Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / b7361134bff4d3d7ef1d5a3c60e50c9952dc2b56 / . / rsa_operation.cpp
blob: 14df611b2161651a266c2eb28acdf0da5965b8a1 [file] [log] [blame]
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]17#include <limits.h>
18
19#include <openssl/err.h>
Shawn Willden5f42dba2015-01-20 11:45:19 -0700[diff] [blame]20#include <openssl/evp.h>
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]21#include <openssl/rsa.h>
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]22
23#include "rsa_operation.h"
24#include "openssl_utils.h"
25
26namespace keymaster {
27
28struct RSA_Delete {
29 void operator()(RSA* p) const { RSA_free(p); }
30};
31
32RsaOperation::~RsaOperation() {
33 if (rsa_key_ != NULL)
34 RSA_free(rsa_key_);
35}
36
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]37keymaster_error_t RsaOperation::Update(const Buffer& input, Buffer* /* output */,
38 size_t* input_consumed) {
39 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]40 switch (purpose()) {
41 default:
42 return KM_ERROR_UNIMPLEMENTED;
43 case KM_PURPOSE_SIGN:
44 case KM_PURPOSE_VERIFY:
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]45 case KM_PURPOSE_ENCRYPT:
46 case KM_PURPOSE_DECRYPT:
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]47 return StoreData(input, input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]48 }
49}
50
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]51keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
52 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]53 if (!data_.reserve(data_.available_read() + input.available_read()) ||
54 !data_.write(input.peek_read(), input.available_read()))
55 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]56 *input_consumed = input.available_read();
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]57 return KM_ERROR_OK;
58}
59
60keymaster_error_t RsaSignOperation::Finish(const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]61 assert(output);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]62 output->Reinitialize(RSA_size(rsa_key_));
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]63 int bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
64 output->peek_write(), rsa_key_, RSA_NO_PADDING);
65 if (bytes_encrypted < 0)
66 return KM_ERROR_UNKNOWN_ERROR;
67 assert(bytes_encrypted == RSA_size(rsa_key_));
68 output->advance_write(bytes_encrypted);
69 return KM_ERROR_OK;
70}
71
72keymaster_error_t RsaVerifyOperation::Finish(const Buffer& signature, Buffer* /* output */) {
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]73#if defined(OPENSSL_IS_BORINGSSL)
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]74 size_t message_size = data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]75#else
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]76 if (data_.available_read() > INT_MAX)
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]77 return KM_ERROR_INVALID_INPUT_LENGTH;
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]78 int message_size = (int)data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]79#endif
80
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]81 if (message_size != RSA_size(rsa_key_))
82 return KM_ERROR_INVALID_INPUT_LENGTH;
83
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]84 if (data_.available_read() != signature.available_read())
85 return KM_ERROR_VERIFICATION_FAILED;
86
87 UniquePtr<uint8_t[]> decrypted_data(new uint8_t[RSA_size(rsa_key_)]);
88 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
89 decrypted_data.get(), rsa_key_, RSA_NO_PADDING);
90 if (bytes_decrypted < 0)
91 return KM_ERROR_UNKNOWN_ERROR;
92 assert(bytes_decrypted == RSA_size(rsa_key_));
93
94 if (memcmp_s(decrypted_data.get(), data_.peek_read(), data_.available_read()) == 0)
95 return KM_ERROR_OK;
96 return KM_ERROR_VERIFICATION_FAILED;
97}
98
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]99const int OAEP_PADDING_OVERHEAD = 41;
100const int PKCS1_PADDING_OVERHEAD = 11;
101
102keymaster_error_t RsaEncryptOperation::Finish(const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]103 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]104 int openssl_padding;
105
106#if defined(OPENSSL_IS_BORINGSSL)
107 size_t message_size = data_.available_read();
108#else
109 if (data_.available_read() > INT_MAX)
110 return KM_ERROR_INVALID_INPUT_LENGTH;
111 int message_size = (int)data_.available_read();
112#endif
113
114 switch (padding_) {
115 case KM_PAD_RSA_OAEP:
116 openssl_padding = RSA_PKCS1_OAEP_PADDING;
117 if (message_size >= RSA_size(rsa_key_) - OAEP_PADDING_OVERHEAD) {
118 logger().error("Cannot encrypt %d bytes with %d-byte key and OAEP padding",
119 data_.available_read(), RSA_size(rsa_key_));
120 return KM_ERROR_INVALID_INPUT_LENGTH;
121 }
122 break;
123 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
124 openssl_padding = RSA_PKCS1_PADDING;
125 if (message_size >= RSA_size(rsa_key_) - PKCS1_PADDING_OVERHEAD) {
126 logger().error("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding",
127 data_.available_read(), RSA_size(rsa_key_));
128 return KM_ERROR_INVALID_INPUT_LENGTH;
129 }
130 break;
131 default:
132 logger().error("Padding mode %d not supported", padding_);
133 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
134 }
135
136 output->Reinitialize(RSA_size(rsa_key_));
137 int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(),
138 output->peek_write(), rsa_key_, openssl_padding);
139
140 if (bytes_encrypted < 0) {
141 logger().error("Error %d encrypting data with RSA", ERR_get_error());
142 return KM_ERROR_UNKNOWN_ERROR;
143 }
144 assert(bytes_encrypted == RSA_size(rsa_key_));
145 output->advance_write(bytes_encrypted);
146
147 return KM_ERROR_OK;
148}
149
150keymaster_error_t RsaDecryptOperation::Finish(const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame^]151 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]152 int openssl_padding;
153 switch (padding_) {
154 case KM_PAD_RSA_OAEP:
155 openssl_padding = RSA_PKCS1_OAEP_PADDING;
156 break;
157 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
158 openssl_padding = RSA_PKCS1_PADDING;
159 break;
160 default:
161 logger().error("Padding mode %d not supported", padding_);
162 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
163 }
164
165 output->Reinitialize(RSA_size(rsa_key_));
166 int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(),
167 output->peek_write(), rsa_key_, openssl_padding);
168
169 if (bytes_decrypted < 0) {
170 logger().error("Error %d decrypting data with RSA", ERR_get_error());
171 return KM_ERROR_UNKNOWN_ERROR;
172 }
173 output->advance_write(bytes_decrypted);
174
175 return KM_ERROR_OK;
176}
177
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]178} // namespace keymaster