1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbd_rand.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 26 case MBEDTLS_ERR_RSA_INVALID_PADDING: 27 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 28 return TEE_ERROR_BAD_PARAMETERS; 29 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 30 return TEE_ERROR_SHORT_BUFFER; 31 default: 32 return TEE_ERROR_BAD_STATE; 33 } 34 } 35 36 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 37 { 38 switch (algo) { 39 #if defined(CFG_CRYPTO_SHA1) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 41 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 42 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 43 case TEE_ALG_SHA1: 44 case TEE_ALG_DSA_SHA1: 45 case TEE_ALG_HMAC_SHA1: 46 return MBEDTLS_MD_SHA1; 47 #endif 48 #if defined(CFG_CRYPTO_MD5) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 50 case TEE_ALG_MD5: 51 case TEE_ALG_HMAC_MD5: 52 return MBEDTLS_MD_MD5; 53 #endif 54 #if defined(CFG_CRYPTO_SHA224) 55 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 56 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 57 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 58 case TEE_ALG_SHA224: 59 case TEE_ALG_DSA_SHA224: 60 case TEE_ALG_HMAC_SHA224: 61 return MBEDTLS_MD_SHA224; 62 #endif 63 #if defined(CFG_CRYPTO_SHA256) 64 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 65 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 66 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 67 case TEE_ALG_SHA256: 68 case TEE_ALG_DSA_SHA256: 69 case TEE_ALG_HMAC_SHA256: 70 return MBEDTLS_MD_SHA256; 71 #endif 72 #if defined(CFG_CRYPTO_SHA384) 73 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 74 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 75 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 76 case TEE_ALG_SHA384: 77 case TEE_ALG_HMAC_SHA384: 78 return MBEDTLS_MD_SHA384; 79 #endif 80 #if defined(CFG_CRYPTO_SHA512) 81 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 82 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 83 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 84 case TEE_ALG_SHA512: 85 case TEE_ALG_HMAC_SHA512: 86 return MBEDTLS_MD_SHA512; 87 #endif 88 default: 89 return MBEDTLS_MD_NONE; 90 } 91 } 92 93 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 94 struct rsa_keypair *key) 95 { 96 mbedtls_rsa_init(rsa, 0, 0); 97 98 rsa->E = *(mbedtls_mpi *)key->e; 99 rsa->N = *(mbedtls_mpi *)key->n; 100 rsa->D = *(mbedtls_mpi *)key->d; 101 if (key->p && crypto_bignum_num_bytes(key->p)) { 102 rsa->P = *(mbedtls_mpi *)key->p; 103 rsa->Q = *(mbedtls_mpi *)key->q; 104 rsa->QP = *(mbedtls_mpi *)key->qp; 105 rsa->DP = *(mbedtls_mpi *)key->dp; 106 rsa->DQ = *(mbedtls_mpi *)key->dq; 107 } 108 rsa->len = mbedtls_mpi_size(&rsa->N); 109 } 110 111 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 112 { 113 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 114 mbedtls_mpi_init(&rsa->E); 115 mbedtls_mpi_init(&rsa->N); 116 mbedtls_mpi_init(&rsa->D); 117 if (mbedtls_mpi_size(&rsa->P)) { 118 mbedtls_mpi_init(&rsa->P); 119 mbedtls_mpi_init(&rsa->Q); 120 mbedtls_mpi_init(&rsa->QP); 121 mbedtls_mpi_init(&rsa->DP); 122 mbedtls_mpi_init(&rsa->DQ); 123 } 124 mbedtls_rsa_free(rsa); 125 } 126 127 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 128 size_t key_size_bits) 129 { 130 memset(s, 0, sizeof(*s)); 131 s->e = crypto_bignum_allocate(key_size_bits); 132 if (!s->e) 133 goto err; 134 s->d = crypto_bignum_allocate(key_size_bits); 135 if (!s->d) 136 goto err; 137 s->n = crypto_bignum_allocate(key_size_bits); 138 if (!s->n) 139 goto err; 140 s->p = crypto_bignum_allocate(key_size_bits); 141 if (!s->p) 142 goto err; 143 s->q = crypto_bignum_allocate(key_size_bits); 144 if (!s->q) 145 goto err; 146 s->qp = crypto_bignum_allocate(key_size_bits); 147 if (!s->qp) 148 goto err; 149 s->dp = crypto_bignum_allocate(key_size_bits); 150 if (!s->dp) 151 goto err; 152 s->dq = crypto_bignum_allocate(key_size_bits); 153 if (!s->dq) 154 goto err; 155 156 return TEE_SUCCESS; 157 err: 158 crypto_bignum_free(s->e); 159 crypto_bignum_free(s->d); 160 crypto_bignum_free(s->n); 161 crypto_bignum_free(s->p); 162 crypto_bignum_free(s->q); 163 crypto_bignum_free(s->qp); 164 crypto_bignum_free(s->dp); 165 166 return TEE_ERROR_OUT_OF_MEMORY; 167 } 168 169 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 170 size_t key_size_bits) 171 { 172 memset(s, 0, sizeof(*s)); 173 s->e = crypto_bignum_allocate(key_size_bits); 174 if (!s->e) 175 return TEE_ERROR_OUT_OF_MEMORY; 176 s->n = crypto_bignum_allocate(key_size_bits); 177 if (!s->n) 178 goto err; 179 return TEE_SUCCESS; 180 err: 181 crypto_bignum_free(s->e); 182 return TEE_ERROR_OUT_OF_MEMORY; 183 } 184 185 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 186 { 187 if (!s) 188 return; 189 crypto_bignum_free(s->n); 190 crypto_bignum_free(s->e); 191 } 192 193 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 194 { 195 if (!s) 196 return; 197 crypto_bignum_free(s->e); 198 crypto_bignum_free(s->d); 199 crypto_bignum_free(s->n); 200 crypto_bignum_free(s->p); 201 crypto_bignum_free(s->q); 202 crypto_bignum_free(s->qp); 203 crypto_bignum_free(s->dp); 204 crypto_bignum_free(s->dq); 205 } 206 207 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 208 { 209 TEE_Result res = TEE_SUCCESS; 210 mbedtls_rsa_context rsa; 211 int lmd_res = 0; 212 uint32_t e = 0; 213 214 memset(&rsa, 0, sizeof(rsa)); 215 mbedtls_rsa_init(&rsa, 0, 0); 216 217 /* get the public exponent */ 218 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 219 (unsigned char *)&e, sizeof(uint32_t)); 220 221 e = TEE_U32_FROM_BIG_ENDIAN(e); 222 lmd_res = mbedtls_rsa_gen_key(&rsa, mbd_rand, NULL, key_size, (int)e); 223 if (lmd_res != 0) { 224 res = get_tee_result(lmd_res); 225 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 226 res = TEE_ERROR_BAD_PARAMETERS; 227 } else { 228 /* Copy the key */ 229 crypto_bignum_copy(key->e, (void *)&rsa.E); 230 crypto_bignum_copy(key->d, (void *)&rsa.D); 231 crypto_bignum_copy(key->n, (void *)&rsa.N); 232 crypto_bignum_copy(key->p, (void *)&rsa.P); 233 234 crypto_bignum_copy(key->q, (void *)&rsa.Q); 235 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 236 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 237 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 238 239 res = TEE_SUCCESS; 240 } 241 242 mbedtls_rsa_free(&rsa); 243 244 return res; 245 } 246 247 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 248 const uint8_t *src, size_t src_len, 249 uint8_t *dst, size_t *dst_len) 250 { 251 TEE_Result res = TEE_SUCCESS; 252 mbedtls_rsa_context rsa; 253 int lmd_res = 0; 254 uint8_t *buf = NULL; 255 unsigned long blen = 0; 256 unsigned long offset = 0; 257 258 memset(&rsa, 0, sizeof(rsa)); 259 mbedtls_rsa_init(&rsa, 0, 0); 260 261 rsa.E = *(mbedtls_mpi *)key->e; 262 rsa.N = *(mbedtls_mpi *)key->n; 263 264 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 265 266 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 267 buf = malloc(blen); 268 if (!buf) { 269 res = TEE_ERROR_OUT_OF_MEMORY; 270 goto out; 271 } 272 273 memset(buf, 0, blen); 274 memcpy(buf + rsa.len - src_len, src, src_len); 275 276 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 277 if (lmd_res != 0) { 278 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 279 res = get_tee_result(lmd_res); 280 goto out; 281 } 282 283 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 284 offset = 0; 285 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 286 offset++; 287 288 if (*dst_len < rsa.len - offset) { 289 *dst_len = rsa.len - offset; 290 res = TEE_ERROR_SHORT_BUFFER; 291 goto out; 292 } 293 *dst_len = rsa.len - offset; 294 memcpy(dst, buf + offset, *dst_len); 295 out: 296 free(buf); 297 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 298 mbedtls_mpi_init(&rsa.E); 299 mbedtls_mpi_init(&rsa.N); 300 mbedtls_rsa_free(&rsa); 301 302 return res; 303 } 304 305 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 306 const uint8_t *src, size_t src_len, 307 uint8_t *dst, size_t *dst_len) 308 { 309 TEE_Result res = TEE_SUCCESS; 310 mbedtls_rsa_context rsa; 311 int lmd_res = 0; 312 uint8_t *buf = NULL; 313 unsigned long blen = 0; 314 unsigned long offset = 0; 315 316 memset(&rsa, 0, sizeof(rsa)); 317 rsa_init_from_key_pair(&rsa, key); 318 319 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 320 buf = malloc(blen); 321 if (!buf) { 322 res = TEE_ERROR_OUT_OF_MEMORY; 323 goto out; 324 } 325 326 memset(buf, 0, blen); 327 memcpy(buf + rsa.len - src_len, src, src_len); 328 329 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 330 if (lmd_res != 0) { 331 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 332 res = get_tee_result(lmd_res); 333 goto out; 334 } 335 336 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 337 offset = 0; 338 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 339 offset++; 340 341 if (*dst_len < rsa.len - offset) { 342 *dst_len = rsa.len - offset; 343 res = TEE_ERROR_SHORT_BUFFER; 344 goto out; 345 } 346 *dst_len = rsa.len - offset; 347 memcpy(dst, (char *)buf + offset, *dst_len); 348 out: 349 if (buf) 350 free(buf); 351 mbd_rsa_free(&rsa); 352 return res; 353 } 354 355 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 356 const uint8_t *label __unused, 357 size_t label_len __unused, 358 const uint8_t *src, size_t src_len, 359 uint8_t *dst, size_t *dst_len) 360 { 361 TEE_Result res = TEE_SUCCESS; 362 int lmd_res = 0; 363 int lmd_padding = 0; 364 size_t blen = 0; 365 size_t mod_size = 0; 366 void *buf = NULL; 367 mbedtls_rsa_context rsa; 368 const mbedtls_pk_info_t *pk_info = NULL; 369 uint32_t md_algo = MBEDTLS_MD_NONE; 370 371 memset(&rsa, 0, sizeof(rsa)); 372 rsa_init_from_key_pair(&rsa, key); 373 374 /* 375 * Use a temporary buffer since we don't know exactly how large 376 * the required size of the out buffer without doing a partial 377 * decrypt. We know the upper bound though. 378 */ 379 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 380 mod_size = crypto_bignum_num_bytes(key->n); 381 blen = mod_size - 11; 382 lmd_padding = MBEDTLS_RSA_PKCS_V15; 383 } else { 384 /* Decoded message is always shorter than encrypted message */ 385 blen = src_len; 386 lmd_padding = MBEDTLS_RSA_PKCS_V21; 387 } 388 389 buf = malloc(blen); 390 if (!buf) { 391 res = TEE_ERROR_OUT_OF_MEMORY; 392 goto out; 393 } 394 395 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 396 if (!pk_info) { 397 res = TEE_ERROR_NOT_SUPPORTED; 398 goto out; 399 } 400 401 /* 402 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 403 * not be used in rsa, so skip it here. 404 */ 405 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 406 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 407 if (md_algo == MBEDTLS_MD_NONE) { 408 res = TEE_ERROR_NOT_SUPPORTED; 409 goto out; 410 } 411 } 412 413 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 414 415 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 416 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 417 blen, NULL, NULL); 418 else 419 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 420 blen, mbd_rand, NULL); 421 if (lmd_res != 0) { 422 FMSG("decrypt_func() returned 0x%x", -lmd_res); 423 res = get_tee_result(lmd_res); 424 goto out; 425 } 426 427 if (*dst_len < blen) { 428 *dst_len = blen; 429 res = TEE_ERROR_SHORT_BUFFER; 430 goto out; 431 } 432 433 res = TEE_SUCCESS; 434 *dst_len = blen; 435 memcpy(dst, buf, blen); 436 out: 437 if (buf) 438 free(buf); 439 mbd_rsa_free(&rsa); 440 return res; 441 } 442 443 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 444 struct rsa_public_key *key, 445 const uint8_t *label __unused, 446 size_t label_len __unused, 447 const uint8_t *src, size_t src_len, 448 uint8_t *dst, size_t *dst_len) 449 { 450 TEE_Result res = TEE_SUCCESS; 451 int lmd_res = 0; 452 int lmd_padding = 0; 453 size_t mod_size = 0; 454 mbedtls_rsa_context rsa; 455 const mbedtls_pk_info_t *pk_info = NULL; 456 uint32_t md_algo = MBEDTLS_MD_NONE; 457 458 memset(&rsa, 0, sizeof(rsa)); 459 mbedtls_rsa_init(&rsa, 0, 0); 460 461 rsa.E = *(mbedtls_mpi *)key->e; 462 rsa.N = *(mbedtls_mpi *)key->n; 463 464 mod_size = crypto_bignum_num_bytes(key->n); 465 if (*dst_len < mod_size) { 466 *dst_len = mod_size; 467 res = TEE_ERROR_SHORT_BUFFER; 468 goto out; 469 } 470 *dst_len = mod_size; 471 rsa.len = mod_size; 472 473 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 474 lmd_padding = MBEDTLS_RSA_PKCS_V15; 475 else 476 lmd_padding = MBEDTLS_RSA_PKCS_V21; 477 478 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 479 if (!pk_info) { 480 res = TEE_ERROR_NOT_SUPPORTED; 481 goto out; 482 } 483 484 /* 485 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 486 * not be used in rsa, so skip it here. 487 */ 488 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 489 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 490 if (md_algo == MBEDTLS_MD_NONE) { 491 res = TEE_ERROR_NOT_SUPPORTED; 492 goto out; 493 } 494 } 495 496 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 497 498 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 499 *dst_len, mbd_rand, NULL); 500 if (lmd_res != 0) { 501 FMSG("encrypt_func() returned 0x%x", -lmd_res); 502 res = get_tee_result(lmd_res); 503 goto out; 504 } 505 res = TEE_SUCCESS; 506 out: 507 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 508 mbedtls_mpi_init(&rsa.E); 509 mbedtls_mpi_init(&rsa.N); 510 mbedtls_rsa_free(&rsa); 511 return res; 512 } 513 514 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 515 int salt_len __unused, const uint8_t *msg, 516 size_t msg_len, uint8_t *sig, 517 size_t *sig_len) 518 { 519 TEE_Result res = TEE_SUCCESS; 520 int lmd_res = 0; 521 int lmd_padding = 0; 522 size_t mod_size = 0; 523 size_t hash_size = 0; 524 mbedtls_rsa_context rsa; 525 const mbedtls_pk_info_t *pk_info = NULL; 526 uint32_t md_algo = 0; 527 528 memset(&rsa, 0, sizeof(rsa)); 529 rsa_init_from_key_pair(&rsa, key); 530 531 switch (algo) { 532 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 533 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 534 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 535 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 536 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 537 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 538 lmd_padding = MBEDTLS_RSA_PKCS_V15; 539 break; 540 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 541 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 542 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 543 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 544 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 545 lmd_padding = MBEDTLS_RSA_PKCS_V21; 546 break; 547 default: 548 res = TEE_ERROR_BAD_PARAMETERS; 549 goto err; 550 } 551 552 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 553 &hash_size); 554 if (res != TEE_SUCCESS) 555 goto err; 556 557 if (msg_len != hash_size) { 558 res = TEE_ERROR_BAD_PARAMETERS; 559 goto err; 560 } 561 562 mod_size = crypto_bignum_num_bytes(key->n); 563 if (*sig_len < mod_size) { 564 *sig_len = mod_size; 565 res = TEE_ERROR_SHORT_BUFFER; 566 goto err; 567 } 568 rsa.len = mod_size; 569 570 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 571 if (md_algo == MBEDTLS_MD_NONE) { 572 res = TEE_ERROR_NOT_SUPPORTED; 573 goto err; 574 } 575 576 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 577 if (!pk_info) { 578 res = TEE_ERROR_NOT_SUPPORTED; 579 goto err; 580 } 581 582 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 583 584 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 585 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 586 sig_len, NULL, NULL); 587 else 588 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 589 sig_len, mbd_rand, NULL); 590 if (lmd_res != 0) { 591 FMSG("sign_func failed, returned 0x%x", -lmd_res); 592 res = get_tee_result(lmd_res); 593 goto err; 594 } 595 res = TEE_SUCCESS; 596 err: 597 mbd_rsa_free(&rsa); 598 return res; 599 } 600 601 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 602 struct rsa_public_key *key, 603 int salt_len __unused, 604 const uint8_t *msg, 605 size_t msg_len, const uint8_t *sig, 606 size_t sig_len) 607 { 608 TEE_Result res = TEE_SUCCESS; 609 int lmd_res = 0; 610 int lmd_padding = 0; 611 size_t hash_size = 0; 612 size_t bigint_size = 0; 613 mbedtls_rsa_context rsa; 614 const mbedtls_pk_info_t *pk_info = NULL; 615 uint32_t md_algo = 0; 616 617 memset(&rsa, 0, sizeof(rsa)); 618 mbedtls_rsa_init(&rsa, 0, 0); 619 620 rsa.E = *(mbedtls_mpi *)key->e; 621 rsa.N = *(mbedtls_mpi *)key->n; 622 623 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 624 &hash_size); 625 if (res != TEE_SUCCESS) 626 goto err; 627 628 if (msg_len != hash_size) { 629 res = TEE_ERROR_BAD_PARAMETERS; 630 goto err; 631 } 632 633 bigint_size = crypto_bignum_num_bytes(key->n); 634 if (sig_len < bigint_size) { 635 res = TEE_ERROR_MAC_INVALID; 636 goto err; 637 } 638 639 rsa.len = bigint_size; 640 641 switch (algo) { 642 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 643 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 644 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 645 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 647 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 648 lmd_padding = MBEDTLS_RSA_PKCS_V15; 649 break; 650 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 651 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 652 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 654 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 655 lmd_padding = MBEDTLS_RSA_PKCS_V21; 656 break; 657 default: 658 res = TEE_ERROR_BAD_PARAMETERS; 659 goto err; 660 } 661 662 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 663 if (md_algo == MBEDTLS_MD_NONE) { 664 res = TEE_ERROR_NOT_SUPPORTED; 665 goto err; 666 } 667 668 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 669 if (!pk_info) { 670 res = TEE_ERROR_NOT_SUPPORTED; 671 goto err; 672 } 673 674 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 675 676 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 677 sig, sig_len); 678 if (lmd_res != 0) { 679 FMSG("verify_func failed, returned 0x%x", -lmd_res); 680 res = TEE_ERROR_SIGNATURE_INVALID; 681 goto err; 682 } 683 res = TEE_SUCCESS; 684 err: 685 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 686 mbedtls_mpi_init(&rsa.E); 687 mbedtls_mpi_init(&rsa.N); 688 mbedtls_rsa_free(&rsa); 689 return res; 690 } 691