1 /* 2 * Copyright (c) 2014, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <stdlib.h> 29 #include <string.h> 30 #include <string_ext.h> 31 #include <utee_defines.h> 32 #include <tee/tee_cryp_utl.h> 33 #include <tee/tee_cryp_provider.h> 34 #include <rng_support.h> 35 #include <initcall.h> 36 37 #if !defined(CFG_WITH_SOFTWARE_PRNG) 38 TEE_Result get_rng_array(void *buffer, int len) 39 { 40 char *buf_char = buffer; 41 int i; 42 43 44 if (buf_char == NULL) 45 return TEE_ERROR_BAD_PARAMETERS; 46 47 for (i = 0; i < len; i++) 48 buf_char[i] = hw_get_random_byte(); 49 50 return TEE_SUCCESS; 51 } 52 #endif 53 54 TEE_Result tee_hash_get_digest_size(uint32_t algo, size_t *size) 55 { 56 switch (algo) { 57 case TEE_ALG_MD5: 58 case TEE_ALG_HMAC_MD5: 59 *size = TEE_MD5_HASH_SIZE; 60 break; 61 case TEE_ALG_SHA1: 62 case TEE_ALG_HMAC_SHA1: 63 case TEE_ALG_DSA_SHA1: 64 *size = TEE_SHA1_HASH_SIZE; 65 break; 66 case TEE_ALG_SHA224: 67 case TEE_ALG_HMAC_SHA224: 68 case TEE_ALG_DSA_SHA224: 69 *size = TEE_SHA224_HASH_SIZE; 70 break; 71 case TEE_ALG_SHA256: 72 case TEE_ALG_HMAC_SHA256: 73 case TEE_ALG_DSA_SHA256: 74 *size = TEE_SHA256_HASH_SIZE; 75 break; 76 case TEE_ALG_SHA384: 77 case TEE_ALG_HMAC_SHA384: 78 *size = TEE_SHA384_HASH_SIZE; 79 break; 80 case TEE_ALG_SHA512: 81 case TEE_ALG_HMAC_SHA512: 82 *size = TEE_SHA512_HASH_SIZE; 83 break; 84 default: 85 return TEE_ERROR_NOT_SUPPORTED; 86 } 87 88 return TEE_SUCCESS; 89 } 90 91 TEE_Result tee_hash_createdigest(uint32_t algo, const uint8_t *data, 92 size_t datalen, uint8_t *digest, 93 size_t digestlen) 94 { 95 TEE_Result res = TEE_ERROR_BAD_STATE; 96 void *ctx = NULL; 97 size_t ctxsize; 98 99 if (crypto_ops.hash.get_ctx_size == NULL || 100 crypto_ops.hash.init == NULL || 101 crypto_ops.hash.update == NULL || 102 crypto_ops.hash.final == NULL) 103 return TEE_ERROR_NOT_IMPLEMENTED; 104 105 if (crypto_ops.hash.get_ctx_size(algo, &ctxsize) != TEE_SUCCESS) { 106 res = TEE_ERROR_NOT_SUPPORTED; 107 goto out; 108 } 109 110 ctx = malloc(ctxsize); 111 if (ctx == NULL) { 112 res = TEE_ERROR_OUT_OF_MEMORY; 113 goto out; 114 } 115 116 if (crypto_ops.hash.init(ctx, algo) != TEE_SUCCESS) 117 goto out; 118 119 if (datalen != 0) { 120 if (crypto_ops.hash.update(ctx, algo, data, datalen) 121 != TEE_SUCCESS) 122 goto out; 123 } 124 125 if (crypto_ops.hash.final(ctx, algo, digest, digestlen) != TEE_SUCCESS) 126 goto out; 127 128 res = TEE_SUCCESS; 129 130 out: 131 if (ctx) 132 free(ctx); 133 134 return res; 135 } 136 137 TEE_Result tee_hash_check(uint32_t algo, const uint8_t *hash, 138 size_t hash_size, const uint8_t *data, 139 size_t data_size) 140 { 141 TEE_Result res; 142 uint8_t digest[TEE_MAX_HASH_SIZE]; 143 size_t digestlen; 144 145 res = tee_hash_get_digest_size(algo, &digestlen); 146 if (res != TEE_SUCCESS) 147 return TEE_ERROR_BAD_PARAMETERS; 148 if ((hash_size == 0) || 149 (digestlen < hash_size) || 150 (digestlen > TEE_MAX_HASH_SIZE)) 151 return TEE_ERROR_BAD_PARAMETERS; 152 153 res = tee_hash_createdigest(algo, data, data_size, digest, 154 sizeof(digest)); 155 if (res != TEE_SUCCESS) 156 return res; 157 158 if (buf_compare_ct(digest, hash, hash_size) != 0) 159 return TEE_ERROR_SECURITY; 160 161 return TEE_SUCCESS; 162 } 163 164 TEE_Result tee_mac_get_digest_size(uint32_t algo, size_t *size) 165 { 166 switch (algo) { 167 case TEE_ALG_HMAC_MD5: 168 case TEE_ALG_HMAC_SHA224: 169 case TEE_ALG_HMAC_SHA1: 170 case TEE_ALG_HMAC_SHA256: 171 case TEE_ALG_HMAC_SHA384: 172 case TEE_ALG_HMAC_SHA512: 173 return tee_hash_get_digest_size(algo, size); 174 case TEE_ALG_AES_CBC_MAC_NOPAD: 175 case TEE_ALG_AES_CBC_MAC_PKCS5: 176 case TEE_ALG_AES_CMAC: 177 *size = TEE_AES_BLOCK_SIZE; 178 return TEE_SUCCESS; 179 case TEE_ALG_DES_CBC_MAC_NOPAD: 180 case TEE_ALG_DES_CBC_MAC_PKCS5: 181 case TEE_ALG_DES3_CBC_MAC_NOPAD: 182 case TEE_ALG_DES3_CBC_MAC_PKCS5: 183 *size = TEE_DES_BLOCK_SIZE; 184 return TEE_SUCCESS; 185 default: 186 return TEE_ERROR_NOT_SUPPORTED; 187 } 188 } 189 190 TEE_Result tee_cipher_get_block_size(uint32_t algo, size_t *size) 191 { 192 switch (algo) { 193 case TEE_ALG_AES_CBC_MAC_NOPAD: 194 case TEE_ALG_AES_CBC_MAC_PKCS5: 195 case TEE_ALG_AES_CMAC: 196 case TEE_ALG_AES_ECB_NOPAD: 197 case TEE_ALG_AES_CBC_NOPAD: 198 case TEE_ALG_AES_CTR: 199 case TEE_ALG_AES_CTS: 200 case TEE_ALG_AES_XTS: 201 case TEE_ALG_AES_CCM: 202 case TEE_ALG_AES_GCM: 203 *size = 16; 204 break; 205 206 case TEE_ALG_DES_CBC_MAC_NOPAD: 207 case TEE_ALG_DES_CBC_MAC_PKCS5: 208 case TEE_ALG_DES_ECB_NOPAD: 209 case TEE_ALG_DES_CBC_NOPAD: 210 case TEE_ALG_DES3_CBC_MAC_NOPAD: 211 case TEE_ALG_DES3_CBC_MAC_PKCS5: 212 case TEE_ALG_DES3_ECB_NOPAD: 213 case TEE_ALG_DES3_CBC_NOPAD: 214 *size = 8; 215 break; 216 217 default: 218 return TEE_ERROR_NOT_SUPPORTED; 219 } 220 221 return TEE_SUCCESS; 222 } 223 224 TEE_Result tee_do_cipher_update(void *ctx, uint32_t algo, 225 TEE_OperationMode mode, bool last_block, 226 const uint8_t *data, size_t len, uint8_t *dst) 227 { 228 TEE_Result res; 229 size_t block_size; 230 231 if (mode != TEE_MODE_ENCRYPT && mode != TEE_MODE_DECRYPT) 232 return TEE_ERROR_BAD_PARAMETERS; 233 234 if (crypto_ops.cipher.update == NULL) 235 return TEE_ERROR_NOT_IMPLEMENTED; 236 /* 237 * Check that the block contains the correct number of data, apart 238 * for the last block in some XTS / CTR / XTS mode 239 */ 240 res = tee_cipher_get_block_size(algo, &block_size); 241 if (res != TEE_SUCCESS) 242 return res; 243 if ((len % block_size) != 0) { 244 if (!last_block) 245 return TEE_ERROR_BAD_PARAMETERS; 246 247 switch (algo) { 248 case TEE_ALG_AES_ECB_NOPAD: 249 case TEE_ALG_DES_ECB_NOPAD: 250 case TEE_ALG_DES3_ECB_NOPAD: 251 case TEE_ALG_AES_CBC_NOPAD: 252 case TEE_ALG_DES_CBC_NOPAD: 253 case TEE_ALG_DES3_CBC_NOPAD: 254 return TEE_ERROR_BAD_PARAMETERS; 255 256 case TEE_ALG_AES_CTR: 257 case TEE_ALG_AES_XTS: 258 case TEE_ALG_AES_CTS: 259 /* 260 * These modes doesn't require padding for the last 261 * block. 262 * 263 * This isn't entirely true, both XTS and CTS can only 264 * encrypt minimum one block and also they need at least 265 * one complete block in the last update to finish the 266 * encryption. The algorithms are supposed to detect 267 * that, we're only making sure that all data fed up to 268 * that point consists of complete blocks. 269 */ 270 break; 271 272 default: 273 return TEE_ERROR_NOT_SUPPORTED; 274 } 275 } 276 277 return crypto_ops.cipher.update(ctx, algo, mode, last_block, data, len, 278 dst); 279 } 280 281 /* 282 * From http://en.wikipedia.org/wiki/Ciphertext_stealing 283 * CBC ciphertext stealing encryption using a standard 284 * CBC interface: 285 * 1. Pad the last partial plaintext block with 0. 286 * 2. Encrypt the whole padded plaintext using the 287 * standard CBC mode. 288 * 3. Swap the last two ciphertext blocks. 289 * 4. Truncate the ciphertext to the length of the 290 * original plaintext. 291 * 292 * CBC ciphertext stealing decryption using a standard 293 * CBC interface 294 * 1. Dn = Decrypt (K, Cn-1). Decrypt the second to last 295 * ciphertext block. 296 * 2. Cn = Cn || Tail (Dn, B-M). Pad the ciphertext to the 297 * nearest multiple of the block size using the last 298 * B-M bits of block cipher decryption of the 299 * second-to-last ciphertext block. 300 * 3. Swap the last two ciphertext blocks. 301 * 4. Decrypt the (modified) ciphertext using the standard 302 * CBC mode. 303 * 5. Truncate the plaintext to the length of the original 304 * ciphertext. 305 */ 306 TEE_Result tee_aes_cbc_cts_update(void *cbc_ctx, void *ecb_ctx, 307 TEE_OperationMode mode, bool last_block, 308 const uint8_t *data, size_t len, 309 uint8_t *dst) 310 { 311 TEE_Result res; 312 int nb_blocks, len_last_block, block_size = 16; 313 uint8_t tmp_block[64], tmp2_block[64]; 314 315 if (!last_block) 316 return tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 317 mode, last_block, data, len, dst); 318 319 /* Compute the last block length and check constraints */ 320 nb_blocks = ((len + block_size - 1) / block_size); 321 if (nb_blocks < 2) 322 return TEE_ERROR_BAD_STATE; 323 len_last_block = len % block_size; 324 if (len_last_block == 0) 325 len_last_block = block_size; 326 327 if (mode == TEE_MODE_ENCRYPT) { 328 memcpy(tmp_block, 329 data + ((nb_blocks - 1) * block_size), 330 len_last_block); 331 memset(tmp_block + len_last_block, 332 0, 333 block_size - len_last_block); 334 335 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 336 mode, 0, data, 337 (nb_blocks - 1) * block_size, dst); 338 if (res != TEE_SUCCESS) 339 return res; 340 341 memcpy(dst + (nb_blocks - 1) * block_size, 342 dst + (nb_blocks - 2) * block_size, 343 len_last_block); 344 345 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 346 mode, 0, tmp_block, block_size, 347 dst + (nb_blocks - 2) * block_size); 348 if (res != TEE_SUCCESS) 349 return res; 350 } else { 351 /* 1. Decrypt the second to last ciphertext block */ 352 res = tee_do_cipher_update(ecb_ctx, TEE_ALG_AES_ECB_NOPAD, 353 mode, 0, 354 data + (nb_blocks - 2) * block_size, 355 block_size, tmp2_block); 356 if (res != TEE_SUCCESS) 357 return res; 358 359 /* 2. Cn = Cn || Tail (Dn, B-M) */ 360 memcpy(tmp_block, data + ((nb_blocks - 1) * block_size), 361 len_last_block); 362 memcpy(tmp_block + len_last_block, tmp2_block + len_last_block, 363 block_size - len_last_block); 364 365 /* 3. Swap the last two ciphertext blocks */ 366 /* done by passing the correct buffers in step 4. */ 367 368 /* 4. Decrypt the (modified) ciphertext */ 369 if (nb_blocks > 2) { 370 res = tee_do_cipher_update(cbc_ctx, 371 TEE_ALG_AES_CBC_NOPAD, mode, 372 0, data, 373 (nb_blocks - 2) * 374 block_size, dst); 375 if (res != TEE_SUCCESS) 376 return res; 377 } 378 379 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 380 mode, 0, tmp_block, block_size, 381 dst + 382 ((nb_blocks - 2) * block_size)); 383 if (res != TEE_SUCCESS) 384 return res; 385 386 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 387 mode, 0, data + 388 ((nb_blocks - 2) * block_size), 389 block_size, tmp_block); 390 if (res != TEE_SUCCESS) 391 return res; 392 393 /* 5. Truncate the plaintext */ 394 memcpy(dst + (nb_blocks - 1) * block_size, tmp_block, 395 len_last_block); 396 } 397 return TEE_SUCCESS; 398 } 399 400 TEE_Result tee_prng_add_entropy(const uint8_t *in, size_t len) 401 { 402 if (crypto_ops.prng.add_entropy) 403 return crypto_ops.prng.add_entropy(in, len); 404 405 return TEE_SUCCESS; 406 } 407 408 static TEE_Result tee_cryp_init(void) 409 { 410 if (crypto_ops.init) 411 return crypto_ops.init(); 412 413 return TEE_SUCCESS; 414 } 415 416 service_init(tee_cryp_init); 417