1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <compiler.h> 8 #include <mbedtls/nist_kw.h> 9 #include <tee_api_defines.h> 10 #include <tee_internal_api.h> 11 #include <tee_internal_api_extensions.h> 12 13 #include "attributes.h" 14 #include "pkcs11_helpers.h" 15 #include "pkcs11_token.h" 16 #include "processing.h" 17 #include "serializer.h" 18 19 bool processing_is_tee_asymm(uint32_t proc_id) 20 { 21 switch (proc_id) { 22 /* RSA flavors */ 23 case PKCS11_CKM_RSA_AES_KEY_WRAP: 24 case PKCS11_CKM_RSA_PKCS: 25 case PKCS11_CKM_RSA_PKCS_OAEP: 26 case PKCS11_CKM_RSA_PKCS_PSS: 27 case PKCS11_CKM_MD5_RSA_PKCS: 28 case PKCS11_CKM_SHA1_RSA_PKCS: 29 case PKCS11_CKM_SHA224_RSA_PKCS: 30 case PKCS11_CKM_SHA256_RSA_PKCS: 31 case PKCS11_CKM_SHA384_RSA_PKCS: 32 case PKCS11_CKM_SHA512_RSA_PKCS: 33 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 34 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 35 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 36 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 37 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 38 /* EC flavors */ 39 case PKCS11_CKM_EDDSA: 40 case PKCS11_CKM_ECDSA: 41 case PKCS11_CKM_ECDH1_DERIVE: 42 case PKCS11_CKM_ECDSA_SHA1: 43 case PKCS11_CKM_ECDSA_SHA224: 44 case PKCS11_CKM_ECDSA_SHA256: 45 case PKCS11_CKM_ECDSA_SHA384: 46 case PKCS11_CKM_ECDSA_SHA512: 47 return true; 48 default: 49 return false; 50 } 51 } 52 53 static enum pkcs11_rc 54 pkcs2tee_algorithm(uint32_t *tee_id, uint32_t *tee_hash_id, 55 enum processing_func function __unused, 56 struct pkcs11_attribute_head *proc_params, 57 struct pkcs11_object *obj) 58 { 59 static const struct { 60 enum pkcs11_mechanism_id mech_id; 61 uint32_t tee_id; 62 uint32_t tee_hash_id; 63 } pkcs2tee_algo[] = { 64 /* RSA flavors */ 65 { PKCS11_CKM_RSA_AES_KEY_WRAP, 1, 0 }, 66 { PKCS11_CKM_RSA_PKCS, TEE_ALG_RSAES_PKCS1_V1_5, 0 }, 67 { PKCS11_CKM_RSA_PKCS_OAEP, 1, 0 }, 68 { PKCS11_CKM_RSA_PKCS_PSS, 1, 0 }, 69 { PKCS11_CKM_MD5_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_MD5, 70 TEE_ALG_MD5 }, 71 { PKCS11_CKM_SHA1_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA1, 72 TEE_ALG_SHA1 }, 73 { PKCS11_CKM_SHA224_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA224, 74 TEE_ALG_SHA224 }, 75 { PKCS11_CKM_SHA256_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA256, 76 TEE_ALG_SHA256 }, 77 { PKCS11_CKM_SHA384_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA384, 78 TEE_ALG_SHA384 }, 79 { PKCS11_CKM_SHA512_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA512, 80 TEE_ALG_SHA512 }, 81 { PKCS11_CKM_SHA1_RSA_PKCS_PSS, 82 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1, TEE_ALG_SHA1 }, 83 { PKCS11_CKM_SHA224_RSA_PKCS_PSS, 84 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224, TEE_ALG_SHA224 }, 85 { PKCS11_CKM_SHA256_RSA_PKCS_PSS, 86 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256, TEE_ALG_SHA256 }, 87 { PKCS11_CKM_SHA384_RSA_PKCS_PSS, 88 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384, TEE_ALG_SHA384 }, 89 { PKCS11_CKM_SHA512_RSA_PKCS_PSS, 90 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512, TEE_ALG_SHA512 }, 91 /* EC flavors (Must find key size from the object) */ 92 { PKCS11_CKM_ECDSA, 1, 0 }, 93 { PKCS11_CKM_ECDSA_SHA1, 1, TEE_ALG_SHA1 }, 94 { PKCS11_CKM_ECDSA_SHA224, 1, TEE_ALG_SHA224 }, 95 { PKCS11_CKM_ECDSA_SHA256, 1, TEE_ALG_SHA256 }, 96 { PKCS11_CKM_ECDSA_SHA384, 1, TEE_ALG_SHA384 }, 97 { PKCS11_CKM_ECDSA_SHA512, 1, TEE_ALG_SHA512 }, 98 { PKCS11_CKM_ECDH1_DERIVE, 1, 0 }, 99 { PKCS11_CKM_EDDSA, TEE_ALG_ED25519, 0 }, 100 }; 101 size_t n = 0; 102 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 103 104 for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) { 105 if (pkcs2tee_algo[n].mech_id == proc_params->id) { 106 *tee_id = pkcs2tee_algo[n].tee_id; 107 *tee_hash_id = pkcs2tee_algo[n].tee_hash_id; 108 break; 109 } 110 } 111 112 if (n == ARRAY_SIZE(pkcs2tee_algo)) 113 return PKCS11_RV_NOT_IMPLEMENTED; 114 115 switch (proc_params->id) { 116 case PKCS11_CKM_RSA_PKCS_PSS: 117 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 118 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 119 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 120 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 121 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 122 rc = pkcs2tee_algo_rsa_pss(tee_id, proc_params); 123 break; 124 case PKCS11_CKM_RSA_PKCS_OAEP: 125 rc = pkcs2tee_algo_rsa_oaep(tee_id, tee_hash_id, proc_params); 126 break; 127 case PKCS11_CKM_RSA_AES_KEY_WRAP: 128 rc = pkcs2tee_algo_rsa_aes_wrap(tee_id, tee_hash_id, 129 proc_params); 130 break; 131 case PKCS11_CKM_ECDSA: 132 case PKCS11_CKM_ECDSA_SHA1: 133 case PKCS11_CKM_ECDSA_SHA224: 134 case PKCS11_CKM_ECDSA_SHA256: 135 case PKCS11_CKM_ECDSA_SHA384: 136 case PKCS11_CKM_ECDSA_SHA512: 137 rc = pkcs2tee_algo_ecdsa(tee_id, proc_params, obj); 138 break; 139 case PKCS11_CKM_ECDH1_DERIVE: 140 rc = pkcs2tee_algo_ecdh(tee_id, proc_params, obj); 141 break; 142 default: 143 rc = PKCS11_CKR_OK; 144 break; 145 } 146 147 /* 148 * PKCS#11 uses single mechanism CKM_RSA_PKCS for both ciphering and 149 * authentication whereas GPD TEE expects TEE_ALG_RSAES_PKCS1_V1_5 for 150 * ciphering and TEE_ALG_RSASSA_PKCS1_V1_5 for authentication. 151 */ 152 if (*tee_id == TEE_ALG_RSAES_PKCS1_V1_5 && 153 (function == PKCS11_FUNCTION_SIGN || 154 function == PKCS11_FUNCTION_VERIFY)) 155 *tee_id = TEE_ALG_RSASSA_PKCS1_V1_5; 156 157 return rc; 158 } 159 160 static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type, 161 struct pkcs11_object *obj, 162 enum processing_func function) 163 { 164 enum pkcs11_class_id class = get_class(obj->attributes); 165 enum pkcs11_key_type type = get_key_type(obj->attributes); 166 167 switch (class) { 168 case PKCS11_CKO_PUBLIC_KEY: 169 case PKCS11_CKO_PRIVATE_KEY: 170 break; 171 default: 172 TEE_Panic(class); 173 break; 174 } 175 176 switch (type) { 177 case PKCS11_CKK_EC: 178 if (class == PKCS11_CKO_PRIVATE_KEY) { 179 if (function == PKCS11_FUNCTION_DERIVE) 180 *tee_type = TEE_TYPE_ECDH_KEYPAIR; 181 else 182 *tee_type = TEE_TYPE_ECDSA_KEYPAIR; 183 } else { 184 if (function == PKCS11_FUNCTION_DERIVE) 185 *tee_type = TEE_TYPE_ECDH_PUBLIC_KEY; 186 else 187 *tee_type = TEE_TYPE_ECDSA_PUBLIC_KEY; 188 } 189 break; 190 case PKCS11_CKK_RSA: 191 if (class == PKCS11_CKO_PRIVATE_KEY) 192 *tee_type = TEE_TYPE_RSA_KEYPAIR; 193 else 194 *tee_type = TEE_TYPE_RSA_PUBLIC_KEY; 195 break; 196 case PKCS11_CKK_EC_EDWARDS: 197 if (class == PKCS11_CKO_PRIVATE_KEY) 198 *tee_type = TEE_TYPE_ED25519_KEYPAIR; 199 else 200 *tee_type = TEE_TYPE_ED25519_PUBLIC_KEY; 201 break; 202 default: 203 TEE_Panic(type); 204 break; 205 } 206 207 return PKCS11_CKR_OK; 208 } 209 210 static enum pkcs11_rc 211 allocate_tee_operation(struct pkcs11_session *session, 212 enum processing_func function, 213 struct pkcs11_attribute_head *params, 214 struct pkcs11_object *obj) 215 { 216 uint32_t size = (uint32_t)get_object_key_bit_size(obj); 217 uint32_t algo = 0; 218 uint32_t hash_algo = 0; 219 uint32_t mode = 0; 220 uint32_t hash_mode = 0; 221 TEE_Result res = TEE_ERROR_GENERIC; 222 struct active_processing *processing = session->processing; 223 224 assert(processing->tee_op_handle == TEE_HANDLE_NULL); 225 assert(processing->tee_hash_op_handle == TEE_HANDLE_NULL); 226 227 if (pkcs2tee_algorithm(&algo, &hash_algo, function, params, obj)) 228 return PKCS11_CKR_FUNCTION_FAILED; 229 230 pkcs2tee_mode(&mode, function); 231 232 if (hash_algo) { 233 pkcs2tee_mode(&hash_mode, PKCS11_FUNCTION_DIGEST); 234 235 res = TEE_AllocateOperation(&processing->tee_hash_op_handle, 236 hash_algo, hash_mode, 0); 237 if (res) { 238 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32, 239 hash_algo, hash_mode); 240 241 if (res == TEE_ERROR_NOT_SUPPORTED) 242 return PKCS11_CKR_MECHANISM_INVALID; 243 return tee2pkcs_error(res); 244 } 245 processing->tee_hash_algo = hash_algo; 246 } 247 248 res = TEE_AllocateOperation(&processing->tee_op_handle, 249 algo, mode, size); 250 if (res) 251 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32, 252 algo, mode, size); 253 254 if (res == TEE_ERROR_NOT_SUPPORTED) 255 return PKCS11_CKR_MECHANISM_INVALID; 256 257 if (res != TEE_SUCCESS && 258 processing->tee_hash_op_handle != TEE_HANDLE_NULL) { 259 TEE_FreeOperation(session->processing->tee_hash_op_handle); 260 processing->tee_hash_op_handle = TEE_HANDLE_NULL; 261 processing->tee_hash_algo = 0; 262 } 263 264 return tee2pkcs_error(res); 265 } 266 267 static enum pkcs11_rc load_tee_key(struct pkcs11_session *session, 268 struct pkcs11_object *obj, 269 enum processing_func function) 270 { 271 TEE_Attribute *tee_attrs = NULL; 272 size_t tee_attrs_count = 0; 273 size_t object_size = 0; 274 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 275 TEE_Result res = TEE_ERROR_GENERIC; 276 enum pkcs11_class_id __maybe_unused class = get_class(obj->attributes); 277 enum pkcs11_key_type type = get_key_type(obj->attributes); 278 279 assert(class == PKCS11_CKO_PUBLIC_KEY || 280 class == PKCS11_CKO_PRIVATE_KEY); 281 282 if (obj->key_handle != TEE_HANDLE_NULL) { 283 switch (type) { 284 case PKCS11_CKK_RSA: 285 /* RSA loaded keys can be reused */ 286 assert((obj->key_type == TEE_TYPE_RSA_PUBLIC_KEY && 287 class == PKCS11_CKO_PUBLIC_KEY) || 288 (obj->key_type == TEE_TYPE_RSA_KEYPAIR && 289 class == PKCS11_CKO_PRIVATE_KEY)); 290 goto key_ready; 291 case PKCS11_CKK_EC: 292 /* Reuse EC TEE key only if already DSA or DH */ 293 switch (obj->key_type) { 294 case TEE_TYPE_ECDSA_PUBLIC_KEY: 295 case TEE_TYPE_ECDSA_KEYPAIR: 296 if (function != PKCS11_FUNCTION_DERIVE) 297 goto key_ready; 298 break; 299 case TEE_TYPE_ECDH_PUBLIC_KEY: 300 case TEE_TYPE_ECDH_KEYPAIR: 301 if (function == PKCS11_FUNCTION_DERIVE) 302 goto key_ready; 303 break; 304 default: 305 assert(0); 306 break; 307 } 308 break; 309 default: 310 assert(0); 311 break; 312 } 313 314 TEE_CloseObject(obj->key_handle); 315 obj->key_handle = TEE_HANDLE_NULL; 316 } 317 318 rc = pkcs2tee_key_type(&obj->key_type, obj, function); 319 if (rc) 320 return rc; 321 322 object_size = get_object_key_bit_size(obj); 323 if (!object_size) 324 return PKCS11_CKR_GENERAL_ERROR; 325 326 switch (type) { 327 case PKCS11_CKK_RSA: 328 rc = load_tee_rsa_key_attrs(&tee_attrs, &tee_attrs_count, obj); 329 break; 330 case PKCS11_CKK_EC: 331 rc = load_tee_ec_key_attrs(&tee_attrs, &tee_attrs_count, obj); 332 break; 333 case PKCS11_CKK_EC_EDWARDS: 334 rc = load_tee_eddsa_key_attrs(&tee_attrs, &tee_attrs_count, 335 obj); 336 break; 337 default: 338 break; 339 } 340 if (rc) 341 return rc; 342 343 res = TEE_AllocateTransientObject(obj->key_type, object_size, 344 &obj->key_handle); 345 if (res) { 346 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 347 348 return tee2pkcs_error(res); 349 } 350 351 res = TEE_PopulateTransientObject(obj->key_handle, 352 tee_attrs, tee_attrs_count); 353 354 TEE_Free(tee_attrs); 355 356 if (res) { 357 DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res); 358 359 goto error; 360 } 361 362 key_ready: 363 res = TEE_SetOperationKey(session->processing->tee_op_handle, 364 obj->key_handle); 365 if (res) { 366 DMSG("TEE_SetOperationKey failed, %#"PRIx32, res); 367 368 goto error; 369 } 370 371 return PKCS11_CKR_OK; 372 373 error: 374 TEE_FreeTransientObject(obj->key_handle); 375 obj->key_handle = TEE_HANDLE_NULL; 376 return tee2pkcs_error(res); 377 } 378 379 static enum pkcs11_rc 380 init_tee_operation(struct pkcs11_session *session, 381 struct pkcs11_attribute_head *proc_params, 382 struct pkcs11_object *obj) 383 { 384 enum pkcs11_rc rc = PKCS11_CKR_OK; 385 struct active_processing *proc = session->processing; 386 387 switch (proc_params->id) { 388 case PKCS11_CKM_RSA_PKCS_PSS: 389 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 390 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 391 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 392 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 393 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 394 rc = pkcs2tee_proc_params_rsa_pss(proc, proc_params); 395 if (rc) 396 break; 397 398 rc = pkcs2tee_validate_rsa_pss(proc, obj); 399 break; 400 case PKCS11_CKM_RSA_PKCS_OAEP: 401 rc = pkcs2tee_proc_params_rsa_oaep(proc, proc_params); 402 break; 403 case PKCS11_CKM_EDDSA: 404 rc = pkcs2tee_proc_params_eddsa(proc, proc_params); 405 break; 406 case PKCS11_CKM_RSA_AES_KEY_WRAP: 407 rc = pkcs2tee_proc_params_rsa_aes_wrap(proc, proc_params); 408 break; 409 default: 410 break; 411 } 412 413 return rc; 414 } 415 416 enum pkcs11_rc init_asymm_operation(struct pkcs11_session *session, 417 enum processing_func function, 418 struct pkcs11_attribute_head *proc_params, 419 struct pkcs11_object *obj) 420 { 421 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 422 423 assert(processing_is_tee_asymm(proc_params->id)); 424 425 rc = allocate_tee_operation(session, function, proc_params, obj); 426 if (rc) 427 return rc; 428 429 rc = load_tee_key(session, obj, function); 430 if (rc) 431 return rc; 432 433 return init_tee_operation(session, proc_params, obj); 434 } 435 436 /* 437 * step_sym_step - step (update/oneshot/final) on a symmetric crypto operation 438 * 439 * @session - current session 440 * @function - processing function (encrypt, decrypt, sign, ...) 441 * @step - step ID in the processing (oneshot, update, final) 442 * @ptypes - invocation parameter types 443 * @params - invocation parameter references 444 */ 445 enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session, 446 enum processing_func function, 447 enum processing_step step, 448 uint32_t ptypes, TEE_Param *params) 449 { 450 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 451 TEE_Result res = TEE_ERROR_GENERIC; 452 void *in_buf = NULL; 453 void *in2_buf = NULL; 454 void *out_buf = NULL; 455 void *hash_buf = NULL; 456 uint32_t in_size = 0; 457 uint32_t in2_size = 0; 458 uint32_t out_size = 0; 459 uint32_t hash_size = 0; 460 TEE_Attribute *tee_attrs = NULL; 461 size_t tee_attrs_count = 0; 462 bool output_data = false; 463 struct active_processing *proc = session->processing; 464 struct rsa_aes_key_wrap_processing_ctx *rsa_aes_ctx = NULL; 465 struct rsa_oaep_processing_ctx *rsa_oaep_ctx = NULL; 466 struct rsa_pss_processing_ctx *rsa_pss_ctx = NULL; 467 struct eddsa_processing_ctx *eddsa_ctx = NULL; 468 size_t sz = 0; 469 470 if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) { 471 in_buf = params[1].memref.buffer; 472 in_size = params[1].memref.size; 473 if (in_size && !in_buf) 474 return PKCS11_CKR_ARGUMENTS_BAD; 475 } 476 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) { 477 in2_buf = params[2].memref.buffer; 478 in2_size = params[2].memref.size; 479 if (in2_size && !in2_buf) 480 return PKCS11_CKR_ARGUMENTS_BAD; 481 } 482 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) { 483 out_buf = params[2].memref.buffer; 484 out_size = params[2].memref.size; 485 if (out_size && !out_buf) 486 return PKCS11_CKR_ARGUMENTS_BAD; 487 } 488 if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE) 489 return PKCS11_CKR_ARGUMENTS_BAD; 490 491 switch (step) { 492 case PKCS11_FUNC_STEP_ONESHOT: 493 case PKCS11_FUNC_STEP_UPDATE: 494 case PKCS11_FUNC_STEP_FINAL: 495 break; 496 default: 497 return PKCS11_CKR_GENERAL_ERROR; 498 } 499 500 /* TEE attribute(s) required by the operation */ 501 switch (proc->mecha_type) { 502 case PKCS11_CKM_RSA_PKCS_PSS: 503 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 504 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 505 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 506 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 507 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 508 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 509 TEE_USER_MEM_HINT_NO_FILL_ZERO); 510 if (!tee_attrs) { 511 rc = PKCS11_CKR_DEVICE_MEMORY; 512 goto out; 513 } 514 515 rsa_pss_ctx = proc->extra_ctx; 516 517 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 518 TEE_ATTR_RSA_PSS_SALT_LENGTH, 519 rsa_pss_ctx->salt_len, 0); 520 tee_attrs_count++; 521 break; 522 case PKCS11_CKM_EDDSA: 523 eddsa_ctx = proc->extra_ctx; 524 525 tee_attrs = TEE_Malloc(2 * sizeof(TEE_Attribute), 526 TEE_USER_MEM_HINT_NO_FILL_ZERO); 527 if (!tee_attrs) { 528 rc = PKCS11_CKR_DEVICE_MEMORY; 529 goto out; 530 } 531 532 if (eddsa_ctx->flag) { 533 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 534 TEE_ATTR_EDDSA_PREHASH, 0, 0); 535 tee_attrs_count++; 536 } 537 538 if (eddsa_ctx->ctx_len > 0) { 539 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 540 TEE_ATTR_EDDSA_CTX, eddsa_ctx->ctx, 541 eddsa_ctx->ctx_len); 542 tee_attrs_count++; 543 } 544 break; 545 case PKCS11_CKM_RSA_PKCS_OAEP: 546 rsa_oaep_ctx = proc->extra_ctx; 547 548 if (!rsa_oaep_ctx->source_data_len) 549 break; 550 551 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 552 TEE_USER_MEM_HINT_NO_FILL_ZERO); 553 if (!tee_attrs) { 554 rc = PKCS11_CKR_DEVICE_MEMORY; 555 goto out; 556 } 557 558 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 559 TEE_ATTR_RSA_OAEP_LABEL, 560 rsa_oaep_ctx->source_data, 561 rsa_oaep_ctx->source_data_len); 562 tee_attrs_count++; 563 break; 564 case PKCS11_CKM_RSA_AES_KEY_WRAP: 565 rsa_aes_ctx = proc->extra_ctx; 566 567 if (!rsa_aes_ctx->source_data_len) 568 break; 569 570 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 571 TEE_USER_MEM_HINT_NO_FILL_ZERO); 572 if (!tee_attrs) { 573 rc = PKCS11_CKR_DEVICE_MEMORY; 574 goto out; 575 } 576 577 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 578 TEE_ATTR_RSA_OAEP_LABEL, 579 rsa_aes_ctx->source_data, 580 rsa_aes_ctx->source_data_len); 581 tee_attrs_count++; 582 break; 583 default: 584 break; 585 } 586 587 /* 588 * Handle multi stage update step for mechas needing hash 589 * calculation 590 */ 591 if (step == PKCS11_FUNC_STEP_UPDATE) { 592 switch (proc->mecha_type) { 593 case PKCS11_CKM_ECDSA_SHA1: 594 case PKCS11_CKM_ECDSA_SHA224: 595 case PKCS11_CKM_ECDSA_SHA256: 596 case PKCS11_CKM_ECDSA_SHA384: 597 case PKCS11_CKM_ECDSA_SHA512: 598 case PKCS11_CKM_MD5_RSA_PKCS: 599 case PKCS11_CKM_SHA1_RSA_PKCS: 600 case PKCS11_CKM_SHA224_RSA_PKCS: 601 case PKCS11_CKM_SHA256_RSA_PKCS: 602 case PKCS11_CKM_SHA384_RSA_PKCS: 603 case PKCS11_CKM_SHA512_RSA_PKCS: 604 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 605 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 606 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 607 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 608 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 609 assert(proc->tee_hash_op_handle != TEE_HANDLE_NULL); 610 611 TEE_DigestUpdate(proc->tee_hash_op_handle, in_buf, 612 in_size); 613 rc = PKCS11_CKR_OK; 614 break; 615 default: 616 /* 617 * Other mechanism do not expect multi stage 618 * operation 619 */ 620 rc = PKCS11_CKR_GENERAL_ERROR; 621 break; 622 } 623 624 goto out; 625 } 626 627 /* 628 * Handle multi stage one shot and final steps for mechas needing hash 629 * calculation 630 */ 631 switch (proc->mecha_type) { 632 case PKCS11_CKM_ECDSA_SHA1: 633 case PKCS11_CKM_ECDSA_SHA224: 634 case PKCS11_CKM_ECDSA_SHA256: 635 case PKCS11_CKM_ECDSA_SHA384: 636 case PKCS11_CKM_ECDSA_SHA512: 637 case PKCS11_CKM_MD5_RSA_PKCS: 638 case PKCS11_CKM_SHA1_RSA_PKCS: 639 case PKCS11_CKM_SHA224_RSA_PKCS: 640 case PKCS11_CKM_SHA256_RSA_PKCS: 641 case PKCS11_CKM_SHA384_RSA_PKCS: 642 case PKCS11_CKM_SHA512_RSA_PKCS: 643 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 644 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 645 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 646 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 647 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 648 assert(proc->tee_hash_op_handle != TEE_HANDLE_NULL); 649 650 hash_size = TEE_ALG_GET_DIGEST_SIZE(proc->tee_hash_algo); 651 hash_buf = TEE_Malloc(hash_size, 0); 652 if (!hash_buf) 653 return PKCS11_CKR_DEVICE_MEMORY; 654 655 res = TEE_DigestDoFinal(proc->tee_hash_op_handle, 656 in_buf, in_size, hash_buf, 657 &hash_size); 658 659 rc = tee2pkcs_error(res); 660 if (rc != PKCS11_CKR_OK) 661 goto out; 662 663 break; 664 default: 665 break; 666 } 667 668 /* 669 * Finalize either provided hash or calculated hash with signing 670 * operation 671 */ 672 673 /* First determine amount of bytes for signing operation */ 674 switch (proc->mecha_type) { 675 case PKCS11_CKM_ECDSA: 676 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 677 if (!in_size || !sz) { 678 rc = PKCS11_CKR_FUNCTION_FAILED; 679 goto out; 680 } 681 682 /* 683 * Note 3) Input the entire raw digest. Internally, this will 684 * be truncated to the appropriate number of bits. 685 */ 686 if (in_size > sz) 687 in_size = sz; 688 689 if (function == PKCS11_FUNCTION_VERIFY && in2_size != 2 * sz) { 690 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 691 goto out; 692 } 693 break; 694 case PKCS11_CKM_ECDSA_SHA1: 695 case PKCS11_CKM_ECDSA_SHA224: 696 case PKCS11_CKM_ECDSA_SHA256: 697 case PKCS11_CKM_ECDSA_SHA384: 698 case PKCS11_CKM_ECDSA_SHA512: 699 /* Get key size in bytes */ 700 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 701 if (!sz) { 702 rc = PKCS11_CKR_FUNCTION_FAILED; 703 goto out; 704 } 705 706 if (function == PKCS11_FUNCTION_VERIFY && 707 in2_size != 2 * sz) { 708 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 709 goto out; 710 } 711 break; 712 case PKCS11_CKM_RSA_PKCS: 713 case PKCS11_CKM_MD5_RSA_PKCS: 714 case PKCS11_CKM_SHA1_RSA_PKCS: 715 case PKCS11_CKM_SHA224_RSA_PKCS: 716 case PKCS11_CKM_SHA256_RSA_PKCS: 717 case PKCS11_CKM_SHA384_RSA_PKCS: 718 case PKCS11_CKM_SHA512_RSA_PKCS: 719 case PKCS11_CKM_RSA_PKCS_PSS: 720 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 721 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 722 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 723 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 724 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 725 /* Get key size in bytes */ 726 sz = rsa_get_input_max_byte_size(proc->tee_op_handle); 727 if (!sz) { 728 rc = PKCS11_CKR_FUNCTION_FAILED; 729 goto out; 730 } 731 732 if (function == PKCS11_FUNCTION_VERIFY && in2_size != sz) { 733 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 734 goto out; 735 } 736 break; 737 default: 738 break; 739 } 740 741 /* Next perform actual signing operation */ 742 switch (proc->mecha_type) { 743 case PKCS11_CKM_ECDSA: 744 case PKCS11_CKM_EDDSA: 745 case PKCS11_CKM_RSA_PKCS: 746 case PKCS11_CKM_RSA_PKCS_OAEP: 747 case PKCS11_CKM_RSA_PKCS_PSS: 748 /* For operations using provided input data */ 749 switch (function) { 750 case PKCS11_FUNCTION_ENCRYPT: 751 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 752 tee_attrs, tee_attrs_count, 753 in_buf, in_size, 754 out_buf, &out_size); 755 output_data = true; 756 rc = tee2pkcs_error(res); 757 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 758 rc = PKCS11_CKR_DATA_LEN_RANGE; 759 break; 760 761 case PKCS11_FUNCTION_DECRYPT: 762 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 763 tee_attrs, tee_attrs_count, 764 in_buf, in_size, 765 out_buf, &out_size); 766 output_data = true; 767 rc = tee2pkcs_error(res); 768 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 769 rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 770 break; 771 772 case PKCS11_FUNCTION_SIGN: 773 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 774 tee_attrs, 775 tee_attrs_count, 776 in_buf, in_size, 777 out_buf, &out_size); 778 output_data = true; 779 rc = tee2pkcs_error(res); 780 break; 781 782 case PKCS11_FUNCTION_VERIFY: 783 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 784 tee_attrs, 785 tee_attrs_count, 786 in_buf, in_size, 787 in2_buf, in2_size); 788 rc = tee2pkcs_error(res); 789 break; 790 791 default: 792 TEE_Panic(function); 793 break; 794 } 795 break; 796 case PKCS11_CKM_ECDSA_SHA1: 797 case PKCS11_CKM_ECDSA_SHA224: 798 case PKCS11_CKM_ECDSA_SHA256: 799 case PKCS11_CKM_ECDSA_SHA384: 800 case PKCS11_CKM_ECDSA_SHA512: 801 case PKCS11_CKM_MD5_RSA_PKCS: 802 case PKCS11_CKM_SHA1_RSA_PKCS: 803 case PKCS11_CKM_SHA224_RSA_PKCS: 804 case PKCS11_CKM_SHA256_RSA_PKCS: 805 case PKCS11_CKM_SHA384_RSA_PKCS: 806 case PKCS11_CKM_SHA512_RSA_PKCS: 807 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 808 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 809 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 810 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 811 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 812 /* For operations having hash operation use calculated hash */ 813 switch (function) { 814 case PKCS11_FUNCTION_SIGN: 815 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 816 tee_attrs, 817 tee_attrs_count, 818 hash_buf, hash_size, 819 out_buf, &out_size); 820 output_data = true; 821 rc = tee2pkcs_error(res); 822 break; 823 824 case PKCS11_FUNCTION_VERIFY: 825 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 826 tee_attrs, 827 tee_attrs_count, 828 hash_buf, hash_size, 829 in2_buf, in2_size); 830 rc = tee2pkcs_error(res); 831 break; 832 833 default: 834 TEE_Panic(function); 835 break; 836 } 837 break; 838 default: 839 TEE_Panic(proc->mecha_type); 840 break; 841 } 842 843 out: 844 if (output_data && 845 (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) { 846 switch (TEE_PARAM_TYPE_GET(ptypes, 2)) { 847 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 848 case TEE_PARAM_TYPE_MEMREF_INOUT: 849 params[2].memref.size = out_size; 850 break; 851 default: 852 rc = PKCS11_CKR_GENERAL_ERROR; 853 break; 854 } 855 } 856 857 TEE_Free(hash_buf); 858 TEE_Free(tee_attrs); 859 860 return rc; 861 } 862 863 enum pkcs11_rc do_asymm_derivation(struct pkcs11_session *session, 864 struct pkcs11_attribute_head *proc_params, 865 struct obj_attrs **head) 866 { 867 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 868 TEE_ObjectHandle out_handle = TEE_HANDLE_NULL; 869 TEE_Result res = TEE_ERROR_GENERIC; 870 TEE_Attribute tee_attrs[2] = { }; 871 size_t tee_attrs_count = 0; 872 uint32_t key_byte_size = 0; 873 uint32_t key_bit_size = 0; 874 void *a_ptr = NULL; 875 size_t a_size = 0; 876 877 /* Remove default attribute set at template sanitization */ 878 if (remove_empty_attribute(head, PKCS11_CKA_VALUE)) 879 return PKCS11_CKR_FUNCTION_FAILED; 880 881 rc = get_u32_attribute(*head, PKCS11_CKA_VALUE_LEN, &key_bit_size); 882 if (rc) 883 return rc; 884 885 key_bit_size *= 8; 886 key_byte_size = (key_bit_size + 7) / 8; 887 888 res = TEE_AllocateTransientObject(TEE_TYPE_GENERIC_SECRET, 889 key_byte_size * 8, &out_handle); 890 if (res) { 891 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 892 return tee2pkcs_error(res); 893 } 894 895 switch (proc_params->id) { 896 case PKCS11_CKM_ECDH1_DERIVE: 897 rc = pkcs2tee_param_ecdh(proc_params, &a_ptr, &a_size); 898 if (rc) 899 goto out; 900 901 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 902 TEE_ATTR_ECC_PUBLIC_VALUE_X, 903 a_ptr, a_size / 2); 904 tee_attrs_count++; 905 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 906 TEE_ATTR_ECC_PUBLIC_VALUE_Y, 907 (char *)a_ptr + a_size / 2, 908 a_size / 2); 909 tee_attrs_count++; 910 break; 911 default: 912 TEE_Panic(proc_params->id); 913 break; 914 } 915 916 TEE_DeriveKey(session->processing->tee_op_handle, &tee_attrs[0], 917 tee_attrs_count, out_handle); 918 919 rc = alloc_get_tee_attribute_data(out_handle, TEE_ATTR_SECRET_VALUE, 920 &a_ptr, &a_size); 921 if (rc) 922 goto out; 923 924 if (a_size * 8 < key_bit_size) 925 rc = PKCS11_CKR_KEY_SIZE_RANGE; 926 else 927 rc = add_attribute(head, PKCS11_CKA_VALUE, a_ptr, 928 key_byte_size); 929 TEE_Free(a_ptr); 930 out: 931 release_active_processing(session); 932 TEE_FreeTransientObject(out_handle); 933 934 return rc; 935 } 936 937 static enum pkcs11_rc wrap_rsa_aes_key(struct active_processing *proc, 938 void *data, uint32_t data_sz, 939 void *out_buf, uint32_t *out_sz) 940 { 941 enum pkcs11_rc rc = PKCS11_CKR_OK; 942 TEE_Result res = TEE_ERROR_GENERIC; 943 int mbedtls_rc = 0; 944 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 945 mbedtls_nist_kw_context kw_ctx = { }; 946 uint8_t aes_key_value[32] = { }; 947 uint32_t aes_key_size = ctx->aes_key_bits / 8; 948 uint32_t aes_wrapped_size = *out_sz; 949 uint32_t expected_size = 0; 950 size_t target_key_size = 0; 951 const size_t kw_semiblock_len = 8; 952 953 if (ctx->aes_key_bits != 128 && 954 ctx->aes_key_bits != 192 && 955 ctx->aes_key_bits != 256) 956 return PKCS11_CKR_ARGUMENTS_BAD; 957 958 mbedtls_nist_kw_init(&kw_ctx); 959 TEE_GenerateRandom(aes_key_value, aes_key_size); 960 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 961 NULL, 0, 962 aes_key_value, aes_key_size, 963 out_buf, &aes_wrapped_size); 964 expected_size = aes_wrapped_size + data_sz + kw_semiblock_len; 965 if (res) { 966 if (res == TEE_ERROR_SHORT_BUFFER) 967 *out_sz = expected_size; 968 969 rc = tee2pkcs_error(res); 970 goto out; 971 } 972 973 if (*out_sz < expected_size) { 974 rc = PKCS11_CKR_BUFFER_TOO_SMALL; 975 *out_sz = expected_size; 976 goto out; 977 } 978 979 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 980 aes_key_value, ctx->aes_key_bits, 981 true); 982 if (mbedtls_rc) { 983 if (mbedtls_rc == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) 984 rc = PKCS11_CKR_KEY_SIZE_RANGE; 985 else 986 rc = PKCS11_CKR_FUNCTION_FAILED; 987 988 goto out; 989 } 990 991 mbedtls_rc = mbedtls_nist_kw_wrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 992 data, data_sz, 993 (uint8_t *)out_buf + aes_wrapped_size, 994 &target_key_size, 995 *out_sz - aes_wrapped_size); 996 if (mbedtls_rc) { 997 rc = PKCS11_CKR_ARGUMENTS_BAD; 998 goto out; 999 } 1000 1001 assert(*out_sz >= target_key_size + aes_wrapped_size); 1002 *out_sz = target_key_size + aes_wrapped_size; 1003 1004 out: 1005 mbedtls_nist_kw_free(&kw_ctx); 1006 TEE_MemFill(aes_key_value, 0, aes_key_size); 1007 return rc; 1008 } 1009 1010 static enum pkcs11_rc unwrap_rsa_aes_key(struct active_processing *proc, 1011 void *data, uint32_t data_sz, 1012 void **out_buf, uint32_t *out_sz) 1013 { 1014 enum pkcs11_rc rc = PKCS11_CKR_OK; 1015 int mbedtls_rc = 0; 1016 TEE_Result res = TEE_ERROR_GENERIC; 1017 TEE_OperationInfo info = { }; 1018 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 1019 mbedtls_nist_kw_context kw_ctx = { }; 1020 uint8_t aes_key_value[32] = { }; 1021 uint32_t aes_key_size = ctx->aes_key_bits / 8; 1022 uint32_t wrapped_key_size = 0; 1023 uint32_t rsa_key_size = 0; 1024 size_t target_key_size = 0; 1025 1026 if (ctx->aes_key_bits != 128 && 1027 ctx->aes_key_bits != 192 && 1028 ctx->aes_key_bits != 256) 1029 return PKCS11_CKR_ARGUMENTS_BAD; 1030 1031 TEE_GetOperationInfo(proc->tee_op_handle, &info); 1032 rsa_key_size = info.keySize / 8; 1033 wrapped_key_size = data_sz - rsa_key_size; 1034 target_key_size = wrapped_key_size - 8; 1035 1036 *out_buf = TEE_Malloc(target_key_size, TEE_MALLOC_FILL_ZERO); 1037 if (!*out_buf) 1038 return PKCS11_CKR_DEVICE_MEMORY; 1039 1040 mbedtls_nist_kw_init(&kw_ctx); 1041 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 1042 NULL, 0, 1043 data, rsa_key_size, 1044 aes_key_value, &aes_key_size); 1045 if (res) { 1046 rc = tee2pkcs_error(res); 1047 goto out; 1048 } 1049 1050 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 1051 aes_key_value, ctx->aes_key_bits, 1052 false); 1053 if (mbedtls_rc) { 1054 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1055 goto out; 1056 } 1057 1058 mbedtls_rc = mbedtls_nist_kw_unwrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 1059 (uint8_t *)data + rsa_key_size, 1060 wrapped_key_size, *out_buf, 1061 &target_key_size, target_key_size); 1062 if (mbedtls_rc) { 1063 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1064 goto out; 1065 } 1066 1067 *out_sz = target_key_size; 1068 out: 1069 TEE_MemFill(aes_key_value, 0, aes_key_size); 1070 mbedtls_nist_kw_free(&kw_ctx); 1071 return rc; 1072 } 1073 1074 enum pkcs11_rc wrap_data_by_asymm_enc(struct pkcs11_session *session, 1075 void *data, uint32_t data_sz, 1076 void *out_buf, uint32_t *out_sz) 1077 { 1078 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1079 struct active_processing *proc = session->processing; 1080 1081 switch (proc->mecha_type) { 1082 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1083 rc = wrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1084 break; 1085 default: 1086 return PKCS11_CKR_MECHANISM_INVALID; 1087 } 1088 1089 return rc; 1090 } 1091 1092 enum pkcs11_rc unwrap_key_by_asymm(struct pkcs11_session *session, 1093 void *data, uint32_t data_sz, 1094 void **out_buf, uint32_t *out_sz) 1095 { 1096 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1097 struct active_processing *proc = session->processing; 1098 1099 switch (proc->mecha_type) { 1100 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1101 rc = unwrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1102 break; 1103 default: 1104 return PKCS11_CKR_MECHANISM_INVALID; 1105 } 1106 1107 return rc; 1108 } 1109