2 * Copyright (c) 2014, Linaro Limited
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 * POSSIBILITY OF SUCH DAMAGE.
29 #include <tee/tee_cryp_provider.h>
30 #include <tee/tee_cryp_utl.h>
36 #include <utee_defines.h>
38 #include <tee_api_types.h>
39 #include <string_ext.h>
41 #include <kernel/panic.h>
42 #include "tomcrypt_mpa.h"
44 #if defined(CFG_WITH_VFP)
45 #include <tomcrypt_arm_neon.h>
46 #include <kernel/thread.h>
49 #if !defined(CFG_WITH_SOFTWARE_PRNG)
51 /* Random generator */
52 static int prng_mpa_start(union Prng_state *prng __unused)
57 static int prng_mpa_add_entropy(const unsigned char *in __unused,
58 unsigned long inlen __unused,
59 union Prng_state *prng __unused)
61 /* No entropy is required */
65 static int prng_mpa_ready(union Prng_state *prng __unused)
70 static unsigned long prng_mpa_read(unsigned char *out, unsigned long outlen,
71 union Prng_state *prng __unused)
73 if (TEE_SUCCESS == get_rng_array(out, outlen))
79 static int prng_mpa_done(union Prng_state *prng __unused)
84 static int prng_mpa_export(unsigned char *out __unused,
85 unsigned long *outlen __unused,
86 union Prng_state *prng __unused)
91 static int prng_mpa_import(const unsigned char *in __unused,
92 unsigned long inlen __unused,
93 union Prng_state *prng __unused)
98 static int prng_mpa_test(void)
103 static const struct ltc_prng_descriptor prng_mpa_desc = {
106 .start = &prng_mpa_start,
107 .add_entropy = &prng_mpa_add_entropy,
108 .ready = &prng_mpa_ready,
109 .read = &prng_mpa_read,
110 .done = &prng_mpa_done,
111 .pexport = &prng_mpa_export,
112 .pimport = &prng_mpa_import,
113 .test = &prng_mpa_test,
116 #endif /* !CFG_WITH_SOFTWARE_PRNG */
118 struct tee_ltc_prng {
125 static struct tee_ltc_prng _tee_ltc_prng =
126 #if defined(CFG_WITH_SOFTWARE_PRNG)
128 #if defined(_CFG_CRYPTO_WITH_FORTUNA_PRNG)
132 * we need AES and SHA256 for fortuna PRNG,
133 * if the system configuration can't provide those,
145 static struct tee_ltc_prng *tee_ltc_get_prng(void)
147 return &_tee_ltc_prng;
150 static TEE_Result tee_ltc_prng_init(struct tee_ltc_prng *prng)
157 prng_index = find_prng(prng->name);
158 if (prng_index == -1)
159 return TEE_ERROR_BAD_PARAMETERS;
162 res = prng_descriptor[prng_index]->start(&prng->state);
164 return TEE_ERROR_BAD_STATE;
166 res = prng_descriptor[prng_index]->ready(&prng->state);
168 return TEE_ERROR_BAD_STATE;
172 prng->index = prng_index;
174 plat_prng_add_jitter_entropy();
180 * tee_ltc_reg_algs(): Registers
183 * - prng (pseudo random generator)
186 static void tee_ltc_reg_algs(void)
188 #if defined(CFG_CRYPTO_AES)
189 register_cipher(&aes_desc);
191 #if defined(CFG_CRYPTO_DES)
192 register_cipher(&des_desc);
193 register_cipher(&des3_desc);
195 #if defined(CFG_CRYPTO_MD5)
196 register_hash(&md5_desc);
198 #if defined(CFG_CRYPTO_SHA1)
199 register_hash(&sha1_desc);
201 #if defined(CFG_CRYPTO_SHA224)
202 register_hash(&sha224_desc);
204 #if defined(CFG_CRYPTO_SHA256)
205 register_hash(&sha256_desc);
207 #if defined(CFG_CRYPTO_SHA384)
208 register_hash(&sha384_desc);
210 #if defined(CFG_CRYPTO_SHA512)
211 register_hash(&sha512_desc);
214 #if defined(CFG_WITH_SOFTWARE_PRNG)
215 #if defined(_CFG_CRYPTO_WITH_FORTUNA_PRNG)
216 register_prng(&fortuna_desc);
218 register_prng(&rc4_desc);
221 register_prng(&prng_mpa_desc);
226 #if defined(_CFG_CRYPTO_WITH_HASH) || defined(CFG_CRYPTO_RSA) || \
227 defined(CFG_CRYPTO_HMAC)
230 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo"
232 * - TEE_SUCCESS in case of success,
233 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo
234 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC
235 * Return -1 in case of error
237 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex)
240 #if defined(CFG_CRYPTO_SHA1)
241 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
242 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
243 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1:
245 case TEE_ALG_DSA_SHA1:
246 case TEE_ALG_HMAC_SHA1:
247 *ltc_hashindex = find_hash("sha1");
250 #if defined(CFG_CRYPTO_MD5)
251 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
253 case TEE_ALG_HMAC_MD5:
254 *ltc_hashindex = find_hash("md5");
257 #if defined(CFG_CRYPTO_SHA224)
258 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
259 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
260 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224:
262 case TEE_ALG_DSA_SHA224:
263 case TEE_ALG_HMAC_SHA224:
264 *ltc_hashindex = find_hash("sha224");
267 #if defined(CFG_CRYPTO_SHA256)
268 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
269 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
270 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256:
272 case TEE_ALG_DSA_SHA256:
273 case TEE_ALG_HMAC_SHA256:
274 *ltc_hashindex = find_hash("sha256");
277 #if defined(CFG_CRYPTO_SHA384)
278 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
279 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
280 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384:
282 case TEE_ALG_HMAC_SHA384:
283 *ltc_hashindex = find_hash("sha384");
286 #if defined(CFG_CRYPTO_SHA512)
287 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
288 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
289 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512:
291 case TEE_ALG_HMAC_SHA512:
292 *ltc_hashindex = find_hash("sha512");
295 case TEE_ALG_RSAES_PKCS1_V1_5:
296 /* invalid one. but it should not be used anyway */
301 return TEE_ERROR_BAD_PARAMETERS;
304 if (*ltc_hashindex < 0)
305 return TEE_ERROR_NOT_SUPPORTED;
309 #endif /* defined(_CFG_CRYPTO_WITH_HASH) ||
310 defined(_CFG_CRYPTO_WITH_ACIPHER) || defined(_CFG_CRYPTO_WITH_MAC) */
312 #if defined(_CFG_CRYPTO_WITH_CIPHER) || defined(_CFG_CRYPTO_WITH_MAC) || \
313 defined(_CFG_CRYPTO_WITH_AUTHENC)
315 * Compute the LibTomCrypt "cipherindex" given a TEE Algorithm "algo"
317 * - TEE_SUCCESS in case of success,
318 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo
319 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC
320 * Return -1 in case of error
322 static TEE_Result tee_algo_to_ltc_cipherindex(uint32_t algo,
323 int *ltc_cipherindex)
326 #if defined(CFG_CRYPTO_AES)
327 case TEE_ALG_AES_CBC_MAC_NOPAD:
328 case TEE_ALG_AES_CBC_MAC_PKCS5:
329 case TEE_ALG_AES_CMAC:
330 case TEE_ALG_AES_ECB_NOPAD:
331 case TEE_ALG_AES_CBC_NOPAD:
332 case TEE_ALG_AES_CTR:
333 case TEE_ALG_AES_CTS:
334 case TEE_ALG_AES_XTS:
335 case TEE_ALG_AES_CCM:
336 case TEE_ALG_AES_GCM:
337 *ltc_cipherindex = find_cipher("aes");
340 #if defined(CFG_CRYPTO_DES)
341 case TEE_ALG_DES_CBC_MAC_NOPAD:
342 case TEE_ALG_DES_CBC_MAC_PKCS5:
343 case TEE_ALG_DES_ECB_NOPAD:
344 case TEE_ALG_DES_CBC_NOPAD:
345 *ltc_cipherindex = find_cipher("des");
348 case TEE_ALG_DES3_CBC_MAC_NOPAD:
349 case TEE_ALG_DES3_CBC_MAC_PKCS5:
350 case TEE_ALG_DES3_ECB_NOPAD:
351 case TEE_ALG_DES3_CBC_NOPAD:
352 *ltc_cipherindex = find_cipher("3des");
356 return TEE_ERROR_BAD_PARAMETERS;
359 if (*ltc_cipherindex < 0)
360 return TEE_ERROR_NOT_SUPPORTED;
364 #endif /* defined(_CFG_CRYPTO_WITH_CIPHER) ||
365 defined(_CFG_CRYPTO_WITH_HASH) || defined(_CFG_CRYPTO_WITH_AUTHENC) */
367 /******************************************************************************
368 * Message digest functions
369 ******************************************************************************/
371 #if defined(_CFG_CRYPTO_WITH_HASH)
373 static TEE_Result hash_get_ctx_size(uint32_t algo, size_t *size)
376 #if defined(CFG_CRYPTO_MD5)
379 #if defined(CFG_CRYPTO_SHA1)
382 #if defined(CFG_CRYPTO_SHA224)
385 #if defined(CFG_CRYPTO_SHA256)
388 #if defined(CFG_CRYPTO_SHA384)
391 #if defined(CFG_CRYPTO_SHA512)
394 *size = sizeof(hash_state);
397 return TEE_ERROR_NOT_SUPPORTED;
403 static TEE_Result hash_init(void *ctx, uint32_t algo)
408 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
409 if (ltc_res != TEE_SUCCESS)
410 return TEE_ERROR_NOT_SUPPORTED;
412 if (hash_descriptor[ltc_hashindex]->init(ctx) == CRYPT_OK)
415 return TEE_ERROR_BAD_STATE;
418 static TEE_Result hash_update(void *ctx, uint32_t algo,
419 const uint8_t *data, size_t len)
424 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
425 if (ltc_res != TEE_SUCCESS)
426 return TEE_ERROR_NOT_SUPPORTED;
428 if (hash_descriptor[ltc_hashindex]->process(ctx, data, len) == CRYPT_OK)
431 return TEE_ERROR_BAD_STATE;
434 static TEE_Result hash_final(void *ctx, uint32_t algo, uint8_t *digest,
440 uint8_t block_digest[TEE_MAX_HASH_SIZE];
443 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
444 if (ltc_res != TEE_SUCCESS)
445 return TEE_ERROR_NOT_SUPPORTED;
448 return TEE_ERROR_BAD_PARAMETERS;
450 hash_size = hash_descriptor[ltc_hashindex]->hashsize;
452 if (hash_size > len) {
453 if (hash_size > sizeof(block_digest))
454 return TEE_ERROR_BAD_STATE;
455 tmp_digest = block_digest; /* use a tempory buffer */
459 if (hash_descriptor[ltc_hashindex]->done(ctx, tmp_digest) == CRYPT_OK) {
461 memcpy(digest, tmp_digest, len);
463 return TEE_ERROR_BAD_STATE;
469 #endif /* _CFG_CRYPTO_WITH_HASH */
471 /******************************************************************************
472 * Asymmetric algorithms
473 ******************************************************************************/
475 #if defined(_CFG_CRYPTO_WITH_ACIPHER)
477 #define LTC_MAX_BITS_PER_VARIABLE (4096)
478 #define LTC_VARIABLE_NUMBER (50)
480 #define LTC_MEMPOOL_U32_SIZE \
481 mpa_scratch_mem_size_in_U32(LTC_VARIABLE_NUMBER, \
482 LTC_MAX_BITS_PER_VARIABLE)
484 #if defined(CFG_WITH_PAGER)
485 #include <mm/tee_pager.h>
487 #include <mm/core_mmu.h>
489 static uint32_t *_ltc_mempool_u32;
491 /* allocate pageable_zi vmem for mpa scratch memory pool */
492 static mpa_scratch_mem get_mpa_scratch_memory_pool(size_t *size_pool)
496 *size_pool = ROUNDUP((LTC_MEMPOOL_U32_SIZE * sizeof(uint32_t)),
498 _ltc_mempool_u32 = tee_pager_alloc(*size_pool, 0);
499 if (!_ltc_mempool_u32)
501 pool = (void *)_ltc_mempool_u32;
502 return (mpa_scratch_mem)pool;
505 /* release unused pageable_zi vmem */
506 static void release_unused_mpa_scratch_memory(void)
508 mpa_scratch_mem pool = (mpa_scratch_mem)_ltc_mempool_u32;
509 struct mpa_scratch_item *item;
513 /* we never free the header */
514 if (pool->last_offset) {
515 item = (struct mpa_scratch_item *)
516 ((vaddr_t)pool + pool->last_offset);
517 start = (vaddr_t)item + item->size;
519 start = (vaddr_t)pool + sizeof(struct mpa_scratch_mem_struct);
521 end = (vaddr_t)pool + pool->size;
522 start = ROUNDUP(start, SMALL_PAGE_SIZE);
523 end = ROUNDDOWN(end, SMALL_PAGE_SIZE);
526 tee_pager_release_phys((void *)start, end - start);
528 #else /* CFG_WITH_PAGER */
530 static uint32_t _ltc_mempool_u32[LTC_MEMPOOL_U32_SIZE]
531 __aligned(__alignof__(mpa_scratch_mem_base));
533 static mpa_scratch_mem get_mpa_scratch_memory_pool(size_t *size_pool)
535 void *pool = (void *)_ltc_mempool_u32;
537 *size_pool = sizeof(_ltc_mempool_u32);
538 return (mpa_scratch_mem)pool;
541 static void release_unused_mpa_scratch_memory(void)
543 /* nothing to do in non-pager mode */
548 static void pool_postactions(void)
550 mpa_scratch_mem pool = (void *)_ltc_mempool_u32;
552 if (pool->last_offset)
553 panic("release issue in mpa scratch memory");
554 release_unused_mpa_scratch_memory();
557 #if defined(CFG_LTC_OPTEE_THREAD)
558 #include <kernel/thread.h>
559 static struct mpa_scratch_mem_sync {
565 .mu = MUTEX_INITIALIZER,
566 .cv = CONDVAR_INITIALIZER,
567 .owner = THREAD_ID_INVALID,
569 #elif defined(LTC_PTHREAD)
572 static struct mpa_scratch_mem_sync {
577 /* Get exclusive access to scratch memory pool */
578 #if defined(CFG_LTC_OPTEE_THREAD)
579 static void get_pool(struct mpa_scratch_mem_sync *sync)
581 mutex_lock(&sync->mu);
583 if (sync->owner != thread_get_id()) {
584 /* Wait until the pool is available */
585 while (sync->owner != THREAD_ID_INVALID)
586 condvar_wait(&sync->cv, &sync->mu);
588 sync->owner = thread_get_id();
589 assert(sync->count == 0);
594 mutex_unlock(&sync->mu);
597 /* Put (release) exclusive access to scratch memory pool */
598 static void put_pool(struct mpa_scratch_mem_sync *sync)
600 mutex_lock(&sync->mu);
602 assert(sync->owner == thread_get_id());
603 assert(sync->count > 0);
607 sync->owner = THREAD_ID_INVALID;
608 condvar_signal(&sync->cv);
612 mutex_unlock(&sync->mu);
614 #elif defined(LTC_PTHREAD)
617 static void get_pool(struct mpa_scratch_mem_sync *sync)
622 /* Put (release) exclusive access to scratch memory pool */
623 static void put_pool(struct mpa_scratch_mem_sync *sync)
631 static void tee_ltc_alloc_mpa(void)
633 mpa_scratch_mem pool;
636 pool = get_mpa_scratch_memory_pool(&size_pool);
637 init_mpa_tomcrypt(pool);
638 mpa_init_scratch_mem_sync(pool, size_pool, LTC_MAX_BITS_PER_VARIABLE,
639 get_pool, put_pool, &pool_sync);
641 mpa_set_random_generator(crypto_ops.prng.read);
644 static size_t num_bytes(struct bignum *a)
646 return mp_unsigned_bin_size(a);
649 static size_t num_bits(struct bignum *a)
651 return mp_count_bits(a);
654 static int32_t compare(struct bignum *a, struct bignum *b)
659 static void bn2bin(const struct bignum *from, uint8_t *to)
661 mp_to_unsigned_bin((struct bignum *)from, to);
664 static TEE_Result bin2bn(const uint8_t *from, size_t fromsize,
667 if (mp_read_unsigned_bin(to, (uint8_t *)from, fromsize) != CRYPT_OK)
668 return TEE_ERROR_BAD_PARAMETERS;
672 static void copy(struct bignum *to, const struct bignum *from)
674 mp_copy((void *)from, to);
677 static struct bignum *bn_allocate(size_t size_bits)
679 size_t sz = mpa_StaticVarSizeInU32(size_bits) * sizeof(uint32_t);
680 struct mpa_numbase_struct *bn = calloc(1, sz);
684 bn->alloc = sz - MPA_NUMBASE_METADATA_SIZE_IN_U32 * sizeof(uint32_t);
685 return (struct bignum *)bn;
688 static void bn_free(struct bignum *s)
693 static void bn_clear(struct bignum *s)
695 struct mpa_numbase_struct *bn = (struct mpa_numbase_struct *)s;
697 /* despite mpa_numbase_struct description, 'alloc' field a byte size */
698 memset(bn->d, 0, bn->alloc);
701 static bool bn_alloc_max(struct bignum **s)
703 size_t sz = mpa_StaticVarSizeInU32(LTC_MAX_BITS_PER_VARIABLE) *
704 sizeof(uint32_t) * 8;
706 *s = bn_allocate(sz);
710 #if defined(CFG_CRYPTO_RSA)
712 static TEE_Result alloc_rsa_keypair(struct rsa_keypair *s,
713 size_t key_size_bits __unused)
715 memset(s, 0, sizeof(*s));
716 if (!bn_alloc_max(&s->e)) {
717 return TEE_ERROR_OUT_OF_MEMORY;
719 if (!bn_alloc_max(&s->d))
721 if (!bn_alloc_max(&s->n))
723 if (!bn_alloc_max(&s->p))
725 if (!bn_alloc_max(&s->q))
727 if (!bn_alloc_max(&s->qp))
729 if (!bn_alloc_max(&s->dp))
731 if (!bn_alloc_max(&s->dq))
744 return TEE_ERROR_OUT_OF_MEMORY;
747 static TEE_Result alloc_rsa_public_key(struct rsa_public_key *s,
748 size_t key_size_bits __unused)
750 memset(s, 0, sizeof(*s));
751 if (!bn_alloc_max(&s->e)) {
752 return TEE_ERROR_OUT_OF_MEMORY;
754 if (!bn_alloc_max(&s->n))
759 return TEE_ERROR_OUT_OF_MEMORY;
762 static void free_rsa_public_key(struct rsa_public_key *s)
770 static TEE_Result gen_rsa_key(struct rsa_keypair *key, size_t key_size)
776 struct tee_ltc_prng *prng = tee_ltc_get_prng();
778 /* get the public exponent */
779 e = mp_get_int(key->e);
781 /* Generate a temporary RSA key */
782 ltc_res = rsa_make_key(&prng->state, prng->index, key_size/8, e,
784 if (ltc_res != CRYPT_OK) {
785 res = TEE_ERROR_BAD_PARAMETERS;
786 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) {
787 rsa_free(<c_tmp_key);
788 res = TEE_ERROR_BAD_PARAMETERS;
791 ltc_mp.copy(ltc_tmp_key.e, key->e);
792 ltc_mp.copy(ltc_tmp_key.d, key->d);
793 ltc_mp.copy(ltc_tmp_key.N, key->n);
794 ltc_mp.copy(ltc_tmp_key.p, key->p);
795 ltc_mp.copy(ltc_tmp_key.q, key->q);
796 ltc_mp.copy(ltc_tmp_key.qP, key->qp);
797 ltc_mp.copy(ltc_tmp_key.dP, key->dp);
798 ltc_mp.copy(ltc_tmp_key.dQ, key->dq);
800 /* Free the temporary key */
801 rsa_free(<c_tmp_key);
809 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src,
810 size_t src_len, uint8_t *dst, size_t *dst_len)
812 TEE_Result res = TEE_SUCCESS;
814 unsigned long blen, offset;
818 * Use a temporary buffer since we don't know exactly how large the
819 * required size of the out buffer without doing a partial decrypt.
820 * We know the upper bound though.
822 blen = (mpa_StaticTempVarSizeInU32(LTC_MAX_BITS_PER_VARIABLE)) *
826 res = TEE_ERROR_OUT_OF_MEMORY;
830 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type,
833 case CRYPT_PK_NOT_PRIVATE:
834 case CRYPT_PK_INVALID_TYPE:
835 case CRYPT_PK_INVALID_SIZE:
836 case CRYPT_INVALID_PACKET:
837 EMSG("rsa_exptmod() returned %d\n", ltc_res);
838 res = TEE_ERROR_BAD_PARAMETERS;
843 /* This will result in a panic */
844 EMSG("rsa_exptmod() returned %d\n", ltc_res);
845 res = TEE_ERROR_GENERIC;
849 /* Remove the zero-padding (leave one zero if buff is all zeroes) */
851 while ((offset < blen - 1) && (buf[offset] == 0))
854 if (*dst_len < blen - offset) {
855 *dst_len = blen - offset;
856 res = TEE_ERROR_SHORT_BUFFER;
861 *dst_len = blen - offset;
862 memcpy(dst, (char *)buf + offset, *dst_len);
871 static TEE_Result rsanopad_encrypt(struct rsa_public_key *key,
872 const uint8_t *src, size_t src_len,
873 uint8_t *dst, size_t *dst_len)
876 rsa_key ltc_key = { 0, };
878 ltc_key.type = PK_PUBLIC;
882 res = rsadorep(<c_key, src, src_len, dst, dst_len);
886 static TEE_Result rsanopad_decrypt(struct rsa_keypair *key,
887 const uint8_t *src, size_t src_len,
888 uint8_t *dst, size_t *dst_len)
891 rsa_key ltc_key = { 0, };
893 ltc_key.type = PK_PRIVATE;
897 if (key->p && num_bytes(key->p)) {
900 ltc_key.qP = key->qp;
901 ltc_key.dP = key->dp;
902 ltc_key.dQ = key->dq;
905 res = rsadorep(<c_key, src, src_len, dst, dst_len);
909 static TEE_Result rsaes_decrypt(uint32_t algo, struct rsa_keypair *key,
910 const uint8_t *label, size_t label_len,
911 const uint8_t *src, size_t src_len,
912 uint8_t *dst, size_t *dst_len)
914 TEE_Result res = TEE_SUCCESS;
917 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo;
919 rsa_key ltc_key = { 0, };
921 ltc_key.type = PK_PRIVATE;
925 if (key->p && num_bytes(key->p)) {
928 ltc_key.qP = key->qp;
929 ltc_key.dP = key->dp;
930 ltc_key.dQ = key->dq;
933 /* Get the algorithm */
934 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
935 if (res != TEE_SUCCESS) {
936 EMSG("tee_algo_to_ltc_hashindex() returned %d\n", (int)res);
941 * Use a temporary buffer since we don't know exactly how large
942 * the required size of the out buffer without doing a partial
943 * decrypt. We know the upper bound though.
945 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) {
946 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
947 blen = mod_size - 11;
948 ltc_rsa_algo = LTC_PKCS_1_V1_5;
950 /* Decoded message is always shorter than encrypted message */
952 ltc_rsa_algo = LTC_PKCS_1_OAEP;
957 res = TEE_ERROR_OUT_OF_MEMORY;
961 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen,
962 ((label_len == 0) ? 0 : label), label_len,
963 ltc_hashindex, ltc_rsa_algo, <c_stat,
966 case CRYPT_PK_INVALID_PADDING:
967 case CRYPT_INVALID_PACKET:
968 case CRYPT_PK_INVALID_SIZE:
969 EMSG("rsa_decrypt_key_ex() returned %d\n", ltc_res);
970 res = TEE_ERROR_BAD_PARAMETERS;
975 /* This will result in a panic */
976 EMSG("rsa_decrypt_key_ex() returned %d\n", ltc_res);
977 res = TEE_ERROR_GENERIC;
981 /* This will result in a panic */
982 EMSG("rsa_decrypt_key_ex() returned %d and %d\n",
984 res = TEE_ERROR_GENERIC;
988 if (*dst_len < blen) {
990 res = TEE_ERROR_SHORT_BUFFER;
996 memcpy(dst, buf, blen);
1005 static TEE_Result rsaes_encrypt(uint32_t algo, struct rsa_public_key *key,
1006 const uint8_t *label, size_t label_len,
1007 const uint8_t *src, size_t src_len,
1008 uint8_t *dst, size_t *dst_len)
1012 int ltc_hashindex, ltc_res, ltc_rsa_algo;
1018 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1020 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
1021 if (*dst_len < mod_size) {
1022 *dst_len = mod_size;
1023 res = TEE_ERROR_SHORT_BUFFER;
1026 *dst_len = mod_size;
1028 /* Get the algorithm */
1029 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
1030 if (res != TEE_SUCCESS)
1033 if (algo == TEE_ALG_RSAES_PKCS1_V1_5)
1034 ltc_rsa_algo = LTC_PKCS_1_V1_5;
1036 ltc_rsa_algo = LTC_PKCS_1_OAEP;
1038 ltc_res = rsa_encrypt_key_ex(src, src_len, dst,
1039 (unsigned long *)(dst_len), label,
1040 label_len, &prng->state, prng->index,
1041 ltc_hashindex, ltc_rsa_algo, <c_key);
1043 case CRYPT_PK_INVALID_PADDING:
1044 case CRYPT_INVALID_PACKET:
1045 case CRYPT_PK_INVALID_SIZE:
1046 EMSG("rsa_encrypt_key_ex() returned %d\n", ltc_res);
1047 res = TEE_ERROR_BAD_PARAMETERS;
1052 /* This will result in a panic */
1053 res = TEE_ERROR_GENERIC;
1062 static TEE_Result rsassa_sign(uint32_t algo, struct rsa_keypair *key,
1063 int salt_len, const uint8_t *msg,
1064 size_t msg_len, uint8_t *sig,
1068 size_t hash_size, mod_size;
1069 int ltc_res, ltc_rsa_algo, ltc_hashindex;
1070 unsigned long ltc_sig_len;
1071 rsa_key ltc_key = { 0, };
1072 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1074 ltc_key.type = PK_PRIVATE;
1078 if (key->p && num_bytes(key->p)) {
1081 ltc_key.qP = key->qp;
1082 ltc_key.dP = key->dp;
1083 ltc_key.dQ = key->dq;
1087 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
1088 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
1089 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
1090 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
1091 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
1092 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
1093 ltc_rsa_algo = LTC_PKCS_1_V1_5;
1095 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
1096 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
1097 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
1098 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
1099 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
1100 ltc_rsa_algo = LTC_PKCS_1_PSS;
1103 res = TEE_ERROR_BAD_PARAMETERS;
1107 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
1108 if (ltc_res != CRYPT_OK) {
1109 res = TEE_ERROR_BAD_PARAMETERS;
1113 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
1115 if (res != TEE_SUCCESS)
1118 if (msg_len != hash_size) {
1119 res = TEE_ERROR_BAD_PARAMETERS;
1123 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
1125 if (*sig_len < mod_size) {
1126 *sig_len = mod_size;
1127 res = TEE_ERROR_SHORT_BUFFER;
1131 ltc_sig_len = mod_size;
1133 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len,
1134 ltc_rsa_algo, &prng->state, prng->index,
1135 ltc_hashindex, salt_len, <c_key);
1137 *sig_len = ltc_sig_len;
1139 if (ltc_res != CRYPT_OK) {
1140 res = TEE_ERROR_BAD_PARAMETERS;
1149 static TEE_Result rsassa_verify(uint32_t algo, struct rsa_public_key *key,
1150 int salt_len, const uint8_t *msg,
1151 size_t msg_len, const uint8_t *sig,
1155 uint32_t bigint_size;
1157 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo;
1164 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
1166 if (res != TEE_SUCCESS)
1169 if (msg_len != hash_size) {
1170 res = TEE_ERROR_BAD_PARAMETERS;
1174 bigint_size = ltc_mp.unsigned_size(ltc_key.N);
1175 if (sig_len < bigint_size) {
1176 res = TEE_ERROR_SIGNATURE_INVALID;
1180 /* Get the algorithm */
1181 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
1182 if (res != TEE_SUCCESS)
1186 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
1187 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
1188 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
1189 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
1190 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
1191 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
1192 ltc_rsa_algo = LTC_PKCS_1_V1_5;
1194 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
1195 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
1196 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
1197 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
1198 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
1199 ltc_rsa_algo = LTC_PKCS_1_PSS;
1202 res = TEE_ERROR_BAD_PARAMETERS;
1206 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo,
1207 ltc_hashindex, salt_len, &stat, <c_key);
1208 if ((ltc_res != CRYPT_OK) || (stat != 1)) {
1209 res = TEE_ERROR_SIGNATURE_INVALID;
1218 #endif /* CFG_CRYPTO_RSA */
1220 #if defined(CFG_CRYPTO_DSA)
1222 static TEE_Result alloc_dsa_keypair(struct dsa_keypair *s,
1223 size_t key_size_bits __unused)
1225 memset(s, 0, sizeof(*s));
1226 if (!bn_alloc_max(&s->g)) {
1227 return TEE_ERROR_OUT_OF_MEMORY;
1230 if (!bn_alloc_max(&s->p))
1232 if (!bn_alloc_max(&s->q))
1234 if (!bn_alloc_max(&s->y))
1236 if (!bn_alloc_max(&s->x))
1244 return TEE_ERROR_OUT_OF_MEMORY;
1247 static TEE_Result alloc_dsa_public_key(struct dsa_public_key *s,
1248 size_t key_size_bits __unused)
1250 memset(s, 0, sizeof(*s));
1251 if (!bn_alloc_max(&s->g)) {
1252 return TEE_ERROR_OUT_OF_MEMORY;
1255 if (!bn_alloc_max(&s->p))
1257 if (!bn_alloc_max(&s->q))
1259 if (!bn_alloc_max(&s->y))
1266 return TEE_ERROR_OUT_OF_MEMORY;
1269 static TEE_Result gen_dsa_key(struct dsa_keypair *key, size_t key_size)
1272 dsa_key ltc_tmp_key;
1273 size_t group_size, modulus_size = key_size/8;
1275 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1277 if (modulus_size <= 128)
1279 else if (modulus_size <= 256)
1281 else if (modulus_size <= 384)
1286 /* Generate the DSA key */
1287 ltc_res = dsa_make_key(&prng->state, prng->index, group_size,
1288 modulus_size, <c_tmp_key);
1289 if (ltc_res != CRYPT_OK) {
1290 res = TEE_ERROR_BAD_PARAMETERS;
1291 } else if ((size_t)mp_count_bits(ltc_tmp_key.p) != key_size) {
1292 dsa_free(<c_tmp_key);
1293 res = TEE_ERROR_BAD_PARAMETERS;
1296 ltc_mp.copy(ltc_tmp_key.g, key->g);
1297 ltc_mp.copy(ltc_tmp_key.p, key->p);
1298 ltc_mp.copy(ltc_tmp_key.q, key->q);
1299 ltc_mp.copy(ltc_tmp_key.y, key->y);
1300 ltc_mp.copy(ltc_tmp_key.x, key->x);
1302 /* Free the tempory key */
1303 dsa_free(<c_tmp_key);
1309 static TEE_Result dsa_sign(uint32_t algo, struct dsa_keypair *key,
1310 const uint8_t *msg, size_t msg_len, uint8_t *sig,
1319 .qord = mp_unsigned_bin_size(key->g),
1326 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1328 if (algo != TEE_ALG_DSA_SHA1 &&
1329 algo != TEE_ALG_DSA_SHA224 &&
1330 algo != TEE_ALG_DSA_SHA256) {
1331 res = TEE_ERROR_NOT_IMPLEMENTED;
1335 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
1337 if (res != TEE_SUCCESS)
1339 if (mp_unsigned_bin_size(ltc_key.q) < hash_size)
1340 hash_size = mp_unsigned_bin_size(ltc_key.q);
1341 if (msg_len != hash_size) {
1342 res = TEE_ERROR_SECURITY;
1346 if (*sig_len < 2 * mp_unsigned_bin_size(ltc_key.q)) {
1347 *sig_len = 2 * mp_unsigned_bin_size(ltc_key.q);
1348 res = TEE_ERROR_SHORT_BUFFER;
1352 ltc_res = mp_init_multi(&r, &s, NULL);
1353 if (ltc_res != CRYPT_OK) {
1354 res = TEE_ERROR_OUT_OF_MEMORY;
1358 ltc_res = dsa_sign_hash_raw(msg, msg_len, r, s, &prng->state,
1359 prng->index, <c_key);
1361 if (ltc_res == CRYPT_OK) {
1362 *sig_len = 2 * mp_unsigned_bin_size(ltc_key.q);
1363 memset(sig, 0, *sig_len);
1364 mp_to_unsigned_bin(r, (uint8_t *)sig + *sig_len/2 -
1365 mp_unsigned_bin_size(r));
1366 mp_to_unsigned_bin(s, (uint8_t *)sig + *sig_len -
1367 mp_unsigned_bin_size(s));
1370 res = TEE_ERROR_GENERIC;
1373 mp_clear_multi(r, s, NULL);
1379 static TEE_Result dsa_verify(uint32_t algo, struct dsa_public_key *key,
1380 const uint8_t *msg, size_t msg_len,
1381 const uint8_t *sig, size_t sig_len)
1384 int ltc_stat, ltc_res;
1388 .qord = mp_unsigned_bin_size(key->g),
1395 if (algo != TEE_ALG_DSA_SHA1 &&
1396 algo != TEE_ALG_DSA_SHA224 &&
1397 algo != TEE_ALG_DSA_SHA256) {
1398 res = TEE_ERROR_NOT_IMPLEMENTED;
1402 ltc_res = mp_init_multi(&r, &s, NULL);
1403 if (ltc_res != CRYPT_OK) {
1404 res = TEE_ERROR_OUT_OF_MEMORY;
1407 mp_read_unsigned_bin(r, (uint8_t *)sig, sig_len/2);
1408 mp_read_unsigned_bin(s, (uint8_t *)sig + sig_len/2, sig_len/2);
1409 ltc_res = dsa_verify_hash_raw(r, s, msg, msg_len, <c_stat, <c_key);
1410 mp_clear_multi(r, s, NULL);
1412 if ((ltc_res == CRYPT_OK) && (ltc_stat == 1))
1415 res = TEE_ERROR_GENERIC;
1421 #endif /* CFG_CRYPTO_DSA */
1423 #if defined(CFG_CRYPTO_DH)
1425 static TEE_Result alloc_dh_keypair(struct dh_keypair *s,
1426 size_t key_size_bits __unused)
1428 memset(s, 0, sizeof(*s));
1429 if (!bn_alloc_max(&s->g)) {
1430 return TEE_ERROR_OUT_OF_MEMORY;
1433 if (!bn_alloc_max(&s->p))
1435 if (!bn_alloc_max(&s->y))
1437 if (!bn_alloc_max(&s->x))
1439 if (!bn_alloc_max(&s->q))
1447 return TEE_ERROR_OUT_OF_MEMORY;
1450 static TEE_Result gen_dh_key(struct dh_keypair *key, struct bignum *q,
1456 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1458 /* Generate the DH key */
1459 ltc_tmp_key.g = key->g;
1460 ltc_tmp_key.p = key->p;
1461 ltc_res = dh_make_key(&prng->state, prng->index, q, xbits,
1463 if (ltc_res != CRYPT_OK) {
1464 res = TEE_ERROR_BAD_PARAMETERS;
1466 ltc_mp.copy(ltc_tmp_key.y, key->y);
1467 ltc_mp.copy(ltc_tmp_key.x, key->x);
1469 /* Free the tempory key */
1470 dh_free(<c_tmp_key);
1476 static TEE_Result do_dh_shared_secret(struct dh_keypair *private_key,
1477 struct bignum *public_key,
1478 struct bignum *secret)
1483 .g = private_key->g,
1484 .p = private_key->p,
1485 .y = private_key->y,
1489 err = dh_shared_secret(&pk, public_key, secret);
1490 return ((err == CRYPT_OK) ? TEE_SUCCESS : TEE_ERROR_BAD_PARAMETERS);
1493 #endif /* CFG_CRYPTO_DH */
1495 #if defined(CFG_CRYPTO_ECC)
1497 static TEE_Result alloc_ecc_keypair(struct ecc_keypair *s,
1498 size_t key_size_bits __unused)
1500 memset(s, 0, sizeof(*s));
1501 if (!bn_alloc_max(&s->d))
1503 if (!bn_alloc_max(&s->x))
1505 if (!bn_alloc_max(&s->y))
1512 return TEE_ERROR_OUT_OF_MEMORY;
1515 static TEE_Result alloc_ecc_public_key(struct ecc_public_key *s,
1516 size_t key_size_bits __unused)
1518 memset(s, 0, sizeof(*s));
1519 if (!bn_alloc_max(&s->x))
1521 if (!bn_alloc_max(&s->y))
1527 return TEE_ERROR_OUT_OF_MEMORY;
1530 static void free_ecc_public_key(struct ecc_public_key *s)
1540 * curve is part of TEE_ECC_CURVE_NIST_P192,...
1541 * algo is part of TEE_ALG_ECDSA_P192,..., and 0 if we do not have it
1543 static TEE_Result ecc_get_keysize(uint32_t curve, uint32_t algo,
1544 size_t *key_size_bytes, size_t *key_size_bits)
1547 * Excerpt of libtomcrypt documentation:
1548 * ecc_make_key(... key_size ...): The keysize is the size of the
1549 * modulus in bytes desired. Currently directly supported values
1550 * are 12, 16, 20, 24, 28, 32, 48, and 65 bytes which correspond
1551 * to key sizes of 112, 128, 160, 192, 224, 256, 384, and 521 bits
1556 * Note GPv1.1 indicates TEE_ALG_ECDH_NIST_P192_DERIVE_SHARED_SECRET
1557 * but defines TEE_ALG_ECDH_P192
1561 case TEE_ECC_CURVE_NIST_P192:
1562 *key_size_bits = 192;
1563 *key_size_bytes = 24;
1564 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P192) &&
1565 (algo != TEE_ALG_ECDH_P192))
1566 return TEE_ERROR_BAD_PARAMETERS;
1568 case TEE_ECC_CURVE_NIST_P224:
1569 *key_size_bits = 224;
1570 *key_size_bytes = 28;
1571 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P224) &&
1572 (algo != TEE_ALG_ECDH_P224))
1573 return TEE_ERROR_BAD_PARAMETERS;
1575 case TEE_ECC_CURVE_NIST_P256:
1576 *key_size_bits = 256;
1577 *key_size_bytes = 32;
1578 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P256) &&
1579 (algo != TEE_ALG_ECDH_P256))
1580 return TEE_ERROR_BAD_PARAMETERS;
1582 case TEE_ECC_CURVE_NIST_P384:
1583 *key_size_bits = 384;
1584 *key_size_bytes = 48;
1585 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P384) &&
1586 (algo != TEE_ALG_ECDH_P384))
1587 return TEE_ERROR_BAD_PARAMETERS;
1589 case TEE_ECC_CURVE_NIST_P521:
1590 *key_size_bits = 521;
1592 * set 66 instead of 65 wrt to Libtomcrypt documentation as
1593 * if it the real key size
1595 *key_size_bytes = 66;
1596 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P521) &&
1597 (algo != TEE_ALG_ECDH_P521))
1598 return TEE_ERROR_BAD_PARAMETERS;
1602 *key_size_bytes = 0;
1603 return TEE_ERROR_NOT_SUPPORTED;
1609 static TEE_Result gen_ecc_key(struct ecc_keypair *key)
1612 ecc_key ltc_tmp_key;
1614 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1615 size_t key_size_bytes = 0;
1616 size_t key_size_bits = 0;
1618 res = ecc_get_keysize(key->curve, 0, &key_size_bytes, &key_size_bits);
1619 if (res != TEE_SUCCESS) {
1623 /* Generate the ECC key */
1624 ltc_res = ecc_make_key(&prng->state, prng->index,
1625 key_size_bytes, <c_tmp_key);
1626 if (ltc_res != CRYPT_OK) {
1627 return TEE_ERROR_BAD_PARAMETERS;
1630 /* check the size of the keys */
1631 if (((size_t)mp_count_bits(ltc_tmp_key.pubkey.x) > key_size_bits) ||
1632 ((size_t)mp_count_bits(ltc_tmp_key.pubkey.y) > key_size_bits) ||
1633 ((size_t)mp_count_bits(ltc_tmp_key.k) > key_size_bits)) {
1634 res = TEE_ERROR_BAD_PARAMETERS;
1638 /* check LTC is returning z==1 */
1639 if (mp_count_bits(ltc_tmp_key.pubkey.z) != 1) {
1640 res = TEE_ERROR_BAD_PARAMETERS;
1645 ltc_mp.copy(ltc_tmp_key.k, key->d);
1646 ltc_mp.copy(ltc_tmp_key.pubkey.x, key->x);
1647 ltc_mp.copy(ltc_tmp_key.pubkey.y, key->y);
1652 ecc_free(<c_tmp_key); /* Free the temporary key */
1656 static TEE_Result ecc_compute_key_idx(ecc_key *ltc_key, size_t keysize)
1660 for (x = 0; ((int)keysize > ltc_ecc_sets[x].size) &&
1661 (ltc_ecc_sets[x].size != 0);
1664 keysize = (size_t)ltc_ecc_sets[x].size;
1666 if ((keysize > ECC_MAXSIZE) || (ltc_ecc_sets[x].size == 0))
1667 return TEE_ERROR_BAD_PARAMETERS;
1670 ltc_key->dp = <c_ecc_sets[x];
1676 * Given a keypair "key", populate the Libtomcrypt private key "ltc_key"
1677 * It also returns the key size, in bytes
1679 static TEE_Result ecc_populate_ltc_private_key(ecc_key *ltc_key,
1680 struct ecc_keypair *key,
1682 size_t *key_size_bytes)
1685 size_t key_size_bits;
1687 memset(ltc_key, 0, sizeof(*ltc_key));
1688 ltc_key->type = PK_PRIVATE;
1689 ltc_key->k = key->d;
1691 /* compute the index of the ecc curve */
1692 res = ecc_get_keysize(key->curve, algo,
1693 key_size_bytes, &key_size_bits);
1694 if (res != TEE_SUCCESS)
1697 return ecc_compute_key_idx(ltc_key, *key_size_bytes);
1701 * Given a public "key", populate the Libtomcrypt public key "ltc_key"
1702 * It also returns the key size, in bytes
1704 static TEE_Result ecc_populate_ltc_public_key(ecc_key *ltc_key,
1705 struct ecc_public_key *key,
1708 size_t *key_size_bytes)
1711 size_t key_size_bits;
1712 uint8_t one[1] = { 1 };
1715 memset(ltc_key, 0, sizeof(*ltc_key));
1716 ltc_key->type = PK_PUBLIC;
1717 ltc_key->pubkey.x = key->x;
1718 ltc_key->pubkey.y = key->y;
1719 ltc_key->pubkey.z = key_z;
1720 mp_read_unsigned_bin(ltc_key->pubkey.z, one, sizeof(one));
1722 /* compute the index of the ecc curve */
1723 res = ecc_get_keysize(key->curve, algo,
1724 key_size_bytes, &key_size_bits);
1725 if (res != TEE_SUCCESS)
1728 return ecc_compute_key_idx(ltc_key, *key_size_bytes);
1731 static TEE_Result ecc_sign(uint32_t algo, struct ecc_keypair *key,
1732 const uint8_t *msg, size_t msg_len, uint8_t *sig,
1738 size_t key_size_bytes;
1740 struct tee_ltc_prng *prng = tee_ltc_get_prng();
1743 res = TEE_ERROR_BAD_PARAMETERS;
1747 res = ecc_populate_ltc_private_key(<c_key, key, algo,
1749 if (res != TEE_SUCCESS)
1752 if (*sig_len < 2 * key_size_bytes) {
1753 *sig_len = 2 * key_size_bytes;
1754 res = TEE_ERROR_SHORT_BUFFER;
1758 ltc_res = mp_init_multi(&r, &s, NULL);
1759 if (ltc_res != CRYPT_OK) {
1760 res = TEE_ERROR_OUT_OF_MEMORY;
1764 ltc_res = ecc_sign_hash_raw(msg, msg_len, r, s,
1765 &prng->state, prng->index, <c_key);
1767 if (ltc_res == CRYPT_OK) {
1768 *sig_len = 2 * key_size_bytes;
1769 memset(sig, 0, *sig_len);
1770 mp_to_unsigned_bin(r, (uint8_t *)sig + *sig_len/2 -
1771 mp_unsigned_bin_size(r));
1772 mp_to_unsigned_bin(s, (uint8_t *)sig + *sig_len -
1773 mp_unsigned_bin_size(s));
1776 res = TEE_ERROR_GENERIC;
1779 mp_clear_multi(r, s, NULL);
1785 static TEE_Result ecc_verify(uint32_t algo, struct ecc_public_key *key,
1786 const uint8_t *msg, size_t msg_len,
1787 const uint8_t *sig, size_t sig_len)
1795 size_t key_size_bytes;
1799 return TEE_ERROR_BAD_PARAMETERS;
1802 ltc_res = mp_init_multi(&key_z, &r, &s, NULL);
1803 if (ltc_res != CRYPT_OK) {
1804 return TEE_ERROR_OUT_OF_MEMORY;
1807 res = ecc_populate_ltc_public_key(<c_key, key, key_z, algo,
1809 if (res != TEE_SUCCESS)
1812 /* check keysize vs sig_len */
1813 if ((key_size_bytes * 2) != sig_len) {
1814 res = TEE_ERROR_BAD_PARAMETERS;
1818 mp_read_unsigned_bin(r, (uint8_t *)sig, sig_len/2);
1819 mp_read_unsigned_bin(s, (uint8_t *)sig + sig_len/2, sig_len/2);
1821 ltc_res = ecc_verify_hash_raw(r, s, msg, msg_len, <c_stat, <c_key);
1822 if ((ltc_res == CRYPT_OK) && (ltc_stat == 1))
1825 res = TEE_ERROR_GENERIC;
1828 mp_clear_multi(key_z, r, s, NULL);
1832 static TEE_Result do_ecc_shared_secret(struct ecc_keypair *private_key,
1833 struct ecc_public_key *public_key,
1834 void *secret, unsigned long *secret_len)
1838 ecc_key ltc_private_key;
1839 ecc_key ltc_public_key;
1840 size_t key_size_bytes;
1843 /* Check the curves are the same */
1844 if (private_key->curve != public_key->curve) {
1845 return TEE_ERROR_BAD_PARAMETERS;
1848 ltc_res = mp_init_multi(&key_z, NULL);
1849 if (ltc_res != CRYPT_OK) {
1850 return TEE_ERROR_OUT_OF_MEMORY;
1853 res = ecc_populate_ltc_private_key(<c_private_key, private_key,
1854 0, &key_size_bytes);
1855 if (res != TEE_SUCCESS)
1857 res = ecc_populate_ltc_public_key(<c_public_key, public_key, key_z,
1858 0, &key_size_bytes);
1859 if (res != TEE_SUCCESS)
1862 ltc_res = ecc_shared_secret(<c_private_key, <c_public_key,
1863 secret, secret_len);
1864 if (ltc_res == CRYPT_OK)
1867 res = TEE_ERROR_BAD_PARAMETERS;
1870 mp_clear_multi(key_z, NULL);
1873 #endif /* CFG_CRYPTO_ECC */
1875 #endif /* _CFG_CRYPTO_WITH_ACIPHER */
1877 /******************************************************************************
1879 ******************************************************************************/
1881 #if defined(_CFG_CRYPTO_WITH_CIPHER)
1882 /* From libtomcrypt doc:
1883 * Ciphertext stealing is a method of dealing with messages
1884 * in CBC mode which are not a multiple of the block
1885 * length. This is accomplished by encrypting the last
1886 * ciphertext block in ECB mode, and XOR'ing the output
1887 * against the last partial block of plaintext. LibTomCrypt
1888 * does not support this mode directly but it is fairly
1889 * easy to emulate with a call to the cipher's
1890 * ecb encrypt() callback function.
1891 * The more sane way to deal with partial blocks is to pad
1892 * them with zeroes, and then use CBC normally
1896 * From Global Platform: CTS = CBC-CS3
1899 #if defined(CFG_CRYPTO_CTS)
1900 struct tee_symmetric_cts {
1906 #if defined(CFG_CRYPTO_XTS)
1907 #define XTS_TWEAK_SIZE 16
1908 struct tee_symmetric_xts {
1910 uint8_t tweak[XTS_TWEAK_SIZE];
1914 static TEE_Result cipher_get_block_size(uint32_t algo, size_t *size)
1917 int ltc_cipherindex;
1919 res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
1920 if (res != TEE_SUCCESS)
1921 return TEE_ERROR_NOT_SUPPORTED;
1923 *size = cipher_descriptor[ltc_cipherindex]->block_length;
1927 static TEE_Result cipher_get_ctx_size(uint32_t algo, size_t *size)
1930 #if defined(CFG_CRYPTO_AES)
1931 #if defined(CFG_CRYPTO_ECB)
1932 case TEE_ALG_AES_ECB_NOPAD:
1933 *size = sizeof(symmetric_ECB);
1936 #if defined(CFG_CRYPTO_CBC)
1937 case TEE_ALG_AES_CBC_NOPAD:
1938 *size = sizeof(symmetric_CBC);
1941 #if defined(CFG_CRYPTO_CTR)
1942 case TEE_ALG_AES_CTR:
1943 *size = sizeof(symmetric_CTR);
1946 #if defined(CFG_CRYPTO_CTS)
1947 case TEE_ALG_AES_CTS:
1948 *size = sizeof(struct tee_symmetric_cts);
1951 #if defined(CFG_CRYPTO_XTS)
1952 case TEE_ALG_AES_XTS:
1953 *size = sizeof(struct tee_symmetric_xts);
1957 #if defined(CFG_CRYPTO_DES)
1958 #if defined(CFG_CRYPTO_ECB)
1959 case TEE_ALG_DES_ECB_NOPAD:
1960 *size = sizeof(symmetric_ECB);
1962 case TEE_ALG_DES3_ECB_NOPAD:
1963 *size = sizeof(symmetric_ECB);
1966 #if defined(CFG_CRYPTO_CBC)
1967 case TEE_ALG_DES_CBC_NOPAD:
1968 *size = sizeof(symmetric_CBC);
1970 case TEE_ALG_DES3_CBC_NOPAD:
1971 *size = sizeof(symmetric_CBC);
1976 return TEE_ERROR_NOT_SUPPORTED;
1982 static void get_des2_key(const uint8_t *key, size_t key_len,
1983 uint8_t *key_intermediate,
1984 uint8_t **real_key, size_t *real_key_len)
1986 if (key_len == 16) {
1988 * This corresponds to a 2DES key. The 2DES encryption
1989 * algorithm is similar to 3DES. Both perform and
1990 * encryption step, then a decryption step, followed
1991 * by another encryption step (EDE). However 2DES uses
1992 * the same key for both of the encryption (E) steps.
1994 memcpy(key_intermediate, key, 16);
1995 memcpy(key_intermediate+16, key, 8);
1996 *real_key = key_intermediate;
1999 *real_key = (uint8_t *)key;
2000 *real_key_len = key_len;
2004 static TEE_Result cipher_init(void *ctx, uint32_t algo,
2005 TEE_OperationMode mode __maybe_unused,
2006 const uint8_t *key1, size_t key1_len,
2007 const uint8_t *key2 __maybe_unused,
2008 size_t key2_len __maybe_unused,
2009 const uint8_t *iv __maybe_unused,
2010 size_t iv_len __maybe_unused)
2013 int ltc_res, ltc_cipherindex;
2014 uint8_t *real_key, key_array[24];
2015 size_t real_key_len;
2016 #if defined(CFG_CRYPTO_CTS)
2017 struct tee_symmetric_cts *cts;
2019 #if defined(CFG_CRYPTO_XTS)
2020 struct tee_symmetric_xts *xts;
2023 res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
2024 if (res != TEE_SUCCESS)
2025 return TEE_ERROR_NOT_SUPPORTED;
2028 #if defined(CFG_CRYPTO_ECB)
2029 case TEE_ALG_AES_ECB_NOPAD:
2030 case TEE_ALG_DES_ECB_NOPAD:
2031 ltc_res = ecb_start(
2032 ltc_cipherindex, key1, key1_len,
2033 0, (symmetric_ECB *)ctx);
2036 case TEE_ALG_DES3_ECB_NOPAD:
2037 /* either des3 or des2, depending on the size of the key */
2038 get_des2_key(key1, key1_len, key_array,
2039 &real_key, &real_key_len);
2040 ltc_res = ecb_start(
2041 ltc_cipherindex, real_key, real_key_len,
2042 0, (symmetric_ECB *)ctx);
2045 #if defined(CFG_CRYPTO_CBC)
2046 case TEE_ALG_AES_CBC_NOPAD:
2047 case TEE_ALG_DES_CBC_NOPAD:
2049 (size_t)cipher_descriptor[ltc_cipherindex]->block_length)
2050 return TEE_ERROR_BAD_PARAMETERS;
2051 ltc_res = cbc_start(
2052 ltc_cipherindex, iv, key1, key1_len,
2053 0, (symmetric_CBC *)ctx);
2056 case TEE_ALG_DES3_CBC_NOPAD:
2057 /* either des3 or des2, depending on the size of the key */
2058 get_des2_key(key1, key1_len, key_array,
2059 &real_key, &real_key_len);
2061 (size_t)cipher_descriptor[ltc_cipherindex]->block_length)
2062 return TEE_ERROR_BAD_PARAMETERS;
2063 ltc_res = cbc_start(
2064 ltc_cipherindex, iv, real_key, real_key_len,
2065 0, (symmetric_CBC *)ctx);
2068 #if defined(CFG_CRYPTO_CTR)
2069 case TEE_ALG_AES_CTR:
2071 (size_t)cipher_descriptor[ltc_cipherindex]->block_length)
2072 return TEE_ERROR_BAD_PARAMETERS;
2073 ltc_res = ctr_start(
2074 ltc_cipherindex, iv, key1, key1_len,
2075 0, CTR_COUNTER_BIG_ENDIAN, (symmetric_CTR *)ctx);
2078 #if defined(CFG_CRYPTO_CTS)
2079 case TEE_ALG_AES_CTS:
2081 res = cipher_init((void *)(&(cts->ecb)),
2082 TEE_ALG_AES_ECB_NOPAD, mode, key1,
2083 key1_len, key2, key2_len, iv,
2085 if (res != TEE_SUCCESS)
2087 res = cipher_init((void *)(&(cts->cbc)),
2088 TEE_ALG_AES_CBC_NOPAD, mode, key1,
2089 key1_len, key2, key2_len, iv,
2091 if (res != TEE_SUCCESS)
2096 #if defined(CFG_CRYPTO_XTS)
2097 case TEE_ALG_AES_XTS:
2099 if (key1_len != key2_len)
2100 return TEE_ERROR_BAD_PARAMETERS;
2102 if (iv_len != XTS_TWEAK_SIZE)
2103 return TEE_ERROR_BAD_PARAMETERS;
2104 memcpy(xts->tweak, iv, iv_len);
2106 memset(xts->tweak, 0, XTS_TWEAK_SIZE);
2108 ltc_res = xts_start(
2109 ltc_cipherindex, key1, key2, key1_len,
2114 return TEE_ERROR_NOT_SUPPORTED;
2117 if (ltc_res == CRYPT_OK)
2120 return TEE_ERROR_BAD_STATE;
2123 static TEE_Result cipher_update(void *ctx, uint32_t algo,
2124 TEE_OperationMode mode,
2125 bool last_block __maybe_unused,
2126 const uint8_t *data, size_t len, uint8_t *dst)
2128 int ltc_res = CRYPT_OK;
2129 #if defined(CFG_CRYPTO_CTS)
2130 struct tee_symmetric_cts *cts;
2132 #if defined(CFG_CRYPTO_XTS)
2133 struct tee_symmetric_xts *xts;
2137 #if defined(CFG_CRYPTO_ECB)
2138 case TEE_ALG_AES_ECB_NOPAD:
2139 case TEE_ALG_DES_ECB_NOPAD:
2140 case TEE_ALG_DES3_ECB_NOPAD:
2141 if (mode == TEE_MODE_ENCRYPT)
2142 ltc_res = ecb_encrypt(data, dst, len, ctx);
2144 ltc_res = ecb_decrypt(data, dst, len, ctx);
2147 #if defined(CFG_CRYPTO_CBC)
2148 case TEE_ALG_AES_CBC_NOPAD:
2149 case TEE_ALG_DES_CBC_NOPAD:
2150 case TEE_ALG_DES3_CBC_NOPAD:
2151 if (mode == TEE_MODE_ENCRYPT)
2152 ltc_res = cbc_encrypt(data, dst, len, ctx);
2154 ltc_res = cbc_decrypt(data, dst, len, ctx);
2157 #if defined(CFG_CRYPTO_CTR)
2158 case TEE_ALG_AES_CTR:
2159 if (mode == TEE_MODE_ENCRYPT)
2160 ltc_res = ctr_encrypt(data, dst, len, ctx);
2162 ltc_res = ctr_decrypt(data, dst, len, ctx);
2165 #if defined(CFG_CRYPTO_XTS)
2166 case TEE_ALG_AES_XTS:
2168 if (mode == TEE_MODE_ENCRYPT)
2169 ltc_res = xts_encrypt(data, len, dst, xts->tweak,
2172 ltc_res = xts_decrypt(data, len, dst, xts->tweak,
2176 #if defined(CFG_CRYPTO_CTS)
2177 case TEE_ALG_AES_CTS:
2179 return tee_aes_cbc_cts_update(&cts->cbc, &cts->ecb, mode,
2180 last_block, data, len, dst);
2183 return TEE_ERROR_NOT_SUPPORTED;
2186 if (ltc_res == CRYPT_OK)
2189 return TEE_ERROR_BAD_STATE;
2192 static void cipher_final(void *ctx, uint32_t algo)
2195 #if defined(CFG_CRYPTO_ECB)
2196 case TEE_ALG_AES_ECB_NOPAD:
2197 case TEE_ALG_DES_ECB_NOPAD:
2198 case TEE_ALG_DES3_ECB_NOPAD:
2202 #if defined(CFG_CRYPTO_CBC)
2203 case TEE_ALG_AES_CBC_NOPAD:
2204 case TEE_ALG_DES_CBC_NOPAD:
2205 case TEE_ALG_DES3_CBC_NOPAD:
2206 case TEE_ALG_AES_CBC_MAC_NOPAD:
2207 case TEE_ALG_AES_CBC_MAC_PKCS5:
2208 case TEE_ALG_DES_CBC_MAC_NOPAD:
2209 case TEE_ALG_DES_CBC_MAC_PKCS5:
2210 case TEE_ALG_DES3_CBC_MAC_NOPAD:
2211 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2215 #if defined(CFG_CRYPTO_CTR)
2216 case TEE_ALG_AES_CTR:
2220 #if defined(CFG_CRYPTO_XTS)
2221 case TEE_ALG_AES_XTS:
2222 xts_done(&(((struct tee_symmetric_xts *)ctx)->ctx));
2225 #if defined(CFG_CRYPTO_CTS)
2226 case TEE_ALG_AES_CTS:
2227 cbc_done(&(((struct tee_symmetric_cts *)ctx)->cbc));
2228 ecb_done(&(((struct tee_symmetric_cts *)ctx)->ecb));
2232 assert(!"Unhandled algo");
2236 #endif /* _CFG_CRYPTO_WITH_CIPHER */
2238 /*****************************************************************************
2239 * Message Authentication Code functions
2240 *****************************************************************************/
2242 #if defined(_CFG_CRYPTO_WITH_MAC)
2244 #if defined(CFG_CRYPTO_CBC_MAC)
2246 * CBC-MAC is not implemented in Libtomcrypt
2247 * This is implemented here as being the plain text which is encoded with IV=0.
2248 * Result of the CBC-MAC is the last 16-bytes cipher.
2251 #define CBCMAC_MAX_BLOCK_LEN 16
2254 uint8_t block[CBCMAC_MAX_BLOCK_LEN];
2255 uint8_t digest[CBCMAC_MAX_BLOCK_LEN];
2256 size_t current_block_len, block_len;
2261 static TEE_Result mac_get_ctx_size(uint32_t algo, size_t *size)
2264 #if defined(CFG_CRYPTO_HMAC)
2265 case TEE_ALG_HMAC_MD5:
2266 case TEE_ALG_HMAC_SHA224:
2267 case TEE_ALG_HMAC_SHA1:
2268 case TEE_ALG_HMAC_SHA256:
2269 case TEE_ALG_HMAC_SHA384:
2270 case TEE_ALG_HMAC_SHA512:
2271 *size = sizeof(hmac_state);
2274 #if defined(CFG_CRYPTO_CBC_MAC)
2275 case TEE_ALG_AES_CBC_MAC_NOPAD:
2276 case TEE_ALG_AES_CBC_MAC_PKCS5:
2277 case TEE_ALG_DES_CBC_MAC_NOPAD:
2278 case TEE_ALG_DES_CBC_MAC_PKCS5:
2279 case TEE_ALG_DES3_CBC_MAC_NOPAD:
2280 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2281 *size = sizeof(struct cbc_state);
2284 #if defined(CFG_CRYPTO_CMAC)
2285 case TEE_ALG_AES_CMAC:
2286 *size = sizeof(omac_state);
2290 return TEE_ERROR_NOT_SUPPORTED;
2296 static TEE_Result mac_init(void *ctx, uint32_t algo, const uint8_t *key,
2300 #if defined(CFG_CRYPTO_HMAC)
2303 #if defined(CFG_CRYPTO_CBC_MAC) || defined(CFG_CRYPTO_CMAC)
2304 int ltc_cipherindex;
2306 #if defined(CFG_CRYPTO_CBC_MAC)
2308 uint8_t key_array[24];
2309 size_t real_key_len;
2310 uint8_t iv[CBCMAC_MAX_BLOCK_LEN];
2311 struct cbc_state *cbc;
2315 #if defined(CFG_CRYPTO_HMAC)
2316 case TEE_ALG_HMAC_MD5:
2317 case TEE_ALG_HMAC_SHA224:
2318 case TEE_ALG_HMAC_SHA1:
2319 case TEE_ALG_HMAC_SHA256:
2320 case TEE_ALG_HMAC_SHA384:
2321 case TEE_ALG_HMAC_SHA512:
2322 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
2323 if (res != TEE_SUCCESS)
2326 hmac_init((hmac_state *)ctx, ltc_hashindex, key, len))
2327 return TEE_ERROR_BAD_STATE;
2330 #if defined(CFG_CRYPTO_CBC_MAC)
2331 case TEE_ALG_AES_CBC_MAC_NOPAD:
2332 case TEE_ALG_AES_CBC_MAC_PKCS5:
2333 case TEE_ALG_DES_CBC_MAC_NOPAD:
2334 case TEE_ALG_DES_CBC_MAC_PKCS5:
2335 case TEE_ALG_DES3_CBC_MAC_NOPAD:
2336 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2337 cbc = (struct cbc_state *)ctx;
2339 res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
2340 if (res != TEE_SUCCESS)
2344 cipher_descriptor[ltc_cipherindex]->block_length;
2345 if (CBCMAC_MAX_BLOCK_LEN < cbc->block_len)
2346 return TEE_ERROR_BAD_PARAMETERS;
2347 memset(iv, 0, cbc->block_len);
2349 if (algo == TEE_ALG_DES3_CBC_MAC_NOPAD ||
2350 algo == TEE_ALG_DES3_CBC_MAC_PKCS5) {
2351 get_des2_key(key, len, key_array,
2352 &real_key, &real_key_len);
2356 if (CRYPT_OK != cbc_start(
2357 ltc_cipherindex, iv, key, len, 0, &cbc->cbc))
2358 return TEE_ERROR_BAD_STATE;
2359 cbc->is_computed = 0;
2360 cbc->current_block_len = 0;
2363 #if defined(CFG_CRYPTO_CMAC)
2364 case TEE_ALG_AES_CMAC:
2365 res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
2366 if (res != TEE_SUCCESS)
2368 if (CRYPT_OK != omac_init((omac_state *)ctx, ltc_cipherindex,
2370 return TEE_ERROR_BAD_STATE;
2374 return TEE_ERROR_NOT_SUPPORTED;
2380 static TEE_Result mac_update(void *ctx, uint32_t algo, const uint8_t *data,
2383 #if defined(CFG_CRYPTO_CBC_MAC)
2385 struct cbc_state *cbc;
2393 #if defined(CFG_CRYPTO_HMAC)
2394 case TEE_ALG_HMAC_MD5:
2395 case TEE_ALG_HMAC_SHA224:
2396 case TEE_ALG_HMAC_SHA1:
2397 case TEE_ALG_HMAC_SHA256:
2398 case TEE_ALG_HMAC_SHA384:
2399 case TEE_ALG_HMAC_SHA512:
2400 if (CRYPT_OK != hmac_process((hmac_state *)ctx, data, len))
2401 return TEE_ERROR_BAD_STATE;
2404 #if defined(CFG_CRYPTO_CBC_MAC)
2405 case TEE_ALG_AES_CBC_MAC_NOPAD:
2406 case TEE_ALG_AES_CBC_MAC_PKCS5:
2407 case TEE_ALG_DES_CBC_MAC_NOPAD:
2408 case TEE_ALG_DES_CBC_MAC_PKCS5:
2409 case TEE_ALG_DES3_CBC_MAC_NOPAD:
2410 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2413 if ((cbc->current_block_len > 0) &&
2414 (len + cbc->current_block_len >= cbc->block_len)) {
2415 pad_len = cbc->block_len - cbc->current_block_len;
2416 memcpy(cbc->block + cbc->current_block_len,
2420 ltc_res = cbc_encrypt(cbc->block, cbc->digest,
2421 cbc->block_len, &cbc->cbc);
2422 if (CRYPT_OK != ltc_res)
2423 return TEE_ERROR_BAD_STATE;
2424 cbc->is_computed = 1;
2427 while (len >= cbc->block_len) {
2428 ltc_res = cbc_encrypt(data, cbc->digest,
2429 cbc->block_len, &cbc->cbc);
2430 if (CRYPT_OK != ltc_res)
2431 return TEE_ERROR_BAD_STATE;
2432 cbc->is_computed = 1;
2433 data += cbc->block_len;
2434 len -= cbc->block_len;
2438 memcpy(cbc->block, data, len);
2439 cbc->current_block_len = len;
2442 #if defined(CFG_CRYPTO_CMAC)
2443 case TEE_ALG_AES_CMAC:
2444 if (CRYPT_OK != omac_process((omac_state *)ctx, data, len))
2445 return TEE_ERROR_BAD_STATE;
2449 return TEE_ERROR_NOT_SUPPORTED;
2455 static TEE_Result mac_final(void *ctx, uint32_t algo, uint8_t *digest,
2458 #if defined(CFG_CRYPTO_CBC_MAC)
2459 struct cbc_state *cbc;
2462 unsigned long ltc_digest_len = digest_len;
2465 #if defined(CFG_CRYPTO_HMAC)
2466 case TEE_ALG_HMAC_MD5:
2467 case TEE_ALG_HMAC_SHA224:
2468 case TEE_ALG_HMAC_SHA1:
2469 case TEE_ALG_HMAC_SHA256:
2470 case TEE_ALG_HMAC_SHA384:
2471 case TEE_ALG_HMAC_SHA512:
2472 if (CRYPT_OK != hmac_done((hmac_state *)ctx, digest,
2474 return TEE_ERROR_BAD_STATE;
2477 #if defined(CFG_CRYPTO_CBC_MAC)
2478 case TEE_ALG_AES_CBC_MAC_NOPAD:
2479 case TEE_ALG_AES_CBC_MAC_PKCS5:
2480 case TEE_ALG_DES_CBC_MAC_NOPAD:
2481 case TEE_ALG_DES_CBC_MAC_PKCS5:
2482 case TEE_ALG_DES3_CBC_MAC_NOPAD:
2483 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2484 cbc = (struct cbc_state *)ctx;
2486 /* Padding is required */
2488 case TEE_ALG_AES_CBC_MAC_PKCS5:
2489 case TEE_ALG_DES_CBC_MAC_PKCS5:
2490 case TEE_ALG_DES3_CBC_MAC_PKCS5:
2492 * Padding is in whole bytes. The value of each added
2493 * byte is the number of bytes that are added, i.e. N
2494 * bytes, each of value N are added
2496 pad_len = cbc->block_len - cbc->current_block_len;
2497 memset(cbc->block+cbc->current_block_len,
2499 cbc->current_block_len = 0;
2500 if (TEE_SUCCESS != mac_update(
2501 ctx, algo, cbc->block, cbc->block_len))
2502 return TEE_ERROR_BAD_STATE;
2509 if ((!cbc->is_computed) || (cbc->current_block_len != 0))
2510 return TEE_ERROR_BAD_STATE;
2512 memcpy(digest, cbc->digest, MIN(ltc_digest_len,
2514 cipher_final(&cbc->cbc, algo);
2517 #if defined(CFG_CRYPTO_CMAC)
2518 case TEE_ALG_AES_CMAC:
2519 if (CRYPT_OK != omac_done((omac_state *)ctx, digest,
2521 return TEE_ERROR_BAD_STATE;
2525 return TEE_ERROR_NOT_SUPPORTED;
2530 #endif /* _CFG_CRYPTO_WITH_MAC */
2532 /******************************************************************************
2533 * Authenticated encryption
2534 ******************************************************************************/
2536 #if defined(_CFG_CRYPTO_WITH_AUTHENC)
2538 #define TEE_CCM_KEY_MAX_LENGTH 32
2539 #define TEE_CCM_NONCE_MAX_LENGTH 13
2540 #define TEE_CCM_TAG_MAX_LENGTH 16
2541 #define TEE_GCM_TAG_MAX_LENGTH 16
2542 #define TEE_xCM_TAG_MAX_LENGTH 16
2544 #if defined(CFG_CRYPTO_CCM)
2545 struct tee_ccm_state {
2546 ccm_state ctx; /* the ccm state as defined by LTC */
2547 size_t tag_len; /* tag length */
2551 #if defined(CFG_CRYPTO_GCM)
2552 struct tee_gcm_state {
2553 gcm_state ctx; /* the gcm state as defined by LTC */
2554 size_t tag_len; /* tag length */
2558 static TEE_Result authenc_get_ctx_size(uint32_t algo, size_t *size)
2561 #if defined(CFG_CRYPTO_CCM)
2562 case TEE_ALG_AES_CCM:
2563 *size = sizeof(struct tee_ccm_state);
2566 #if defined(CFG_CRYPTO_GCM)
2567 case TEE_ALG_AES_GCM:
2568 *size = sizeof(struct tee_gcm_state);
2572 return TEE_ERROR_NOT_SUPPORTED;
2577 static TEE_Result authenc_init(void *ctx, uint32_t algo,
2578 TEE_OperationMode mode __unused,
2579 const uint8_t *key, size_t key_len,
2580 const uint8_t *nonce, size_t nonce_len,
2581 size_t tag_len, size_t aad_len __maybe_unused,
2582 size_t payload_len __maybe_unused)
2586 int ltc_cipherindex;
2587 #if defined(CFG_CRYPTO_CCM)
2588 struct tee_ccm_state *ccm;
2590 #if defined(CFG_CRYPTO_GCM)
2591 struct tee_gcm_state *gcm;
2594 res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
2595 if (res != TEE_SUCCESS)
2596 return TEE_ERROR_NOT_SUPPORTED;
2598 #if defined(CFG_CRYPTO_CCM)
2599 case TEE_ALG_AES_CCM:
2600 /* reset the state */
2602 memset(ccm, 0, sizeof(struct tee_ccm_state));
2603 ccm->tag_len = tag_len;
2605 /* Check the key length */
2606 if ((!key) || (key_len > TEE_CCM_KEY_MAX_LENGTH))
2607 return TEE_ERROR_BAD_PARAMETERS;
2609 /* check the nonce */
2610 if (nonce_len > TEE_CCM_NONCE_MAX_LENGTH)
2611 return TEE_ERROR_BAD_PARAMETERS;
2613 /* check the tag len */
2614 if ((tag_len < 4) ||
2615 (tag_len > TEE_CCM_TAG_MAX_LENGTH) ||
2617 return TEE_ERROR_NOT_SUPPORTED;
2619 ltc_res = ccm_init(&ccm->ctx, ltc_cipherindex, key, key_len,
2620 payload_len, tag_len, aad_len);
2621 if (ltc_res != CRYPT_OK)
2622 return TEE_ERROR_BAD_STATE;
2625 ltc_res = ccm_add_nonce(&ccm->ctx, nonce, nonce_len);
2626 if (ltc_res != CRYPT_OK)
2627 return TEE_ERROR_BAD_STATE;
2630 #if defined(CFG_CRYPTO_GCM)
2631 case TEE_ALG_AES_GCM:
2632 /* reset the state */
2634 memset(gcm, 0, sizeof(struct tee_gcm_state));
2635 gcm->tag_len = tag_len;
2637 ltc_res = gcm_init(&gcm->ctx, ltc_cipherindex, key, key_len);
2638 if (ltc_res != CRYPT_OK)
2639 return TEE_ERROR_BAD_STATE;
2642 ltc_res = gcm_add_iv(&gcm->ctx, nonce, nonce_len);
2643 if (ltc_res != CRYPT_OK)
2644 return TEE_ERROR_BAD_STATE;
2648 return TEE_ERROR_NOT_SUPPORTED;
2654 static TEE_Result authenc_update_aad(void *ctx, uint32_t algo,
2655 TEE_OperationMode mode __unused,
2656 const uint8_t *data, size_t len)
2658 #if defined(CFG_CRYPTO_CCM)
2659 struct tee_ccm_state *ccm;
2661 #if defined(CFG_CRYPTO_GCM)
2662 struct tee_gcm_state *gcm;
2667 #if defined(CFG_CRYPTO_CCM)
2668 case TEE_ALG_AES_CCM:
2669 /* Add the AAD (note: aad can be NULL if aadlen == 0) */
2671 ltc_res = ccm_add_aad(&ccm->ctx, data, len);
2672 if (ltc_res != CRYPT_OK)
2673 return TEE_ERROR_BAD_STATE;
2676 #if defined(CFG_CRYPTO_GCM)
2677 case TEE_ALG_AES_GCM:
2678 /* Add the AAD (note: aad can be NULL if aadlen == 0) */
2680 ltc_res = gcm_add_aad(&gcm->ctx, data, len);
2681 if (ltc_res != CRYPT_OK)
2682 return TEE_ERROR_BAD_STATE;
2686 return TEE_ERROR_NOT_SUPPORTED;
2692 static TEE_Result authenc_update_payload(void *ctx, uint32_t algo,
2693 TEE_OperationMode mode,
2694 const uint8_t *src_data,
2699 #if defined(CFG_CRYPTO_GCM)
2703 #if defined(CFG_CRYPTO_CCM)
2704 struct tee_ccm_state *ccm;
2706 #if defined(CFG_CRYPTO_GCM)
2707 struct tee_gcm_state *gcm;
2709 unsigned char *pt, *ct; /* the plain and the cipher text */
2711 if (mode == TEE_MODE_ENCRYPT) {
2712 pt = (unsigned char *)src_data;
2716 ct = (unsigned char *)src_data;
2720 #if defined(CFG_CRYPTO_CCM)
2721 case TEE_ALG_AES_CCM:
2723 dir = (mode == TEE_MODE_ENCRYPT ? CCM_ENCRYPT : CCM_DECRYPT);
2724 ltc_res = ccm_process(&ccm->ctx, pt, src_len, ct, dir);
2725 if (ltc_res != CRYPT_OK)
2726 return TEE_ERROR_BAD_STATE;
2730 #if defined(CFG_CRYPTO_GCM)
2731 case TEE_ALG_AES_GCM:
2732 /* aad is optional ==> add one without length */
2734 if (gcm->ctx.mode == LTC_GCM_MODE_IV) {
2735 res = authenc_update_aad(gcm, algo, mode, 0, 0);
2736 if (res != TEE_SUCCESS)
2740 /* process the data */
2741 dir = (mode == TEE_MODE_ENCRYPT ? GCM_ENCRYPT : GCM_DECRYPT);
2742 ltc_res = gcm_process(&gcm->ctx, pt, src_len, ct, dir);
2743 if (ltc_res != CRYPT_OK)
2744 return TEE_ERROR_BAD_STATE;
2749 return TEE_ERROR_NOT_SUPPORTED;
2755 static TEE_Result authenc_enc_final(void *ctx, uint32_t algo,
2756 const uint8_t *src_data,
2757 size_t src_len, uint8_t *dst_data,
2758 size_t *dst_len, uint8_t *dst_tag,
2759 size_t *dst_tag_len)
2762 #if defined(CFG_CRYPTO_CCM)
2763 struct tee_ccm_state *ccm;
2765 #if defined(CFG_CRYPTO_GCM)
2766 struct tee_gcm_state *gcm;
2771 /* Check the resulting buffer is not too short */
2772 res = cipher_get_block_size(algo, &digest_size);
2773 if (res != TEE_SUCCESS)
2776 /* Finalize the remaining buffer */
2777 res = authenc_update_payload(ctx, algo, TEE_MODE_ENCRYPT, src_data,
2778 src_len, dst_data, dst_len);
2779 if (res != TEE_SUCCESS)
2783 #if defined(CFG_CRYPTO_CCM)
2784 case TEE_ALG_AES_CCM:
2785 /* Check the tag length */
2787 if (*dst_tag_len < ccm->tag_len) {
2788 *dst_tag_len = ccm->tag_len;
2789 return TEE_ERROR_SHORT_BUFFER;
2791 *dst_tag_len = ccm->tag_len;
2793 /* Compute the tag */
2794 ltc_res = ccm_done(&ccm->ctx, dst_tag,
2795 (unsigned long *)dst_tag_len);
2796 if (ltc_res != CRYPT_OK)
2797 return TEE_ERROR_BAD_STATE;
2800 #if defined(CFG_CRYPTO_GCM)
2801 case TEE_ALG_AES_GCM:
2802 /* Check the tag length */
2804 if (*dst_tag_len < gcm->tag_len) {
2805 *dst_tag_len = gcm->tag_len;
2806 return TEE_ERROR_SHORT_BUFFER;
2808 *dst_tag_len = gcm->tag_len;
2810 /* Compute the tag */
2811 ltc_res = gcm_done(&gcm->ctx, dst_tag,
2812 (unsigned long *)dst_tag_len);
2813 if (ltc_res != CRYPT_OK)
2814 return TEE_ERROR_BAD_STATE;
2818 return TEE_ERROR_NOT_SUPPORTED;
2824 static TEE_Result authenc_dec_final(void *ctx, uint32_t algo,
2825 const uint8_t *src_data, size_t src_len,
2826 uint8_t *dst_data, size_t *dst_len,
2827 const uint8_t *tag, size_t tag_len)
2829 TEE_Result res = TEE_ERROR_BAD_STATE;
2830 #if defined(CFG_CRYPTO_CCM)
2831 struct tee_ccm_state *ccm;
2833 #if defined(CFG_CRYPTO_GCM)
2834 struct tee_gcm_state *gcm;
2837 uint8_t dst_tag[TEE_xCM_TAG_MAX_LENGTH];
2838 unsigned long ltc_tag_len = tag_len;
2841 return TEE_ERROR_SHORT_BUFFER;
2842 if (tag_len > TEE_xCM_TAG_MAX_LENGTH)
2843 return TEE_ERROR_BAD_STATE;
2845 /* Process the last buffer, if any */
2846 res = authenc_update_payload(ctx, algo, TEE_MODE_DECRYPT, src_data,
2847 src_len, dst_data, dst_len);
2848 if (res != TEE_SUCCESS)
2852 #if defined(CFG_CRYPTO_CCM)
2853 case TEE_ALG_AES_CCM:
2854 /* Finalize the authentication */
2856 ltc_res = ccm_done(&ccm->ctx, dst_tag, <c_tag_len);
2857 if (ltc_res != CRYPT_OK)
2858 return TEE_ERROR_BAD_STATE;
2861 #if defined(CFG_CRYPTO_GCM)
2862 case TEE_ALG_AES_GCM:
2863 /* Finalize the authentication */
2865 ltc_res = gcm_done(&gcm->ctx, dst_tag, <c_tag_len);
2866 if (ltc_res != CRYPT_OK)
2867 return TEE_ERROR_BAD_STATE;
2871 return TEE_ERROR_NOT_SUPPORTED;
2874 if (buf_compare_ct(dst_tag, tag, tag_len) != 0)
2875 res = TEE_ERROR_MAC_INVALID;
2881 static void authenc_final(void *ctx, uint32_t algo)
2883 #if defined(CFG_CRYPTO_CCM)
2884 struct tee_ccm_state *ccm;
2886 #if defined(CFG_CRYPTO_GCM)
2887 struct tee_gcm_state *gcm;
2891 #if defined(CFG_CRYPTO_CCM)
2892 case TEE_ALG_AES_CCM:
2894 ccm_reset(&ccm->ctx);
2897 #if defined(CFG_CRYPTO_GCM)
2898 case TEE_ALG_AES_GCM:
2900 gcm_reset(&gcm->ctx);
2907 #endif /* _CFG_CRYPTO_WITH_AUTHENC */
2909 /******************************************************************************
2910 * Pseudo Random Number Generator
2911 ******************************************************************************/
2912 static TEE_Result prng_read(void *buf, size_t blen)
2915 struct tee_ltc_prng *prng = tee_ltc_get_prng();
2917 err = prng_is_valid(prng->index);
2919 if (err != CRYPT_OK)
2920 return TEE_ERROR_BAD_STATE;
2922 if (prng_descriptor[prng->index]->read(buf, blen, &prng->state) !=
2923 (unsigned long)blen)
2924 return TEE_ERROR_BAD_STATE;
2929 static TEE_Result prng_add_entropy(const uint8_t *inbuf, size_t len)
2932 struct tee_ltc_prng *prng = tee_ltc_get_prng();
2934 err = prng_is_valid(prng->index);
2936 if (err != CRYPT_OK)
2937 return TEE_ERROR_BAD_STATE;
2939 err = prng_descriptor[prng->index]->add_entropy(
2940 inbuf, len, &prng->state);
2942 if (err != CRYPT_OK)
2943 return TEE_ERROR_BAD_STATE;
2948 static TEE_Result tee_ltc_init(void)
2950 #if defined(_CFG_CRYPTO_WITH_ACIPHER)
2951 tee_ltc_alloc_mpa();
2955 return tee_ltc_prng_init(tee_ltc_get_prng());
2958 const struct crypto_ops crypto_ops = {
2959 .name = "LibTomCrypt provider",
2960 .init = tee_ltc_init,
2961 #if defined(_CFG_CRYPTO_WITH_HASH)
2963 .get_ctx_size = hash_get_ctx_size,
2965 .update = hash_update,
2966 .final = hash_final,
2969 #if defined(_CFG_CRYPTO_WITH_CIPHER)
2971 .final = cipher_final,
2972 .get_block_size = cipher_get_block_size,
2973 .get_ctx_size = cipher_get_ctx_size,
2974 .init = cipher_init,
2975 .update = cipher_update,
2978 #if defined(_CFG_CRYPTO_WITH_MAC)
2980 .get_ctx_size = mac_get_ctx_size,
2982 .update = mac_update,
2986 #if defined(_CFG_CRYPTO_WITH_AUTHENC)
2988 .dec_final = authenc_dec_final,
2989 .enc_final = authenc_enc_final,
2990 .final = authenc_final,
2991 .get_ctx_size = authenc_get_ctx_size,
2992 .init = authenc_init,
2993 .update_aad = authenc_update_aad,
2994 .update_payload = authenc_update_payload,
2997 #if defined(_CFG_CRYPTO_WITH_ACIPHER)
2999 #if defined(CFG_CRYPTO_RSA)
3000 .alloc_rsa_keypair = alloc_rsa_keypair,
3001 .alloc_rsa_public_key = alloc_rsa_public_key,
3002 .free_rsa_public_key = free_rsa_public_key,
3003 .gen_rsa_key = gen_rsa_key,
3004 .rsaes_decrypt = rsaes_decrypt,
3005 .rsaes_encrypt = rsaes_encrypt,
3006 .rsanopad_decrypt = rsanopad_decrypt,
3007 .rsanopad_encrypt = rsanopad_encrypt,
3008 .rsassa_sign = rsassa_sign,
3009 .rsassa_verify = rsassa_verify,
3011 #if defined(CFG_CRYPTO_DH)
3012 .alloc_dh_keypair = alloc_dh_keypair,
3013 .gen_dh_key = gen_dh_key,
3014 .dh_shared_secret = do_dh_shared_secret,
3016 #if defined(CFG_CRYPTO_DSA)
3017 .alloc_dsa_keypair = alloc_dsa_keypair,
3018 .alloc_dsa_public_key = alloc_dsa_public_key,
3019 .gen_dsa_key = gen_dsa_key,
3020 .dsa_sign = dsa_sign,
3021 .dsa_verify = dsa_verify,
3023 #if defined(CFG_CRYPTO_ECC)
3024 /* ECDSA and ECDH */
3025 .alloc_ecc_keypair = alloc_ecc_keypair,
3026 .alloc_ecc_public_key = alloc_ecc_public_key,
3027 .gen_ecc_key = gen_ecc_key,
3028 .free_ecc_public_key = free_ecc_public_key,
3031 .ecc_sign = ecc_sign,
3032 .ecc_verify = ecc_verify,
3034 .ecc_shared_secret = do_ecc_shared_secret,
3038 .allocate = bn_allocate,
3039 .num_bytes = num_bytes,
3040 .num_bits = num_bits,
3048 #endif /* _CFG_CRYPTO_WITH_ACIPHER */
3050 .add_entropy = prng_add_entropy,
3055 #if defined(CFG_WITH_VFP)
3056 void tomcrypt_arm_neon_enable(struct tomcrypt_arm_neon_state *state)
3058 state->state = thread_kernel_enable_vfp();
3061 void tomcrypt_arm_neon_disable(struct tomcrypt_arm_neon_state *state)
3063 thread_kernel_disable_vfp(state->state);
3067 #if defined(CFG_CRYPTO_SHA256)
3068 TEE_Result hash_sha256_check(const uint8_t *hash, const uint8_t *data,
3072 uint8_t digest[TEE_SHA256_HASH_SIZE];
3074 if (sha256_init(&hs) != CRYPT_OK)
3075 return TEE_ERROR_GENERIC;
3076 if (sha256_process(&hs, data, data_size) != CRYPT_OK)
3077 return TEE_ERROR_GENERIC;
3078 if (sha256_done(&hs, digest) != CRYPT_OK)
3079 return TEE_ERROR_GENERIC;
3080 if (buf_compare_ct(digest, hash, sizeof(digest)) != 0)
3081 return TEE_ERROR_SECURITY;
3086 TEE_Result rng_generate(void *buffer, size_t len)
3088 #if defined(CFG_WITH_SOFTWARE_PRNG)
3089 #ifdef _CFG_CRYPTO_WITH_FORTUNA_PRNG
3090 int (*start)(prng_state *) = fortuna_start;
3091 int (*ready)(prng_state *) = fortuna_ready;
3092 unsigned long (*read)(unsigned char *, unsigned long, prng_state *) =
3095 int (*start)(prng_state *) = rc4_start;
3096 int (*ready)(prng_state *) = rc4_ready;
3097 unsigned long (*read)(unsigned char *, unsigned long, prng_state *) =
3101 if (!_tee_ltc_prng.inited) {
3102 if (start(&_tee_ltc_prng.state) != CRYPT_OK)
3103 return TEE_ERROR_BAD_STATE;
3104 if (ready(&_tee_ltc_prng.state) != CRYPT_OK)
3105 return TEE_ERROR_BAD_STATE;
3106 _tee_ltc_prng.inited = true;
3108 if (read(buffer, len, &_tee_ltc_prng.state) != len)
3109 return TEE_ERROR_BAD_STATE;
3114 return get_rng_array(buffer, len);