1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <pkcs11_ta.h> 8 #include <string.h> 9 #include <tee_api_defines.h> 10 #include <tee_internal_api.h> 11 #include <tee_internal_api_extensions.h> 12 #include <utee_defines.h> 13 #include <util.h> 14 15 #include "attributes.h" 16 #include "object.h" 17 #include "pkcs11_attributes.h" 18 #include "pkcs11_helpers.h" 19 #include "pkcs11_token.h" 20 #include "processing.h" 21 #include "serializer.h" 22 23 struct input_data_ref { 24 size_t size; 25 void *data; 26 }; 27 28 bool processing_is_tee_symm(enum pkcs11_mechanism_id proc_id) 29 { 30 switch (proc_id) { 31 /* Authentication */ 32 case PKCS11_CKM_AES_CMAC: 33 case PKCS11_CKM_MD5_HMAC: 34 case PKCS11_CKM_SHA_1_HMAC: 35 case PKCS11_CKM_SHA224_HMAC: 36 case PKCS11_CKM_SHA256_HMAC: 37 case PKCS11_CKM_SHA384_HMAC: 38 case PKCS11_CKM_SHA512_HMAC: 39 case PKCS11_CKM_AES_CMAC_GENERAL: 40 case PKCS11_CKM_MD5_HMAC_GENERAL: 41 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 42 case PKCS11_CKM_SHA224_HMAC_GENERAL: 43 case PKCS11_CKM_SHA256_HMAC_GENERAL: 44 case PKCS11_CKM_SHA384_HMAC_GENERAL: 45 case PKCS11_CKM_SHA512_HMAC_GENERAL: 46 /* Ciphering */ 47 case PKCS11_CKM_AES_ECB: 48 case PKCS11_CKM_AES_CBC: 49 case PKCS11_CKM_AES_CBC_PAD: 50 case PKCS11_CKM_AES_CTS: 51 case PKCS11_CKM_AES_CTR: 52 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: 53 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: 54 return true; 55 default: 56 return false; 57 } 58 } 59 60 static enum pkcs11_rc 61 pkcs2tee_algorithm(uint32_t *tee_id, struct pkcs11_attribute_head *proc_params) 62 { 63 static const struct { 64 enum pkcs11_mechanism_id mech_id; 65 uint32_t tee_id; 66 } pkcs2tee_algo[] = { 67 /* AES flavors */ 68 { PKCS11_CKM_AES_ECB, TEE_ALG_AES_ECB_NOPAD }, 69 { PKCS11_CKM_AES_CBC, TEE_ALG_AES_CBC_NOPAD }, 70 { PKCS11_CKM_AES_CBC_PAD, TEE_ALG_AES_CBC_NOPAD }, 71 { PKCS11_CKM_AES_ECB_ENCRYPT_DATA, TEE_ALG_AES_ECB_NOPAD }, 72 { PKCS11_CKM_AES_CBC_ENCRYPT_DATA, TEE_ALG_AES_CBC_NOPAD }, 73 { PKCS11_CKM_AES_CTR, TEE_ALG_AES_CTR }, 74 { PKCS11_CKM_AES_CTS, TEE_ALG_AES_CTS }, 75 { PKCS11_CKM_AES_CMAC, TEE_ALG_AES_CMAC }, 76 { PKCS11_CKM_AES_CMAC_GENERAL, TEE_ALG_AES_CMAC }, 77 /* HMAC flavors */ 78 { PKCS11_CKM_MD5_HMAC, TEE_ALG_HMAC_MD5 }, 79 { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_HMAC_SHA1 }, 80 { PKCS11_CKM_SHA224_HMAC, TEE_ALG_HMAC_SHA224 }, 81 { PKCS11_CKM_SHA256_HMAC, TEE_ALG_HMAC_SHA256 }, 82 { PKCS11_CKM_SHA384_HMAC, TEE_ALG_HMAC_SHA384 }, 83 { PKCS11_CKM_SHA512_HMAC, TEE_ALG_HMAC_SHA512 }, 84 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_HMAC_MD5 }, 85 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_HMAC_SHA1 }, 86 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_HMAC_SHA224 }, 87 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_HMAC_SHA256 }, 88 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_HMAC_SHA384 }, 89 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_HMAC_SHA512 }, 90 }; 91 size_t n = 0; 92 93 for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) { 94 if (proc_params->id == pkcs2tee_algo[n].mech_id) { 95 *tee_id = pkcs2tee_algo[n].tee_id; 96 return PKCS11_CKR_OK; 97 } 98 } 99 100 return PKCS11_RV_NOT_IMPLEMENTED; 101 } 102 103 static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type, 104 struct pkcs11_object *obj) 105 { 106 static const struct { 107 enum pkcs11_key_type key_type; 108 uint32_t tee_id; 109 } pkcs2tee_key_type[] = { 110 { PKCS11_CKK_AES, TEE_TYPE_AES }, 111 { PKCS11_CKK_GENERIC_SECRET, TEE_TYPE_GENERIC_SECRET }, 112 { PKCS11_CKK_MD5_HMAC, TEE_TYPE_HMAC_MD5 }, 113 { PKCS11_CKK_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 }, 114 { PKCS11_CKK_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 }, 115 { PKCS11_CKK_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 }, 116 { PKCS11_CKK_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 }, 117 { PKCS11_CKK_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 }, 118 }; 119 size_t n = 0; 120 enum pkcs11_key_type key_type = get_key_type(obj->attributes); 121 122 assert(get_class(obj->attributes) == PKCS11_CKO_SECRET_KEY); 123 124 for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) { 125 if (pkcs2tee_key_type[n].key_type == key_type) { 126 *tee_type = pkcs2tee_key_type[n].tee_id; 127 return PKCS11_CKR_OK; 128 } 129 } 130 131 return PKCS11_RV_NOT_FOUND; 132 } 133 134 static enum pkcs11_rc pkcsmech2tee_key_type(uint32_t *tee_type, 135 enum pkcs11_mechanism_id mech_id) 136 { 137 static const struct { 138 enum pkcs11_mechanism_id mech; 139 uint32_t tee_id; 140 } pkcs2tee_key_type[] = { 141 { PKCS11_CKM_MD5_HMAC, TEE_TYPE_HMAC_MD5 }, 142 { PKCS11_CKM_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 }, 143 { PKCS11_CKM_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 }, 144 { PKCS11_CKM_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 }, 145 { PKCS11_CKM_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 }, 146 { PKCS11_CKM_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 }, 147 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_TYPE_HMAC_MD5 }, 148 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_TYPE_HMAC_SHA1 }, 149 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_TYPE_HMAC_SHA224 }, 150 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_TYPE_HMAC_SHA256 }, 151 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_TYPE_HMAC_SHA384 }, 152 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_TYPE_HMAC_SHA512 }, 153 }; 154 size_t n = 0; 155 156 for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) { 157 if (pkcs2tee_key_type[n].mech == mech_id) { 158 *tee_type = pkcs2tee_key_type[n].tee_id; 159 return PKCS11_CKR_OK; 160 } 161 } 162 163 return PKCS11_RV_NOT_FOUND; 164 } 165 166 static enum pkcs11_rc hmac_to_tee_hash(uint32_t *algo, 167 enum pkcs11_mechanism_id mech_id) 168 { 169 static const struct { 170 enum pkcs11_mechanism_id mech; 171 uint32_t tee_id; 172 } hmac_hash[] = { 173 { PKCS11_CKM_MD5_HMAC, TEE_ALG_MD5 }, 174 { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_SHA1 }, 175 { PKCS11_CKM_SHA224_HMAC, TEE_ALG_SHA224 }, 176 { PKCS11_CKM_SHA256_HMAC, TEE_ALG_SHA256 }, 177 { PKCS11_CKM_SHA384_HMAC, TEE_ALG_SHA384 }, 178 { PKCS11_CKM_SHA512_HMAC, TEE_ALG_SHA512 }, 179 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_MD5 }, 180 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_SHA1 }, 181 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_SHA224 }, 182 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_SHA256 }, 183 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_SHA384 }, 184 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_SHA512 }, 185 }; 186 size_t n = 0; 187 188 for (n = 0; n < ARRAY_SIZE(hmac_hash); n++) { 189 if (hmac_hash[n].mech == mech_id) { 190 *algo = hmac_hash[n].tee_id; 191 return PKCS11_CKR_OK; 192 } 193 } 194 195 return PKCS11_RV_NOT_FOUND; 196 } 197 198 static enum pkcs11_rc 199 allocate_tee_operation(struct pkcs11_session *session, 200 enum processing_func function, 201 struct pkcs11_attribute_head *params, 202 struct pkcs11_object *obj) 203 { 204 uint32_t size = (uint32_t)get_object_key_bit_size(obj); 205 uint32_t key_size = size / 8; 206 uint32_t algo = 0; 207 uint32_t mode = 0; 208 uint32_t max_key_size = 0; 209 uint32_t min_key_size = 0; 210 TEE_Result res = TEE_ERROR_GENERIC; 211 212 assert(session->processing->tee_op_handle == TEE_HANDLE_NULL); 213 214 if (pkcs2tee_algorithm(&algo, params)) 215 return PKCS11_CKR_FUNCTION_FAILED; 216 217 /* Sign/Verify with AES or generic key relate to TEE MAC operation */ 218 switch (params->id) { 219 case PKCS11_CKM_MD5_HMAC: 220 case PKCS11_CKM_SHA_1_HMAC: 221 case PKCS11_CKM_SHA224_HMAC: 222 case PKCS11_CKM_SHA256_HMAC: 223 case PKCS11_CKM_SHA384_HMAC: 224 case PKCS11_CKM_SHA512_HMAC: 225 case PKCS11_CKM_MD5_HMAC_GENERAL: 226 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 227 case PKCS11_CKM_SHA224_HMAC_GENERAL: 228 case PKCS11_CKM_SHA256_HMAC_GENERAL: 229 case PKCS11_CKM_SHA384_HMAC_GENERAL: 230 case PKCS11_CKM_SHA512_HMAC_GENERAL: 231 mechanism_supported_key_sizes_bytes(params->id, &min_key_size, 232 &max_key_size); 233 if (key_size < min_key_size) 234 return PKCS11_CKR_KEY_SIZE_RANGE; 235 236 /* 237 * If size of generic key is greater than the size 238 * supported by TEE API, this is not considered an 239 * error. When loading TEE key, we will hash the key 240 * to generate the appropriate key for HMAC operation. 241 * This key size will not be greater than the 242 * max_key_size. So we can use max_key_size for 243 * TEE_AllocateOperation(). 244 */ 245 if (key_size > max_key_size) 246 size = max_key_size * 8; 247 248 mode = TEE_MODE_MAC; 249 break; 250 case PKCS11_CKM_AES_CMAC: 251 case PKCS11_CKM_AES_CMAC_GENERAL: 252 mode = TEE_MODE_MAC; 253 break; 254 default: 255 pkcs2tee_mode(&mode, function); 256 break; 257 } 258 259 res = TEE_AllocateOperation(&session->processing->tee_op_handle, 260 algo, mode, size); 261 if (res) 262 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32, 263 algo, mode, size); 264 265 if (res == TEE_ERROR_NOT_SUPPORTED) 266 return PKCS11_CKR_MECHANISM_INVALID; 267 268 return tee2pkcs_error(res); 269 } 270 271 static enum pkcs11_rc hash_secret_helper(enum pkcs11_mechanism_id mech_id, 272 struct pkcs11_object *obj, 273 TEE_Attribute *tee_attr, 274 void **ctx, 275 size_t *object_size_bits) 276 { 277 uint32_t algo = 0; 278 void *hash_ptr = NULL; 279 uint32_t hash_size = 0; 280 enum pkcs11_rc rc = PKCS11_CKR_OK; 281 282 rc = hmac_to_tee_hash(&algo, mech_id); 283 if (rc) 284 return rc; 285 286 hash_size = TEE_ALG_GET_DIGEST_SIZE(algo); 287 hash_ptr = TEE_Malloc(hash_size, 0); 288 if (!hash_ptr) 289 return PKCS11_CKR_DEVICE_MEMORY; 290 291 rc = pkcs2tee_load_hashed_attr(tee_attr, TEE_ATTR_SECRET_VALUE, obj, 292 PKCS11_CKA_VALUE, algo, hash_ptr, 293 &hash_size); 294 if (rc) { 295 EMSG("No secret/hash error"); 296 TEE_Free(hash_ptr); 297 return rc; 298 } 299 300 *ctx = hash_ptr; 301 302 *object_size_bits = hash_size * 8; 303 304 return PKCS11_CKR_OK; 305 } 306 307 static enum pkcs11_rc load_tee_key(struct pkcs11_session *session, 308 struct pkcs11_object *obj, 309 struct pkcs11_attribute_head *proc_params) 310 { 311 TEE_Attribute tee_attr = { }; 312 size_t object_size = 0; 313 uint32_t tee_key_type = 0; 314 enum pkcs11_key_type key_type = 0; 315 enum pkcs11_rc rc = PKCS11_CKR_OK; 316 TEE_Result res = TEE_ERROR_GENERIC; 317 uint32_t max_key_size = 0; 318 uint32_t min_key_size = 0; 319 320 if (obj->key_handle != TEE_HANDLE_NULL) { 321 /* Key was already loaded and fits current need */ 322 goto key_ready; 323 } 324 325 object_size = get_object_key_bit_size(obj); 326 if (!object_size) 327 return PKCS11_CKR_GENERAL_ERROR; 328 329 switch (proc_params->id) { 330 case PKCS11_CKM_MD5_HMAC: 331 case PKCS11_CKM_SHA_1_HMAC: 332 case PKCS11_CKM_SHA224_HMAC: 333 case PKCS11_CKM_SHA256_HMAC: 334 case PKCS11_CKM_SHA384_HMAC: 335 case PKCS11_CKM_SHA512_HMAC: 336 case PKCS11_CKM_MD5_HMAC_GENERAL: 337 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 338 case PKCS11_CKM_SHA224_HMAC_GENERAL: 339 case PKCS11_CKM_SHA256_HMAC_GENERAL: 340 case PKCS11_CKM_SHA384_HMAC_GENERAL: 341 case PKCS11_CKM_SHA512_HMAC_GENERAL: 342 key_type = get_key_type(obj->attributes); 343 /* 344 * If Object Key type is PKCS11_CKK_GENERIC_SECRET, 345 * determine the tee_key_type using the 346 * mechanism instead of object key_type. 347 */ 348 if (key_type == PKCS11_CKK_GENERIC_SECRET) 349 rc = pkcsmech2tee_key_type(&tee_key_type, 350 proc_params->id); 351 else 352 rc = pkcs2tee_key_type(&tee_key_type, obj); 353 354 if (rc) 355 return rc; 356 357 mechanism_supported_key_sizes_bytes(proc_params->id, 358 &min_key_size, 359 &max_key_size); 360 361 if ((object_size / 8) > max_key_size) { 362 rc = hash_secret_helper(proc_params->id, obj, &tee_attr, 363 &session->processing->extra_ctx, 364 &object_size); 365 if (rc) 366 return rc; 367 } else { 368 if (!pkcs2tee_load_attr(&tee_attr, 369 TEE_ATTR_SECRET_VALUE, 370 obj, 371 PKCS11_CKA_VALUE)) { 372 EMSG("No secret found"); 373 return PKCS11_CKR_FUNCTION_FAILED; 374 } 375 } 376 break; 377 378 default: 379 rc = pkcs2tee_key_type(&tee_key_type, obj); 380 if (rc) 381 return rc; 382 383 if (!pkcs2tee_load_attr(&tee_attr, TEE_ATTR_SECRET_VALUE, 384 obj, PKCS11_CKA_VALUE)) { 385 EMSG("No secret found"); 386 return PKCS11_CKR_FUNCTION_FAILED; 387 } 388 break; 389 } 390 391 res = TEE_AllocateTransientObject(tee_key_type, object_size, 392 &obj->key_handle); 393 if (res) { 394 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res); 395 return tee2pkcs_error(res); 396 } 397 398 res = TEE_PopulateTransientObject(obj->key_handle, &tee_attr, 1); 399 if (res) { 400 DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res); 401 goto error; 402 } 403 404 key_ready: 405 res = TEE_SetOperationKey(session->processing->tee_op_handle, 406 obj->key_handle); 407 if (res) { 408 DMSG("TEE_SetOperationKey failed, %#"PRIx32, res); 409 goto error; 410 } 411 412 return PKCS11_CKR_OK; 413 414 error: 415 TEE_FreeTransientObject(obj->key_handle); 416 obj->key_handle = TEE_HANDLE_NULL; 417 418 return tee2pkcs_error(res); 419 } 420 421 static enum pkcs11_rc 422 tee_init_derive_symm(struct active_processing *processing, 423 struct pkcs11_attribute_head *proc_params) 424 { 425 struct serialargs args = { }; 426 enum pkcs11_rc rc = PKCS11_CKR_OK; 427 struct input_data_ref *param = NULL; 428 void *iv = NULL; 429 430 if (!proc_params) 431 return PKCS11_CKR_ARGUMENTS_BAD; 432 433 param = TEE_Malloc(sizeof(struct input_data_ref), TEE_MALLOC_FILL_ZERO); 434 if (!param) 435 return PKCS11_CKR_DEVICE_MEMORY; 436 437 serialargs_init(&args, proc_params->data, proc_params->size); 438 439 switch (proc_params->id) { 440 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: 441 rc = serialargs_get_ptr(&args, &iv, 16); 442 if (rc) 443 goto err; 444 break; 445 default: 446 break; 447 } 448 449 rc = serialargs_get(&args, ¶m->size, sizeof(uint32_t)); 450 if (rc) 451 goto err; 452 453 rc = serialargs_get_ptr(&args, ¶m->data, param->size); 454 if (rc) 455 goto err; 456 457 if (serialargs_remaining_bytes(&args)) { 458 rc = PKCS11_CKR_ARGUMENTS_BAD; 459 goto err; 460 } 461 462 processing->extra_ctx = param; 463 464 switch (proc_params->id) { 465 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: 466 if (param->size % TEE_AES_BLOCK_SIZE) { 467 rc = PKCS11_CKR_DATA_LEN_RANGE; 468 goto err; 469 } 470 TEE_CipherInit(processing->tee_op_handle, NULL, 0); 471 break; 472 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: 473 if (param->size % TEE_AES_BLOCK_SIZE) { 474 rc = PKCS11_CKR_DATA_LEN_RANGE; 475 goto err; 476 } 477 TEE_CipherInit(processing->tee_op_handle, iv, 16); 478 break; 479 default: 480 TEE_Panic(proc_params->id); 481 break; 482 } 483 484 return PKCS11_CKR_OK; 485 486 err: 487 processing->extra_ctx = NULL; 488 TEE_Free(param); 489 return rc; 490 } 491 492 static enum pkcs11_rc 493 input_hmac_len_is_valid(struct pkcs11_attribute_head *proc_params, 494 uint32_t hmac_len) 495 { 496 uint32_t sign_sz = 0; 497 498 switch (proc_params->id) { 499 case PKCS11_CKM_MD5_HMAC_GENERAL: 500 sign_sz = TEE_MD5_HASH_SIZE; 501 break; 502 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 503 sign_sz = TEE_SHA1_HASH_SIZE; 504 break; 505 case PKCS11_CKM_SHA224_HMAC_GENERAL: 506 sign_sz = TEE_SHA224_HASH_SIZE; 507 break; 508 case PKCS11_CKM_SHA256_HMAC_GENERAL: 509 sign_sz = TEE_SHA256_HASH_SIZE; 510 break; 511 case PKCS11_CKM_SHA384_HMAC_GENERAL: 512 sign_sz = TEE_SHA384_HASH_SIZE; 513 break; 514 case PKCS11_CKM_SHA512_HMAC_GENERAL: 515 sign_sz = TEE_SHA512_HASH_SIZE; 516 break; 517 case PKCS11_CKM_AES_CMAC_GENERAL: 518 sign_sz = TEE_AES_BLOCK_SIZE; 519 break; 520 default: 521 return PKCS11_CKR_MECHANISM_INVALID; 522 } 523 524 if (!hmac_len || hmac_len > sign_sz) 525 return PKCS11_CKR_SIGNATURE_LEN_RANGE; 526 527 return PKCS11_CKR_OK; 528 } 529 530 static enum pkcs11_rc 531 init_tee_operation(struct pkcs11_session *session, 532 struct pkcs11_attribute_head *proc_params) 533 { 534 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 535 uint32_t *pkcs11_data = NULL; 536 537 switch (proc_params->id) { 538 case PKCS11_CKM_AES_CMAC: 539 case PKCS11_CKM_MD5_HMAC: 540 case PKCS11_CKM_SHA_1_HMAC: 541 case PKCS11_CKM_SHA224_HMAC: 542 case PKCS11_CKM_SHA256_HMAC: 543 case PKCS11_CKM_SHA384_HMAC: 544 case PKCS11_CKM_SHA512_HMAC: 545 if (proc_params->size) 546 return PKCS11_CKR_MECHANISM_PARAM_INVALID; 547 548 TEE_MACInit(session->processing->tee_op_handle, NULL, 0); 549 rc = PKCS11_CKR_OK; 550 break; 551 case PKCS11_CKM_AES_CMAC_GENERAL: 552 case PKCS11_CKM_MD5_HMAC_GENERAL: 553 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 554 case PKCS11_CKM_SHA224_HMAC_GENERAL: 555 case PKCS11_CKM_SHA256_HMAC_GENERAL: 556 case PKCS11_CKM_SHA384_HMAC_GENERAL: 557 case PKCS11_CKM_SHA512_HMAC_GENERAL: 558 if (proc_params->size != sizeof(uint32_t)) 559 return PKCS11_CKR_MECHANISM_PARAM_INVALID; 560 561 pkcs11_data = TEE_Malloc(sizeof(uint32_t), 562 TEE_MALLOC_FILL_ZERO); 563 if (!pkcs11_data) 564 return PKCS11_CKR_DEVICE_MEMORY; 565 566 TEE_MemMove(pkcs11_data, proc_params->data, sizeof(uint32_t)); 567 568 rc = input_hmac_len_is_valid(proc_params, *pkcs11_data); 569 if (rc) { 570 TEE_Free(pkcs11_data); 571 return rc; 572 } 573 574 session->processing->extra_ctx = (void *)pkcs11_data; 575 576 TEE_MACInit(session->processing->tee_op_handle, NULL, 0); 577 rc = PKCS11_CKR_OK; 578 break; 579 case PKCS11_CKM_AES_ECB: 580 if (proc_params->size) 581 return PKCS11_CKR_MECHANISM_PARAM_INVALID; 582 583 TEE_CipherInit(session->processing->tee_op_handle, NULL, 0); 584 rc = PKCS11_CKR_OK; 585 break; 586 case PKCS11_CKM_AES_CBC: 587 case PKCS11_CKM_AES_CBC_PAD: 588 case PKCS11_CKM_AES_CTS: 589 if (proc_params->size != 16) 590 return PKCS11_CKR_MECHANISM_PARAM_INVALID; 591 592 TEE_CipherInit(session->processing->tee_op_handle, 593 proc_params->data, 16); 594 rc = PKCS11_CKR_OK; 595 break; 596 case PKCS11_CKM_AES_CTR: 597 rc = tee_init_ctr_operation(session->processing, 598 proc_params->data, 599 proc_params->size); 600 break; 601 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: 602 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: 603 rc = tee_init_derive_symm(session->processing, proc_params); 604 break; 605 default: 606 TEE_Panic(proc_params->id); 607 break; 608 } 609 610 return rc; 611 } 612 613 enum pkcs11_rc init_symm_operation(struct pkcs11_session *session, 614 enum processing_func function, 615 struct pkcs11_attribute_head *proc_params, 616 struct pkcs11_object *obj) 617 { 618 enum pkcs11_rc rc = PKCS11_CKR_OK; 619 620 assert(processing_is_tee_symm(proc_params->id)); 621 622 rc = allocate_tee_operation(session, function, proc_params, obj); 623 if (rc) 624 return rc; 625 626 rc = load_tee_key(session, obj, proc_params); 627 if (rc) 628 return rc; 629 630 return init_tee_operation(session, proc_params); 631 } 632 633 /* Validate input buffer size as per PKCS#11 constraints */ 634 static enum pkcs11_rc input_data_size_is_valid(struct active_processing *proc, 635 enum processing_func function, 636 size_t in_size) 637 { 638 switch (proc->mecha_type) { 639 case PKCS11_CKM_AES_ECB: 640 case PKCS11_CKM_AES_CBC: 641 if (function == PKCS11_FUNCTION_ENCRYPT && 642 in_size % TEE_AES_BLOCK_SIZE) 643 return PKCS11_CKR_DATA_LEN_RANGE; 644 if (function == PKCS11_FUNCTION_DECRYPT && 645 in_size % TEE_AES_BLOCK_SIZE) 646 return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 647 break; 648 case PKCS11_CKM_AES_CBC_PAD: 649 if (function == PKCS11_FUNCTION_DECRYPT && 650 in_size % TEE_AES_BLOCK_SIZE) 651 return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 652 break; 653 case PKCS11_CKM_AES_CTS: 654 if (function == PKCS11_FUNCTION_ENCRYPT && 655 in_size < TEE_AES_BLOCK_SIZE) 656 return PKCS11_CKR_DATA_LEN_RANGE; 657 if (function == PKCS11_FUNCTION_DECRYPT && 658 in_size < TEE_AES_BLOCK_SIZE) 659 return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; 660 break; 661 default: 662 break; 663 } 664 665 return PKCS11_CKR_OK; 666 } 667 668 /* Validate input buffer size as per PKCS#11 constraints */ 669 static enum pkcs11_rc input_sign_size_is_valid(struct active_processing *proc, 670 size_t in_size) 671 { 672 size_t sign_sz = 0; 673 674 switch (proc->mecha_type) { 675 case PKCS11_CKM_MD5_HMAC: 676 sign_sz = TEE_MD5_HASH_SIZE; 677 break; 678 case PKCS11_CKM_SHA_1_HMAC: 679 sign_sz = TEE_SHA1_HASH_SIZE; 680 break; 681 case PKCS11_CKM_SHA224_HMAC: 682 sign_sz = TEE_SHA224_HASH_SIZE; 683 break; 684 case PKCS11_CKM_SHA256_HMAC: 685 sign_sz = TEE_SHA256_HASH_SIZE; 686 break; 687 case PKCS11_CKM_SHA384_HMAC: 688 sign_sz = TEE_SHA384_HASH_SIZE; 689 break; 690 case PKCS11_CKM_SHA512_HMAC: 691 sign_sz = TEE_SHA512_HASH_SIZE; 692 break; 693 case PKCS11_CKM_AES_CMAC: 694 sign_sz = TEE_AES_BLOCK_SIZE; 695 break; 696 default: 697 return PKCS11_CKR_GENERAL_ERROR; 698 } 699 700 if (in_size != sign_sz) 701 return PKCS11_CKR_SIGNATURE_LEN_RANGE; 702 703 return PKCS11_CKR_OK; 704 } 705 706 /* 707 * step_sym_cipher - processing symmetric (and related) cipher operation step 708 * 709 * @session - current session 710 * @function - processing function (encrypt, decrypt, sign, ...) 711 * @step - step ID in the processing (oneshot, update, final) 712 * @ptype - invocation parameter types 713 * @params - invocation parameter references 714 */ 715 enum pkcs11_rc step_symm_operation(struct pkcs11_session *session, 716 enum processing_func function, 717 enum processing_step step, 718 uint32_t ptypes, TEE_Param *params) 719 { 720 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 721 TEE_Result res = TEE_ERROR_GENERIC; 722 void *in_buf = NULL; 723 size_t in_size = 0; 724 void *out_buf = NULL; 725 uint32_t out_size = 0; 726 void *in2_buf = NULL; 727 uint32_t in2_size = 0; 728 bool output_data = false; 729 struct active_processing *proc = session->processing; 730 uint32_t hmac_len = 0; 731 uint8_t computed_mac[TEE_MAX_HASH_SIZE] = { 0 }; 732 uint32_t computed_mac_size = TEE_MAX_HASH_SIZE; 733 734 if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) { 735 in_buf = params[1].memref.buffer; 736 in_size = params[1].memref.size; 737 if (in_size && !in_buf) 738 return PKCS11_CKR_ARGUMENTS_BAD; 739 } 740 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) { 741 in2_buf = params[2].memref.buffer; 742 in2_size = params[2].memref.size; 743 if (in2_size && !in2_buf) 744 return PKCS11_CKR_ARGUMENTS_BAD; 745 } 746 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) { 747 out_buf = params[2].memref.buffer; 748 out_size = params[2].memref.size; 749 if (out_size && !out_buf) 750 return PKCS11_CKR_ARGUMENTS_BAD; 751 } 752 if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE) 753 return PKCS11_CKR_ARGUMENTS_BAD; 754 755 switch (step) { 756 case PKCS11_FUNC_STEP_ONESHOT: 757 case PKCS11_FUNC_STEP_UPDATE: 758 case PKCS11_FUNC_STEP_FINAL: 759 break; 760 default: 761 return PKCS11_CKR_GENERAL_ERROR; 762 } 763 764 if (step != PKCS11_FUNC_STEP_FINAL) { 765 rc = input_data_size_is_valid(proc, function, in_size); 766 if (rc) 767 return rc; 768 } 769 770 /* 771 * Feed active operation with data 772 */ 773 switch (proc->mecha_type) { 774 case PKCS11_CKM_AES_CMAC: 775 case PKCS11_CKM_MD5_HMAC: 776 case PKCS11_CKM_SHA_1_HMAC: 777 case PKCS11_CKM_SHA224_HMAC: 778 case PKCS11_CKM_SHA256_HMAC: 779 case PKCS11_CKM_SHA384_HMAC: 780 case PKCS11_CKM_SHA512_HMAC: 781 case PKCS11_CKM_AES_CMAC_GENERAL: 782 case PKCS11_CKM_MD5_HMAC_GENERAL: 783 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 784 case PKCS11_CKM_SHA224_HMAC_GENERAL: 785 case PKCS11_CKM_SHA256_HMAC_GENERAL: 786 case PKCS11_CKM_SHA384_HMAC_GENERAL: 787 case PKCS11_CKM_SHA512_HMAC_GENERAL: 788 if (step == PKCS11_FUNC_STEP_FINAL || 789 step == PKCS11_FUNC_STEP_ONESHOT) 790 break; 791 792 if (!in_buf) { 793 DMSG("No input data"); 794 return PKCS11_CKR_ARGUMENTS_BAD; 795 } 796 797 switch (function) { 798 case PKCS11_FUNCTION_SIGN: 799 case PKCS11_FUNCTION_VERIFY: 800 TEE_MACUpdate(proc->tee_op_handle, in_buf, in_size); 801 rc = PKCS11_CKR_OK; 802 break; 803 default: 804 TEE_Panic(function); 805 break; 806 } 807 break; 808 809 case PKCS11_CKM_AES_ECB: 810 case PKCS11_CKM_AES_CBC: 811 case PKCS11_CKM_AES_CBC_PAD: 812 case PKCS11_CKM_AES_CTS: 813 case PKCS11_CKM_AES_CTR: 814 if (step == PKCS11_FUNC_STEP_FINAL || 815 step == PKCS11_FUNC_STEP_ONESHOT) 816 break; 817 818 if (!in_buf) { 819 EMSG("No input data"); 820 return PKCS11_CKR_ARGUMENTS_BAD; 821 } 822 823 switch (function) { 824 case PKCS11_FUNCTION_ENCRYPT: 825 case PKCS11_FUNCTION_DECRYPT: 826 res = TEE_CipherUpdate(proc->tee_op_handle, 827 in_buf, in_size, 828 out_buf, &out_size); 829 output_data = true; 830 rc = tee2pkcs_error(res); 831 break; 832 default: 833 TEE_Panic(function); 834 break; 835 } 836 break; 837 838 default: 839 TEE_Panic(proc->mecha_type); 840 break; 841 } 842 843 if (step == PKCS11_FUNC_STEP_UPDATE) 844 goto out; 845 846 /* 847 * Finalize (PKCS11_FUNC_STEP_ONESHOT/_FINAL) operation 848 */ 849 switch (session->processing->mecha_type) { 850 case PKCS11_CKM_AES_CMAC: 851 case PKCS11_CKM_MD5_HMAC: 852 case PKCS11_CKM_SHA_1_HMAC: 853 case PKCS11_CKM_SHA224_HMAC: 854 case PKCS11_CKM_SHA256_HMAC: 855 case PKCS11_CKM_SHA384_HMAC: 856 case PKCS11_CKM_SHA512_HMAC: 857 switch (function) { 858 case PKCS11_FUNCTION_SIGN: 859 res = TEE_MACComputeFinal(proc->tee_op_handle, 860 in_buf, in_size, out_buf, 861 &out_size); 862 output_data = true; 863 rc = tee2pkcs_error(res); 864 break; 865 case PKCS11_FUNCTION_VERIFY: 866 rc = input_sign_size_is_valid(proc, in2_size); 867 if (rc) 868 return rc; 869 res = TEE_MACCompareFinal(proc->tee_op_handle, 870 in_buf, in_size, in2_buf, 871 in2_size); 872 rc = tee2pkcs_error(res); 873 break; 874 default: 875 TEE_Panic(function); 876 break; 877 } 878 879 break; 880 881 case PKCS11_CKM_AES_CMAC_GENERAL: 882 case PKCS11_CKM_MD5_HMAC_GENERAL: 883 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 884 case PKCS11_CKM_SHA224_HMAC_GENERAL: 885 case PKCS11_CKM_SHA256_HMAC_GENERAL: 886 case PKCS11_CKM_SHA384_HMAC_GENERAL: 887 case PKCS11_CKM_SHA512_HMAC_GENERAL: 888 assert(session->processing->extra_ctx); 889 hmac_len = *(uint32_t *)session->processing->extra_ctx; 890 891 switch (function) { 892 case PKCS11_FUNCTION_SIGN: 893 if (out_size < hmac_len) { 894 /* inform client of required size */ 895 out_size = hmac_len; 896 output_data = true; 897 rc = PKCS11_CKR_BUFFER_TOO_SMALL; 898 goto out; 899 } 900 901 res = TEE_MACComputeFinal(proc->tee_op_handle, 902 in_buf, in_size, 903 computed_mac, 904 &computed_mac_size); 905 if (res == TEE_SUCCESS) { 906 /* truncate to hmac_len */ 907 TEE_MemMove(out_buf, computed_mac, hmac_len); 908 output_data = true; 909 } 910 911 /* inform client of required size */ 912 out_size = hmac_len; 913 rc = tee2pkcs_error(res); 914 break; 915 case PKCS11_FUNCTION_VERIFY: 916 /* must compute full MAC before comparing partial */ 917 res = TEE_MACComputeFinal(proc->tee_op_handle, in_buf, 918 in_size, computed_mac, 919 &computed_mac_size); 920 921 if (!in2_size || in2_size > computed_mac_size) { 922 EMSG("Invalid signature size: %"PRIu32, 923 in2_size); 924 return PKCS11_CKR_SIGNATURE_LEN_RANGE; 925 } 926 927 if (res == TEE_SUCCESS) { 928 /* 929 * Only the first in2_size bytes of the 930 * signature to be verified is passed in from 931 * caller 932 */ 933 if (TEE_MemCompare(in2_buf, computed_mac, 934 in2_size)) { 935 res = TEE_ERROR_MAC_INVALID; 936 } 937 } 938 939 rc = tee2pkcs_error(res); 940 break; 941 default: 942 TEE_Panic(function); 943 break; 944 } 945 946 break; 947 948 case PKCS11_CKM_AES_ECB: 949 case PKCS11_CKM_AES_CBC: 950 case PKCS11_CKM_AES_CBC_PAD: 951 case PKCS11_CKM_AES_CTS: 952 case PKCS11_CKM_AES_CTR: 953 if (step == PKCS11_FUNC_STEP_ONESHOT && !in_buf) { 954 EMSG("No input data"); 955 return PKCS11_CKR_ARGUMENTS_BAD; 956 } 957 958 switch (function) { 959 case PKCS11_FUNCTION_ENCRYPT: 960 case PKCS11_FUNCTION_DECRYPT: 961 res = TEE_CipherDoFinal(proc->tee_op_handle, 962 in_buf, in_size, 963 out_buf, &out_size); 964 output_data = true; 965 rc = tee2pkcs_error(res); 966 break; 967 default: 968 TEE_Panic(function); 969 break; 970 } 971 break; 972 default: 973 TEE_Panic(proc->mecha_type); 974 break; 975 } 976 977 out: 978 if (output_data && 979 (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) { 980 switch (TEE_PARAM_TYPE_GET(ptypes, 2)) { 981 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 982 case TEE_PARAM_TYPE_MEMREF_INOUT: 983 params[2].memref.size = out_size; 984 break; 985 default: 986 rc = PKCS11_CKR_ARGUMENTS_BAD; 987 break; 988 } 989 } 990 991 return rc; 992 } 993 994 enum pkcs11_rc derive_key_by_symm_enc(struct pkcs11_session *session, 995 void **out_buf, uint32_t *out_size) 996 { 997 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR; 998 TEE_Result res = TEE_ERROR_GENERIC; 999 struct active_processing *proc = session->processing; 1000 struct input_data_ref *input = proc->extra_ctx; 1001 void *in_buf = NULL; 1002 void *dest_buf = NULL; 1003 uint32_t in_size = 0; 1004 1005 switch (proc->mecha_type) { 1006 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA: 1007 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA: 1008 if (!proc->extra_ctx) 1009 return PKCS11_CKR_ARGUMENTS_BAD; 1010 1011 in_buf = input->data; 1012 in_size = input->size; 1013 1014 *out_size = in_size; 1015 dest_buf = TEE_Malloc(*out_size, 0); 1016 if (!dest_buf) 1017 return PKCS11_CKR_DEVICE_MEMORY; 1018 1019 res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_size, 1020 dest_buf, out_size); 1021 rc = tee2pkcs_error(res); 1022 if (rc) { 1023 TEE_Free(dest_buf); 1024 return rc; 1025 } 1026 1027 *out_buf = dest_buf; 1028 break; 1029 default: 1030 return PKCS11_CKR_MECHANISM_INVALID; 1031 } 1032 1033 return rc; 1034 } 1035 1036 enum pkcs11_rc wrap_data_by_symm_enc(struct pkcs11_session *session, 1037 void *data, uint32_t data_sz, 1038 void *out_buf, uint32_t *out_sz) 1039 { 1040 TEE_Result res = TEE_ERROR_GENERIC; 1041 struct active_processing *proc = session->processing; 1042 void *in_buf = NULL; 1043 uint32_t align = 0; 1044 uint32_t in_sz = data_sz; 1045 uint32_t tmp_sz = *out_sz; 1046 uint8_t *tmp_buf = out_buf; 1047 1048 switch (proc->mecha_type) { 1049 case PKCS11_CKM_AES_ECB: 1050 case PKCS11_CKM_AES_CBC: 1051 align = data_sz % TEE_AES_BLOCK_SIZE; 1052 if (align) 1053 in_sz = data_sz + (TEE_AES_BLOCK_SIZE - align); 1054 1055 if (*out_sz < in_sz) { 1056 *out_sz = in_sz; 1057 return PKCS11_CKR_BUFFER_TOO_SMALL; 1058 } 1059 1060 if (align) { 1061 if (data_sz > TEE_AES_BLOCK_SIZE) { 1062 in_sz = data_sz - align; 1063 res = TEE_CipherUpdate(proc->tee_op_handle, 1064 data, in_sz, tmp_buf, 1065 &tmp_sz); 1066 if (res) { 1067 assert(res != TEE_ERROR_SHORT_BUFFER); 1068 return tee2pkcs_error(res); 1069 } 1070 tmp_buf += tmp_sz; 1071 tmp_sz = *out_sz - tmp_sz; 1072 } else { 1073 in_sz = 0; 1074 } 1075 1076 in_buf = TEE_Malloc(TEE_AES_BLOCK_SIZE, 1077 TEE_MALLOC_FILL_ZERO); 1078 if (!in_buf) 1079 return PKCS11_CKR_DEVICE_MEMORY; 1080 1081 TEE_MemMove(in_buf, (uint8_t *)data + in_sz, align); 1082 in_sz = TEE_AES_BLOCK_SIZE; 1083 } else { 1084 in_buf = data; 1085 in_sz = data_sz; 1086 } 1087 1088 res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_sz, 1089 tmp_buf, &tmp_sz); 1090 if (res == TEE_SUCCESS || res == TEE_ERROR_SHORT_BUFFER) { 1091 *out_sz = tmp_sz; 1092 if (align) 1093 *out_sz += tmp_buf - (uint8_t *)out_buf; 1094 } 1095 1096 if (align) 1097 TEE_Free(in_buf); 1098 1099 return tee2pkcs_error(res); 1100 default: 1101 return PKCS11_CKR_MECHANISM_INVALID; 1102 } 1103 1104 return PKCS11_CKR_GENERAL_ERROR; 1105 } 1106 1107 enum pkcs11_rc unwrap_key_by_symm(struct pkcs11_session *session, void *data, 1108 uint32_t data_sz, void **out_buf, 1109 uint32_t *out_sz) 1110 { 1111 TEE_Result res = TEE_ERROR_GENERIC; 1112 struct active_processing *proc = session->processing; 1113 1114 if (input_data_size_is_valid(proc, PKCS11_FUNCTION_DECRYPT, data_sz)) 1115 return PKCS11_CKR_WRAPPED_KEY_LEN_RANGE; 1116 1117 switch (proc->mecha_type) { 1118 case PKCS11_CKM_AES_ECB: 1119 case PKCS11_CKM_AES_CBC: 1120 *out_sz = 0; 1121 res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz, 1122 NULL, out_sz); 1123 if (res != TEE_ERROR_SHORT_BUFFER) { 1124 DMSG("TEE_CipherDoFinal() issue: %#"PRIx32, res); 1125 return PKCS11_CKR_GENERAL_ERROR; 1126 } 1127 1128 *out_buf = TEE_Malloc(*out_sz, TEE_MALLOC_FILL_ZERO); 1129 if (!*out_buf) 1130 return PKCS11_CKR_DEVICE_MEMORY; 1131 1132 res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz, 1133 *out_buf, out_sz); 1134 if (tee2pkcs_error(res)) { 1135 TEE_Free(*out_buf); 1136 *out_buf = NULL; 1137 return PKCS11_CKR_WRAPPED_KEY_INVALID; 1138 } 1139 break; 1140 default: 1141 return PKCS11_CKR_MECHANISM_INVALID; 1142 } 1143 1144 return PKCS11_CKR_OK; 1145 } 1146