1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <config.h> 9 #include <crypto/crypto_impl.h> 10 #include <mbedtls/ctr_drbg.h> 11 #include <mbedtls/ecdh.h> 12 #include <mbedtls/ecdsa.h> 13 #include <mbedtls/ecp.h> 14 #include <mbedtls/entropy.h> 15 #include <mbedtls/pk.h> 16 #include <stdlib.h> 17 #include <string.h> 18 19 #include "mbed_helpers.h" 20 #include "sm2-dsa.h" 21 #include "sm2-pke.h" 22 23 /* Translate mbedtls result to TEE result */ 24 static TEE_Result get_tee_result(int lmd_res) 25 { 26 switch (lmd_res) { 27 case 0: 28 return TEE_SUCCESS; 29 case MBEDTLS_ERR_ECP_VERIFY_FAILED: 30 return TEE_ERROR_SIGNATURE_INVALID; 31 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: 32 return TEE_ERROR_SHORT_BUFFER; 33 default: 34 return TEE_ERROR_BAD_STATE; 35 } 36 } 37 38 static void ecc_free_public_key(struct ecc_public_key *s) 39 { 40 if (!s) 41 return; 42 43 crypto_bignum_free(s->x); 44 crypto_bignum_free(s->y); 45 } 46 47 static TEE_Result ecc_get_keysize(uint32_t curve, uint32_t algo, 48 size_t *key_size_bytes, size_t *key_size_bits) 49 { 50 switch (curve) { 51 case TEE_ECC_CURVE_NIST_P192: 52 *key_size_bits = 192; 53 *key_size_bytes = 24; 54 break; 55 case TEE_ECC_CURVE_NIST_P224: 56 *key_size_bits = 224; 57 *key_size_bytes = 28; 58 break; 59 case TEE_ECC_CURVE_NIST_P256: 60 *key_size_bits = 256; 61 *key_size_bytes = 32; 62 break; 63 case TEE_ECC_CURVE_NIST_P384: 64 *key_size_bits = 384; 65 *key_size_bytes = 48; 66 break; 67 case TEE_ECC_CURVE_NIST_P521: 68 *key_size_bits = 521; 69 *key_size_bytes = 66; 70 break; 71 case TEE_ECC_CURVE_SM2: 72 *key_size_bits = 256; 73 *key_size_bytes = 32; 74 if (algo != 0 && algo != TEE_ALG_SM2_DSA_SM3 && 75 algo != TEE_ALG_SM2_KEP && algo != TEE_ALG_SM2_PKE) 76 return TEE_ERROR_BAD_PARAMETERS; 77 break; 78 default: 79 *key_size_bits = 0; 80 *key_size_bytes = 0; 81 return TEE_ERROR_NOT_SUPPORTED; 82 } 83 84 return TEE_SUCCESS; 85 } 86 87 /* 88 * Clear some memory that was used to prepare the context 89 */ 90 static void ecc_clear_precomputed(mbedtls_ecp_group *grp) 91 { 92 size_t i = 0; 93 94 if (grp->T) { 95 for (i = 0; i < grp->T_size; i++) 96 mbedtls_ecp_point_free(&grp->T[i]); 97 free(grp->T); 98 } 99 grp->T = NULL; 100 grp->T_size = 0; 101 } 102 103 static mbedtls_ecp_group_id curve_to_group_id(uint32_t curve) 104 { 105 switch (curve) { 106 case TEE_ECC_CURVE_NIST_P192: 107 return MBEDTLS_ECP_DP_SECP192R1; 108 case TEE_ECC_CURVE_NIST_P224: 109 return MBEDTLS_ECP_DP_SECP224R1; 110 case TEE_ECC_CURVE_NIST_P256: 111 return MBEDTLS_ECP_DP_SECP256R1; 112 case TEE_ECC_CURVE_NIST_P384: 113 return MBEDTLS_ECP_DP_SECP384R1; 114 case TEE_ECC_CURVE_NIST_P521: 115 return MBEDTLS_ECP_DP_SECP521R1; 116 case TEE_ECC_CURVE_SM2: 117 return MBEDTLS_ECP_DP_SM2; 118 default: 119 return MBEDTLS_ECP_DP_NONE; 120 } 121 } 122 123 static TEE_Result ecc_generate_keypair(struct ecc_keypair *key, size_t key_size) 124 { 125 TEE_Result res = TEE_SUCCESS; 126 int lmd_res = 0; 127 mbedtls_ecdsa_context ecdsa; 128 mbedtls_ecp_group_id gid; 129 size_t key_size_bytes = 0; 130 size_t key_size_bits = 0; 131 132 memset(&ecdsa, 0, sizeof(ecdsa)); 133 memset(&gid, 0, sizeof(gid)); 134 135 res = ecc_get_keysize(key->curve, 0, &key_size_bytes, &key_size_bits); 136 if (res != TEE_SUCCESS) 137 return res; 138 139 if (key_size != key_size_bits) 140 return TEE_ERROR_BAD_PARAMETERS; 141 142 mbedtls_ecdsa_init(&ecdsa); 143 144 /* Generate the ECC key */ 145 gid = curve_to_group_id(key->curve); 146 lmd_res = mbedtls_ecdsa_genkey(&ecdsa, gid, mbd_rand, NULL); 147 if (lmd_res != 0) { 148 res = TEE_ERROR_BAD_PARAMETERS; 149 FMSG("mbedtls_ecdsa_genkey failed."); 150 goto exit; 151 } 152 ecc_clear_precomputed(&ecdsa.grp); 153 154 /* check the size of the keys */ 155 if ((mbedtls_mpi_bitlen(&ecdsa.Q.X) > key_size_bits) || 156 (mbedtls_mpi_bitlen(&ecdsa.Q.Y) > key_size_bits) || 157 (mbedtls_mpi_bitlen(&ecdsa.d) > key_size_bits)) { 158 res = TEE_ERROR_BAD_PARAMETERS; 159 FMSG("Check the size of the keys failed."); 160 goto exit; 161 } 162 163 /* check LMD is returning z==1 */ 164 if (mbedtls_mpi_bitlen(&ecdsa.Q.Z) != 1) { 165 res = TEE_ERROR_BAD_PARAMETERS; 166 FMSG("Check LMD failed."); 167 goto exit; 168 } 169 170 /* Copy the key */ 171 crypto_bignum_copy(key->d, (void *)&ecdsa.d); 172 crypto_bignum_copy(key->x, (void *)&ecdsa.Q.X); 173 crypto_bignum_copy(key->y, (void *)&ecdsa.Q.Y); 174 175 res = TEE_SUCCESS; 176 exit: 177 mbedtls_ecdsa_free(&ecdsa); /* Free the temporary key */ 178 return res; 179 } 180 181 static TEE_Result ecc_sign(uint32_t algo, struct ecc_keypair *key, 182 const uint8_t *msg, size_t msg_len, uint8_t *sig, 183 size_t *sig_len) 184 { 185 TEE_Result res = TEE_SUCCESS; 186 int lmd_res = 0; 187 const mbedtls_pk_info_t *pk_info = NULL; 188 mbedtls_ecdsa_context ecdsa; 189 mbedtls_ecp_group_id gid; 190 size_t key_size_bytes = 0; 191 size_t key_size_bits = 0; 192 mbedtls_mpi r; 193 mbedtls_mpi s; 194 195 memset(&ecdsa, 0, sizeof(ecdsa)); 196 memset(&gid, 0, sizeof(gid)); 197 memset(&r, 0, sizeof(r)); 198 memset(&s, 0, sizeof(s)); 199 200 if (algo == 0) 201 return TEE_ERROR_BAD_PARAMETERS; 202 203 mbedtls_mpi_init(&r); 204 mbedtls_mpi_init(&s); 205 206 mbedtls_ecdsa_init(&ecdsa); 207 208 gid = curve_to_group_id(key->curve); 209 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, gid); 210 if (lmd_res != 0) { 211 res = TEE_ERROR_NOT_SUPPORTED; 212 goto out; 213 } 214 215 ecdsa.d = *(mbedtls_mpi *)key->d; 216 217 res = ecc_get_keysize(key->curve, algo, &key_size_bytes, 218 &key_size_bits); 219 if (res != TEE_SUCCESS) 220 goto out; 221 222 if (*sig_len < 2 * key_size_bytes) { 223 *sig_len = 2 * key_size_bytes; 224 res = TEE_ERROR_SHORT_BUFFER; 225 goto out; 226 } 227 228 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECDSA); 229 if (pk_info == NULL) { 230 res = TEE_ERROR_NOT_SUPPORTED; 231 goto out; 232 } 233 234 lmd_res = mbedtls_ecdsa_sign(&ecdsa.grp, &r, &s, &ecdsa.d, msg, 235 msg_len, mbd_rand, NULL); 236 if (lmd_res == 0) { 237 *sig_len = 2 * key_size_bytes; 238 memset(sig, 0, *sig_len); 239 mbedtls_mpi_write_binary(&r, sig + *sig_len / 2 - 240 mbedtls_mpi_size(&r), 241 mbedtls_mpi_size(&r)); 242 243 mbedtls_mpi_write_binary(&s, sig + *sig_len - 244 mbedtls_mpi_size(&s), 245 mbedtls_mpi_size(&s)); 246 res = TEE_SUCCESS; 247 } else { 248 FMSG("mbedtls_ecdsa_sign failed, returned 0x%x\n", -lmd_res); 249 res = TEE_ERROR_GENERIC; 250 } 251 out: 252 mbedtls_mpi_free(&r); 253 mbedtls_mpi_free(&s); 254 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 255 mbedtls_mpi_init(&ecdsa.d); 256 mbedtls_ecdsa_free(&ecdsa); 257 return res; 258 } 259 260 static TEE_Result ecc_verify(uint32_t algo, struct ecc_public_key *key, 261 const uint8_t *msg, size_t msg_len, 262 const uint8_t *sig, size_t sig_len) 263 { 264 TEE_Result res = TEE_SUCCESS; 265 int lmd_res = 0; 266 mbedtls_ecdsa_context ecdsa; 267 mbedtls_ecp_group_id gid; 268 size_t key_size_bytes, key_size_bits = 0; 269 uint8_t one[1] = { 1 }; 270 mbedtls_mpi r; 271 mbedtls_mpi s; 272 273 memset(&ecdsa, 0, sizeof(ecdsa)); 274 memset(&gid, 0, sizeof(gid)); 275 memset(&r, 0, sizeof(r)); 276 memset(&s, 0, sizeof(s)); 277 278 if (algo == 0) 279 return TEE_ERROR_BAD_PARAMETERS; 280 281 mbedtls_mpi_init(&r); 282 mbedtls_mpi_init(&s); 283 284 mbedtls_ecdsa_init(&ecdsa); 285 286 gid = curve_to_group_id(key->curve); 287 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, gid); 288 if (lmd_res != 0) { 289 res = TEE_ERROR_NOT_SUPPORTED; 290 goto out; 291 } 292 293 ecdsa.Q.X = *(mbedtls_mpi *)key->x; 294 ecdsa.Q.Y = *(mbedtls_mpi *)key->y; 295 mbedtls_mpi_read_binary(&ecdsa.Q.Z, one, sizeof(one)); 296 297 res = ecc_get_keysize(key->curve, algo, 298 &key_size_bytes, &key_size_bits); 299 if (res != TEE_SUCCESS) { 300 res = TEE_ERROR_BAD_PARAMETERS; 301 goto out; 302 } 303 304 /* check keysize vs sig_len */ 305 if ((key_size_bytes * 2) != sig_len) { 306 res = TEE_ERROR_BAD_PARAMETERS; 307 goto out; 308 } 309 310 mbedtls_mpi_read_binary(&r, sig, sig_len / 2); 311 mbedtls_mpi_read_binary(&s, sig + sig_len / 2, sig_len / 2); 312 313 lmd_res = mbedtls_ecdsa_verify(&ecdsa.grp, msg, msg_len, &ecdsa.Q, 314 &r, &s); 315 if (lmd_res != 0) { 316 FMSG("mbedtls_ecdsa_verify failed, returned 0x%x", -lmd_res); 317 res = get_tee_result(lmd_res); 318 } 319 out: 320 mbedtls_mpi_free(&r); 321 mbedtls_mpi_free(&s); 322 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 323 mbedtls_mpi_init(&ecdsa.Q.X); 324 mbedtls_mpi_init(&ecdsa.Q.Y); 325 mbedtls_ecdsa_free(&ecdsa); 326 return res; 327 } 328 329 static TEE_Result ecc_shared_secret(struct ecc_keypair *private_key, 330 struct ecc_public_key *public_key, 331 void *secret, unsigned long *secret_len) 332 { 333 TEE_Result res = TEE_SUCCESS; 334 int lmd_res = 0; 335 uint8_t one[1] = { 1 }; 336 mbedtls_ecdh_context ecdh; 337 mbedtls_ecp_group_id gid; 338 size_t out_len = 0; 339 340 memset(&ecdh, 0, sizeof(ecdh)); 341 memset(&gid, 0, sizeof(gid)); 342 mbedtls_ecdh_init(&ecdh); 343 gid = curve_to_group_id(private_key->curve); 344 lmd_res = mbedtls_ecp_group_load(&ecdh.grp, gid); 345 if (lmd_res != 0) { 346 res = TEE_ERROR_NOT_SUPPORTED; 347 goto out; 348 } 349 350 ecdh.d = *(mbedtls_mpi *)private_key->d; 351 ecdh.Qp.X = *(mbedtls_mpi *)public_key->x; 352 ecdh.Qp.Y = *(mbedtls_mpi *)public_key->y; 353 mbedtls_mpi_read_binary(&ecdh.Qp.Z, one, sizeof(one)); 354 355 lmd_res = mbedtls_ecdh_calc_secret(&ecdh, &out_len, secret, 356 *secret_len, mbd_rand, NULL); 357 if (lmd_res != 0) { 358 res = get_tee_result(lmd_res); 359 goto out; 360 } 361 *secret_len = out_len; 362 out: 363 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 364 mbedtls_mpi_init(&ecdh.d); 365 mbedtls_mpi_init(&ecdh.Qp.X); 366 mbedtls_mpi_init(&ecdh.Qp.Y); 367 mbedtls_ecdh_free(&ecdh); 368 return res; 369 } 370 371 static const struct crypto_ecc_keypair_ops ecc_keypair_ops = { 372 .generate = ecc_generate_keypair, 373 .sign = ecc_sign, 374 .shared_secret = ecc_shared_secret, 375 }; 376 377 static const struct crypto_ecc_keypair_ops sm2_pke_keypair_ops = { 378 .generate = ecc_generate_keypair, 379 .decrypt = sm2_mbedtls_pke_decrypt, 380 }; 381 382 static const struct crypto_ecc_keypair_ops sm2_kep_keypair_ops = { 383 .generate = ecc_generate_keypair, 384 }; 385 386 static const struct crypto_ecc_keypair_ops sm2_dsa_keypair_ops = { 387 .generate = ecc_generate_keypair, 388 .sign = sm2_mbedtls_dsa_sign, 389 }; 390 391 const struct crypto_ecc_keypair_ops * 392 crypto_asym_get_ecc_keypair_ops(uint32_t key_type) 393 { 394 switch (key_type) { 395 case TEE_TYPE_ECDSA_KEYPAIR: 396 case TEE_TYPE_ECDH_KEYPAIR: 397 return &ecc_keypair_ops; 398 case TEE_TYPE_SM2_DSA_KEYPAIR: 399 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 400 return NULL; 401 return &sm2_dsa_keypair_ops; 402 case TEE_TYPE_SM2_PKE_KEYPAIR: 403 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 404 return NULL; 405 return &sm2_pke_keypair_ops; 406 case TEE_TYPE_SM2_KEP_KEYPAIR: 407 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 408 return NULL; 409 return &sm2_kep_keypair_ops; 410 default: 411 return NULL; 412 } 413 } 414 415 TEE_Result crypto_asym_alloc_ecc_keypair(struct ecc_keypair *s, 416 uint32_t key_type, 417 size_t key_size_bits) 418 { 419 memset(s, 0, sizeof(*s)); 420 421 switch (key_type) { 422 case TEE_TYPE_ECDSA_KEYPAIR: 423 case TEE_TYPE_ECDH_KEYPAIR: 424 s->ops = &ecc_keypair_ops; 425 break; 426 case TEE_TYPE_SM2_DSA_KEYPAIR: 427 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 428 return TEE_ERROR_NOT_IMPLEMENTED; 429 430 s->curve = TEE_ECC_CURVE_SM2; 431 s->ops = &sm2_dsa_keypair_ops; 432 break; 433 case TEE_TYPE_SM2_PKE_KEYPAIR: 434 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 435 return TEE_ERROR_NOT_IMPLEMENTED; 436 437 s->curve = TEE_ECC_CURVE_SM2; 438 s->ops = &sm2_pke_keypair_ops; 439 break; 440 case TEE_TYPE_SM2_KEP_KEYPAIR: 441 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 442 return TEE_ERROR_NOT_IMPLEMENTED; 443 444 s->curve = TEE_ECC_CURVE_SM2; 445 s->ops = &sm2_kep_keypair_ops; 446 break; 447 default: 448 return TEE_ERROR_NOT_IMPLEMENTED; 449 } 450 451 s->d = crypto_bignum_allocate(key_size_bits); 452 if (!s->d) 453 goto err; 454 s->x = crypto_bignum_allocate(key_size_bits); 455 if (!s->x) 456 goto err; 457 s->y = crypto_bignum_allocate(key_size_bits); 458 if (!s->y) 459 goto err; 460 461 return TEE_SUCCESS; 462 463 err: 464 crypto_bignum_free(s->d); 465 crypto_bignum_free(s->x); 466 467 return TEE_ERROR_OUT_OF_MEMORY; 468 } 469 470 static const struct crypto_ecc_public_ops ecc_public_key_ops = { 471 .free = ecc_free_public_key, 472 .verify = ecc_verify, 473 }; 474 475 static const struct crypto_ecc_public_ops sm2_pke_public_key_ops = { 476 .free = ecc_free_public_key, 477 .encrypt = sm2_mbedtls_pke_encrypt, 478 }; 479 480 static const struct crypto_ecc_public_ops sm2_kep_public_key_ops = { 481 .free = ecc_free_public_key, 482 }; 483 484 static const struct crypto_ecc_public_ops sm2_dsa_public_key_ops = { 485 .free = ecc_free_public_key, 486 .verify = sm2_mbedtls_dsa_verify, 487 }; 488 489 const struct crypto_ecc_public_ops* 490 crypto_asym_get_ecc_public_ops(uint32_t key_type) 491 { 492 switch (key_type) { 493 case TEE_TYPE_ECDSA_PUBLIC_KEY: 494 case TEE_TYPE_ECDH_PUBLIC_KEY: 495 return &ecc_public_key_ops; 496 case TEE_TYPE_SM2_DSA_PUBLIC_KEY: 497 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 498 return NULL; 499 500 return &sm2_dsa_public_key_ops; 501 case TEE_TYPE_SM2_PKE_PUBLIC_KEY: 502 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 503 return NULL; 504 505 return &sm2_pke_public_key_ops; 506 case TEE_TYPE_SM2_KEP_PUBLIC_KEY: 507 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 508 return NULL; 509 return &sm2_kep_public_key_ops; 510 default: 511 return NULL; 512 } 513 } 514 515 TEE_Result crypto_asym_alloc_ecc_public_key(struct ecc_public_key *s, 516 uint32_t key_type, 517 size_t key_size_bits) 518 { 519 memset(s, 0, sizeof(*s)); 520 521 switch (key_type) { 522 case TEE_TYPE_ECDSA_PUBLIC_KEY: 523 case TEE_TYPE_ECDH_PUBLIC_KEY: 524 s->ops = &ecc_public_key_ops; 525 break; 526 case TEE_TYPE_SM2_DSA_PUBLIC_KEY: 527 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 528 return TEE_ERROR_NOT_IMPLEMENTED; 529 530 s->curve = TEE_ECC_CURVE_SM2; 531 s->ops = &sm2_dsa_public_key_ops; 532 break; 533 case TEE_TYPE_SM2_PKE_PUBLIC_KEY: 534 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 535 return TEE_ERROR_NOT_IMPLEMENTED; 536 537 s->curve = TEE_ECC_CURVE_SM2; 538 s->ops = &sm2_pke_public_key_ops; 539 break; 540 case TEE_TYPE_SM2_KEP_PUBLIC_KEY: 541 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 542 return TEE_ERROR_NOT_IMPLEMENTED; 543 544 s->curve = TEE_ECC_CURVE_SM2; 545 s->ops = &sm2_kep_public_key_ops; 546 break; 547 default: 548 return TEE_ERROR_NOT_IMPLEMENTED; 549 } 550 551 s->x = crypto_bignum_allocate(key_size_bits); 552 if (!s->x) 553 goto err; 554 s->y = crypto_bignum_allocate(key_size_bits); 555 if (!s->y) 556 goto err; 557 558 return TEE_SUCCESS; 559 560 err: 561 crypto_bignum_free(s->x); 562 563 return TEE_ERROR_OUT_OF_MEMORY; 564 } 565