2 * Copyright (c) 2014, Linaro Limited
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 * POSSIBILITY OF SUCH DAMAGE.
30 #include <string_ext.h>
31 #include <utee_defines.h>
32 #include <tee/tee_cryp_utl.h>
33 #include <tee/tee_cryp_provider.h>
34 #include <kernel/tee_time.h>
35 #include <rng_support.h>
38 #if !defined(CFG_WITH_SOFTWARE_PRNG)
39 TEE_Result get_rng_array(void *buffer, int len)
41 char *buf_char = buffer;
46 return TEE_ERROR_BAD_PARAMETERS;
48 for (i = 0; i < len; i++)
49 buf_char[i] = hw_get_random_byte();
55 TEE_Result tee_hash_get_digest_size(uint32_t algo, size_t *size)
59 case TEE_ALG_HMAC_MD5:
60 *size = TEE_MD5_HASH_SIZE;
63 case TEE_ALG_HMAC_SHA1:
64 case TEE_ALG_DSA_SHA1:
65 *size = TEE_SHA1_HASH_SIZE;
68 case TEE_ALG_HMAC_SHA224:
69 case TEE_ALG_DSA_SHA224:
70 *size = TEE_SHA224_HASH_SIZE;
73 case TEE_ALG_HMAC_SHA256:
74 case TEE_ALG_DSA_SHA256:
75 *size = TEE_SHA256_HASH_SIZE;
78 case TEE_ALG_HMAC_SHA384:
79 *size = TEE_SHA384_HASH_SIZE;
82 case TEE_ALG_HMAC_SHA512:
83 *size = TEE_SHA512_HASH_SIZE;
86 return TEE_ERROR_NOT_SUPPORTED;
92 TEE_Result tee_hash_createdigest(uint32_t algo, const uint8_t *data,
93 size_t datalen, uint8_t *digest,
96 TEE_Result res = TEE_ERROR_BAD_STATE;
100 if (crypto_ops.hash.get_ctx_size == NULL ||
101 crypto_ops.hash.init == NULL ||
102 crypto_ops.hash.update == NULL ||
103 crypto_ops.hash.final == NULL)
104 return TEE_ERROR_NOT_IMPLEMENTED;
106 if (crypto_ops.hash.get_ctx_size(algo, &ctxsize) != TEE_SUCCESS) {
107 res = TEE_ERROR_NOT_SUPPORTED;
111 ctx = malloc(ctxsize);
113 res = TEE_ERROR_OUT_OF_MEMORY;
117 if (crypto_ops.hash.init(ctx, algo) != TEE_SUCCESS)
121 if (crypto_ops.hash.update(ctx, algo, data, datalen)
126 if (crypto_ops.hash.final(ctx, algo, digest, digestlen) != TEE_SUCCESS)
138 TEE_Result tee_mac_get_digest_size(uint32_t algo, size_t *size)
141 case TEE_ALG_HMAC_MD5:
142 case TEE_ALG_HMAC_SHA224:
143 case TEE_ALG_HMAC_SHA1:
144 case TEE_ALG_HMAC_SHA256:
145 case TEE_ALG_HMAC_SHA384:
146 case TEE_ALG_HMAC_SHA512:
147 return tee_hash_get_digest_size(algo, size);
148 case TEE_ALG_AES_CBC_MAC_NOPAD:
149 case TEE_ALG_AES_CBC_MAC_PKCS5:
150 case TEE_ALG_AES_CMAC:
151 *size = TEE_AES_BLOCK_SIZE;
153 case TEE_ALG_DES_CBC_MAC_NOPAD:
154 case TEE_ALG_DES_CBC_MAC_PKCS5:
155 case TEE_ALG_DES3_CBC_MAC_NOPAD:
156 case TEE_ALG_DES3_CBC_MAC_PKCS5:
157 *size = TEE_DES_BLOCK_SIZE;
160 return TEE_ERROR_NOT_SUPPORTED;
164 TEE_Result tee_cipher_get_block_size(uint32_t algo, size_t *size)
167 case TEE_ALG_AES_CBC_MAC_NOPAD:
168 case TEE_ALG_AES_CBC_MAC_PKCS5:
169 case TEE_ALG_AES_CMAC:
170 case TEE_ALG_AES_ECB_NOPAD:
171 case TEE_ALG_AES_CBC_NOPAD:
172 case TEE_ALG_AES_CTR:
173 case TEE_ALG_AES_CTS:
174 case TEE_ALG_AES_XTS:
175 case TEE_ALG_AES_CCM:
176 case TEE_ALG_AES_GCM:
180 case TEE_ALG_DES_CBC_MAC_NOPAD:
181 case TEE_ALG_DES_CBC_MAC_PKCS5:
182 case TEE_ALG_DES_ECB_NOPAD:
183 case TEE_ALG_DES_CBC_NOPAD:
184 case TEE_ALG_DES3_CBC_MAC_NOPAD:
185 case TEE_ALG_DES3_CBC_MAC_PKCS5:
186 case TEE_ALG_DES3_ECB_NOPAD:
187 case TEE_ALG_DES3_CBC_NOPAD:
192 return TEE_ERROR_NOT_SUPPORTED;
198 TEE_Result tee_do_cipher_update(void *ctx, uint32_t algo,
199 TEE_OperationMode mode, bool last_block,
200 const uint8_t *data, size_t len, uint8_t *dst)
205 if (mode != TEE_MODE_ENCRYPT && mode != TEE_MODE_DECRYPT)
206 return TEE_ERROR_BAD_PARAMETERS;
208 if (crypto_ops.cipher.update == NULL)
209 return TEE_ERROR_NOT_IMPLEMENTED;
211 * Check that the block contains the correct number of data, apart
212 * for the last block in some XTS / CTR / XTS mode
214 res = tee_cipher_get_block_size(algo, &block_size);
215 if (res != TEE_SUCCESS)
217 if ((len % block_size) != 0) {
219 return TEE_ERROR_BAD_PARAMETERS;
222 case TEE_ALG_AES_ECB_NOPAD:
223 case TEE_ALG_DES_ECB_NOPAD:
224 case TEE_ALG_DES3_ECB_NOPAD:
225 case TEE_ALG_AES_CBC_NOPAD:
226 case TEE_ALG_DES_CBC_NOPAD:
227 case TEE_ALG_DES3_CBC_NOPAD:
228 return TEE_ERROR_BAD_PARAMETERS;
230 case TEE_ALG_AES_CTR:
231 case TEE_ALG_AES_XTS:
232 case TEE_ALG_AES_CTS:
234 * These modes doesn't require padding for the last
237 * This isn't entirely true, both XTS and CTS can only
238 * encrypt minimum one block and also they need at least
239 * one complete block in the last update to finish the
240 * encryption. The algorithms are supposed to detect
241 * that, we're only making sure that all data fed up to
242 * that point consists of complete blocks.
247 return TEE_ERROR_NOT_SUPPORTED;
251 return crypto_ops.cipher.update(ctx, algo, mode, last_block, data, len,
256 * From http://en.wikipedia.org/wiki/Ciphertext_stealing
257 * CBC ciphertext stealing encryption using a standard
259 * 1. Pad the last partial plaintext block with 0.
260 * 2. Encrypt the whole padded plaintext using the
262 * 3. Swap the last two ciphertext blocks.
263 * 4. Truncate the ciphertext to the length of the
264 * original plaintext.
266 * CBC ciphertext stealing decryption using a standard
268 * 1. Dn = Decrypt (K, Cn-1). Decrypt the second to last
270 * 2. Cn = Cn || Tail (Dn, B-M). Pad the ciphertext to the
271 * nearest multiple of the block size using the last
272 * B-M bits of block cipher decryption of the
273 * second-to-last ciphertext block.
274 * 3. Swap the last two ciphertext blocks.
275 * 4. Decrypt the (modified) ciphertext using the standard
277 * 5. Truncate the plaintext to the length of the original
280 TEE_Result tee_aes_cbc_cts_update(void *cbc_ctx, void *ecb_ctx,
281 TEE_OperationMode mode, bool last_block,
282 const uint8_t *data, size_t len,
286 int nb_blocks, len_last_block, block_size = 16;
287 uint8_t tmp_block[64], tmp2_block[64];
290 return tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
291 mode, last_block, data, len, dst);
293 /* Compute the last block length and check constraints */
294 nb_blocks = ((len + block_size - 1) / block_size);
296 return TEE_ERROR_BAD_STATE;
297 len_last_block = len % block_size;
298 if (len_last_block == 0)
299 len_last_block = block_size;
301 if (mode == TEE_MODE_ENCRYPT) {
303 data + ((nb_blocks - 1) * block_size),
305 memset(tmp_block + len_last_block,
307 block_size - len_last_block);
309 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
311 (nb_blocks - 1) * block_size, dst);
312 if (res != TEE_SUCCESS)
315 memcpy(dst + (nb_blocks - 1) * block_size,
316 dst + (nb_blocks - 2) * block_size,
319 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
320 mode, 0, tmp_block, block_size,
321 dst + (nb_blocks - 2) * block_size);
322 if (res != TEE_SUCCESS)
325 /* 1. Decrypt the second to last ciphertext block */
326 res = tee_do_cipher_update(ecb_ctx, TEE_ALG_AES_ECB_NOPAD,
328 data + (nb_blocks - 2) * block_size,
329 block_size, tmp2_block);
330 if (res != TEE_SUCCESS)
333 /* 2. Cn = Cn || Tail (Dn, B-M) */
334 memcpy(tmp_block, data + ((nb_blocks - 1) * block_size),
336 memcpy(tmp_block + len_last_block, tmp2_block + len_last_block,
337 block_size - len_last_block);
339 /* 3. Swap the last two ciphertext blocks */
340 /* done by passing the correct buffers in step 4. */
342 /* 4. Decrypt the (modified) ciphertext */
344 res = tee_do_cipher_update(cbc_ctx,
345 TEE_ALG_AES_CBC_NOPAD, mode,
349 if (res != TEE_SUCCESS)
353 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
354 mode, 0, tmp_block, block_size,
356 ((nb_blocks - 2) * block_size));
357 if (res != TEE_SUCCESS)
360 res = tee_do_cipher_update(cbc_ctx, TEE_ALG_AES_CBC_NOPAD,
362 ((nb_blocks - 2) * block_size),
363 block_size, tmp_block);
364 if (res != TEE_SUCCESS)
367 /* 5. Truncate the plaintext */
368 memcpy(dst + (nb_blocks - 1) * block_size, tmp_block,
374 TEE_Result tee_prng_add_entropy(const uint8_t *in, size_t len)
376 if (crypto_ops.prng.add_entropy)
377 return crypto_ops.prng.add_entropy(in, len);
383 * Override this in your platform code to feed the PRNG platform-specific
384 * jitter entropy. This implementation does not efficiently deliver entropy
385 * and is here for backwards-compatibility.
387 __weak void plat_prng_add_jitter_entropy(void)
391 if (tee_time_get_sys_time(¤t) == TEE_SUCCESS)
392 tee_prng_add_entropy((uint8_t *)¤t, sizeof(current));
395 static TEE_Result tee_cryp_init(void)
398 return crypto_ops.init();
403 service_init(tee_cryp_init);