1 /*
2 * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3 * Licensed under the Mulan PSL v2.
4 * You can use this software according to the terms and conditions of the Mulan PSL v2.
5 * You may obtain a copy of Mulan PSL v2 at:
6 * http://license.coscl.org.cn/MulanPSL2
7 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8 * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9 * PURPOSE.
10 * See the Mulan PSL v2 for more details.
11 */
12 #include "crypto_alg_config.h"
13 #include <tee_crypto_api.h>
14 #include <crypto/siphash.h>
15 #include "crypto_inner_defines.h"
16 #include "tee_log.h"
17
18 #define TEE_OPERATION_INVALID 0xFFFFFFFF
19 #define TEE_TYPE_INVALID 0xFFFFFFFF
20 #define ELEM_NUMS(array) (sizeof(array) / sizeof((array)[0]))
21
22 #define RSA_SAFE_KEY_SIZE_MIN 2048
23 #define DH_SAFE_KEY_SIZE_MIN 256
24 #define ECDSA_SAFE_KEY_SIZE_MIN 224
25 #define ECDH_SAFE_KEY_SIZE_MIN 224
26
27 typedef TEE_Result (*op_keysize_check)(uint32_t max_key_size);
28
29 struct alg_config_t {
30 uint32_t alg;
31 uint32_t mode;
32 uint32_t class;
33 op_keysize_check check_keysize;
34 uint32_t keytype;
35 uint32_t element;
36 };
37
check_keysize_for_aes(uint32_t max_key_size)38 static TEE_Result check_keysize_for_aes(uint32_t max_key_size)
39 {
40 if (max_key_size != AES_KEY_SIZE_128 * BIT_TO_BYTE && max_key_size != AES_KEY_SIZE_192 * BIT_TO_BYTE &&
41 max_key_size != AES_KEY_SIZE_256 * BIT_TO_BYTE)
42 return TEE_ERROR_BAD_PARAMETERS;
43
44 return TEE_SUCCESS;
45 }
46
check_keysize_for_rsa(uint32_t max_key_size)47 static TEE_Result check_keysize_for_rsa(uint32_t max_key_size)
48 {
49 if (max_key_size >= RSA_KEY_MIN && max_key_size <= RSA_KEY_MAX &&
50 max_key_size % RSA_KEY_BLOCK == 0)
51 return TEE_SUCCESS;
52 return TEE_ERROR_BAD_PARAMETERS;
53 }
54
check_keysize_for_dh_derive(uint32_t max_key_size)55 static TEE_Result check_keysize_for_dh_derive(uint32_t max_key_size)
56 {
57 if (max_key_size < DH_MIN_KEY_SIZE * BIT_TO_BYTE || max_key_size > DH_MAX_KEY_SIZE * BIT_TO_BYTE ||
58 max_key_size % BIT_TO_BYTE != 0)
59 return TEE_ERROR_BAD_PARAMETERS;
60
61 return TEE_SUCCESS;
62 }
63
check_keysize_for_hmac(uint32_t max_key_size)64 static TEE_Result check_keysize_for_hmac(uint32_t max_key_size)
65 {
66 if (max_key_size < HMAC_MIN_KEY || max_key_size > HMAC_MAX_KEY ||
67 max_key_size % BIT_TO_BYTE != 0)
68 return TEE_ERROR_BAD_PARAMETERS;
69
70 return TEE_SUCCESS;
71 }
check_keysize_for_hmac_sm3(uint32_t max_key_size)72 static TEE_Result check_keysize_for_hmac_sm3(uint32_t max_key_size)
73 {
74 if (max_key_size < HMAC_SM3_MIN_KEY || max_key_size > HMAC_SM3_MAX_KEY ||
75 max_key_size % BIT_TO_BYTE != 0)
76 return TEE_ERROR_BAD_PARAMETERS;
77
78 return TEE_SUCCESS;
79 }
80
check_keysize_for_sip_hash(uint32_t max_key_size)81 static TEE_Result check_keysize_for_sip_hash(uint32_t max_key_size)
82 {
83 if (max_key_size != SIPHASH_KEY_SIZE * BIT_TO_BYTE)
84 return TEE_ERROR_BAD_PARAMETERS;
85
86 return TEE_SUCCESS;
87 }
88
check_keysize_for_ecdsa_sha_x(uint32_t max_key_size)89 static TEE_Result check_keysize_for_ecdsa_sha_x(uint32_t max_key_size)
90 {
91 if (
92 max_key_size != ECDSA_KEY_224 &&
93 max_key_size != ECDSA_KEY_256 && max_key_size != ECDSA_KEY_320 &&
94 max_key_size != ECDSA_KEY_384 && max_key_size != ECDSA_KEY_521)
95 return TEE_ERROR_BAD_PARAMETERS;
96 return TEE_SUCCESS;
97 }
98
check_keysize_for_ecdh_p224(uint32_t max_key_size)99 static TEE_Result check_keysize_for_ecdh_p224(uint32_t max_key_size)
100 {
101 if (max_key_size != ECDSA_KEY_224)
102 return TEE_ERROR_BAD_PARAMETERS;
103
104 return TEE_SUCCESS;
105 }
check_keysize_for_ecdh_p256(uint32_t max_key_size)106 static TEE_Result check_keysize_for_ecdh_p256(uint32_t max_key_size)
107 {
108 if (max_key_size != ECDSA_KEY_256)
109 return TEE_ERROR_BAD_PARAMETERS;
110
111 return TEE_SUCCESS;
112 }
check_keysize_for_ecdh_p384(uint32_t max_key_size)113 static TEE_Result check_keysize_for_ecdh_p384(uint32_t max_key_size)
114 {
115 if (max_key_size != ECDSA_KEY_384)
116 return TEE_ERROR_BAD_PARAMETERS;
117
118 return TEE_SUCCESS;
119 }
check_keysize_for_ecdh_p521(uint32_t max_key_size)120 static TEE_Result check_keysize_for_ecdh_p521(uint32_t max_key_size)
121 {
122 if (max_key_size != ECDSA_KEY_521)
123 return TEE_ERROR_BAD_PARAMETERS;
124
125 return TEE_SUCCESS;
126 }
127 #ifdef CRYPTO_SSL_SUPPORT_EC25519
check_keysize_for_25519(uint32_t max_key_size)128 static TEE_Result check_keysize_for_25519(uint32_t max_key_size)
129 {
130 if (max_key_size != ECDSA_KEY_256)
131 return TEE_ERROR_BAD_PARAMETERS;
132
133 return TEE_SUCCESS;
134 }
135 #endif
check_keysize_for_sm2(uint32_t max_key_size)136 static TEE_Result check_keysize_for_sm2(uint32_t max_key_size)
137 {
138 if (max_key_size != ECDSA_KEY_256)
139 return TEE_ERROR_BAD_PARAMETERS;
140
141 return TEE_SUCCESS;
142 }
check_keysize_for_sm4(uint32_t max_key_size)143 static TEE_Result check_keysize_for_sm4(uint32_t max_key_size)
144 {
145 if (max_key_size != SM4_KEY_SIZE)
146 return TEE_ERROR_BAD_PARAMETERS;
147
148 return TEE_SUCCESS;
149 }
check_keysize_for_others(uint32_t max_key_size)150 static TEE_Result check_keysize_for_others(uint32_t max_key_size)
151 {
152 if (max_key_size % BIT_TO_BYTE != 0)
153 return TEE_ERROR_BAD_PARAMETERS;
154
155 return TEE_SUCCESS;
156 }
157
158 static const struct alg_config_t g_alg_config[] = {
159 {
160 TEE_ALG_AES_ECB_NOPAD, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
161 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
162 },
163 {
164 TEE_ALG_AES_CBC_NOPAD, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
165 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
166 },
167 {
168 TEE_ALG_AES_CTR, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
169 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
170 },
171 {
172 TEE_ALG_AES_CTS, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
173 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
174 },
175 {
176 TEE_ALG_AES_XTS, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
177 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
178 },
179 {
180 TEE_ALG_AES_CBC_MAC_NOPAD, TEE_MODE_MAC, TEE_OPERATION_MAC,
181 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
182 },
183 {
184 TEE_ALG_AES_CMAC, TEE_MODE_MAC, TEE_OPERATION_MAC,
185 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
186 },
187 {
188 TEE_ALG_AES_CCM, TEE_MODE_ENCRYPT, TEE_OPERATION_AE,
189 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
190 },
191 {
192 TEE_ALG_AES_GCM, TEE_MODE_ENCRYPT, TEE_OPERATION_AE,
193 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
194 },
195 {
196 TEE_ALG_AES_ECB_PKCS5, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
197 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
198 },
199 {
200 TEE_ALG_AES_CBC_PKCS5, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
201 check_keysize_for_aes, TEE_TYPE_AES, TEE_OPTIONAL_ELEMENT_NONE
202 },
203 {
204 TEE_ALG_RSASSA_PKCS1_V1_5_SHA256, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
205 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
206 },
207 {
208 TEE_ALG_RSASSA_PKCS1_V1_5_SHA384, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
209 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
210 },
211 {
212 TEE_ALG_RSASSA_PKCS1_V1_5_SHA512, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
213 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
214 },
215 {
216 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
217 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
218 },
219 {
220 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
221 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
222 },
223 {
224 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
225 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
226 },
227 {
228 TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
229 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
230 },
231 {
232 TEE_ALG_RSAES_PKCS1_V1_5, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
233 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
234 },
235 {
236 TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
237 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
238 },
239 {
240 TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
241 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
242 },
243 {
244 TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
245 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
246 },
247 {
248 TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
249 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
250 },
251 {
252 TEE_ALG_RSA_NOPAD, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
253 check_keysize_for_rsa, TEE_TYPE_RSA_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
254 },
255 {
256 TEE_ALG_DH_DERIVE_SHARED_SECRET, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
257 check_keysize_for_dh_derive, TEE_TYPE_DH_KEYPAIR, TEE_OPTIONAL_ELEMENT_NONE
258 },
259 {
260 TEE_ALG_HMAC_SHA1, TEE_MODE_MAC, TEE_OPERATION_MAC,
261 check_keysize_for_hmac, TEE_TYPE_HMAC_SHA1, TEE_OPTIONAL_ELEMENT_NONE
262 },
263 {
264 TEE_ALG_HMAC_SHA256, TEE_MODE_MAC, TEE_OPERATION_MAC,
265 check_keysize_for_hmac, TEE_TYPE_HMAC_SHA256, TEE_OPTIONAL_ELEMENT_NONE
266 },
267 {
268 TEE_ALG_HMAC_SHA384, TEE_MODE_MAC, TEE_OPERATION_MAC,
269 check_keysize_for_hmac, TEE_TYPE_HMAC_SHA384, TEE_OPTIONAL_ELEMENT_NONE
270 },
271 {
272 TEE_ALG_HMAC_SHA512, TEE_MODE_MAC, TEE_OPERATION_MAC,
273 check_keysize_for_hmac, TEE_TYPE_HMAC_SHA512, TEE_OPTIONAL_ELEMENT_NONE
274 },
275 {
276 TEE_ALG_HMAC_SM3, TEE_MODE_MAC, TEE_OPERATION_MAC,
277 check_keysize_for_hmac_sm3, TEE_TYPE_HMAC_SM3, TEE_OPTIONAL_ELEMENT_NONE
278 },
279 {
280 TEE_ALG_SIP_HASH, TEE_MODE_MAC, TEE_OPERATION_MAC,
281 check_keysize_for_sip_hash, TEE_TYPE_SIP_HASH, TEE_OPTIONAL_ELEMENT_NONE
282 },
283 {
284 TEE_ALG_ECDSA_SHA256, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
285 check_keysize_for_ecdsa_sha_x, TEE_TYPE_ECDSA_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P256
286 },
287 {
288 TEE_ALG_ECDSA_SHA384, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
289 check_keysize_for_ecdsa_sha_x, TEE_TYPE_ECDSA_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P384
290 },
291 {
292 TEE_ALG_ECDSA_SHA512, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
293 check_keysize_for_ecdsa_sha_x, TEE_TYPE_ECDSA_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P521
294 },
295 {
296 TEE_ALG_ECDH_DERIVE_SHARED_SECRET, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
297 check_keysize_for_ecdsa_sha_x, TEE_TYPE_ECDH_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P521
298 },
299 {
300 TEE_ALG_ECDH_P224, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
301 check_keysize_for_ecdh_p224, TEE_TYPE_ECDH_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P224
302 },
303 {
304 TEE_ALG_ECDH_P256, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
305 check_keysize_for_ecdh_p256, TEE_TYPE_ECDH_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P256
306 },
307 {
308 TEE_ALG_ECDH_P384, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
309 check_keysize_for_ecdh_p384, TEE_TYPE_ECDH_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P384
310 },
311 {
312 TEE_ALG_ECDH_P521, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
313 check_keysize_for_ecdh_p521, TEE_TYPE_ECDH_PUBLIC_KEY, TEE_ECC_CURVE_NIST_P521
314 },
315 {
316 TEE_ALG_SM2_DSA_SM3, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
317 check_keysize_for_sm2, TEE_TYPE_SM2_DSA_PUBLIC_KEY, TEE_ECC_CURVE_SM2
318 },
319 {
320 TEE_ALG_SM2_PKE, TEE_MODE_ENCRYPT, TEE_OPERATION_ASYMMETRIC_CIPHER,
321 check_keysize_for_sm2, TEE_TYPE_SM2_PKE_PUBLIC_KEY, TEE_ECC_CURVE_SM2
322 },
323 {
324 TEE_ALG_SM4_ECB_NOPAD, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
325 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
326 },
327 {
328 TEE_ALG_SM4_CBC_NOPAD, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
329 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
330 },
331 {
332 TEE_ALG_SM4_CBC_PKCS7, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
333 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
334 },
335 {
336 TEE_ALG_SM4_CTR, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
337 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
338 },
339 {
340 TEE_ALG_SM4_GCM, TEE_MODE_ENCRYPT, TEE_OPERATION_AE,
341 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
342 },
343 {
344 TEE_ALG_SM4_CFB128, TEE_MODE_ENCRYPT, TEE_OPERATION_CIPHER,
345 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
346 },
347 {
348 TEE_ALG_SM4_GCM, TEE_MODE_ENCRYPT, TEE_OPERATION_AE,
349 check_keysize_for_sm4, TEE_TYPE_SM4, TEE_OPTIONAL_ELEMENT_NONE
350 },
351 {
352 TEE_ALG_SM3, TEE_MODE_DIGEST, TEE_OPERATION_DIGEST,
353 check_keysize_for_others, TEE_TYPE_INVALID, TEE_OPTIONAL_ELEMENT_NONE
354 },
355 {
356 TEE_ALG_SHA256, TEE_MODE_DIGEST, TEE_OPERATION_DIGEST,
357 check_keysize_for_others, TEE_TYPE_INVALID, TEE_OPTIONAL_ELEMENT_NONE
358 },
359 {
360 TEE_ALG_SHA384, TEE_MODE_DIGEST, TEE_OPERATION_DIGEST,
361 check_keysize_for_others, TEE_TYPE_INVALID, TEE_OPTIONAL_ELEMENT_NONE
362 },
363 {
364 TEE_ALG_SHA512, TEE_MODE_DIGEST, TEE_OPERATION_DIGEST,
365 check_keysize_for_others, TEE_TYPE_INVALID, TEE_OPTIONAL_ELEMENT_NONE
366 },
367 #ifdef CRYPTO_SSL_SUPPORT_EC25519
368 {
369 TEE_ALG_ED25519, TEE_MODE_SIGN, TEE_OPERATION_ASYMMETRIC_SIGNATURE,
370 check_keysize_for_25519, TEE_TYPE_ED25519_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
371 },
372 {
373 TEE_ALG_X25519, TEE_MODE_DERIVE, TEE_OPERATION_KEY_DERIVATION,
374 check_keysize_for_25519, TEE_TYPE_X25519_PUBLIC_KEY, TEE_OPTIONAL_ELEMENT_NONE
375 },
376 #endif
377 };
378
crypto_check_alg_valid(uint32_t alg,uint32_t mode)379 bool crypto_check_alg_valid(uint32_t alg, uint32_t mode)
380 {
381 size_t index;
382
383 for (index = 0; index < ELEM_NUMS(g_alg_config); index++) {
384 if ((alg == g_alg_config[index].alg) && (mode == g_alg_config[index].mode))
385 return true;
386 }
387
388 return false;
389 }
390
crypto_get_op_class(uint32_t alg)391 uint32_t crypto_get_op_class(uint32_t alg)
392 {
393 size_t index;
394
395 for (index = 0; index < ELEM_NUMS(g_alg_config); index++) {
396 if (alg == g_alg_config[index].alg)
397 return g_alg_config[index].class;
398 }
399
400 return TEE_OPERATION_INVALID;
401 }
402
crypto_check_keysize(uint32_t algorithm,uint32_t max_key_size)403 TEE_Result crypto_check_keysize(uint32_t algorithm, uint32_t max_key_size)
404 {
405 size_t index;
406
407 for (index = 0; index < ELEM_NUMS(g_alg_config); index++) {
408 if (algorithm == g_alg_config[index].alg)
409 return g_alg_config[index].check_keysize(max_key_size);
410 }
411
412 return TEE_ERROR_NOT_SUPPORTED;
413 }
414
415 #define TEE_TYPE_KEYPAIR_OFFSET 0x1000000
416 /* Check if key object type is compatible with operation algorithm */
crypto_check_keytype_valid(uint32_t alg,uint32_t type)417 bool crypto_check_keytype_valid(uint32_t alg, uint32_t type)
418 {
419 size_t index;
420
421 for (index = 0; index < ELEM_NUMS(g_alg_config); index++) {
422 if (alg == g_alg_config[index].alg)
423 break;
424 }
425 if (index == ELEM_NUMS(g_alg_config))
426 return false;
427
428 if (type == g_alg_config[index].keytype)
429 return true;
430
431 switch (g_alg_config[index].keytype) {
432 case TEE_TYPE_RSA_PUBLIC_KEY:
433 case TEE_TYPE_DSA_PUBLIC_KEY:
434 case TEE_TYPE_ECDSA_PUBLIC_KEY:
435 case TEE_TYPE_ECDH_PUBLIC_KEY:
436 case TEE_TYPE_ED25519_PUBLIC_KEY:
437 case TEE_TYPE_X25519_PUBLIC_KEY:
438 case TEE_TYPE_SM2_DSA_PUBLIC_KEY:
439 case TEE_TYPE_SM2_KEP_PUBLIC_KEY:
440 case TEE_TYPE_SM2_PKE_PUBLIC_KEY:
441 if (type == (g_alg_config[index].keytype + TEE_TYPE_KEYPAIR_OFFSET))
442 return true;
443 break;
444 default:
445 return false;
446 }
447 return false;
448 }
449
crypto_check_alg_supported(uint32_t alg,uint32_t element)450 bool crypto_check_alg_supported(uint32_t alg, uint32_t element)
451 {
452 size_t index;
453
454 if (alg == TEE_ALG_ECDH_DERIVE_SHARED_SECRET) {
455 if ((element == TEE_ECC_CURVE_NIST_P192) || (element == TEE_ECC_CURVE_NIST_P224) ||
456 (element == TEE_ECC_CURVE_NIST_P256) || (element == TEE_ECC_CURVE_NIST_P384) ||
457 (element == TEE_ECC_CURVE_NIST_P521))
458 return true;
459 }
460 for (index = 0; index < ELEM_NUMS(g_alg_config); index++) {
461 if ((alg == g_alg_config[index].alg) && (element == g_alg_config[index].element))
462 return true;
463 }
464
465 return false;
466 }
467
468 static const uint32_t g_supported_object_type[] = {
469 TEE_TYPE_AES,
470 TEE_TYPE_SM4,
471 TEE_TYPE_HMAC_SM3,
472 TEE_TYPE_HMAC_SHA1,
473 TEE_TYPE_HMAC_SHA224,
474 TEE_TYPE_HMAC_SHA256,
475 TEE_TYPE_HMAC_SHA384,
476 TEE_TYPE_HMAC_SHA512,
477 TEE_TYPE_GENERIC_SECRET,
478 TEE_TYPE_RSA_PUBLIC_KEY,
479 TEE_TYPE_RSA_KEYPAIR,
480 TEE_TYPE_DSA_PUBLIC_KEY,
481 TEE_TYPE_DSA_KEYPAIR,
482 TEE_TYPE_DH_KEYPAIR,
483 TEE_TYPE_ECDSA_PUBLIC_KEY,
484 TEE_TYPE_ECDH_PUBLIC_KEY,
485 TEE_TYPE_ECDSA_KEYPAIR,
486 TEE_TYPE_ECDH_KEYPAIR,
487 TEE_TYPE_SM2_DSA_PUBLIC_KEY,
488 TEE_TYPE_SM2_KEP_PUBLIC_KEY,
489 TEE_TYPE_SM2_PKE_PUBLIC_KEY,
490 TEE_TYPE_SM2_DSA_KEYPAIR,
491 TEE_TYPE_SM2_KEP_KEYPAIR,
492 TEE_TYPE_SM2_PKE_KEYPAIR,
493 TEE_TYPE_SIP_HASH,
494 #ifdef CRYPTO_SSL_SUPPORT_EC25519
495 TEE_TYPE_ED25519_PUBLIC_KEY,
496 TEE_TYPE_ED25519_KEYPAIR,
497 TEE_TYPE_X25519_PUBLIC_KEY,
498 TEE_TYPE_X25519_KEYPAIR,
499 #endif
500 TEE_TYPE_DATA,
501 TEE_TYPE_DATA_GP1_1,
502 TEE_TYPE_PBKDF2_HMAC,
503 };
crypto_object_type_supported(uint32_t object_type)504 bool crypto_object_type_supported(uint32_t object_type)
505 {
506 size_t index;
507
508 for (index = 0; index < ELEM_NUMS(g_supported_object_type); index++) {
509 if (object_type == g_supported_object_type[index])
510 return true;
511 }
512
513 return false;
514 }
515
516 #define ARRAY_END 0
517 struct safe_alg_and_key_size_t {
518 uint32_t alg_or_type;
519 uint32_t min_safe_key_size;
520 };
521
522 static const struct safe_alg_and_key_size_t g_unsafe_alg_with_key[] = {
523 { TEE_ALG_RSASSA_PKCS1_V1_5_MD5, RSA_SAFE_KEY_SIZE_MIN},
524 { TEE_ALG_RSASSA_PKCS1_V1_5_SHA1, RSA_SAFE_KEY_SIZE_MIN},
525 { TEE_ALG_RSASSA_PKCS1_V1_5_SHA224, RSA_SAFE_KEY_SIZE_MIN},
526 { TEE_ALG_RSASSA_PKCS1_V1_5_SHA256, RSA_SAFE_KEY_SIZE_MIN},
527 { TEE_ALG_RSASSA_PKCS1_V1_5_SHA384, RSA_SAFE_KEY_SIZE_MIN},
528 { TEE_ALG_RSASSA_PKCS1_V1_5_SHA512, RSA_SAFE_KEY_SIZE_MIN},
529 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5, RSA_SAFE_KEY_SIZE_MIN},
530 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1, RSA_SAFE_KEY_SIZE_MIN},
531 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224, RSA_SAFE_KEY_SIZE_MIN},
532 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256, RSA_SAFE_KEY_SIZE_MIN},
533 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384, RSA_SAFE_KEY_SIZE_MIN},
534 { TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512, RSA_SAFE_KEY_SIZE_MIN},
535 { TEE_ALG_RSAES_PKCS1_V1_5, RSA_SAFE_KEY_SIZE_MIN},
536 { TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1, RSA_SAFE_KEY_SIZE_MIN},
537 { TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224, RSA_SAFE_KEY_SIZE_MIN},
538 { TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256, RSA_SAFE_KEY_SIZE_MIN},
539 { TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384, RSA_SAFE_KEY_SIZE_MIN},
540 { TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512, RSA_SAFE_KEY_SIZE_MIN},
541 { TEE_ALG_RSA_NOPAD, RSA_SAFE_KEY_SIZE_MIN},
542 { TEE_ALG_DH_DERIVE_SHARED_SECRET, DH_SAFE_KEY_SIZE_MIN },
543 { TEE_ALG_ECDSA_SHA1, ECDSA_SAFE_KEY_SIZE_MIN},
544 { TEE_ALG_ECDSA_SHA224, ECDSA_SAFE_KEY_SIZE_MIN},
545 { TEE_ALG_ECDSA_SHA256, ECDSA_SAFE_KEY_SIZE_MIN},
546 { TEE_ALG_ECDSA_SHA384, ECDSA_SAFE_KEY_SIZE_MIN},
547 { TEE_ALG_ECDSA_SHA512, ECDSA_SAFE_KEY_SIZE_MIN},
548 { TEE_ALG_ECDH_DERIVE_SHARED_SECRET, ECDH_SAFE_KEY_SIZE_MIN},
549 { TEE_ALG_ECDH_P224, ECDH_SAFE_KEY_SIZE_MIN},
550 { TEE_ALG_ECDH_P256, ECDH_SAFE_KEY_SIZE_MIN},
551 { TEE_ALG_ECDH_P384, ECDH_SAFE_KEY_SIZE_MIN},
552 { TEE_ALG_ECDH_P521, ECDH_SAFE_KEY_SIZE_MIN},
553 { ARRAY_END, ARRAY_END },
554 };
555
556 static const struct safe_alg_and_key_size_t g_unsafe_type_with_key[] = {
557 { TEE_TYPE_RSA_PUBLIC_KEY, RSA_SAFE_KEY_SIZE_MIN},
558 { TEE_TYPE_RSA_KEYPAIR, RSA_SAFE_KEY_SIZE_MIN},
559 { TEE_TYPE_DH_KEYPAIR, DH_SAFE_KEY_SIZE_MIN },
560 { TEE_TYPE_ECDSA_PUBLIC_KEY, ECDSA_SAFE_KEY_SIZE_MIN},
561 { TEE_TYPE_ECDSA_KEYPAIR, ECDSA_SAFE_KEY_SIZE_MIN},
562 { TEE_TYPE_ECDH_PUBLIC_KEY, ECDH_SAFE_KEY_SIZE_MIN},
563 { TEE_TYPE_ECDH_KEYPAIR, ECDH_SAFE_KEY_SIZE_MIN},
564 { ARRAY_END, ARRAY_END },
565 };
566
check_if_unsafe_alg(uint32_t alg,uint32_t key_size)567 TEE_Result check_if_unsafe_alg(uint32_t alg, uint32_t key_size)
568 {
569 for (size_t index = 0; index < ELEM_NUM(g_unsafe_alg_with_key); index++) {
570 if (alg == g_unsafe_alg_with_key[index].alg_or_type) {
571 if (key_size < g_unsafe_alg_with_key[index].min_safe_key_size) {
572 tloge("the algorithm 0x%x with key size %u is unsafe and not support\n", alg, key_size);
573 return TEE_ERROR_NOT_SUPPORTED;
574 }
575 }
576 }
577 return TEE_SUCCESS;
578 }
579
check_if_unsafe_type(uint32_t obj_type,uint32_t key_size)580 TEE_Result check_if_unsafe_type(uint32_t obj_type, uint32_t key_size)
581 {
582 for (size_t index = 0; index < ELEM_NUM(g_unsafe_type_with_key); index++) {
583 if (obj_type == g_unsafe_type_with_key[index].alg_or_type) {
584 if (key_size < g_unsafe_type_with_key[index].min_safe_key_size) {
585 tloge("the algorithm 0x%x with key size %u is unsafe and not support\n", obj_type, key_size);
586 return TEE_ERROR_NOT_SUPPORTED;
587 }
588 }
589 }
590 return TEE_SUCCESS;
591 }
592