xref: /optee_os/core/tee/tee_cryp_utl.c (revision 75200110483dcee11cdcf4cef3d0ac4d92f63c14) 
1 /*
2  * Copyright (c) 2014, Linaro Limited
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright notice,
9  * this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright notice,
12  * this list of conditions and the following disclaimer in the documentation
13  * and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
19  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25  * POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 #include <crypto/crypto.h>
29 #include <initcall.h>
30 #include <kernel/tee_time.h>
31 #include <rng_support.h>
32 #include <stdlib.h>
33 #include <string_ext.h>
34 #include <string.h>
35 #include <tee/tee_cryp_utl.h>
36 #include <utee_defines.h>
37 
38 #if !defined(CFG_WITH_SOFTWARE_PRNG)
39 TEE_Result get_rng_array(void *buffer, int len)
40 {
41 	char *buf_char = buffer;
42 	int i;
43 
44 
45 	if (buf_char == NULL)
46 		return TEE_ERROR_BAD_PARAMETERS;
47 
48 	for (i = 0; i < len; i++)
49 		buf_char[i] = hw_get_random_byte();
50 
51 	return TEE_SUCCESS;
52 }
53 #endif
54 
55 TEE_Result tee_hash_get_digest_size(uint32_t algo, size_t *size)
56 {
57 	switch (algo) {
58 	case TEE_ALG_MD5:
59 	case TEE_ALG_HMAC_MD5:
60 		*size = TEE_MD5_HASH_SIZE;
61 		break;
62 	case TEE_ALG_SHA1:
63 	case TEE_ALG_HMAC_SHA1:
64 	case TEE_ALG_DSA_SHA1:
65 		*size = TEE_SHA1_HASH_SIZE;
66 		break;
67 	case TEE_ALG_SHA224:
68 	case TEE_ALG_HMAC_SHA224:
69 	case TEE_ALG_DSA_SHA224:
70 		*size = TEE_SHA224_HASH_SIZE;
71 		break;
72 	case TEE_ALG_SHA256:
73 	case TEE_ALG_HMAC_SHA256:
74 	case TEE_ALG_DSA_SHA256:
75 		*size = TEE_SHA256_HASH_SIZE;
76 		break;
77 	case TEE_ALG_SHA384:
78 	case TEE_ALG_HMAC_SHA384:
79 		*size = TEE_SHA384_HASH_SIZE;
80 		break;
81 	case TEE_ALG_SHA512:
82 	case TEE_ALG_HMAC_SHA512:
83 		*size = TEE_SHA512_HASH_SIZE;
84 		break;
85 	default:
86 		return TEE_ERROR_NOT_SUPPORTED;
87 	}
88 
89 	return TEE_SUCCESS;
90 }
91 
92 TEE_Result tee_hash_createdigest(uint32_t algo, const uint8_t *data,
93 				 size_t datalen, uint8_t *digest,
94 				 size_t digestlen)
95 {
96 	TEE_Result res = TEE_ERROR_BAD_STATE;
97 	void *ctx = NULL;
98 	size_t ctxsize;
99 
100 	if (crypto_hash_get_ctx_size(algo, &ctxsize) != TEE_SUCCESS) {
101 		res = TEE_ERROR_NOT_SUPPORTED;
102 		goto out;
103 	}
104 
105 	ctx = malloc(ctxsize);
106 	if (ctx == NULL) {
107 		res = TEE_ERROR_OUT_OF_MEMORY;
108 		goto out;
109 	}
110 
111 	if (crypto_hash_init(ctx, algo) != TEE_SUCCESS)
112 		goto out;
113 
114 	if (datalen != 0) {
115 		if (crypto_hash_update(ctx, algo, data, datalen)
116 		    != TEE_SUCCESS)
117 			goto out;
118 	}
119 
120 	if (crypto_hash_final(ctx, algo, digest, digestlen) != TEE_SUCCESS)
121 		goto out;
122 
123 	res = TEE_SUCCESS;
124 
125 out:
126 	if (ctx)
127 		free(ctx);
128 
129 	return res;
130 }
131 
132 TEE_Result tee_mac_get_digest_size(uint32_t algo, size_t *size)
133 {
134 	switch (algo) {
135 	case TEE_ALG_HMAC_MD5:
136 	case TEE_ALG_HMAC_SHA224:
137 	case TEE_ALG_HMAC_SHA1:
138 	case TEE_ALG_HMAC_SHA256:
139 	case TEE_ALG_HMAC_SHA384:
140 	case TEE_ALG_HMAC_SHA512:
141 		return tee_hash_get_digest_size(algo, size);
142 	case TEE_ALG_AES_CBC_MAC_NOPAD:
143 	case TEE_ALG_AES_CBC_MAC_PKCS5:
144 	case TEE_ALG_AES_CMAC:
145 		*size = TEE_AES_BLOCK_SIZE;
146 		return TEE_SUCCESS;
147 	case TEE_ALG_DES_CBC_MAC_NOPAD:
148 	case TEE_ALG_DES_CBC_MAC_PKCS5:
149 	case TEE_ALG_DES3_CBC_MAC_NOPAD:
150 	case TEE_ALG_DES3_CBC_MAC_PKCS5:
151 		*size = TEE_DES_BLOCK_SIZE;
152 		return TEE_SUCCESS;
153 	default:
154 		return TEE_ERROR_NOT_SUPPORTED;
155 	}
156 }
157 
158 TEE_Result tee_cipher_get_block_size(uint32_t algo, size_t *size)
159 {
160 	switch (algo) {
161 	case TEE_ALG_AES_CBC_MAC_NOPAD:
162 	case TEE_ALG_AES_CBC_MAC_PKCS5:
163 	case TEE_ALG_AES_CMAC:
164 	case TEE_ALG_AES_ECB_NOPAD:
165 	case TEE_ALG_AES_CBC_NOPAD:
166 	case TEE_ALG_AES_CTR:
167 	case TEE_ALG_AES_CTS:
168 	case TEE_ALG_AES_XTS:
169 	case TEE_ALG_AES_CCM:
170 	case TEE_ALG_AES_GCM:
171 		*size = 16;
172 		break;
173 
174 	case TEE_ALG_DES_CBC_MAC_NOPAD:
175 	case TEE_ALG_DES_CBC_MAC_PKCS5:
176 	case TEE_ALG_DES_ECB_NOPAD:
177 	case TEE_ALG_DES_CBC_NOPAD:
178 	case TEE_ALG_DES3_CBC_MAC_NOPAD:
179 	case TEE_ALG_DES3_CBC_MAC_PKCS5:
180 	case TEE_ALG_DES3_ECB_NOPAD:
181 	case TEE_ALG_DES3_CBC_NOPAD:
182 		*size = 8;
183 		break;
184 
185 	default:
186 		return TEE_ERROR_NOT_SUPPORTED;
187 	}
188 
189 	return TEE_SUCCESS;
190 }
191 
192 TEE_Result tee_do_cipher_update(void *ctx, uint32_t algo,
193 				TEE_OperationMode mode, bool last_block,
194 				const uint8_t *data, size_t len, uint8_t *dst)
195 {
196 	TEE_Result res;
197 	size_t block_size;
198 
199 	if (mode != TEE_MODE_ENCRYPT && mode != TEE_MODE_DECRYPT)
200 		return TEE_ERROR_BAD_PARAMETERS;
201 
202 	/*
203 	 * Check that the block contains the correct number of data, apart
204 	 * for the last block in some XTS / CTR / XTS mode
205 	 */
206 	res = tee_cipher_get_block_size(algo, &block_size);
207 	if (res != TEE_SUCCESS)
208 		return res;
209 	if ((len % block_size) != 0) {
210 		if (!last_block && algo != TEE_ALG_AES_CTR)
211 			return TEE_ERROR_BAD_PARAMETERS;
212 
213 		switch (algo) {
214 		case TEE_ALG_AES_ECB_NOPAD:
215 		case TEE_ALG_DES_ECB_NOPAD:
216 		case TEE_ALG_DES3_ECB_NOPAD:
217 		case TEE_ALG_AES_CBC_NOPAD:
218 		case TEE_ALG_DES_CBC_NOPAD:
219 		case TEE_ALG_DES3_CBC_NOPAD:
220 			return TEE_ERROR_BAD_PARAMETERS;
221 
222 		case TEE_ALG_AES_CTR:
223 		case TEE_ALG_AES_XTS:
224 		case TEE_ALG_AES_CTS:
225 			/*
226 			 * These modes doesn't require padding for the last
227 			 * block.
228 			 *
229 			 * This isn't entirely true, both XTS and CTS can only
230 			 * encrypt minimum one block and also they need at least
231 			 * one complete block in the last update to finish the
232 			 * encryption. The algorithms are supposed to detect
233 			 * that, we're only making sure that all data fed up to
234 			 * that point consists of complete blocks.
235 			 */
236 			break;
237 
238 		default:
239 			return TEE_ERROR_NOT_SUPPORTED;
240 		}
241 	}
242 
243 	return crypto_cipher_update(ctx, algo, mode, last_block, data, len,
244 				    dst);
245 }
246 
247 /*
248  * From http://en.wikipedia.org/wiki/Ciphertext_stealing
249  * CBC ciphertext stealing encryption using a standard
250  * CBC interface:
251  *	1. Pad the last partial plaintext block with 0.
252  *	2. Encrypt the whole padded plaintext using the
253  *	   standard CBC mode.
254  *	3. Swap the last two ciphertext blocks.
255  *	4. Truncate the ciphertext to the length of the
256  *	   original plaintext.
257  *
258  * CBC ciphertext stealing decryption using a standard
259  * CBC interface
260  *	1. Dn = Decrypt (K, Cn-1). Decrypt the second to last
261  *	   ciphertext block.
262  *	2. Cn = Cn || Tail (Dn, B-M). Pad the ciphertext to the
263  *	   nearest multiple of the block size using the last
264  *	   B-M bits of block cipher decryption of the
265  *	   second-to-last ciphertext block.
266  *	3. Swap the last two ciphertext blocks.
267  *	4. Decrypt the (modified) ciphertext using the standard
268  *	   CBC mode.
269  *	5. Truncate the plaintext to the length of the original
270  *	   ciphertext.
271  */
272 TEE_Result tee_aes_cbc_cts_update(void *cbc_ctx, void *ecb_ctx,
273 				  TEE_OperationMode mode, bool last_block,
274 				  const uint8_t *data, size_t len,
275 				  uint8_t *dst)
276 {
277 	TEE_Result res;
278 	int nb_blocks, len_last_block, block_size = 16;
279 	uint8_t tmp_block[64], tmp2_block[64];
280 
281 	if (!last_block)
282 		return tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
283 					     mode, last_block, data, len, dst);
284 
285 	/* Compute the last block length and check constraints */
286 	nb_blocks = ((len + block_size - 1) / block_size);
287 	if (nb_blocks < 2)
288 		return TEE_ERROR_BAD_STATE;
289 	len_last_block = len % block_size;
290 	if (len_last_block == 0)
291 		len_last_block = block_size;
292 
293 	if (mode == TEE_MODE_ENCRYPT) {
294 		memcpy(tmp_block,
295 		       data + ((nb_blocks - 1) * block_size),
296 		       len_last_block);
297 		memset(tmp_block + len_last_block,
298 		       0,
299 		       block_size - len_last_block);
300 
301 		res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
302 					   mode, 0, data,
303 					   (nb_blocks - 1) * block_size, dst);
304 		if (res != TEE_SUCCESS)
305 			return res;
306 
307 		memcpy(dst + (nb_blocks - 1) * block_size,
308 		       dst + (nb_blocks - 2) * block_size,
309 		       len_last_block);
310 
311 		res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
312 					   mode, 0, tmp_block, block_size,
313 					   dst + (nb_blocks - 2) * block_size);
314 		if (res != TEE_SUCCESS)
315 			return res;
316 	} else {
317 		/* 1. Decrypt the second to last ciphertext block */
318 		res = tee_do_cipher_update(ecb_ctx, TEE_ALG_AES_ECB_NOPAD,
319 					   mode, 0,
320 					   data + (nb_blocks - 2) * block_size,
321 					   block_size, tmp2_block);
322 		if (res != TEE_SUCCESS)
323 			return res;
324 
325 		/* 2. Cn = Cn || Tail (Dn, B-M) */
326 		memcpy(tmp_block, data + ((nb_blocks - 1) * block_size),
327 		       len_last_block);
328 		memcpy(tmp_block + len_last_block, tmp2_block + len_last_block,
329 		       block_size - len_last_block);
330 
331 		/* 3. Swap the last two ciphertext blocks */
332 		/* done by passing the correct buffers in step 4. */
333 
334 		/* 4. Decrypt the (modified) ciphertext */
335 		if (nb_blocks > 2) {
336 			res = tee_do_cipher_update(cbc_ctx,
337 						   TEE_ALG_AES_CBC_NOPAD, mode,
338 						   0, data,
339 						   (nb_blocks - 2) *
340 						   block_size, dst);
341 			if (res != TEE_SUCCESS)
342 				return res;
343 		}
344 
345 		res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
346 					   mode, 0, tmp_block, block_size,
347 					   dst +
348 					   ((nb_blocks - 2) * block_size));
349 		if (res != TEE_SUCCESS)
350 			return res;
351 
352 		res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
353 					   mode, 0, data +
354 					   ((nb_blocks - 2) * block_size),
355 					   block_size, tmp_block);
356 		if (res != TEE_SUCCESS)
357 			return res;
358 
359 		/* 5. Truncate the plaintext */
360 		memcpy(dst + (nb_blocks - 1) * block_size, tmp_block,
361 		       len_last_block);
362 	}
363 	return TEE_SUCCESS;
364 }
365 
366 TEE_Result tee_prng_add_entropy(const uint8_t *in, size_t len)
367 {
368 	return crypto_rng_add_entropy(in, len);
369 }
370 
371 /*
372  * Override this in your platform code to feed the PRNG platform-specific
373  * jitter entropy. This implementation does not efficiently deliver entropy
374  * and is here for backwards-compatibility.
375  */
376 __weak void plat_prng_add_jitter_entropy(void)
377 {
378 	TEE_Time current;
379 
380 	if (tee_time_get_sys_time(&current) == TEE_SUCCESS)
381 		tee_prng_add_entropy((uint8_t *)&current, sizeof(current));
382 }
383 
384 __weak void plat_prng_add_jitter_entropy_norpc(void)
385 {
386 #ifndef CFG_SECURE_TIME_SOURCE_REE
387 	plat_prng_add_jitter_entropy();
388 #endif
389 }
390 
391 static TEE_Result tee_cryp_init(void)
392 {
393 	return crypto_init();
394 }
395 
396 service_init(tee_cryp_init);
397