1 /* 2 * Copyright (c) 2014, STMicroelectronics International N.V. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 #include <stdlib.h> 28 #include <string.h> 29 #include <string_ext.h> 30 31 #include <tee_api.h> 32 #include <tee_api_defines_extensions.h> 33 #include <tee_internal_api_extensions.h> 34 #include <utee_syscalls.h> 35 #include <utee_defines.h> 36 37 struct __TEE_OperationHandle { 38 TEE_OperationInfo info; 39 TEE_ObjectHandle key1; 40 TEE_ObjectHandle key2; 41 uint8_t *buffer; /* buffer to collect complete blocks */ 42 bool buffer_two_blocks; /* True if two blocks need to be buffered */ 43 size_t block_size; /* Block size of cipher */ 44 size_t buffer_offs; /* Offset in buffer */ 45 uint32_t state; /* Handle to state in TEE Core */ 46 uint32_t ae_tag_len; /* 47 * tag_len in bytes for AE operation else unused 48 */ 49 }; 50 51 /* Cryptographic Operations API - Generic Operation Functions */ 52 53 TEE_Result TEE_AllocateOperation(TEE_OperationHandle *operation, 54 uint32_t algorithm, uint32_t mode, 55 uint32_t maxKeySize) 56 { 57 TEE_Result res; 58 TEE_OperationHandle op = TEE_HANDLE_NULL; 59 uint32_t handle_state = 0; 60 size_t block_size = 1; 61 uint32_t req_key_usage; 62 bool with_private_key = false; 63 bool buffer_two_blocks = false; 64 65 if (operation == NULL) 66 TEE_Panic(0); 67 68 if (algorithm == TEE_ALG_AES_XTS) 69 handle_state = TEE_HANDLE_FLAG_EXPECT_TWO_KEYS; 70 71 switch (algorithm) { 72 case TEE_ALG_AES_CTS: 73 case TEE_ALG_AES_XTS: 74 buffer_two_blocks = true; 75 /*FALLTHROUGH*/ case TEE_ALG_AES_ECB_NOPAD: 76 case TEE_ALG_AES_CBC_NOPAD: 77 case TEE_ALG_AES_CTR: 78 case TEE_ALG_AES_CCM: 79 case TEE_ALG_AES_GCM: 80 case TEE_ALG_DES_ECB_NOPAD: 81 case TEE_ALG_DES_CBC_NOPAD: 82 case TEE_ALG_DES3_ECB_NOPAD: 83 case TEE_ALG_DES3_CBC_NOPAD: 84 if (TEE_ALG_GET_MAIN_ALG(algorithm) == TEE_MAIN_ALGO_AES) 85 block_size = TEE_AES_BLOCK_SIZE; 86 else 87 block_size = TEE_DES_BLOCK_SIZE; 88 89 if (mode == TEE_MODE_ENCRYPT) 90 req_key_usage = TEE_USAGE_ENCRYPT; 91 else if (mode == TEE_MODE_DECRYPT) 92 req_key_usage = TEE_USAGE_DECRYPT; 93 else 94 return TEE_ERROR_NOT_SUPPORTED; 95 break; 96 97 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 98 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 99 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 100 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 101 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 102 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 103 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 104 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 105 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 106 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 107 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 108 case TEE_ALG_DSA_SHA1: 109 if (mode == TEE_MODE_SIGN) { 110 with_private_key = true; 111 req_key_usage = TEE_USAGE_SIGN; 112 } else if (mode == TEE_MODE_VERIFY) { 113 req_key_usage = TEE_USAGE_VERIFY; 114 } else { 115 return TEE_ERROR_NOT_SUPPORTED; 116 } 117 break; 118 119 case TEE_ALG_RSAES_PKCS1_V1_5: 120 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 121 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 122 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 123 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 124 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 125 if (mode == TEE_MODE_ENCRYPT) { 126 req_key_usage = TEE_USAGE_ENCRYPT; 127 } else if (mode == TEE_MODE_DECRYPT) { 128 with_private_key = true; 129 req_key_usage = TEE_USAGE_DECRYPT; 130 } else { 131 return TEE_ERROR_NOT_SUPPORTED; 132 } 133 break; 134 135 case TEE_ALG_RSA_NOPAD: 136 if (mode == TEE_MODE_ENCRYPT) { 137 req_key_usage = TEE_USAGE_ENCRYPT | TEE_USAGE_VERIFY; 138 } else if (mode == TEE_MODE_DECRYPT) { 139 with_private_key = true; 140 req_key_usage = TEE_USAGE_DECRYPT | TEE_USAGE_SIGN; 141 } else { 142 return TEE_ERROR_NOT_SUPPORTED; 143 } 144 break; 145 146 case TEE_ALG_DH_DERIVE_SHARED_SECRET: 147 case TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY: 148 case TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY: 149 case TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY: 150 case TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY: 151 case TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY: 152 if (mode != TEE_MODE_DERIVE) 153 return TEE_ERROR_NOT_SUPPORTED; 154 with_private_key = true; 155 req_key_usage = TEE_USAGE_DERIVE; 156 break; 157 158 case TEE_ALG_MD5: 159 case TEE_ALG_SHA1: 160 case TEE_ALG_SHA224: 161 case TEE_ALG_SHA256: 162 case TEE_ALG_SHA384: 163 case TEE_ALG_SHA512: 164 if (mode != TEE_MODE_DIGEST) 165 return TEE_ERROR_NOT_SUPPORTED; 166 handle_state |= TEE_HANDLE_FLAG_KEY_SET; 167 req_key_usage = 0; 168 break; 169 170 case TEE_ALG_DES_CBC_MAC_NOPAD: 171 case TEE_ALG_AES_CBC_MAC_NOPAD: 172 case TEE_ALG_AES_CBC_MAC_PKCS5: 173 case TEE_ALG_AES_CMAC: 174 case TEE_ALG_DES_CBC_MAC_PKCS5: 175 case TEE_ALG_DES3_CBC_MAC_NOPAD: 176 case TEE_ALG_DES3_CBC_MAC_PKCS5: 177 case TEE_ALG_HMAC_MD5: 178 case TEE_ALG_HMAC_SHA1: 179 case TEE_ALG_HMAC_SHA224: 180 case TEE_ALG_HMAC_SHA256: 181 case TEE_ALG_HMAC_SHA384: 182 case TEE_ALG_HMAC_SHA512: 183 if (mode != TEE_MODE_MAC) 184 return TEE_ERROR_NOT_SUPPORTED; 185 req_key_usage = TEE_USAGE_MAC; 186 break; 187 188 default: 189 return TEE_ERROR_NOT_SUPPORTED; 190 } 191 192 op = TEE_Malloc(sizeof(*op), 0); 193 if (op == NULL) 194 return TEE_ERROR_OUT_OF_MEMORY; 195 196 op->info.algorithm = algorithm; 197 op->info.operationClass = TEE_ALG_GET_CLASS(algorithm); 198 op->info.mode = mode; 199 op->info.maxKeySize = maxKeySize; 200 op->info.requiredKeyUsage = req_key_usage; 201 op->info.handleState = handle_state; 202 203 if (block_size > 1) { 204 size_t buffer_size = block_size; 205 206 if (buffer_two_blocks) 207 buffer_size *= 2; 208 209 op->buffer = 210 TEE_Malloc(buffer_size, TEE_USER_MEM_HINT_NO_FILL_ZERO); 211 if (op->buffer == NULL) { 212 res = TEE_ERROR_OUT_OF_MEMORY; 213 goto out; 214 } 215 } 216 op->block_size = block_size; 217 op->buffer_two_blocks = buffer_two_blocks; 218 219 if (TEE_ALG_GET_CLASS(algorithm) != TEE_OPERATION_DIGEST) { 220 uint32_t mks = maxKeySize; 221 TEE_ObjectType key_type = TEE_ALG_GET_KEY_TYPE(algorithm, 222 with_private_key); 223 224 /* 225 * If two keys are expected the max key size is the sum of 226 * the size of both keys. 227 */ 228 if (op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) 229 mks /= 2; 230 231 res = TEE_AllocateTransientObject(key_type, mks, &op->key1); 232 if (res != TEE_SUCCESS) 233 goto out; 234 235 if ((op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 236 0) { 237 res = 238 TEE_AllocateTransientObject(key_type, mks, 239 &op->key2); 240 if (res != TEE_SUCCESS) 241 goto out; 242 } 243 } 244 245 res = utee_cryp_state_alloc(algorithm, mode, (uint32_t) op->key1, 246 (uint32_t) op->key2, &op->state); 247 if (res != TEE_SUCCESS) 248 goto out; 249 250 /* For multi-stage operation do an "init". */ 251 TEE_ResetOperation(op); 252 *operation = op; 253 254 out: 255 if (res != TEE_SUCCESS) { 256 TEE_FreeTransientObject(op->key1); 257 TEE_FreeTransientObject(op->key2); 258 TEE_FreeOperation(op); 259 } 260 261 return res; 262 } 263 264 void TEE_FreeOperation(TEE_OperationHandle operation) 265 { 266 if (operation != TEE_HANDLE_NULL) { 267 /* 268 * Note that keys should not be freed here, since they are 269 * claimed by the operation they will be freed by 270 * utee_cryp_state_free(). 271 */ 272 utee_cryp_state_free(operation->state); 273 TEE_Free(operation->buffer); 274 TEE_Free(operation); 275 } 276 } 277 278 void TEE_GetOperationInfo(TEE_OperationHandle operation, 279 TEE_OperationInfo *operationInfo) 280 { 281 if (operation == TEE_HANDLE_NULL) 282 TEE_Panic(0); 283 284 if (operationInfo == NULL) 285 TEE_Panic(0); 286 287 *operationInfo = operation->info; 288 } 289 290 void TEE_ResetOperation(TEE_OperationHandle operation) 291 { 292 TEE_Result res; 293 294 if (operation == TEE_HANDLE_NULL) 295 TEE_Panic(0); 296 if (operation->info.operationClass == TEE_OPERATION_DIGEST) { 297 res = utee_hash_init(operation->state, NULL, 0); 298 if (res != TEE_SUCCESS) 299 TEE_Panic(res); 300 } 301 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 302 } 303 304 TEE_Result TEE_SetOperationKey(TEE_OperationHandle operation, 305 TEE_ObjectHandle key) 306 { 307 uint32_t key_size = 0; 308 309 if (operation == TEE_HANDLE_NULL) 310 TEE_Panic(0); 311 312 /* No key for digests */ 313 if (operation->info.operationClass == TEE_OPERATION_DIGEST) 314 TEE_Panic(0); 315 316 /* Two keys expected */ 317 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 318 0) 319 TEE_Panic(0); 320 321 if (key != TEE_HANDLE_NULL) { 322 TEE_ObjectInfo key_info; 323 324 TEE_GetObjectInfo(key, &key_info); 325 /* Supplied key has to meet required usage */ 326 if ((key_info.objectUsage & operation->info.requiredKeyUsage) != 327 operation->info.requiredKeyUsage) { 328 TEE_Panic(0); 329 } 330 331 if (operation->info.maxKeySize < key_info.objectSize) 332 TEE_Panic(0); 333 334 key_size = key_info.objectSize; 335 } 336 337 TEE_ResetTransientObject(operation->key1); 338 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 339 340 if (key != TEE_HANDLE_NULL) { 341 TEE_CopyObjectAttributes(operation->key1, key); 342 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 343 } 344 345 operation->info.keySize = key_size; 346 347 return TEE_SUCCESS; 348 } 349 350 TEE_Result TEE_SetOperationKey2(TEE_OperationHandle operation, 351 TEE_ObjectHandle key1, TEE_ObjectHandle key2) 352 { 353 uint32_t key_size = 0; 354 355 if (operation == TEE_HANDLE_NULL) 356 TEE_Panic(0); 357 358 /* Two keys not expected */ 359 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 360 0) 361 TEE_Panic(0); 362 363 /* Either both keys are NULL or both are not NULL */ 364 if ((key1 == TEE_HANDLE_NULL || key2 == TEE_HANDLE_NULL) && 365 key1 != key2) 366 TEE_Panic(0); 367 368 if (key1 != TEE_HANDLE_NULL) { 369 TEE_ObjectInfo key_info1; 370 TEE_ObjectInfo key_info2; 371 372 TEE_GetObjectInfo(key1, &key_info1); 373 /* Supplied key has to meet required usage */ 374 if ((key_info1.objectUsage & operation->info. 375 requiredKeyUsage) != operation->info.requiredKeyUsage) { 376 TEE_Panic(0); 377 } 378 379 TEE_GetObjectInfo(key2, &key_info2); 380 /* Supplied key has to meet required usage */ 381 if ((key_info2.objectUsage & operation->info. 382 requiredKeyUsage) != operation->info.requiredKeyUsage) { 383 TEE_Panic(0); 384 } 385 386 /* 387 * AES-XTS (the only multi key algorithm supported, requires the 388 * keys to be of equal size. 389 */ 390 if (operation->info.algorithm == TEE_ALG_AES_XTS && 391 key_info1.objectSize != key_info2.objectSize) 392 TEE_Panic(0); 393 394 if (operation->info.maxKeySize < key_info1.objectSize) 395 TEE_Panic(0); 396 397 /* 398 * Odd that only the size of one key should be reported while 399 * size of two key are used when allocating the operation. 400 */ 401 key_size = key_info1.objectSize; 402 } 403 404 TEE_ResetTransientObject(operation->key1); 405 TEE_ResetTransientObject(operation->key2); 406 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 407 408 if (key1 != TEE_HANDLE_NULL) { 409 TEE_CopyObjectAttributes(operation->key1, key1); 410 TEE_CopyObjectAttributes(operation->key2, key2); 411 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 412 } 413 414 operation->info.keySize = key_size; 415 416 return TEE_SUCCESS; 417 } 418 419 void TEE_CopyOperation(TEE_OperationHandle dst_op, TEE_OperationHandle src_op) 420 { 421 TEE_Result res; 422 423 if (dst_op == TEE_HANDLE_NULL || src_op == TEE_HANDLE_NULL) 424 TEE_Panic(0); 425 if (dst_op->info.algorithm != src_op->info.algorithm) 426 TEE_Panic(0); 427 if (src_op->info.operationClass != TEE_OPERATION_DIGEST) { 428 TEE_ObjectHandle key1 = TEE_HANDLE_NULL; 429 TEE_ObjectHandle key2 = TEE_HANDLE_NULL; 430 431 if (src_op->info.handleState & TEE_HANDLE_FLAG_KEY_SET) { 432 key1 = src_op->key1; 433 key2 = src_op->key2; 434 } 435 436 if ((src_op->info.handleState & 437 TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 0) { 438 TEE_SetOperationKey(dst_op, key1); 439 } else { 440 TEE_SetOperationKey2(dst_op, key1, key2); 441 } 442 } 443 dst_op->info.handleState = src_op->info.handleState; 444 dst_op->info.keySize = src_op->info.keySize; 445 446 if (dst_op->buffer_two_blocks != src_op->buffer_two_blocks || 447 dst_op->block_size != src_op->block_size) 448 TEE_Panic(0); 449 450 if (dst_op->buffer != NULL) { 451 if (src_op->buffer == NULL) 452 TEE_Panic(0); 453 454 memcpy(dst_op->buffer, src_op->buffer, src_op->buffer_offs); 455 dst_op->buffer_offs = src_op->buffer_offs; 456 } else if (src_op->buffer != NULL) { 457 TEE_Panic(0); 458 } 459 460 res = utee_cryp_state_copy(dst_op->state, src_op->state); 461 if (res != TEE_SUCCESS) 462 TEE_Panic(res); 463 } 464 465 /* Cryptographic Operations API - Message Digest Functions */ 466 467 void TEE_DigestUpdate(TEE_OperationHandle operation, 468 void *chunk, size_t chunkSize) 469 { 470 TEE_Result res = TEE_ERROR_GENERIC; 471 472 if (operation == TEE_HANDLE_NULL || 473 operation->info.operationClass != TEE_OPERATION_DIGEST) 474 TEE_Panic(0); 475 476 res = utee_hash_update(operation->state, chunk, chunkSize); 477 if (res != TEE_SUCCESS) 478 TEE_Panic(res); 479 } 480 481 TEE_Result TEE_DigestDoFinal(TEE_OperationHandle operation, const void *chunk, 482 size_t chunkLen, void *hash, size_t *hashLen) 483 { 484 if ((operation == TEE_HANDLE_NULL) || (!chunk && chunkLen) || 485 !hash || !hashLen || 486 (operation->info.operationClass != TEE_OPERATION_DIGEST)) 487 TEE_Panic(0); 488 489 return utee_hash_final(operation->state, chunk, chunkLen, hash, 490 hashLen); 491 } 492 493 /* Cryptographic Operations API - Symmetric Cipher Functions */ 494 495 void TEE_CipherInit(TEE_OperationHandle operation, const void *IV, size_t IVLen) 496 { 497 TEE_Result res; 498 499 if (operation == TEE_HANDLE_NULL) 500 TEE_Panic(0); 501 if (operation->info.operationClass != TEE_OPERATION_CIPHER) 502 TEE_Panic(0); 503 res = utee_cipher_init(operation->state, IV, IVLen); 504 if (res != TEE_SUCCESS) 505 TEE_Panic(res); 506 operation->buffer_offs = 0; 507 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 508 } 509 510 static TEE_Result tee_buffer_update( 511 TEE_OperationHandle op, 512 TEE_Result(*update_func) (uint32_t state, const void *src, 513 size_t slen, void *dst, size_t *dlen), 514 const void *src_data, size_t src_len, 515 void *dest_data, size_t *dest_len) 516 { 517 TEE_Result res; 518 const uint8_t *src = src_data; 519 size_t slen = src_len; 520 uint8_t *dst = dest_data; 521 size_t dlen = *dest_len; 522 size_t acc_dlen = 0; 523 size_t tmp_dlen; 524 size_t l; 525 size_t buffer_size; 526 527 if (op->buffer_two_blocks) 528 buffer_size = op->block_size * 2; 529 else 530 buffer_size = op->block_size; 531 532 if (op->buffer_offs > 0) { 533 /* Fill up complete block */ 534 if (op->buffer_offs < op->block_size) 535 l = MIN(slen, op->block_size - op->buffer_offs); 536 else 537 l = MIN(slen, buffer_size - op->buffer_offs); 538 memcpy(op->buffer + op->buffer_offs, src, l); 539 op->buffer_offs += l; 540 src += l; 541 slen -= l; 542 if ((op->buffer_offs % op->block_size) != 0) 543 goto out; /* Nothing left to do */ 544 } 545 546 /* If we can feed from buffer */ 547 if (op->buffer_offs > 0 && (op->buffer_offs + slen) > buffer_size) { 548 l = ROUNDUP(op->buffer_offs + slen - buffer_size, 549 op->block_size); 550 l = MIN(op->buffer_offs, l); 551 tmp_dlen = dlen; 552 res = update_func(op->state, op->buffer, l, dst, &tmp_dlen); 553 if (res != TEE_SUCCESS) 554 TEE_Panic(res); 555 dst += tmp_dlen; 556 dlen -= tmp_dlen; 557 acc_dlen += tmp_dlen; 558 op->buffer_offs -= l; 559 if (op->buffer_offs > 0) { 560 /* 561 * Slen is small enough to be contained in rest buffer. 562 */ 563 memcpy(op->buffer, op->buffer + l, buffer_size - l); 564 memcpy(op->buffer + op->buffer_offs, src, slen); 565 op->buffer_offs += slen; 566 goto out; /* Nothing left to do */ 567 } 568 } 569 570 if (slen > buffer_size) { 571 /* Buffer is empty, feed as much as possible from src */ 572 if (TEE_ALIGNMENT_IS_OK(src, uint32_t)) { 573 l = ROUNDUP(slen - buffer_size + 1, op->block_size); 574 575 tmp_dlen = dlen; 576 res = update_func(op->state, src, l, dst, &tmp_dlen); 577 if (res != TEE_SUCCESS) 578 TEE_Panic(res); 579 src += l; 580 slen -= l; 581 dst += tmp_dlen; 582 dlen -= tmp_dlen; 583 acc_dlen += tmp_dlen; 584 } else { 585 /* 586 * Supplied data isn't well aligned, we're forced to 587 * feed through the buffer. 588 */ 589 while (slen >= op->block_size) { 590 memcpy(op->buffer, src, op->block_size); 591 592 tmp_dlen = dlen; 593 res = 594 update_func(op->state, op->buffer, 595 op->block_size, dst, &tmp_dlen); 596 if (res != TEE_SUCCESS) 597 TEE_Panic(res); 598 src += op->block_size; 599 slen -= op->block_size; 600 dst += tmp_dlen; 601 dlen -= tmp_dlen; 602 acc_dlen += tmp_dlen; 603 } 604 } 605 } 606 607 /* Slen is small enough to be contained in buffer. */ 608 memcpy(op->buffer + op->buffer_offs, src, slen); 609 op->buffer_offs += slen; 610 611 out: 612 *dest_len = acc_dlen; 613 return TEE_SUCCESS; 614 } 615 616 TEE_Result TEE_CipherUpdate(TEE_OperationHandle op, const void *srcData, 617 size_t srcLen, void *destData, size_t *destLen) 618 { 619 size_t req_dlen; 620 621 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 622 destLen == NULL || (destData == NULL && *destLen != 0)) 623 TEE_Panic(0); 624 if (op->info.operationClass != TEE_OPERATION_CIPHER) 625 TEE_Panic(0); 626 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 627 TEE_Panic(0); 628 629 /* Calculate required dlen */ 630 req_dlen = ((op->buffer_offs + srcLen) / op->block_size) * 631 op->block_size; 632 if (op->buffer_two_blocks) { 633 if (req_dlen > op->block_size * 2) 634 req_dlen -= op->block_size * 2; 635 else 636 req_dlen = 0; 637 } 638 /* 639 * Check that required destLen is big enough before starting to feed 640 * data to the algorithm. Errors during feeding of data are fatal as we 641 * can't restore sync with this API. 642 */ 643 if (*destLen < req_dlen) { 644 *destLen = req_dlen; 645 return TEE_ERROR_SHORT_BUFFER; 646 } 647 648 tee_buffer_update(op, utee_cipher_update, srcData, srcLen, destData, 649 destLen); 650 651 return TEE_SUCCESS; 652 } 653 654 TEE_Result TEE_CipherDoFinal(TEE_OperationHandle op, 655 const void *srcData, size_t srcLen, void *destData, 656 size_t *destLen) 657 { 658 TEE_Result res; 659 uint8_t *dst = destData; 660 size_t acc_dlen = 0; 661 size_t tmp_dlen; 662 size_t req_dlen; 663 664 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 665 destLen == NULL || (destData == NULL && *destLen != 0)) 666 TEE_Panic(0); 667 if (op->info.operationClass != TEE_OPERATION_CIPHER) 668 TEE_Panic(0); 669 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 670 TEE_Panic(0); 671 672 /* 673 * Check that the final block doesn't require padding for those 674 * algorithms that requires client to supply padding. 675 */ 676 if (op->info.algorithm == TEE_ALG_AES_ECB_NOPAD || 677 op->info.algorithm == TEE_ALG_AES_CBC_NOPAD || 678 op->info.algorithm == TEE_ALG_DES_ECB_NOPAD || 679 op->info.algorithm == TEE_ALG_DES_CBC_NOPAD || 680 op->info.algorithm == TEE_ALG_DES3_ECB_NOPAD || 681 op->info.algorithm == TEE_ALG_DES3_CBC_NOPAD) { 682 if (((op->buffer_offs + srcLen) % op->block_size) != 0) 683 return TEE_ERROR_BAD_PARAMETERS; 684 } 685 686 /* 687 * Check that required destLen is big enough before starting to feed 688 * data to the algorithm. Errors during feeding of data are fatal as we 689 * can't restore sync with this API. 690 */ 691 req_dlen = op->buffer_offs + srcLen; 692 if (*destLen < req_dlen) { 693 *destLen = req_dlen; 694 return TEE_ERROR_SHORT_BUFFER; 695 } 696 697 tmp_dlen = *destLen - acc_dlen; 698 tee_buffer_update(op, utee_cipher_update, srcData, srcLen, dst, 699 &tmp_dlen); 700 dst += tmp_dlen; 701 acc_dlen += tmp_dlen; 702 703 tmp_dlen = *destLen - acc_dlen; 704 res = utee_cipher_final(op->state, op->buffer, op->buffer_offs, 705 dst, &tmp_dlen); 706 if (res != TEE_SUCCESS) 707 TEE_Panic(res); 708 acc_dlen += tmp_dlen; 709 710 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 711 *destLen = acc_dlen; 712 return TEE_SUCCESS; 713 } 714 715 /* Cryptographic Operations API - MAC Functions */ 716 717 void TEE_MACInit(TEE_OperationHandle operation, const void *IV, size_t IVLen) 718 { 719 TEE_Result res; 720 721 if (operation == TEE_HANDLE_NULL) 722 TEE_Panic(0); 723 if (IV == NULL && IVLen != 0) 724 TEE_Panic(0); 725 if (operation->info.operationClass != TEE_OPERATION_MAC) 726 TEE_Panic(0); 727 res = utee_hash_init(operation->state, IV, IVLen); 728 if (res != TEE_SUCCESS) 729 TEE_Panic(res); 730 operation->buffer_offs = 0; 731 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 732 } 733 734 void TEE_MACUpdate(TEE_OperationHandle op, const void *chunk, size_t chunkSize) 735 { 736 TEE_Result res; 737 738 if (op == TEE_HANDLE_NULL || (chunk == NULL && chunkSize != 0)) 739 TEE_Panic(0); 740 if (op->info.operationClass != TEE_OPERATION_MAC) 741 TEE_Panic(0); 742 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 743 TEE_Panic(0); 744 745 res = utee_hash_update(op->state, chunk, chunkSize); 746 if (res != TEE_SUCCESS) 747 TEE_Panic(res); 748 } 749 750 TEE_Result TEE_MACComputeFinal(TEE_OperationHandle op, 751 const void *message, size_t messageLen, 752 void *mac, size_t *macLen) 753 { 754 TEE_Result res; 755 756 if (op == TEE_HANDLE_NULL || (message == NULL && messageLen != 0) || 757 mac == NULL || macLen == NULL) 758 TEE_Panic(0); 759 if (op->info.operationClass != TEE_OPERATION_MAC) 760 TEE_Panic(0); 761 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 762 TEE_Panic(0); 763 764 res = utee_hash_final(op->state, message, messageLen, mac, macLen); 765 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 766 return res; 767 } 768 769 TEE_Result TEE_MACCompareFinal(TEE_OperationHandle operation, 770 const void *message, size_t messageLen, 771 const void *mac, size_t macLen) 772 { 773 TEE_Result res; 774 uint8_t computed_mac[TEE_MAX_HASH_SIZE]; 775 size_t computed_mac_size = TEE_MAX_HASH_SIZE; 776 777 res = TEE_MACComputeFinal(operation, message, messageLen, computed_mac, 778 &computed_mac_size); 779 if (res != TEE_SUCCESS) 780 return res; 781 if (computed_mac_size != macLen) 782 return TEE_ERROR_MAC_INVALID; 783 if (buf_compare_ct(mac, computed_mac, computed_mac_size) != 0) 784 return TEE_ERROR_MAC_INVALID; 785 return TEE_SUCCESS; 786 } 787 788 /* Cryptographic Operations API - Authenticated Encryption Functions */ 789 790 TEE_Result TEE_AEInit(TEE_OperationHandle op, const void *nonce, 791 size_t nonceLen, uint32_t tagLen, uint32_t AADLen, 792 uint32_t payloadLen) 793 { 794 TEE_Result res; 795 796 if (op == TEE_HANDLE_NULL || nonce == NULL) 797 TEE_Panic(0); 798 if (op->info.operationClass != TEE_OPERATION_AE) 799 TEE_Panic(0); 800 801 /* 802 * AES-CCM tag len is specified by AES-CCM spec and handled in TEE Core 803 * in the implementation. But AES-GCM spec doesn't specify the tag len 804 * according to the same principle so we have to check here instead to 805 * be GP compliant. 806 */ 807 if (op->info.algorithm == TEE_ALG_AES_GCM) { 808 /* 809 * From GP spec: For AES-GCM, can be 128, 120, 112, 104, or 96 810 */ 811 if (tagLen < 96 || tagLen > 128 || (tagLen % 8 != 0)) 812 return TEE_ERROR_NOT_SUPPORTED; 813 } 814 815 res = utee_authenc_init(op->state, nonce, nonceLen, tagLen / 8, AADLen, 816 payloadLen); 817 if (res != TEE_SUCCESS) { 818 if (res != TEE_ERROR_NOT_SUPPORTED) 819 TEE_Panic(res); 820 return res; 821 } 822 op->ae_tag_len = tagLen / 8; 823 824 op->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 825 return TEE_SUCCESS; 826 } 827 828 void TEE_AEUpdateAAD(TEE_OperationHandle op, const void *AADdata, 829 size_t AADdataLen) 830 { 831 TEE_Result res; 832 833 if (op == TEE_HANDLE_NULL || (AADdata == NULL && AADdataLen != 0)) 834 TEE_Panic(0); 835 if (op->info.operationClass != TEE_OPERATION_AE) 836 TEE_Panic(0); 837 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 838 TEE_Panic(0); 839 840 res = utee_authenc_update_aad(op->state, AADdata, AADdataLen); 841 if (res != TEE_SUCCESS) 842 TEE_Panic(res); 843 } 844 845 TEE_Result TEE_AEUpdate(TEE_OperationHandle op, const void *srcData, 846 size_t srcLen, void *destData, size_t *destLen) 847 { 848 size_t req_dlen; 849 850 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 851 destLen == NULL || (destData == NULL && *destLen != 0)) 852 TEE_Panic(0); 853 if (op->info.operationClass != TEE_OPERATION_AE) 854 TEE_Panic(0); 855 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 856 TEE_Panic(0); 857 858 /* 859 * Check that required destLen is big enough before starting to feed 860 * data to the algorithm. Errors during feeding of data are fatal as we 861 * can't restore sync with this API. 862 */ 863 req_dlen = ROUNDDOWN(op->buffer_offs + srcLen, op->block_size); 864 if (*destLen < req_dlen) { 865 *destLen = req_dlen; 866 return TEE_ERROR_SHORT_BUFFER; 867 } 868 869 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 870 destData, destLen); 871 872 return TEE_SUCCESS; 873 } 874 875 TEE_Result TEE_AEEncryptFinal(TEE_OperationHandle op, 876 const void *srcData, size_t srcLen, 877 void *destData, size_t *destLen, void *tag, 878 size_t *tagLen) 879 { 880 TEE_Result res; 881 uint8_t *dst = destData; 882 size_t acc_dlen = 0; 883 size_t tmp_dlen; 884 size_t req_dlen; 885 886 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 887 destLen == NULL || (destData == NULL && *destLen != 0) || 888 tag == NULL || tagLen == NULL) 889 TEE_Panic(0); 890 if (op->info.operationClass != TEE_OPERATION_AE) 891 TEE_Panic(0); 892 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 893 TEE_Panic(0); 894 895 /* 896 * Check that required destLen is big enough before starting to feed 897 * data to the algorithm. Errors during feeding of data are fatal as we 898 * can't restore sync with this API. 899 */ 900 req_dlen = op->buffer_offs + srcLen; 901 if (*destLen < req_dlen) { 902 *destLen = req_dlen; 903 return TEE_ERROR_SHORT_BUFFER; 904 } 905 906 /* 907 * Need to check this before update_payload since sync would be lost if 908 * we return short buffer after that. 909 */ 910 if (*tagLen < op->ae_tag_len) { 911 *tagLen = op->ae_tag_len; 912 return TEE_ERROR_SHORT_BUFFER; 913 } 914 915 tmp_dlen = *destLen - acc_dlen; 916 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 917 dst, &tmp_dlen); 918 dst += tmp_dlen; 919 acc_dlen += tmp_dlen; 920 921 tmp_dlen = *destLen - acc_dlen; 922 res = 923 utee_authenc_enc_final(op->state, op->buffer, op->buffer_offs, dst, 924 &tmp_dlen, tag, tagLen); 925 if (res != TEE_SUCCESS) 926 TEE_Panic(res); 927 acc_dlen += tmp_dlen; 928 929 *destLen = acc_dlen; 930 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 931 932 return res; 933 } 934 935 TEE_Result TEE_AEDecryptFinal(TEE_OperationHandle op, 936 const void *srcData, size_t srcLen, 937 void *destData, size_t *destLen, const void *tag, 938 size_t tagLen) 939 { 940 TEE_Result res; 941 uint8_t *dst = destData; 942 size_t acc_dlen = 0; 943 size_t tmp_dlen; 944 size_t req_dlen; 945 946 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 947 destLen == NULL || (destData == NULL && *destLen != 0) || 948 (tag == NULL && tagLen != 0)) 949 TEE_Panic(0); 950 if (op->info.operationClass != TEE_OPERATION_AE) 951 TEE_Panic(0); 952 if ((op->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 953 TEE_Panic(0); 954 955 /* 956 * Check that required destLen is big enough before starting to feed 957 * data to the algorithm. Errors during feeding of data are fatal as we 958 * can't restore sync with this API. 959 */ 960 req_dlen = op->buffer_offs + srcLen; 961 if (*destLen < req_dlen) { 962 *destLen = req_dlen; 963 return TEE_ERROR_SHORT_BUFFER; 964 } 965 966 tmp_dlen = *destLen - acc_dlen; 967 tee_buffer_update(op, utee_authenc_update_payload, srcData, srcLen, 968 dst, &tmp_dlen); 969 dst += tmp_dlen; 970 acc_dlen += tmp_dlen; 971 972 tmp_dlen = *destLen - acc_dlen; 973 res = 974 utee_authenc_dec_final(op->state, op->buffer, op->buffer_offs, dst, 975 &tmp_dlen, tag, tagLen); 976 if (res != TEE_SUCCESS && res != TEE_ERROR_MAC_INVALID) 977 TEE_Panic(res); 978 /* Supplied tagLen should match what we initiated with */ 979 if (tagLen != op->ae_tag_len) 980 res = TEE_ERROR_MAC_INVALID; 981 982 acc_dlen += tmp_dlen; 983 984 *destLen = acc_dlen; 985 op->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 986 987 return res; 988 } 989 990 /* Cryptographic Operations API - Asymmetric Functions */ 991 992 TEE_Result TEE_AsymmetricEncrypt(TEE_OperationHandle op, 993 const TEE_Attribute *params, 994 uint32_t paramCount, const void *srcData, 995 size_t srcLen, void *destData, 996 size_t *destLen) 997 { 998 TEE_Result res; 999 1000 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1001 destLen == NULL || (destData == NULL && *destLen != 0)) 1002 TEE_Panic(0); 1003 if (paramCount != 0 && params == NULL) 1004 TEE_Panic(0); 1005 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1006 TEE_Panic(0); 1007 if (op->info.mode != TEE_MODE_ENCRYPT) 1008 TEE_Panic(0); 1009 1010 res = utee_asymm_operate(op->state, params, paramCount, srcData, srcLen, 1011 destData, destLen); 1012 if (res != TEE_SUCCESS && 1013 res != TEE_ERROR_SHORT_BUFFER && 1014 res != TEE_ERROR_BAD_PARAMETERS) 1015 TEE_Panic(res); 1016 return res; 1017 } 1018 1019 TEE_Result TEE_AsymmetricDecrypt(TEE_OperationHandle op, 1020 const TEE_Attribute *params, 1021 uint32_t paramCount, const void *srcData, 1022 size_t srcLen, void *destData, 1023 size_t *destLen) 1024 { 1025 TEE_Result res; 1026 1027 if (op == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1028 destLen == NULL || (destData == NULL && *destLen != 0)) 1029 TEE_Panic(0); 1030 if (paramCount != 0 && params == NULL) 1031 TEE_Panic(0); 1032 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1033 TEE_Panic(0); 1034 if (op->info.mode != TEE_MODE_DECRYPT) 1035 TEE_Panic(0); 1036 1037 res = utee_asymm_operate(op->state, params, paramCount, srcData, srcLen, 1038 destData, destLen); 1039 if (res != TEE_SUCCESS && 1040 res != TEE_ERROR_SHORT_BUFFER && 1041 res != TEE_ERROR_BAD_PARAMETERS) 1042 TEE_Panic(res); 1043 return res; 1044 } 1045 1046 TEE_Result TEE_AsymmetricSignDigest(TEE_OperationHandle op, 1047 const TEE_Attribute *params, 1048 uint32_t paramCount, const void *digest, 1049 size_t digestLen, void *signature, 1050 size_t *signatureLen) 1051 { 1052 TEE_Result res; 1053 1054 if (op == TEE_HANDLE_NULL || (digest == NULL && digestLen != 0) || 1055 signature == NULL || signatureLen == NULL) 1056 TEE_Panic(0); 1057 if (paramCount != 0 && params == NULL) 1058 TEE_Panic(0); 1059 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1060 TEE_Panic(0); 1061 if (op->info.mode != TEE_MODE_SIGN) 1062 TEE_Panic(0); 1063 1064 res = 1065 utee_asymm_operate(op->state, params, paramCount, digest, digestLen, 1066 signature, signatureLen); 1067 if (res != TEE_SUCCESS && res != TEE_ERROR_SHORT_BUFFER) 1068 TEE_Panic(res); 1069 return res; 1070 } 1071 1072 TEE_Result TEE_AsymmetricVerifyDigest(TEE_OperationHandle op, 1073 const TEE_Attribute *params, 1074 uint32_t paramCount, const void *digest, 1075 size_t digestLen, const void *signature, 1076 size_t signatureLen) 1077 { 1078 TEE_Result res; 1079 1080 if (op == TEE_HANDLE_NULL || (digest == NULL && digestLen != 0) || 1081 (signature == NULL && signatureLen != 0)) 1082 TEE_Panic(0); 1083 if (paramCount != 0 && params == NULL) 1084 TEE_Panic(0); 1085 if (op->info.operationClass != TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1086 TEE_Panic(0); 1087 if (op->info.mode != TEE_MODE_VERIFY) 1088 TEE_Panic(0); 1089 1090 res = 1091 utee_asymm_verify(op->state, params, paramCount, digest, digestLen, 1092 signature, signatureLen); 1093 if (res != TEE_SUCCESS && res != TEE_ERROR_SIGNATURE_INVALID) 1094 TEE_Panic(res); 1095 return res; 1096 } 1097 1098 /* Cryptographic Operations API - Key Derivation Functions */ 1099 1100 void TEE_DeriveKey(TEE_OperationHandle operation, 1101 const TEE_Attribute *params, uint32_t paramCount, 1102 TEE_ObjectHandle derivedKey) 1103 { 1104 TEE_Result res; 1105 TEE_ObjectInfo key_info; 1106 1107 if (operation == TEE_HANDLE_NULL || derivedKey == 0) 1108 TEE_Panic(0); 1109 if (paramCount != 0 && params == NULL) 1110 TEE_Panic(0); 1111 if (TEE_ALG_GET_CLASS(operation->info.algorithm) != 1112 TEE_OPERATION_KEY_DERIVATION) 1113 TEE_Panic(0); 1114 1115 if (operation->info.operationClass != TEE_OPERATION_KEY_DERIVATION) 1116 TEE_Panic(0); 1117 if (operation->info.mode != TEE_MODE_DERIVE) 1118 TEE_Panic(0); 1119 if ((operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET) == 0) 1120 TEE_Panic(0); 1121 1122 res = utee_cryp_obj_get_info((uint32_t) derivedKey, &key_info); 1123 if (res != TEE_SUCCESS) 1124 TEE_Panic(0); 1125 1126 if (key_info.objectType != TEE_TYPE_GENERIC_SECRET) 1127 TEE_Panic(0); 1128 if ((key_info.handleFlags & TEE_HANDLE_FLAG_INITIALIZED) != 0) 1129 TEE_Panic(0); 1130 1131 res = utee_cryp_derive_key(operation->state, params, paramCount, 1132 (uint32_t) derivedKey); 1133 if (res != TEE_SUCCESS) 1134 TEE_Panic(res); 1135 } 1136 1137 /* Cryptographic Operations API - Random Number Generation Functions */ 1138 1139 void TEE_GenerateRandom(void *randomBuffer, size_t randomBufferLen) 1140 { 1141 TEE_Result res; 1142 1143 res = utee_cryp_random_number_generate(randomBuffer, randomBufferLen); 1144 if (res != TEE_SUCCESS) 1145 TEE_Panic(res); 1146 } 1147