1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2014-2019, Linaro Limited
4 */
5
6 #include <config.h>
7 #include <crypto/crypto_impl.h>
8 #include <stdlib.h>
9 #include <string.h>
10 #include <tee_api_types.h>
11 #include <trace.h>
12 #include <utee_defines.h>
13
14 #include "acipher_helpers.h"
15
_ltc_ecc_free_public_key(struct ecc_public_key * s)16 static void _ltc_ecc_free_public_key(struct ecc_public_key *s)
17 {
18 if (!s)
19 return;
20
21 crypto_bignum_free(s->x);
22 crypto_bignum_free(s->y);
23 }
24
25 /*
26 * For a given TEE @curve, return key size and LTC curve name. Also check that
27 * @algo is compatible with this curve.
28 * @curve: TEE_ECC_CURVE_NIST_P192, ...
29 * @algo: TEE_ALG_ECDSA_P192, ...
30 */
ecc_get_curve_info(uint32_t curve,uint32_t algo,size_t * key_size_bytes,size_t * key_size_bits,const char ** curve_name)31 static TEE_Result ecc_get_curve_info(uint32_t curve, uint32_t algo,
32 size_t *key_size_bytes,
33 size_t *key_size_bits,
34 const char **curve_name)
35 {
36 size_t size_bytes = 0;
37 size_t size_bits = 0;
38 const char *name = NULL;
39
40 /*
41 * Excerpt of libtomcrypt documentation:
42 * ecc_make_key(... key_size ...): The keysize is the size of the
43 * modulus in bytes desired. Currently directly supported values
44 * are 12, 16, 20, 24, 28, 32, 48, and 65 bytes which correspond
45 * to key sizes of 112, 128, 160, 192, 224, 256, 384, and 521 bits
46 * respectively.
47 */
48
49 /*
50 * Note GPv1.1 indicates TEE_ALG_ECDH_NIST_P192_DERIVE_SHARED_SECRET
51 * but defines TEE_ALG_ECDH_P192
52 */
53
54 switch (curve) {
55 case TEE_ECC_CURVE_NIST_P192:
56 size_bits = 192;
57 size_bytes = 24;
58 name = "NISTP192";
59 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P192) &&
60 (algo != TEE_ALG_ECDH_P192))
61 return TEE_ERROR_BAD_PARAMETERS;
62 break;
63 case TEE_ECC_CURVE_NIST_P224:
64 size_bits = 224;
65 size_bytes = 28;
66 name = "NISTP224";
67 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P224) &&
68 (algo != TEE_ALG_ECDH_P224))
69 return TEE_ERROR_BAD_PARAMETERS;
70 break;
71 case TEE_ECC_CURVE_NIST_P256:
72 size_bits = 256;
73 size_bytes = 32;
74 name = "NISTP256";
75 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P256) &&
76 (algo != TEE_ALG_ECDH_P256))
77 return TEE_ERROR_BAD_PARAMETERS;
78 break;
79 case TEE_ECC_CURVE_NIST_P384:
80 size_bits = 384;
81 size_bytes = 48;
82 name = "NISTP384";
83 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P384) &&
84 (algo != TEE_ALG_ECDH_P384))
85 return TEE_ERROR_BAD_PARAMETERS;
86 break;
87 case TEE_ECC_CURVE_NIST_P521:
88 size_bits = 521;
89 size_bytes = 66;
90 name = "NISTP521";
91 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P521) &&
92 (algo != TEE_ALG_ECDH_P521))
93 return TEE_ERROR_BAD_PARAMETERS;
94 break;
95 case TEE_ECC_CURVE_SM2:
96 size_bits = 256;
97 size_bytes = 32;
98 name = "SM2";
99 if ((algo != 0) && (algo != TEE_ALG_SM2_PKE) &&
100 (algo != TEE_ALG_SM2_DSA_SM3) &&
101 (algo != TEE_ALG_SM2_KEP))
102 return TEE_ERROR_BAD_PARAMETERS;
103 break;
104 default:
105 return TEE_ERROR_NOT_SUPPORTED;
106 }
107
108 if (key_size_bytes)
109 *key_size_bytes = size_bytes;
110 if (key_size_bits)
111 *key_size_bits = size_bits;
112 if (curve_name)
113 *curve_name = name;
114 return TEE_SUCCESS;
115 }
116
_ltc_ecc_generate_keypair(struct ecc_keypair * key,size_t key_size)117 static TEE_Result _ltc_ecc_generate_keypair(struct ecc_keypair *key,
118 size_t key_size)
119 {
120 TEE_Result res;
121 ecc_key ltc_tmp_key;
122 int ltc_res;
123 size_t key_size_bytes = 0;
124 size_t key_size_bits = 0;
125
126 res = ecc_get_curve_info(key->curve, 0, &key_size_bytes, &key_size_bits,
127 NULL);
128 if (res != TEE_SUCCESS)
129 return res;
130
131 if (key_size != key_size_bits)
132 return TEE_ERROR_BAD_PARAMETERS;
133
134 /* Generate the ECC key */
135 ltc_res = ecc_make_key(NULL, find_prng("prng_crypto"),
136 key_size_bytes, <c_tmp_key);
137 if (ltc_res != CRYPT_OK)
138 return TEE_ERROR_BAD_PARAMETERS;
139
140 /* check the size of the keys */
141 if (((size_t)mp_count_bits(ltc_tmp_key.pubkey.x) > key_size_bits) ||
142 ((size_t)mp_count_bits(ltc_tmp_key.pubkey.y) > key_size_bits) ||
143 ((size_t)mp_count_bits(ltc_tmp_key.k) > key_size_bits)) {
144 res = TEE_ERROR_BAD_PARAMETERS;
145 goto exit;
146 }
147
148 /* check LTC is returning z==1 */
149 if (mp_count_bits(ltc_tmp_key.pubkey.z) != 1) {
150 res = TEE_ERROR_BAD_PARAMETERS;
151 goto exit;
152 }
153
154 /* Copy the key */
155 ltc_mp.copy(ltc_tmp_key.k, key->d);
156 ltc_mp.copy(ltc_tmp_key.pubkey.x, key->x);
157 ltc_mp.copy(ltc_tmp_key.pubkey.y, key->y);
158
159 res = TEE_SUCCESS;
160
161 exit:
162 ecc_free(<c_tmp_key); /* Free the temporary key */
163 return res;
164 }
165
166 /* Note: this function clears the key before setting the curve */
ecc_set_curve_from_name(ecc_key * ltc_key,const char * curve_name)167 static TEE_Result ecc_set_curve_from_name(ecc_key *ltc_key,
168 const char *curve_name)
169 {
170 const ltc_ecc_curve *curve = NULL;
171 int ltc_res = 0;
172
173 ltc_res = ecc_find_curve(curve_name, &curve);
174 if (ltc_res != CRYPT_OK)
175 return TEE_ERROR_NOT_SUPPORTED;
176
177 ltc_res = ecc_set_curve(curve, ltc_key);
178 if (ltc_res != CRYPT_OK)
179 return TEE_ERROR_GENERIC;
180
181 return TEE_SUCCESS;
182 }
183
184 /*
185 * Given a keypair "key", populate the Libtomcrypt private key "ltc_key"
186 * It also returns the key size, in bytes
187 */
ecc_populate_ltc_private_key(ecc_key * ltc_key,struct ecc_keypair * key,uint32_t algo,size_t * key_size_bytes)188 TEE_Result ecc_populate_ltc_private_key(ecc_key *ltc_key,
189 struct ecc_keypair *key,
190 uint32_t algo, size_t *key_size_bytes)
191 {
192 TEE_Result res = TEE_ERROR_GENERIC;
193 const char *name = NULL;
194
195 res = ecc_get_curve_info(key->curve, algo, key_size_bytes, NULL, &name);
196 if (res)
197 return res;
198
199 memset(ltc_key, 0, sizeof(*ltc_key));
200
201 res = ecc_set_curve_from_name(ltc_key, name);
202 if (res)
203 return res;
204
205 ltc_key->type = PK_PRIVATE;
206 mp_copy(key->d, ltc_key->k);
207 mp_copy(key->x, ltc_key->pubkey.x);
208 mp_copy(key->y, ltc_key->pubkey.y);
209 mp_set_int(ltc_key->pubkey.z, 1);
210
211 return TEE_SUCCESS;
212 }
213
214 /*
215 * Given a public "key", populate the Libtomcrypt public key "ltc_key"
216 * It also returns the key size, in bytes
217 */
ecc_populate_ltc_public_key(ecc_key * ltc_key,struct ecc_public_key * key,uint32_t algo,size_t * key_size_bytes)218 TEE_Result ecc_populate_ltc_public_key(ecc_key *ltc_key,
219 struct ecc_public_key *key,
220 uint32_t algo, size_t *key_size_bytes)
221 {
222 TEE_Result res = TEE_ERROR_GENERIC;
223 const char *name = NULL;
224 uint8_t one[1] = { 1 };
225
226 res = ecc_get_curve_info(key->curve, algo, key_size_bytes, NULL, &name);
227 if (res)
228 return res;
229
230 memset(ltc_key, 0, sizeof(*ltc_key));
231
232 res = ecc_set_curve_from_name(ltc_key, name);
233 if (res)
234 return res;
235
236 ltc_key->type = PK_PUBLIC;
237
238 mp_copy(key->x, ltc_key->pubkey.x);
239 mp_copy(key->y, ltc_key->pubkey.y);
240 mp_read_unsigned_bin(ltc_key->pubkey.z, one, sizeof(one));
241
242 return TEE_SUCCESS;
243 }
244
_ltc_ecc_sign(uint32_t algo,struct ecc_keypair * key,const uint8_t * msg,size_t msg_len,uint8_t * sig,size_t * sig_len)245 static TEE_Result _ltc_ecc_sign(uint32_t algo, struct ecc_keypair *key,
246 const uint8_t *msg, size_t msg_len,
247 uint8_t *sig, size_t *sig_len)
248 {
249 TEE_Result res = TEE_ERROR_GENERIC;
250 int ltc_res = 0;
251 size_t key_size_bytes = 0;
252 ecc_key ltc_key = { };
253 unsigned long ltc_sig_len = 0;
254
255 if (algo == 0)
256 return TEE_ERROR_BAD_PARAMETERS;
257
258 res = ecc_populate_ltc_private_key(<c_key, key, algo,
259 &key_size_bytes);
260 if (res != TEE_SUCCESS)
261 return res;
262
263 if (*sig_len < 2 * key_size_bytes) {
264 *sig_len = 2 * key_size_bytes;
265 res = TEE_ERROR_SHORT_BUFFER;
266 goto out;
267 }
268
269 ltc_sig_len = *sig_len;
270 ltc_res = ecc_sign_hash_rfc7518(msg, msg_len, sig, <c_sig_len,
271 NULL, find_prng("prng_crypto"), <c_key);
272 if (ltc_res == CRYPT_OK) {
273 res = TEE_SUCCESS;
274 } else {
275 res = TEE_ERROR_GENERIC;
276 }
277 *sig_len = ltc_sig_len;
278
279 out:
280 ecc_free(<c_key);
281 return res;
282 }
283
_ltc_ecc_verify(uint32_t algo,struct ecc_public_key * key,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len)284 static TEE_Result _ltc_ecc_verify(uint32_t algo, struct ecc_public_key *key,
285 const uint8_t *msg, size_t msg_len,
286 const uint8_t *sig, size_t sig_len)
287 {
288 TEE_Result res = TEE_ERROR_GENERIC;
289 int ltc_stat = 0;
290 int ltc_res = 0;
291 size_t key_size_bytes = 0;
292 ecc_key ltc_key = { };
293
294 if (algo == 0)
295 return TEE_ERROR_BAD_PARAMETERS;
296
297 res = ecc_populate_ltc_public_key(<c_key, key, algo, &key_size_bytes);
298 if (res != TEE_SUCCESS)
299 goto out;
300
301 /* check keysize vs sig_len */
302 if ((key_size_bytes * 2) != sig_len) {
303 res = TEE_ERROR_BAD_PARAMETERS;
304 goto out;
305 }
306
307 ltc_res = ecc_verify_hash_rfc7518(sig, sig_len, msg, msg_len, <c_stat,
308 <c_key);
309 res = convert_ltc_verify_status(ltc_res, ltc_stat);
310 out:
311 ecc_free(<c_key);
312 return res;
313 }
314
_ltc_ecc_shared_secret(struct ecc_keypair * private_key,struct ecc_public_key * public_key,void * secret,unsigned long * secret_len)315 static TEE_Result _ltc_ecc_shared_secret(struct ecc_keypair *private_key,
316 struct ecc_public_key *public_key,
317 void *secret,
318 unsigned long *secret_len)
319 {
320 TEE_Result res = TEE_ERROR_GENERIC;
321 int ltc_res = 0;
322 ecc_key ltc_private_key = { };
323 ecc_key ltc_public_key = { };
324 size_t key_size_bytes = 0;
325
326 /* Check the curves are the same */
327 if (private_key->curve != public_key->curve)
328 return TEE_ERROR_BAD_PARAMETERS;
329
330 res = ecc_populate_ltc_private_key(<c_private_key, private_key,
331 0, &key_size_bytes);
332 if (res != TEE_SUCCESS)
333 goto out;
334 res = ecc_populate_ltc_public_key(<c_public_key, public_key,
335 0, &key_size_bytes);
336 if (res != TEE_SUCCESS)
337 goto out;
338
339 ltc_res = ecc_shared_secret(<c_private_key, <c_public_key,
340 secret, secret_len);
341 if (ltc_res == CRYPT_OK)
342 res = TEE_SUCCESS;
343 else
344 res = TEE_ERROR_BAD_PARAMETERS;
345
346 out:
347 ecc_free(<c_private_key);
348 ecc_free(<c_public_key);
349 return res;
350 }
351
352 static const struct crypto_ecc_keypair_ops ecc_keypair_ops = {
353 .generate = _ltc_ecc_generate_keypair,
354 .sign = _ltc_ecc_sign,
355 .shared_secret = _ltc_ecc_shared_secret,
356 };
357
358 static const struct crypto_ecc_public_ops ecc_public_key_ops = {
359 .free = _ltc_ecc_free_public_key,
360 .verify = _ltc_ecc_verify,
361 };
362
363 static const struct crypto_ecc_keypair_ops sm2_dsa_keypair_ops = {
364 .generate = _ltc_ecc_generate_keypair,
365 .sign = sm2_ltc_dsa_sign,
366 };
367
368 static const struct crypto_ecc_public_ops sm2_dsa_public_key_ops = {
369 .free = _ltc_ecc_free_public_key,
370 .verify = sm2_ltc_dsa_verify,
371 };
372
373 static const struct crypto_ecc_keypair_ops sm2_pke_keypair_ops = {
374 .generate = _ltc_ecc_generate_keypair,
375 .decrypt = sm2_ltc_pke_decrypt,
376 };
377
378 static const struct crypto_ecc_public_ops sm2_pke_public_key_ops = {
379 .free = _ltc_ecc_free_public_key,
380 .encrypt = sm2_ltc_pke_encrypt,
381 };
382
383 static const struct crypto_ecc_keypair_ops sm2_kep_keypair_ops = {
384 .generate = _ltc_ecc_generate_keypair,
385 };
386
387 static const struct crypto_ecc_public_ops sm2_kep_public_key_ops = {
388 .free = _ltc_ecc_free_public_key,
389 };
390
crypto_asym_alloc_ecc_keypair(struct ecc_keypair * s,uint32_t key_type,size_t key_size_bits __unused)391 TEE_Result crypto_asym_alloc_ecc_keypair(struct ecc_keypair *s,
392 uint32_t key_type,
393 size_t key_size_bits __unused)
394 {
395 memset(s, 0, sizeof(*s));
396
397 switch (key_type) {
398 case TEE_TYPE_ECDSA_KEYPAIR:
399 case TEE_TYPE_ECDH_KEYPAIR:
400 s->ops = &ecc_keypair_ops;
401 break;
402 case TEE_TYPE_SM2_DSA_KEYPAIR:
403 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_DSA))
404 return TEE_ERROR_NOT_IMPLEMENTED;
405
406 s->ops = &sm2_dsa_keypair_ops;
407 break;
408 case TEE_TYPE_SM2_PKE_KEYPAIR:
409 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_PKE))
410 return TEE_ERROR_NOT_IMPLEMENTED;
411
412 s->ops = &sm2_pke_keypair_ops;
413 break;
414 case TEE_TYPE_SM2_KEP_KEYPAIR:
415 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_KEP))
416 return TEE_ERROR_NOT_IMPLEMENTED;
417
418 s->ops = &sm2_kep_keypair_ops;
419 break;
420 default:
421 return TEE_ERROR_NOT_IMPLEMENTED;
422 }
423
424 if (!bn_alloc_max(&s->d))
425 goto err;
426 if (!bn_alloc_max(&s->x))
427 goto err;
428 if (!bn_alloc_max(&s->y))
429 goto err;
430
431 return TEE_SUCCESS;
432
433 err:
434 s->ops = NULL;
435
436 crypto_bignum_free(s->d);
437 crypto_bignum_free(s->x);
438
439 return TEE_ERROR_OUT_OF_MEMORY;
440 }
441
crypto_asym_alloc_ecc_public_key(struct ecc_public_key * s,uint32_t key_type,size_t key_size_bits __unused)442 TEE_Result crypto_asym_alloc_ecc_public_key(struct ecc_public_key *s,
443 uint32_t key_type,
444 size_t key_size_bits __unused)
445 {
446 memset(s, 0, sizeof(*s));
447
448 switch (key_type) {
449 case TEE_TYPE_ECDSA_PUBLIC_KEY:
450 case TEE_TYPE_ECDH_PUBLIC_KEY:
451 s->ops = &ecc_public_key_ops;
452 break;
453 case TEE_TYPE_SM2_DSA_PUBLIC_KEY:
454 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_DSA))
455 return TEE_ERROR_NOT_IMPLEMENTED;
456
457 s->ops = &sm2_dsa_public_key_ops;
458 break;
459 case TEE_TYPE_SM2_PKE_PUBLIC_KEY:
460 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_PKE))
461 return TEE_ERROR_NOT_IMPLEMENTED;
462
463 s->ops = &sm2_pke_public_key_ops;
464 break;
465 case TEE_TYPE_SM2_KEP_PUBLIC_KEY:
466 if (!IS_ENABLED(_CFG_CORE_LTC_SM2_KEP))
467 return TEE_ERROR_NOT_IMPLEMENTED;
468
469 s->ops = &sm2_kep_public_key_ops;
470 break;
471 default:
472 return TEE_ERROR_NOT_IMPLEMENTED;
473 }
474
475 if (!bn_alloc_max(&s->x))
476 goto err;
477 if (!bn_alloc_max(&s->y))
478 goto err;
479
480 return TEE_SUCCESS;
481
482 err:
483 s->ops = NULL;
484
485 crypto_bignum_free(s->x);
486
487 return TEE_ERROR_OUT_OF_MEMORY;
488 }
489