1 /* 2 * Copyright (c) 2014, STMicroelectronics International N.V. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 #include <stdlib.h> 28 #include <string.h> 29 #include <string_ext.h> 30 31 #include <tee_api.h> 32 #include <tee_api_defines_extensions.h> 33 #include <tee_internal_api_extensions.h> 34 #include <utee_syscalls.h> 35 #include <utee_defines.h> 36 #include <util.h> 37 38 struct __TEE_OperationHandle { 39 TEE_OperationInfo info; 40 TEE_ObjectHandle key1; 41 TEE_ObjectHandle key2; 42 uint32_t operationState;/* Operation state : INITIAL or ACTIVE */ 43 uint8_t *buffer; /* buffer to collect complete blocks */ 44 bool buffer_two_blocks; /* True if two blocks need to be buffered */ 45 size_t block_size; /* Block size of cipher */ 46 size_t buffer_offs; /* Offset in buffer */ 47 uint32_t state; /* Handle to state in TEE Core */ 48 uint32_t ae_tag_len; /* 49 * tag_len in bytes for AE operation else unused 50 */ 51 }; 52 53 /* Cryptographic Operations API - Generic Operation Functions */ 54 55 TEE_Result TEE_AllocateOperation(TEE_OperationHandle *operation, 56 uint32_t algorithm, uint32_t mode, 57 uint32_t maxKeySize) 58 { 59 TEE_Result res; 60 TEE_OperationHandle op = TEE_HANDLE_NULL; 61 uint32_t handle_state = 0; 62 size_t block_size = 1; 63 uint32_t req_key_usage; 64 bool with_private_key = false; 65 bool buffer_two_blocks = false; 66 67 if (!operation) 68 TEE_Panic(0); 69 70 if (algorithm == TEE_ALG_AES_XTS) 71 handle_state = TEE_HANDLE_FLAG_EXPECT_TWO_KEYS; 72 73 /* Check algorithm max key size */ 74 switch (algorithm) { 75 case TEE_ALG_DSA_SHA1: 76 if (maxKeySize < 512) 77 return TEE_ERROR_NOT_SUPPORTED; 78 if (maxKeySize > 1024) 79 return TEE_ERROR_NOT_SUPPORTED; 80 if (maxKeySize % 64 != 0) 81 return TEE_ERROR_NOT_SUPPORTED; 82 break; 83 84 case TEE_ALG_DSA_SHA224: 85 if (maxKeySize != 2048) 86 return TEE_ERROR_NOT_SUPPORTED; 87 break; 88 89 case TEE_ALG_DSA_SHA256: 90 if (maxKeySize != 2048 && maxKeySize != 3072) 91 return TEE_ERROR_NOT_SUPPORTED; 92 break; 93 94 case TEE_ALG_ECDSA_P192: 95 case TEE_ALG_ECDH_P192: 96 if (maxKeySize != 192) 97 return TEE_ERROR_NOT_SUPPORTED; 98 break; 99 100 case TEE_ALG_ECDSA_P224: 101 case TEE_ALG_ECDH_P224: 102 if (maxKeySize != 224) 103 return TEE_ERROR_NOT_SUPPORTED; 104 break; 105 106 case TEE_ALG_ECDSA_P256: 107 case TEE_ALG_ECDH_P256: 108 if (maxKeySize != 256) 109 return TEE_ERROR_NOT_SUPPORTED; 110 break; 111 112 case TEE_ALG_ECDSA_P384: 113 case TEE_ALG_ECDH_P384: 114 if (maxKeySize != 384) 115 return TEE_ERROR_NOT_SUPPORTED; 116 break; 117 118 case TEE_ALG_ECDSA_P521: 119 case TEE_ALG_ECDH_P521: 120 if (maxKeySize != 521) 121 return TEE_ERROR_NOT_SUPPORTED; 122 break; 123 124 default: 125 break; 126 } 127 128 /* Check algorithm mode */ 129 switch (algorithm) { 130 case TEE_ALG_AES_CTS: 131 case TEE_ALG_AES_XTS: 132 buffer_two_blocks = true; 133 /*FALLTHROUGH*/ case TEE_ALG_AES_ECB_NOPAD: 134 case TEE_ALG_AES_CBC_NOPAD: 135 case TEE_ALG_AES_CTR: 136 case TEE_ALG_AES_CCM: 137 case TEE_ALG_AES_GCM: 138 case TEE_ALG_DES_ECB_NOPAD: 139 case TEE_ALG_DES_CBC_NOPAD: 140 case TEE_ALG_DES3_ECB_NOPAD: 141 case TEE_ALG_DES3_CBC_NOPAD: 142 if (TEE_ALG_GET_MAIN_ALG(algorithm) == TEE_MAIN_ALGO_AES) 143 block_size = TEE_AES_BLOCK_SIZE; 144 else 145 block_size = TEE_DES_BLOCK_SIZE; 146 147 if (mode == TEE_MODE_ENCRYPT) 148 req_key_usage = TEE_USAGE_ENCRYPT; 149 else if (mode == TEE_MODE_DECRYPT) 150 req_key_usage = TEE_USAGE_DECRYPT; 151 else 152 return TEE_ERROR_NOT_SUPPORTED; 153 break; 154 155 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 156 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 157 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 158 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 159 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 160 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 161 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 162 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 163 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 164 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 165 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 166 case TEE_ALG_DSA_SHA1: 167 case TEE_ALG_DSA_SHA224: 168 case TEE_ALG_DSA_SHA256: 169 case TEE_ALG_ECDSA_P192: 170 case TEE_ALG_ECDSA_P224: 171 case TEE_ALG_ECDSA_P256: 172 case TEE_ALG_ECDSA_P384: 173 case TEE_ALG_ECDSA_P521: 174 if (mode == TEE_MODE_SIGN) { 175 with_private_key = true; 176 req_key_usage = TEE_USAGE_SIGN; 177 } else if (mode == TEE_MODE_VERIFY) { 178 req_key_usage = TEE_USAGE_VERIFY; 179 } else { 180 return TEE_ERROR_NOT_SUPPORTED; 181 } 182 break; 183 184 case TEE_ALG_RSAES_PKCS1_V1_5: 185 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 186 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 187 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 188 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 189 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 190 if (mode == TEE_MODE_ENCRYPT) { 191 req_key_usage = TEE_USAGE_ENCRYPT; 192 } else if (mode == TEE_MODE_DECRYPT) { 193 with_private_key = true; 194 req_key_usage = TEE_USAGE_DECRYPT; 195 } else { 196 return TEE_ERROR_NOT_SUPPORTED; 197 } 198 break; 199 200 case TEE_ALG_RSA_NOPAD: 201 if (mode == TEE_MODE_ENCRYPT) { 202 req_key_usage = TEE_USAGE_ENCRYPT | TEE_USAGE_VERIFY; 203 } else if (mode == TEE_MODE_DECRYPT) { 204 with_private_key = true; 205 req_key_usage = TEE_USAGE_DECRYPT | TEE_USAGE_SIGN; 206 } else { 207 return TEE_ERROR_NOT_SUPPORTED; 208 } 209 break; 210 211 case TEE_ALG_DH_DERIVE_SHARED_SECRET: 212 case TEE_ALG_ECDH_P192: 213 case TEE_ALG_ECDH_P224: 214 case TEE_ALG_ECDH_P256: 215 case TEE_ALG_ECDH_P384: 216 case TEE_ALG_ECDH_P521: 217 case TEE_ALG_HKDF_MD5_DERIVE_KEY: 218 case TEE_ALG_HKDF_SHA1_DERIVE_KEY: 219 case TEE_ALG_HKDF_SHA224_DERIVE_KEY: 220 case TEE_ALG_HKDF_SHA256_DERIVE_KEY: 221 case TEE_ALG_HKDF_SHA384_DERIVE_KEY: 222 case TEE_ALG_HKDF_SHA512_DERIVE_KEY: 223 case TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY: 224 case TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY: 225 case TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY: 226 case TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY: 227 case TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY: 228 case TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY: 229 if (mode != TEE_MODE_DERIVE) 230 return TEE_ERROR_NOT_SUPPORTED; 231 with_private_key = true; 232 req_key_usage = TEE_USAGE_DERIVE; 233 break; 234 235 case TEE_ALG_MD5: 236 case TEE_ALG_SHA1: 237 case TEE_ALG_SHA224: 238 case TEE_ALG_SHA256: 239 case TEE_ALG_SHA384: 240 case TEE_ALG_SHA512: 241 if (mode != TEE_MODE_DIGEST) 242 return TEE_ERROR_NOT_SUPPORTED; 243 /* v1.1: flags always set for digest operations */ 244 handle_state |= TEE_HANDLE_FLAG_KEY_SET; 245 req_key_usage = 0; 246 break; 247 248 case TEE_ALG_DES_CBC_MAC_NOPAD: 249 case TEE_ALG_AES_CBC_MAC_NOPAD: 250 case TEE_ALG_AES_CBC_MAC_PKCS5: 251 case TEE_ALG_AES_CMAC: 252 case TEE_ALG_DES_CBC_MAC_PKCS5: 253 case TEE_ALG_DES3_CBC_MAC_NOPAD: 254 case TEE_ALG_DES3_CBC_MAC_PKCS5: 255 case TEE_ALG_HMAC_MD5: 256 case TEE_ALG_HMAC_SHA1: 257 case TEE_ALG_HMAC_SHA224: 258 case TEE_ALG_HMAC_SHA256: 259 case TEE_ALG_HMAC_SHA384: 260 case TEE_ALG_HMAC_SHA512: 261 if (mode != TEE_MODE_MAC) 262 return TEE_ERROR_NOT_SUPPORTED; 263 req_key_usage = TEE_USAGE_MAC; 264 break; 265 266 default: 267 return TEE_ERROR_NOT_SUPPORTED; 268 } 269 270 op = TEE_Malloc(sizeof(*op), 0); 271 if (!op) 272 return TEE_ERROR_OUT_OF_MEMORY; 273 274 op->info.algorithm = algorithm; 275 op->info.operationClass = TEE_ALG_GET_CLASS(algorithm); 276 op->info.mode = mode; 277 op->info.maxKeySize = maxKeySize; 278 op->info.requiredKeyUsage = req_key_usage; 279 op->info.handleState = handle_state; 280 281 if (block_size > 1) { 282 size_t buffer_size = block_size; 283 284 if (buffer_two_blocks) 285 buffer_size *= 2; 286 287 op->buffer = TEE_Malloc(buffer_size, 288 TEE_USER_MEM_HINT_NO_FILL_ZERO); 289 if (op->buffer == NULL) { 290 res = TEE_ERROR_OUT_OF_MEMORY; 291 goto err0; 292 } 293 } 294 op->block_size = block_size; 295 op->buffer_two_blocks = buffer_two_blocks; 296 297 if (TEE_ALG_GET_CLASS(algorithm) != TEE_OPERATION_DIGEST) { 298 uint32_t mks = maxKeySize; 299 TEE_ObjectType key_type = TEE_ALG_GET_KEY_TYPE(algorithm, 300 with_private_key); 301 302 /* 303 * If two keys are expected the max key size is the sum of 304 * the size of both keys. 305 */ 306 if (op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) 307 mks /= 2; 308 309 res = TEE_AllocateTransientObject(key_type, mks, &op->key1); 310 if (res != TEE_SUCCESS) 311 goto err1; 312 313 if (op->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) { 314 res = TEE_AllocateTransientObject(key_type, mks, 315 &op->key2); 316 if (res != TEE_SUCCESS) 317 goto err2; 318 } 319 } 320 321 res = utee_cryp_state_alloc(algorithm, mode, (uint32_t) op->key1, 322 (uint32_t) op->key2, &op->state); 323 if (res != TEE_SUCCESS) { 324 if ((op->info.handleState & 325 TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 0) 326 goto err2; 327 goto err1; 328 } 329 330 /* 331 * Initialize digest operations 332 * Other multi-stage operations initialized w/ TEE_xxxInit functions 333 * Non-applicable on asymmetric operations 334 */ 335 if (TEE_ALG_GET_CLASS(algorithm) == TEE_OPERATION_DIGEST) { 336 res = utee_hash_init(op->state, NULL, 0); 337 if (res != TEE_SUCCESS) 338 goto err0; 339 /* v1.1: flags always set for digest operations */ 340 op->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 341 } 342 343 op->operationState = TEE_OPERATION_STATE_INITIAL; 344 345 *operation = op; 346 goto out; 347 348 err2: 349 TEE_FreeTransientObject(op->key2); 350 err1: 351 TEE_FreeTransientObject(op->key1); 352 err0: 353 TEE_FreeOperation(op); 354 355 if (res != TEE_SUCCESS && 356 res != TEE_ERROR_OUT_OF_MEMORY && 357 res != TEE_ERROR_NOT_SUPPORTED) 358 TEE_Panic(0); 359 out: 360 return res; 361 } 362 363 void TEE_FreeOperation(TEE_OperationHandle operation) 364 { 365 TEE_Result res; 366 367 if (operation == TEE_HANDLE_NULL) 368 TEE_Panic(0); 369 370 /* 371 * Note that keys should not be freed here, since they are 372 * claimed by the operation they will be freed by 373 * utee_cryp_state_free(). 374 */ 375 res = utee_cryp_state_free(operation->state); 376 if (res != TEE_SUCCESS) 377 TEE_Panic(0); 378 379 TEE_Free(operation->buffer); 380 TEE_Free(operation); 381 } 382 383 void TEE_GetOperationInfo(TEE_OperationHandle operation, 384 TEE_OperationInfo *operationInfo) 385 { 386 if (operation == TEE_HANDLE_NULL) 387 TEE_Panic(0); 388 389 if (!operationInfo) 390 TEE_Panic(0); 391 392 *operationInfo = operation->info; 393 } 394 395 TEE_Result TEE_GetOperationInfoMultiple(TEE_OperationHandle operation, 396 TEE_OperationInfoMultiple *operationInfoMultiple, 397 uint32_t *operationSize) 398 { 399 TEE_Result res = TEE_SUCCESS; 400 TEE_ObjectInfo key_info1; 401 TEE_ObjectInfo key_info2; 402 uint32_t num_of_keys; 403 size_t n; 404 405 if (operation == TEE_HANDLE_NULL) { 406 res = TEE_ERROR_BAD_PARAMETERS; 407 goto out; 408 } 409 410 if (!operationInfoMultiple) { 411 res = TEE_ERROR_BAD_PARAMETERS; 412 goto out; 413 } 414 415 if (!operationSize) { 416 res = TEE_ERROR_BAD_PARAMETERS; 417 goto out; 418 } 419 420 num_of_keys = (*operationSize-sizeof(TEE_OperationInfoMultiple))/ 421 sizeof(TEE_OperationInfoKey); 422 423 if (num_of_keys > 2) { 424 res = TEE_ERROR_BAD_PARAMETERS; 425 goto out; 426 } 427 428 /* Two keys flag (TEE_ALG_AES_XTS only) */ 429 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 430 0 && 431 (num_of_keys != 2)) { 432 res = TEE_ERROR_SHORT_BUFFER; 433 goto out; 434 } 435 436 /* Clear */ 437 for (n = 0; n < num_of_keys; n++) { 438 operationInfoMultiple->keyInformation[n].keySize = 0; 439 operationInfoMultiple->keyInformation[n].requiredKeyUsage = 0; 440 } 441 442 if (num_of_keys == 2) { 443 res = TEE_GetObjectInfo1(operation->key2, &key_info2); 444 /* Key2 is not a valid handle */ 445 if (res != TEE_SUCCESS) 446 goto out; 447 448 operationInfoMultiple->keyInformation[1].keySize = 449 key_info2.keySize; 450 operationInfoMultiple->keyInformation[1].requiredKeyUsage = 451 operation->info.requiredKeyUsage; 452 } 453 454 if (num_of_keys >= 1) { 455 res = TEE_GetObjectInfo1(operation->key1, &key_info1); 456 /* Key1 is not a valid handle */ 457 if (res != TEE_SUCCESS) { 458 if (num_of_keys == 2) { 459 operationInfoMultiple->keyInformation[1]. 460 keySize = 0; 461 operationInfoMultiple->keyInformation[1]. 462 requiredKeyUsage = 0; 463 } 464 goto out; 465 } 466 467 operationInfoMultiple->keyInformation[0].keySize = 468 key_info1.keySize; 469 operationInfoMultiple->keyInformation[0].requiredKeyUsage = 470 operation->info.requiredKeyUsage; 471 } 472 473 /* No key */ 474 operationInfoMultiple->algorithm = operation->info.algorithm; 475 operationInfoMultiple->operationClass = operation->info.operationClass; 476 operationInfoMultiple->mode = operation->info.mode; 477 operationInfoMultiple->digestLength = operation->info.digestLength; 478 operationInfoMultiple->maxKeySize = operation->info.maxKeySize; 479 operationInfoMultiple->handleState = operation->info.handleState; 480 operationInfoMultiple->operationState = operation->operationState; 481 operationInfoMultiple->numberOfKeys = num_of_keys; 482 483 out: 484 if (res != TEE_SUCCESS && 485 res != TEE_ERROR_SHORT_BUFFER) 486 TEE_Panic(0); 487 488 return res; 489 } 490 491 void TEE_ResetOperation(TEE_OperationHandle operation) 492 { 493 TEE_Result res; 494 495 if (operation == TEE_HANDLE_NULL) 496 TEE_Panic(0); 497 498 if (!(operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET)) 499 TEE_Panic(0); 500 501 operation->operationState = TEE_OPERATION_STATE_INITIAL; 502 503 if (operation->info.operationClass == TEE_OPERATION_DIGEST) { 504 res = utee_hash_init(operation->state, NULL, 0); 505 if (res != TEE_SUCCESS) 506 TEE_Panic(res); 507 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 508 } else { 509 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 510 } 511 } 512 513 TEE_Result TEE_SetOperationKey(TEE_OperationHandle operation, 514 TEE_ObjectHandle key) 515 { 516 TEE_Result res; 517 uint32_t key_size = 0; 518 TEE_ObjectInfo key_info; 519 520 if (operation == TEE_HANDLE_NULL) { 521 res = TEE_ERROR_BAD_PARAMETERS; 522 goto out; 523 } 524 525 if (operation->operationState != TEE_OPERATION_STATE_INITIAL) { 526 res = TEE_ERROR_BAD_PARAMETERS; 527 goto out; 528 } 529 530 if (key == TEE_HANDLE_NULL) { 531 /* Operation key cleared */ 532 TEE_ResetTransientObject(operation->key1); 533 res = TEE_ERROR_BAD_PARAMETERS; 534 goto out; 535 } 536 537 /* No key for digest operation */ 538 if (operation->info.operationClass == TEE_OPERATION_DIGEST) { 539 res = TEE_ERROR_BAD_PARAMETERS; 540 goto out; 541 } 542 543 /* Two keys flag not expected (TEE_ALG_AES_XTS excluded) */ 544 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) != 545 0) { 546 res = TEE_ERROR_BAD_PARAMETERS; 547 goto out; 548 } 549 550 res = TEE_GetObjectInfo1(key, &key_info); 551 /* Key is not a valid handle */ 552 if (res != TEE_SUCCESS) 553 goto out; 554 555 /* Supplied key has to meet required usage */ 556 if ((key_info.objectUsage & operation->info.requiredKeyUsage) != 557 operation->info.requiredKeyUsage) { 558 res = TEE_ERROR_BAD_PARAMETERS; 559 goto out; 560 } 561 562 if (operation->info.maxKeySize < key_info.keySize) { 563 res = TEE_ERROR_BAD_PARAMETERS; 564 goto out; 565 } 566 567 key_size = key_info.keySize; 568 569 TEE_ResetTransientObject(operation->key1); 570 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 571 572 res = TEE_CopyObjectAttributes1(operation->key1, key); 573 if (res != TEE_SUCCESS) 574 goto out; 575 576 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 577 578 operation->info.keySize = key_size; 579 580 out: 581 if (res != TEE_SUCCESS && 582 res != TEE_ERROR_CORRUPT_OBJECT && 583 res != TEE_ERROR_STORAGE_NOT_AVAILABLE) 584 TEE_Panic(0); 585 586 return res; 587 } 588 589 TEE_Result TEE_SetOperationKey2(TEE_OperationHandle operation, 590 TEE_ObjectHandle key1, TEE_ObjectHandle key2) 591 { 592 TEE_Result res; 593 uint32_t key_size = 0; 594 TEE_ObjectInfo key_info1; 595 TEE_ObjectInfo key_info2; 596 597 if (operation == TEE_HANDLE_NULL) { 598 res = TEE_ERROR_BAD_PARAMETERS; 599 goto out; 600 } 601 602 if (operation->operationState != TEE_OPERATION_STATE_INITIAL) { 603 res = TEE_ERROR_BAD_PARAMETERS; 604 goto out; 605 } 606 607 /* 608 * Key1/Key2 and/or are not initialized and 609 * Either both keys are NULL or both are not NULL 610 */ 611 if (key1 == TEE_HANDLE_NULL || key2 == TEE_HANDLE_NULL) { 612 /* Clear operation key1 (if needed) */ 613 if (key1 == TEE_HANDLE_NULL) 614 TEE_ResetTransientObject(operation->key1); 615 /* Clear operation key2 (if needed) */ 616 if (key2 == TEE_HANDLE_NULL) 617 TEE_ResetTransientObject(operation->key2); 618 res = TEE_ERROR_BAD_PARAMETERS; 619 goto out; 620 } 621 622 /* No key for digest operation */ 623 if (operation->info.operationClass == TEE_OPERATION_DIGEST) { 624 res = TEE_ERROR_BAD_PARAMETERS; 625 goto out; 626 } 627 628 /* Two keys flag expected (TEE_ALG_AES_XTS only) */ 629 if ((operation->info.handleState & TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 630 0) { 631 res = TEE_ERROR_BAD_PARAMETERS; 632 goto out; 633 } 634 635 res = TEE_GetObjectInfo1(key1, &key_info1); 636 /* Key1 is not a valid handle */ 637 if (res != TEE_SUCCESS) 638 goto out; 639 640 /* Supplied key has to meet required usage */ 641 if ((key_info1.objectUsage & operation->info. 642 requiredKeyUsage) != operation->info.requiredKeyUsage) { 643 res = TEE_ERROR_BAD_PARAMETERS; 644 goto out; 645 } 646 647 res = TEE_GetObjectInfo1(key2, &key_info2); 648 /* Key2 is not a valid handle */ 649 if (res != TEE_SUCCESS) { 650 if (res == TEE_ERROR_CORRUPT_OBJECT) 651 res = TEE_ERROR_CORRUPT_OBJECT_2; 652 goto out; 653 } 654 655 /* Supplied key has to meet required usage */ 656 if ((key_info2.objectUsage & operation->info. 657 requiredKeyUsage) != operation->info.requiredKeyUsage) { 658 res = TEE_ERROR_BAD_PARAMETERS; 659 goto out; 660 } 661 662 /* 663 * AES-XTS (the only multi key algorithm supported, requires the 664 * keys to be of equal size. 665 */ 666 if (operation->info.algorithm == TEE_ALG_AES_XTS && 667 key_info1.keySize != key_info2.keySize) { 668 res = TEE_ERROR_BAD_PARAMETERS; 669 goto out; 670 671 } 672 673 if (operation->info.maxKeySize < key_info1.keySize) { 674 res = TEE_ERROR_BAD_PARAMETERS; 675 goto out; 676 } 677 678 /* 679 * Odd that only the size of one key should be reported while 680 * size of two key are used when allocating the operation. 681 */ 682 key_size = key_info1.keySize; 683 684 TEE_ResetTransientObject(operation->key1); 685 TEE_ResetTransientObject(operation->key2); 686 operation->info.handleState &= ~TEE_HANDLE_FLAG_KEY_SET; 687 688 res = TEE_CopyObjectAttributes1(operation->key1, key1); 689 if (res != TEE_SUCCESS) 690 goto out; 691 692 res = TEE_CopyObjectAttributes1(operation->key2, key2); 693 if (res != TEE_SUCCESS) { 694 if (res == TEE_ERROR_CORRUPT_OBJECT) 695 res = TEE_ERROR_CORRUPT_OBJECT_2; 696 goto out; 697 } 698 699 operation->info.handleState |= TEE_HANDLE_FLAG_KEY_SET; 700 701 operation->info.keySize = key_size; 702 703 out: 704 if (res != TEE_SUCCESS && 705 res != TEE_ERROR_CORRUPT_OBJECT && 706 res != TEE_ERROR_CORRUPT_OBJECT_2 && 707 res != TEE_ERROR_STORAGE_NOT_AVAILABLE && 708 res != TEE_ERROR_STORAGE_NOT_AVAILABLE_2) 709 TEE_Panic(0); 710 711 return res; 712 } 713 714 void TEE_CopyOperation(TEE_OperationHandle dst_op, TEE_OperationHandle src_op) 715 { 716 TEE_Result res; 717 718 if (dst_op == TEE_HANDLE_NULL || src_op == TEE_HANDLE_NULL) 719 TEE_Panic(0); 720 if (dst_op->info.algorithm != src_op->info.algorithm) 721 TEE_Panic(0); 722 if (src_op->info.operationClass != TEE_OPERATION_DIGEST) { 723 TEE_ObjectHandle key1 = TEE_HANDLE_NULL; 724 TEE_ObjectHandle key2 = TEE_HANDLE_NULL; 725 726 if (src_op->info.handleState & TEE_HANDLE_FLAG_KEY_SET) { 727 key1 = src_op->key1; 728 key2 = src_op->key2; 729 } 730 731 if ((src_op->info.handleState & 732 TEE_HANDLE_FLAG_EXPECT_TWO_KEYS) == 0) { 733 TEE_SetOperationKey(dst_op, key1); 734 } else { 735 TEE_SetOperationKey2(dst_op, key1, key2); 736 } 737 } 738 dst_op->info.handleState = src_op->info.handleState; 739 dst_op->info.keySize = src_op->info.keySize; 740 dst_op->operationState = src_op->operationState; 741 742 if (dst_op->buffer_two_blocks != src_op->buffer_two_blocks || 743 dst_op->block_size != src_op->block_size) 744 TEE_Panic(0); 745 746 if (dst_op->buffer != NULL) { 747 if (src_op->buffer == NULL) 748 TEE_Panic(0); 749 750 memcpy(dst_op->buffer, src_op->buffer, src_op->buffer_offs); 751 dst_op->buffer_offs = src_op->buffer_offs; 752 } else if (src_op->buffer != NULL) { 753 TEE_Panic(0); 754 } 755 756 res = utee_cryp_state_copy(dst_op->state, src_op->state); 757 if (res != TEE_SUCCESS) 758 TEE_Panic(res); 759 } 760 761 /* Cryptographic Operations API - Message Digest Functions */ 762 763 static void init_hash_operation(TEE_OperationHandle operation, void *IV, 764 uint32_t IVLen) 765 { 766 TEE_Result res; 767 768 /* 769 * Note : IV and IVLen are never used in current implementation 770 * This is why coherent values of IV and IVLen are not checked 771 */ 772 res = utee_hash_init(operation->state, IV, IVLen); 773 if (res != TEE_SUCCESS) 774 TEE_Panic(res); 775 operation->buffer_offs = 0; 776 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 777 } 778 779 void TEE_DigestUpdate(TEE_OperationHandle operation, 780 void *chunk, uint32_t chunkSize) 781 { 782 TEE_Result res = TEE_ERROR_GENERIC; 783 784 if (operation == TEE_HANDLE_NULL || 785 operation->info.operationClass != TEE_OPERATION_DIGEST) 786 TEE_Panic(0); 787 788 operation->operationState = TEE_OPERATION_STATE_ACTIVE; 789 790 res = utee_hash_update(operation->state, chunk, chunkSize); 791 if (res != TEE_SUCCESS) 792 TEE_Panic(res); 793 } 794 795 TEE_Result TEE_DigestDoFinal(TEE_OperationHandle operation, void *chunk, 796 uint32_t chunkLen, void *hash, uint32_t *hashLen) 797 { 798 TEE_Result res; 799 800 if ((operation == TEE_HANDLE_NULL) || 801 (!chunk && chunkLen) || 802 !hash || 803 !hashLen || 804 (operation->info.operationClass != TEE_OPERATION_DIGEST)) { 805 res = TEE_ERROR_BAD_PARAMETERS; 806 goto out; 807 } 808 809 res = utee_hash_final(operation->state, chunk, chunkLen, hash, 810 hashLen); 811 if (res != TEE_SUCCESS) 812 goto out; 813 814 /* Reset operation state */ 815 init_hash_operation(operation, NULL, 0); 816 817 operation->operationState = TEE_OPERATION_STATE_INITIAL; 818 819 out: 820 if (res != TEE_SUCCESS && 821 res != TEE_ERROR_SHORT_BUFFER) 822 TEE_Panic(0); 823 824 return res; 825 } 826 827 /* Cryptographic Operations API - Symmetric Cipher Functions */ 828 829 void TEE_CipherInit(TEE_OperationHandle operation, void *IV, uint32_t IVLen) 830 { 831 TEE_Result res; 832 833 if (operation == TEE_HANDLE_NULL) 834 TEE_Panic(0); 835 836 if (operation->info.operationClass != TEE_OPERATION_CIPHER) 837 TEE_Panic(0); 838 839 if (!(operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET) || 840 !(operation->key1)) 841 TEE_Panic(0); 842 843 if (operation->operationState != TEE_OPERATION_STATE_INITIAL) 844 TEE_ResetOperation(operation); 845 846 operation->operationState = TEE_OPERATION_STATE_ACTIVE; 847 848 res = utee_cipher_init(operation->state, IV, IVLen); 849 if (res != TEE_SUCCESS) 850 TEE_Panic(res); 851 852 operation->buffer_offs = 0; 853 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 854 } 855 856 static TEE_Result tee_buffer_update( 857 TEE_OperationHandle op, 858 TEE_Result(*update_func) (uint32_t state, const void *src, 859 size_t slen, void *dst, uint32_t *dlen), 860 const void *src_data, size_t src_len, 861 void *dest_data, uint32_t *dest_len) 862 { 863 TEE_Result res; 864 const uint8_t *src = src_data; 865 size_t slen = src_len; 866 uint8_t *dst = dest_data; 867 size_t dlen = *dest_len; 868 size_t acc_dlen = 0; 869 uint32_t tmp_dlen; 870 size_t l; 871 size_t buffer_size; 872 size_t buffer_left; 873 874 if (op->buffer_two_blocks) { 875 buffer_size = op->block_size * 2; 876 buffer_left = 1; 877 } else { 878 buffer_size = op->block_size; 879 buffer_left = 0; 880 } 881 882 if (op->buffer_offs > 0) { 883 /* Fill up complete block */ 884 if (op->buffer_offs < op->block_size) 885 l = MIN(slen, op->block_size - op->buffer_offs); 886 else 887 l = MIN(slen, buffer_size - op->buffer_offs); 888 memcpy(op->buffer + op->buffer_offs, src, l); 889 op->buffer_offs += l; 890 src += l; 891 slen -= l; 892 if ((op->buffer_offs % op->block_size) != 0) 893 goto out; /* Nothing left to do */ 894 } 895 896 /* If we can feed from buffer */ 897 if ((op->buffer_offs > 0) && 898 ((op->buffer_offs + slen) >= (buffer_size + buffer_left))) { 899 l = ROUNDUP(op->buffer_offs + slen - buffer_size, 900 op->block_size); 901 l = MIN(op->buffer_offs, l); 902 tmp_dlen = dlen; 903 res = update_func(op->state, op->buffer, l, dst, &tmp_dlen); 904 if (res != TEE_SUCCESS) 905 TEE_Panic(res); 906 dst += tmp_dlen; 907 dlen -= tmp_dlen; 908 acc_dlen += tmp_dlen; 909 op->buffer_offs -= l; 910 if (op->buffer_offs > 0) { 911 /* 912 * Slen is small enough to be contained in rest buffer. 913 */ 914 memcpy(op->buffer, op->buffer + l, buffer_size - l); 915 memcpy(op->buffer + op->buffer_offs, src, slen); 916 op->buffer_offs += slen; 917 goto out; /* Nothing left to do */ 918 } 919 } 920 921 if (slen >= (buffer_size + buffer_left)) { 922 /* Buffer is empty, feed as much as possible from src */ 923 l = ROUNDUP(slen - buffer_size + 1, op->block_size); 924 925 tmp_dlen = dlen; 926 res = update_func(op->state, src, l, dst, &tmp_dlen); 927 if (res != TEE_SUCCESS) 928 TEE_Panic(res); 929 src += l; 930 slen -= l; 931 dst += tmp_dlen; 932 dlen -= tmp_dlen; 933 acc_dlen += tmp_dlen; 934 } 935 936 /* Slen is small enough to be contained in buffer. */ 937 memcpy(op->buffer + op->buffer_offs, src, slen); 938 op->buffer_offs += slen; 939 940 out: 941 *dest_len = acc_dlen; 942 return TEE_SUCCESS; 943 } 944 945 TEE_Result TEE_CipherUpdate(TEE_OperationHandle operation, void *srcData, 946 uint32_t srcLen, void *destData, uint32_t *destLen) 947 { 948 TEE_Result res; 949 size_t req_dlen; 950 951 if (operation == TEE_HANDLE_NULL || 952 (srcData == NULL && srcLen != 0) || 953 destLen == NULL || 954 (destData == NULL && *destLen != 0)) { 955 res = TEE_ERROR_BAD_PARAMETERS; 956 goto out; 957 } 958 959 if (operation->info.operationClass != TEE_OPERATION_CIPHER) { 960 res = TEE_ERROR_BAD_PARAMETERS; 961 goto out; 962 } 963 964 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 965 res = TEE_ERROR_BAD_PARAMETERS; 966 goto out; 967 } 968 969 if (operation->operationState != TEE_OPERATION_STATE_ACTIVE) { 970 res = TEE_ERROR_BAD_PARAMETERS; 971 goto out; 972 } 973 974 /* Calculate required dlen */ 975 req_dlen = ((operation->buffer_offs + srcLen) / operation->block_size) * 976 operation->block_size; 977 if (operation->buffer_two_blocks) { 978 if (req_dlen > operation->block_size * 2) 979 req_dlen -= operation->block_size * 2; 980 else 981 req_dlen = 0; 982 } 983 /* 984 * Check that required destLen is big enough before starting to feed 985 * data to the algorithm. Errors during feeding of data are fatal as we 986 * can't restore sync with this API. 987 */ 988 if (*destLen < req_dlen) { 989 *destLen = req_dlen; 990 res = TEE_ERROR_SHORT_BUFFER; 991 goto out; 992 } 993 994 res = tee_buffer_update(operation, utee_cipher_update, srcData, srcLen, 995 destData, destLen); 996 997 out: 998 if (res != TEE_SUCCESS && 999 res != TEE_ERROR_SHORT_BUFFER) 1000 TEE_Panic(0); 1001 1002 return res; 1003 } 1004 1005 TEE_Result TEE_CipherDoFinal(TEE_OperationHandle operation, 1006 void *srcData, uint32_t srcLen, void *destData, 1007 uint32_t *destLen) 1008 { 1009 TEE_Result res; 1010 uint8_t *dst = destData; 1011 size_t acc_dlen = 0; 1012 uint32_t tmp_dlen; 1013 size_t req_dlen; 1014 1015 if (operation == TEE_HANDLE_NULL || 1016 (srcData == NULL && srcLen != 0) || 1017 destLen == NULL || 1018 (destData == NULL && *destLen != 0)) { 1019 res = TEE_ERROR_BAD_PARAMETERS; 1020 goto out; 1021 } 1022 1023 if (operation->info.operationClass != TEE_OPERATION_CIPHER) { 1024 res = TEE_ERROR_BAD_PARAMETERS; 1025 goto out; 1026 } 1027 1028 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1029 res = TEE_ERROR_BAD_PARAMETERS; 1030 goto out; 1031 } 1032 1033 if (operation->operationState != TEE_OPERATION_STATE_ACTIVE) { 1034 res = TEE_ERROR_BAD_PARAMETERS; 1035 goto out; 1036 } 1037 1038 /* 1039 * Check that the final block doesn't require padding for those 1040 * algorithms that requires client to supply padding. 1041 */ 1042 if (operation->info.algorithm == TEE_ALG_AES_ECB_NOPAD || 1043 operation->info.algorithm == TEE_ALG_AES_CBC_NOPAD || 1044 operation->info.algorithm == TEE_ALG_DES_ECB_NOPAD || 1045 operation->info.algorithm == TEE_ALG_DES_CBC_NOPAD || 1046 operation->info.algorithm == TEE_ALG_DES3_ECB_NOPAD || 1047 operation->info.algorithm == TEE_ALG_DES3_CBC_NOPAD) { 1048 if (((operation->buffer_offs + srcLen) % operation->block_size) 1049 != 0) { 1050 res = TEE_ERROR_BAD_PARAMETERS; 1051 goto out; 1052 } 1053 } 1054 1055 /* 1056 * Check that required destLen is big enough before starting to feed 1057 * data to the algorithm. Errors during feeding of data are fatal as we 1058 * can't restore sync with this API. 1059 */ 1060 req_dlen = operation->buffer_offs + srcLen; 1061 if (*destLen < req_dlen) { 1062 *destLen = req_dlen; 1063 res = TEE_ERROR_SHORT_BUFFER; 1064 goto out; 1065 } 1066 1067 tmp_dlen = *destLen - acc_dlen; 1068 res = tee_buffer_update(operation, utee_cipher_update, srcData, srcLen, 1069 dst, &tmp_dlen); 1070 if (res != TEE_SUCCESS) 1071 goto out; 1072 1073 dst += tmp_dlen; 1074 acc_dlen += tmp_dlen; 1075 1076 tmp_dlen = *destLen - acc_dlen; 1077 res = utee_cipher_final(operation->state, operation->buffer, 1078 operation->buffer_offs, dst, &tmp_dlen); 1079 if (res != TEE_SUCCESS) 1080 goto out; 1081 1082 acc_dlen += tmp_dlen; 1083 *destLen = acc_dlen; 1084 1085 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 1086 1087 operation->operationState = TEE_OPERATION_STATE_INITIAL; 1088 1089 out: 1090 if (res != TEE_SUCCESS && 1091 res != TEE_ERROR_SHORT_BUFFER) 1092 TEE_Panic(0); 1093 1094 return res; 1095 } 1096 1097 /* Cryptographic Operations API - MAC Functions */ 1098 1099 void TEE_MACInit(TEE_OperationHandle operation, void *IV, uint32_t IVLen) 1100 { 1101 if (operation == TEE_HANDLE_NULL) 1102 TEE_Panic(0); 1103 1104 if (operation->info.operationClass != TEE_OPERATION_MAC) 1105 TEE_Panic(0); 1106 1107 if (!(operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET) || 1108 !(operation->key1)) 1109 TEE_Panic(0); 1110 1111 if (operation->operationState != TEE_OPERATION_STATE_INITIAL) 1112 TEE_ResetOperation(operation); 1113 1114 operation->operationState = TEE_OPERATION_STATE_ACTIVE; 1115 1116 init_hash_operation(operation, IV, IVLen); 1117 } 1118 1119 void TEE_MACUpdate(TEE_OperationHandle operation, void *chunk, 1120 uint32_t chunkSize) 1121 { 1122 TEE_Result res; 1123 1124 if (operation == TEE_HANDLE_NULL || (chunk == NULL && chunkSize != 0)) 1125 TEE_Panic(0); 1126 1127 if (operation->info.operationClass != TEE_OPERATION_MAC) 1128 TEE_Panic(0); 1129 1130 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 1131 TEE_Panic(0); 1132 1133 if (operation->operationState != TEE_OPERATION_STATE_ACTIVE) 1134 TEE_Panic(0); 1135 1136 res = utee_hash_update(operation->state, chunk, chunkSize); 1137 if (res != TEE_SUCCESS) 1138 TEE_Panic(res); 1139 } 1140 1141 TEE_Result TEE_MACComputeFinal(TEE_OperationHandle operation, 1142 void *message, uint32_t messageLen, 1143 void *mac, uint32_t *macLen) 1144 { 1145 TEE_Result res; 1146 1147 if (operation == TEE_HANDLE_NULL || 1148 (message == NULL && messageLen != 0) || 1149 mac == NULL || 1150 macLen == NULL) { 1151 res = TEE_ERROR_BAD_PARAMETERS; 1152 goto out; 1153 } 1154 1155 if (operation->info.operationClass != TEE_OPERATION_MAC) { 1156 res = TEE_ERROR_BAD_PARAMETERS; 1157 goto out; 1158 } 1159 1160 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1161 res = TEE_ERROR_BAD_PARAMETERS; 1162 goto out; 1163 } 1164 1165 if (operation->operationState != TEE_OPERATION_STATE_ACTIVE) { 1166 res = TEE_ERROR_BAD_PARAMETERS; 1167 goto out; 1168 } 1169 1170 res = utee_hash_final(operation->state, message, messageLen, mac, 1171 macLen); 1172 if (res != TEE_SUCCESS) 1173 goto out; 1174 1175 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 1176 1177 operation->operationState = TEE_OPERATION_STATE_INITIAL; 1178 1179 out: 1180 if (res != TEE_SUCCESS && 1181 res != TEE_ERROR_SHORT_BUFFER) 1182 TEE_Panic(res); 1183 1184 return res; 1185 } 1186 1187 TEE_Result TEE_MACCompareFinal(TEE_OperationHandle operation, 1188 void *message, uint32_t messageLen, 1189 void *mac, uint32_t macLen) 1190 { 1191 TEE_Result res; 1192 uint8_t computed_mac[TEE_MAX_HASH_SIZE]; 1193 uint32_t computed_mac_size = TEE_MAX_HASH_SIZE; 1194 1195 if (operation->info.operationClass != TEE_OPERATION_MAC) { 1196 res = TEE_ERROR_BAD_PARAMETERS; 1197 goto out; 1198 } 1199 1200 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1201 res = TEE_ERROR_BAD_PARAMETERS; 1202 goto out; 1203 } 1204 1205 if (operation->operationState != TEE_OPERATION_STATE_ACTIVE) { 1206 res = TEE_ERROR_BAD_PARAMETERS; 1207 goto out; 1208 } 1209 1210 res = TEE_MACComputeFinal(operation, message, messageLen, computed_mac, 1211 &computed_mac_size); 1212 if (res != TEE_SUCCESS) 1213 goto out; 1214 1215 if (computed_mac_size != macLen) { 1216 res = TEE_ERROR_MAC_INVALID; 1217 goto out; 1218 } 1219 1220 if (buf_compare_ct(mac, computed_mac, computed_mac_size) != 0) { 1221 res = TEE_ERROR_MAC_INVALID; 1222 goto out; 1223 } 1224 1225 operation->operationState = TEE_OPERATION_STATE_INITIAL; 1226 1227 out: 1228 if (res != TEE_SUCCESS && 1229 res != TEE_ERROR_MAC_INVALID) 1230 TEE_Panic(res); 1231 1232 return res; 1233 } 1234 1235 /* Cryptographic Operations API - Authenticated Encryption Functions */ 1236 1237 TEE_Result TEE_AEInit(TEE_OperationHandle operation, void *nonce, 1238 uint32_t nonceLen, uint32_t tagLen, uint32_t AADLen, 1239 uint32_t payloadLen) 1240 { 1241 TEE_Result res; 1242 1243 if (operation == TEE_HANDLE_NULL || nonce == NULL) { 1244 res = TEE_ERROR_BAD_PARAMETERS; 1245 goto out; 1246 } 1247 1248 if (operation->info.operationClass != TEE_OPERATION_AE) { 1249 res = TEE_ERROR_BAD_PARAMETERS; 1250 goto out; 1251 } 1252 1253 if (operation->operationState != TEE_OPERATION_STATE_INITIAL) { 1254 res = TEE_ERROR_BAD_PARAMETERS; 1255 goto out; 1256 } 1257 1258 /* 1259 * AES-CCM tag len is specified by AES-CCM spec and handled in TEE Core 1260 * in the implementation. But AES-GCM spec doesn't specify the tag len 1261 * according to the same principle so we have to check here instead to 1262 * be GP compliant. 1263 */ 1264 if (operation->info.algorithm == TEE_ALG_AES_GCM) { 1265 /* 1266 * From GP spec: For AES-GCM, can be 128, 120, 112, 104, or 96 1267 */ 1268 if (tagLen < 96 || tagLen > 128 || (tagLen % 8 != 0)) { 1269 res = TEE_ERROR_NOT_SUPPORTED; 1270 goto out; 1271 } 1272 } 1273 1274 res = utee_authenc_init(operation->state, nonce, nonceLen, 1275 tagLen / 8, AADLen, payloadLen); 1276 if (res != TEE_SUCCESS) 1277 goto out; 1278 1279 operation->ae_tag_len = tagLen / 8; 1280 operation->info.handleState |= TEE_HANDLE_FLAG_INITIALIZED; 1281 1282 out: 1283 if (res != TEE_SUCCESS && 1284 res != TEE_ERROR_NOT_SUPPORTED) 1285 TEE_Panic(res); 1286 1287 return res; 1288 } 1289 1290 void TEE_AEUpdateAAD(TEE_OperationHandle operation, void *AADdata, 1291 uint32_t AADdataLen) 1292 { 1293 TEE_Result res; 1294 1295 if (operation == TEE_HANDLE_NULL || 1296 (AADdata == NULL && AADdataLen != 0)) 1297 TEE_Panic(0); 1298 1299 if (operation->info.operationClass != TEE_OPERATION_AE) 1300 TEE_Panic(0); 1301 1302 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) 1303 TEE_Panic(0); 1304 1305 res = utee_authenc_update_aad(operation->state, AADdata, AADdataLen); 1306 1307 operation->operationState = TEE_OPERATION_STATE_ACTIVE; 1308 1309 if (res != TEE_SUCCESS) 1310 TEE_Panic(res); 1311 } 1312 1313 TEE_Result TEE_AEUpdate(TEE_OperationHandle operation, void *srcData, 1314 uint32_t srcLen, void *destData, uint32_t *destLen) 1315 { 1316 TEE_Result res; 1317 size_t req_dlen; 1318 1319 if (operation == TEE_HANDLE_NULL || 1320 (srcData == NULL && srcLen != 0) || 1321 destLen == NULL || 1322 (destData == NULL && *destLen != 0)) { 1323 res = TEE_ERROR_BAD_PARAMETERS; 1324 goto out; 1325 } 1326 1327 if (operation->info.operationClass != TEE_OPERATION_AE) { 1328 res = TEE_ERROR_BAD_PARAMETERS; 1329 goto out; 1330 } 1331 1332 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1333 res = TEE_ERROR_BAD_PARAMETERS; 1334 goto out; 1335 } 1336 1337 /* 1338 * Check that required destLen is big enough before starting to feed 1339 * data to the algorithm. Errors during feeding of data are fatal as we 1340 * can't restore sync with this API. 1341 */ 1342 req_dlen = ROUNDDOWN(operation->buffer_offs + srcLen, 1343 operation->block_size); 1344 if (*destLen < req_dlen) { 1345 *destLen = req_dlen; 1346 res = TEE_ERROR_SHORT_BUFFER; 1347 goto out; 1348 } 1349 1350 res = tee_buffer_update(operation, utee_authenc_update_payload, srcData, 1351 srcLen, destData, destLen); 1352 1353 operation->operationState = TEE_OPERATION_STATE_ACTIVE; 1354 1355 out: 1356 if (res != TEE_SUCCESS && 1357 res != TEE_ERROR_SHORT_BUFFER) 1358 TEE_Panic(res); 1359 1360 return res; 1361 } 1362 1363 TEE_Result TEE_AEEncryptFinal(TEE_OperationHandle operation, 1364 void *srcData, uint32_t srcLen, 1365 void *destData, uint32_t *destLen, void *tag, 1366 uint32_t *tagLen) 1367 { 1368 TEE_Result res; 1369 uint8_t *dst = destData; 1370 size_t acc_dlen = 0; 1371 uint32_t tmp_dlen; 1372 size_t req_dlen; 1373 1374 if (operation == TEE_HANDLE_NULL || 1375 (srcData == NULL && srcLen != 0) || 1376 destLen == NULL || 1377 (destData == NULL && *destLen != 0) || 1378 tag == NULL || tagLen == NULL) { 1379 res = TEE_ERROR_BAD_PARAMETERS; 1380 goto out; 1381 } 1382 1383 if (operation->info.operationClass != TEE_OPERATION_AE) { 1384 res = TEE_ERROR_BAD_PARAMETERS; 1385 goto out; 1386 } 1387 1388 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1389 res = TEE_ERROR_BAD_PARAMETERS; 1390 goto out; 1391 } 1392 1393 /* 1394 * Check that required destLen is big enough before starting to feed 1395 * data to the algorithm. Errors during feeding of data are fatal as we 1396 * can't restore sync with this API. 1397 */ 1398 req_dlen = operation->buffer_offs + srcLen; 1399 if (*destLen < req_dlen) { 1400 *destLen = req_dlen; 1401 res = TEE_ERROR_SHORT_BUFFER; 1402 goto out; 1403 } 1404 1405 /* 1406 * Need to check this before update_payload since sync would be lost if 1407 * we return short buffer after that. 1408 */ 1409 if (*tagLen < operation->ae_tag_len) { 1410 *tagLen = operation->ae_tag_len; 1411 res = TEE_ERROR_SHORT_BUFFER; 1412 goto out; 1413 } 1414 1415 tmp_dlen = *destLen - acc_dlen; 1416 res = tee_buffer_update(operation, utee_authenc_update_payload, srcData, 1417 srcLen, dst, &tmp_dlen); 1418 if (res != TEE_SUCCESS) 1419 goto out; 1420 1421 dst += tmp_dlen; 1422 acc_dlen += tmp_dlen; 1423 1424 tmp_dlen = *destLen - acc_dlen; 1425 res = utee_authenc_enc_final(operation->state, operation->buffer, 1426 operation->buffer_offs, dst, &tmp_dlen, 1427 tag, tagLen); 1428 if (res != TEE_SUCCESS) 1429 goto out; 1430 1431 acc_dlen += tmp_dlen; 1432 *destLen = acc_dlen; 1433 1434 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 1435 1436 operation->operationState = TEE_OPERATION_STATE_INITIAL; 1437 1438 out: 1439 if (res != TEE_SUCCESS && 1440 res != TEE_ERROR_SHORT_BUFFER) 1441 TEE_Panic(res); 1442 1443 return res; 1444 } 1445 1446 TEE_Result TEE_AEDecryptFinal(TEE_OperationHandle operation, 1447 void *srcData, uint32_t srcLen, 1448 void *destData, uint32_t *destLen, void *tag, 1449 uint32_t tagLen) 1450 { 1451 TEE_Result res; 1452 uint8_t *dst = destData; 1453 size_t acc_dlen = 0; 1454 uint32_t tmp_dlen; 1455 size_t req_dlen; 1456 1457 if (operation == TEE_HANDLE_NULL || 1458 (srcData == NULL && srcLen != 0) || 1459 destLen == NULL || 1460 (destData == NULL && *destLen != 0) || 1461 (tag == NULL && tagLen != 0)) { 1462 res = TEE_ERROR_BAD_PARAMETERS; 1463 goto out; 1464 } 1465 1466 if (operation->info.operationClass != TEE_OPERATION_AE) { 1467 res = TEE_ERROR_BAD_PARAMETERS; 1468 goto out; 1469 } 1470 1471 if ((operation->info.handleState & TEE_HANDLE_FLAG_INITIALIZED) == 0) { 1472 res = TEE_ERROR_BAD_PARAMETERS; 1473 goto out; 1474 } 1475 1476 /* 1477 * Check that required destLen is big enough before starting to feed 1478 * data to the algorithm. Errors during feeding of data are fatal as we 1479 * can't restore sync with this API. 1480 */ 1481 req_dlen = operation->buffer_offs + srcLen; 1482 if (*destLen < req_dlen) { 1483 *destLen = req_dlen; 1484 res = TEE_ERROR_SHORT_BUFFER; 1485 goto out; 1486 } 1487 1488 tmp_dlen = *destLen - acc_dlen; 1489 res = tee_buffer_update(operation, utee_authenc_update_payload, srcData, 1490 srcLen, dst, &tmp_dlen); 1491 if (res != TEE_SUCCESS) 1492 goto out; 1493 1494 dst += tmp_dlen; 1495 acc_dlen += tmp_dlen; 1496 1497 tmp_dlen = *destLen - acc_dlen; 1498 res = utee_authenc_dec_final(operation->state, operation->buffer, 1499 operation->buffer_offs, dst, &tmp_dlen, 1500 tag, tagLen); 1501 if (res != TEE_SUCCESS) 1502 goto out; 1503 1504 /* Supplied tagLen should match what we initiated with */ 1505 if (tagLen != operation->ae_tag_len) 1506 res = TEE_ERROR_MAC_INVALID; 1507 1508 acc_dlen += tmp_dlen; 1509 *destLen = acc_dlen; 1510 1511 operation->info.handleState &= ~TEE_HANDLE_FLAG_INITIALIZED; 1512 1513 operation->operationState = TEE_OPERATION_STATE_INITIAL; 1514 1515 out: 1516 if (res != TEE_SUCCESS && 1517 res != TEE_ERROR_SHORT_BUFFER && 1518 res != TEE_ERROR_MAC_INVALID) 1519 TEE_Panic(res); 1520 1521 return res; 1522 } 1523 1524 /* Cryptographic Operations API - Asymmetric Functions */ 1525 1526 TEE_Result TEE_AsymmetricEncrypt(TEE_OperationHandle operation, 1527 TEE_Attribute *params, 1528 uint32_t paramCount, void *srcData, 1529 uint32_t srcLen, void *destData, 1530 uint32_t *destLen) 1531 { 1532 TEE_Result res; 1533 1534 if (operation == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1535 destLen == NULL || (destData == NULL && *destLen != 0)) 1536 TEE_Panic(0); 1537 if (params == NULL && paramCount != 0) 1538 TEE_Panic(0); 1539 if (!operation->key1) 1540 TEE_Panic(0); 1541 if (operation->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1542 TEE_Panic(0); 1543 if (operation->info.mode != TEE_MODE_ENCRYPT) 1544 TEE_Panic(0); 1545 1546 res = utee_asymm_operate(operation->state, params, paramCount, srcData, 1547 srcLen, destData, destLen); 1548 1549 if (res != TEE_SUCCESS && 1550 res != TEE_ERROR_SHORT_BUFFER && 1551 res != TEE_ERROR_BAD_PARAMETERS) 1552 TEE_Panic(res); 1553 1554 return res; 1555 } 1556 1557 TEE_Result TEE_AsymmetricDecrypt(TEE_OperationHandle operation, 1558 TEE_Attribute *params, 1559 uint32_t paramCount, void *srcData, 1560 uint32_t srcLen, void *destData, 1561 uint32_t *destLen) 1562 { 1563 TEE_Result res; 1564 1565 if (operation == TEE_HANDLE_NULL || (srcData == NULL && srcLen != 0) || 1566 destLen == NULL || (destData == NULL && *destLen != 0)) 1567 TEE_Panic(0); 1568 if (params == NULL && paramCount != 0) 1569 TEE_Panic(0); 1570 if (!operation->key1) 1571 TEE_Panic(0); 1572 if (operation->info.operationClass != TEE_OPERATION_ASYMMETRIC_CIPHER) 1573 TEE_Panic(0); 1574 if (operation->info.mode != TEE_MODE_DECRYPT) 1575 TEE_Panic(0); 1576 1577 res = utee_asymm_operate(operation->state, params, paramCount, srcData, 1578 srcLen, destData, destLen); 1579 1580 if (res != TEE_SUCCESS && 1581 res != TEE_ERROR_SHORT_BUFFER && 1582 res != TEE_ERROR_BAD_PARAMETERS) 1583 TEE_Panic(res); 1584 1585 return res; 1586 } 1587 1588 TEE_Result TEE_AsymmetricSignDigest(TEE_OperationHandle operation, 1589 TEE_Attribute *params, 1590 uint32_t paramCount, void *digest, 1591 uint32_t digestLen, void *signature, 1592 uint32_t *signatureLen) 1593 { 1594 TEE_Result res; 1595 1596 if (operation == TEE_HANDLE_NULL || 1597 (digest == NULL && digestLen != 0) || 1598 signature == NULL || signatureLen == NULL) 1599 TEE_Panic(0); 1600 if (params == NULL && paramCount != 0) 1601 TEE_Panic(0); 1602 if (!operation->key1) 1603 TEE_Panic(0); 1604 if (operation->info.operationClass != 1605 TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1606 TEE_Panic(0); 1607 if (operation->info.mode != TEE_MODE_SIGN) 1608 TEE_Panic(0); 1609 1610 res = utee_asymm_operate(operation->state, params, paramCount, digest, 1611 digestLen, signature, signatureLen); 1612 1613 if (res != TEE_SUCCESS && res != TEE_ERROR_SHORT_BUFFER) 1614 TEE_Panic(res); 1615 1616 return res; 1617 } 1618 1619 TEE_Result TEE_AsymmetricVerifyDigest(TEE_OperationHandle operation, 1620 TEE_Attribute *params, 1621 uint32_t paramCount, void *digest, 1622 uint32_t digestLen, void *signature, 1623 uint32_t signatureLen) 1624 { 1625 TEE_Result res; 1626 1627 if (operation == TEE_HANDLE_NULL || 1628 (digest == NULL && digestLen != 0) || 1629 (signature == NULL && signatureLen != 0)) 1630 TEE_Panic(0); 1631 if (params == NULL && paramCount != 0) 1632 TEE_Panic(0); 1633 if (!operation->key1) 1634 TEE_Panic(0); 1635 if (operation->info.operationClass != 1636 TEE_OPERATION_ASYMMETRIC_SIGNATURE) 1637 TEE_Panic(0); 1638 if (operation->info.mode != TEE_MODE_VERIFY) 1639 TEE_Panic(0); 1640 1641 res = utee_asymm_verify(operation->state, params, paramCount, digest, 1642 digestLen, signature, signatureLen); 1643 1644 if (res != TEE_SUCCESS && res != TEE_ERROR_SIGNATURE_INVALID) 1645 TEE_Panic(res); 1646 1647 return res; 1648 } 1649 1650 /* Cryptographic Operations API - Key Derivation Functions */ 1651 1652 void TEE_DeriveKey(TEE_OperationHandle operation, 1653 const TEE_Attribute *params, uint32_t paramCount, 1654 TEE_ObjectHandle derivedKey) 1655 { 1656 TEE_Result res; 1657 TEE_ObjectInfo key_info; 1658 1659 if (operation == TEE_HANDLE_NULL || derivedKey == 0) 1660 TEE_Panic(0); 1661 if (params == NULL && paramCount != 0) 1662 TEE_Panic(0); 1663 if (TEE_ALG_GET_CLASS(operation->info.algorithm) != 1664 TEE_OPERATION_KEY_DERIVATION) 1665 TEE_Panic(0); 1666 1667 if (operation->info.operationClass != TEE_OPERATION_KEY_DERIVATION) 1668 TEE_Panic(0); 1669 if (!operation->key1) 1670 TEE_Panic(0); 1671 if (operation->info.mode != TEE_MODE_DERIVE) 1672 TEE_Panic(0); 1673 if ((operation->info.handleState & TEE_HANDLE_FLAG_KEY_SET) == 0) 1674 TEE_Panic(0); 1675 1676 res = utee_cryp_obj_get_info((uint32_t) derivedKey, &key_info); 1677 if (res != TEE_SUCCESS) 1678 TEE_Panic(0); 1679 1680 if (key_info.objectType != TEE_TYPE_GENERIC_SECRET) 1681 TEE_Panic(0); 1682 if ((key_info.handleFlags & TEE_HANDLE_FLAG_INITIALIZED) != 0) 1683 TEE_Panic(0); 1684 1685 res = utee_cryp_derive_key(operation->state, params, paramCount, 1686 (uint32_t) derivedKey); 1687 if (res != TEE_SUCCESS) 1688 TEE_Panic(res); 1689 } 1690 1691 /* Cryptographic Operations API - Random Number Generation Functions */ 1692 1693 void TEE_GenerateRandom(void *randomBuffer, uint32_t randomBufferLen) 1694 { 1695 TEE_Result res; 1696 1697 res = utee_cryp_random_number_generate(randomBuffer, randomBufferLen); 1698 if (res != TEE_SUCCESS) 1699 TEE_Panic(res); 1700 } 1701