1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <compiler.h> 8 #include <mbedtls/nist_kw.h> 9 #include <tee_api_defines.h> 10 #include <tee_internal_api.h> 11 #include <tee_internal_api_extensions.h> 12 13 #include "attributes.h" 14 #include "pkcs11_helpers.h" 15 #include "pkcs11_token.h" 16 #include "processing.h" 17 #include "serializer.h" 18 19 bool processing_is_tee_asymm(uint32_t proc_id) 20 { 21 switch (proc_id) { 22 /* RSA flavors */ 23 case PKCS11_CKM_RSA_AES_KEY_WRAP: 24 case PKCS11_CKM_RSA_PKCS: 25 case PKCS11_CKM_RSA_PKCS_OAEP: 26 case PKCS11_CKM_RSA_PKCS_PSS: 27 case PKCS11_CKM_MD5_RSA_PKCS: 28 case PKCS11_CKM_SHA1_RSA_PKCS: 29 case PKCS11_CKM_SHA224_RSA_PKCS: 30 case PKCS11_CKM_SHA256_RSA_PKCS: 31 case PKCS11_CKM_SHA384_RSA_PKCS: 32 case PKCS11_CKM_SHA512_RSA_PKCS: 33 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 34 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 35 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 36 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 37 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 38 /* EC flavors */ 39 case PKCS11_CKM_EDDSA: 40 case PKCS11_CKM_ECDSA: 41 case PKCS11_CKM_ECDH1_DERIVE: 42 case PKCS11_CKM_ECDSA_SHA1: 43 case PKCS11_CKM_ECDSA_SHA224: 44 case PKCS11_CKM_ECDSA_SHA256: 45 case PKCS11_CKM_ECDSA_SHA384: 46 case PKCS11_CKM_ECDSA_SHA512: 47 return true; 48 default: 49 return false; 50 } 51 } 52 53 static enum pkcs11_rc 54 pkcs2tee_algorithm(uint32_t *tee_id, uint32_t *tee_hash_id, 55 enum processing_func function __unused, 56 struct pkcs11_attribute_head *proc_params, 57 struct pkcs11_object *obj) 58 { 59 static const struct { 60 enum pkcs11_mechanism_id mech_id; 61 uint32_t tee_id; 62 uint32_t tee_hash_id; 63 } pkcs2tee_algo[] = { 64 /* RSA flavors */ 65 { PKCS11_CKM_RSA_AES_KEY_WRAP, 1, 0 }, 66 { PKCS11_CKM_RSA_PKCS, TEE_ALG_RSAES_PKCS1_V1_5, 0 }, 67 { PKCS11_CKM_RSA_PKCS_OAEP, 1, 0 }, 68 { PKCS11_CKM_RSA_PKCS_PSS, 1, 0 }, 69 { PKCS11_CKM_MD5_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_MD5, 70 TEE_ALG_MD5 }, 71 { PKCS11_CKM_SHA1_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA1, 72 TEE_ALG_SHA1 }, 73 { PKCS11_CKM_SHA224_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA224, 74 TEE_ALG_SHA224 }, 75 { PKCS11_CKM_SHA256_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA256, 76 TEE_ALG_SHA256 }, 77 { PKCS11_CKM_SHA384_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA384, 78 TEE_ALG_SHA384 }, 79 { PKCS11_CKM_SHA512_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA512, 80 TEE_ALG_SHA512 }, 81 { PKCS11_CKM_SHA1_RSA_PKCS_PSS, 82 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1, TEE_ALG_SHA1 }, 83 { PKCS11_CKM_SHA224_RSA_PKCS_PSS, 84 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224, TEE_ALG_SHA224 }, 85 { PKCS11_CKM_SHA256_RSA_PKCS_PSS, 86 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256, TEE_ALG_SHA256 }, 87 { PKCS11_CKM_SHA384_RSA_PKCS_PSS, 88 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384, TEE_ALG_SHA384 }, 89 { PKCS11_CKM_SHA512_RSA_PKCS_PSS, 90 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512, TEE_ALG_SHA512 }, 91 /* EC flavors (Must find key size from the object) */ 92 { PKCS11_CKM_ECDSA, 1, 0 }, 93 { PKCS11_CKM_ECDSA_SHA1, 1, TEE_ALG_SHA1 }, 94 { PKCS11_CKM_ECDSA_SHA224, 1, TEE_ALG_SHA224 }, 95 { PKCS11_CKM_ECDSA_SHA256, 1, TEE_ALG_SHA256 }, 96 { PKCS11_CKM_ECDSA_SHA384, 1, TEE_ALG_SHA384 }, 97 { PKCS11_CKM_ECDSA_SHA512, 1, TEE_ALG_SHA512 }, 98 { PKCS11_CKM_ECDH1_DERIVE, 1, 0 }, 99 { PKCS11_CKM_EDDSA, TEE_ALG_ED25519, 0 }, 100 }; 101 size_t n = 0; 102 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 103 104 for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) { 105 if (pkcs2tee_algo[n].mech_id == proc_params->id) { 106 *tee_id = pkcs2tee_algo[n].tee_id; 107 *tee_hash_id = pkcs2tee_algo[n].tee_hash_id; 108 break; 109 } 110 } 111 112 if (n == ARRAY_SIZE(pkcs2tee_algo)) 113 return PKCS11_RV_NOT_IMPLEMENTED; 114 115 switch (proc_params->id) { 116 case PKCS11_CKM_RSA_PKCS_PSS: 117 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 118 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 119 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 120 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 121 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 122 rc = pkcs2tee_algo_rsa_pss(tee_id, proc_params); 123 break; 124 case PKCS11_CKM_RSA_PKCS_OAEP: 125 rc = pkcs2tee_algo_rsa_oaep(tee_id, tee_hash_id, proc_params); 126 break; 127 case PKCS11_CKM_RSA_AES_KEY_WRAP: 128 rc = pkcs2tee_algo_rsa_aes_wrap(tee_id, tee_hash_id, 129 proc_params); 130 break; 131 case PKCS11_CKM_ECDSA: 132 case PKCS11_CKM_ECDSA_SHA1: 133 case PKCS11_CKM_ECDSA_SHA224: 134 case PKCS11_CKM_ECDSA_SHA256: 135 case PKCS11_CKM_ECDSA_SHA384: 136 case PKCS11_CKM_ECDSA_SHA512: 137 rc = pkcs2tee_algo_ecdsa(tee_id, proc_params, obj); 138 break; 139 case PKCS11_CKM_ECDH1_DERIVE: 140 rc = pkcs2tee_algo_ecdh(tee_id, proc_params, obj); 141 break; 142 default: 143 rc = PKCS11_CKR_OK; 144 break; 145 } 146 147 /* 148 * PKCS#11 uses single mechanism CKM_RSA_PKCS for both ciphering and 149 * authentication whereas GPD TEE expects TEE_ALG_RSAES_PKCS1_V1_5 for 150 * ciphering and TEE_ALG_RSASSA_PKCS1_V1_5 for authentication. 151 */ 152 if (*tee_id == TEE_ALG_RSAES_PKCS1_V1_5 && 153 (function == PKCS11_FUNCTION_SIGN || 154 function == PKCS11_FUNCTION_VERIFY)) 155 *tee_id = TEE_ALG_RSASSA_PKCS1_V1_5; 156 157 return rc; 158 } 159 160 static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type, 161 struct pkcs11_object *obj, 162 enum processing_func function) 163 { 164 enum pkcs11_class_id class = get_class(obj->attributes); 165 enum pkcs11_key_type type = get_key_type(obj->attributes); 166 167 switch (class) { 168 case PKCS11_CKO_PUBLIC_KEY: 169 case PKCS11_CKO_PRIVATE_KEY: 170 break; 171 default: 172 TEE_Panic(class); 173 break; 174 } 175 176 switch (type) { 177 case PKCS11_CKK_EC: 178 if (class == PKCS11_CKO_PRIVATE_KEY) { 179 if (function == PKCS11_FUNCTION_DERIVE) 180 *tee_type = TEE_TYPE_ECDH_KEYPAIR; 181 else 182 *tee_type = TEE_TYPE_ECDSA_KEYPAIR; 183 } else { 184 if (function == PKCS11_FUNCTION_DERIVE) 185 *tee_type = TEE_TYPE_ECDH_PUBLIC_KEY; 186 else 187 *tee_type = TEE_TYPE_ECDSA_PUBLIC_KEY; 188 } 189 break; 190 case PKCS11_CKK_RSA: 191 if (class == PKCS11_CKO_PRIVATE_KEY) 192 *tee_type = TEE_TYPE_RSA_KEYPAIR; 193 else 194 *tee_type = TEE_TYPE_RSA_PUBLIC_KEY; 195 break; 196 case PKCS11_CKK_EC_EDWARDS: 197 if (class == PKCS11_CKO_PRIVATE_KEY) 198 *tee_type = TEE_TYPE_ED25519_KEYPAIR; 199 else 200 *tee_type = TEE_TYPE_ED25519_PUBLIC_KEY; 201 break; 202 default: 203 TEE_Panic(type); 204 break; 205 } 206 207 return PKCS11_CKR_OK; 208 } 209 210 static enum pkcs11_rc 211 allocate_tee_operation(struct pkcs11_session *session, 212 enum processing_func function, 213 struct pkcs11_attribute_head *params, 214 struct pkcs11_object *obj) 215 { 216 uint32_t size = (uint32_t)get_object_key_bit_size(obj); 217 uint32_t algo = 0; 218 uint32_t hash_algo = 0; 219 uint32_t mode = 0; 220 uint32_t hash_mode = 0; 221 TEE_Result res = TEE_ERROR_GENERIC; 222 struct active_processing *processing = session->processing; 223 224 assert(processing->tee_op_handle == TEE_HANDLE_NULL); 225 assert(processing->tee_hash_op_handle == TEE_HANDLE_NULL); 226 227 if (pkcs2tee_algorithm(&algo, &hash_algo, function, params, obj)) 228 return PKCS11_CKR_FUNCTION_FAILED; 229 230 pkcs2tee_mode(&mode, function); 231 232 if (hash_algo) { 233 pkcs2tee_mode(&hash_mode, PKCS11_FUNCTION_DIGEST); 234 235 res = TEE_AllocateOperation(&processing->tee_hash_op_handle, 236 hash_algo, hash_mode, 0); 237 if (res) { 238 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32, 239 hash_algo, hash_mode); 240 241 if (res == TEE_ERROR_NOT_SUPPORTED) 242 return PKCS11_CKR_MECHANISM_INVALID; 243 return tee2pkcs_error(res); 244 } 245 processing->tee_hash_algo = hash_algo; 246 } 247 248 res = TEE_AllocateOperation(&processing->tee_op_handle, 249 algo, mode, size); 250 if (res) 251 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32, 252 algo, mode, size); 253 254 if (res == TEE_ERROR_NOT_SUPPORTED) 255 return PKCS11_CKR_MECHANISM_INVALID; 256 257 if (res != TEE_SUCCESS && 258 processing->tee_hash_op_handle != TEE_HANDLE_NULL) { 259 TEE_FreeOperation(session->processing->tee_hash_op_handle); 260 processing->tee_hash_op_handle = TEE_HANDLE_NULL; 261 processing->tee_hash_algo = 0; 262 } 263 264 return tee2pkcs_error(res); 265 } 266 267 static enum pkcs11_rc load_tee_key(struct pkcs11_session *session, 268 struct pkcs11_object *obj, 269 enum processing_func function) 270 { 271 TEE_Attribute *tee_attrs = NULL; 272 size_t tee_attrs_count = 0; 273 size_t object_size = 0; 274 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 275 TEE_Result res = TEE_ERROR_GENERIC; 276 enum pkcs11_class_id __maybe_unused class = get_class(obj->attributes); 277 enum pkcs11_key_type type = get_key_type(obj->attributes); 278 279 assert(class == PKCS11_CKO_PUBLIC_KEY || 280 class == PKCS11_CKO_PRIVATE_KEY); 281 282 if (obj->key_handle != TEE_HANDLE_NULL) { 283 switch (type) { 284 case PKCS11_CKK_RSA: 285 /* RSA loaded keys can be reused */ 286 assert((obj->key_type == TEE_TYPE_RSA_PUBLIC_KEY && 287 class == PKCS11_CKO_PUBLIC_KEY) || 288 (obj->key_type == TEE_TYPE_RSA_KEYPAIR && 289 class == PKCS11_CKO_PRIVATE_KEY)); 290 goto key_ready; 291 case PKCS11_CKK_EC: 292 /* Reuse EC TEE key only if already DSA or DH */ 293 switch (obj->key_type) { 294 case TEE_TYPE_ECDSA_PUBLIC_KEY: 295 case TEE_TYPE_ECDSA_KEYPAIR: 296 if (function != PKCS11_FUNCTION_DERIVE) 297 goto key_ready; 298 break; 299 case TEE_TYPE_ECDH_PUBLIC_KEY: 300 case TEE_TYPE_ECDH_KEYPAIR: 301 if (function == PKCS11_FUNCTION_DERIVE) 302 goto key_ready; 303 break; 304 default: 305 assert(0); 306 break; 307 } 308 break; 309 default: 310 assert(0); 311 break; 312 } 313 314 TEE_CloseObject(obj->key_handle); 315 obj->key_handle = TEE_HANDLE_NULL; 316 } 317 318 rc = pkcs2tee_key_type(&obj->key_type, obj, function); 319 if (rc) 320 return rc; 321 322 object_size = get_object_key_bit_size(obj); 323 if (!object_size) 324 return PKCS11_CKR_GENERAL_ERROR; 325 326 switch (type) { 327 case PKCS11_CKK_RSA: 328 rc = load_tee_rsa_key_attrs(&tee_attrs, &tee_attrs_count, obj); 329 break; 330 case PKCS11_CKK_EC: 331 rc = load_tee_ec_key_attrs(&tee_attrs, &tee_attrs_count, obj); 332 break; 333 case PKCS11_CKK_EC_EDWARDS: 334 rc = load_tee_eddsa_key_attrs(&tee_attrs, &tee_attrs_count, 335 obj); 336 break; 337 default: 338 break; 339 } 340 if (rc) 341 return rc; 342 343 res = TEE_AllocateTransientObject(obj->key_type, object_size, 344 &obj->key_handle); 345 if (res) { 346 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 347 348 return tee2pkcs_error(res); 349 } 350 351 res = TEE_PopulateTransientObject(obj->key_handle, 352 tee_attrs, tee_attrs_count); 353 354 TEE_Free(tee_attrs); 355 356 if (res) { 357 DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res); 358 359 goto error; 360 } 361 362 key_ready: 363 res = TEE_SetOperationKey(session->processing->tee_op_handle, 364 obj->key_handle); 365 if (res) { 366 DMSG("TEE_SetOperationKey failed, %#"PRIx32, res); 367 368 goto error; 369 } 370 371 return PKCS11_CKR_OK; 372 373 error: 374 TEE_FreeTransientObject(obj->key_handle); 375 obj->key_handle = TEE_HANDLE_NULL; 376 return tee2pkcs_error(res); 377 } 378 379 static enum pkcs11_rc 380 init_tee_operation(struct pkcs11_session *session, 381 struct pkcs11_attribute_head *proc_params, 382 struct pkcs11_object *obj) 383 { 384 enum pkcs11_rc rc = PKCS11_CKR_OK; 385 struct active_processing *proc = session->processing; 386 387 switch (proc_params->id) { 388 case PKCS11_CKM_RSA_PKCS_PSS: 389 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 390 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 391 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 392 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 393 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 394 rc = pkcs2tee_proc_params_rsa_pss(proc, proc_params); 395 if (rc) 396 break; 397 398 rc = pkcs2tee_validate_rsa_pss(proc, obj); 399 break; 400 case PKCS11_CKM_RSA_PKCS_OAEP: 401 rc = pkcs2tee_proc_params_rsa_oaep(proc, proc_params); 402 break; 403 case PKCS11_CKM_EDDSA: 404 rc = pkcs2tee_proc_params_eddsa(proc, proc_params); 405 break; 406 case PKCS11_CKM_RSA_AES_KEY_WRAP: 407 rc = pkcs2tee_proc_params_rsa_aes_wrap(proc, proc_params); 408 break; 409 default: 410 break; 411 } 412 413 return rc; 414 } 415 416 enum pkcs11_rc init_asymm_operation(struct pkcs11_session *session, 417 enum processing_func function, 418 struct pkcs11_attribute_head *proc_params, 419 struct pkcs11_object *obj) 420 { 421 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 422 423 assert(processing_is_tee_asymm(proc_params->id)); 424 425 rc = allocate_tee_operation(session, function, proc_params, obj); 426 if (rc) 427 return rc; 428 429 rc = load_tee_key(session, obj, function); 430 if (rc) 431 return rc; 432 433 rc = init_tee_operation(session, proc_params, obj); 434 if (!rc) 435 session->processing->mecha_type = proc_params->id; 436 437 return rc; 438 } 439 440 /* 441 * step_sym_step - step (update/oneshot/final) on a symmetric crypto operation 442 * 443 * @session - current session 444 * @function - processing function (encrypt, decrypt, sign, ...) 445 * @step - step ID in the processing (oneshot, update, final) 446 * @ptypes - invocation parameter types 447 * @params - invocation parameter references 448 */ 449 enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session, 450 enum processing_func function, 451 enum processing_step step, 452 uint32_t ptypes, TEE_Param *params) 453 { 454 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 455 TEE_Result res = TEE_ERROR_GENERIC; 456 void *in_buf = NULL; 457 void *in2_buf = NULL; 458 void *out_buf = NULL; 459 void *hash_buf = NULL; 460 uint32_t in_size = 0; 461 uint32_t in2_size = 0; 462 size_t out_size = 0; 463 size_t hash_size = 0; 464 TEE_Attribute *tee_attrs = NULL; 465 size_t tee_attrs_count = 0; 466 bool output_data = false; 467 struct active_processing *proc = session->processing; 468 struct rsa_aes_key_wrap_processing_ctx *rsa_aes_ctx = NULL; 469 struct rsa_oaep_processing_ctx *rsa_oaep_ctx = NULL; 470 struct rsa_pss_processing_ctx *rsa_pss_ctx = NULL; 471 struct eddsa_processing_ctx *eddsa_ctx = NULL; 472 size_t sz = 0; 473 474 if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) { 475 in_buf = params[1].memref.buffer; 476 in_size = params[1].memref.size; 477 if (in_size && !in_buf) 478 return PKCS11_CKR_ARGUMENTS_BAD; 479 } 480 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) { 481 in2_buf = params[2].memref.buffer; 482 in2_size = params[2].memref.size; 483 if (in2_size && !in2_buf) 484 return PKCS11_CKR_ARGUMENTS_BAD; 485 } 486 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) { 487 out_buf = params[2].memref.buffer; 488 out_size = params[2].memref.size; 489 if (out_size && !out_buf) 490 return PKCS11_CKR_ARGUMENTS_BAD; 491 } 492 if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE) 493 return PKCS11_CKR_ARGUMENTS_BAD; 494 495 switch (step) { 496 case PKCS11_FUNC_STEP_ONESHOT: 497 case PKCS11_FUNC_STEP_UPDATE: 498 case PKCS11_FUNC_STEP_FINAL: 499 break; 500 default: 501 return PKCS11_CKR_GENERAL_ERROR; 502 } 503 504 /* TEE attribute(s) required by the operation */ 505 switch (proc->mecha_type) { 506 case PKCS11_CKM_RSA_PKCS_PSS: 507 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 508 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 509 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 510 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 511 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 512 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 513 TEE_USER_MEM_HINT_NO_FILL_ZERO); 514 if (!tee_attrs) { 515 rc = PKCS11_CKR_DEVICE_MEMORY; 516 goto out; 517 } 518 519 rsa_pss_ctx = proc->extra_ctx; 520 521 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 522 TEE_ATTR_RSA_PSS_SALT_LENGTH, 523 rsa_pss_ctx->salt_len, 0); 524 tee_attrs_count++; 525 break; 526 case PKCS11_CKM_EDDSA: 527 eddsa_ctx = proc->extra_ctx; 528 529 tee_attrs = TEE_Malloc(2 * sizeof(TEE_Attribute), 530 TEE_USER_MEM_HINT_NO_FILL_ZERO); 531 if (!tee_attrs) { 532 rc = PKCS11_CKR_DEVICE_MEMORY; 533 goto out; 534 } 535 536 if (eddsa_ctx->flag) { 537 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 538 TEE_ATTR_EDDSA_PREHASH, 0, 0); 539 tee_attrs_count++; 540 } 541 542 if (eddsa_ctx->ctx_len > 0) { 543 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 544 TEE_ATTR_EDDSA_CTX, eddsa_ctx->ctx, 545 eddsa_ctx->ctx_len); 546 tee_attrs_count++; 547 } 548 break; 549 case PKCS11_CKM_RSA_PKCS_OAEP: 550 rsa_oaep_ctx = proc->extra_ctx; 551 552 if (!rsa_oaep_ctx->source_data_len) 553 break; 554 555 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 556 TEE_USER_MEM_HINT_NO_FILL_ZERO); 557 if (!tee_attrs) { 558 rc = PKCS11_CKR_DEVICE_MEMORY; 559 goto out; 560 } 561 562 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 563 TEE_ATTR_RSA_OAEP_LABEL, 564 rsa_oaep_ctx->source_data, 565 rsa_oaep_ctx->source_data_len); 566 tee_attrs_count++; 567 break; 568 case PKCS11_CKM_RSA_AES_KEY_WRAP: 569 rsa_aes_ctx = proc->extra_ctx; 570 571 if (!rsa_aes_ctx->source_data_len) 572 break; 573 574 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 575 TEE_USER_MEM_HINT_NO_FILL_ZERO); 576 if (!tee_attrs) { 577 rc = PKCS11_CKR_DEVICE_MEMORY; 578 goto out; 579 } 580 581 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 582 TEE_ATTR_RSA_OAEP_LABEL, 583 rsa_aes_ctx->source_data, 584 rsa_aes_ctx->source_data_len); 585 tee_attrs_count++; 586 break; 587 default: 588 break; 589 } 590 591 /* 592 * Handle multi stage update step for mechas needing hash 593 * calculation 594 */ 595 if (step == PKCS11_FUNC_STEP_UPDATE) { 596 switch (proc->mecha_type) { 597 case PKCS11_CKM_ECDSA_SHA1: 598 case PKCS11_CKM_ECDSA_SHA224: 599 case PKCS11_CKM_ECDSA_SHA256: 600 case PKCS11_CKM_ECDSA_SHA384: 601 case PKCS11_CKM_ECDSA_SHA512: 602 case PKCS11_CKM_MD5_RSA_PKCS: 603 case PKCS11_CKM_SHA1_RSA_PKCS: 604 case PKCS11_CKM_SHA224_RSA_PKCS: 605 case PKCS11_CKM_SHA256_RSA_PKCS: 606 case PKCS11_CKM_SHA384_RSA_PKCS: 607 case PKCS11_CKM_SHA512_RSA_PKCS: 608 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 609 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 610 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 611 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 612 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 613 assert(proc->tee_hash_op_handle != TEE_HANDLE_NULL); 614 615 TEE_DigestUpdate(proc->tee_hash_op_handle, in_buf, 616 in_size); 617 rc = PKCS11_CKR_OK; 618 break; 619 default: 620 /* 621 * Other mechanism do not expect multi stage 622 * operation 623 */ 624 rc = PKCS11_CKR_GENERAL_ERROR; 625 break; 626 } 627 628 goto out; 629 } 630 631 /* 632 * Handle multi stage one shot and final steps for mechas needing hash 633 * calculation 634 */ 635 switch (proc->mecha_type) { 636 case PKCS11_CKM_ECDSA_SHA1: 637 case PKCS11_CKM_ECDSA_SHA224: 638 case PKCS11_CKM_ECDSA_SHA256: 639 case PKCS11_CKM_ECDSA_SHA384: 640 case PKCS11_CKM_ECDSA_SHA512: 641 case PKCS11_CKM_MD5_RSA_PKCS: 642 case PKCS11_CKM_SHA1_RSA_PKCS: 643 case PKCS11_CKM_SHA224_RSA_PKCS: 644 case PKCS11_CKM_SHA256_RSA_PKCS: 645 case PKCS11_CKM_SHA384_RSA_PKCS: 646 case PKCS11_CKM_SHA512_RSA_PKCS: 647 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 648 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 649 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 650 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 651 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 652 assert(proc->tee_hash_op_handle != TEE_HANDLE_NULL); 653 654 hash_size = TEE_ALG_GET_DIGEST_SIZE(proc->tee_hash_algo); 655 hash_buf = TEE_Malloc(hash_size, 0); 656 if (!hash_buf) 657 return PKCS11_CKR_DEVICE_MEMORY; 658 659 res = TEE_DigestDoFinal(proc->tee_hash_op_handle, 660 in_buf, in_size, hash_buf, 661 &hash_size); 662 663 rc = tee2pkcs_error(res); 664 if (rc != PKCS11_CKR_OK) 665 goto out; 666 667 break; 668 default: 669 break; 670 } 671 672 /* 673 * Finalize either provided hash or calculated hash with signing 674 * operation 675 */ 676 677 /* First determine amount of bytes for signing operation */ 678 switch (proc->mecha_type) { 679 case PKCS11_CKM_ECDSA: 680 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 681 if (!in_size || !sz) { 682 rc = PKCS11_CKR_FUNCTION_FAILED; 683 goto out; 684 } 685 686 /* 687 * Note 3) Input the entire raw digest. Internally, this will 688 * be truncated to the appropriate number of bits. 689 */ 690 if (in_size > sz) 691 in_size = sz; 692 693 if (function == PKCS11_FUNCTION_VERIFY && in2_size != 2 * sz) { 694 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 695 goto out; 696 } 697 break; 698 case PKCS11_CKM_ECDSA_SHA1: 699 case PKCS11_CKM_ECDSA_SHA224: 700 case PKCS11_CKM_ECDSA_SHA256: 701 case PKCS11_CKM_ECDSA_SHA384: 702 case PKCS11_CKM_ECDSA_SHA512: 703 /* Get key size in bytes */ 704 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 705 if (!sz) { 706 rc = PKCS11_CKR_FUNCTION_FAILED; 707 goto out; 708 } 709 710 if (function == PKCS11_FUNCTION_VERIFY && 711 in2_size != 2 * sz) { 712 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 713 goto out; 714 } 715 break; 716 case PKCS11_CKM_RSA_PKCS: 717 case PKCS11_CKM_MD5_RSA_PKCS: 718 case PKCS11_CKM_SHA1_RSA_PKCS: 719 case PKCS11_CKM_SHA224_RSA_PKCS: 720 case PKCS11_CKM_SHA256_RSA_PKCS: 721 case PKCS11_CKM_SHA384_RSA_PKCS: 722 case PKCS11_CKM_SHA512_RSA_PKCS: 723 case PKCS11_CKM_RSA_PKCS_PSS: 724 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 725 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 726 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 727 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 728 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 729 /* Get key size in bytes */ 730 sz = rsa_get_input_max_byte_size(proc->tee_op_handle); 731 if (!sz) { 732 rc = PKCS11_CKR_FUNCTION_FAILED; 733 goto out; 734 } 735 736 if (function == PKCS11_FUNCTION_VERIFY && in2_size != sz) { 737 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 738 goto out; 739 } 740 break; 741 default: 742 break; 743 } 744 745 /* Next perform actual signing operation */ 746 switch (proc->mecha_type) { 747 case PKCS11_CKM_ECDSA: 748 case PKCS11_CKM_EDDSA: 749 case PKCS11_CKM_RSA_PKCS: 750 case PKCS11_CKM_RSA_PKCS_OAEP: 751 case PKCS11_CKM_RSA_PKCS_PSS: 752 /* For operations using provided input data */ 753 switch (function) { 754 case PKCS11_FUNCTION_ENCRYPT: 755 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 756 tee_attrs, tee_attrs_count, 757 in_buf, in_size, 758 out_buf, &out_size); 759 output_data = true; 760 rc = tee2pkcs_error(res); 761 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 762 rc = PKCS11_CKR_DATA_LEN_RANGE; 763 break; 764 765 case PKCS11_FUNCTION_DECRYPT: 766 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 767 tee_attrs, tee_attrs_count, 768 in_buf, in_size, 769 out_buf, &out_size); 770 output_data = true; 771 rc = tee2pkcs_error(res); 772 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 773 rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 774 break; 775 776 case PKCS11_FUNCTION_SIGN: 777 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 778 tee_attrs, 779 tee_attrs_count, 780 in_buf, in_size, 781 out_buf, &out_size); 782 output_data = true; 783 rc = tee2pkcs_error(res); 784 break; 785 786 case PKCS11_FUNCTION_VERIFY: 787 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 788 tee_attrs, 789 tee_attrs_count, 790 in_buf, in_size, 791 in2_buf, in2_size); 792 rc = tee2pkcs_error(res); 793 break; 794 795 default: 796 TEE_Panic(function); 797 break; 798 } 799 break; 800 case PKCS11_CKM_ECDSA_SHA1: 801 case PKCS11_CKM_ECDSA_SHA224: 802 case PKCS11_CKM_ECDSA_SHA256: 803 case PKCS11_CKM_ECDSA_SHA384: 804 case PKCS11_CKM_ECDSA_SHA512: 805 case PKCS11_CKM_MD5_RSA_PKCS: 806 case PKCS11_CKM_SHA1_RSA_PKCS: 807 case PKCS11_CKM_SHA224_RSA_PKCS: 808 case PKCS11_CKM_SHA256_RSA_PKCS: 809 case PKCS11_CKM_SHA384_RSA_PKCS: 810 case PKCS11_CKM_SHA512_RSA_PKCS: 811 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 812 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 813 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 814 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 815 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 816 /* For operations having hash operation use calculated hash */ 817 switch (function) { 818 case PKCS11_FUNCTION_SIGN: 819 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 820 tee_attrs, 821 tee_attrs_count, 822 hash_buf, hash_size, 823 out_buf, &out_size); 824 output_data = true; 825 rc = tee2pkcs_error(res); 826 break; 827 828 case PKCS11_FUNCTION_VERIFY: 829 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 830 tee_attrs, 831 tee_attrs_count, 832 hash_buf, hash_size, 833 in2_buf, in2_size); 834 rc = tee2pkcs_error(res); 835 break; 836 837 default: 838 TEE_Panic(function); 839 break; 840 } 841 break; 842 default: 843 TEE_Panic(proc->mecha_type); 844 break; 845 } 846 847 out: 848 if (output_data && 849 (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) { 850 switch (TEE_PARAM_TYPE_GET(ptypes, 2)) { 851 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 852 case TEE_PARAM_TYPE_MEMREF_INOUT: 853 params[2].memref.size = out_size; 854 break; 855 default: 856 rc = PKCS11_CKR_GENERAL_ERROR; 857 break; 858 } 859 } 860 861 TEE_Free(hash_buf); 862 TEE_Free(tee_attrs); 863 864 return rc; 865 } 866 867 enum pkcs11_rc do_asymm_derivation(struct pkcs11_session *session, 868 struct pkcs11_attribute_head *proc_params, 869 struct obj_attrs **head) 870 { 871 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 872 TEE_ObjectHandle out_handle = TEE_HANDLE_NULL; 873 TEE_Result res = TEE_ERROR_GENERIC; 874 TEE_Attribute tee_attrs[2] = { }; 875 size_t tee_attrs_count = 0; 876 uint32_t key_byte_size = 0; 877 uint32_t key_bit_size = 0; 878 void *a_ptr = NULL; 879 size_t a_size = 0; 880 881 /* Remove default attribute set at template sanitization */ 882 if (remove_empty_attribute(head, PKCS11_CKA_VALUE)) 883 return PKCS11_CKR_FUNCTION_FAILED; 884 885 rc = get_u32_attribute(*head, PKCS11_CKA_VALUE_LEN, &key_bit_size); 886 if (rc) 887 return rc; 888 889 key_bit_size *= 8; 890 key_byte_size = (key_bit_size + 7) / 8; 891 892 res = TEE_AllocateTransientObject(TEE_TYPE_GENERIC_SECRET, 893 key_byte_size * 8, &out_handle); 894 if (res) { 895 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 896 return tee2pkcs_error(res); 897 } 898 899 switch (proc_params->id) { 900 case PKCS11_CKM_ECDH1_DERIVE: 901 rc = pkcs2tee_param_ecdh(proc_params, &a_ptr, &a_size); 902 if (rc) 903 goto out; 904 905 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 906 TEE_ATTR_ECC_PUBLIC_VALUE_X, 907 a_ptr, a_size / 2); 908 tee_attrs_count++; 909 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 910 TEE_ATTR_ECC_PUBLIC_VALUE_Y, 911 (char *)a_ptr + a_size / 2, 912 a_size / 2); 913 tee_attrs_count++; 914 break; 915 default: 916 TEE_Panic(proc_params->id); 917 break; 918 } 919 920 TEE_DeriveKey(session->processing->tee_op_handle, &tee_attrs[0], 921 tee_attrs_count, out_handle); 922 923 rc = alloc_get_tee_attribute_data(out_handle, TEE_ATTR_SECRET_VALUE, 924 &a_ptr, &a_size); 925 if (rc) 926 goto out; 927 928 if (a_size * 8 < key_bit_size) 929 rc = PKCS11_CKR_KEY_SIZE_RANGE; 930 else 931 rc = add_attribute(head, PKCS11_CKA_VALUE, a_ptr, 932 key_byte_size); 933 TEE_Free(a_ptr); 934 out: 935 release_active_processing(session); 936 TEE_FreeTransientObject(out_handle); 937 938 return rc; 939 } 940 941 static enum pkcs11_rc wrap_rsa_aes_key(struct active_processing *proc, 942 void *data, uint32_t data_sz, 943 void *out_buf, uint32_t *out_sz) 944 { 945 enum pkcs11_rc rc = PKCS11_CKR_OK; 946 TEE_Result res = TEE_ERROR_GENERIC; 947 int mbedtls_rc = 0; 948 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 949 mbedtls_nist_kw_context kw_ctx = { }; 950 uint8_t aes_key_value[32] = { }; 951 uint32_t aes_key_size = ctx->aes_key_bits / 8; 952 size_t aes_wrapped_size = *out_sz; 953 uint32_t expected_size = 0; 954 size_t target_key_size = 0; 955 const size_t kw_semiblock_len = 8; 956 957 if (ctx->aes_key_bits != 128 && 958 ctx->aes_key_bits != 192 && 959 ctx->aes_key_bits != 256) 960 return PKCS11_CKR_ARGUMENTS_BAD; 961 962 mbedtls_nist_kw_init(&kw_ctx); 963 TEE_GenerateRandom(aes_key_value, aes_key_size); 964 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 965 NULL, 0, 966 aes_key_value, aes_key_size, 967 out_buf, &aes_wrapped_size); 968 expected_size = aes_wrapped_size + data_sz + kw_semiblock_len; 969 if (res) { 970 if (res == TEE_ERROR_SHORT_BUFFER) 971 *out_sz = expected_size; 972 973 rc = tee2pkcs_error(res); 974 goto out; 975 } 976 977 if (*out_sz < expected_size) { 978 rc = PKCS11_CKR_BUFFER_TOO_SMALL; 979 *out_sz = expected_size; 980 goto out; 981 } 982 983 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 984 aes_key_value, ctx->aes_key_bits, 985 true); 986 if (mbedtls_rc) { 987 if (mbedtls_rc == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) 988 rc = PKCS11_CKR_KEY_SIZE_RANGE; 989 else 990 rc = PKCS11_CKR_FUNCTION_FAILED; 991 992 goto out; 993 } 994 995 mbedtls_rc = mbedtls_nist_kw_wrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 996 data, data_sz, 997 (uint8_t *)out_buf + aes_wrapped_size, 998 &target_key_size, 999 *out_sz - aes_wrapped_size); 1000 if (mbedtls_rc) { 1001 rc = PKCS11_CKR_ARGUMENTS_BAD; 1002 goto out; 1003 } 1004 1005 assert(*out_sz >= target_key_size + aes_wrapped_size); 1006 *out_sz = target_key_size + aes_wrapped_size; 1007 1008 out: 1009 mbedtls_nist_kw_free(&kw_ctx); 1010 TEE_MemFill(aes_key_value, 0, aes_key_size); 1011 return rc; 1012 } 1013 1014 static enum pkcs11_rc unwrap_rsa_aes_key(struct active_processing *proc, 1015 void *data, uint32_t data_sz, 1016 void **out_buf, uint32_t *out_sz) 1017 { 1018 enum pkcs11_rc rc = PKCS11_CKR_OK; 1019 int mbedtls_rc = 0; 1020 TEE_Result res = TEE_ERROR_GENERIC; 1021 TEE_OperationInfo info = { }; 1022 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 1023 mbedtls_nist_kw_context kw_ctx = { }; 1024 uint8_t aes_key_value[32] = { }; 1025 size_t aes_key_size = ctx->aes_key_bits / 8; 1026 uint32_t wrapped_key_size = 0; 1027 uint32_t rsa_key_size = 0; 1028 size_t target_key_size = 0; 1029 1030 if (ctx->aes_key_bits != 128 && 1031 ctx->aes_key_bits != 192 && 1032 ctx->aes_key_bits != 256) 1033 return PKCS11_CKR_ARGUMENTS_BAD; 1034 1035 TEE_GetOperationInfo(proc->tee_op_handle, &info); 1036 rsa_key_size = info.keySize / 8; 1037 wrapped_key_size = data_sz - rsa_key_size; 1038 target_key_size = wrapped_key_size - 8; 1039 1040 *out_buf = TEE_Malloc(target_key_size, TEE_MALLOC_FILL_ZERO); 1041 if (!*out_buf) 1042 return PKCS11_CKR_DEVICE_MEMORY; 1043 1044 mbedtls_nist_kw_init(&kw_ctx); 1045 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 1046 NULL, 0, 1047 data, rsa_key_size, 1048 aes_key_value, &aes_key_size); 1049 if (res) { 1050 rc = tee2pkcs_error(res); 1051 goto out; 1052 } 1053 1054 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 1055 aes_key_value, ctx->aes_key_bits, 1056 false); 1057 if (mbedtls_rc) { 1058 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1059 goto out; 1060 } 1061 1062 mbedtls_rc = mbedtls_nist_kw_unwrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 1063 (uint8_t *)data + rsa_key_size, 1064 wrapped_key_size, *out_buf, 1065 &target_key_size, target_key_size); 1066 if (mbedtls_rc) { 1067 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1068 goto out; 1069 } 1070 1071 *out_sz = target_key_size; 1072 out: 1073 TEE_MemFill(aes_key_value, 0, aes_key_size); 1074 mbedtls_nist_kw_free(&kw_ctx); 1075 return rc; 1076 } 1077 1078 enum pkcs11_rc wrap_data_by_asymm_enc(struct pkcs11_session *session, 1079 void *data, uint32_t data_sz, 1080 void *out_buf, uint32_t *out_sz) 1081 { 1082 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1083 struct active_processing *proc = session->processing; 1084 1085 switch (proc->mecha_type) { 1086 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1087 rc = wrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1088 break; 1089 default: 1090 return PKCS11_CKR_MECHANISM_INVALID; 1091 } 1092 1093 return rc; 1094 } 1095 1096 enum pkcs11_rc unwrap_key_by_asymm(struct pkcs11_session *session, 1097 void *data, uint32_t data_sz, 1098 void **out_buf, uint32_t *out_sz) 1099 { 1100 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1101 struct active_processing *proc = session->processing; 1102 1103 switch (proc->mecha_type) { 1104 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1105 rc = unwrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1106 break; 1107 default: 1108 return PKCS11_CKR_MECHANISM_INVALID; 1109 } 1110 1111 return rc; 1112 } 1113