1 /* 2 * Copyright (c) 2014, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <stdlib.h> 29 #include <string.h> 30 #include <string_ext.h> 31 #include <utee_defines.h> 32 #include <tee/tee_cryp_utl.h> 33 #include <tee/tee_cryp_provider.h> 34 #include <kernel/tee_time.h> 35 #include <rng_support.h> 36 #include <initcall.h> 37 38 #if !defined(CFG_WITH_SOFTWARE_PRNG) 39 TEE_Result get_rng_array(void *buffer, int len) 40 { 41 char *buf_char = buffer; 42 int i; 43 44 45 if (buf_char == NULL) 46 return TEE_ERROR_BAD_PARAMETERS; 47 48 for (i = 0; i < len; i++) 49 buf_char[i] = hw_get_random_byte(); 50 51 return TEE_SUCCESS; 52 } 53 #endif 54 55 TEE_Result tee_hash_get_digest_size(uint32_t algo, size_t *size) 56 { 57 switch (algo) { 58 case TEE_ALG_MD5: 59 case TEE_ALG_HMAC_MD5: 60 *size = TEE_MD5_HASH_SIZE; 61 break; 62 case TEE_ALG_SHA1: 63 case TEE_ALG_HMAC_SHA1: 64 case TEE_ALG_DSA_SHA1: 65 *size = TEE_SHA1_HASH_SIZE; 66 break; 67 case TEE_ALG_SHA224: 68 case TEE_ALG_HMAC_SHA224: 69 case TEE_ALG_DSA_SHA224: 70 *size = TEE_SHA224_HASH_SIZE; 71 break; 72 case TEE_ALG_SHA256: 73 case TEE_ALG_HMAC_SHA256: 74 case TEE_ALG_DSA_SHA256: 75 *size = TEE_SHA256_HASH_SIZE; 76 break; 77 case TEE_ALG_SHA384: 78 case TEE_ALG_HMAC_SHA384: 79 *size = TEE_SHA384_HASH_SIZE; 80 break; 81 case TEE_ALG_SHA512: 82 case TEE_ALG_HMAC_SHA512: 83 *size = TEE_SHA512_HASH_SIZE; 84 break; 85 default: 86 return TEE_ERROR_NOT_SUPPORTED; 87 } 88 89 return TEE_SUCCESS; 90 } 91 92 TEE_Result tee_hash_createdigest(uint32_t algo, const uint8_t *data, 93 size_t datalen, uint8_t *digest, 94 size_t digestlen) 95 { 96 TEE_Result res = TEE_ERROR_BAD_STATE; 97 void *ctx = NULL; 98 size_t ctxsize; 99 100 if (crypto_hash_get_ctx_size(algo, &ctxsize) != TEE_SUCCESS) { 101 res = TEE_ERROR_NOT_SUPPORTED; 102 goto out; 103 } 104 105 ctx = malloc(ctxsize); 106 if (ctx == NULL) { 107 res = TEE_ERROR_OUT_OF_MEMORY; 108 goto out; 109 } 110 111 if (crypto_hash_init(ctx, algo) != TEE_SUCCESS) 112 goto out; 113 114 if (datalen != 0) { 115 if (crypto_hash_update(ctx, algo, data, datalen) 116 != TEE_SUCCESS) 117 goto out; 118 } 119 120 if (crypto_hash_final(ctx, algo, digest, digestlen) != TEE_SUCCESS) 121 goto out; 122 123 res = TEE_SUCCESS; 124 125 out: 126 if (ctx) 127 free(ctx); 128 129 return res; 130 } 131 132 TEE_Result tee_mac_get_digest_size(uint32_t algo, size_t *size) 133 { 134 switch (algo) { 135 case TEE_ALG_HMAC_MD5: 136 case TEE_ALG_HMAC_SHA224: 137 case TEE_ALG_HMAC_SHA1: 138 case TEE_ALG_HMAC_SHA256: 139 case TEE_ALG_HMAC_SHA384: 140 case TEE_ALG_HMAC_SHA512: 141 return tee_hash_get_digest_size(algo, size); 142 case TEE_ALG_AES_CBC_MAC_NOPAD: 143 case TEE_ALG_AES_CBC_MAC_PKCS5: 144 case TEE_ALG_AES_CMAC: 145 *size = TEE_AES_BLOCK_SIZE; 146 return TEE_SUCCESS; 147 case TEE_ALG_DES_CBC_MAC_NOPAD: 148 case TEE_ALG_DES_CBC_MAC_PKCS5: 149 case TEE_ALG_DES3_CBC_MAC_NOPAD: 150 case TEE_ALG_DES3_CBC_MAC_PKCS5: 151 *size = TEE_DES_BLOCK_SIZE; 152 return TEE_SUCCESS; 153 default: 154 return TEE_ERROR_NOT_SUPPORTED; 155 } 156 } 157 158 TEE_Result tee_cipher_get_block_size(uint32_t algo, size_t *size) 159 { 160 switch (algo) { 161 case TEE_ALG_AES_CBC_MAC_NOPAD: 162 case TEE_ALG_AES_CBC_MAC_PKCS5: 163 case TEE_ALG_AES_CMAC: 164 case TEE_ALG_AES_ECB_NOPAD: 165 case TEE_ALG_AES_CBC_NOPAD: 166 case TEE_ALG_AES_CTR: 167 case TEE_ALG_AES_CTS: 168 case TEE_ALG_AES_XTS: 169 case TEE_ALG_AES_CCM: 170 case TEE_ALG_AES_GCM: 171 *size = 16; 172 break; 173 174 case TEE_ALG_DES_CBC_MAC_NOPAD: 175 case TEE_ALG_DES_CBC_MAC_PKCS5: 176 case TEE_ALG_DES_ECB_NOPAD: 177 case TEE_ALG_DES_CBC_NOPAD: 178 case TEE_ALG_DES3_CBC_MAC_NOPAD: 179 case TEE_ALG_DES3_CBC_MAC_PKCS5: 180 case TEE_ALG_DES3_ECB_NOPAD: 181 case TEE_ALG_DES3_CBC_NOPAD: 182 *size = 8; 183 break; 184 185 default: 186 return TEE_ERROR_NOT_SUPPORTED; 187 } 188 189 return TEE_SUCCESS; 190 } 191 192 TEE_Result tee_do_cipher_update(void *ctx, uint32_t algo, 193 TEE_OperationMode mode, bool last_block, 194 const uint8_t *data, size_t len, uint8_t *dst) 195 { 196 TEE_Result res; 197 size_t block_size; 198 199 if (mode != TEE_MODE_ENCRYPT && mode != TEE_MODE_DECRYPT) 200 return TEE_ERROR_BAD_PARAMETERS; 201 202 if (crypto_ops.cipher.update == NULL) 203 return TEE_ERROR_NOT_IMPLEMENTED; 204 /* 205 * Check that the block contains the correct number of data, apart 206 * for the last block in some XTS / CTR / XTS mode 207 */ 208 res = tee_cipher_get_block_size(algo, &block_size); 209 if (res != TEE_SUCCESS) 210 return res; 211 if ((len % block_size) != 0) { 212 if (!last_block && algo != TEE_ALG_AES_CTR) 213 return TEE_ERROR_BAD_PARAMETERS; 214 215 switch (algo) { 216 case TEE_ALG_AES_ECB_NOPAD: 217 case TEE_ALG_DES_ECB_NOPAD: 218 case TEE_ALG_DES3_ECB_NOPAD: 219 case TEE_ALG_AES_CBC_NOPAD: 220 case TEE_ALG_DES_CBC_NOPAD: 221 case TEE_ALG_DES3_CBC_NOPAD: 222 return TEE_ERROR_BAD_PARAMETERS; 223 224 case TEE_ALG_AES_CTR: 225 case TEE_ALG_AES_XTS: 226 case TEE_ALG_AES_CTS: 227 /* 228 * These modes doesn't require padding for the last 229 * block. 230 * 231 * This isn't entirely true, both XTS and CTS can only 232 * encrypt minimum one block and also they need at least 233 * one complete block in the last update to finish the 234 * encryption. The algorithms are supposed to detect 235 * that, we're only making sure that all data fed up to 236 * that point consists of complete blocks. 237 */ 238 break; 239 240 default: 241 return TEE_ERROR_NOT_SUPPORTED; 242 } 243 } 244 245 return crypto_ops.cipher.update(ctx, algo, mode, last_block, data, len, 246 dst); 247 } 248 249 /* 250 * From http://en.wikipedia.org/wiki/Ciphertext_stealing 251 * CBC ciphertext stealing encryption using a standard 252 * CBC interface: 253 * 1. Pad the last partial plaintext block with 0. 254 * 2. Encrypt the whole padded plaintext using the 255 * standard CBC mode. 256 * 3. Swap the last two ciphertext blocks. 257 * 4. Truncate the ciphertext to the length of the 258 * original plaintext. 259 * 260 * CBC ciphertext stealing decryption using a standard 261 * CBC interface 262 * 1. Dn = Decrypt (K, Cn-1). Decrypt the second to last 263 * ciphertext block. 264 * 2. Cn = Cn || Tail (Dn, B-M). Pad the ciphertext to the 265 * nearest multiple of the block size using the last 266 * B-M bits of block cipher decryption of the 267 * second-to-last ciphertext block. 268 * 3. Swap the last two ciphertext blocks. 269 * 4. Decrypt the (modified) ciphertext using the standard 270 * CBC mode. 271 * 5. Truncate the plaintext to the length of the original 272 * ciphertext. 273 */ 274 TEE_Result tee_aes_cbc_cts_update(void *cbc_ctx, void *ecb_ctx, 275 TEE_OperationMode mode, bool last_block, 276 const uint8_t *data, size_t len, 277 uint8_t *dst) 278 { 279 TEE_Result res; 280 int nb_blocks, len_last_block, block_size = 16; 281 uint8_t tmp_block[64], tmp2_block[64]; 282 283 if (!last_block) 284 return tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 285 mode, last_block, data, len, dst); 286 287 /* Compute the last block length and check constraints */ 288 nb_blocks = ((len + block_size - 1) / block_size); 289 if (nb_blocks < 2) 290 return TEE_ERROR_BAD_STATE; 291 len_last_block = len % block_size; 292 if (len_last_block == 0) 293 len_last_block = block_size; 294 295 if (mode == TEE_MODE_ENCRYPT) { 296 memcpy(tmp_block, 297 data + ((nb_blocks - 1) * block_size), 298 len_last_block); 299 memset(tmp_block + len_last_block, 300 0, 301 block_size - len_last_block); 302 303 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 304 mode, 0, data, 305 (nb_blocks - 1) * block_size, dst); 306 if (res != TEE_SUCCESS) 307 return res; 308 309 memcpy(dst + (nb_blocks - 1) * block_size, 310 dst + (nb_blocks - 2) * block_size, 311 len_last_block); 312 313 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 314 mode, 0, tmp_block, block_size, 315 dst + (nb_blocks - 2) * block_size); 316 if (res != TEE_SUCCESS) 317 return res; 318 } else { 319 /* 1. Decrypt the second to last ciphertext block */ 320 res = tee_do_cipher_update(ecb_ctx, TEE_ALG_AES_ECB_NOPAD, 321 mode, 0, 322 data + (nb_blocks - 2) * block_size, 323 block_size, tmp2_block); 324 if (res != TEE_SUCCESS) 325 return res; 326 327 /* 2. Cn = Cn || Tail (Dn, B-M) */ 328 memcpy(tmp_block, data + ((nb_blocks - 1) * block_size), 329 len_last_block); 330 memcpy(tmp_block + len_last_block, tmp2_block + len_last_block, 331 block_size - len_last_block); 332 333 /* 3. Swap the last two ciphertext blocks */ 334 /* done by passing the correct buffers in step 4. */ 335 336 /* 4. Decrypt the (modified) ciphertext */ 337 if (nb_blocks > 2) { 338 res = tee_do_cipher_update(cbc_ctx, 339 TEE_ALG_AES_CBC_NOPAD, mode, 340 0, data, 341 (nb_blocks - 2) * 342 block_size, dst); 343 if (res != TEE_SUCCESS) 344 return res; 345 } 346 347 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 348 mode, 0, tmp_block, block_size, 349 dst + 350 ((nb_blocks - 2) * block_size)); 351 if (res != TEE_SUCCESS) 352 return res; 353 354 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD, 355 mode, 0, data + 356 ((nb_blocks - 2) * block_size), 357 block_size, tmp_block); 358 if (res != TEE_SUCCESS) 359 return res; 360 361 /* 5. Truncate the plaintext */ 362 memcpy(dst + (nb_blocks - 1) * block_size, tmp_block, 363 len_last_block); 364 } 365 return TEE_SUCCESS; 366 } 367 368 TEE_Result tee_prng_add_entropy(const uint8_t *in, size_t len) 369 { 370 return crypto_rng_add_entropy(in, len); 371 } 372 373 /* 374 * Override this in your platform code to feed the PRNG platform-specific 375 * jitter entropy. This implementation does not efficiently deliver entropy 376 * and is here for backwards-compatibility. 377 */ 378 __weak void plat_prng_add_jitter_entropy(void) 379 { 380 TEE_Time current; 381 382 if (tee_time_get_sys_time(¤t) == TEE_SUCCESS) 383 tee_prng_add_entropy((uint8_t *)¤t, sizeof(current)); 384 } 385 386 __weak void plat_prng_add_jitter_entropy_norpc(void) 387 { 388 #ifndef CFG_SECURE_TIME_SOURCE_REE 389 plat_prng_add_jitter_entropy(); 390 #endif 391 } 392 393 static TEE_Result tee_cryp_init(void) 394 { 395 if (crypto_ops.init) 396 return crypto_ops.init(); 397 398 return TEE_SUCCESS; 399 } 400 401 service_init(tee_cryp_init); 402