1 /* 2 * Copyright (c) 2014, STMicroelectronics International N.V. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 #include <stdlib.h> 28 #include <string.h> 29 #include <string_ext.h> 30 31 #include <tee_api.h> 32 #include <tee_api_defines_extensions.h> 33 #include <tee_internal_api_extensions.h> 34 #include <utee_syscalls.h> 35 #include <utee_defines.h> 36 37 struct __TEE_OperationHandle { 38 TEE_OperationInfo info; 39 TEE_ObjectHandle key1; 40 TEE_ObjectHandle key2; 41 uint8_t *buffer; /* buffer to collect complete blocks */ 42 bool buffer_two_blocks; /* True if two blocks need to be buffered */ 43 size_t block_size; /* Block size of cipher */ 44 size_t buffer_offs; /* Offset in buffer */ 45 uint32_t state; /* Handle to state in TEE Core */ 46 uint32_t ae_tag_len; /* 47 * tag_len in bytes for AE operation else unused 48 */ 49 }; 50 51 /* Cryptographic Operations API - Generic Operation Functions */ 52 53 TEE_Result TEE_AllocateOperation(TEE_OperationHandle *operation, 54 uint32_t algorithm, uint32_t mode, 55 uint32_t maxKeySize) 56 { 57 TEE_Result res; 58 TEE_OperationHandle op = TEE_HANDLE_NULL; 59 uint32_t handle_state = 0; 60 size_t block_size = 1; 61 uint32_t req_key_usage; 62 bool with_private_key = false; 63 bool buffer_two_blocks = false; 64 65 if (operation == NULL) 66 TEE_Panic(0); 67 68 if (algorithm == TEE_ALG_AES_XTS) 69 handle_state = TEE_HANDLE_FLAG_EXPECT_TWO_KEYS; 70 71 switch (algorithm) { 72 case TEE_ALG_AES_CTS: 73 case TEE_ALG_AES_XTS: 74 buffer_two_blocks = true; 75 /*FALLTHROUGH*/ case TEE_ALG_AES_ECB_NOPAD: 76 case TEE_ALG_AES_CBC_NOPAD: 77 case TEE_ALG_AES_CTR: 78 case TEE_ALG_AES_CCM: 79 case TEE_ALG_AES_GCM: 80 case TEE_ALG_DES_ECB_NOPAD: 81 case TEE_ALG_DES_CBC_NOPAD: 82 case TEE_ALG_DES3_ECB_NOPAD: 83 case TEE_ALG_DES3_CBC_NOPAD: 84 if (TEE_ALG_GET_MAIN_ALG(algorithm) == TEE_MAIN_ALGO_AES) 85 block_size = TEE_AES_BLOCK_SIZE; 86 else 87 block_size = TEE_DES_BLOCK_SIZE; 88 89 if (mode == TEE_MODE_ENCRYPT) 90 req_key_usage = TEE_USAGE_ENCRYPT; 91 else if (mode == TEE_MODE_DECRYPT) 92 req_key_usage = TEE_USAGE_DECRYPT; 93 else 94 return TEE_ERROR_NOT_SUPPORTED; 95 break; 96 97 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 98 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 99 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 100 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 101 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 102 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 103 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 104 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 105 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 106 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 107 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 108 case TEE_ALG_DSA_SHA1: 109 if (mode == TEE_MODE_SIGN) { 110 with_private_key = true; 111 req_key_usage = TEE_USAGE_SIGN; 112 } else if (mode == TEE_MODE_VERIFY) { 113 req_key_usage = TEE_USAGE_VERIFY; 114 } else { 115 return TEE_ERROR_NOT_SUPPORTED; 116 } 117 break; 118 119 case TEE_ALG_RSAES_PKCS1_V1_5: 120 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 121 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 122 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 123 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 124 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 125 if (mode == TEE_MODE_ENCRYPT) { 126 req_key_usage = TEE_USAGE_ENCRYPT; 127 } else if (mode == TEE_MODE_DECRYPT) { 128 with_private_key = true; 129 req_key_usage = TEE_USAGE_DECRYPT; 130 } else { 131 return TEE_ERROR_NOT_SUPPORTED; 132 } 133 break; 134 135 case TEE_ALG_RSA_NOPAD: 136 if (mode == TEE_MODE_ENCRYPT) { 137 req_key_usage = TEE_USAGE_ENCRYPT | TEE_USAGE_VERIFY; 138 } else if (mode == TEE_MODE_DECRYPT) { 139 with_private_key = true; 140 req_key_usage = TEE_USAGE_DECRYPT | TEE_USAGE_SIGN; 141 } else { 142 return TEE_ERROR_NOT_SUPPORTED; 143 } 144 break; 145 146 case TEE_ALG_DH_DERIVE_SHARED_SECRET: 147 case TEE_ALG_HKDF_MD5_DERIVE_KEY: 148 case TEE_ALG_HKDF_SHA1_DERIVE_KEY: 149 case TEE_ALG_HKDF_SHA224_DERIVE_KEY: 150 case TEE_ALG_HKDF_SHA256_DERIVE_KEY: 151 case TEE_ALG_HKDF_SHA384_DERIVE_KEY: 152 case TEE_ALG_HKDF_SHA512_DERIVE_KEY: 153 case TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY: 154 case TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY: 155 case TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY: 156 case TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY: 157 case TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY: 158 case TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY: 159 if (mode != TEE_MODE_DERIVE) 160 return TEE_ERROR_NOT_SUPPORTED; 161 with_private_key = true; 162 req_key_usage = TEE_USAGE_DERIVE; 163 break; 164 165 case TEE_ALG_MD5: 166 case TEE_ALG_SHA1: 167 case TEE_ALG_SHA224: 168 case TEE_ALG_SHA256: 169 case TEE_ALG_SHA384: 170 case TEE_ALG_SHA512: 171 if (mode != TEE_MODE_DIGEST) 172 return TEE_ERROR_NOT_SUPPORTED; 173 handle_state |= TEE_HANDLE_FLAG_KEY_SET; 174 req_key_usage = 0; 175 break; 176 177 case TEE_ALG_DES_CBC_MAC_NOPAD: 178 case TEE_ALG_AES_CBC_MAC_NOPAD: 179 case TEE_ALG_AES_CBC_MAC_PKCS5: 180 case TEE_ALG_AES_CMAC: 181 case TEE_ALG_DES_CBC_MAC_PKCS5: 182 case TEE_ALG_DES3_CBC_MAC_NOPAD: 183 case TEE_ALG_DES3_CBC_MAC_PKCS5: 184 case TEE_ALG_HMAC_MD5: 185 case TEE_ALG_HMAC_SHA1: 186 case TEE_ALG_HMAC_SHA224: 187 case TEE_ALG_HMAC_SHA256: 188 case TEE_ALG_HMAC_SHA384: 189 case TEE_ALG_HMAC_SHA512: 190 if (mode != TEE_MODE_MAC) 191 return TEE_ERROR_NOT_SUPPORTED; 192 req_key_usage = TEE_USAGE_MAC; 193 break; 194 195 default: 196 return TEE_ERROR_NOT_SUPPORTED; 197 } 198 199 op = TEE_Malloc(sizeof(*op), 0); 200 if (op == NULL) 201 return TEE_ERROR_OUT_OF_MEMORY; 202 203 op->info.algorithm = algorithm; 204 op->info.operationClass = TEE_ALG_GET_CLASS(algorithm); 205 op->info.mode = mode; 206 op->info.maxKeySize = maxKeySize; 207 op->info.requiredKeyUsage = req_key_usage; 208 op->info.handleState = handle_state; 209 210 if (block_size > 1) { 211 size_t buffer_size = block_size; 212 213 if (buffer_two_blocks) 214 buffer_size *= 2; 215 216 op->buffer = 217 TEE_Malloc(buffer_size, TEE_USER_MEM_HINT_NO_FILL_ZERO); 218 if (op->buffer == NULL) { 219 res = TEE_ERROR_OUT_OF_MEMORY; 220 goto out; 221 } 222 } 223 op->block_size = block_size; 224 op->buffer_two_blocks = buffer_two_blocks; 225 226 if (TEE_ALG_GET_CLASS(algorithm) != TEE_OPERATION_DIGEST) { 227 uint32_t mks = maxKeySize; 228 TEE_ObjectType key_type = TEE_ALG_GET_KEY_TYPE(algorithm, 229 with_private_key); 230 231 /* 232 * If two keys are expected the max key size is the sum of 233 * the size of both keys. 234 */ 235 if (op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) 236 mks /= 2; 237 238 res = TEE_AllocateTransientObject(key_type, mks, &op->key1); 239 if (res != TEE_SUCCESS) 240 goto out; 241 242 if ((op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 243 0) { 244 res = 245 TEE_AllocateTransientObject(key_type, mks, 246 &op->key2); 247 if (res != TEE_SUCCESS) 248 goto out; 249 } 250 } 251 252 res = utee_cryp_state_alloc(algorithm, mode, (uint32_t) op->key1, 253 (uint32_t) op->key2, &op->state); 254 if (res != TEE_SUCCESS) 255 goto out; 256 257 /* For multi-stage operation do an "init". */ 258 TEE_ResetOperation(op); 259 *operation = op; 260 261 out: 262 if (res != TEE_SUCCESS) { 263 TEE_FreeTransientObject(op->key1); 264 TEE_FreeTransientObject(op->key2); 265 TEE_FreeOperation(op); 266 } 267 268 return res; 269 } 270 271 void TEE_FreeOperation(TEE_OperationHandle operation) 272 { 273 if (operation != TEE_HANDLE_NULL) { 274 /* 275 * Note that keys should not be freed here, since they are 276 * claimed by the operation they will be freed by 277 * utee_cryp_state_free(). 278 */ 279 utee_cryp_state_free(operation->state); 280 TEE_Free(operation->buffer); 281 TEE_Free(operation); 282 } 283 } 284 285 void TEE_GetOperationInfo(TEE_OperationHandle operation, 286 TEE_OperationInfo *operationInfo) 287 { 288 if (operation == TEE_HANDLE_NULL) 289 TEE_Panic(0); 290 291 if (operationInfo == NULL) 292 TEE_Panic(0); 293 294 *operationInfo = operation->info; 295 } 296 297 void TEE_ResetOperation(TEE_OperationHandle operation) 298 { 299 TEE_Result res; 300 301 if (operation == TEE_HANDLE_NULL) 302 TEE_Panic(0); 303 if (operation->info.operationClass == TEE_OPERATION_DIGEST) { 304 res = utee_hash_init(operation->state, NULL, 0); 305 if (res != TEE_SUCCESS) 306 TEE_Panic(res); 307 } 308 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 309 } 310 311 TEE_Result TEE_SetOperationKey(TEE_OperationHandle operation, 312 TEE_ObjectHandle key) 313 { 314 uint32_t key_size = 0; 315 316 if (operation == TEE_HANDLE_NULL) 317 TEE_Panic(0); 318 319 /* No key for digests */ 320 if (operation->info.operationClass == TEE_OPERATION_DIGEST) 321 TEE_Panic(0); 322 323 /* Two keys expected */ 324 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 325 0) 326 TEE_Panic(0); 327 328 if (key != TEE_HANDLE_NULL) { 329 TEE_ObjectInfo key_info; 330 331 TEE_GetObjectInfo(key, &key_info); 332 /* Supplied key has to meet required usage */ 333 if ((key_info.objectUsage & operation->info.requiredKeyUsage) != 334 operation->info.requiredKeyUsage) { 335 TEE_Panic(0); 336 } 337 338 if (operation->info.maxKeySize < key_info.objectSize) 339 TEE_Panic(0); 340 341 key_size = key_info.objectSize; 342 } 343 344 TEE_ResetTransientObject(operation->key1); 345 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 346 347 if (key != TEE_HANDLE_NULL) { 348 TEE_CopyObjectAttributes(operation->key1, key); 349 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 350 } 351 352 operation->info.keySize = key_size; 353 354 return TEE_SUCCESS; 355 } 356 357 TEE_Result TEE_SetOperationKey2(TEE_OperationHandle operation, 358 TEE_ObjectHandle key1, TEE_ObjectHandle key2) 359 { 360 uint32_t key_size = 0; 361 362 if (operation == TEE_HANDLE_NULL) 363 TEE_Panic(0); 364 365 /* Two keys not expected */ 366 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 367 0) 368 TEE_Panic(0); 369 370 /* Either both keys are NULL or both are not NULL */ 371 if ((key1 == TEE_HANDLE_NULL || key2 == TEE_HANDLE_NULL) && 372 key1 != key2) 373 TEE_Panic(0); 374 375 if (key1 != TEE_HANDLE_NULL) { 376 TEE_ObjectInfo key_info1; 377 TEE_ObjectInfo key_info2; 378 379 TEE_GetObjectInfo(key1, &key_info1); 380 /* Supplied key has to meet required usage */ 381 if ((key_info1.objectUsage & operation->info. 382 requiredKeyUsage) != operation->info.requiredKeyUsage) { 383 TEE_Panic(0); 384 } 385 386 TEE_GetObjectInfo(key2, &key_info2); 387 /* Supplied key has to meet required usage */ 388 if ((key_info2.objectUsage & operation->info. 389 requiredKeyUsage) != operation->info.requiredKeyUsage) { 390 TEE_Panic(0); 391 } 392 393 /* 394 * AES-XTS (the only multi key algorithm supported, requires the 395 * keys to be of equal size. 396 */ 397 if (operation->info.algorithm == TEE_ALG_AES_XTS && 398 key_info1.objectSize != key_info2.objectSize) 399 TEE_Panic(0); 400 401 if (operation->info.maxKeySize < key_info1.objectSize) 402 TEE_Panic(0); 403 404 /* 405 * Odd that only the size of one key should be reported while 406 * size of two key are used when allocating the operation. 407 */ 408 key_size = key_info1.objectSize; 409 } 410 411 TEE_ResetTransientObject(operation->key1); 412 TEE_ResetTransientObject(operation->key2); 413 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 414 415 if (key1 != TEE_HANDLE_NULL) { 416 TEE_CopyObjectAttributes(operation->key1, key1); 417 TEE_CopyObjectAttributes(operation->key2, key2); 418 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 419 } 420 421 operation->info.keySize = key_size; 422 423 return TEE_SUCCESS; 424 } 425 426 void TEE_CopyOperation(TEE_OperationHandle dst_op, TEE_OperationHandle src_op) 427 { 428 TEE_Result res; 429 430 if (dst_op == TEE_HANDLE_NULL || src_op == TEE_HANDLE_NULL) 431 TEE_Panic(0); 432 if (dst_op->info.algorithm != src_op->info.algorithm) 433 TEE_Panic(0); 434 if (src_op->info.operationClass != TEE_OPERATION_DIGEST) { 435 TEE_ObjectHandle key1 = TEE_HANDLE_NULL; 436 TEE_ObjectHandle key2 = TEE_HANDLE_NULL; 437 438 if (src_op->info.handleState & TEE_HANDLE_FLAG_KEY_SET) { 439 key1 = src_op->key1; 440 key2 = src_op->key2; 441 } 442 443 if ((src_op->info.handleState & 444 TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 0) { 445 TEE_SetOperationKey(dst_op, key1); 446 } else { 447 TEE_SetOperationKey2(dst_op, key1, key2); 448 } 449 } 450 dst_op->info.handleState = src_op->info.handleState; 451 dst_op->info.keySize = src_op->info.keySize; 452 453 if (dst_op->buffer_two_blocks != src_op->buffer_two_blocks || 454 dst_op->block_size != src_op->block_size) 455 TEE_Panic(0); 456 457 if (dst_op->buffer != NULL) { 458 if (src_op->buffer == NULL) 459 TEE_Panic(0); 460 461 memcpy(dst_op->buffer, src_op->buffer, src_op->buffer_offs); 462 dst_op->buffer_offs = src_op->buffer_offs; 463 } else if (src_op->buffer != NULL) { 464 TEE_Panic(0); 465 } 466 467 res = utee_cryp_state_copy(dst_op->state, src_op->state); 468 if (res != TEE_SUCCESS) 469 TEE_Panic(res); 470 } 471 472 /* Cryptographic Operations API - Message Digest Functions */ 473 474 void TEE_DigestUpdate(TEE_OperationHandle operation, 475 void *chunk, size_t chunkSize) 476 { 477 TEE_Result res = TEE_ERROR_GENERIC; 478 479 if (operation == TEE_HANDLE_NULL || 480 operation->info.operationClass != TEE_OPERATION_DIGEST) 481 TEE_Panic(0); 482 483 res = utee_hash_update(operation->state, chunk, chunkSize); 484 if (res != TEE_SUCCESS) 485 TEE_Panic(res); 486 } 487 488 TEE_Result TEE_DigestDoFinal(TEE_OperationHandle operation, const void *chunk, 489 size_t chunkLen, void *hash, size_t *hashLen) 490 { 491 if ((operation == TEE_HANDLE_NULL) || (!chunk && chunkLen) || 492 !hash || !hashLen || 493 (operation->info.operationClass != TEE_OPERATION_DIGEST)) 494 TEE_Panic(0); 495 496 return utee_hash_final(operation->state, chunk, chunkLen, hash, 497 hashLen); 498 } 499 500 /* Cryptographic Operations API - Symmetric Cipher Functions */ 501 502 void TEE_CipherInit(TEE_OperationHandle operation, const void *IV, size_t IVLen) 503 { 504 TEE_Result res; 505 506 if (operation == TEE_HANDLE_NULL) 507 TEE_Panic(0); 508 if (operation->info.operationClass != TEE_OPERATION_CIPHER) 509 TEE_Panic(0); 510 res = utee_cipher_init(operation->state, IV, IVLen); 511 if (res != TEE_SUCCESS) 512 TEE_Panic(res); 513 operation->buffer_offs = 0; 514 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 515 } 516 517 static TEE_Result tee_buffer_update( 518 TEE_OperationHandle op, 519 TEE_Result(*update_func) (uint32_t state, const void *src, 520 size_t slen, void *dst, size_t *dlen), 521 const void *src_data, size_t src_len, 522 void *dest_data, size_t *dest_len) 523 { 524 TEE_Result res; 525 const uint8_t *src = src_data; 526 size_t slen = src_len; 527 uint8_t *dst = dest_data; 528 size_t dlen = *dest_len; 529 size_t acc_dlen = 0; 530 size_t tmp_dlen; 531 size_t l; 532 size_t buffer_size; 533 534 if (op->buffer_two_blocks) 535 buffer_size = op->block_size * 2; 536 else 537 buffer_size = op->block_size; 538 539 if (op->buffer_offs > 0) { 540 /* Fill up complete block */ 541 if (op->buffer_offs < op->block_size) 542 l = MIN(slen, op->block_size - op->buffer_offs); 543 else 544 l = MIN(slen, buffer_size - op->buffer_offs); 545 memcpy(op->buffer + op->buffer_offs, src, l); 546 op->buffer_offs += l; 547 src += l; 548 slen -= l; 549 if ((op->buffer_offs % op->block_size) != 0) 550 goto out; /* Nothing left to do */ 551 } 552 553 /* If we can feed from buffer */ 554 if (op->buffer_offs > 0 && (op->buffer_offs + slen) > buffer_size) { 555 l = ROUNDUP(op->buffer_offs + slen - buffer_size, 556 op->block_size); 557 l = MIN(op->buffer_offs, l); 558 tmp_dlen = dlen; 559 res = update_func(op->state, op->buffer, l, dst, &tmp_dlen); 560 if (res != TEE_SUCCESS) 561 TEE_Panic(res); 562 dst += tmp_dlen; 563 dlen -= tmp_dlen; 564 acc_dlen += tmp_dlen; 565 op->buffer_offs -= l; 566 if (op->buffer_offs > 0) { 567 /* 568 * Slen is small enough to be contained in rest buffer. 569 */ 570 memcpy(op->buffer, op->buffer + l, buffer_size - l); 571 memcpy(op->buffer + op->buffer_offs, src, slen); 572 op->buffer_offs += slen; 573 goto out; /* Nothing left to do */ 574 } 575 } 576 577 if (slen > buffer_size) { 578 /* Buffer is empty, feed as much as possible from src */ 579 if (TEE_ALIGNMENT_IS_OK(src, uint32_t)) { 580 l = ROUNDUP(slen - buffer_size + 1, op->block_size); 581 582 tmp_dlen = dlen; 583 res = update_func(op->state, src, l, dst, &tmp_dlen); 584 if (res != TEE_SUCCESS) 585 TEE_Panic(res); 586 src += l; 587 slen -= l; 588 dst += tmp_dlen; 589 dlen -= tmp_dlen; 590 acc_dlen += tmp_dlen; 591 } else { 592 /* 593 * Supplied data isn't well aligned, we're forced to 594 * feed through the buffer. 595 */ 596 while (slen >= op->block_size) { 597 memcpy(op->buffer, src, op->block_size); 598 599 tmp_dlen = dlen; 600 res = 601 update_func(op->state, op->buffer, 602 op->block_size, dst, &tmp_dlen); 603 if (res != TEE_SUCCESS) 604 TEE_Panic(res); 605 src += op->block_size; 606 slen -= op->block_size; 607 dst += tmp_dlen; 608 dlen -= tmp_dlen; 609 acc_dlen += tmp_dlen; 610 } 611 } 612 } 613 614 /* Slen is small enough to be contained in buffer. */ 615 memcpy(op->buffer + op->buffer_offs, src, slen); 616 op->buffer_offs += slen; 617 618 out: 619 *dest_len = acc_dlen; 620 return TEE_SUCCESS; 621 } 622 623 TEE_Result TEE_CipherUpdate(TEE_OperationHandle op, const void *srcData, 624 size_t srcLen, void *destData, size_t *destLen) 625 { 626 size_t req_dlen; 627 628 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 629 destLen == NULL || (destData == NULL && *destLen != 0)) 630 TEE_Panic(0); 631 if (op->info.operationClass != TEE_OPERATION_CIPHER) 632 TEE_Panic(0); 633 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 634 TEE_Panic(0); 635 636 /* Calculate required dlen */ 637 req_dlen = ((op->buffer_offs + srcLen) / op->block_size) * 638 op->block_size; 639 if (op->buffer_two_blocks) { 640 if (req_dlen > op->block_size * 2) 641 req_dlen -= op->block_size * 2; 642 else 643 req_dlen = 0; 644 } 645 /* 646 * Check that required destLen is big enough before starting to feed 647 * data to the algorithm. Errors during feeding of data are fatal as we 648 * can't restore sync with this API. 649 */ 650 if (*destLen < req_dlen) { 651 *destLen = req_dlen; 652 return TEE_ERROR_SHORT_BUFFER; 653 } 654 655 tee_buffer_update(op, utee_cipher_update, srcData, srcLen, destData, 656 destLen); 657 658 return TEE_SUCCESS; 659 } 660 661 TEE_Result TEE_CipherDoFinal(TEE_OperationHandle op, 662 const void *srcData, size_t srcLen, void *destData, 663 size_t *destLen) 664 { 665 TEE_Result res; 666 uint8_t *dst = destData; 667 size_t acc_dlen = 0; 668 size_t tmp_dlen; 669 size_t req_dlen; 670 671 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 672 destLen == NULL || (destData == NULL && *destLen != 0)) 673 TEE_Panic(0); 674 if (op->info.operationClass != TEE_OPERATION_CIPHER) 675 TEE_Panic(0); 676 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 677 TEE_Panic(0); 678 679 /* 680 * Check that the final block doesn't require padding for those 681 * algorithms that requires client to supply padding. 682 */ 683 if (op->info.algorithm == TEE_ALG_AES_ECB_NOPAD || 684 op->info.algorithm == TEE_ALG_AES_CBC_NOPAD || 685 op->info.algorithm == TEE_ALG_DES_ECB_NOPAD || 686 op->info.algorithm == TEE_ALG_DES_CBC_NOPAD || 687 op->info.algorithm == TEE_ALG_DES3_ECB_NOPAD || 688 op->info.algorithm == TEE_ALG_DES3_CBC_NOPAD) { 689 if (((op->buffer_offs + srcLen) % op->block_size) != 0) 690 return TEE_ERROR_BAD_PARAMETERS; 691 } 692 693 /* 694 * Check that required destLen is big enough before starting to feed 695 * data to the algorithm. Errors during feeding of data are fatal as we 696 * can't restore sync with this API. 697 */ 698 req_dlen = op->buffer_offs + srcLen; 699 if (*destLen < req_dlen) { 700 *destLen = req_dlen; 701 return TEE_ERROR_SHORT_BUFFER; 702 } 703 704 tmp_dlen = *destLen - acc_dlen; 705 tee_buffer_update(op, utee_cipher_update, srcData, srcLen, dst, 706 &tmp_dlen); 707 dst += tmp_dlen; 708 acc_dlen += tmp_dlen; 709 710 tmp_dlen = *destLen - acc_dlen; 711 res = utee_cipher_final(op->state, op->buffer, op->buffer_offs, 712 dst, &tmp_dlen); 713 if (res != TEE_SUCCESS) 714 TEE_Panic(res); 715 acc_dlen += tmp_dlen; 716 717 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 718 *destLen = acc_dlen; 719 return TEE_SUCCESS; 720 } 721 722 /* Cryptographic Operations API - MAC Functions */ 723 724 void TEE_MACInit(TEE_OperationHandle operation, const void *IV, size_t IVLen) 725 { 726 TEE_Result res; 727 728 if (operation == TEE_HANDLE_NULL) 729 TEE_Panic(0); 730 if (IV == NULL && IVLen != 0) 731 TEE_Panic(0); 732 if (operation->info.operationClass != TEE_OPERATION_MAC) 733 TEE_Panic(0); 734 res = utee_hash_init(operation->state, IV, IVLen); 735 if (res != TEE_SUCCESS) 736 TEE_Panic(res); 737 operation->buffer_offs = 0; 738 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 739 } 740 741 void TEE_MACUpdate(TEE_OperationHandle op, const void *chunk, size_t chunkSize) 742 { 743 TEE_Result res; 744 745 if (op == TEE_HANDLE_NULL || (chunk == NULL && chunkSize != 0)) 746 TEE_Panic(0); 747 if (op->info.operationClass != TEE_OPERATION_MAC) 748 TEE_Panic(0); 749 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 750 TEE_Panic(0); 751 752 res = utee_hash_update(op->state, chunk, chunkSize); 753 if (res != TEE_SUCCESS) 754 TEE_Panic(res); 755 } 756 757 TEE_Result TEE_MACComputeFinal(TEE_OperationHandle op, 758 const void *message, size_t messageLen, 759 void *mac, size_t *macLen) 760 { 761 TEE_Result res; 762 763 if (op == TEE_HANDLE_NULL || (message == NULL && messageLen != 0) || 764 mac == NULL || macLen == NULL) 765 TEE_Panic(0); 766 if (op->info.operationClass != TEE_OPERATION_MAC) 767 TEE_Panic(0); 768 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 769 TEE_Panic(0); 770 771 res = utee_hash_final(op->state, message, messageLen, mac, macLen); 772 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 773 return res; 774 } 775 776 TEE_Result TEE_MACCompareFinal(TEE_OperationHandle operation, 777 const void *message, size_t messageLen, 778 const void *mac, size_t macLen) 779 { 780 TEE_Result res; 781 uint8_t computed_mac[TEE_MAX_HASH_SIZE]; 782 size_t computed_mac_size = TEE_MAX_HASH_SIZE; 783 784 res = TEE_MACComputeFinal(operation, message, messageLen, computed_mac, 785 &computed_mac_size); 786 if (res != TEE_SUCCESS) 787 return res; 788 if (computed_mac_size != macLen) 789 return TEE_ERROR_MAC_INVALID; 790 if (buf_compare_ct(mac, computed_mac, computed_mac_size) != 0) 791 return TEE_ERROR_MAC_INVALID; 792 return TEE_SUCCESS; 793 } 794 795 /* Cryptographic Operations API - Authenticated Encryption Functions */ 796 797 TEE_Result TEE_AEInit(TEE_OperationHandle op, const void *nonce, 798 size_t nonceLen, uint32_t tagLen, uint32_t AADLen, 799 uint32_t payloadLen) 800 { 801 TEE_Result res; 802 803 if (op == TEE_HANDLE_NULL || nonce == NULL) 804 TEE_Panic(0); 805 if (op->info.operationClass != TEE_OPERATION_AE) 806 TEE_Panic(0); 807 808 /* 809 * AES-CCM tag len is specified by AES-CCM spec and handled in TEE Core 810 * in the implementation. But AES-GCM spec doesn't specify the tag len 811 * according to the same principle so we have to check here instead to 812 * be GP compliant. 813 */ 814 if (op->info.algorithm == TEE_ALG_AES_GCM) { 815 /* 816 * From GP spec: For AES-GCM, can be 128, 120, 112, 104, or 96 817 */ 818 if (tagLen < 96 || tagLen > 128 || (tagLen % 8 != 0)) 819 return TEE_ERROR_NOT_SUPPORTED; 820 } 821 822 res = utee_authenc_init(op->state, nonce, nonceLen, tagLen / 8, AADLen, 823 payloadLen); 824 if (res != TEE_SUCCESS) { 825 if (res != TEE_ERROR_NOT_SUPPORTED) 826 TEE_Panic(res); 827 return res; 828 } 829 op->ae_tag_len = tagLen / 8; 830 831 op->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 832 return TEE_SUCCESS; 833 } 834 835 void TEE_AEUpdateAAD(TEE_OperationHandle op, const void *AADdata, 836 size_t AADdataLen) 837 { 838 TEE_Result res; 839 840 if (op == TEE_HANDLE_NULL || (AADdata == NULL && AADdataLen != 0)) 841 TEE_Panic(0); 842 if (op->info.operationClass != TEE_OPERATION_AE) 843 TEE_Panic(0); 844 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 845 TEE_Panic(0); 846 847 res = utee_authenc_update_aad(op->state, AADdata, AADdataLen); 848 if (res != TEE_SUCCESS) 849 TEE_Panic(res); 850 } 851 852 TEE_Result TEE_AEUpdate(TEE_OperationHandle op, const void *srcData, 853 size_t srcLen, void *destData, size_t *destLen) 854 { 855 size_t req_dlen; 856 857 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 858 destLen == NULL || (destData == NULL && *destLen != 0)) 859 TEE_Panic(0); 860 if (op->info.operationClass != TEE_OPERATION_AE) 861 TEE_Panic(0); 862 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 863 TEE_Panic(0); 864 865 /* 866 * Check that required destLen is big enough before starting to feed 867 * data to the algorithm. Errors during feeding of data are fatal as we 868 * can't restore sync with this API. 869 */ 870 req_dlen = ROUNDDOWN(op->buffer_offs + srcLen, op->block_size); 871 if (*destLen < req_dlen) { 872 *destLen = req_dlen; 873 return TEE_ERROR_SHORT_BUFFER; 874 } 875 876 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 877 destData, destLen); 878 879 return TEE_SUCCESS; 880 } 881 882 TEE_Result TEE_AEEncryptFinal(TEE_OperationHandle op, 883 const void *srcData, size_t srcLen, 884 void *destData, size_t *destLen, void *tag, 885 size_t *tagLen) 886 { 887 TEE_Result res; 888 uint8_t *dst = destData; 889 size_t acc_dlen = 0; 890 size_t tmp_dlen; 891 size_t req_dlen; 892 893 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 894 destLen == NULL || (destData == NULL && *destLen != 0) || 895 tag == NULL || tagLen == NULL) 896 TEE_Panic(0); 897 if (op->info.operationClass != TEE_OPERATION_AE) 898 TEE_Panic(0); 899 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 900 TEE_Panic(0); 901 902 /* 903 * Check that required destLen is big enough before starting to feed 904 * data to the algorithm. Errors during feeding of data are fatal as we 905 * can't restore sync with this API. 906 */ 907 req_dlen = op->buffer_offs + srcLen; 908 if (*destLen < req_dlen) { 909 *destLen = req_dlen; 910 return TEE_ERROR_SHORT_BUFFER; 911 } 912 913 /* 914 * Need to check this before update_payload since sync would be lost if 915 * we return short buffer after that. 916 */ 917 if (*tagLen < op->ae_tag_len) { 918 *tagLen = op->ae_tag_len; 919 return TEE_ERROR_SHORT_BUFFER; 920 } 921 922 tmp_dlen = *destLen - acc_dlen; 923 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 924 dst, &tmp_dlen); 925 dst += tmp_dlen; 926 acc_dlen += tmp_dlen; 927 928 tmp_dlen = *destLen - acc_dlen; 929 res = 930 utee_authenc_enc_final(op->state, op->buffer, op->buffer_offs, dst, 931 &tmp_dlen, tag, tagLen); 932 if (res != TEE_SUCCESS) 933 TEE_Panic(res); 934 acc_dlen += tmp_dlen; 935 936 *destLen = acc_dlen; 937 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 938 939 return res; 940 } 941 942 TEE_Result TEE_AEDecryptFinal(TEE_OperationHandle op, 943 const void *srcData, size_t srcLen, 944 void *destData, size_t *destLen, const void *tag, 945 size_t tagLen) 946 { 947 TEE_Result res; 948 uint8_t *dst = destData; 949 size_t acc_dlen = 0; 950 size_t tmp_dlen; 951 size_t req_dlen; 952 953 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 954 destLen == NULL || (destData == NULL && *destLen != 0) || 955 (tag == NULL && tagLen != 0)) 956 TEE_Panic(0); 957 if (op->info.operationClass != TEE_OPERATION_AE) 958 TEE_Panic(0); 959 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 960 TEE_Panic(0); 961 962 /* 963 * Check that required destLen is big enough before starting to feed 964 * data to the algorithm. Errors during feeding of data are fatal as we 965 * can't restore sync with this API. 966 */ 967 req_dlen = op->buffer_offs + srcLen; 968 if (*destLen < req_dlen) { 969 *destLen = req_dlen; 970 return TEE_ERROR_SHORT_BUFFER; 971 } 972 973 tmp_dlen = *destLen - acc_dlen; 974 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 975 dst, &tmp_dlen); 976 dst += tmp_dlen; 977 acc_dlen += tmp_dlen; 978 979 tmp_dlen = *destLen - acc_dlen; 980 res = 981 utee_authenc_dec_final(op->state, op->buffer, op->buffer_offs, dst, 982 &tmp_dlen, tag, tagLen); 983 if (res != TEE_SUCCESS && res != TEE_ERROR_MAC_INVALID) 984 TEE_Panic(res); 985 /* Supplied tagLen should match what we initiated with */ 986 if (tagLen != op->ae_tag_len) 987 res = TEE_ERROR_MAC_INVALID; 988 989 acc_dlen += tmp_dlen; 990 991 *destLen = acc_dlen; 992 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 993 994 return res; 995 } 996 997 /* Cryptographic Operations API - Asymmetric Functions */ 998 999 TEE_Result TEE_AsymmetricEncrypt(TEE_OperationHandle op, 1000 const TEE_Attribute *params, 1001 uint32_t paramCount, const void *srcData, 1002 size_t srcLen, void *destData, 1003 size_t *destLen) 1004 { 1005 TEE_Result res; 1006 1007 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1008 destLen == NULL || (destData == NULL && *destLen != 0)) 1009 TEE_Panic(0); 1010 if (paramCount != 0 && params == NULL) 1011 TEE_Panic(0); 1012 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1013 TEE_Panic(0); 1014 if (op->info.mode != TEE_MODE_ENCRYPT) 1015 TEE_Panic(0); 1016 1017 res = utee_asymm_operate(op->state, params, paramCount, srcData, srcLen, 1018 destData, destLen); 1019 if (res != TEE_SUCCESS && 1020 res != TEE_ERROR_SHORT_BUFFER && 1021 res != TEE_ERROR_BAD_PARAMETERS) 1022 TEE_Panic(res); 1023 return res; 1024 } 1025 1026 TEE_Result TEE_AsymmetricDecrypt(TEE_OperationHandle op, 1027 const TEE_Attribute *params, 1028 uint32_t paramCount, const void *srcData, 1029 size_t srcLen, void *destData, 1030 size_t *destLen) 1031 { 1032 TEE_Result res; 1033 1034 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1035 destLen == NULL || (destData == NULL && *destLen != 0)) 1036 TEE_Panic(0); 1037 if (paramCount != 0 && params == NULL) 1038 TEE_Panic(0); 1039 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1040 TEE_Panic(0); 1041 if (op->info.mode != TEE_MODE_DECRYPT) 1042 TEE_Panic(0); 1043 1044 res = utee_asymm_operate(op->state, params, paramCount, srcData, srcLen, 1045 destData, destLen); 1046 if (res != TEE_SUCCESS && 1047 res != TEE_ERROR_SHORT_BUFFER && 1048 res != TEE_ERROR_BAD_PARAMETERS) 1049 TEE_Panic(res); 1050 return res; 1051 } 1052 1053 TEE_Result TEE_AsymmetricSignDigest(TEE_OperationHandle op, 1054 const TEE_Attribute *params, 1055 uint32_t paramCount, const void *digest, 1056 size_t digestLen, void *signature, 1057 size_t *signatureLen) 1058 { 1059 TEE_Result res; 1060 1061 if (op == TEE_HANDLE_NULL || (digest == NULL && digestLen != 0) || 1062 signature == NULL || signatureLen == NULL) 1063 TEE_Panic(0); 1064 if (paramCount != 0 && params == NULL) 1065 TEE_Panic(0); 1066 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1067 TEE_Panic(0); 1068 if (op->info.mode != TEE_MODE_SIGN) 1069 TEE_Panic(0); 1070 1071 res = 1072 utee_asymm_operate(op->state, params, paramCount, digest, digestLen, 1073 signature, signatureLen); 1074 if (res != TEE_SUCCESS && res != TEE_ERROR_SHORT_BUFFER) 1075 TEE_Panic(res); 1076 return res; 1077 } 1078 1079 TEE_Result TEE_AsymmetricVerifyDigest(TEE_OperationHandle op, 1080 const TEE_Attribute *params, 1081 uint32_t paramCount, const void *digest, 1082 size_t digestLen, const void *signature, 1083 size_t signatureLen) 1084 { 1085 TEE_Result res; 1086 1087 if (op == TEE_HANDLE_NULL || (digest == NULL && digestLen != 0) || 1088 (signature == NULL && signatureLen != 0)) 1089 TEE_Panic(0); 1090 if (paramCount != 0 && params == NULL) 1091 TEE_Panic(0); 1092 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1093 TEE_Panic(0); 1094 if (op->info.mode != TEE_MODE_VERIFY) 1095 TEE_Panic(0); 1096 1097 res = 1098 utee_asymm_verify(op->state, params, paramCount, digest, digestLen, 1099 signature, signatureLen); 1100 if (res != TEE_SUCCESS && res != TEE_ERROR_SIGNATURE_INVALID) 1101 TEE_Panic(res); 1102 return res; 1103 } 1104 1105 /* Cryptographic Operations API - Key Derivation Functions */ 1106 1107 void TEE_DeriveKey(TEE_OperationHandle operation, 1108 const TEE_Attribute *params, uint32_t paramCount, 1109 TEE_ObjectHandle derivedKey) 1110 { 1111 TEE_Result res; 1112 TEE_ObjectInfo key_info; 1113 1114 if (operation == TEE_HANDLE_NULL || derivedKey == 0) 1115 TEE_Panic(0); 1116 if (paramCount != 0 && params == NULL) 1117 TEE_Panic(0); 1118 if (TEE_ALG_GET_CLASS(operation->info.algorithm) != 1119 TEE_OPERATION_KEY_DERIVATION) 1120 TEE_Panic(0); 1121 1122 if (operation->info.operationClass != TEE_OPERATION_KEY_DERIVATION) 1123 TEE_Panic(0); 1124 if (operation->info.mode != TEE_MODE_DERIVE) 1125 TEE_Panic(0); 1126 if ((operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET) == 0) 1127 TEE_Panic(0); 1128 1129 res = utee_cryp_obj_get_info((uint32_t) derivedKey, &key_info); 1130 if (res != TEE_SUCCESS) 1131 TEE_Panic(0); 1132 1133 if (key_info.objectType != TEE_TYPE_GENERIC_SECRET) 1134 TEE_Panic(0); 1135 if ((key_info.handleFlags & TEE_HANDLE_FLAG_INITIALIZED) != 0) 1136 TEE_Panic(0); 1137 1138 res = utee_cryp_derive_key(operation->state, params, paramCount, 1139 (uint32_t) derivedKey); 1140 if (res != TEE_SUCCESS) 1141 TEE_Panic(res); 1142 } 1143 1144 /* Cryptographic Operations API - Random Number Generation Functions */ 1145 1146 void TEE_GenerateRandom(void *randomBuffer, size_t randomBufferLen) 1147 { 1148 TEE_Result res; 1149 1150 res = utee_cryp_random_number_generate(randomBuffer, randomBufferLen); 1151 if (res != TEE_SUCCESS) 1152 TEE_Panic(res); 1153 } 1154