561 562 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 563 if (sig_len < bigint_size) { 564 res = TEE_ERROR_SIGNATURE_INVALID; 565 goto err; 566 } 567 568 /* Get the algorithm */ 569 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 570 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 571 if (res != TEE_SUCCESS) 572 goto err; 573 } 574 575 switch (algo) { 576 case TEE_ALG_RSASSA_PKCS1_V1_5: 577 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 578 break; 579 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 580 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 581 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 582 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 583 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 584 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 585 ltc_rsa_algo = LTC_PKCS_1_V1_5; 586 break; 587 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 588 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 589 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 590 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 591 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 592 ltc_rsa_algo = LTC_PKCS_1_PSS; 593 break; 594 default: 595 res = TEE_ERROR_BAD_PARAMETERS; 596 goto err; 597 } 598 599 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 600 ltc_hashindex, salt_len, &stat, <c_key); 601 res = convert_ltc_verify_status(ltc_res, stat); 602 err: 603 return res; 604 } 605