platform/core/security/key-manager.git
8 weeks ago Release 0.1.65 44/307244/1 accepted/tizen_8.0_unified accepted/tizen_unified accepted/tizen_unified_x tizen_8.0 accepted/tizen/8.0/unified/20240313.143417 accepted/tizen/unified/20240308.174021 accepted/tizen/unified/x/20240311.095938
Krzysztof Jackiewicz [Wed, 6 Mar 2024 09:08:49 +0000 (10:08 +0100)]
Release 0.1.65

* Exit with error when file lock is busy

Change-Id: Ic29fbe2543e4711c76c289cbc2a298f34af11f3a

8 weeks ago Exit with error when file lock is busy 37/307137/1
Krzysztof Jackiewicz [Tue, 5 Mar 2024 08:56:15 +0000 (09:56 +0100)]
Exit with error when file lock is busy

Change-Id: Iee78ef372a3315c8eedbf80b0579508edb1c3843

2 months ago Release 0.1.64 54/306454/1 accepted/tizen_unified_toolchain accepted/tizen/unified/20240222.012641 accepted/tizen/unified/toolchain/20240311.065524 accepted/tizen/unified/x/20240222.211043
Dariusz Michaluk [Wed, 21 Feb 2024 12:31:57 +0000 (13:31 +0100)]
Release 0.1.64

* Adjust openssl error handling to latest release
* Remove conditional statements from Native API headers

Change-Id: Ie0f9e216ce81aeec28e087476eea3112fd69208e

2 months ago Adjust openssl error handling to latest release 53/306453/1
Dariusz Michaluk [Wed, 21 Feb 2024 12:29:07 +0000 (13:29 +0100)]
Adjust openssl error handling to latest release

Change-Id: I90b63bb4610ef02904b4f048e0259f72ff39b6ef

4 months ago Remove conditional statements from Native API headers 51/302551/1
Krzysztof Malysa [Thu, 7 Dec 2023 15:03:09 +0000 (16:03 +0100)]
Remove conditional statements from Native API headers

Part of 9.0 Native API Public Header.

Change-Id: I960fc582ec9ccfa141a975054cb80911d2959294

5 months ago Release 0.1.63 65/301665/1
Krzysztof Jackiewicz [Tue, 21 Nov 2023 08:50:46 +0000 (09:50 +0100)]
Release 0.1.63

* Implement cpu inheritance

Change-Id: Ic642ea116ca2e55a7e7c6370cd026dd824239204

5 months ago Implement cpu inheritance 91/301491/3
Krzysztof Jackiewicz [Thu, 16 Nov 2023 21:42:25 +0000 (22:42 +0100)]
Implement cpu inheritance

Apply CPU boosting to server for high priority clients.

Change-Id: I6493362020eee6b43534166bc8442d5931cc450d

6 months ago Release 0.1.62 78/299878/1
Krzysztof Jackiewicz [Wed, 11 Oct 2023 09:00:43 +0000 (11:00 +0200)]
Release 0.1.62

* Serialize AES key size as int

Change-Id: I85df03b1a4fe60a70796a405c6400188719b20c0

6 months ago Serialize AES key size as int 31/299731/2
Krzysztof Jackiewicz [Mon, 9 Oct 2023 07:42:02 +0000 (09:42 +0200)]
Serialize AES key size as int

It was converted to size_t at some point which led to errors on 64-bit
architectures.

Change-Id: Id905e9b06219642355050cfdb5a69d2cb2162ee7

6 months ago Release 0.1.61 91/299491/1 accepted/tizen/8.0/unified/20231011.152833 accepted/tizen/unified/20231005.030712 tizen_8.0_m2_release
Krzysztof Jackiewicz [Tue, 3 Oct 2023 08:05:35 +0000 (10:05 +0200)]
Release 0.1.61

* Fix openssl3.0 migration code in sqlcipher

Change-Id: I5e19982b2b78362c5193ea1fd855a42d28d686db

6 months ago Fix openssl3.0 migration code in sqlcipher 90/299490/1
Krzysztof Jackiewicz [Tue, 3 Oct 2023 07:32:12 +0000 (09:32 +0200)]
Fix openssl3.0 migration code in sqlcipher

Calculate the string size using strlen.

Change-Id: I541b656995bdf4f0dada21e6b4b61f91360c8eee

6 months ago Release 0.1.60 82/299482/2 accepted/tizen/unified/20231004.100255
Krzysztof Jackiewicz [Mon, 2 Oct 2023 08:22:31 +0000 (10:22 +0200)]
Release 0.1.60

* Scheme tests fix
* Migrate to openssl3.0
* Fix AES GCM IV setting in KeyProvider

Change-Id: I133daec935c08e7dc0867357ae9a111fa95e7670

6 months ago Scheme tests fix 38/299438/4
Krzysztof Jackiewicz [Thu, 28 Sep 2023 09:42:26 +0000 (11:42 +0200)]
Scheme tests fix

Change-Id: I49b8fc6c24fde53e637e1431c2b49c9022249e66

6 months ago Migrate to openssl3.0 14/299214/12
Krzysztof Jackiewicz [Thu, 21 Sep 2023 10:41:17 +0000 (12:41 +0200)]
Migrate to openssl3.0

* Update RPM and CMake dependencies.
* Replace deprecated HMAC functions in sqlcipher.
* Update openssl error handling. We can't rely on function codes any
  more (all are 0 in openssl3.0).
* Adjust to argument constness changes.
* Get rid of FIPS_mode_set(). FIPS mode can be enabled in openssl
  configuration.
* Fix sk_X509_free visibility issue.
* Openssl3.0 does not allow X9.31 padding with raw messages (no digest).
  Update doc and tests accordingly.
* Handle new openssl errors.
* Ignore deprecation warnings.

Change-Id: I7dee7d3aa6e8b364553405202acde8f848621d4a

7 months ago Fix AES GCM IV setting in KeyProvider 51/299451/4
Krzysztof Jackiewicz [Fri, 29 Sep 2023 05:09:19 +0000 (07:09 +0200)]
Fix AES GCM IV setting in KeyProvider

The proper order of setting an IV of custom length in GCM is to first
pass the length and then the IV during both encryption and decryption.
The KeyProvider code was doing the opposite which resulted in
truncating the IV to 12B. In openssl3.0 the effect is somewhat
different but the output is also invalid.

Openssl silently ignores this issue, allowing the caller to call the
API in the wrong order and get invalid encryption/decryption results.

The issue was not detected until now because the IV truncation was
working the same way during encryption and decryption and no other
module besides key-manager was accessing the encrypted keys.

This commit modifies KeyProvider code in 2 ways:
* Modify encryption and decryption to set the IV length properly.
* If decryption fails retry it with IV truncated to 12B to handle data
  encrypted the old way.

Change-Id: I72e237b0842234d80579f3e93b5e1012a0613140

7 months ago Release 0.1.59 47/299347/1
Krzysztof Jackiewicz [Tue, 26 Sep 2023 08:33:44 +0000 (10:33 +0200)]
Release 0.1.59

* Implement hash selection in RSA OAEP
* Prevent using public key for decryption
* Specify the RSA OAEP encryption padding
* Check mandatory KBKDF params in TZ
* Fix key-wrapping documentation
* Adjust scheme tests to TZ

Change-Id: I08c3f15e53e569e6dcbdface9cde5f5411699847

7 months ago Implement hash selection in RSA OAEP 58/299258/6
Krzysztof Jackiewicz [Fri, 22 Sep 2023 09:34:00 +0000 (11:34 +0200)]
Implement hash selection in RSA OAEP

SW and TZ backend implementation
Unit-tests included

Change-Id: I6efd8a0477fe3137491c889d0c70eabc0d861097

7 months ago Prevent using public key for decryption 39/299139/2
Krzysztof Jackiewicz [Wed, 20 Sep 2023 10:57:56 +0000 (12:57 +0200)]
Prevent using public key for decryption

We could leave it for backends but since we have all the info, let's
fail early.

Change-Id: I7d3257370124ad19d423b859f380ce60f6da4d95

7 months ago Specify the RSA OAEP encryption padding 35/299135/2
Krzysztof Jackiewicz [Wed, 20 Sep 2023 09:52:25 +0000 (11:52 +0200)]
Specify the RSA OAEP encryption padding

Change-Id: I88abe53b11230121f594728abf64c0cf1c38895f

7 months ago Check mandatory KBKDF params in TZ 34/299134/2
Krzysztof Jackiewicz [Tue, 19 Sep 2023 12:56:06 +0000 (14:56 +0200)]
Check mandatory KBKDF params in TZ

Change-Id: I151207b55b1051ac3cc870c885a33b951331bc61

7 months ago Fix key-wrapping documentation 82/298682/1
Krzysztof Jackiewicz [Mon, 11 Sep 2023 12:03:30 +0000 (14:03 +0200)]
Fix key-wrapping documentation

Change-Id: I67d762c719e2fc1a7cae7f3537f69760fa9eef3f

8 months ago Adjust scheme tests to TZ 07/297207/2
Krzysztof Jackiewicz [Fri, 11 Aug 2023 11:29:45 +0000 (13:29 +0200)]
Adjust scheme tests to TZ

TZ does not support saving asymmetric keys with password.

Change-Id: Ia6ec92b610908a52079d2f22f32a9387237faee7

8 months ago Release 0.1.58 09/297509/1 accepted/tizen/6.5/unified/20230822.101627 accepted/tizen/7.0/unified/20230822.163532 accepted/tizen/8.0/unified/20231005.093640 accepted/tizen/unified/20230822.043339
Dongsun Lee [Mon, 21 Aug 2023 06:41:03 +0000 (15:41 +0900)]
Release 0.1.58

* Add compiler flags for build warnings
* Check RSA padding in TZ
* Check KBKDF parameters on key-manager side
* Pass password to CMD_GET_DATA_SIZE
* Pass public key curve info to TZ's ECDH
* Use default CTR length in TZ encryption

Change-Id: Ibe2928a9b18bba49764a9779eaed1712b9bf5b36

8 months ago Set initial values to remove build warnings 87/297487/1
Dongsun Lee [Mon, 21 Aug 2023 01:16:45 +0000 (10:16 +0900)]
Set initial values to remove build warnings

Change-Id: Icf793bed432aeb72de8471bd770feb9326450936

8 months ago Check RSA padding in TZ 36/297136/2
Krzysztof Jackiewicz [Thu, 10 Aug 2023 18:27:44 +0000 (20:27 +0200)]
Check RSA padding in TZ

The only supported padding method is PKCS1

Change-Id: I3cd769d68f67b3ee2afb959bca2e74db8e6295c4

8 months ago Check KBKDF parameters on key-manager side 62/297062/3
Krzysztof Jackiewicz [Wed, 9 Aug 2023 15:39:38 +0000 (17:39 +0200)]
Check KBKDF parameters on key-manager side

Change-Id: I1afb107d6fd286f5524561c1631ef65c2043f3c2

8 months ago Pass password to CMD_GET_DATA_SIZE 61/297061/2
Krzysztof Jackiewicz [Wed, 9 Aug 2023 15:31:21 +0000 (17:31 +0200)]
Pass password to CMD_GET_DATA_SIZE

In case of encrypted objects the password may be necessary to get the
actual size.

Change-Id: I5636325a8a120c0226ab5cc06ddef2aa05b96992

8 months ago Pass public key curve info to TZ's ECDH 60/297060/2
Krzysztof Jackiewicz [Wed, 9 Aug 2023 15:26:24 +0000 (17:26 +0200)]
Pass public key curve info to TZ's ECDH

This is needed to compare curve with private EC curve in TZ.

Change-Id: I5c42b7395683bd14c391415537e31efc3dcb6fc4

8 months ago Use default CTR length in TZ encryption 94/296994/2
Krzysztof Jackiewicz [Tue, 8 Aug 2023 15:00:00 +0000 (17:00 +0200)]
Use default CTR length in TZ encryption

According to API documentation the counter length parameter is optional.
TZ implementation should not assume its existence.

Change-Id: I89ef3b78e95f2a3a8c79688ee21c9d04a43a5116

8 months ago Release 0.1.57 76/296776/1 accepted/tizen/6.5/unified/20230809.042946 accepted/tizen/7.0/unified/20230808.172155 accepted/tizen/unified/20230808.170151
Krzysztof Jackiewicz [Fri, 4 Aug 2023 06:18:40 +0000 (08:18 +0200)]
Release 0.1.57

* Deserialize tags only if password was given
* Add context cleanup command for TZ
* Fix bugs during exporting a wrapped key
* Use default tag length for wrapping if not given
* Allow only symmetric key wrapping/unwrapping
* Add type parameter to "get" commands
* Call TA to get the max chunk size
* Pass key length to KBKDF in TZ backend
* Fix secret pwd passing in TZ backend KBKDF

Change-Id: Ia17f64eacf32400ef0f53c0d2cf82ceb1c07e45c

8 months ago Deserialize tags only if password was given 15/296715/1
Krzysztof Jackiewicz [Thu, 3 Aug 2023 08:55:48 +0000 (10:55 +0200)]
Deserialize tags only if password was given

Change-Id: I1c598e17740785e4bd49edc120b6844ebe65e88a

9 months ago Add context cleanup command for TZ 92/296592/1
Krzysztof Jackiewicz [Tue, 1 Aug 2023 13:26:47 +0000 (15:26 +0200)]
Add context cleanup command for TZ

If encryption fails and the "finalize" is not called the context will
not be removed on TA side. Fix it by adding a new command.

Change-Id: Id6bfb6821ba2c83565eb79d825fa98c096a346fc

9 months ago Fix bugs during exporting a wrapped key 97/296497/1
Dongsun Lee [Sat, 29 Jul 2023 07:26:10 +0000 (16:26 +0900)]
Fix bugs during exporting a wrapped key

- generous output size check
- enlarged encryption overhead for RSA
- use type of wrap to key

Change-Id: I64367edf00d58e67df62a682a05c58dae5e2327b

9 months ago Use default tag length for wrapping if not given 75/296475/1
Krzysztof Jackiewicz [Fri, 28 Jul 2023 11:13:19 +0000 (13:13 +0200)]
Use default tag length for wrapping if not given

Change-Id: I2ad6e13383621522af2de8500814f6d01868c828

9 months ago Allow only symmetric key wrapping/unwrapping 61/296261/2
Krzysztof Jackiewicz [Mon, 24 Jul 2023 10:59:40 +0000 (12:59 +0200)]
Allow only symmetric key wrapping/unwrapping

Change-Id: I36549b09d891d0d3e34667c71aa0294389441f76

9 months ago Add type parameter to "get" commands 59/296259/3
Krzysztof Jackiewicz [Mon, 24 Jul 2023 10:44:00 +0000 (12:44 +0200)]
Add type parameter to "get" commands

CMD_GET_DATA
CMD_GET_DATA_SIZE
CMD_EXPORT_WRAPPED_KEY

This may be necessary if data is encrypted.

Change-Id: Ie34d33c11e9c55958cb44adcb0bf5371c36e8a68

9 months ago Call TA to get the max chunk size 51/296251/4
Krzysztof Jackiewicz [Mon, 24 Jul 2023 09:42:18 +0000 (11:42 +0200)]
Call TA to get the max chunk size

Change-Id: Iec297646564b0a49d2966fcec1ec922bac1b7615

9 months ago Pass key length to KBKDF in TZ backend 50/296150/2
Krzysztof Jackiewicz [Thu, 20 Jul 2023 12:20:20 +0000 (14:20 +0200)]
Pass key length to KBKDF in TZ backend

Change-Id: I5cd90b8754b7aa89371e515ffac79cd35c9b5004

9 months ago Fix secret pwd passing in TZ backend KBKDF 49/296149/2
Krzysztof Jackiewicz [Thu, 20 Jul 2023 12:05:22 +0000 (14:05 +0200)]
Fix secret pwd passing in TZ backend KBKDF

Change-Id: I6f1a4d588a6a0679b88f967fdbc71b436329153f

9 months ago Release 0.1.56 72/295872/1 accepted/tizen/6.5/unified/20230717.164352 accepted/tizen/7.0/unified/20230717.162659 accepted/tizen/unified/20230718.162136
Krzysztof Jackiewicz [Fri, 14 Jul 2023 12:39:59 +0000 (14:39 +0200)]
Release 0.1.56

* Documentation fixes
* Retrieve TZ raw key data only when needed
* Reserve enough space for GCM tag in TZ backend
* Use proper memory type in TZ backend's addGcmAAD()

Change-Id: I38b89ee3a76a62420f148a2dd836d7ffe1d1072d

9 months ago Documentation fixes 54/295754/1
Krzysztof Jackiewicz [Thu, 13 Jul 2023 07:55:15 +0000 (09:55 +0200)]
Documentation fixes

* Do not use @see inside other tags
* Add missing parenthesis

Change-Id: I4b7492eb410c6f510b6848689faf622dd0b8dc5b

9 months ago Retrieve TZ raw key data only when needed 84/295684/1
Krzysztof Jackiewicz [Wed, 12 Jul 2023 08:59:31 +0000 (10:59 +0200)]
Retrieve TZ raw key data only when needed

Change-Id: Ia1ef537b9696e39c53c1f4972f96ead4cb0fb81a

9 months ago Reserve enough space for GCM tag in TZ backend 51/295651/2
Krzysztof Jackiewicz [Wed, 12 Jul 2023 06:58:38 +0000 (08:58 +0200)]
Reserve enough space for GCM tag in TZ backend

Change-Id: I36f9718cfdc37f7fdac1e47fc056aeaabdeee242

9 months ago Use proper memory type in TZ backend's addGcmAAD() 02/295602/2
Krzysztof Jackiewicz [Tue, 11 Jul 2023 11:05:27 +0000 (13:05 +0200)]
Use proper memory type in TZ backend's addGcmAAD()

We need TEEC_VALUE_INOUT to properly read the return code from
op.params[0].value.a.

Change-Id: I95eb5fd757f9e3235bb855269dd0a804ac7bb135

9 months ago Release 0.1.55 96/295596/2 accepted/tizen_unified_dev accepted/tizen/unified/dev/20230726.115846
Krzysztof Jackiewicz [Tue, 11 Jul 2023 10:07:18 +0000 (12:07 +0200)]
Release 0.1.55

* Fix TZ backend issues
* Fixed the build error using gcc 13
* Modify decider logic
* Allow EC keys to be imported to TZ backend

Change-Id: I409287a6d1b9f14deb34041dcce904bcbb43f7ba

9 months ago Fix TZ backend issues 48/295548/2
Krzysztof Jackiewicz [Mon, 10 Jul 2023 15:31:33 +0000 (17:31 +0200)]
Fix TZ backend issues

* Add missing namespaces
* Include ctx.cpp in TZ source list
* Add missing operation id to internal TZ calls

Change-Id: I59e71b7af5a1c418f797e7d915b8a9d1fc456edf

9 months ago Fixed the build error using gcc 13 08/295208/4
wchang kim [Mon, 3 Jul 2023 23:06:34 +0000 (08:06 +0900)]
Fixed the build error using gcc 13

Change-Id: I716b3be00e9e2015591af34b33031726fa1b5969

9 months ago Modify decider logic 99/295199/3
Krzysztof Jackiewicz [Mon, 3 Jul 2023 11:59:21 +0000 (13:59 +0200)]
Modify decider logic

Allow importing of all types of asymmetric keys to TZ backend.

Add unit-test

Change-Id: Iebbd0d5f37b4568b8c2473cdfe178d1ddad85a86

9 months ago Allow EC keys to be imported to TZ backend 98/295198/2
Krzysztof Jackiewicz [Mon, 3 Jul 2023 12:32:23 +0000 (14:32 +0200)]
Allow EC keys to be imported to TZ backend

Change-Id: I54ab75a7d30817aea1054fd13b81f2519d0bdc13

10 months ago Release 0.1.54 93/294993/1 accepted/tizen/6.0/unified/20230630.050042 accepted/tizen/6.5/unified/20230719.174754 accepted/tizen/7.0/unified/20230630.105250 accepted/tizen/unified/20230630.124050
Krzysztof Jackiewicz [Thu, 29 Jun 2023 08:32:17 +0000 (10:32 +0200)]
Release 0.1.54

* Implement public key extraction in TZ backend
* add ALGO_ECDSA_SV to MAX_KEY_SIZE in tz_backend
* Return proper error for wrong wrapped key type
* Update ckmc_import_wrapped_key description
* Add missing exception guard to C++ API
* Simplify serialization calls
* Fix wrong function name in the documentation
* Fix typo in ckmc-manager.h
* Enable -Wshadow and fix warnings

Change-Id: I1009a607df537d843cc59fa8148f4912262480cc

10 months ago Implement public key extraction in TZ backend 97/294897/3
Krzysztof Jackiewicz [Wed, 28 Jun 2023 08:21:21 +0000 (10:21 +0200)]
Implement public key extraction in TZ backend

Public keys are not secrets and there are scenarios like ECDH when they
have to be extracted in raw form. Exportability logic still applies.

* Separate the object id and the raw data in TZ backend objects.
* Rename function arguments to make their meaning more adequate.
* Use object id when making operations using given key or binary data.
* Return raw data only to CKMLogic via getBinary() method.
* Make getBinary() return an empty buffer for private and symmetric keys.
* Move m_type to AKey where it's used.

Change-Id: Idf6db51387d98f6560f0da18e2fc1d9bbc3abc4f

10 months ago add ALGO_ECDSA_SV to MAX_KEY_SIZE in tz_backend 70/294970/2
Dongsun Lee [Thu, 29 Jun 2023 07:42:00 +0000 (16:42 +0900)]
add ALGO_ECDSA_SV to MAX_KEY_SIZE in tz_backend

Change-Id: I484312a778a8587d3197132e5182af8b842646ce

10 months ago Return proper error for wrong wrapped key type 53/294853/1
Krzysztof Jackiewicz [Tue, 27 Jun 2023 15:00:29 +0000 (17:00 +0200)]
Return proper error for wrong wrapped key type

Change-Id: I72e888e9808865c9ac3178ec8821dbf79aad9fd5

10 months ago Update ckmc_import_wrapped_key description 47/294847/1
Krzysztof Jackiewicz [Tue, 27 Jun 2023 11:39:48 +0000 (13:39 +0200)]
Update ckmc_import_wrapped_key description

The remark allows passing a wrapped key without any type letting the
backend autodetect it. Current implementation in SW backend does not
support it. In case of TZ backend such autodetection would unnecessarily
complicate the code.

Since the feature is not actually needed, the value CKMC_KEY_NONE option
will be forbidden from now on.

Change-Id: I2396d03bd28b0eeef0a1e922029808061beb71c8

10 months ago Add missing exception guard to C++ API 55/294655/1
Krzysztof Jackiewicz [Thu, 22 Jun 2023 09:04:18 +0000 (11:04 +0200)]
Add missing exception guard to C++ API

Change-Id: Ie9164be51dbea8cf8b6f1524808fbb8841c2f2bf

10 months ago Simplify serialization calls 19/294619/2
Krzysztof Jackiewicz [Tue, 13 Jun 2023 14:47:07 +0000 (16:47 +0200)]
Simplify serialization calls

Remove unnecessary casts and use type deduction.

Change-Id: I88d8ae4b8060a509984a6883289c4bb05a9c1015

10 months ago Fix wrong function name in the documentation 20/294620/1
Krzysztof Jackiewicz [Wed, 21 Jun 2023 18:50:26 +0000 (20:50 +0200)]
Fix wrong function name in the documentation

Change-Id: Ib83d88de1d17bd32b86cd7c99b5dd12247d0aaf8

10 months ago Fix typo in ckmc-manager.h 15/294615/1
Krzysztof Jackiewicz [Wed, 21 Jun 2023 15:16:19 +0000 (17:16 +0200)]
Fix typo in ckmc-manager.h

Change-Id: I76c95dcf4c32f3fc70abea680f757edd45676c07

10 months ago Enable -Wshadow and fix warnings 23/294523/4
Krzysztof Jackiewicz [Tue, 20 Jun 2023 15:52:03 +0000 (17:52 +0200)]
Enable -Wshadow and fix warnings

The flag is used in products and our code causes warnings/errors. Fix
existing code and enable the flag to detect possible errors in future.

Change-Id: I830696231f9a6f1b80d390f7bf3df4fff1814691

10 months ago Release 0.1.53 19/294219/1 accepted/tizen/6.0/unified/20230621.004733 accepted/tizen/6.5/unified/20230621.125855 accepted/tizen/7.0/unified/20230620.164235 accepted/tizen/unified/20230621.023228
Krzysztof Jackiewicz [Wed, 14 Jun 2023 10:33:41 +0000 (12:33 +0200)]
Release 0.1.53

* Add few remarks regarding chunk size limits
* Cipher API implementation in TZ backend
* Backend info API implementation
* Alias info refactoring
* Extend E2EE API support back to 6.0
* Refactor serialization code
* Cipher API unit tests
* Cipher API implementation (server part)
* Cipher API implementation (backend part)
* Cipher API implementation (client part)
* Drop all encryption requests upon disconnection
* Update cipher api description
* Improve AAD and GCM tag handling in cipher API
* Update ckmc_generate_new_params with new algorithms
* Allow generating unexportable binary data in TZ
* Add missing KBKDF params in TZ backend
* Workaround for GCM IV length issue
* Fix GCM IV length setting
* Test proper GCM IV length handling
* Rename DataType::isSKey
* Fix backend selection logic
* Fix default value for KBKDF LLEN parameter
* Backend info API
* Multi-stage encryption API
* Fix ckmc_key_derive API description

Change-Id: If9bfbaa1fe5169412441660df3bb1a055d22ce2a

10 months ago Merge branch e2ee into tizen 18/294218/1
Krzysztof Jackiewicz [Wed, 14 Jun 2023 10:30:49 +0000 (12:30 +0200)]
Merge branch e2ee into tizen

Change-Id: I856e57b604e87582948e250929817fd3b7c0dd8b

10 months ago Add few remarks regarding chunk size limits 15/294215/1 e2ee
Krzysztof Jackiewicz [Wed, 14 Jun 2023 10:07:09 +0000 (12:07 +0200)]
Add few remarks regarding chunk size limits

Mention the possibility of backend imposing limits on the size of
processed data in all places where it may happen.

Change-Id: Id828f15b8692859a1efad015dcb3692c9c29432e

10 months ago Cipher API implementation in TZ backend 06/294006/5
Krzysztof Jackiewicz [Fri, 9 Jun 2023 08:51:08 +0000 (10:51 +0200)]
Cipher API implementation in TZ backend

Change-Id: I2510dfb8f7e1722ee300edce6e983075a0c5303a

10 months ago Backend info API implementation 91/293891/6
Krzysztof Jackiewicz [Wed, 7 Jun 2023 11:19:02 +0000 (13:19 +0200)]
Backend info API implementation

Change-Id: Ib47c16bf5d2255c71d538b9e1009cb54b8f842ba

10 months ago Alias info refactoring 74/293874/5
Krzysztof Jackiewicz [Fri, 26 May 2023 13:00:58 +0000 (15:00 +0200)]
Alias info refactoring

To extract alias backend information, the current structures and
mechanisms meant for alias & password protection status extraction have
to be modified as follows:
* Modify 'join_all_tables' view in db to include 'backendId' and other
  columns from OBJECTS table. It also requires a db version bump and a
  migration script
* Modify db query that lists aliases to include 'backendId'.
* Move AliasSupport to common library so it can be used in DBCrypto.
* Replace OwnerNameVector and OwnerNameEncryptionStatusVector with a
  vector of AliasInfo structures.
* Add AliasInfoSerializableVector wrapper to allow AliasInfo
  (de)serialization.
* Modify client to get password protection status during
  ckmc_alias_info_is_password_protected() instead of checking all
  accessible aliases one by one.
* Modify client to get aliases from AliasInfo vector when other info is
  not required.
* Update unit-tests

Change-Id: Ic6741f7329afe858d561cab89d9616a53327a6bd

10 months ago Extend E2EE API support back to 6.0 85/293885/2
Krzysztof Jackiewicz [Wed, 7 Jun 2023 08:32:58 +0000 (10:32 +0200)]
Extend E2EE API support back to 6.0

Change-Id: I7aff7fb9a35fa26804303a11a4cf0a8c03fb287c

10 months ago Refactor serialization code 73/293873/1
Krzysztof Jackiewicz [Mon, 5 Jun 2023 12:36:55 +0000 (14:36 +0200)]
Refactor serialization code

* Remove unused overloads (pointers, stl).
* Unify primitive types (de)serialization.
* Modify Serializable interface to allow passing an existing object.
* Update serialization wrappers' implementations and move them to cpp.

Change-Id: I498f9dd9cca570a1a7eb424fb481d07a1297a279

10 months ago Release 0.1.52 71/293871/1 accepted/tizen/6.0/unified/20230612.054110 accepted/tizen/6.5/unified/20230612.123202 accepted/tizen/7.0/unified/20230608.164752 accepted/tizen/unified/20230608.164342
Krzysztof Jackiewicz [Wed, 7 Jun 2023 08:36:57 +0000 (10:36 +0200)]
Release 0.1.52

* Extend E2EE API support back to 6.0

Change-Id: I6f05c59bdbaf7c34b6c71ffbfb1eeea3687abab4

10 months ago Extend E2EE API support back to 6.0 70/293870/1
Krzysztof Jackiewicz [Wed, 7 Jun 2023 08:32:58 +0000 (10:32 +0200)]
Extend E2EE API support back to 6.0

Change-Id: I7aff7fb9a35fa26804303a11a4cf0a8c03fb287c

10 months ago Cipher API unit tests 59/292959/7
Krzysztof Jackiewicz [Wed, 17 May 2023 16:01:32 +0000 (18:01 +0200)]
Cipher API unit tests

Change-Id: I9ef5e3db62a36043d6b5691a0aaff5ce7236c302

10 months ago Cipher API implementation (server part) 45/292645/9
Krzysztof Jackiewicz [Fri, 5 May 2023 08:37:23 +0000 (10:37 +0200)]
Cipher API implementation (server part)

Change-Id: Ie4a9c50378d461e659401829863bbe32cf67f305

10 months ago Cipher API implementation (backend part) 11/292711/8
Krzysztof Jackiewicz [Thu, 11 May 2023 12:32:56 +0000 (14:32 +0200)]
Cipher API implementation (backend part)

Change-Id: I7d2e5ef36a539a34f7e93a7fd9c16c90534d6aad

10 months ago Cipher API implementation (client part) 53/292053/9
Krzysztof Jackiewicz [Wed, 26 Apr 2023 21:11:33 +0000 (23:11 +0200)]
Cipher API implementation (client part)

Change-Id: I191f606819ae306f570fe538674f943e336ec86f

10 months ago Drop all encryption requests upon disconnection 51/292951/7
Krzysztof Jackiewicz [Wed, 17 May 2023 12:35:13 +0000 (14:35 +0200)]
Drop all encryption requests upon disconnection

If client disconnects before finishing the request the request should
be removed from the map.

Change-Id: I7bb0fa71b12f0a07bac5e62e5191bd9729829bfe

10 months ago Update cipher api description 41/293341/2
Krzysztof Jackiewicz [Wed, 24 May 2023 09:02:48 +0000 (11:02 +0200)]
Update cipher api description

Encryption may return an empty buffer. Specify the return value in such
case.

Change-Id: Iabcbe30dc002d4dc7eb932fdbd5418263488ba2a

10 months ago Improve AAD and GCM tag handling in cipher API 47/292947/6
Krzysztof Jackiewicz [Mon, 15 May 2023 12:44:43 +0000 (14:44 +0200)]
Improve AAD and GCM tag handling in cipher API

* AAD may also be a subject of backend chunk size limitation. Allow
  calling ckmc_cipher_init multiple times to provide consecutive AAD
  portions.
* When encrypted data is split into chunks there's no way to locate
  the trailing GCM tag part. Add optional buffer argument to
  ckmc_cipher_finalize() to allow passing the tag explicitly. This
  function will also return the tag in the output buffer during
  encryption.

Change-Id: Ic9ddb86e294f8180fb44327c1f4ac4f4650b3e4c

10 months ago Update ckmc_generate_new_params with new algorithms 37/293037/6
Krzysztof Jackiewicz [Thu, 18 May 2023 10:16:03 +0000 (12:16 +0200)]
Update ckmc_generate_new_params with new algorithms

Change-Id: I094372d55a89a9fe5b7c212bd8c2e2dc7e325c11

10 months ago Allow generating unexportable binary data in TZ 05/293205/4
Krzysztof Jackiewicz [Mon, 22 May 2023 20:12:35 +0000 (22:12 +0200)]
Allow generating unexportable binary data in TZ

TZ backend already supports importing exportable binary data. Follow
the same rule for secret derivation and allow storing an exportable
secret (binary data), derived from TZ key, in TZ.

Change-Id: I61d202469a3df43e5f35746a0c09ca179d823336

10 months ago Add missing KBKDF params in TZ backend 41/293041/6
Krzysztof Jackiewicz [Thu, 18 May 2023 11:50:04 +0000 (13:50 +0200)]
Add missing KBKDF params in TZ backend

Change-Id: I4cadca649889190c30868c55a2e91c9f49252d84

10 months ago Workaround for GCM IV length issue 71/293271/3
Krzysztof Jackiewicz [Tue, 23 May 2023 09:07:23 +0000 (11:07 +0200)]
Workaround for GCM IV length issue

GCM implementation was ignoring IV bytes except first 12B. The issue has
been fixed but we need to support the decryption of the data encrypted
the old way.

This workaround retries the decryption with an IV truncated to 12B if
the decryption with original IV length fails.

Unit-test included.

Change-Id: Ia1c06d9a7c6f3b75a69c2e1cb3e5f0801776e057

10 months ago Fix GCM IV length setting 04/293204/4
Krzysztof Jackiewicz [Mon, 22 May 2023 19:29:17 +0000 (21:29 +0200)]
Fix GCM IV length setting

IV length was not properly set in case of GCM. The default 12B IV was
used at all times.

GCM supports 1 to 2^64-1 byte long IVs. Reflect it in the SW backend
implementation, its tests and client API description.

Change-Id: Idfa18c1c3cfd06de6618b4ac7632133ace6ab8dc

11 months ago Test proper GCM IV length handling 70/293270/2
Krzysztof Jackiewicz [Tue, 23 May 2023 06:45:16 +0000 (08:45 +0200)]
Test proper GCM IV length handling

GCM implementation was using only the first 12B of IV regardless of its
actual length. This modification makes the test check if the remaining
bytes of the IV are ignored.

Change-Id: I94281747bbe9363854484844fa038ae9bcd47a19
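
The IV handling described in the GCM commits on this page ("Fix AES GCM IV setting in KeyProvider", "Fix GCM IV length setting", "Workaround for GCM IV length issue"), as an added example that is not key-manager code. It uses Go's standard-library AES-GCM instead of OpenSSL, and the function names, key, IV and message are constructed for illustration; it shows that a 16-byte IV and its 12-byte truncation give different ciphertexts, and a decrypt path that retries with the truncated IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// legacyIVLen is the number of IV bytes the old code effectively used.
const legacyIVLen = 12

// newGCM builds AES-GCM for an explicit IV length, so the length is fixed
// before any IV bytes are supplied (the order the commits describe).
func newGCM(key []byte, ivLen int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, ivLen)
}

// Seal encrypts using every byte of iv (the corrected behaviour).
// The result is ciphertext followed by the 16-byte GCM tag.
func Seal(key, iv, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key, len(iv))
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, iv, plaintext, aad), nil
}

// SealLegacy models the old behaviour: only the first 12 bytes of iv count.
func SealLegacy(key, iv, plaintext, aad []byte) ([]byte, error) {
	if len(iv) < legacyIVLen {
		return nil, errors.New("iv shorter than 12 bytes")
	}
	return Seal(key, iv[:legacyIVLen], plaintext, aad)
}

// Open decrypts with the full IV first. If authentication fails and the IV
// is longer than 12 bytes, it retries with the IV truncated to 12 bytes.
// The bool result reports whether the legacy path was the one that worked.
func Open(key, iv, sealed, aad []byte) ([]byte, bool, error) {
	aead, err := newGCM(key, len(iv))
	if err != nil {
		return nil, false, err
	}
	pt, err := aead.Open(nil, iv, sealed, aad)
	if err == nil {
		return pt, false, nil
	}
	if len(iv) <= legacyIVLen {
		return nil, false, err // nothing to truncate: a genuine failure
	}
	old, oerr := newGCM(key, legacyIVLen)
	if oerr != nil {
		return nil, false, oerr
	}
	pt, err = old.Open(nil, iv[:legacyIVLen], sealed, aad)
	if err != nil {
		return nil, false, err // fails under both interpretations
	}
	return pt, true, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed sample key
	iv := []byte("0123456789abcdef")      // constructed 16-byte IV
	msg := []byte("constructed key blob") // constructed sample plaintext

	fixed, _ := Seal(key, iv, msg, nil)
	old, _ := SealLegacy(key, iv, msg, nil)
	fmt.Println("outputs differ:", !bytes.Equal(fixed, old))

	for _, blob := range [][]byte{fixed, old} {
		pt, legacy, err := Open(key, iv, blob, nil)
		fmt.Printf("plaintext=%q legacy=%v err=%v\n", pt, legacy, err)
	}
}
```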

11 months ago Rename DataType::isSKey 43/293043/1
Krzysztof Jackiewicz [Thu, 18 May 2023 12:50:41 +0000 (14:50 +0200)]
Rename DataType::isSKey

Change-Id: I59e553cbf067baf3ad7209e07e5376b6601c5a6a

11 months ago Fix backend selection logic 87/292887/2
Krzysztof Jackiewicz [Tue, 16 May 2023 13:35:30 +0000 (15:35 +0200)]
Fix backend selection logic

In some cases the backend selection was not working properly:
- Key derivation, wrapped key import: the backend compatibility was not
  checked at all. This resulted in a possibility of saving an exportable
  key in TZ backend which normally is not allowed.
- Encrypted initial values could have been imported to incompatible SW
  backend if the TZ backend fails to initialize or the SW backend is
  forced.

The Decider API was also unclear and different policies were in force
depending on the use case.

This commit introduces the following changes:
* Keep the policy in a single place.
* Return a prioritized list of backends compatible with given use case.
* Add backend check to key derivation and wrapped key import.
* Do not assume SW backend is suitable for all cases.
* Handle illegal cases by returning empty list of compatible backends.

Change-Id: I2d5dbbb3c4ba9385ac756eb419f95ac877cdd532

11 months ago Fix default value for KBKDF LLEN parameter 76/292476/1
Krzysztof Jackiewicz [Mon, 8 May 2023 18:43:51 +0000 (20:43 +0200)]
Fix default value for KBKDF LLEN parameter

Change the default value of CKMC_PARAM_KBKDF_LLEN from 0 to 32
according to API description.

Change-Id: I972d95227b047394c5f59addc9242d43c9c68be7

11 months ago Backend info API 35/292135/9
Krzysztof Jackiewicz [Thu, 27 Apr 2023 09:33:20 +0000 (11:33 +0200)]
Backend info API

New API:
- getting backend associated with given object
- getting backend information for given backend
- getting max encryption chunk size from backend information

Change-Id: I8c66e623ba49ebda0a9fad28dcb3b48bd21b175f

11 months ago Multi-stage encryption API 38/292038/6
Krzysztof Jackiewicz [Wed, 26 Apr 2023 10:17:14 +0000 (12:17 +0200)]
Multi-stage encryption API

Change-Id: If56a367a40f1ca3a6d4dcebfbb38543c7ec44fd5

11 months ago Fix ckmc_key_derive API description 07/292407/2
Krzysztof Jackiewicz [Fri, 5 May 2023 12:38:16 +0000 (14:38 +0200)]
Fix ckmc_key_derive API description

Describe input and output key/secret types in detail.

Change-Id: I1f82fe45f4a8b5145b7236b9b8d5db998959b1ed

12 months ago Release 0.1.51 58/291558/1 accepted/tizen/6.5/unified/20230503.104230 accepted/tizen/6.5/unified/20230517.090747 accepted/tizen/7.0/unified/20230424.020458 accepted/tizen/unified/20230419.044942
Krzysztof Jackiewicz [Tue, 18 Apr 2023 09:08:24 +0000 (11:08 +0200)]
Release 0.1.51

* Unify variable naming in key export
* Fix documentation issues in E2EE API
* Fix documentation issues

Change-Id: I211ecfb0a2fa8fb705fc355158e17e5cd9021356

12 months ago Unify variable naming in key export 89/291489/2
Krzysztof Jackiewicz [Mon, 17 Apr 2023 10:01:09 +0000 (12:01 +0200)]
Unify variable naming in key export

Change-Id: Ic89b6105e420b9eceb93e9e6bdf112c4de3c1a65

12 months ago Fix documentation issues in E2EE API 43/291043/6
Krzysztof Jackiewicz [Thu, 6 Apr 2023 13:41:12 +0000 (15:41 +0200)]
Fix documentation issues in E2EE API

* Issues raised by check-header.py (see:
  https://github.sec.samsung.net/RPO7-TIZEN/tizen-native-api-review-script)
* Other issues raised during ACR.
* Own initiative cleanup.

Changes done separately to simplify ACR review.

Change-Id: I346b979cd16f1cda8a0fd970ae38f7db7bb093d7

12 months ago Fix documentation issues 42/291042/5
Krzysztof Jackiewicz [Thu, 6 Apr 2023 14:37:45 +0000 (16:37 +0200)]
Fix documentation issues

* Issues raised by check-header.py (see:
  https://github.sec.samsung.net/RPO7-TIZEN/tizen-native-api-review-script)
* Other issues raised during ACR.
* Own initiative cleanup.

Change-Id: If38c6477ecb782e12651766bd2ef344ccaae1e84

12 months ago Release 0.1.50 89/290889/2 accepted/tizen/unified/20230406.165733
Krzysztof Jackiewicz [Tue, 4 Apr 2023 13:18:42 +0000 (15:18 +0200)]
Release 0.1.50

* Fix svace/coverity issues

Change-Id: I618080688b381fd110248331f615fce26cc30b30

12 months ago Fix svace/coverity issues 15/290815/3
Krzysztof Jackiewicz [Mon, 3 Apr 2023 15:46:07 +0000 (17:46 +0200)]
Fix svace/coverity issues

Change-Id: I681fd80cddf5f56bc99b35546940e111d29a5311

12 months ago Release 0.1.49 78/290778/1
Tomasz Swierczek [Mon, 3 Apr 2023 05:47:41 +0000 (07:47 +0200)]
Release 0.1.49

* Fix build for 64-bit architectures

Change-Id: Ib0e29f479d86f012872a25388d927a4c37f77e26

12 months ago Fix build for 64-bit architectures. 77/290777/1
Tomasz Swierczek [Mon, 3 Apr 2023 05:41:27 +0000 (07:41 +0200)]
Fix build for 64-bit architectures.

Change-Id: I5d658ee32d7d631145ea759c8bb3cb72b13359cd

13 months ago Release 0.1.48 52/290752/1
Krzysztof Jackiewicz [Fri, 31 Mar 2023 12:50:02 +0000 (14:50 +0200)]
Release 0.1.48

* E2EE implementation

Change-Id: Id51fe9009dbc7ef78322274415153df855dde8ea

13 months ago Merge branch 'e2ee' into 'tizen' 51/290751/1
Krzysztof Jackiewicz [Fri, 31 Mar 2023 12:44:54 +0000 (14:44 +0200)]
Merge branch 'e2ee' into 'tizen'

Change-Id: I61dd5bf5a3d73b766e4d4f126783f8ded90a6f62

13 months ago Key wrapping implementation in TZ backend 48/290448/11
Krzysztof Jackiewicz [Thu, 23 Mar 2023 08:21:05 +0000 (09:21 +0100)]
Key wrapping implementation in TZ backend

Change-Id: I3d33a0b41e8eb4b58706a32fb298b0476a0525cc

13 months ago Key unwrapping implementation in TZ backend 45/290445/11
Krzysztof Jackiewicz [Wed, 22 Mar 2023 08:48:31 +0000 (09:48 +0100)]
Key unwrapping implementation in TZ backend

Change-Id: I1ada1788c7f436b9cdd22cc7734eb3ab0159c544