1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <compiler.h> 8 #include <mbedtls/nist_kw.h> 9 #include <tee_api_defines.h> 10 #include <tee_internal_api.h> 11 #include <tee_internal_api_extensions.h> 12 13 #include "attributes.h" 14 #include "pkcs11_helpers.h" 15 #include "pkcs11_token.h" 16 #include "processing.h" 17 #include "serializer.h" 18 19 bool processing_is_tee_asymm(uint32_t proc_id) 20 { 21 switch (proc_id) { 22 /* RSA flavors */ 23 case PKCS11_CKM_RSA_AES_KEY_WRAP: 24 case PKCS11_CKM_RSA_PKCS: 25 case PKCS11_CKM_RSA_PKCS_OAEP: 26 case PKCS11_CKM_RSA_PKCS_PSS: 27 case PKCS11_CKM_MD5_RSA_PKCS: 28 case PKCS11_CKM_SHA1_RSA_PKCS: 29 case PKCS11_CKM_SHA224_RSA_PKCS: 30 case PKCS11_CKM_SHA256_RSA_PKCS: 31 case PKCS11_CKM_SHA384_RSA_PKCS: 32 case PKCS11_CKM_SHA512_RSA_PKCS: 33 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 34 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 35 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 36 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 37 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 38 /* EC flavors */ 39 case PKCS11_CKM_EDDSA: 40 case PKCS11_CKM_ECDSA: 41 case PKCS11_CKM_ECDH1_DERIVE: 42 case PKCS11_CKM_ECDSA_SHA1: 43 case PKCS11_CKM_ECDSA_SHA224: 44 case PKCS11_CKM_ECDSA_SHA256: 45 case PKCS11_CKM_ECDSA_SHA384: 46 case PKCS11_CKM_ECDSA_SHA512: 47 return true; 48 default: 49 return false; 50 } 51 } 52 53 static enum pkcs11_rc 54 pkcs2tee_algorithm(uint32_t *tee_id, uint32_t *tee_hash_id, 55 enum processing_func function __unused, 56 struct pkcs11_attribute_head *proc_params, 57 struct pkcs11_object *obj) 58 { 59 static const struct { 60 enum pkcs11_mechanism_id mech_id; 61 uint32_t tee_id; 62 uint32_t tee_hash_id; 63 } pkcs2tee_algo[] = { 64 /* RSA flavors */ 65 { PKCS11_CKM_RSA_AES_KEY_WRAP, 1, 0 }, 66 { PKCS11_CKM_RSA_PKCS, TEE_ALG_RSAES_PKCS1_V1_5, 0 }, 67 { PKCS11_CKM_RSA_PKCS_OAEP, 1, 0 }, 68 { PKCS11_CKM_RSA_PKCS_PSS, 1, 0 }, 69 { PKCS11_CKM_MD5_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_MD5, 70 TEE_ALG_MD5 }, 71 { PKCS11_CKM_SHA1_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA1, 72 TEE_ALG_SHA1 }, 73 { PKCS11_CKM_SHA224_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA224, 74 TEE_ALG_SHA224 }, 75 { PKCS11_CKM_SHA256_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA256, 76 TEE_ALG_SHA256 }, 77 { PKCS11_CKM_SHA384_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA384, 78 TEE_ALG_SHA384 }, 79 { PKCS11_CKM_SHA512_RSA_PKCS, TEE_ALG_RSASSA_PKCS1_V1_5_SHA512, 80 TEE_ALG_SHA512 }, 81 { PKCS11_CKM_SHA1_RSA_PKCS_PSS, 82 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1, TEE_ALG_SHA1 }, 83 { PKCS11_CKM_SHA224_RSA_PKCS_PSS, 84 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224, TEE_ALG_SHA224 }, 85 { PKCS11_CKM_SHA256_RSA_PKCS_PSS, 86 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256, TEE_ALG_SHA256 }, 87 { PKCS11_CKM_SHA384_RSA_PKCS_PSS, 88 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384, TEE_ALG_SHA384 }, 89 { PKCS11_CKM_SHA512_RSA_PKCS_PSS, 90 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512, TEE_ALG_SHA512 }, 91 /* EC flavors (Must find key size from the object) */ 92 { PKCS11_CKM_ECDSA, 1, 0 }, 93 { PKCS11_CKM_ECDSA_SHA1, 1, TEE_ALG_SHA1 }, 94 { PKCS11_CKM_ECDSA_SHA224, 1, TEE_ALG_SHA224 }, 95 { PKCS11_CKM_ECDSA_SHA256, 1, TEE_ALG_SHA256 }, 96 { PKCS11_CKM_ECDSA_SHA384, 1, TEE_ALG_SHA384 }, 97 { PKCS11_CKM_ECDSA_SHA512, 1, TEE_ALG_SHA512 }, 98 { PKCS11_CKM_ECDH1_DERIVE, 1, 0 }, 99 { PKCS11_CKM_EDDSA, TEE_ALG_ED25519, 0 }, 100 }; 101 size_t n = 0; 102 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 103 104 for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) { 105 if (pkcs2tee_algo[n].mech_id == proc_params->id) { 106 *tee_id = pkcs2tee_algo[n].tee_id; 107 *tee_hash_id = pkcs2tee_algo[n].tee_hash_id; 108 break; 109 } 110 } 111 112 if (n == ARRAY_SIZE(pkcs2tee_algo)) 113 return PKCS11_RV_NOT_IMPLEMENTED; 114 115 switch (proc_params->id) { 116 case PKCS11_CKM_RSA_PKCS_PSS: 117 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 118 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 119 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 120 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 121 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 122 rc = pkcs2tee_algo_rsa_pss(tee_id, proc_params); 123 break; 124 case PKCS11_CKM_RSA_PKCS_OAEP: 125 rc = pkcs2tee_algo_rsa_oaep(tee_id, tee_hash_id, proc_params); 126 break; 127 case PKCS11_CKM_RSA_AES_KEY_WRAP: 128 rc = pkcs2tee_algo_rsa_aes_wrap(tee_id, tee_hash_id, 129 proc_params); 130 break; 131 case PKCS11_CKM_ECDSA: 132 case PKCS11_CKM_ECDSA_SHA1: 133 case PKCS11_CKM_ECDSA_SHA224: 134 case PKCS11_CKM_ECDSA_SHA256: 135 case PKCS11_CKM_ECDSA_SHA384: 136 case PKCS11_CKM_ECDSA_SHA512: 137 rc = pkcs2tee_algo_ecdsa(tee_id, proc_params, obj); 138 break; 139 case PKCS11_CKM_ECDH1_DERIVE: 140 rc = pkcs2tee_algo_ecdh(tee_id, proc_params, obj); 141 break; 142 default: 143 rc = PKCS11_CKR_OK; 144 break; 145 } 146 147 /* 148 * PKCS#11 uses single mechanism CKM_RSA_PKCS for both ciphering and 149 * authentication whereas GPD TEE expects TEE_ALG_RSAES_PKCS1_V1_5 for 150 * ciphering and TEE_ALG_RSASSA_PKCS1_V1_5 for authentication. 151 */ 152 if (*tee_id == TEE_ALG_RSAES_PKCS1_V1_5 && 153 (function == PKCS11_FUNCTION_SIGN || 154 function == PKCS11_FUNCTION_VERIFY)) 155 *tee_id = TEE_ALG_RSASSA_PKCS1_V1_5; 156 157 return rc; 158 } 159 160 static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type, 161 struct pkcs11_object *obj, 162 enum processing_func function) 163 { 164 enum pkcs11_class_id class = get_class(obj->attributes); 165 enum pkcs11_key_type type = get_key_type(obj->attributes); 166 167 switch (class) { 168 case PKCS11_CKO_PUBLIC_KEY: 169 case PKCS11_CKO_PRIVATE_KEY: 170 break; 171 default: 172 TEE_Panic(class); 173 break; 174 } 175 176 switch (type) { 177 case PKCS11_CKK_EC: 178 if (class == PKCS11_CKO_PRIVATE_KEY) { 179 if (function == PKCS11_FUNCTION_DERIVE) 180 *tee_type = TEE_TYPE_ECDH_KEYPAIR; 181 else 182 *tee_type = TEE_TYPE_ECDSA_KEYPAIR; 183 } else { 184 if (function == PKCS11_FUNCTION_DERIVE) 185 *tee_type = TEE_TYPE_ECDH_PUBLIC_KEY; 186 else 187 *tee_type = TEE_TYPE_ECDSA_PUBLIC_KEY; 188 } 189 break; 190 case PKCS11_CKK_RSA: 191 if (class == PKCS11_CKO_PRIVATE_KEY) 192 *tee_type = TEE_TYPE_RSA_KEYPAIR; 193 else 194 *tee_type = TEE_TYPE_RSA_PUBLIC_KEY; 195 break; 196 case PKCS11_CKK_EC_EDWARDS: 197 if (class == PKCS11_CKO_PRIVATE_KEY) 198 *tee_type = TEE_TYPE_ED25519_KEYPAIR; 199 else 200 *tee_type = TEE_TYPE_ED25519_PUBLIC_KEY; 201 break; 202 default: 203 TEE_Panic(type); 204 break; 205 } 206 207 return PKCS11_CKR_OK; 208 } 209 210 static enum pkcs11_rc 211 allocate_tee_operation(struct pkcs11_session *session, 212 enum processing_func function, 213 struct pkcs11_attribute_head *params, 214 struct pkcs11_object *obj) 215 { 216 uint32_t size = (uint32_t)get_object_key_bit_size(obj); 217 uint32_t algo = 0; 218 uint32_t hash_algo = 0; 219 uint32_t mode = 0; 220 uint32_t hash_mode = 0; 221 TEE_Result res = TEE_ERROR_GENERIC; 222 struct active_processing *processing = session->processing; 223 224 assert(processing->tee_op_handle == TEE_HANDLE_NULL); 225 assert(processing->tee_op_handle2 == TEE_HANDLE_NULL); 226 227 if (pkcs2tee_algorithm(&algo, &hash_algo, function, params, obj)) 228 return PKCS11_CKR_FUNCTION_FAILED; 229 230 pkcs2tee_mode(&mode, function); 231 232 if (hash_algo) { 233 pkcs2tee_mode(&hash_mode, PKCS11_FUNCTION_DIGEST); 234 235 res = TEE_AllocateOperation(&processing->tee_op_handle2, 236 hash_algo, hash_mode, 0); 237 if (res) { 238 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32, 239 hash_algo, hash_mode); 240 241 if (res == TEE_ERROR_NOT_SUPPORTED) 242 return PKCS11_CKR_MECHANISM_INVALID; 243 return tee2pkcs_error(res); 244 } 245 processing->tee_hash_algo = hash_algo; 246 } 247 248 res = TEE_AllocateOperation(&processing->tee_op_handle, 249 algo, mode, size); 250 if (res) 251 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32, 252 algo, mode, size); 253 254 if (res == TEE_ERROR_NOT_SUPPORTED) 255 return PKCS11_CKR_MECHANISM_INVALID; 256 257 if (res != TEE_SUCCESS && 258 processing->tee_op_handle2 != TEE_HANDLE_NULL) { 259 TEE_FreeOperation(session->processing->tee_op_handle2); 260 processing->tee_op_handle2 = TEE_HANDLE_NULL; 261 processing->tee_hash_algo = 0; 262 } 263 264 return tee2pkcs_error(res); 265 } 266 267 static enum pkcs11_rc load_tee_key(struct pkcs11_session *session, 268 struct pkcs11_object *obj, 269 enum processing_func function) 270 { 271 TEE_Attribute *tee_attrs = NULL; 272 size_t tee_attrs_count = 0; 273 size_t object_size = 0; 274 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 275 TEE_Result res = TEE_ERROR_GENERIC; 276 enum pkcs11_class_id __maybe_unused class = get_class(obj->attributes); 277 enum pkcs11_key_type type = get_key_type(obj->attributes); 278 279 assert(class == PKCS11_CKO_PUBLIC_KEY || 280 class == PKCS11_CKO_PRIVATE_KEY); 281 282 if (obj->key_handle != TEE_HANDLE_NULL) { 283 switch (type) { 284 case PKCS11_CKK_RSA: 285 /* RSA loaded keys can be reused */ 286 assert((obj->key_type == TEE_TYPE_RSA_PUBLIC_KEY && 287 class == PKCS11_CKO_PUBLIC_KEY) || 288 (obj->key_type == TEE_TYPE_RSA_KEYPAIR && 289 class == PKCS11_CKO_PRIVATE_KEY)); 290 goto key_ready; 291 case PKCS11_CKK_EC: 292 /* Reuse EC TEE key only if already DSA or DH */ 293 switch (obj->key_type) { 294 case TEE_TYPE_ECDSA_PUBLIC_KEY: 295 case TEE_TYPE_ECDSA_KEYPAIR: 296 if (function != PKCS11_FUNCTION_DERIVE) 297 goto key_ready; 298 break; 299 case TEE_TYPE_ECDH_PUBLIC_KEY: 300 case TEE_TYPE_ECDH_KEYPAIR: 301 if (function == PKCS11_FUNCTION_DERIVE) 302 goto key_ready; 303 break; 304 default: 305 assert(0); 306 break; 307 } 308 break; 309 default: 310 assert(0); 311 break; 312 } 313 314 TEE_CloseObject(obj->key_handle); 315 obj->key_handle = TEE_HANDLE_NULL; 316 } 317 318 rc = pkcs2tee_key_type(&obj->key_type, obj, function); 319 if (rc) 320 return rc; 321 322 object_size = get_object_key_bit_size(obj); 323 if (!object_size) 324 return PKCS11_CKR_GENERAL_ERROR; 325 326 switch (type) { 327 case PKCS11_CKK_RSA: 328 rc = load_tee_rsa_key_attrs(&tee_attrs, &tee_attrs_count, obj); 329 break; 330 case PKCS11_CKK_EC: 331 rc = load_tee_ec_key_attrs(&tee_attrs, &tee_attrs_count, obj); 332 break; 333 case PKCS11_CKK_EC_EDWARDS: 334 rc = load_tee_eddsa_key_attrs(&tee_attrs, &tee_attrs_count, 335 obj); 336 break; 337 default: 338 break; 339 } 340 if (rc) 341 return rc; 342 343 res = TEE_AllocateTransientObject(obj->key_type, object_size, 344 &obj->key_handle); 345 if (res) { 346 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 347 348 return tee2pkcs_error(res); 349 } 350 351 res = TEE_PopulateTransientObject(obj->key_handle, 352 tee_attrs, tee_attrs_count); 353 354 TEE_Free(tee_attrs); 355 356 if (res) { 357 DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res); 358 359 goto error; 360 } 361 362 key_ready: 363 res = TEE_SetOperationKey(session->processing->tee_op_handle, 364 obj->key_handle); 365 if (res) { 366 DMSG("TEE_SetOperationKey failed, %#"PRIx32, res); 367 368 goto error; 369 } 370 371 return PKCS11_CKR_OK; 372 373 error: 374 TEE_FreeTransientObject(obj->key_handle); 375 obj->key_handle = TEE_HANDLE_NULL; 376 return tee2pkcs_error(res); 377 } 378 379 static enum pkcs11_rc 380 init_tee_operation(struct pkcs11_session *session, 381 struct pkcs11_attribute_head *proc_params, 382 struct pkcs11_object *obj) 383 { 384 enum pkcs11_rc rc = PKCS11_CKR_OK; 385 struct active_processing *proc = session->processing; 386 387 switch (proc_params->id) { 388 case PKCS11_CKM_RSA_PKCS_PSS: 389 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 390 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 391 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 392 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 393 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 394 rc = pkcs2tee_proc_params_rsa_pss(proc, proc_params); 395 if (rc) 396 break; 397 398 rc = pkcs2tee_validate_rsa_pss(proc, obj); 399 break; 400 case PKCS11_CKM_RSA_PKCS_OAEP: 401 rc = pkcs2tee_proc_params_rsa_oaep(proc, proc_params); 402 break; 403 case PKCS11_CKM_EDDSA: 404 rc = pkcs2tee_proc_params_eddsa(proc, proc_params); 405 break; 406 case PKCS11_CKM_RSA_AES_KEY_WRAP: 407 rc = pkcs2tee_proc_params_rsa_aes_wrap(proc, proc_params); 408 break; 409 default: 410 break; 411 } 412 413 return rc; 414 } 415 416 enum pkcs11_rc init_asymm_operation(struct pkcs11_session *session, 417 enum processing_func function, 418 struct pkcs11_attribute_head *proc_params, 419 struct pkcs11_object *obj) 420 { 421 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 422 423 assert(processing_is_tee_asymm(proc_params->id)); 424 425 rc = allocate_tee_operation(session, function, proc_params, obj); 426 if (rc) 427 return rc; 428 429 rc = load_tee_key(session, obj, function); 430 if (rc) 431 return rc; 432 433 rc = init_tee_operation(session, proc_params, obj); 434 if (!rc) 435 session->processing->mecha_type = proc_params->id; 436 437 return rc; 438 } 439 440 /* 441 * step_sym_step - step (update/oneshot/final) on a symmetric crypto operation 442 * 443 * @session - current session 444 * @function - processing function (encrypt, decrypt, sign, ...) 445 * @step - step ID in the processing (oneshot, update, final) 446 * @ptypes - invocation parameter types 447 * @params - invocation parameter references 448 */ 449 enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session, 450 enum processing_func function, 451 enum processing_step step, 452 uint32_t ptypes, TEE_Param *params) 453 { 454 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 455 TEE_Result res = TEE_ERROR_GENERIC; 456 void *in_buf = NULL; 457 void *in2_buf = NULL; 458 void *out_buf = NULL; 459 void *hash_buf = NULL; 460 uint32_t in_size = 0; 461 uint32_t in2_size = 0; 462 size_t out_size = 0; 463 size_t hash_size = 0; 464 TEE_Attribute *tee_attrs = NULL; 465 size_t tee_attrs_count = 0; 466 bool output_data = false; 467 struct active_processing *proc = session->processing; 468 struct rsa_aes_key_wrap_processing_ctx *rsa_aes_ctx = NULL; 469 struct rsa_oaep_processing_ctx *rsa_oaep_ctx = NULL; 470 struct rsa_pss_processing_ctx *rsa_pss_ctx = NULL; 471 struct eddsa_processing_ctx *eddsa_ctx = NULL; 472 size_t sz = 0; 473 474 if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) { 475 in_buf = params[1].memref.buffer; 476 in_size = params[1].memref.size; 477 if (in_size && !in_buf) 478 return PKCS11_CKR_ARGUMENTS_BAD; 479 } 480 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) { 481 in2_buf = params[2].memref.buffer; 482 in2_size = params[2].memref.size; 483 if (in2_size && !in2_buf) 484 return PKCS11_CKR_ARGUMENTS_BAD; 485 } 486 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) { 487 out_buf = params[2].memref.buffer; 488 out_size = params[2].memref.size; 489 if (out_size && !out_buf) 490 return PKCS11_CKR_ARGUMENTS_BAD; 491 } 492 if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE) 493 return PKCS11_CKR_ARGUMENTS_BAD; 494 495 switch (step) { 496 case PKCS11_FUNC_STEP_ONESHOT: 497 case PKCS11_FUNC_STEP_UPDATE: 498 case PKCS11_FUNC_STEP_FINAL: 499 break; 500 default: 501 return PKCS11_CKR_GENERAL_ERROR; 502 } 503 504 /* TEE attribute(s) required by the operation */ 505 switch (proc->mecha_type) { 506 case PKCS11_CKM_RSA_PKCS_PSS: 507 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 508 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 509 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 510 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 511 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 512 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 513 TEE_USER_MEM_HINT_NO_FILL_ZERO); 514 if (!tee_attrs) { 515 rc = PKCS11_CKR_DEVICE_MEMORY; 516 goto out; 517 } 518 519 rsa_pss_ctx = proc->extra_ctx; 520 521 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 522 TEE_ATTR_RSA_PSS_SALT_LENGTH, 523 rsa_pss_ctx->salt_len, 0); 524 tee_attrs_count++; 525 break; 526 case PKCS11_CKM_EDDSA: 527 eddsa_ctx = proc->extra_ctx; 528 529 tee_attrs = TEE_Malloc(2 * sizeof(TEE_Attribute), 530 TEE_USER_MEM_HINT_NO_FILL_ZERO); 531 if (!tee_attrs) { 532 rc = PKCS11_CKR_DEVICE_MEMORY; 533 goto out; 534 } 535 536 if (eddsa_ctx->flag) { 537 TEE_InitValueAttribute(&tee_attrs[tee_attrs_count], 538 TEE_ATTR_EDDSA_PREHASH, 0, 0); 539 tee_attrs_count++; 540 } 541 542 if (eddsa_ctx->ctx_len > 0) { 543 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 544 TEE_ATTR_EDDSA_CTX, eddsa_ctx->ctx, 545 eddsa_ctx->ctx_len); 546 tee_attrs_count++; 547 } 548 break; 549 case PKCS11_CKM_RSA_PKCS_OAEP: 550 rsa_oaep_ctx = proc->extra_ctx; 551 552 if (!rsa_oaep_ctx->source_data_len) 553 break; 554 555 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 556 TEE_USER_MEM_HINT_NO_FILL_ZERO); 557 if (!tee_attrs) { 558 rc = PKCS11_CKR_DEVICE_MEMORY; 559 goto out; 560 } 561 562 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 563 TEE_ATTR_RSA_OAEP_LABEL, 564 rsa_oaep_ctx->source_data, 565 rsa_oaep_ctx->source_data_len); 566 tee_attrs_count++; 567 break; 568 case PKCS11_CKM_RSA_AES_KEY_WRAP: 569 rsa_aes_ctx = proc->extra_ctx; 570 571 if (!rsa_aes_ctx->source_data_len) 572 break; 573 574 tee_attrs = TEE_Malloc(sizeof(TEE_Attribute), 575 TEE_USER_MEM_HINT_NO_FILL_ZERO); 576 if (!tee_attrs) { 577 rc = PKCS11_CKR_DEVICE_MEMORY; 578 goto out; 579 } 580 581 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 582 TEE_ATTR_RSA_OAEP_LABEL, 583 rsa_aes_ctx->source_data, 584 rsa_aes_ctx->source_data_len); 585 tee_attrs_count++; 586 break; 587 default: 588 break; 589 } 590 591 /* 592 * Handle multi stage update step for mechas needing hash 593 * calculation 594 */ 595 if (step == PKCS11_FUNC_STEP_UPDATE) { 596 switch (proc->mecha_type) { 597 case PKCS11_CKM_ECDSA_SHA1: 598 case PKCS11_CKM_ECDSA_SHA224: 599 case PKCS11_CKM_ECDSA_SHA256: 600 case PKCS11_CKM_ECDSA_SHA384: 601 case PKCS11_CKM_ECDSA_SHA512: 602 case PKCS11_CKM_MD5_RSA_PKCS: 603 case PKCS11_CKM_SHA1_RSA_PKCS: 604 case PKCS11_CKM_SHA224_RSA_PKCS: 605 case PKCS11_CKM_SHA256_RSA_PKCS: 606 case PKCS11_CKM_SHA384_RSA_PKCS: 607 case PKCS11_CKM_SHA512_RSA_PKCS: 608 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 609 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 610 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 611 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 612 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 613 assert(proc->tee_op_handle2 != TEE_HANDLE_NULL); 614 615 TEE_DigestUpdate(proc->tee_op_handle2, in_buf, in_size); 616 rc = PKCS11_CKR_OK; 617 break; 618 default: 619 /* 620 * Other mechanism do not expect multi stage 621 * operation 622 */ 623 rc = PKCS11_CKR_GENERAL_ERROR; 624 break; 625 } 626 627 goto out; 628 } 629 630 /* 631 * Handle multi stage one shot and final steps for mechas needing hash 632 * calculation 633 */ 634 switch (proc->mecha_type) { 635 case PKCS11_CKM_ECDSA_SHA1: 636 case PKCS11_CKM_ECDSA_SHA224: 637 case PKCS11_CKM_ECDSA_SHA256: 638 case PKCS11_CKM_ECDSA_SHA384: 639 case PKCS11_CKM_ECDSA_SHA512: 640 case PKCS11_CKM_MD5_RSA_PKCS: 641 case PKCS11_CKM_SHA1_RSA_PKCS: 642 case PKCS11_CKM_SHA224_RSA_PKCS: 643 case PKCS11_CKM_SHA256_RSA_PKCS: 644 case PKCS11_CKM_SHA384_RSA_PKCS: 645 case PKCS11_CKM_SHA512_RSA_PKCS: 646 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 647 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 648 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 649 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 650 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 651 assert(proc->tee_op_handle2 != TEE_HANDLE_NULL); 652 653 hash_size = TEE_ALG_GET_DIGEST_SIZE(proc->tee_hash_algo); 654 hash_buf = TEE_Malloc(hash_size, 0); 655 if (!hash_buf) 656 return PKCS11_CKR_DEVICE_MEMORY; 657 658 res = TEE_DigestDoFinal(proc->tee_op_handle2, in_buf, in_size, 659 hash_buf, &hash_size); 660 661 rc = tee2pkcs_error(res); 662 if (rc != PKCS11_CKR_OK) 663 goto out; 664 665 break; 666 default: 667 break; 668 } 669 670 /* 671 * Finalize either provided hash or calculated hash with signing 672 * operation 673 */ 674 675 /* First determine amount of bytes for signing operation */ 676 switch (proc->mecha_type) { 677 case PKCS11_CKM_ECDSA: 678 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 679 if (!in_size || !sz) { 680 rc = PKCS11_CKR_FUNCTION_FAILED; 681 goto out; 682 } 683 684 /* 685 * Note 3) Input the entire raw digest. Internally, this will 686 * be truncated to the appropriate number of bits. 687 */ 688 if (in_size > sz) 689 in_size = sz; 690 691 if (function == PKCS11_FUNCTION_VERIFY && in2_size != 2 * sz) { 692 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 693 goto out; 694 } 695 break; 696 case PKCS11_CKM_ECDSA_SHA1: 697 case PKCS11_CKM_ECDSA_SHA224: 698 case PKCS11_CKM_ECDSA_SHA256: 699 case PKCS11_CKM_ECDSA_SHA384: 700 case PKCS11_CKM_ECDSA_SHA512: 701 /* Get key size in bytes */ 702 sz = ecdsa_get_input_max_byte_size(proc->tee_op_handle); 703 if (!sz) { 704 rc = PKCS11_CKR_FUNCTION_FAILED; 705 goto out; 706 } 707 708 if (function == PKCS11_FUNCTION_VERIFY && 709 in2_size != 2 * sz) { 710 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 711 goto out; 712 } 713 break; 714 case PKCS11_CKM_RSA_PKCS: 715 case PKCS11_CKM_MD5_RSA_PKCS: 716 case PKCS11_CKM_SHA1_RSA_PKCS: 717 case PKCS11_CKM_SHA224_RSA_PKCS: 718 case PKCS11_CKM_SHA256_RSA_PKCS: 719 case PKCS11_CKM_SHA384_RSA_PKCS: 720 case PKCS11_CKM_SHA512_RSA_PKCS: 721 case PKCS11_CKM_RSA_PKCS_PSS: 722 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 723 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 724 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 725 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 726 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 727 /* Get key size in bytes */ 728 sz = rsa_get_input_max_byte_size(proc->tee_op_handle); 729 if (!sz) { 730 rc = PKCS11_CKR_FUNCTION_FAILED; 731 goto out; 732 } 733 734 if (function == PKCS11_FUNCTION_VERIFY && in2_size != sz) { 735 rc = PKCS11_CKR_SIGNATURE_LEN_RANGE; 736 goto out; 737 } 738 break; 739 default: 740 break; 741 } 742 743 /* Next perform actual signing operation */ 744 switch (proc->mecha_type) { 745 case PKCS11_CKM_ECDSA: 746 case PKCS11_CKM_EDDSA: 747 case PKCS11_CKM_RSA_PKCS: 748 case PKCS11_CKM_RSA_PKCS_OAEP: 749 case PKCS11_CKM_RSA_PKCS_PSS: 750 /* For operations using provided input data */ 751 switch (function) { 752 case PKCS11_FUNCTION_ENCRYPT: 753 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 754 tee_attrs, tee_attrs_count, 755 in_buf, in_size, 756 out_buf, &out_size); 757 output_data = true; 758 rc = tee2pkcs_error(res); 759 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 760 rc = PKCS11_CKR_DATA_LEN_RANGE; 761 break; 762 763 case PKCS11_FUNCTION_DECRYPT: 764 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 765 tee_attrs, tee_attrs_count, 766 in_buf, in_size, 767 out_buf, &out_size); 768 output_data = true; 769 rc = tee2pkcs_error(res); 770 if (rc == PKCS11_CKR_ARGUMENTS_BAD) 771 rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 772 break; 773 774 case PKCS11_FUNCTION_SIGN: 775 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 776 tee_attrs, 777 tee_attrs_count, 778 in_buf, in_size, 779 out_buf, &out_size); 780 output_data = true; 781 rc = tee2pkcs_error(res); 782 break; 783 784 case PKCS11_FUNCTION_VERIFY: 785 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 786 tee_attrs, 787 tee_attrs_count, 788 in_buf, in_size, 789 in2_buf, in2_size); 790 rc = tee2pkcs_error(res); 791 break; 792 793 default: 794 TEE_Panic(function); 795 break; 796 } 797 break; 798 case PKCS11_CKM_ECDSA_SHA1: 799 case PKCS11_CKM_ECDSA_SHA224: 800 case PKCS11_CKM_ECDSA_SHA256: 801 case PKCS11_CKM_ECDSA_SHA384: 802 case PKCS11_CKM_ECDSA_SHA512: 803 case PKCS11_CKM_MD5_RSA_PKCS: 804 case PKCS11_CKM_SHA1_RSA_PKCS: 805 case PKCS11_CKM_SHA224_RSA_PKCS: 806 case PKCS11_CKM_SHA256_RSA_PKCS: 807 case PKCS11_CKM_SHA384_RSA_PKCS: 808 case PKCS11_CKM_SHA512_RSA_PKCS: 809 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 810 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 811 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 812 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 813 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 814 /* For operations having hash operation use calculated hash */ 815 switch (function) { 816 case PKCS11_FUNCTION_SIGN: 817 res = TEE_AsymmetricSignDigest(proc->tee_op_handle, 818 tee_attrs, 819 tee_attrs_count, 820 hash_buf, hash_size, 821 out_buf, &out_size); 822 output_data = true; 823 rc = tee2pkcs_error(res); 824 break; 825 826 case PKCS11_FUNCTION_VERIFY: 827 res = TEE_AsymmetricVerifyDigest(proc->tee_op_handle, 828 tee_attrs, 829 tee_attrs_count, 830 hash_buf, hash_size, 831 in2_buf, in2_size); 832 rc = tee2pkcs_error(res); 833 break; 834 835 default: 836 TEE_Panic(function); 837 break; 838 } 839 break; 840 default: 841 TEE_Panic(proc->mecha_type); 842 break; 843 } 844 845 out: 846 if (output_data && 847 (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) { 848 switch (TEE_PARAM_TYPE_GET(ptypes, 2)) { 849 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 850 case TEE_PARAM_TYPE_MEMREF_INOUT: 851 params[2].memref.size = out_size; 852 break; 853 default: 854 rc = PKCS11_CKR_GENERAL_ERROR; 855 break; 856 } 857 } 858 859 TEE_Free(hash_buf); 860 TEE_Free(tee_attrs); 861 862 return rc; 863 } 864 865 enum pkcs11_rc do_asymm_derivation(struct pkcs11_session *session, 866 struct pkcs11_attribute_head *proc_params, 867 struct obj_attrs **head) 868 { 869 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 870 TEE_ObjectHandle out_handle = TEE_HANDLE_NULL; 871 TEE_Result res = TEE_ERROR_GENERIC; 872 TEE_Attribute tee_attrs[2] = { }; 873 size_t tee_attrs_count = 0; 874 uint32_t key_byte_size = 0; 875 uint32_t key_bit_size = 0; 876 void *a_ptr = NULL; 877 size_t a_size = 0; 878 879 /* Remove default attribute set at template sanitization */ 880 if (remove_empty_attribute(head, PKCS11_CKA_VALUE)) 881 return PKCS11_CKR_FUNCTION_FAILED; 882 883 rc = get_u32_attribute(*head, PKCS11_CKA_VALUE_LEN, &key_bit_size); 884 if (rc) 885 return rc; 886 887 key_bit_size *= 8; 888 key_byte_size = (key_bit_size + 7) / 8; 889 890 res = TEE_AllocateTransientObject(TEE_TYPE_GENERIC_SECRET, 891 key_byte_size * 8, &out_handle); 892 if (res) { 893 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 894 return tee2pkcs_error(res); 895 } 896 897 switch (proc_params->id) { 898 case PKCS11_CKM_ECDH1_DERIVE: 899 rc = pkcs2tee_param_ecdh(proc_params, &a_ptr, &a_size); 900 if (rc) 901 goto out; 902 903 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 904 TEE_ATTR_ECC_PUBLIC_VALUE_X, 905 a_ptr, a_size / 2); 906 tee_attrs_count++; 907 TEE_InitRefAttribute(&tee_attrs[tee_attrs_count], 908 TEE_ATTR_ECC_PUBLIC_VALUE_Y, 909 (char *)a_ptr + a_size / 2, 910 a_size / 2); 911 tee_attrs_count++; 912 break; 913 default: 914 TEE_Panic(proc_params->id); 915 break; 916 } 917 918 TEE_DeriveKey(session->processing->tee_op_handle, &tee_attrs[0], 919 tee_attrs_count, out_handle); 920 921 rc = alloc_get_tee_attribute_data(out_handle, TEE_ATTR_SECRET_VALUE, 922 &a_ptr, &a_size); 923 if (rc) 924 goto out; 925 926 if (a_size * 8 < key_bit_size) 927 rc = PKCS11_CKR_KEY_SIZE_RANGE; 928 else 929 rc = add_attribute(head, PKCS11_CKA_VALUE, a_ptr, 930 key_byte_size); 931 TEE_Free(a_ptr); 932 out: 933 release_active_processing(session); 934 TEE_FreeTransientObject(out_handle); 935 936 return rc; 937 } 938 939 static enum pkcs11_rc wrap_rsa_aes_key(struct active_processing *proc, 940 void *data, uint32_t data_sz, 941 void *out_buf, uint32_t *out_sz) 942 { 943 enum pkcs11_rc rc = PKCS11_CKR_OK; 944 TEE_Result res = TEE_ERROR_GENERIC; 945 int mbedtls_rc = 0; 946 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 947 mbedtls_nist_kw_context kw_ctx = { }; 948 uint8_t aes_key_value[32] = { }; 949 uint32_t aes_key_size = ctx->aes_key_bits / 8; 950 size_t aes_wrapped_size = *out_sz; 951 uint32_t expected_size = 0; 952 size_t target_key_size = 0; 953 const size_t kw_semiblock_len = 8; 954 955 if (ctx->aes_key_bits != 128 && 956 ctx->aes_key_bits != 192 && 957 ctx->aes_key_bits != 256) 958 return PKCS11_CKR_ARGUMENTS_BAD; 959 960 mbedtls_nist_kw_init(&kw_ctx); 961 TEE_GenerateRandom(aes_key_value, aes_key_size); 962 res = TEE_AsymmetricEncrypt(proc->tee_op_handle, 963 NULL, 0, 964 aes_key_value, aes_key_size, 965 out_buf, &aes_wrapped_size); 966 expected_size = aes_wrapped_size + data_sz + kw_semiblock_len; 967 if (res) { 968 if (res == TEE_ERROR_SHORT_BUFFER) 969 *out_sz = expected_size; 970 971 rc = tee2pkcs_error(res); 972 goto out; 973 } 974 975 if (*out_sz < expected_size) { 976 rc = PKCS11_CKR_BUFFER_TOO_SMALL; 977 *out_sz = expected_size; 978 goto out; 979 } 980 981 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 982 aes_key_value, ctx->aes_key_bits, 983 true); 984 if (mbedtls_rc) { 985 if (mbedtls_rc == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) 986 rc = PKCS11_CKR_KEY_SIZE_RANGE; 987 else 988 rc = PKCS11_CKR_FUNCTION_FAILED; 989 990 goto out; 991 } 992 993 mbedtls_rc = mbedtls_nist_kw_wrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 994 data, data_sz, 995 (uint8_t *)out_buf + aes_wrapped_size, 996 &target_key_size, 997 *out_sz - aes_wrapped_size); 998 if (mbedtls_rc) { 999 rc = PKCS11_CKR_ARGUMENTS_BAD; 1000 goto out; 1001 } 1002 1003 assert(*out_sz >= target_key_size + aes_wrapped_size); 1004 *out_sz = target_key_size + aes_wrapped_size; 1005 1006 out: 1007 mbedtls_nist_kw_free(&kw_ctx); 1008 TEE_MemFill(aes_key_value, 0, aes_key_size); 1009 return rc; 1010 } 1011 1012 static enum pkcs11_rc unwrap_rsa_aes_key(struct active_processing *proc, 1013 void *data, uint32_t data_sz, 1014 void **out_buf, uint32_t *out_sz) 1015 { 1016 enum pkcs11_rc rc = PKCS11_CKR_OK; 1017 int mbedtls_rc = 0; 1018 TEE_Result res = TEE_ERROR_GENERIC; 1019 TEE_OperationInfo info = { }; 1020 struct rsa_aes_key_wrap_processing_ctx *ctx = proc->extra_ctx; 1021 mbedtls_nist_kw_context kw_ctx = { }; 1022 uint8_t aes_key_value[32] = { }; 1023 size_t aes_key_size = ctx->aes_key_bits / 8; 1024 uint32_t wrapped_key_size = 0; 1025 uint32_t rsa_key_size = 0; 1026 size_t target_key_size = 0; 1027 1028 if (ctx->aes_key_bits != 128 && 1029 ctx->aes_key_bits != 192 && 1030 ctx->aes_key_bits != 256) 1031 return PKCS11_CKR_ARGUMENTS_BAD; 1032 1033 TEE_GetOperationInfo(proc->tee_op_handle, &info); 1034 rsa_key_size = info.keySize / 8; 1035 wrapped_key_size = data_sz - rsa_key_size; 1036 target_key_size = wrapped_key_size - 8; 1037 1038 *out_buf = TEE_Malloc(target_key_size, TEE_MALLOC_FILL_ZERO); 1039 if (!*out_buf) 1040 return PKCS11_CKR_DEVICE_MEMORY; 1041 1042 mbedtls_nist_kw_init(&kw_ctx); 1043 res = TEE_AsymmetricDecrypt(proc->tee_op_handle, 1044 NULL, 0, 1045 data, rsa_key_size, 1046 aes_key_value, &aes_key_size); 1047 if (res) { 1048 rc = tee2pkcs_error(res); 1049 goto out; 1050 } 1051 1052 mbedtls_rc = mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, 1053 aes_key_value, ctx->aes_key_bits, 1054 false); 1055 if (mbedtls_rc) { 1056 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1057 goto out; 1058 } 1059 1060 mbedtls_rc = mbedtls_nist_kw_unwrap(&kw_ctx, MBEDTLS_KW_MODE_KWP, 1061 (uint8_t *)data + rsa_key_size, 1062 wrapped_key_size, *out_buf, 1063 &target_key_size, target_key_size); 1064 if (mbedtls_rc) { 1065 rc = PKCS11_CKR_WRAPPED_KEY_INVALID; 1066 goto out; 1067 } 1068 1069 *out_sz = target_key_size; 1070 out: 1071 TEE_MemFill(aes_key_value, 0, aes_key_size); 1072 mbedtls_nist_kw_free(&kw_ctx); 1073 return rc; 1074 } 1075 1076 enum pkcs11_rc wrap_data_by_asymm_enc(struct pkcs11_session *session, 1077 void *data, uint32_t data_sz, 1078 void *out_buf, uint32_t *out_sz) 1079 { 1080 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1081 struct active_processing *proc = session->processing; 1082 1083 switch (proc->mecha_type) { 1084 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1085 rc = wrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1086 break; 1087 default: 1088 return PKCS11_CKR_MECHANISM_INVALID; 1089 } 1090 1091 return rc; 1092 } 1093 1094 enum pkcs11_rc unwrap_key_by_asymm(struct pkcs11_session *session, 1095 void *data, uint32_t data_sz, 1096 void **out_buf, uint32_t *out_sz) 1097 { 1098 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 1099 struct active_processing *proc = session->processing; 1100 1101 switch (proc->mecha_type) { 1102 case PKCS11_CKM_RSA_AES_KEY_WRAP: 1103 rc = unwrap_rsa_aes_key(proc, data, data_sz, out_buf, out_sz); 1104 break; 1105 default: 1106 return PKCS11_CKR_MECHANISM_INVALID; 1107 } 1108 1109 return rc; 1110 } 1111