1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbed_helpers.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_PRIVATE_FAILED + 26 MBEDTLS_ERR_MPI_BAD_INPUT_DATA: 27 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 28 case MBEDTLS_ERR_RSA_INVALID_PADDING: 29 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 30 return TEE_ERROR_BAD_PARAMETERS; 31 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 32 return TEE_ERROR_SHORT_BUFFER; 33 default: 34 return TEE_ERROR_BAD_STATE; 35 } 36 } 37 38 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 39 { 40 switch (algo) { 41 #if defined(CFG_CRYPTO_SHA1) 42 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 45 case TEE_ALG_SHA1: 46 case TEE_ALG_DSA_SHA1: 47 case TEE_ALG_HMAC_SHA1: 48 return MBEDTLS_MD_SHA1; 49 #endif 50 #if defined(CFG_CRYPTO_MD5) 51 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 52 case TEE_ALG_MD5: 53 case TEE_ALG_HMAC_MD5: 54 return MBEDTLS_MD_MD5; 55 #endif 56 #if defined(CFG_CRYPTO_SHA224) 57 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 58 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 59 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 60 case TEE_ALG_SHA224: 61 case TEE_ALG_DSA_SHA224: 62 case TEE_ALG_HMAC_SHA224: 63 return MBEDTLS_MD_SHA224; 64 #endif 65 #if defined(CFG_CRYPTO_SHA256) 66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 69 case TEE_ALG_SHA256: 70 case TEE_ALG_DSA_SHA256: 71 case TEE_ALG_HMAC_SHA256: 72 return MBEDTLS_MD_SHA256; 73 #endif 74 #if defined(CFG_CRYPTO_SHA384) 75 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 76 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 77 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 78 case TEE_ALG_SHA384: 79 case TEE_ALG_HMAC_SHA384: 80 return MBEDTLS_MD_SHA384; 81 #endif 82 #if defined(CFG_CRYPTO_SHA512) 83 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 84 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 85 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 86 case TEE_ALG_SHA512: 87 case TEE_ALG_HMAC_SHA512: 88 return MBEDTLS_MD_SHA512; 89 #endif 90 default: 91 return MBEDTLS_MD_NONE; 92 } 93 } 94 95 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 96 struct rsa_keypair *key) 97 { 98 mbedtls_rsa_init(rsa, 0, 0); 99 100 rsa->E = *(mbedtls_mpi *)key->e; 101 rsa->N = *(mbedtls_mpi *)key->n; 102 rsa->D = *(mbedtls_mpi *)key->d; 103 if (key->p && crypto_bignum_num_bytes(key->p)) { 104 rsa->P = *(mbedtls_mpi *)key->p; 105 rsa->Q = *(mbedtls_mpi *)key->q; 106 rsa->QP = *(mbedtls_mpi *)key->qp; 107 rsa->DP = *(mbedtls_mpi *)key->dp; 108 rsa->DQ = *(mbedtls_mpi *)key->dq; 109 } 110 rsa->len = mbedtls_mpi_size(&rsa->N); 111 } 112 113 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 114 { 115 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 116 mbedtls_mpi_init(&rsa->E); 117 mbedtls_mpi_init(&rsa->N); 118 mbedtls_mpi_init(&rsa->D); 119 if (mbedtls_mpi_size(&rsa->P)) { 120 mbedtls_mpi_init(&rsa->P); 121 mbedtls_mpi_init(&rsa->Q); 122 mbedtls_mpi_init(&rsa->QP); 123 mbedtls_mpi_init(&rsa->DP); 124 mbedtls_mpi_init(&rsa->DQ); 125 } 126 mbedtls_rsa_free(rsa); 127 } 128 129 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 130 size_t key_size_bits) 131 { 132 memset(s, 0, sizeof(*s)); 133 s->e = crypto_bignum_allocate(key_size_bits); 134 if (!s->e) 135 goto err; 136 s->d = crypto_bignum_allocate(key_size_bits); 137 if (!s->d) 138 goto err; 139 s->n = crypto_bignum_allocate(key_size_bits); 140 if (!s->n) 141 goto err; 142 s->p = crypto_bignum_allocate(key_size_bits); 143 if (!s->p) 144 goto err; 145 s->q = crypto_bignum_allocate(key_size_bits); 146 if (!s->q) 147 goto err; 148 s->qp = crypto_bignum_allocate(key_size_bits); 149 if (!s->qp) 150 goto err; 151 s->dp = crypto_bignum_allocate(key_size_bits); 152 if (!s->dp) 153 goto err; 154 s->dq = crypto_bignum_allocate(key_size_bits); 155 if (!s->dq) 156 goto err; 157 158 return TEE_SUCCESS; 159 err: 160 crypto_acipher_free_rsa_keypair(s); 161 return TEE_ERROR_OUT_OF_MEMORY; 162 } 163 164 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 165 size_t key_size_bits) 166 { 167 memset(s, 0, sizeof(*s)); 168 s->e = crypto_bignum_allocate(key_size_bits); 169 if (!s->e) 170 return TEE_ERROR_OUT_OF_MEMORY; 171 s->n = crypto_bignum_allocate(key_size_bits); 172 if (!s->n) 173 goto err; 174 return TEE_SUCCESS; 175 err: 176 crypto_bignum_free(s->e); 177 return TEE_ERROR_OUT_OF_MEMORY; 178 } 179 180 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 181 { 182 if (!s) 183 return; 184 crypto_bignum_free(s->n); 185 crypto_bignum_free(s->e); 186 } 187 188 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 189 { 190 if (!s) 191 return; 192 crypto_bignum_free(s->e); 193 crypto_bignum_free(s->d); 194 crypto_bignum_free(s->n); 195 crypto_bignum_free(s->p); 196 crypto_bignum_free(s->q); 197 crypto_bignum_free(s->qp); 198 crypto_bignum_free(s->dp); 199 crypto_bignum_free(s->dq); 200 } 201 202 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 203 { 204 TEE_Result res = TEE_SUCCESS; 205 mbedtls_rsa_context rsa; 206 mbedtls_ctr_drbg_context rngctx; 207 int lmd_res = 0; 208 uint32_t e = 0; 209 210 mbedtls_ctr_drbg_init(&rngctx); 211 if (mbedtls_ctr_drbg_seed(&rngctx, mbd_rand, NULL, NULL, 0)) 212 return TEE_ERROR_BAD_STATE; 213 214 memset(&rsa, 0, sizeof(rsa)); 215 mbedtls_rsa_init(&rsa, 0, 0); 216 217 /* get the public exponent */ 218 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 219 (unsigned char *)&e, sizeof(uint32_t)); 220 221 e = TEE_U32_FROM_BIG_ENDIAN(e); 222 lmd_res = mbedtls_rsa_gen_key(&rsa, mbedtls_ctr_drbg_random, &rngctx, 223 key_size, (int)e); 224 mbedtls_ctr_drbg_free(&rngctx); 225 if (lmd_res != 0) { 226 res = get_tee_result(lmd_res); 227 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 228 res = TEE_ERROR_BAD_PARAMETERS; 229 } else { 230 /* Copy the key */ 231 crypto_bignum_copy(key->e, (void *)&rsa.E); 232 crypto_bignum_copy(key->d, (void *)&rsa.D); 233 crypto_bignum_copy(key->n, (void *)&rsa.N); 234 crypto_bignum_copy(key->p, (void *)&rsa.P); 235 236 crypto_bignum_copy(key->q, (void *)&rsa.Q); 237 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 238 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 239 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 240 241 res = TEE_SUCCESS; 242 } 243 244 mbedtls_rsa_free(&rsa); 245 246 return res; 247 } 248 249 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 250 const uint8_t *src, size_t src_len, 251 uint8_t *dst, size_t *dst_len) 252 { 253 TEE_Result res = TEE_SUCCESS; 254 mbedtls_rsa_context rsa; 255 int lmd_res = 0; 256 uint8_t *buf = NULL; 257 unsigned long blen = 0; 258 unsigned long offset = 0; 259 260 memset(&rsa, 0, sizeof(rsa)); 261 mbedtls_rsa_init(&rsa, 0, 0); 262 263 rsa.E = *(mbedtls_mpi *)key->e; 264 rsa.N = *(mbedtls_mpi *)key->n; 265 266 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 267 268 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 269 buf = malloc(blen); 270 if (!buf) { 271 res = TEE_ERROR_OUT_OF_MEMORY; 272 goto out; 273 } 274 275 memset(buf, 0, blen); 276 memcpy(buf + rsa.len - src_len, src, src_len); 277 278 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 279 if (lmd_res != 0) { 280 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 281 res = get_tee_result(lmd_res); 282 goto out; 283 } 284 285 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 286 offset = 0; 287 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 288 offset++; 289 290 if (*dst_len < rsa.len - offset) { 291 *dst_len = rsa.len - offset; 292 res = TEE_ERROR_SHORT_BUFFER; 293 goto out; 294 } 295 *dst_len = rsa.len - offset; 296 memcpy(dst, buf + offset, *dst_len); 297 out: 298 free(buf); 299 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 300 mbedtls_mpi_init(&rsa.E); 301 mbedtls_mpi_init(&rsa.N); 302 mbedtls_rsa_free(&rsa); 303 304 return res; 305 } 306 307 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 308 const uint8_t *src, size_t src_len, 309 uint8_t *dst, size_t *dst_len) 310 { 311 TEE_Result res = TEE_SUCCESS; 312 mbedtls_rsa_context rsa; 313 int lmd_res = 0; 314 uint8_t *buf = NULL; 315 unsigned long blen = 0; 316 unsigned long offset = 0; 317 318 memset(&rsa, 0, sizeof(rsa)); 319 rsa_init_from_key_pair(&rsa, key); 320 321 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 322 buf = malloc(blen); 323 if (!buf) { 324 res = TEE_ERROR_OUT_OF_MEMORY; 325 goto out; 326 } 327 328 memset(buf, 0, blen); 329 memcpy(buf + rsa.len - src_len, src, src_len); 330 331 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 332 if (lmd_res != 0) { 333 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 334 res = get_tee_result(lmd_res); 335 goto out; 336 } 337 338 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 339 offset = 0; 340 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 341 offset++; 342 343 if (*dst_len < rsa.len - offset) { 344 *dst_len = rsa.len - offset; 345 res = TEE_ERROR_SHORT_BUFFER; 346 goto out; 347 } 348 *dst_len = rsa.len - offset; 349 memcpy(dst, (char *)buf + offset, *dst_len); 350 out: 351 if (buf) 352 free(buf); 353 mbd_rsa_free(&rsa); 354 return res; 355 } 356 357 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 358 const uint8_t *label __unused, 359 size_t label_len __unused, 360 const uint8_t *src, size_t src_len, 361 uint8_t *dst, size_t *dst_len) 362 { 363 TEE_Result res = TEE_SUCCESS; 364 int lmd_res = 0; 365 int lmd_padding = 0; 366 size_t blen = 0; 367 size_t mod_size = 0; 368 void *buf = NULL; 369 mbedtls_rsa_context rsa; 370 const mbedtls_pk_info_t *pk_info = NULL; 371 uint32_t md_algo = MBEDTLS_MD_NONE; 372 373 memset(&rsa, 0, sizeof(rsa)); 374 rsa_init_from_key_pair(&rsa, key); 375 376 /* 377 * Use a temporary buffer since we don't know exactly how large 378 * the required size of the out buffer without doing a partial 379 * decrypt. We know the upper bound though. 380 */ 381 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 382 mod_size = crypto_bignum_num_bytes(key->n); 383 blen = mod_size - 11; 384 lmd_padding = MBEDTLS_RSA_PKCS_V15; 385 } else { 386 /* Decoded message is always shorter than encrypted message */ 387 blen = src_len; 388 lmd_padding = MBEDTLS_RSA_PKCS_V21; 389 } 390 391 buf = malloc(blen); 392 if (!buf) { 393 res = TEE_ERROR_OUT_OF_MEMORY; 394 goto out; 395 } 396 397 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 398 if (!pk_info) { 399 res = TEE_ERROR_NOT_SUPPORTED; 400 goto out; 401 } 402 403 /* 404 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 405 * not be used in rsa, so skip it here. 406 */ 407 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 408 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 409 if (md_algo == MBEDTLS_MD_NONE) { 410 res = TEE_ERROR_NOT_SUPPORTED; 411 goto out; 412 } 413 } 414 415 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 416 417 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 418 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 419 blen, NULL, NULL); 420 else 421 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 422 blen, mbd_rand, NULL); 423 if (lmd_res != 0) { 424 FMSG("decrypt_func() returned 0x%x", -lmd_res); 425 res = get_tee_result(lmd_res); 426 goto out; 427 } 428 429 if (*dst_len < blen) { 430 *dst_len = blen; 431 res = TEE_ERROR_SHORT_BUFFER; 432 goto out; 433 } 434 435 res = TEE_SUCCESS; 436 *dst_len = blen; 437 memcpy(dst, buf, blen); 438 out: 439 if (buf) 440 free(buf); 441 mbd_rsa_free(&rsa); 442 return res; 443 } 444 445 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 446 struct rsa_public_key *key, 447 const uint8_t *label __unused, 448 size_t label_len __unused, 449 const uint8_t *src, size_t src_len, 450 uint8_t *dst, size_t *dst_len) 451 { 452 TEE_Result res = TEE_SUCCESS; 453 int lmd_res = 0; 454 int lmd_padding = 0; 455 size_t mod_size = 0; 456 mbedtls_rsa_context rsa; 457 const mbedtls_pk_info_t *pk_info = NULL; 458 uint32_t md_algo = MBEDTLS_MD_NONE; 459 460 memset(&rsa, 0, sizeof(rsa)); 461 mbedtls_rsa_init(&rsa, 0, 0); 462 463 rsa.E = *(mbedtls_mpi *)key->e; 464 rsa.N = *(mbedtls_mpi *)key->n; 465 466 mod_size = crypto_bignum_num_bytes(key->n); 467 if (*dst_len < mod_size) { 468 *dst_len = mod_size; 469 res = TEE_ERROR_SHORT_BUFFER; 470 goto out; 471 } 472 *dst_len = mod_size; 473 rsa.len = mod_size; 474 475 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 476 lmd_padding = MBEDTLS_RSA_PKCS_V15; 477 else 478 lmd_padding = MBEDTLS_RSA_PKCS_V21; 479 480 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 481 if (!pk_info) { 482 res = TEE_ERROR_NOT_SUPPORTED; 483 goto out; 484 } 485 486 /* 487 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 488 * not be used in rsa, so skip it here. 489 */ 490 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 491 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 492 if (md_algo == MBEDTLS_MD_NONE) { 493 res = TEE_ERROR_NOT_SUPPORTED; 494 goto out; 495 } 496 } 497 498 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 499 500 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 501 *dst_len, mbd_rand, NULL); 502 if (lmd_res != 0) { 503 FMSG("encrypt_func() returned 0x%x", -lmd_res); 504 res = get_tee_result(lmd_res); 505 goto out; 506 } 507 res = TEE_SUCCESS; 508 out: 509 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 510 mbedtls_mpi_init(&rsa.E); 511 mbedtls_mpi_init(&rsa.N); 512 mbedtls_rsa_free(&rsa); 513 return res; 514 } 515 516 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 517 int salt_len __unused, const uint8_t *msg, 518 size_t msg_len, uint8_t *sig, 519 size_t *sig_len) 520 { 521 TEE_Result res = TEE_SUCCESS; 522 int lmd_res = 0; 523 int lmd_padding = 0; 524 size_t mod_size = 0; 525 size_t hash_size = 0; 526 mbedtls_rsa_context rsa; 527 const mbedtls_pk_info_t *pk_info = NULL; 528 uint32_t md_algo = 0; 529 530 memset(&rsa, 0, sizeof(rsa)); 531 rsa_init_from_key_pair(&rsa, key); 532 533 switch (algo) { 534 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 535 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 536 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 537 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 538 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 539 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 540 lmd_padding = MBEDTLS_RSA_PKCS_V15; 541 break; 542 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 543 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 544 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 545 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 546 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 547 lmd_padding = MBEDTLS_RSA_PKCS_V21; 548 break; 549 default: 550 res = TEE_ERROR_BAD_PARAMETERS; 551 goto err; 552 } 553 554 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 555 &hash_size); 556 if (res != TEE_SUCCESS) 557 goto err; 558 559 if (msg_len != hash_size) { 560 res = TEE_ERROR_BAD_PARAMETERS; 561 goto err; 562 } 563 564 mod_size = crypto_bignum_num_bytes(key->n); 565 if (*sig_len < mod_size) { 566 *sig_len = mod_size; 567 res = TEE_ERROR_SHORT_BUFFER; 568 goto err; 569 } 570 rsa.len = mod_size; 571 572 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 573 if (md_algo == MBEDTLS_MD_NONE) { 574 res = TEE_ERROR_NOT_SUPPORTED; 575 goto err; 576 } 577 578 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 579 if (!pk_info) { 580 res = TEE_ERROR_NOT_SUPPORTED; 581 goto err; 582 } 583 584 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 585 586 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 587 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 588 sig_len, NULL, NULL); 589 else 590 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 591 sig_len, mbd_rand, NULL); 592 if (lmd_res != 0) { 593 FMSG("sign_func failed, returned 0x%x", -lmd_res); 594 res = get_tee_result(lmd_res); 595 goto err; 596 } 597 res = TEE_SUCCESS; 598 err: 599 mbd_rsa_free(&rsa); 600 return res; 601 } 602 603 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 604 struct rsa_public_key *key, 605 int salt_len __unused, 606 const uint8_t *msg, 607 size_t msg_len, const uint8_t *sig, 608 size_t sig_len) 609 { 610 TEE_Result res = TEE_SUCCESS; 611 int lmd_res = 0; 612 int lmd_padding = 0; 613 size_t hash_size = 0; 614 size_t bigint_size = 0; 615 mbedtls_rsa_context rsa; 616 const mbedtls_pk_info_t *pk_info = NULL; 617 uint32_t md_algo = 0; 618 619 memset(&rsa, 0, sizeof(rsa)); 620 mbedtls_rsa_init(&rsa, 0, 0); 621 622 rsa.E = *(mbedtls_mpi *)key->e; 623 rsa.N = *(mbedtls_mpi *)key->n; 624 625 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 626 &hash_size); 627 if (res != TEE_SUCCESS) 628 goto err; 629 630 if (msg_len != hash_size) { 631 res = TEE_ERROR_BAD_PARAMETERS; 632 goto err; 633 } 634 635 bigint_size = crypto_bignum_num_bytes(key->n); 636 if (sig_len < bigint_size) { 637 res = TEE_ERROR_SIGNATURE_INVALID; 638 goto err; 639 } 640 641 rsa.len = bigint_size; 642 643 switch (algo) { 644 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 645 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 647 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 648 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 649 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 650 lmd_padding = MBEDTLS_RSA_PKCS_V15; 651 break; 652 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 654 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 655 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 656 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 657 lmd_padding = MBEDTLS_RSA_PKCS_V21; 658 break; 659 default: 660 res = TEE_ERROR_BAD_PARAMETERS; 661 goto err; 662 } 663 664 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 665 if (md_algo == MBEDTLS_MD_NONE) { 666 res = TEE_ERROR_NOT_SUPPORTED; 667 goto err; 668 } 669 670 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 671 if (!pk_info) { 672 res = TEE_ERROR_NOT_SUPPORTED; 673 goto err; 674 } 675 676 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 677 678 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 679 sig, sig_len); 680 if (lmd_res != 0) { 681 FMSG("verify_func failed, returned 0x%x", -lmd_res); 682 res = TEE_ERROR_SIGNATURE_INVALID; 683 goto err; 684 } 685 res = TEE_SUCCESS; 686 err: 687 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 688 mbedtls_mpi_init(&rsa.E); 689 mbedtls_mpi_init(&rsa.N); 690 mbedtls_rsa_free(&rsa); 691 return res; 692 } 693