Add HMAC-based extract-and-expand key derivation function (HKDF)

HKDF (http://tools.ietf.org/html/rfc5869) is a key derivation algorithm.
As per the RFC:

   A key derivation function (KDF) is a basic and essential component of
   cryptographic systems.  Its goal is to take some source of initial
   keying material and derive from it one or more cryptographically
   strong secret keys.
   [...]
   HKDF follows the "extract-then-expand" paradigm, where the KDF
   logically consists of two modules.
   [...]
   The goal of the "extract" stage is to "concentrate" the possibly
   dispersed entropy of the input keying material into a short, but
   cryptographically strong, pseudorandom key.
   [...]
   The second stage "expands" the pseudorandom key to the desired
   length; the number and lengths of the output keys depend on the
   specific cryptographic algorithms for which the keys are needed.

Since HKDF is not covered by the GlobalPlatform Internal API specification
v1.0/v1.1, this commit introduces extensions to the specification.
More specifically: it defines new algorithms, a new object type and new
object attributes. This implementation supports all the usual hash
functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) and may
produce output keys of length up to 4096 bits (currently limited only by
the maximum size allowed for an object of type TEE_TYPE_GENERIC_SECRET).
Aside from minor updates to object manipulation functions to support
the new data, the function TEE_DeriveKey() is mostly impacted.

The file documentation/extensions/crypto_hkdf.md contains the modifications
to the GP Internal API v1.0 spec in order to support HKDF.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Xiaoqiang Du <xiaoqiang.du@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

5 files changed, 368 insertions, 9 deletions

diff --git a/core/include/tee/tee_cryp_hkdf.h b/core/include/tee/tee_cryp_hkdf.h
new file mode 100644
index 0000000..30ec8ad
--- /dev/null
+++ b/core/include/tee/tee_cryp_hkdf.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2014, Linaro Limited
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TEE_CRYP_HKDF_H
+#define TEE_CRYP_HKDF_H
+
+#include <tee_api_types.h>
+
+TEE_Result tee_cryp_hkdf(uint32_t hash_id, const uint8_t *ikm, size_t ikm_len,
+			 const uint8_t *salt, size_t salt_len,
+			 const uint8_t *info, size_t info_len, uint8_t *okm,
+			 size_t okm_len);
+
+#endif /* TEE_CRYP_HKDF_H */
diff --git a/core/lib/libtomcrypt/src/tee_ltc_provider.c b/core/lib/libtomcrypt/src/tee_ltc_provider.c
index c167897..6e736a8 100644
--- a/core/lib/libtomcrypt/src/tee_ltc_provider.c
+++ b/core/lib/libtomcrypt/src/tee_ltc_provider.c
@@ -1693,8 +1693,8 @@ static TEE_Result mac_init(void *ctx, uint32_t algo, const uint8_t *key,
 	return TEE_SUCCESS;
 }
 
-static TEE_Result mac_update(void *ctx, uint32_t algo,
-				     const uint8_t *data, size_t len)
+static TEE_Result mac_update(void *ctx, uint32_t algo, const uint8_t *data,
+			     size_t len)
 {
 #if defined(CFG_CRYPTO_CBC_MAC)
 	int ltc_res;
@@ -1702,6 +1702,9 @@ static TEE_Result mac_update(void *ctx, uint32_t algo,
 	size_t pad_len;
 #endif
 
+	if (!data || !len)
+		return TEE_SUCCESS;
+
 	switch (algo) {
 #if defined(CFG_CRYPTO_HMAC)
 	case TEE_ALG_HMAC_MD5:
diff --git a/core/tee/sub.mk b/core/tee/sub.mk
index 3c72c1f..0d3ab40 100644
--- a/core/tee/sub.mk
+++ b/core/tee/sub.mk
@@ -1,16 +1,23 @@
 CFG_CRYPTO ?= y
 
 ifeq (y,$(CFG_CRYPTO))
+
+# HMAC-based Extract-and-Expand Key Derivation Function
+# http://tools.ietf.org/html/rfc5869
+# This is an OP-TEE extension, not part of the GlobalPlatform Internal API v1.0
+CFG_CRYPTO_HKDF ?= y
+
 # NIST SP800-56A Concatenation Key Derivation Function
 # This is an OP-TEE extension
 CFG_CRYPTO_CONCAT_KDF ?= y
+
 endif
 
 srcs-y += tee_svc.c
 srcs-y += tee_svc_cryp.c
 srcs-y += tee_svc_storage.c
-
 srcs-y += tee_cryp_utl.c
+srcs-$(CFG_CRYPTO_HKDF) += tee_cryp_hkdf.c
 srcs-$(CFG_CRYPTO_CONCAT_KDF) += tee_cryp_concat_kdf.c
 srcs-y += tee_fs.c
 srcs-y += tee_obj.c
diff --git a/core/tee/tee_cryp_hkdf.c b/core/tee/tee_cryp_hkdf.c
new file mode 100644
index 0000000..5b34efe
--- /dev/null
+++ b/core/tee/tee_cryp_hkdf.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 2014, Linaro Limited
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <tee/tee_cryp_hkdf.h>
+#include <tee/tee_cryp_provider.h>
+#include <tee/tee_cryp_utl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <utee_defines.h>
+
+
+static const uint8_t zero_salt[TEE_MAX_HASH_SIZE];
+
+static TEE_Result hkdf_extract(uint32_t hash_id, const uint8_t *ikm,
+			       size_t ikm_len, const uint8_t *salt,
+			       size_t salt_len, uint8_t *prk, size_t *prk_len)
+{
+	TEE_Result res;
+	size_t ctx_size;
+	void *ctx = NULL;
+	uint32_t hash_algo = TEE_ALG_HASH_ALGO(hash_id);
+	uint32_t hmac_algo = (TEE_OPERATION_MAC << 28) | hash_id;
+	struct mac_ops *m = &crypto_ops.mac;
+
+	if (!m->get_ctx_size || !m->init || !m->update) {
+		res = TEE_ERROR_NOT_IMPLEMENTED;
+		goto out;
+	}
+
+	if (!salt || !salt_len) {
+		/*
+		 * RFC 5869 section 2.2:
+		 * If not provided, [the salt] is set to a string of HashLen
+		 * zeros
+		 */
+		salt = zero_salt;
+		res = tee_hash_get_digest_size(hash_algo, &salt_len);
+		if (res != TEE_SUCCESS)
+			goto out;
+	}
+
+	res = m->get_ctx_size(hmac_algo, &ctx_size);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	ctx = malloc(ctx_size);
+	if (!ctx) {
+		res = TEE_ERROR_OUT_OF_MEMORY;
+		goto out;
+	}
+
+	/*
+	 * RFC 5869 section 2.1: "Note that in the extract step, 'IKM' is used
+	 * as the HMAC input, not as the HMAC key."
+	 * Therefore, salt is the HMAC key in the formula from section 2.2:
+	 * "PRK = HMAC-Hash(salt, IKM)"
+	 */
+	res = m->init(ctx, hmac_algo, salt, salt_len);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	res = m->update(ctx, hmac_algo, ikm, ikm_len);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	res = m->final(ctx, hmac_algo, prk, *prk_len);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	res = tee_hash_get_digest_size(hash_algo, prk_len);
+out:
+	free(ctx);
+	return res;
+}
+
+static TEE_Result hkdf_expand(uint32_t hash_id, const uint8_t *prk,
+			      size_t prk_len, const uint8_t *info,
+			      size_t info_len, uint8_t *okm, size_t okm_len)
+{
+	uint8_t tn[TEE_MAX_HASH_SIZE];
+	size_t tn_len, hash_len, i, n, where, ctx_size;
+	TEE_Result res = TEE_SUCCESS;
+	void *ctx = NULL;
+	struct mac_ops *m = &crypto_ops.mac;
+	uint32_t hash_algo = TEE_ALG_HASH_ALGO(hash_id);
+	uint32_t hmac_algo = TEE_ALG_HMAC_ALGO(hash_id);
+
+	if (!m->get_ctx_size || !m->init || !m->update || !m->final) {
+		res = TEE_ERROR_NOT_IMPLEMENTED;
+		goto out;
+	}
+
+	res = tee_hash_get_digest_size(hash_algo, &hash_len);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	if (!okm || prk_len < hash_len) {
+		res = TEE_ERROR_BAD_STATE;
+		goto out;
+	}
+
+	if (!info)
+		info_len = 0;
+
+	res = m->get_ctx_size(hmac_algo, &ctx_size);
+	if (res != TEE_SUCCESS)
+		goto out;
+
+	ctx = malloc(ctx_size);
+	if (!ctx) {
+		res = TEE_ERROR_OUT_OF_MEMORY;
+		goto out;
+	}
+
+	/* N = ceil(L/HashLen) */
+	n = okm_len / hash_len;
+	if ((okm_len % hash_len) != 0)
+		n++;
+
+	if (n > 255) {
+		res = TEE_ERROR_BAD_PARAMETERS;
+		goto out;
+	}
+
+
+	/*
+	 * RFC 5869 section 2.3
+	 *   T = T(1) | T(2) | T(3) | ... | T(N)
+	 *   OKM = first L octets of T
+	 *   T(0) = empty string (zero length)
+	 *   T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
+	 *   T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
+	 *   T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
+	 *   ...
+	 */
+	tn_len = 0;
+	where = 0;
+	for (i = 1; i <= n; i++) {
+		uint8_t c = i;
+
+		res = m->init(ctx, hmac_algo, prk, prk_len);
+		if (res != TEE_SUCCESS)
+			goto out;
+		res = m->update(ctx, hmac_algo, tn, tn_len);
+		if (res != TEE_SUCCESS)
+			goto out;
+		res = m->update(ctx, hmac_algo, info, info_len);
+		if (res != TEE_SUCCESS)
+			goto out;
+		res = m->update(ctx, hmac_algo, &c, 1);
+		if (res != TEE_SUCCESS)
+			goto out;
+		res = m->final(ctx, hmac_algo, tn, sizeof(tn));
+		if (res != TEE_SUCCESS)
+			goto out;
+
+		memcpy(okm + where, tn, (i < n) ? hash_len : (okm_len - where));
+		where += hash_len;
+		tn_len = hash_len;
+	}
+
+out:
+	free(ctx);
+	return res;
+}
+
+TEE_Result tee_cryp_hkdf(uint32_t hash_id, const uint8_t *ikm, size_t ikm_len,
+			 const uint8_t *salt, size_t salt_len,
+			 const uint8_t *info, size_t info_len, uint8_t *okm,
+			 size_t okm_len)
+{
+	TEE_Result res;
+	uint8_t prk[TEE_MAX_HASH_SIZE];
+	size_t prk_len = sizeof(prk);
+
+	res = hkdf_extract(hash_id, ikm, ikm_len, salt, salt_len, prk,
+			   &prk_len);
+	if (res != TEE_SUCCESS)
+		return res;
+	res = hkdf_expand(hash_id, prk, prk_len, info, info_len, okm,
+			  okm_len);
+
+	return res;
+}
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
index 5fafb15..cc829f7 100644
--- a/core/tee/tee_svc_cryp.c
+++ b/core/tee/tee_svc_cryp.c
@@ -36,9 +36,13 @@
 #include <tee/tee_cryp_provider.h>
 #include <trace.h>
 #include <string_ext.h>
-
-#if defined(CFG_CRYPTO_CONCAT_KDF)
+#if defined(CFG_CRYPTO_HKDF) || defined(CFG_CRYPTO_CONCAT_KDF)
 #include <tee_api_defines_extensions.h>
+#endif
+#if defined(CFG_CRYPTO_HKDF)
+#include <tee/tee_cryp_hkdf.h>
+#endif
+#if defined(CFG_CRYPTO_CONCAT_KDF)
 #include <tee/tee_cryp_concat_kdf.h>
 #endif
 
@@ -303,6 +307,19 @@ static const struct tee_cryp_obj_type_attrs tee_cryp_obj_dh_keypair_attrs[] = {
 	},
 };
 
+#if defined(CFG_CRYPTO_HKDF)
+static const struct tee_cryp_obj_type_attrs
+	tee_cryp_obj_hkdf_ikm_attrs[] = {
+	{
+	.attr_id = TEE_ATTR_HKDF_IKM,
+	.flags = TEE_TYPE_ATTR_REQUIRED | TEE_TYPE_ATTR_SIZE_INDICATOR,
+	.conv_func = TEE_TYPE_CONV_FUNC_SECRET,
+	.raw_offs = 0,
+	.raw_size = 0
+	},
+};
+#endif
+
 #if defined(CFG_CRYPTO_CONCAT_KDF)
 static const struct tee_cryp_obj_type_attrs
 	tee_cryp_obj_concat_kdf_z_attrs[] = {
@@ -371,12 +388,16 @@ static const struct tee_cryp_obj_type_props tee_cryp_obj_props[] = {
 	PROP(TEE_TYPE_GENERIC_SECRET, 8, 0, 4096,
 		4096 / 8 + sizeof(struct tee_cryp_obj_secret),
 		tee_cryp_obj_secret_value_attrs),
+#if defined(CFG_CRYPTO_HKDF)
+	PROP(TEE_TYPE_HKDF_IKM, 8, 0, 4096,
+		4096 / 8 + sizeof(struct tee_cryp_obj_secret),
+		tee_cryp_obj_hkdf_ikm_attrs),
+#endif
 #if defined(CFG_CRYPTO_CONCAT_KDF)
 	PROP(TEE_TYPE_CONCAT_KDF_Z, 8, 0, 4096,
 		4096 / 8 + sizeof(struct tee_cryp_obj_secret),
 		tee_cryp_obj_concat_kdf_z_attrs),
 #endif
-
 	PROP(TEE_TYPE_RSA_PUBLIC_KEY, 1, 256, 2048,
 		sizeof(struct rsa_public_key),
 		tee_cryp_obj_rsa_pub_key_attrs),
@@ -1536,6 +1557,11 @@ static TEE_Result tee_svc_cryp_check_key_type(const struct tee_obj *o,
 	case TEE_MAIN_ALGO_DH:
 		req_key_type = TEE_TYPE_DH_KEYPAIR;
 		break;
+#if defined(CFG_CRYPTO_HKDF)
+	case TEE_MAIN_ALGO_HKDF:
+		req_key_type = TEE_TYPE_HKDF_IKM;
+		break;
+#endif
 #if defined(CFG_CRYPTO_CONCAT_KDF)
 	case TEE_MAIN_ALGO_CONCAT_KDF:
 		req_key_type = TEE_TYPE_CONCAT_KDF_Z;
@@ -2098,6 +2124,55 @@ TEE_Result tee_svc_cipher_final(uint32_t state, const void *src,
 					    src, src_len, dst, dst_len);
 }
 
+#if defined(CFG_CRYPTO_HKDF)
+static TEE_Result get_hkdf_params(const TEE_Attribute *params,
+				  uint32_t param_count,
+				  void **salt, size_t *salt_len, void **info,
+				  size_t *info_len, size_t *okm_len)
+{
+	size_t n;
+	enum { SALT = 0x1, LENGTH = 0x2, INFO = 0x4 };
+	uint8_t found = 0;
+
+	*salt = *info = NULL;
+	*salt_len = *info_len = *okm_len = 0;
+
+	for (n = 0; n < param_count; n++) {
+		switch (params[n].attributeID) {
+		case TEE_ATTR_HKDF_SALT:
+			if (!(found & SALT)) {
+				*salt = params[n].content.ref.buffer;
+				*salt_len = params[n].content.ref.length;
+				found |= SALT;
+			}
+			break;
+		case TEE_ATTR_HKDF_OKM_LENGTH:
+			if (!(found & LENGTH)) {
+				*okm_len = params[n].content.value.a;
+				found |= LENGTH;
+			}
+			break;
+		case TEE_ATTR_HKDF_INFO:
+			if (!(found & INFO)) {
+				*info = params[n].content.ref.buffer;
+				*info_len = params[n].content.ref.length;
+				found |= INFO;
+			}
+			break;
+		default:
+			/* Unexpected attribute */
+			return TEE_ERROR_BAD_PARAMETERS;
+		}
+
+	}
+
+	if (!(found & LENGTH))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	return TEE_SUCCESS;
+}
+#endif
+
 #if defined(CFG_CRYPTO_CONCAT_KDF)
 static TEE_Result get_concat_kdf_params(const TEE_Attribute *params,
 					uint32_t param_count,
@@ -2143,7 +2218,7 @@ static TEE_Result get_concat_kdf_params(const TEE_Attribute *params,
 TEE_Result tee_svc_cryp_derive_key(uint32_t state, const TEE_Attribute *params,
 				   uint32_t param_count, uint32_t derived_key)
 {
-	TEE_Result res;
+	TEE_Result res = TEE_ERROR_NOT_SUPPORTED;
 	struct tee_ta_session *sess;
 	struct tee_obj *ko;
 	struct tee_obj *so;
@@ -2159,7 +2234,7 @@ TEE_Result tee_svc_cryp_derive_key(uint32_t state, const TEE_Attribute *params,
 	if (res != TEE_SUCCESS)
 		return res;
 
-	/* get key set in operation */
+	/* Get key set in operation */
 	res = tee_obj_get(sess->ctx, cs->key1, &ko);
 	if (res != TEE_SUCCESS)
 		return res;
@@ -2215,6 +2290,34 @@ TEE_Result tee_svc_cryp_derive_key(uint32_t state, const TEE_Attribute *params,
 		crypto_ops.bignum.free(pub);
 		crypto_ops.bignum.free(ss);
 	}
+#if defined(CFG_CRYPTO_HKDF)
+	else if (TEE_ALG_GET_MAIN_ALG(cs->algo) == TEE_MAIN_ALGO_HKDF) {
+		void *salt, *info;
+		size_t salt_len, info_len, okm_len;
+		uint32_t hash_id = TEE_ALG_GET_DIGEST_HASH(cs->algo);
+		struct tee_cryp_obj_secret *ik = ko->data;
+		const uint8_t *ikm = (const uint8_t *)(ik + 1);
+
+		res = get_hkdf_params(params, param_count, &salt, &salt_len,
+				      &info, &info_len, &okm_len);
+		if (res != TEE_SUCCESS)
+			return res;
+
+		/* Requested size must fit into the output object's buffer */
+		if (okm_len >
+			ko->data_size - sizeof(struct tee_cryp_obj_secret))
+			return TEE_ERROR_BAD_PARAMETERS;
+
+		res = tee_cryp_hkdf(hash_id, ikm, ik->key_size, salt, salt_len,
+				    info, info_len, (uint8_t *)(sk + 1),
+				    okm_len);
+		if (res == TEE_SUCCESS) {
+			sk->key_size = okm_len;
+			so->info.handleFlags |= TEE_HANDLE_FLAG_INITIALIZED;
+			SET_ATTRIBUTE(so, type_props, TEE_ATTR_SECRET_VALUE);
+		}
+	}
+#endif
 #if defined(CFG_CRYPTO_CONCAT_KDF)
 	else if (TEE_ALG_GET_MAIN_ALG(cs->algo) == TEE_MAIN_ALGO_CONCAT_KDF) {
 		void *info;
@@ -2230,7 +2333,7 @@ TEE_Result tee_svc_cryp_derive_key(uint32_t state, const TEE_Attribute *params,
 
 		/* Requested size must fit into the output object's buffer */
 		if (derived_key_len >
-			ko->data_size - sizeof(struct tee_cryp_obj_secret))
+		    ko->data_size - sizeof(struct tee_cryp_obj_secret))
 			return TEE_ERROR_BAD_PARAMETERS;
 
 		res = tee_cryp_concat_kdf(hash_id, shared_secret, ss->key_size,