Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / dfa1c030e941cba4e66b362854d84b19298353c9 / . / aes_operation.cpp
blob: 701e55f43493c57c7cd46863f8d9c46490c55f07 [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]17#include <stdio.h>
18
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]19#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]20#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]21#include <openssl/rand.h>
22
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]23#include <keymaster/logger.h>
24
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]25#include "aes_key.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]26#include "aes_operation.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]27#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]28
29namespace keymaster {
30
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]31/**
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]32 * Abstract base for AES operation factories. This class does all of the work to create
33 * AES operations.
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]34 */
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]35class AesOperationFactory : public OperationFactory {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]36 public:
37 virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_AES, purpose()); }
38
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]39 virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]40 virtual const keymaster_block_mode_t* SupportedBlockModes(size_t* block_mode_count) const;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]41 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_count) const;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]42
43 virtual keymaster_purpose_t purpose() const = 0;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]44
45 private:
46 virtual Operation* CreateOcbOperation(const SymmetricKey& key, keymaster_error_t* error);
47 virtual Operation* CreateEvpOperation(const SymmetricKey& key,
48 keymaster_block_mode_t block_mode,
49 keymaster_padding_t padding, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]50};
51
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]52Operation* AesOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]53 *error = KM_ERROR_OK;
54
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]55 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
56 if (!symmetric_key) {
57 *error = KM_ERROR_UNKNOWN_ERROR;
58 return NULL;
59 }
60
61 switch (symmetric_key->key_data_size()) {
62 case 16:
63 case 24:
64 case 32:
65 break;
66 default:
67 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
68 return NULL;
69 }
70
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]71 keymaster_block_mode_t block_mode;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]72 if (!key.authorizations().GetTagValue(TAG_BLOCK_MODE, &block_mode) || !supported(block_mode))
73 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
74
75 keymaster_padding_t padding = KM_PAD_NONE;
76 key.authorizations().GetTagValue(TAG_PADDING, &padding);
77
78 if (*error != KM_ERROR_OK)
79 return NULL;
80
81 switch (block_mode) {
82 case KM_MODE_OCB:
83 if (padding != KM_PAD_NONE) {
84 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
85 return NULL;
86 }
87 return CreateOcbOperation(*symmetric_key, error);
88 case KM_MODE_ECB:
89 case KM_MODE_CBC:
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]90 return CreateEvpOperation(*symmetric_key, block_mode, padding, error);
91 default:
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]92 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
93 return NULL;
94 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]95}
96
97Operation* AesOperationFactory::CreateOcbOperation(const SymmetricKey& key,
98 keymaster_error_t* error) {
99 *error = KM_ERROR_OK;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]100
101 uint32_t chunk_length;
102 if (!key.authorizations().GetTagValue(TAG_CHUNK_LENGTH, &chunk_length) ||
103 chunk_length > AeadModeOperation::MAX_CHUNK_LENGTH)
104 // TODO(swillden): Create and use a better return code.
105 *error = KM_ERROR_INVALID_ARGUMENT;
106
107 uint32_t tag_length;
108 if (!key.authorizations().GetTagValue(TAG_MAC_LENGTH, &tag_length) ||
109 tag_length > AeadModeOperation::MAX_TAG_LENGTH)
110 // TODO(swillden): Create and use a better return code.
111 *error = KM_ERROR_INVALID_ARGUMENT;
112
113 keymaster_padding_t padding;
114 if (key.authorizations().GetTagValue(TAG_PADDING, &padding) && padding != KM_PAD_NONE)
115 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
116
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]117 if (*error != KM_ERROR_OK)
118 return NULL;
119
Shawn Willdendfa1c032015-02-07 00:39:01 -0700[diff] [blame^]120 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]121
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]122 Operation* op = new AesOcbOperation(purpose(), key.key_data(), key.key_data_size(),
Shawn Willdendfa1c032015-02-07 00:39:01 -0700[diff] [blame^]123 chunk_length, tag_length, caller_nonce);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]124 if (!op)
125 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
126 return op;
127}
128
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]129Operation* AesOperationFactory::CreateEvpOperation(const SymmetricKey& key,
130 keymaster_block_mode_t block_mode,
131 keymaster_padding_t padding,
132 keymaster_error_t* error) {
133 Operation* op = NULL;
134 switch (purpose()) {
135 case KM_PURPOSE_ENCRYPT:
136 op = new AesEvpEncryptOperation(block_mode, padding, key.key_data(), key.key_data_size());
137 break;
138 case KM_PURPOSE_DECRYPT:
139 op = new AesEvpDecryptOperation(block_mode, padding, key.key_data(), key.key_data_size());
140 break;
141 default:
142 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
143 return NULL;
144 }
145
146 if (!op)
147 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
148 return op;
149}
150
151static const keymaster_block_mode_t supported_block_modes[] = {
Shawn Willden498e0aa2015-03-04 15:35:45 -0700[diff] [blame]152 KM_MODE_OCB, KM_MODE_ECB, KM_MODE_CBC};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]153
154const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]155AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]156 *block_mode_count = array_length(supported_block_modes);
157 return supported_block_modes;
158}
159
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]160static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
161const keymaster_padding_t*
162AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
163 *padding_mode_count = array_length(supported_padding_modes);
164 return supported_padding_modes;
165}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]166
167/**
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]168 * Concrete factory for AES encryption operations.
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]169 */
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]170class AesEncryptionOperationFactory : public AesOperationFactory {
171 keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; }
172};
173static OperationFactoryRegistry::Registration<AesEncryptionOperationFactory> encrypt_registration;
174
175/**
176 * Concrete factory for AES decryption operations.
177 */
178class AesDecryptionOperationFactory : public AesOperationFactory {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]179 keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; }
180};
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]181static OperationFactoryRegistry::Registration<AesDecryptionOperationFactory> decrypt_registration;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]182
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]183keymaster_error_t AesOcbOperation::Initialize(uint8_t* key, size_t key_size, size_t nonce_length,
184 size_t tag_length) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]185 if (tag_length > MAX_TAG_LENGTH || nonce_length > MAX_NONCE_LENGTH)
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]186 return KM_ERROR_INVALID_KEY_BLOB;
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]187
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]188 if (ae_init(ctx(), key, key_size, nonce_length, tag_length) != AE_SUCCESS) {
189 memset_s(ctx(), 0, ae_ctx_sizeof());
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]190 return KM_ERROR_UNKNOWN_ERROR;
191 }
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]192 return KM_ERROR_OK;
193}
194
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]195keymaster_error_t AesOcbOperation::EncryptChunk(const uint8_t* nonce, size_t /* nonce_length */,
196 size_t tag_length,
197 const keymaster_blob_t additional_data,
198 uint8_t* chunk, size_t chunk_size, Buffer* output) {
199 if (!ctx())
200 return KM_ERROR_UNKNOWN_ERROR;
201 uint8_t __attribute__((aligned(16))) tag[MAX_TAG_LENGTH];
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]202
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]203 // Encrypt chunk in place.
204 int ae_err = ae_encrypt(ctx(), nonce, chunk, chunk_size, additional_data.data,
205 additional_data.data_length, chunk, tag, AE_FINALIZE);
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]206
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]207 if (ae_err < 0)
208 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]209 assert(ae_err == (int)buffered_data_length());
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]210
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]211 output->write(chunk, buffered_data_length());
212 output->write(tag, tag_length);
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]213
214 return KM_ERROR_OK;
215}
216
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]217keymaster_error_t AesOcbOperation::DecryptChunk(const uint8_t* nonce, size_t /* nonce_length */,
218 const uint8_t* tag, size_t /* tag_length */,
219 const keymaster_blob_t additional_data,
220 uint8_t* chunk, size_t chunk_size, Buffer* output) {
221 if (!ctx())
222 return KM_ERROR_UNKNOWN_ERROR;
223
224 // Decrypt chunk in place
225 int ae_err = ae_decrypt(ctx(), nonce, chunk, chunk_size, additional_data.data,
226 additional_data.data_length, chunk, tag, AE_FINALIZE);
227 if (ae_err == AE_INVALID)
228 return KM_ERROR_VERIFICATION_FAILED;
229 else if (ae_err < 0)
230 return KM_ERROR_UNKNOWN_ERROR;
231 assert(ae_err == (int)buffered_data_length());
232 output->write(chunk, chunk_size);
233
234 return KM_ERROR_OK;
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]235}
236
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]237AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
238 keymaster_padding_t padding, const uint8_t* key, size_t key_size)
239 : Operation(purpose), key_size_(key_size), block_mode_(block_mode), padding_(padding),
240 cipher_initialized_(false), iv_buffered_(0) {
241 memcpy(key_, key, key_size_);
242 EVP_CIPHER_CTX_init(&ctx_);
243}
244
245AesEvpOperation::~AesEvpOperation() {
246 EVP_CIPHER_CTX_cleanup(&ctx_);
247}
248
249keymaster_error_t AesEvpOperation::InitializeCipher() {
250 const EVP_CIPHER* cipher;
251 switch (block_mode_) {
252 case KM_MODE_ECB:
253 switch (key_size_) {
254 case 16:
255 cipher = EVP_aes_128_ecb();
256 break;
257 case 24:
258 cipher = EVP_aes_192_ecb();
259 break;
260 case 32:
261 cipher = EVP_aes_256_ecb();
262 break;
263 default:
264 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
265 }
266 break;
267 case KM_MODE_CBC:
268 switch (key_size_) {
269 case 16:
270 cipher = EVP_aes_128_cbc();
271 break;
272 case 24:
273 cipher = EVP_aes_192_cbc();
274 break;
275 case 32:
276 cipher = EVP_aes_256_cbc();
277 break;
278 default:
279 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
280 }
281 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]282 default:
283 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
284 }
285
286 int init_result =
287 EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_, evp_encrypt_mode());
288
289 if (!init_result)
290 return KM_ERROR_UNKNOWN_ERROR;
291
292 switch (padding_) {
293 case KM_PAD_NONE:
294 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
295 break;
296 case KM_PAD_PKCS7:
297 // This is the default for OpenSSL EVP cipher operations.
298 break;
299 default:
300 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
301 }
302
303 cipher_initialized_ = true;
304 return KM_ERROR_OK;
305}
306
307bool AesEvpOperation::need_iv() const {
308 switch (block_mode_) {
309 case KM_MODE_CBC:
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]310 return true;
311 case KM_MODE_ECB:
312 return false;
313 default:
314 // Shouldn't get here.
315 assert(false);
316 return false;
317 }
318}
319
320keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
321 AuthorizationSet* /* output_params */) {
322 return KM_ERROR_OK;
323}
324
325inline size_t min(size_t a, size_t b) {
326 if (a < b)
327 return a;
328 return b;
329}
330
331keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& /* additional_params */,
332 const Buffer& input, Buffer* output,
333 size_t* input_consumed) {
334 output->reserve(input.available_read() + AES_BLOCK_SIZE);
335
336 const uint8_t* input_pos = input.peek_read();
337 const uint8_t* input_end = input_pos + input.available_read();
338
339 if (!cipher_initialized_) {
340 if (need_iv()) {
341 switch (purpose()) {
342 case KM_PURPOSE_DECRYPT: {
343 size_t iv_bytes_to_copy = min(input_end - input_pos, AES_BLOCK_SIZE - iv_buffered_);
344 memcpy(iv_ + iv_buffered_, input_pos, iv_bytes_to_copy);
345 input_pos += iv_bytes_to_copy;
346 iv_buffered_ += iv_bytes_to_copy;
347
348 if (iv_buffered_ < AES_BLOCK_SIZE) {
349 // Don't yet have enough IV bytes. Wait for another update.
350 return KM_ERROR_OK;
351 }
352 } break;
353 case KM_PURPOSE_ENCRYPT:
354 if (!RAND_bytes(iv_, AES_BLOCK_SIZE))
355 return TranslateLastOpenSslError();
356 output->write(iv_, AES_BLOCK_SIZE);
357 break;
358 default:
359 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
360 }
361 }
362
363 keymaster_error_t error = InitializeCipher();
364 if (error != KM_ERROR_OK)
365 return error;
366 }
367
368 int output_written = -1;
369 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input_pos,
370 input_end - input_pos))
371 return TranslateLastOpenSslError();
372
373 assert(output_written >= 0);
374 assert(output_written <= (int)output->available_write());
375 output->advance_write(output_written);
376 *input_consumed = input.available_read();
377 return KM_ERROR_OK;
378}
379
380keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
381 const Buffer& /* signature */, Buffer* output) {
382 output->reserve(AES_BLOCK_SIZE);
383
384 int output_written = -1;
385 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
386 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
387 return TranslateLastOpenSslError();
388 }
389
390 assert(output_written <= AES_BLOCK_SIZE);
391 output->advance_write(output_written);
392 return KM_ERROR_OK;
393}
394
395keymaster_error_t AesEvpOperation::Abort() {
396 return KM_ERROR_OK;
397}
398
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]399} // namespace keymaster