1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2017-2020, Linaro Limited
4 */
5
6 #include <assert.h>
7 #include <pkcs11_ta.h>
8 #include <string.h>
9 #include <tee_api_defines.h>
10 #include <tee_internal_api.h>
11 #include <tee_internal_api_extensions.h>
12 #include <utee_defines.h>
13 #include <util.h>
14
15 #include "attributes.h"
16 #include "object.h"
17 #include "pkcs11_attributes.h"
18 #include "pkcs11_helpers.h"
19 #include "pkcs11_token.h"
20 #include "processing.h"
21 #include "serializer.h"
22
23 struct input_data_ref {
24 size_t size;
25 void *data;
26 };
27
processing_is_tee_symm(enum pkcs11_mechanism_id proc_id)28 bool processing_is_tee_symm(enum pkcs11_mechanism_id proc_id)
29 {
30 switch (proc_id) {
31 /* Authentication */
32 case PKCS11_CKM_AES_CMAC:
33 case PKCS11_CKM_MD5_HMAC:
34 case PKCS11_CKM_SHA_1_HMAC:
35 case PKCS11_CKM_SHA224_HMAC:
36 case PKCS11_CKM_SHA256_HMAC:
37 case PKCS11_CKM_SHA384_HMAC:
38 case PKCS11_CKM_SHA512_HMAC:
39 case PKCS11_CKM_AES_CMAC_GENERAL:
40 case PKCS11_CKM_MD5_HMAC_GENERAL:
41 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
42 case PKCS11_CKM_SHA224_HMAC_GENERAL:
43 case PKCS11_CKM_SHA256_HMAC_GENERAL:
44 case PKCS11_CKM_SHA384_HMAC_GENERAL:
45 case PKCS11_CKM_SHA512_HMAC_GENERAL:
46 /* Ciphering */
47 case PKCS11_CKM_AES_ECB:
48 case PKCS11_CKM_AES_CBC:
49 case PKCS11_CKM_AES_CTS:
50 case PKCS11_CKM_AES_CTR:
51 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA:
52 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA:
53 return true;
54 default:
55 return false;
56 }
57 }
58
59 static enum pkcs11_rc
pkcs2tee_algorithm(uint32_t * tee_id,struct pkcs11_attribute_head * proc_params)60 pkcs2tee_algorithm(uint32_t *tee_id, struct pkcs11_attribute_head *proc_params)
61 {
62 static const struct {
63 enum pkcs11_mechanism_id mech_id;
64 uint32_t tee_id;
65 } pkcs2tee_algo[] = {
66 /* AES flavors */
67 { PKCS11_CKM_AES_ECB, TEE_ALG_AES_ECB_NOPAD },
68 { PKCS11_CKM_AES_CBC, TEE_ALG_AES_CBC_NOPAD },
69 { PKCS11_CKM_AES_ECB_ENCRYPT_DATA, TEE_ALG_AES_ECB_NOPAD },
70 { PKCS11_CKM_AES_CBC_ENCRYPT_DATA, TEE_ALG_AES_CBC_NOPAD },
71 { PKCS11_CKM_AES_CTR, TEE_ALG_AES_CTR },
72 { PKCS11_CKM_AES_CTS, TEE_ALG_AES_CTS },
73 { PKCS11_CKM_AES_CMAC, TEE_ALG_AES_CMAC },
74 { PKCS11_CKM_AES_CMAC_GENERAL, TEE_ALG_AES_CMAC },
75 /* HMAC flavors */
76 { PKCS11_CKM_MD5_HMAC, TEE_ALG_HMAC_MD5 },
77 { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_HMAC_SHA1 },
78 { PKCS11_CKM_SHA224_HMAC, TEE_ALG_HMAC_SHA224 },
79 { PKCS11_CKM_SHA256_HMAC, TEE_ALG_HMAC_SHA256 },
80 { PKCS11_CKM_SHA384_HMAC, TEE_ALG_HMAC_SHA384 },
81 { PKCS11_CKM_SHA512_HMAC, TEE_ALG_HMAC_SHA512 },
82 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_HMAC_MD5 },
83 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_HMAC_SHA1 },
84 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_HMAC_SHA224 },
85 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_HMAC_SHA256 },
86 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_HMAC_SHA384 },
87 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_HMAC_SHA512 },
88 };
89 size_t n = 0;
90
91 for (n = 0; n < ARRAY_SIZE(pkcs2tee_algo); n++) {
92 if (proc_params->id == pkcs2tee_algo[n].mech_id) {
93 *tee_id = pkcs2tee_algo[n].tee_id;
94 return PKCS11_CKR_OK;
95 }
96 }
97
98 return PKCS11_RV_NOT_IMPLEMENTED;
99 }
100
pkcs2tee_key_type(uint32_t * tee_type,struct pkcs11_object * obj)101 static enum pkcs11_rc pkcs2tee_key_type(uint32_t *tee_type,
102 struct pkcs11_object *obj)
103 {
104 static const struct {
105 enum pkcs11_key_type key_type;
106 uint32_t tee_id;
107 } pkcs2tee_key_type[] = {
108 { PKCS11_CKK_AES, TEE_TYPE_AES },
109 { PKCS11_CKK_GENERIC_SECRET, TEE_TYPE_GENERIC_SECRET },
110 { PKCS11_CKK_MD5_HMAC, TEE_TYPE_HMAC_MD5 },
111 { PKCS11_CKK_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 },
112 { PKCS11_CKK_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 },
113 { PKCS11_CKK_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 },
114 { PKCS11_CKK_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 },
115 { PKCS11_CKK_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 },
116 };
117 size_t n = 0;
118 enum pkcs11_key_type key_type = get_key_type(obj->attributes);
119
120 assert(get_class(obj->attributes) == PKCS11_CKO_SECRET_KEY);
121
122 for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) {
123 if (pkcs2tee_key_type[n].key_type == key_type) {
124 *tee_type = pkcs2tee_key_type[n].tee_id;
125 return PKCS11_CKR_OK;
126 }
127 }
128
129 return PKCS11_RV_NOT_FOUND;
130 }
131
pkcsmech2tee_key_type(uint32_t * tee_type,enum pkcs11_mechanism_id mech_id)132 static enum pkcs11_rc pkcsmech2tee_key_type(uint32_t *tee_type,
133 enum pkcs11_mechanism_id mech_id)
134 {
135 static const struct {
136 enum pkcs11_mechanism_id mech;
137 uint32_t tee_id;
138 } pkcs2tee_key_type[] = {
139 { PKCS11_CKM_MD5_HMAC, TEE_TYPE_HMAC_MD5 },
140 { PKCS11_CKM_SHA_1_HMAC, TEE_TYPE_HMAC_SHA1 },
141 { PKCS11_CKM_SHA224_HMAC, TEE_TYPE_HMAC_SHA224 },
142 { PKCS11_CKM_SHA256_HMAC, TEE_TYPE_HMAC_SHA256 },
143 { PKCS11_CKM_SHA384_HMAC, TEE_TYPE_HMAC_SHA384 },
144 { PKCS11_CKM_SHA512_HMAC, TEE_TYPE_HMAC_SHA512 },
145 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_TYPE_HMAC_MD5 },
146 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_TYPE_HMAC_SHA1 },
147 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_TYPE_HMAC_SHA224 },
148 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_TYPE_HMAC_SHA256 },
149 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_TYPE_HMAC_SHA384 },
150 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_TYPE_HMAC_SHA512 },
151 };
152 size_t n = 0;
153
154 for (n = 0; n < ARRAY_SIZE(pkcs2tee_key_type); n++) {
155 if (pkcs2tee_key_type[n].mech == mech_id) {
156 *tee_type = pkcs2tee_key_type[n].tee_id;
157 return PKCS11_CKR_OK;
158 }
159 }
160
161 return PKCS11_RV_NOT_FOUND;
162 }
163
hmac_to_tee_hash(uint32_t * algo,enum pkcs11_mechanism_id mech_id)164 static enum pkcs11_rc hmac_to_tee_hash(uint32_t *algo,
165 enum pkcs11_mechanism_id mech_id)
166 {
167 static const struct {
168 enum pkcs11_mechanism_id mech;
169 uint32_t tee_id;
170 } hmac_hash[] = {
171 { PKCS11_CKM_MD5_HMAC, TEE_ALG_MD5 },
172 { PKCS11_CKM_SHA_1_HMAC, TEE_ALG_SHA1 },
173 { PKCS11_CKM_SHA224_HMAC, TEE_ALG_SHA224 },
174 { PKCS11_CKM_SHA256_HMAC, TEE_ALG_SHA256 },
175 { PKCS11_CKM_SHA384_HMAC, TEE_ALG_SHA384 },
176 { PKCS11_CKM_SHA512_HMAC, TEE_ALG_SHA512 },
177 { PKCS11_CKM_MD5_HMAC_GENERAL, TEE_ALG_MD5 },
178 { PKCS11_CKM_SHA_1_HMAC_GENERAL, TEE_ALG_SHA1 },
179 { PKCS11_CKM_SHA224_HMAC_GENERAL, TEE_ALG_SHA224 },
180 { PKCS11_CKM_SHA256_HMAC_GENERAL, TEE_ALG_SHA256 },
181 { PKCS11_CKM_SHA384_HMAC_GENERAL, TEE_ALG_SHA384 },
182 { PKCS11_CKM_SHA512_HMAC_GENERAL, TEE_ALG_SHA512 },
183 };
184 size_t n = 0;
185
186 for (n = 0; n < ARRAY_SIZE(hmac_hash); n++) {
187 if (hmac_hash[n].mech == mech_id) {
188 *algo = hmac_hash[n].tee_id;
189 return PKCS11_CKR_OK;
190 }
191 }
192
193 return PKCS11_RV_NOT_FOUND;
194 }
195
196 static enum pkcs11_rc
allocate_tee_operation(struct pkcs11_session * session,enum processing_func function,struct pkcs11_attribute_head * params,struct pkcs11_object * obj)197 allocate_tee_operation(struct pkcs11_session *session,
198 enum processing_func function,
199 struct pkcs11_attribute_head *params,
200 struct pkcs11_object *obj)
201 {
202 uint32_t size = (uint32_t)get_object_key_bit_size(obj);
203 uint32_t key_size = size / 8;
204 uint32_t algo = 0;
205 uint32_t mode = 0;
206 uint32_t max_key_size = 0;
207 uint32_t min_key_size = 0;
208 TEE_Result res = TEE_ERROR_GENERIC;
209
210 assert(session->processing->tee_op_handle == TEE_HANDLE_NULL);
211
212 if (pkcs2tee_algorithm(&algo, params))
213 return PKCS11_CKR_FUNCTION_FAILED;
214
215 /* Sign/Verify with AES or generic key relate to TEE MAC operation */
216 switch (params->id) {
217 case PKCS11_CKM_MD5_HMAC:
218 case PKCS11_CKM_SHA_1_HMAC:
219 case PKCS11_CKM_SHA224_HMAC:
220 case PKCS11_CKM_SHA256_HMAC:
221 case PKCS11_CKM_SHA384_HMAC:
222 case PKCS11_CKM_SHA512_HMAC:
223 case PKCS11_CKM_MD5_HMAC_GENERAL:
224 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
225 case PKCS11_CKM_SHA224_HMAC_GENERAL:
226 case PKCS11_CKM_SHA256_HMAC_GENERAL:
227 case PKCS11_CKM_SHA384_HMAC_GENERAL:
228 case PKCS11_CKM_SHA512_HMAC_GENERAL:
229 mechanism_supported_key_sizes_bytes(params->id, &min_key_size,
230 &max_key_size);
231 if (key_size < min_key_size)
232 return PKCS11_CKR_KEY_SIZE_RANGE;
233
234 /*
235 * If size of generic key is greater than the size
236 * supported by TEE API, this is not considered an
237 * error. When loading TEE key, we will hash the key
238 * to generate the appropriate key for HMAC operation.
239 * This key size will not be greater than the
240 * max_key_size. So we can use max_key_size for
241 * TEE_AllocateOperation().
242 */
243 if (key_size > max_key_size)
244 size = max_key_size * 8;
245
246 mode = TEE_MODE_MAC;
247 break;
248 case PKCS11_CKM_AES_CMAC:
249 case PKCS11_CKM_AES_CMAC_GENERAL:
250 mode = TEE_MODE_MAC;
251 break;
252 default:
253 pkcs2tee_mode(&mode, function);
254 break;
255 }
256
257 res = TEE_AllocateOperation(&session->processing->tee_op_handle,
258 algo, mode, size);
259 if (res)
260 EMSG("TEE_AllocateOp. failed %#"PRIx32" %#"PRIx32" %#"PRIx32,
261 algo, mode, size);
262
263 if (res == TEE_ERROR_NOT_SUPPORTED)
264 return PKCS11_CKR_MECHANISM_INVALID;
265
266 return tee2pkcs_error(res);
267 }
268
hash_secret_helper(enum pkcs11_mechanism_id mech_id,struct pkcs11_object * obj,TEE_Attribute * tee_attr,void ** ctx,size_t * object_size_bits)269 static enum pkcs11_rc hash_secret_helper(enum pkcs11_mechanism_id mech_id,
270 struct pkcs11_object *obj,
271 TEE_Attribute *tee_attr,
272 void **ctx,
273 size_t *object_size_bits)
274 {
275 uint32_t algo = 0;
276 void *hash_ptr = NULL;
277 uint32_t hash_size = 0;
278 enum pkcs11_rc rc = PKCS11_CKR_OK;
279
280 rc = hmac_to_tee_hash(&algo, mech_id);
281 if (rc)
282 return rc;
283
284 hash_size = TEE_ALG_GET_DIGEST_SIZE(algo);
285 hash_ptr = TEE_Malloc(hash_size, 0);
286 if (!hash_ptr)
287 return PKCS11_CKR_DEVICE_MEMORY;
288
289 rc = pkcs2tee_load_hashed_attr(tee_attr, TEE_ATTR_SECRET_VALUE, obj,
290 PKCS11_CKA_VALUE, algo, hash_ptr,
291 &hash_size);
292 if (rc) {
293 EMSG("No secret/hash error");
294 TEE_Free(hash_ptr);
295 return rc;
296 }
297
298 *ctx = hash_ptr;
299
300 *object_size_bits = hash_size * 8;
301
302 return PKCS11_CKR_OK;
303 }
304
load_tee_key(struct pkcs11_session * session,struct pkcs11_object * obj,struct pkcs11_attribute_head * proc_params)305 static enum pkcs11_rc load_tee_key(struct pkcs11_session *session,
306 struct pkcs11_object *obj,
307 struct pkcs11_attribute_head *proc_params)
308 {
309 TEE_Attribute tee_attr = { };
310 size_t object_size = 0;
311 uint32_t tee_key_type = 0;
312 enum pkcs11_key_type key_type = 0;
313 enum pkcs11_rc rc = PKCS11_CKR_OK;
314 TEE_Result res = TEE_ERROR_GENERIC;
315 uint32_t max_key_size = 0;
316 uint32_t min_key_size = 0;
317
318 if (obj->key_handle != TEE_HANDLE_NULL) {
319 /* Key was already loaded and fits current need */
320 goto key_ready;
321 }
322
323 object_size = get_object_key_bit_size(obj);
324 if (!object_size)
325 return PKCS11_CKR_GENERAL_ERROR;
326
327 switch (proc_params->id) {
328 case PKCS11_CKM_MD5_HMAC:
329 case PKCS11_CKM_SHA_1_HMAC:
330 case PKCS11_CKM_SHA224_HMAC:
331 case PKCS11_CKM_SHA256_HMAC:
332 case PKCS11_CKM_SHA384_HMAC:
333 case PKCS11_CKM_SHA512_HMAC:
334 case PKCS11_CKM_MD5_HMAC_GENERAL:
335 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
336 case PKCS11_CKM_SHA224_HMAC_GENERAL:
337 case PKCS11_CKM_SHA256_HMAC_GENERAL:
338 case PKCS11_CKM_SHA384_HMAC_GENERAL:
339 case PKCS11_CKM_SHA512_HMAC_GENERAL:
340 key_type = get_key_type(obj->attributes);
341 /*
342 * If Object Key type is PKCS11_CKK_GENERIC_SECRET,
343 * determine the tee_key_type using the
344 * mechanism instead of object key_type.
345 */
346 if (key_type == PKCS11_CKK_GENERIC_SECRET)
347 rc = pkcsmech2tee_key_type(&tee_key_type,
348 proc_params->id);
349 else
350 rc = pkcs2tee_key_type(&tee_key_type, obj);
351
352 if (rc)
353 return rc;
354
355 mechanism_supported_key_sizes_bytes(proc_params->id,
356 &min_key_size,
357 &max_key_size);
358
359 if ((object_size / 8) > max_key_size) {
360 rc = hash_secret_helper(proc_params->id, obj, &tee_attr,
361 &session->processing->extra_ctx,
362 &object_size);
363 if (rc)
364 return rc;
365 } else {
366 if (!pkcs2tee_load_attr(&tee_attr,
367 TEE_ATTR_SECRET_VALUE,
368 obj,
369 PKCS11_CKA_VALUE)) {
370 EMSG("No secret found");
371 return PKCS11_CKR_FUNCTION_FAILED;
372 }
373 }
374 break;
375
376 default:
377 rc = pkcs2tee_key_type(&tee_key_type, obj);
378 if (rc)
379 return rc;
380
381 if (!pkcs2tee_load_attr(&tee_attr, TEE_ATTR_SECRET_VALUE,
382 obj, PKCS11_CKA_VALUE)) {
383 EMSG("No secret found");
384 return PKCS11_CKR_FUNCTION_FAILED;
385 }
386 break;
387 }
388
389 res = TEE_AllocateTransientObject(tee_key_type, object_size,
390 &obj->key_handle);
391 if (res) {
392 DMSG("TEE_AllocateTransientObject failed, %#"PRIx32, res);
393 return tee2pkcs_error(res);
394 }
395
396 res = TEE_PopulateTransientObject(obj->key_handle, &tee_attr, 1);
397 if (res) {
398 DMSG("TEE_PopulateTransientObject failed, %#"PRIx32, res);
399 goto error;
400 }
401
402 key_ready:
403 res = TEE_SetOperationKey(session->processing->tee_op_handle,
404 obj->key_handle);
405 if (res) {
406 DMSG("TEE_SetOperationKey failed, %#"PRIx32, res);
407 goto error;
408 }
409
410 return PKCS11_CKR_OK;
411
412 error:
413 TEE_FreeTransientObject(obj->key_handle);
414 obj->key_handle = TEE_HANDLE_NULL;
415
416 return tee2pkcs_error(res);
417 }
418
419 static enum pkcs11_rc
tee_init_derive_symm(struct active_processing * processing,struct pkcs11_attribute_head * proc_params)420 tee_init_derive_symm(struct active_processing *processing,
421 struct pkcs11_attribute_head *proc_params)
422 {
423 struct serialargs args = { };
424 enum pkcs11_rc rc = PKCS11_CKR_OK;
425 struct input_data_ref *param = NULL;
426 void *iv = NULL;
427
428 if (!proc_params)
429 return PKCS11_CKR_ARGUMENTS_BAD;
430
431 param = TEE_Malloc(sizeof(struct input_data_ref), TEE_MALLOC_FILL_ZERO);
432 if (!param)
433 return PKCS11_CKR_DEVICE_MEMORY;
434
435 serialargs_init(&args, proc_params->data, proc_params->size);
436
437 switch (proc_params->id) {
438 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA:
439 rc = serialargs_get_ptr(&args, &iv, 16);
440 if (rc)
441 goto err;
442 break;
443 default:
444 break;
445 }
446
447 rc = serialargs_get(&args, ¶m->size, sizeof(uint32_t));
448 if (rc)
449 goto err;
450
451 rc = serialargs_get_ptr(&args, ¶m->data, param->size);
452 if (rc)
453 goto err;
454
455 if (serialargs_remaining_bytes(&args)) {
456 rc = PKCS11_CKR_ARGUMENTS_BAD;
457 goto err;
458 }
459
460 processing->extra_ctx = param;
461
462 switch (proc_params->id) {
463 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA:
464 if (param->size % TEE_AES_BLOCK_SIZE) {
465 rc = PKCS11_CKR_DATA_LEN_RANGE;
466 goto err;
467 }
468 TEE_CipherInit(processing->tee_op_handle, NULL, 0);
469 break;
470 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA:
471 if (param->size % TEE_AES_BLOCK_SIZE) {
472 rc = PKCS11_CKR_DATA_LEN_RANGE;
473 goto err;
474 }
475 TEE_CipherInit(processing->tee_op_handle, iv, 16);
476 break;
477 default:
478 TEE_Panic(proc_params->id);
479 break;
480 }
481
482 return PKCS11_CKR_OK;
483
484 err:
485 processing->extra_ctx = NULL;
486 TEE_Free(param);
487 return rc;
488 }
489
490 static enum pkcs11_rc
input_hmac_len_is_valid(struct pkcs11_attribute_head * proc_params,uint32_t hmac_len)491 input_hmac_len_is_valid(struct pkcs11_attribute_head *proc_params,
492 uint32_t hmac_len)
493 {
494 uint32_t sign_sz = 0;
495
496 switch (proc_params->id) {
497 case PKCS11_CKM_MD5_HMAC_GENERAL:
498 sign_sz = TEE_MD5_HASH_SIZE;
499 break;
500 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
501 sign_sz = TEE_SHA1_HASH_SIZE;
502 break;
503 case PKCS11_CKM_SHA224_HMAC_GENERAL:
504 sign_sz = TEE_SHA224_HASH_SIZE;
505 break;
506 case PKCS11_CKM_SHA256_HMAC_GENERAL:
507 sign_sz = TEE_SHA256_HASH_SIZE;
508 break;
509 case PKCS11_CKM_SHA384_HMAC_GENERAL:
510 sign_sz = TEE_SHA384_HASH_SIZE;
511 break;
512 case PKCS11_CKM_SHA512_HMAC_GENERAL:
513 sign_sz = TEE_SHA512_HASH_SIZE;
514 break;
515 case PKCS11_CKM_AES_CMAC_GENERAL:
516 sign_sz = TEE_AES_BLOCK_SIZE;
517 break;
518 default:
519 return PKCS11_CKR_MECHANISM_INVALID;
520 }
521
522 if (!hmac_len || hmac_len > sign_sz)
523 return PKCS11_CKR_SIGNATURE_LEN_RANGE;
524
525 return PKCS11_CKR_OK;
526 }
527
528 static enum pkcs11_rc
init_tee_operation(struct pkcs11_session * session,struct pkcs11_attribute_head * proc_params)529 init_tee_operation(struct pkcs11_session *session,
530 struct pkcs11_attribute_head *proc_params)
531 {
532 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR;
533 uint32_t *pkcs11_data = NULL;
534
535 switch (proc_params->id) {
536 case PKCS11_CKM_AES_CMAC:
537 case PKCS11_CKM_MD5_HMAC:
538 case PKCS11_CKM_SHA_1_HMAC:
539 case PKCS11_CKM_SHA224_HMAC:
540 case PKCS11_CKM_SHA256_HMAC:
541 case PKCS11_CKM_SHA384_HMAC:
542 case PKCS11_CKM_SHA512_HMAC:
543 if (proc_params->size)
544 return PKCS11_CKR_MECHANISM_PARAM_INVALID;
545
546 TEE_MACInit(session->processing->tee_op_handle, NULL, 0);
547 rc = PKCS11_CKR_OK;
548 break;
549 case PKCS11_CKM_AES_CMAC_GENERAL:
550 case PKCS11_CKM_MD5_HMAC_GENERAL:
551 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
552 case PKCS11_CKM_SHA224_HMAC_GENERAL:
553 case PKCS11_CKM_SHA256_HMAC_GENERAL:
554 case PKCS11_CKM_SHA384_HMAC_GENERAL:
555 case PKCS11_CKM_SHA512_HMAC_GENERAL:
556 if (proc_params->size != sizeof(uint32_t))
557 return PKCS11_CKR_MECHANISM_PARAM_INVALID;
558
559 pkcs11_data = TEE_Malloc(sizeof(uint32_t),
560 TEE_MALLOC_FILL_ZERO);
561 if (!pkcs11_data)
562 return PKCS11_CKR_DEVICE_MEMORY;
563
564 TEE_MemMove(pkcs11_data, proc_params->data, sizeof(uint32_t));
565
566 rc = input_hmac_len_is_valid(proc_params, *pkcs11_data);
567 if (rc) {
568 TEE_Free(pkcs11_data);
569 return rc;
570 }
571
572 session->processing->extra_ctx = (void *)pkcs11_data;
573
574 TEE_MACInit(session->processing->tee_op_handle, NULL, 0);
575 rc = PKCS11_CKR_OK;
576 break;
577 case PKCS11_CKM_AES_ECB:
578 if (proc_params->size)
579 return PKCS11_CKR_MECHANISM_PARAM_INVALID;
580
581 TEE_CipherInit(session->processing->tee_op_handle, NULL, 0);
582 rc = PKCS11_CKR_OK;
583 break;
584 case PKCS11_CKM_AES_CBC:
585 case PKCS11_CKM_AES_CTS:
586 if (proc_params->size != 16)
587 return PKCS11_CKR_MECHANISM_PARAM_INVALID;
588
589 TEE_CipherInit(session->processing->tee_op_handle,
590 proc_params->data, 16);
591 rc = PKCS11_CKR_OK;
592 break;
593 case PKCS11_CKM_AES_CTR:
594 rc = tee_init_ctr_operation(session->processing,
595 proc_params->data,
596 proc_params->size);
597 break;
598 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA:
599 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA:
600 rc = tee_init_derive_symm(session->processing, proc_params);
601 break;
602 default:
603 TEE_Panic(proc_params->id);
604 break;
605 }
606
607 return rc;
608 }
609
init_symm_operation(struct pkcs11_session * session,enum processing_func function,struct pkcs11_attribute_head * proc_params,struct pkcs11_object * obj)610 enum pkcs11_rc init_symm_operation(struct pkcs11_session *session,
611 enum processing_func function,
612 struct pkcs11_attribute_head *proc_params,
613 struct pkcs11_object *obj)
614 {
615 enum pkcs11_rc rc = PKCS11_CKR_OK;
616
617 assert(processing_is_tee_symm(proc_params->id));
618
619 rc = allocate_tee_operation(session, function, proc_params, obj);
620 if (rc)
621 return rc;
622
623 rc = load_tee_key(session, obj, proc_params);
624 if (rc)
625 return rc;
626
627 rc = init_tee_operation(session, proc_params);
628 if (!rc)
629 session->processing->mecha_type = proc_params->id;
630
631 return rc;
632 }
633
634 /* Validate input buffer size as per PKCS#11 constraints */
input_data_size_is_valid(struct active_processing * proc,enum processing_func function,size_t in_size)635 static enum pkcs11_rc input_data_size_is_valid(struct active_processing *proc,
636 enum processing_func function,
637 size_t in_size)
638 {
639 switch (proc->mecha_type) {
640 case PKCS11_CKM_AES_ECB:
641 case PKCS11_CKM_AES_CBC:
642 if (function == PKCS11_FUNCTION_ENCRYPT &&
643 in_size % TEE_AES_BLOCK_SIZE)
644 return PKCS11_CKR_DATA_LEN_RANGE;
645 if (function == PKCS11_FUNCTION_DECRYPT &&
646 in_size % TEE_AES_BLOCK_SIZE)
647 return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
648 break;
649 case PKCS11_CKM_AES_CTS:
650 if (function == PKCS11_FUNCTION_ENCRYPT &&
651 in_size < TEE_AES_BLOCK_SIZE)
652 return PKCS11_CKR_DATA_LEN_RANGE;
653 if (function == PKCS11_FUNCTION_DECRYPT &&
654 in_size < TEE_AES_BLOCK_SIZE)
655 return PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
656 break;
657 default:
658 break;
659 }
660
661 return PKCS11_CKR_OK;
662 }
663
664 /* Validate input buffer size as per PKCS#11 constraints */
input_sign_size_is_valid(struct active_processing * proc,size_t in_size)665 static enum pkcs11_rc input_sign_size_is_valid(struct active_processing *proc,
666 size_t in_size)
667 {
668 size_t sign_sz = 0;
669
670 switch (proc->mecha_type) {
671 case PKCS11_CKM_MD5_HMAC:
672 sign_sz = TEE_MD5_HASH_SIZE;
673 break;
674 case PKCS11_CKM_SHA_1_HMAC:
675 sign_sz = TEE_SHA1_HASH_SIZE;
676 break;
677 case PKCS11_CKM_SHA224_HMAC:
678 sign_sz = TEE_SHA224_HASH_SIZE;
679 break;
680 case PKCS11_CKM_SHA256_HMAC:
681 sign_sz = TEE_SHA256_HASH_SIZE;
682 break;
683 case PKCS11_CKM_SHA384_HMAC:
684 sign_sz = TEE_SHA384_HASH_SIZE;
685 break;
686 case PKCS11_CKM_SHA512_HMAC:
687 sign_sz = TEE_SHA512_HASH_SIZE;
688 break;
689 case PKCS11_CKM_AES_CMAC:
690 sign_sz = TEE_AES_BLOCK_SIZE;
691 break;
692 default:
693 return PKCS11_CKR_GENERAL_ERROR;
694 }
695
696 if (in_size != sign_sz)
697 return PKCS11_CKR_SIGNATURE_LEN_RANGE;
698
699 return PKCS11_CKR_OK;
700 }
701
702 /*
703 * step_sym_cipher - processing symmetric (and related) cipher operation step
704 *
705 * @session - current session
706 * @function - processing function (encrypt, decrypt, sign, ...)
707 * @step - step ID in the processing (oneshot, update, final)
708 * @ptype - invocation parameter types
709 * @params - invocation parameter references
710 */
step_symm_operation(struct pkcs11_session * session,enum processing_func function,enum processing_step step,uint32_t ptypes,TEE_Param * params)711 enum pkcs11_rc step_symm_operation(struct pkcs11_session *session,
712 enum processing_func function,
713 enum processing_step step,
714 uint32_t ptypes, TEE_Param *params)
715 {
716 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR;
717 TEE_Result res = TEE_ERROR_GENERIC;
718 void *in_buf = NULL;
719 size_t in_size = 0;
720 void *out_buf = NULL;
721 uint32_t out_size = 0;
722 void *in2_buf = NULL;
723 uint32_t in2_size = 0;
724 bool output_data = false;
725 struct active_processing *proc = session->processing;
726 uint32_t hmac_len = 0;
727 uint8_t computed_mac[TEE_MAX_HASH_SIZE] = { 0 };
728 uint32_t computed_mac_size = TEE_MAX_HASH_SIZE;
729
730 if (TEE_PARAM_TYPE_GET(ptypes, 1) == TEE_PARAM_TYPE_MEMREF_INPUT) {
731 in_buf = params[1].memref.buffer;
732 in_size = params[1].memref.size;
733 if (in_size && !in_buf)
734 return PKCS11_CKR_ARGUMENTS_BAD;
735 }
736 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_INPUT) {
737 in2_buf = params[2].memref.buffer;
738 in2_size = params[2].memref.size;
739 if (in2_size && !in2_buf)
740 return PKCS11_CKR_ARGUMENTS_BAD;
741 }
742 if (TEE_PARAM_TYPE_GET(ptypes, 2) == TEE_PARAM_TYPE_MEMREF_OUTPUT) {
743 out_buf = params[2].memref.buffer;
744 out_size = params[2].memref.size;
745 if (out_size && !out_buf)
746 return PKCS11_CKR_ARGUMENTS_BAD;
747 }
748 if (TEE_PARAM_TYPE_GET(ptypes, 3) != TEE_PARAM_TYPE_NONE)
749 return PKCS11_CKR_ARGUMENTS_BAD;
750
751 switch (step) {
752 case PKCS11_FUNC_STEP_ONESHOT:
753 case PKCS11_FUNC_STEP_UPDATE:
754 case PKCS11_FUNC_STEP_FINAL:
755 break;
756 default:
757 return PKCS11_CKR_GENERAL_ERROR;
758 }
759
760 if (step != PKCS11_FUNC_STEP_FINAL) {
761 rc = input_data_size_is_valid(proc, function, in_size);
762 if (rc)
763 return rc;
764 }
765
766 /*
767 * Feed active operation with data
768 */
769 switch (proc->mecha_type) {
770 case PKCS11_CKM_AES_CMAC:
771 case PKCS11_CKM_MD5_HMAC:
772 case PKCS11_CKM_SHA_1_HMAC:
773 case PKCS11_CKM_SHA224_HMAC:
774 case PKCS11_CKM_SHA256_HMAC:
775 case PKCS11_CKM_SHA384_HMAC:
776 case PKCS11_CKM_SHA512_HMAC:
777 case PKCS11_CKM_AES_CMAC_GENERAL:
778 case PKCS11_CKM_MD5_HMAC_GENERAL:
779 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
780 case PKCS11_CKM_SHA224_HMAC_GENERAL:
781 case PKCS11_CKM_SHA256_HMAC_GENERAL:
782 case PKCS11_CKM_SHA384_HMAC_GENERAL:
783 case PKCS11_CKM_SHA512_HMAC_GENERAL:
784 if (step == PKCS11_FUNC_STEP_FINAL ||
785 step == PKCS11_FUNC_STEP_ONESHOT)
786 break;
787
788 if (!in_buf) {
789 DMSG("No input data");
790 return PKCS11_CKR_ARGUMENTS_BAD;
791 }
792
793 switch (function) {
794 case PKCS11_FUNCTION_SIGN:
795 case PKCS11_FUNCTION_VERIFY:
796 TEE_MACUpdate(proc->tee_op_handle, in_buf, in_size);
797 rc = PKCS11_CKR_OK;
798 break;
799 default:
800 TEE_Panic(function);
801 break;
802 }
803 break;
804
805 case PKCS11_CKM_AES_ECB:
806 case PKCS11_CKM_AES_CBC:
807 case PKCS11_CKM_AES_CTS:
808 case PKCS11_CKM_AES_CTR:
809 if (step == PKCS11_FUNC_STEP_FINAL ||
810 step == PKCS11_FUNC_STEP_ONESHOT)
811 break;
812
813 if (!in_buf) {
814 EMSG("No input data");
815 return PKCS11_CKR_ARGUMENTS_BAD;
816 }
817
818 switch (function) {
819 case PKCS11_FUNCTION_ENCRYPT:
820 case PKCS11_FUNCTION_DECRYPT:
821 res = TEE_CipherUpdate(proc->tee_op_handle,
822 in_buf, in_size,
823 out_buf, &out_size);
824 output_data = true;
825 rc = tee2pkcs_error(res);
826 break;
827 default:
828 TEE_Panic(function);
829 break;
830 }
831 break;
832
833 default:
834 TEE_Panic(proc->mecha_type);
835 break;
836 }
837
838 if (step == PKCS11_FUNC_STEP_UPDATE)
839 goto out;
840
841 /*
842 * Finalize (PKCS11_FUNC_STEP_ONESHOT/_FINAL) operation
843 */
844 switch (session->processing->mecha_type) {
845 case PKCS11_CKM_AES_CMAC:
846 case PKCS11_CKM_MD5_HMAC:
847 case PKCS11_CKM_SHA_1_HMAC:
848 case PKCS11_CKM_SHA224_HMAC:
849 case PKCS11_CKM_SHA256_HMAC:
850 case PKCS11_CKM_SHA384_HMAC:
851 case PKCS11_CKM_SHA512_HMAC:
852 switch (function) {
853 case PKCS11_FUNCTION_SIGN:
854 res = TEE_MACComputeFinal(proc->tee_op_handle,
855 in_buf, in_size, out_buf,
856 &out_size);
857 output_data = true;
858 rc = tee2pkcs_error(res);
859 break;
860 case PKCS11_FUNCTION_VERIFY:
861 rc = input_sign_size_is_valid(proc, in2_size);
862 if (rc)
863 return rc;
864 res = TEE_MACCompareFinal(proc->tee_op_handle,
865 in_buf, in_size, in2_buf,
866 in2_size);
867 rc = tee2pkcs_error(res);
868 break;
869 default:
870 TEE_Panic(function);
871 break;
872 }
873
874 break;
875
876 case PKCS11_CKM_AES_CMAC_GENERAL:
877 case PKCS11_CKM_MD5_HMAC_GENERAL:
878 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
879 case PKCS11_CKM_SHA224_HMAC_GENERAL:
880 case PKCS11_CKM_SHA256_HMAC_GENERAL:
881 case PKCS11_CKM_SHA384_HMAC_GENERAL:
882 case PKCS11_CKM_SHA512_HMAC_GENERAL:
883 assert(session->processing->extra_ctx);
884 hmac_len = *(uint32_t *)session->processing->extra_ctx;
885
886 switch (function) {
887 case PKCS11_FUNCTION_SIGN:
888 if (out_size < hmac_len) {
889 /* inform client of required size */
890 out_size = hmac_len;
891 output_data = true;
892 rc = PKCS11_CKR_BUFFER_TOO_SMALL;
893 goto out;
894 }
895
896 res = TEE_MACComputeFinal(proc->tee_op_handle,
897 in_buf, in_size,
898 computed_mac,
899 &computed_mac_size);
900 if (res == TEE_SUCCESS) {
901 /* truncate to hmac_len */
902 TEE_MemMove(out_buf, computed_mac, hmac_len);
903 output_data = true;
904 }
905
906 /* inform client of required size */
907 out_size = hmac_len;
908 rc = tee2pkcs_error(res);
909 break;
910 case PKCS11_FUNCTION_VERIFY:
911 /* must compute full MAC before comparing partial */
912 res = TEE_MACComputeFinal(proc->tee_op_handle, in_buf,
913 in_size, computed_mac,
914 &computed_mac_size);
915
916 if (!in2_size || in2_size > computed_mac_size) {
917 EMSG("Invalid signature size: %"PRIu32,
918 in2_size);
919 return PKCS11_CKR_SIGNATURE_LEN_RANGE;
920 }
921
922 if (res == TEE_SUCCESS) {
923 /*
924 * Only the first in2_size bytes of the
925 * signature to be verified is passed in from
926 * caller
927 */
928 if (TEE_MemCompare(in2_buf, computed_mac,
929 in2_size)) {
930 res = TEE_ERROR_MAC_INVALID;
931 }
932 }
933
934 rc = tee2pkcs_error(res);
935 break;
936 default:
937 TEE_Panic(function);
938 break;
939 }
940
941 break;
942
943 case PKCS11_CKM_AES_ECB:
944 case PKCS11_CKM_AES_CBC:
945 case PKCS11_CKM_AES_CTS:
946 case PKCS11_CKM_AES_CTR:
947 if (step == PKCS11_FUNC_STEP_ONESHOT && !in_buf) {
948 EMSG("No input data");
949 return PKCS11_CKR_ARGUMENTS_BAD;
950 }
951
952 switch (function) {
953 case PKCS11_FUNCTION_ENCRYPT:
954 case PKCS11_FUNCTION_DECRYPT:
955 res = TEE_CipherDoFinal(proc->tee_op_handle,
956 in_buf, in_size,
957 out_buf, &out_size);
958 output_data = true;
959 rc = tee2pkcs_error(res);
960 break;
961 default:
962 TEE_Panic(function);
963 break;
964 }
965 break;
966 default:
967 TEE_Panic(proc->mecha_type);
968 break;
969 }
970
971 out:
972 if (output_data &&
973 (rc == PKCS11_CKR_OK || rc == PKCS11_CKR_BUFFER_TOO_SMALL)) {
974 switch (TEE_PARAM_TYPE_GET(ptypes, 2)) {
975 case TEE_PARAM_TYPE_MEMREF_OUTPUT:
976 case TEE_PARAM_TYPE_MEMREF_INOUT:
977 params[2].memref.size = out_size;
978 break;
979 default:
980 rc = PKCS11_CKR_ARGUMENTS_BAD;
981 break;
982 }
983 }
984
985 return rc;
986 }
987
derive_key_by_symm_enc(struct pkcs11_session * session,void ** out_buf,uint32_t * out_size)988 enum pkcs11_rc derive_key_by_symm_enc(struct pkcs11_session *session,
989 void **out_buf, uint32_t *out_size)
990 {
991 enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR;
992 TEE_Result res = TEE_ERROR_GENERIC;
993 struct active_processing *proc = session->processing;
994 struct input_data_ref *input = proc->extra_ctx;
995 void *in_buf = NULL;
996 void *dest_buf = NULL;
997 uint32_t in_size = 0;
998
999 switch (proc->mecha_type) {
1000 case PKCS11_CKM_AES_ECB_ENCRYPT_DATA:
1001 case PKCS11_CKM_AES_CBC_ENCRYPT_DATA:
1002 if (!proc->extra_ctx)
1003 return PKCS11_CKR_ARGUMENTS_BAD;
1004
1005 in_buf = input->data;
1006 in_size = input->size;
1007
1008 *out_size = in_size;
1009 dest_buf = TEE_Malloc(*out_size, 0);
1010 if (!dest_buf)
1011 return PKCS11_CKR_DEVICE_MEMORY;
1012
1013 res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_size,
1014 dest_buf, out_size);
1015 rc = tee2pkcs_error(res);
1016 if (rc) {
1017 TEE_Free(dest_buf);
1018 return rc;
1019 }
1020
1021 *out_buf = dest_buf;
1022 break;
1023 default:
1024 return PKCS11_CKR_MECHANISM_INVALID;
1025 }
1026
1027 return rc;
1028 }
1029
wrap_data_by_symm_enc(struct pkcs11_session * session,void * data,uint32_t data_sz,void * out_buf,uint32_t * out_sz)1030 enum pkcs11_rc wrap_data_by_symm_enc(struct pkcs11_session *session,
1031 void *data, uint32_t data_sz,
1032 void *out_buf, uint32_t *out_sz)
1033 {
1034 TEE_Result res = TEE_ERROR_GENERIC;
1035 struct active_processing *proc = session->processing;
1036 void *in_buf = NULL;
1037 uint32_t align = 0;
1038 uint32_t in_sz = data_sz;
1039 uint32_t tmp_sz = *out_sz;
1040 uint8_t *tmp_buf = out_buf;
1041
1042 switch (proc->mecha_type) {
1043 case PKCS11_CKM_AES_ECB:
1044 case PKCS11_CKM_AES_CBC:
1045 align = data_sz % TEE_AES_BLOCK_SIZE;
1046 if (align)
1047 in_sz = data_sz + (TEE_AES_BLOCK_SIZE - align);
1048
1049 if (*out_sz < in_sz) {
1050 *out_sz = in_sz;
1051 return PKCS11_CKR_BUFFER_TOO_SMALL;
1052 }
1053
1054 if (align) {
1055 if (data_sz > TEE_AES_BLOCK_SIZE) {
1056 in_sz = data_sz - align;
1057 res = TEE_CipherUpdate(proc->tee_op_handle,
1058 data, in_sz, tmp_buf,
1059 &tmp_sz);
1060 if (res) {
1061 assert(res != TEE_ERROR_SHORT_BUFFER);
1062 return tee2pkcs_error(res);
1063 }
1064 tmp_buf += tmp_sz;
1065 tmp_sz = *out_sz - tmp_sz;
1066 } else {
1067 in_sz = 0;
1068 }
1069
1070 in_buf = TEE_Malloc(TEE_AES_BLOCK_SIZE,
1071 TEE_MALLOC_FILL_ZERO);
1072 if (!in_buf)
1073 return PKCS11_CKR_DEVICE_MEMORY;
1074
1075 TEE_MemMove(in_buf, (uint8_t *)data + in_sz, align);
1076 in_sz = TEE_AES_BLOCK_SIZE;
1077 } else {
1078 in_buf = data;
1079 in_sz = data_sz;
1080 }
1081
1082 res = TEE_CipherDoFinal(proc->tee_op_handle, in_buf, in_sz,
1083 tmp_buf, &tmp_sz);
1084 if (res == TEE_SUCCESS || res == TEE_ERROR_SHORT_BUFFER) {
1085 *out_sz = tmp_sz;
1086 if (align)
1087 *out_sz += tmp_buf - (uint8_t *)out_buf;
1088 }
1089
1090 if (align)
1091 TEE_Free(in_buf);
1092
1093 return tee2pkcs_error(res);
1094 default:
1095 return PKCS11_CKR_MECHANISM_INVALID;
1096 }
1097
1098 return PKCS11_CKR_GENERAL_ERROR;
1099 }
1100
unwrap_key_by_symm(struct pkcs11_session * session,void * data,uint32_t data_sz,void ** out_buf,uint32_t * out_sz)1101 enum pkcs11_rc unwrap_key_by_symm(struct pkcs11_session *session, void *data,
1102 uint32_t data_sz, void **out_buf,
1103 uint32_t *out_sz)
1104 {
1105 TEE_Result res = TEE_ERROR_GENERIC;
1106 struct active_processing *proc = session->processing;
1107
1108 if (input_data_size_is_valid(proc, PKCS11_FUNCTION_DECRYPT, data_sz))
1109 return PKCS11_CKR_WRAPPED_KEY_LEN_RANGE;
1110
1111 switch (proc->mecha_type) {
1112 case PKCS11_CKM_AES_ECB:
1113 case PKCS11_CKM_AES_CBC:
1114 *out_sz = 0;
1115 res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz,
1116 NULL, out_sz);
1117 if (res != TEE_ERROR_SHORT_BUFFER) {
1118 DMSG("TEE_CipherDoFinal() issue: %#"PRIx32, res);
1119 return PKCS11_CKR_GENERAL_ERROR;
1120 }
1121
1122 *out_buf = TEE_Malloc(*out_sz, TEE_MALLOC_FILL_ZERO);
1123 if (!*out_buf)
1124 return PKCS11_CKR_DEVICE_MEMORY;
1125
1126 res = TEE_CipherDoFinal(proc->tee_op_handle, data, data_sz,
1127 *out_buf, out_sz);
1128 if (tee2pkcs_error(res)) {
1129 TEE_Free(*out_buf);
1130 *out_buf = NULL;
1131 return PKCS11_CKR_WRAPPED_KEY_INVALID;
1132 }
1133 break;
1134 default:
1135 return PKCS11_CKR_MECHANISM_INVALID;
1136 }
1137
1138 return PKCS11_CKR_OK;
1139 }
1140