aes_operation.cpp revision 31e063f8ed913369eb30648537fb5827dfd7a0d3
1/* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <stdio.h> 18 19#include <openssl/aes.h> 20#include <openssl/err.h> 21#include <openssl/rand.h> 22 23#include <keymaster/logger.h> 24 25#include "aes_key.h" 26#include "aes_operation.h" 27#include "openssl_err.h" 28 29namespace keymaster { 30 31/** 32 * Abstract base for AES operation factories. This class does all of the work to create 33 * AES operations. 34 */ 35class AesOperationFactory : public OperationFactory { 36 public: 37 virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_AES, purpose()); } 38 39 virtual Operation* CreateOperation(const Key& key, const AuthorizationSet& begin_params, 40 keymaster_error_t* error); 41 virtual const keymaster_block_mode_t* SupportedBlockModes(size_t* block_mode_count) const; 42 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_count) const; 43 44 virtual keymaster_purpose_t purpose() const = 0; 45 46 private: 47 virtual Operation* CreateEvpOperation(const SymmetricKey& key, 48 keymaster_block_mode_t block_mode, 49 keymaster_padding_t padding, bool caller_iv, 50 keymaster_error_t* error); 51}; 52 53Operation* AesOperationFactory::CreateOperation(const Key& key, 54 const AuthorizationSet& begin_params, 55 keymaster_error_t* error) { 56 *error = KM_ERROR_OK; 57 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key); 58 59 switch (symmetric_key->key_data_size()) { 60 case 16: 61 case 24: 62 case 32: 63 break; 64 default: 65 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE; 66 return nullptr; 67 } 68 69 keymaster_block_mode_t block_mode; 70 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) { 71 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE)); 72 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE; 73 return nullptr; 74 } else if (!supported(block_mode)) { 75 LOG_E("Block mode %d not supported", block_mode); 76 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE; 77 return nullptr; 78 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) { 79 LOG_E("Block mode %d was specified, but not authorized by key", block_mode); 80 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE; 81 return nullptr; 82 } 83 84 keymaster_padding_t padding = KM_PAD_NONE; 85 begin_params.GetTagValue(TAG_PADDING, &padding); 86 if (!key.authorizations().GetTagValue(TAG_PADDING, &padding)) { 87 LOG_E("Padding mode %d was specified, but not authorized by key", padding); 88 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 89 } 90 91 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE); 92 93 if (*error != KM_ERROR_OK) 94 return nullptr; 95 96 switch (block_mode) { 97 case KM_MODE_ECB: 98 case KM_MODE_CBC: 99 return CreateEvpOperation(*symmetric_key, block_mode, padding, caller_nonce, error); 100 case KM_MODE_CTR: 101 if (padding != KM_PAD_NONE) { 102 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 103 return nullptr; 104 } 105 return CreateEvpOperation(*symmetric_key, block_mode, padding, caller_nonce, error); 106 default: 107 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE; 108 return nullptr; 109 } 110} 111 112Operation* AesOperationFactory::CreateEvpOperation(const SymmetricKey& key, 113 keymaster_block_mode_t block_mode, 114 keymaster_padding_t padding, bool caller_iv, 115 keymaster_error_t* error) { 116 Operation* op = NULL; 117 switch (purpose()) { 118 case KM_PURPOSE_ENCRYPT: 119 op = new AesEvpEncryptOperation(block_mode, padding, caller_iv, key.key_data(), 120 key.key_data_size()); 121 break; 122 case KM_PURPOSE_DECRYPT: 123 op = new AesEvpDecryptOperation(block_mode, padding, key.key_data(), key.key_data_size()); 124 break; 125 default: 126 *error = KM_ERROR_UNSUPPORTED_PURPOSE; 127 return NULL; 128 } 129 130 if (!op) 131 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 132 return op; 133} 134 135static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC, 136 KM_MODE_CTR}; 137 138const keymaster_block_mode_t* 139AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const { 140 *block_mode_count = array_length(supported_block_modes); 141 return supported_block_modes; 142} 143 144static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7}; 145const keymaster_padding_t* 146AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 147 *padding_mode_count = array_length(supported_padding_modes); 148 return supported_padding_modes; 149} 150 151/** 152 * Concrete factory for AES encryption operations. 153 */ 154class AesEncryptionOperationFactory : public AesOperationFactory { 155 keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; } 156}; 157static OperationFactoryRegistry::Registration<AesEncryptionOperationFactory> encrypt_registration; 158 159/** 160 * Concrete factory for AES decryption operations. 161 */ 162class AesDecryptionOperationFactory : public AesOperationFactory { 163 keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; } 164}; 165static OperationFactoryRegistry::Registration<AesDecryptionOperationFactory> decrypt_registration; 166 167AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode, 168 keymaster_padding_t padding, bool caller_iv, const uint8_t* key, 169 size_t key_size) 170 : Operation(purpose), key_size_(key_size), block_mode_(block_mode), padding_(padding), 171 caller_iv_(caller_iv) { 172 memcpy(key_, key, key_size_); 173 EVP_CIPHER_CTX_init(&ctx_); 174} 175 176AesEvpOperation::~AesEvpOperation() { 177 EVP_CIPHER_CTX_cleanup(&ctx_); 178} 179 180keymaster_error_t AesEvpOperation::InitializeCipher() { 181 const EVP_CIPHER* cipher; 182 switch (block_mode_) { 183 case KM_MODE_ECB: 184 switch (key_size_) { 185 case 16: 186 cipher = EVP_aes_128_ecb(); 187 break; 188 case 24: 189 cipher = EVP_aes_192_ecb(); 190 break; 191 case 32: 192 cipher = EVP_aes_256_ecb(); 193 break; 194 default: 195 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 196 } 197 break; 198 case KM_MODE_CBC: 199 switch (key_size_) { 200 case 16: 201 cipher = EVP_aes_128_cbc(); 202 break; 203 case 24: 204 cipher = EVP_aes_192_cbc(); 205 break; 206 case 32: 207 cipher = EVP_aes_256_cbc(); 208 break; 209 default: 210 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 211 } 212 break; 213 case KM_MODE_CTR: 214 switch (key_size_) { 215 case 16: 216 cipher = EVP_aes_128_ctr(); 217 break; 218 case 24: 219 cipher = EVP_aes_192_ctr(); 220 break; 221 case 32: 222 cipher = EVP_aes_256_ctr(); 223 break; 224 default: 225 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 226 } 227 break; 228 default: 229 return KM_ERROR_UNSUPPORTED_BLOCK_MODE; 230 } 231 232 int init_result = 233 EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()); 234 235 if (!init_result) 236 return TranslateLastOpenSslError(); 237 238 switch (padding_) { 239 case KM_PAD_NONE: 240 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */); 241 break; 242 case KM_PAD_PKCS7: 243 // This is the default for OpenSSL EVP cipher operations. 244 break; 245 default: 246 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 247 } 248 249 return KM_ERROR_OK; 250} 251 252bool AesEvpOperation::need_iv() const { 253 switch (block_mode_) { 254 case KM_MODE_CBC: 255 case KM_MODE_CTR: 256 return true; 257 case KM_MODE_ECB: 258 return false; 259 default: 260 // Shouldn't get here. 261 assert(false); 262 return false; 263 } 264} 265 266keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& input_params, 267 AuthorizationSet* output_params) { 268 if (!output_params) 269 return KM_ERROR_OUTPUT_PARAMETER_NULL; 270 271 keymaster_error_t error = KM_ERROR_OK; 272 if (need_iv()) { 273 switch (purpose()) { 274 case KM_PURPOSE_ENCRYPT: 275 if (input_params.find(TAG_NONCE) == -1) 276 error = GenerateIv(); 277 else if (caller_iv_) 278 error = GetIv(input_params); 279 else 280 error = KM_ERROR_CALLER_NONCE_PROHIBITED; 281 282 if (error == KM_ERROR_OK) 283 output_params->push_back(TAG_NONCE, iv_.get(), AES_BLOCK_SIZE); 284 break; 285 286 case KM_PURPOSE_DECRYPT: 287 error = GetIv(input_params); 288 break; 289 default: 290 return KM_ERROR_UNSUPPORTED_PURPOSE; 291 } 292 } 293 294 if (error == KM_ERROR_OK) 295 error = InitializeCipher(); 296 297 return error; 298} 299 300keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) { 301 keymaster_blob_t iv_blob; 302 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) { 303 LOG_E("No IV provided", 0); 304 return KM_ERROR_INVALID_ARGUMENT; 305 } 306 if (iv_blob.data_length != AES_BLOCK_SIZE) { 307 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE, 308 iv_blob.data_length); 309 return KM_ERROR_INVALID_NONCE; 310 } 311 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length)); 312 if (!iv_.get()) 313 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 314 return KM_ERROR_OK; 315} 316 317keymaster_error_t AesEvpOperation::GenerateIv() { 318 iv_.reset(new uint8_t[AES_BLOCK_SIZE]); 319 if (!iv_.get()) 320 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 321 if (RAND_bytes(iv_.get(), AES_BLOCK_SIZE) != 1) 322 return TranslateLastOpenSslError(); 323 return KM_ERROR_OK; 324} 325 326inline size_t min(size_t a, size_t b) { 327 if (a < b) 328 return a; 329 return b; 330} 331 332keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& /* additional_params */, 333 const Buffer& input, Buffer* output, 334 size_t* input_consumed) { 335 output->reserve(input.available_read() + AES_BLOCK_SIZE); 336 337 const uint8_t* input_pos = input.peek_read(); 338 const uint8_t* input_end = input_pos + input.available_read(); 339 340 int output_written = -1; 341 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input_pos, 342 input_end - input_pos)) 343 return TranslateLastOpenSslError(); 344 345 assert(output_written >= 0); 346 assert(output_written <= (int)output->available_write()); 347 output->advance_write(output_written); 348 *input_consumed = input.available_read(); 349 return KM_ERROR_OK; 350} 351 352keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */, 353 const Buffer& /* signature */, Buffer* output) { 354 output->reserve(AES_BLOCK_SIZE); 355 356 int output_written = -1; 357 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) { 358 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL)); 359 return TranslateLastOpenSslError(); 360 } 361 362 assert(output_written <= AES_BLOCK_SIZE); 363 output->advance_write(output_written); 364 return KM_ERROR_OK; 365} 366 367keymaster_error_t AesEvpOperation::Abort() { 368 return KM_ERROR_OK; 369} 370 371} // namespace keymaster 372