1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <config.h> 9 #include <crypto/crypto_impl.h> 10 #include <mbedtls/ctr_drbg.h> 11 #include <mbedtls/ecdh.h> 12 #include <mbedtls/ecdsa.h> 13 #include <mbedtls/ecp.h> 14 #include <mbedtls/entropy.h> 15 #include <mbedtls/pk.h> 16 #include <stdlib.h> 17 #include <string.h> 18 19 #include "mbed_helpers.h" 20 #include "sm2-dsa.h" 21 #include "sm2-pke.h" 22 23 /* Translate mbedtls result to TEE result */ 24 static TEE_Result get_tee_result(int lmd_res) 25 { 26 switch (lmd_res) { 27 case 0: 28 return TEE_SUCCESS; 29 case MBEDTLS_ERR_ECP_VERIFY_FAILED: 30 return TEE_ERROR_SIGNATURE_INVALID; 31 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: 32 return TEE_ERROR_SHORT_BUFFER; 33 default: 34 return TEE_ERROR_BAD_STATE; 35 } 36 } 37 38 static void ecc_free_public_key(struct ecc_public_key *s) 39 { 40 if (!s) 41 return; 42 43 crypto_bignum_free(s->x); 44 crypto_bignum_free(s->y); 45 } 46 47 /* 48 * curve is part of TEE_ECC_CURVE_NIST_P192,... 49 * algo is part of TEE_ALG_ECDSA_P192,..., and 0 if we do not have it 50 */ 51 static TEE_Result ecc_get_keysize(uint32_t curve, uint32_t algo, 52 size_t *key_size_bytes, size_t *key_size_bits) 53 { 54 /* 55 * Note GPv1.1 indicates TEE_ALG_ECDH_NIST_P192_DERIVE_SHARED_SECRET 56 * but defines TEE_ALG_ECDH_P192 57 */ 58 switch (curve) { 59 case TEE_ECC_CURVE_NIST_P192: 60 *key_size_bits = 192; 61 *key_size_bytes = 24; 62 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P192) && 63 (algo != TEE_ALG_ECDH_P192)) 64 return TEE_ERROR_BAD_PARAMETERS; 65 break; 66 case TEE_ECC_CURVE_NIST_P224: 67 *key_size_bits = 224; 68 *key_size_bytes = 28; 69 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P224) && 70 (algo != TEE_ALG_ECDH_P224)) 71 return TEE_ERROR_BAD_PARAMETERS; 72 break; 73 case TEE_ECC_CURVE_NIST_P256: 74 *key_size_bits = 256; 75 *key_size_bytes = 32; 76 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P256) && 77 (algo != TEE_ALG_ECDH_P256)) 78 return TEE_ERROR_BAD_PARAMETERS; 79 break; 80 case TEE_ECC_CURVE_NIST_P384: 81 *key_size_bits = 384; 82 *key_size_bytes = 48; 83 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P384) && 84 (algo != TEE_ALG_ECDH_P384)) 85 return TEE_ERROR_BAD_PARAMETERS; 86 break; 87 case TEE_ECC_CURVE_NIST_P521: 88 *key_size_bits = 521; 89 *key_size_bytes = 66; 90 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P521) && 91 (algo != TEE_ALG_ECDH_P521)) 92 return TEE_ERROR_BAD_PARAMETERS; 93 break; 94 default: 95 *key_size_bits = 0; 96 *key_size_bytes = 0; 97 return TEE_ERROR_NOT_SUPPORTED; 98 } 99 100 return TEE_SUCCESS; 101 } 102 103 /* 104 * Clear some memory that was used to prepare the context 105 */ 106 static void ecc_clear_precomputed(mbedtls_ecp_group *grp) 107 { 108 size_t i = 0; 109 110 if (grp->T) { 111 for (i = 0; i < grp->T_size; i++) 112 mbedtls_ecp_point_free(&grp->T[i]); 113 free(grp->T); 114 } 115 grp->T = NULL; 116 grp->T_size = 0; 117 } 118 119 static TEE_Result ecc_generate_keypair(struct ecc_keypair *key, size_t key_size) 120 { 121 TEE_Result res = TEE_SUCCESS; 122 int lmd_res = 0; 123 mbedtls_ecdsa_context ecdsa; 124 size_t key_size_bytes = 0; 125 size_t key_size_bits = 0; 126 127 memset(&ecdsa, 0, sizeof(ecdsa)); 128 129 res = ecc_get_keysize(key->curve, 0, &key_size_bytes, &key_size_bits); 130 if (res != TEE_SUCCESS) 131 return res; 132 133 if (key_size != key_size_bits) 134 return TEE_ERROR_BAD_PARAMETERS; 135 136 mbedtls_ecdsa_init(&ecdsa); 137 138 /* Generate the ECC key */ 139 lmd_res = mbedtls_ecdsa_genkey(&ecdsa, key->curve, mbd_rand, NULL); 140 if (lmd_res != 0) { 141 res = TEE_ERROR_BAD_PARAMETERS; 142 FMSG("mbedtls_ecdsa_genkey failed."); 143 goto exit; 144 } 145 ecc_clear_precomputed(&ecdsa.grp); 146 147 /* check the size of the keys */ 148 if ((mbedtls_mpi_bitlen(&ecdsa.Q.X) > key_size_bits) || 149 (mbedtls_mpi_bitlen(&ecdsa.Q.Y) > key_size_bits) || 150 (mbedtls_mpi_bitlen(&ecdsa.d) > key_size_bits)) { 151 res = TEE_ERROR_BAD_PARAMETERS; 152 FMSG("Check the size of the keys failed."); 153 goto exit; 154 } 155 156 /* check LMD is returning z==1 */ 157 if (mbedtls_mpi_bitlen(&ecdsa.Q.Z) != 1) { 158 res = TEE_ERROR_BAD_PARAMETERS; 159 FMSG("Check LMD failed."); 160 goto exit; 161 } 162 163 /* Copy the key */ 164 crypto_bignum_copy(key->d, (void *)&ecdsa.d); 165 crypto_bignum_copy(key->x, (void *)&ecdsa.Q.X); 166 crypto_bignum_copy(key->y, (void *)&ecdsa.Q.Y); 167 168 res = TEE_SUCCESS; 169 exit: 170 mbedtls_ecdsa_free(&ecdsa); /* Free the temporary key */ 171 return res; 172 } 173 174 static TEE_Result ecc_sign(uint32_t algo, struct ecc_keypair *key, 175 const uint8_t *msg, size_t msg_len, uint8_t *sig, 176 size_t *sig_len) 177 { 178 TEE_Result res = TEE_SUCCESS; 179 int lmd_res = 0; 180 const mbedtls_pk_info_t *pk_info = NULL; 181 mbedtls_ecdsa_context ecdsa; 182 size_t key_size_bytes = 0; 183 size_t key_size_bits = 0; 184 mbedtls_mpi r; 185 mbedtls_mpi s; 186 187 memset(&ecdsa, 0, sizeof(ecdsa)); 188 memset(&r, 0, sizeof(r)); 189 memset(&s, 0, sizeof(s)); 190 191 if (algo == 0) 192 return TEE_ERROR_BAD_PARAMETERS; 193 194 mbedtls_mpi_init(&r); 195 mbedtls_mpi_init(&s); 196 197 mbedtls_ecdsa_init(&ecdsa); 198 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, key->curve); 199 if (lmd_res != 0) { 200 res = TEE_ERROR_NOT_SUPPORTED; 201 goto out; 202 } 203 204 ecdsa.d = *(mbedtls_mpi *)key->d; 205 206 res = ecc_get_keysize(key->curve, algo, &key_size_bytes, 207 &key_size_bits); 208 if (res != TEE_SUCCESS) 209 goto out; 210 211 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECDSA); 212 if (pk_info == NULL) { 213 res = TEE_ERROR_NOT_SUPPORTED; 214 goto out; 215 } 216 217 lmd_res = mbedtls_ecdsa_sign(&ecdsa.grp, &r, &s, &ecdsa.d, msg, 218 msg_len, mbd_rand, NULL); 219 if (lmd_res == 0) { 220 *sig_len = 2 * key_size_bytes; 221 memset(sig, 0, *sig_len); 222 mbedtls_mpi_write_binary(&r, sig + *sig_len / 2 - 223 mbedtls_mpi_size(&r), 224 mbedtls_mpi_size(&r)); 225 226 mbedtls_mpi_write_binary(&s, sig + *sig_len - 227 mbedtls_mpi_size(&s), 228 mbedtls_mpi_size(&s)); 229 res = TEE_SUCCESS; 230 } else { 231 FMSG("mbedtls_ecdsa_sign failed, returned 0x%x\n", -lmd_res); 232 res = TEE_ERROR_GENERIC; 233 } 234 out: 235 mbedtls_mpi_free(&r); 236 mbedtls_mpi_free(&s); 237 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 238 mbedtls_mpi_init(&ecdsa.d); 239 mbedtls_ecdsa_free(&ecdsa); 240 return res; 241 } 242 243 static TEE_Result ecc_verify(uint32_t algo, struct ecc_public_key *key, 244 const uint8_t *msg, size_t msg_len, 245 const uint8_t *sig, size_t sig_len) 246 { 247 TEE_Result res = TEE_SUCCESS; 248 int lmd_res = 0; 249 mbedtls_ecdsa_context ecdsa; 250 size_t key_size_bytes, key_size_bits = 0; 251 uint8_t one[1] = { 1 }; 252 mbedtls_mpi r; 253 mbedtls_mpi s; 254 255 memset(&ecdsa, 0, sizeof(ecdsa)); 256 memset(&r, 0, sizeof(r)); 257 memset(&s, 0, sizeof(s)); 258 259 if (algo == 0) 260 return TEE_ERROR_BAD_PARAMETERS; 261 262 mbedtls_mpi_init(&r); 263 mbedtls_mpi_init(&s); 264 265 mbedtls_ecdsa_init(&ecdsa); 266 267 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, key->curve); 268 if (lmd_res != 0) { 269 res = TEE_ERROR_NOT_SUPPORTED; 270 goto out; 271 } 272 273 ecdsa.Q.X = *(mbedtls_mpi *)key->x; 274 ecdsa.Q.Y = *(mbedtls_mpi *)key->y; 275 mbedtls_mpi_read_binary(&ecdsa.Q.Z, one, sizeof(one)); 276 277 res = ecc_get_keysize(key->curve, algo, 278 &key_size_bytes, &key_size_bits); 279 if (res != TEE_SUCCESS) { 280 res = TEE_ERROR_BAD_PARAMETERS; 281 goto out; 282 } 283 284 /* check keysize vs sig_len */ 285 if ((key_size_bytes * 2) != sig_len) { 286 res = TEE_ERROR_BAD_PARAMETERS; 287 goto out; 288 } 289 290 mbedtls_mpi_read_binary(&r, sig, sig_len / 2); 291 mbedtls_mpi_read_binary(&s, sig + sig_len / 2, sig_len / 2); 292 293 lmd_res = mbedtls_ecdsa_verify(&ecdsa.grp, msg, msg_len, &ecdsa.Q, 294 &r, &s); 295 if (lmd_res != 0) { 296 FMSG("mbedtls_ecdsa_verify failed, returned 0x%x", -lmd_res); 297 res = get_tee_result(lmd_res); 298 } 299 out: 300 mbedtls_mpi_free(&r); 301 mbedtls_mpi_free(&s); 302 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 303 mbedtls_mpi_init(&ecdsa.Q.X); 304 mbedtls_mpi_init(&ecdsa.Q.Y); 305 mbedtls_ecdsa_free(&ecdsa); 306 return res; 307 } 308 309 static TEE_Result ecc_shared_secret(struct ecc_keypair *private_key, 310 struct ecc_public_key *public_key, 311 void *secret, unsigned long *secret_len) 312 { 313 TEE_Result res = TEE_SUCCESS; 314 int lmd_res = 0; 315 uint8_t one[1] = { 1 }; 316 mbedtls_ecdh_context ecdh; 317 size_t out_len = 0; 318 319 memset(&ecdh, 0, sizeof(ecdh)); 320 mbedtls_ecdh_init(&ecdh); 321 lmd_res = mbedtls_ecp_group_load(&ecdh.grp, private_key->curve); 322 if (lmd_res != 0) { 323 res = TEE_ERROR_NOT_SUPPORTED; 324 goto out; 325 } 326 327 ecdh.d = *(mbedtls_mpi *)private_key->d; 328 ecdh.Qp.X = *(mbedtls_mpi *)public_key->x; 329 ecdh.Qp.Y = *(mbedtls_mpi *)public_key->y; 330 mbedtls_mpi_read_binary(&ecdh.Qp.Z, one, sizeof(one)); 331 332 lmd_res = mbedtls_ecdh_calc_secret(&ecdh, &out_len, secret, 333 *secret_len, mbd_rand, NULL); 334 if (lmd_res != 0) { 335 res = get_tee_result(lmd_res); 336 goto out; 337 } 338 *secret_len = out_len; 339 out: 340 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 341 mbedtls_mpi_init(&ecdh.d); 342 mbedtls_mpi_init(&ecdh.Qp.X); 343 mbedtls_mpi_init(&ecdh.Qp.Y); 344 mbedtls_ecdh_free(&ecdh); 345 return res; 346 } 347 348 static const struct crypto_ecc_keypair_ops ecc_keypair_ops = { 349 .generate = ecc_generate_keypair, 350 .sign = ecc_sign, 351 .shared_secret = ecc_shared_secret, 352 }; 353 354 static const struct crypto_ecc_keypair_ops sm2_pke_keypair_ops = { 355 .generate = ecc_generate_keypair, 356 .decrypt = sm2_mbedtls_pke_decrypt, 357 }; 358 359 static const struct crypto_ecc_keypair_ops sm2_kep_keypair_ops = { 360 .generate = ecc_generate_keypair, 361 }; 362 363 static const struct crypto_ecc_keypair_ops sm2_dsa_keypair_ops = { 364 .generate = ecc_generate_keypair, 365 .sign = sm2_mbedtls_dsa_sign, 366 }; 367 368 TEE_Result crypto_asym_alloc_ecc_keypair(struct ecc_keypair *s, 369 uint32_t key_type, 370 size_t key_size_bits) 371 { 372 memset(s, 0, sizeof(*s)); 373 374 switch (key_type) { 375 case TEE_TYPE_ECDSA_KEYPAIR: 376 case TEE_TYPE_ECDH_KEYPAIR: 377 s->ops = &ecc_keypair_ops; 378 break; 379 case TEE_TYPE_SM2_DSA_KEYPAIR: 380 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 381 return TEE_ERROR_NOT_IMPLEMENTED; 382 383 s->ops = &sm2_dsa_keypair_ops; 384 break; 385 case TEE_TYPE_SM2_PKE_KEYPAIR: 386 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 387 return TEE_ERROR_NOT_IMPLEMENTED; 388 389 s->ops = &sm2_pke_keypair_ops; 390 break; 391 case TEE_TYPE_SM2_KEP_KEYPAIR: 392 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 393 return TEE_ERROR_NOT_IMPLEMENTED; 394 395 s->ops = &sm2_kep_keypair_ops; 396 break; 397 default: 398 return TEE_ERROR_NOT_IMPLEMENTED; 399 } 400 401 s->d = crypto_bignum_allocate(key_size_bits); 402 if (!s->d) 403 goto err; 404 s->x = crypto_bignum_allocate(key_size_bits); 405 if (!s->x) 406 goto err; 407 s->y = crypto_bignum_allocate(key_size_bits); 408 if (!s->y) 409 goto err; 410 411 return TEE_SUCCESS; 412 413 err: 414 crypto_bignum_free(s->d); 415 crypto_bignum_free(s->x); 416 417 return TEE_ERROR_OUT_OF_MEMORY; 418 } 419 420 static const struct crypto_ecc_public_ops ecc_public_key_ops = { 421 .free = ecc_free_public_key, 422 .verify = ecc_verify, 423 }; 424 425 static const struct crypto_ecc_public_ops sm2_pke_public_key_ops = { 426 .free = ecc_free_public_key, 427 .encrypt = sm2_mbedtls_pke_encrypt, 428 }; 429 430 static const struct crypto_ecc_public_ops sm2_kep_public_key_ops = { 431 .free = ecc_free_public_key, 432 }; 433 434 static const struct crypto_ecc_public_ops sm2_dsa_public_key_ops = { 435 .free = ecc_free_public_key, 436 .verify = sm2_mbedtls_dsa_verify, 437 }; 438 439 TEE_Result crypto_asym_alloc_ecc_public_key(struct ecc_public_key *s, 440 uint32_t key_type, 441 size_t key_size_bits) 442 { 443 memset(s, 0, sizeof(*s)); 444 445 switch (key_type) { 446 case TEE_TYPE_ECDSA_PUBLIC_KEY: 447 case TEE_TYPE_ECDH_PUBLIC_KEY: 448 s->ops = &ecc_public_key_ops; 449 break; 450 case TEE_TYPE_SM2_DSA_PUBLIC_KEY: 451 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA)) 452 return TEE_ERROR_NOT_IMPLEMENTED; 453 454 s->ops = &sm2_dsa_public_key_ops; 455 break; 456 case TEE_TYPE_SM2_PKE_PUBLIC_KEY: 457 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE)) 458 return TEE_ERROR_NOT_IMPLEMENTED; 459 460 s->ops = &sm2_pke_public_key_ops; 461 break; 462 case TEE_TYPE_SM2_KEP_PUBLIC_KEY: 463 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP)) 464 return TEE_ERROR_NOT_IMPLEMENTED; 465 466 s->ops = &sm2_kep_public_key_ops; 467 break; 468 default: 469 return TEE_ERROR_NOT_IMPLEMENTED; 470 } 471 472 s->x = crypto_bignum_allocate(key_size_bits); 473 if (!s->x) 474 goto err; 475 s->y = crypto_bignum_allocate(key_size_bits); 476 if (!s->y) 477 goto err; 478 479 return TEE_SUCCESS; 480 481 err: 482 crypto_bignum_free(s->x); 483 484 return TEE_ERROR_OUT_OF_MEMORY; 485 } 486