1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (C) 2018, ARM Limited
4 * Copyright (C) 2019, Linaro Limited
5 */
6
7 #include <assert.h>
8 #include <config.h>
9 #include <crypto/crypto_impl.h>
10 #include <mbedtls/ctr_drbg.h>
11 #include <mbedtls/ecdh.h>
12 #include <mbedtls/ecdsa.h>
13 #include <mbedtls/ecp.h>
14 #include <mbedtls/entropy.h>
15 #include <mbedtls/pk.h>
16 #include <stdlib.h>
17 #include <string.h>
18
19 #include "mbed_helpers.h"
20 #include "sm2-dsa.h"
21 #include "sm2-pke.h"
22
23 /* Translate mbedtls result to TEE result */
get_tee_result(int lmd_res)24 static TEE_Result get_tee_result(int lmd_res)
25 {
26 switch (lmd_res) {
27 case 0:
28 return TEE_SUCCESS;
29 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
30 return TEE_ERROR_SIGNATURE_INVALID;
31 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
32 return TEE_ERROR_SHORT_BUFFER;
33 default:
34 return TEE_ERROR_BAD_STATE;
35 }
36 }
37
ecc_free_public_key(struct ecc_public_key * s)38 static void ecc_free_public_key(struct ecc_public_key *s)
39 {
40 if (!s)
41 return;
42
43 crypto_bignum_free(s->x);
44 crypto_bignum_free(s->y);
45 }
46
47 /*
48 * curve is part of TEE_ECC_CURVE_NIST_P192,...
49 * algo is part of TEE_ALG_ECDSA_P192,..., and 0 if we do not have it
50 */
ecc_get_keysize(uint32_t curve,uint32_t algo,size_t * key_size_bytes,size_t * key_size_bits)51 static TEE_Result ecc_get_keysize(uint32_t curve, uint32_t algo,
52 size_t *key_size_bytes, size_t *key_size_bits)
53 {
54 /*
55 * Note GPv1.1 indicates TEE_ALG_ECDH_NIST_P192_DERIVE_SHARED_SECRET
56 * but defines TEE_ALG_ECDH_P192
57 */
58 switch (curve) {
59 case TEE_ECC_CURVE_NIST_P192:
60 *key_size_bits = 192;
61 *key_size_bytes = 24;
62 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P192) &&
63 (algo != TEE_ALG_ECDH_P192))
64 return TEE_ERROR_BAD_PARAMETERS;
65 break;
66 case TEE_ECC_CURVE_NIST_P224:
67 *key_size_bits = 224;
68 *key_size_bytes = 28;
69 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P224) &&
70 (algo != TEE_ALG_ECDH_P224))
71 return TEE_ERROR_BAD_PARAMETERS;
72 break;
73 case TEE_ECC_CURVE_NIST_P256:
74 *key_size_bits = 256;
75 *key_size_bytes = 32;
76 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P256) &&
77 (algo != TEE_ALG_ECDH_P256))
78 return TEE_ERROR_BAD_PARAMETERS;
79 break;
80 case TEE_ECC_CURVE_NIST_P384:
81 *key_size_bits = 384;
82 *key_size_bytes = 48;
83 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P384) &&
84 (algo != TEE_ALG_ECDH_P384))
85 return TEE_ERROR_BAD_PARAMETERS;
86 break;
87 case TEE_ECC_CURVE_NIST_P521:
88 *key_size_bits = 521;
89 *key_size_bytes = 66;
90 if ((algo != 0) && (algo != TEE_ALG_ECDSA_P521) &&
91 (algo != TEE_ALG_ECDH_P521))
92 return TEE_ERROR_BAD_PARAMETERS;
93 break;
94 default:
95 *key_size_bits = 0;
96 *key_size_bytes = 0;
97 return TEE_ERROR_NOT_SUPPORTED;
98 }
99
100 return TEE_SUCCESS;
101 }
102
103 /*
104 * Clear some memory that was used to prepare the context
105 */
ecc_clear_precomputed(mbedtls_ecp_group * grp)106 static void ecc_clear_precomputed(mbedtls_ecp_group *grp)
107 {
108 size_t i = 0;
109
110 if (grp->T) {
111 for (i = 0; i < grp->T_size; i++)
112 mbedtls_ecp_point_free(&grp->T[i]);
113 free(grp->T);
114 }
115 grp->T = NULL;
116 grp->T_size = 0;
117 }
118
ecc_generate_keypair(struct ecc_keypair * key,size_t key_size)119 static TEE_Result ecc_generate_keypair(struct ecc_keypair *key, size_t key_size)
120 {
121 TEE_Result res = TEE_SUCCESS;
122 int lmd_res = 0;
123 mbedtls_ecdsa_context ecdsa;
124 size_t key_size_bytes = 0;
125 size_t key_size_bits = 0;
126
127 memset(&ecdsa, 0, sizeof(ecdsa));
128
129 res = ecc_get_keysize(key->curve, 0, &key_size_bytes, &key_size_bits);
130 if (res != TEE_SUCCESS)
131 return res;
132
133 if (key_size != key_size_bits)
134 return TEE_ERROR_BAD_PARAMETERS;
135
136 mbedtls_ecdsa_init(&ecdsa);
137
138 /* Generate the ECC key */
139 lmd_res = mbedtls_ecdsa_genkey(&ecdsa, key->curve, mbd_rand, NULL);
140 if (lmd_res != 0) {
141 res = TEE_ERROR_BAD_PARAMETERS;
142 FMSG("mbedtls_ecdsa_genkey failed.");
143 goto exit;
144 }
145 ecc_clear_precomputed(&ecdsa.grp);
146
147 /* check the size of the keys */
148 if ((mbedtls_mpi_bitlen(&ecdsa.Q.X) > key_size_bits) ||
149 (mbedtls_mpi_bitlen(&ecdsa.Q.Y) > key_size_bits) ||
150 (mbedtls_mpi_bitlen(&ecdsa.d) > key_size_bits)) {
151 res = TEE_ERROR_BAD_PARAMETERS;
152 FMSG("Check the size of the keys failed.");
153 goto exit;
154 }
155
156 /* check LMD is returning z==1 */
157 if (mbedtls_mpi_bitlen(&ecdsa.Q.Z) != 1) {
158 res = TEE_ERROR_BAD_PARAMETERS;
159 FMSG("Check LMD failed.");
160 goto exit;
161 }
162
163 /* Copy the key */
164 crypto_bignum_copy(key->d, (void *)&ecdsa.d);
165 crypto_bignum_copy(key->x, (void *)&ecdsa.Q.X);
166 crypto_bignum_copy(key->y, (void *)&ecdsa.Q.Y);
167
168 res = TEE_SUCCESS;
169 exit:
170 mbedtls_ecdsa_free(&ecdsa); /* Free the temporary key */
171 return res;
172 }
173
ecc_sign(uint32_t algo,struct ecc_keypair * key,const uint8_t * msg,size_t msg_len,uint8_t * sig,size_t * sig_len)174 static TEE_Result ecc_sign(uint32_t algo, struct ecc_keypair *key,
175 const uint8_t *msg, size_t msg_len, uint8_t *sig,
176 size_t *sig_len)
177 {
178 TEE_Result res = TEE_SUCCESS;
179 int lmd_res = 0;
180 const mbedtls_pk_info_t *pk_info = NULL;
181 mbedtls_ecdsa_context ecdsa;
182 size_t key_size_bytes = 0;
183 size_t key_size_bits = 0;
184 mbedtls_mpi r;
185 mbedtls_mpi s;
186
187 memset(&ecdsa, 0, sizeof(ecdsa));
188 memset(&r, 0, sizeof(r));
189 memset(&s, 0, sizeof(s));
190
191 if (algo == 0)
192 return TEE_ERROR_BAD_PARAMETERS;
193
194 mbedtls_mpi_init(&r);
195 mbedtls_mpi_init(&s);
196
197 mbedtls_ecdsa_init(&ecdsa);
198 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, key->curve);
199 if (lmd_res != 0) {
200 res = TEE_ERROR_NOT_SUPPORTED;
201 goto out;
202 }
203
204 ecdsa.d = *(mbedtls_mpi *)key->d;
205
206 res = ecc_get_keysize(key->curve, algo, &key_size_bytes,
207 &key_size_bits);
208 if (res != TEE_SUCCESS)
209 goto out;
210
211 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECDSA);
212 if (pk_info == NULL) {
213 res = TEE_ERROR_NOT_SUPPORTED;
214 goto out;
215 }
216
217 lmd_res = mbedtls_ecdsa_sign(&ecdsa.grp, &r, &s, &ecdsa.d, msg,
218 msg_len, mbd_rand, NULL);
219 if (lmd_res == 0) {
220 *sig_len = 2 * key_size_bytes;
221 memset(sig, 0, *sig_len);
222 mbedtls_mpi_write_binary(&r, sig + *sig_len / 2 -
223 mbedtls_mpi_size(&r),
224 mbedtls_mpi_size(&r));
225
226 mbedtls_mpi_write_binary(&s, sig + *sig_len -
227 mbedtls_mpi_size(&s),
228 mbedtls_mpi_size(&s));
229 res = TEE_SUCCESS;
230 } else {
231 FMSG("mbedtls_ecdsa_sign failed, returned 0x%x\n", -lmd_res);
232 res = TEE_ERROR_GENERIC;
233 }
234 out:
235 mbedtls_mpi_free(&r);
236 mbedtls_mpi_free(&s);
237 /* Reset mpi to skip freeing here, those mpis will be freed with key */
238 mbedtls_mpi_init(&ecdsa.d);
239 mbedtls_ecdsa_free(&ecdsa);
240 return res;
241 }
242
ecc_verify(uint32_t algo,struct ecc_public_key * key,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len)243 static TEE_Result ecc_verify(uint32_t algo, struct ecc_public_key *key,
244 const uint8_t *msg, size_t msg_len,
245 const uint8_t *sig, size_t sig_len)
246 {
247 TEE_Result res = TEE_SUCCESS;
248 int lmd_res = 0;
249 mbedtls_ecdsa_context ecdsa;
250 size_t key_size_bytes, key_size_bits = 0;
251 uint8_t one[1] = { 1 };
252 mbedtls_mpi r;
253 mbedtls_mpi s;
254
255 memset(&ecdsa, 0, sizeof(ecdsa));
256 memset(&r, 0, sizeof(r));
257 memset(&s, 0, sizeof(s));
258
259 if (algo == 0)
260 return TEE_ERROR_BAD_PARAMETERS;
261
262 mbedtls_mpi_init(&r);
263 mbedtls_mpi_init(&s);
264
265 mbedtls_ecdsa_init(&ecdsa);
266
267 lmd_res = mbedtls_ecp_group_load(&ecdsa.grp, key->curve);
268 if (lmd_res != 0) {
269 res = TEE_ERROR_NOT_SUPPORTED;
270 goto out;
271 }
272
273 ecdsa.Q.X = *(mbedtls_mpi *)key->x;
274 ecdsa.Q.Y = *(mbedtls_mpi *)key->y;
275 mbedtls_mpi_read_binary(&ecdsa.Q.Z, one, sizeof(one));
276
277 res = ecc_get_keysize(key->curve, algo,
278 &key_size_bytes, &key_size_bits);
279 if (res != TEE_SUCCESS) {
280 res = TEE_ERROR_BAD_PARAMETERS;
281 goto out;
282 }
283
284 /* check keysize vs sig_len */
285 if ((key_size_bytes * 2) != sig_len) {
286 res = TEE_ERROR_BAD_PARAMETERS;
287 goto out;
288 }
289
290 mbedtls_mpi_read_binary(&r, sig, sig_len / 2);
291 mbedtls_mpi_read_binary(&s, sig + sig_len / 2, sig_len / 2);
292
293 lmd_res = mbedtls_ecdsa_verify(&ecdsa.grp, msg, msg_len, &ecdsa.Q,
294 &r, &s);
295 if (lmd_res != 0) {
296 FMSG("mbedtls_ecdsa_verify failed, returned 0x%x", -lmd_res);
297 res = get_tee_result(lmd_res);
298 }
299 out:
300 mbedtls_mpi_free(&r);
301 mbedtls_mpi_free(&s);
302 /* Reset mpi to skip freeing here, those mpis will be freed with key */
303 mbedtls_mpi_init(&ecdsa.Q.X);
304 mbedtls_mpi_init(&ecdsa.Q.Y);
305 mbedtls_ecdsa_free(&ecdsa);
306 return res;
307 }
308
ecc_shared_secret(struct ecc_keypair * private_key,struct ecc_public_key * public_key,void * secret,unsigned long * secret_len)309 static TEE_Result ecc_shared_secret(struct ecc_keypair *private_key,
310 struct ecc_public_key *public_key,
311 void *secret, unsigned long *secret_len)
312 {
313 TEE_Result res = TEE_SUCCESS;
314 int lmd_res = 0;
315 uint8_t one[1] = { 1 };
316 mbedtls_ecdh_context ecdh;
317 size_t out_len = 0;
318
319 memset(&ecdh, 0, sizeof(ecdh));
320 mbedtls_ecdh_init(&ecdh);
321 lmd_res = mbedtls_ecp_group_load(&ecdh.grp, private_key->curve);
322 if (lmd_res != 0) {
323 res = TEE_ERROR_NOT_SUPPORTED;
324 goto out;
325 }
326
327 ecdh.d = *(mbedtls_mpi *)private_key->d;
328 ecdh.Qp.X = *(mbedtls_mpi *)public_key->x;
329 ecdh.Qp.Y = *(mbedtls_mpi *)public_key->y;
330 mbedtls_mpi_read_binary(&ecdh.Qp.Z, one, sizeof(one));
331
332 lmd_res = mbedtls_ecdh_calc_secret(&ecdh, &out_len, secret,
333 *secret_len, mbd_rand, NULL);
334 if (lmd_res != 0) {
335 res = get_tee_result(lmd_res);
336 goto out;
337 }
338 *secret_len = out_len;
339 out:
340 /* Reset mpi to skip freeing here, those mpis will be freed with key */
341 mbedtls_mpi_init(&ecdh.d);
342 mbedtls_mpi_init(&ecdh.Qp.X);
343 mbedtls_mpi_init(&ecdh.Qp.Y);
344 mbedtls_ecdh_free(&ecdh);
345 return res;
346 }
347
348 static const struct crypto_ecc_keypair_ops ecc_keypair_ops = {
349 .generate = ecc_generate_keypair,
350 .sign = ecc_sign,
351 .shared_secret = ecc_shared_secret,
352 };
353
354 static const struct crypto_ecc_keypair_ops sm2_pke_keypair_ops = {
355 .generate = ecc_generate_keypair,
356 .decrypt = sm2_mbedtls_pke_decrypt,
357 };
358
359 static const struct crypto_ecc_keypair_ops sm2_kep_keypair_ops = {
360 .generate = ecc_generate_keypair,
361 };
362
363 static const struct crypto_ecc_keypair_ops sm2_dsa_keypair_ops = {
364 .generate = ecc_generate_keypair,
365 .sign = sm2_mbedtls_dsa_sign,
366 };
367
crypto_asym_alloc_ecc_keypair(struct ecc_keypair * s,uint32_t key_type,size_t key_size_bits)368 TEE_Result crypto_asym_alloc_ecc_keypair(struct ecc_keypair *s,
369 uint32_t key_type,
370 size_t key_size_bits)
371 {
372 memset(s, 0, sizeof(*s));
373
374 switch (key_type) {
375 case TEE_TYPE_ECDSA_KEYPAIR:
376 case TEE_TYPE_ECDH_KEYPAIR:
377 s->ops = &ecc_keypair_ops;
378 break;
379 case TEE_TYPE_SM2_DSA_KEYPAIR:
380 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA))
381 return TEE_ERROR_NOT_IMPLEMENTED;
382
383 s->ops = &sm2_dsa_keypair_ops;
384 break;
385 case TEE_TYPE_SM2_PKE_KEYPAIR:
386 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE))
387 return TEE_ERROR_NOT_IMPLEMENTED;
388
389 s->ops = &sm2_pke_keypair_ops;
390 break;
391 case TEE_TYPE_SM2_KEP_KEYPAIR:
392 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP))
393 return TEE_ERROR_NOT_IMPLEMENTED;
394
395 s->ops = &sm2_kep_keypair_ops;
396 break;
397 default:
398 return TEE_ERROR_NOT_IMPLEMENTED;
399 }
400
401 s->d = crypto_bignum_allocate(key_size_bits);
402 if (!s->d)
403 goto err;
404 s->x = crypto_bignum_allocate(key_size_bits);
405 if (!s->x)
406 goto err;
407 s->y = crypto_bignum_allocate(key_size_bits);
408 if (!s->y)
409 goto err;
410
411 return TEE_SUCCESS;
412
413 err:
414 crypto_bignum_free(s->d);
415 crypto_bignum_free(s->x);
416
417 return TEE_ERROR_OUT_OF_MEMORY;
418 }
419
420 static const struct crypto_ecc_public_ops ecc_public_key_ops = {
421 .free = ecc_free_public_key,
422 .verify = ecc_verify,
423 };
424
425 static const struct crypto_ecc_public_ops sm2_pke_public_key_ops = {
426 .free = ecc_free_public_key,
427 .encrypt = sm2_mbedtls_pke_encrypt,
428 };
429
430 static const struct crypto_ecc_public_ops sm2_kep_public_key_ops = {
431 .free = ecc_free_public_key,
432 };
433
434 static const struct crypto_ecc_public_ops sm2_dsa_public_key_ops = {
435 .free = ecc_free_public_key,
436 .verify = sm2_mbedtls_dsa_verify,
437 };
438
crypto_asym_alloc_ecc_public_key(struct ecc_public_key * s,uint32_t key_type,size_t key_size_bits)439 TEE_Result crypto_asym_alloc_ecc_public_key(struct ecc_public_key *s,
440 uint32_t key_type,
441 size_t key_size_bits)
442 {
443 memset(s, 0, sizeof(*s));
444
445 switch (key_type) {
446 case TEE_TYPE_ECDSA_PUBLIC_KEY:
447 case TEE_TYPE_ECDH_PUBLIC_KEY:
448 s->ops = &ecc_public_key_ops;
449 break;
450 case TEE_TYPE_SM2_DSA_PUBLIC_KEY:
451 if (!IS_ENABLED(CFG_CRYPTO_SM2_DSA))
452 return TEE_ERROR_NOT_IMPLEMENTED;
453
454 s->ops = &sm2_dsa_public_key_ops;
455 break;
456 case TEE_TYPE_SM2_PKE_PUBLIC_KEY:
457 if (!IS_ENABLED(CFG_CRYPTO_SM2_PKE))
458 return TEE_ERROR_NOT_IMPLEMENTED;
459
460 s->ops = &sm2_pke_public_key_ops;
461 break;
462 case TEE_TYPE_SM2_KEP_PUBLIC_KEY:
463 if (!IS_ENABLED(CFG_CRYPTO_SM2_KEP))
464 return TEE_ERROR_NOT_IMPLEMENTED;
465
466 s->ops = &sm2_kep_public_key_ops;
467 break;
468 default:
469 return TEE_ERROR_NOT_IMPLEMENTED;
470 }
471
472 s->x = crypto_bignum_allocate(key_size_bits);
473 if (!s->x)
474 goto err;
475 s->y = crypto_bignum_allocate(key_size_bits);
476 if (!s->y)
477 goto err;
478
479 return TEE_SUCCESS;
480
481 err:
482 crypto_bignum_free(s->x);
483
484 return TEE_ERROR_OUT_OF_MEMORY;
485 }
486