1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbed_helpers.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_PRIVATE_FAILED + 26 MBEDTLS_ERR_MPI_BAD_INPUT_DATA: 27 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 28 case MBEDTLS_ERR_RSA_INVALID_PADDING: 29 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 30 return TEE_ERROR_BAD_PARAMETERS; 31 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 32 return TEE_ERROR_SHORT_BUFFER; 33 default: 34 return TEE_ERROR_BAD_STATE; 35 } 36 } 37 38 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 39 { 40 switch (algo) { 41 #if defined(CFG_CRYPTO_SHA1) 42 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 45 case TEE_ALG_SHA1: 46 case TEE_ALG_DSA_SHA1: 47 case TEE_ALG_HMAC_SHA1: 48 return MBEDTLS_MD_SHA1; 49 #endif 50 #if defined(CFG_CRYPTO_MD5) 51 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 52 case TEE_ALG_MD5: 53 case TEE_ALG_HMAC_MD5: 54 return MBEDTLS_MD_MD5; 55 #endif 56 #if defined(CFG_CRYPTO_SHA224) 57 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 58 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 59 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 60 case TEE_ALG_SHA224: 61 case TEE_ALG_DSA_SHA224: 62 case TEE_ALG_HMAC_SHA224: 63 return MBEDTLS_MD_SHA224; 64 #endif 65 #if defined(CFG_CRYPTO_SHA256) 66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 69 case TEE_ALG_SHA256: 70 case TEE_ALG_DSA_SHA256: 71 case TEE_ALG_HMAC_SHA256: 72 return MBEDTLS_MD_SHA256; 73 #endif 74 #if defined(CFG_CRYPTO_SHA384) 75 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 76 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 77 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 78 case TEE_ALG_SHA384: 79 case TEE_ALG_HMAC_SHA384: 80 return MBEDTLS_MD_SHA384; 81 #endif 82 #if defined(CFG_CRYPTO_SHA512) 83 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 84 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 85 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 86 case TEE_ALG_SHA512: 87 case TEE_ALG_HMAC_SHA512: 88 return MBEDTLS_MD_SHA512; 89 #endif 90 default: 91 return MBEDTLS_MD_NONE; 92 } 93 } 94 95 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 96 struct rsa_keypair *key) 97 { 98 mbedtls_rsa_init(rsa, 0, 0); 99 100 rsa->E = *(mbedtls_mpi *)key->e; 101 rsa->N = *(mbedtls_mpi *)key->n; 102 rsa->D = *(mbedtls_mpi *)key->d; 103 if (key->p && crypto_bignum_num_bytes(key->p)) { 104 rsa->P = *(mbedtls_mpi *)key->p; 105 rsa->Q = *(mbedtls_mpi *)key->q; 106 rsa->QP = *(mbedtls_mpi *)key->qp; 107 rsa->DP = *(mbedtls_mpi *)key->dp; 108 rsa->DQ = *(mbedtls_mpi *)key->dq; 109 } 110 rsa->len = mbedtls_mpi_size(&rsa->N); 111 } 112 113 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 114 { 115 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 116 mbedtls_mpi_init(&rsa->E); 117 mbedtls_mpi_init(&rsa->N); 118 mbedtls_mpi_init(&rsa->D); 119 if (mbedtls_mpi_size(&rsa->P)) { 120 mbedtls_mpi_init(&rsa->P); 121 mbedtls_mpi_init(&rsa->Q); 122 mbedtls_mpi_init(&rsa->QP); 123 mbedtls_mpi_init(&rsa->DP); 124 mbedtls_mpi_init(&rsa->DQ); 125 } 126 mbedtls_rsa_free(rsa); 127 } 128 129 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 130 size_t key_size_bits) 131 { 132 memset(s, 0, sizeof(*s)); 133 s->e = crypto_bignum_allocate(key_size_bits); 134 if (!s->e) 135 goto err; 136 s->d = crypto_bignum_allocate(key_size_bits); 137 if (!s->d) 138 goto err; 139 s->n = crypto_bignum_allocate(key_size_bits); 140 if (!s->n) 141 goto err; 142 s->p = crypto_bignum_allocate(key_size_bits); 143 if (!s->p) 144 goto err; 145 s->q = crypto_bignum_allocate(key_size_bits); 146 if (!s->q) 147 goto err; 148 s->qp = crypto_bignum_allocate(key_size_bits); 149 if (!s->qp) 150 goto err; 151 s->dp = crypto_bignum_allocate(key_size_bits); 152 if (!s->dp) 153 goto err; 154 s->dq = crypto_bignum_allocate(key_size_bits); 155 if (!s->dq) 156 goto err; 157 158 return TEE_SUCCESS; 159 err: 160 crypto_acipher_free_rsa_keypair(s); 161 return TEE_ERROR_OUT_OF_MEMORY; 162 } 163 164 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 165 size_t key_size_bits) 166 { 167 memset(s, 0, sizeof(*s)); 168 s->e = crypto_bignum_allocate(key_size_bits); 169 if (!s->e) 170 return TEE_ERROR_OUT_OF_MEMORY; 171 s->n = crypto_bignum_allocate(key_size_bits); 172 if (!s->n) 173 goto err; 174 return TEE_SUCCESS; 175 err: 176 crypto_bignum_free(s->e); 177 return TEE_ERROR_OUT_OF_MEMORY; 178 } 179 180 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 181 { 182 if (!s) 183 return; 184 crypto_bignum_free(s->n); 185 crypto_bignum_free(s->e); 186 } 187 188 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 189 { 190 if (!s) 191 return; 192 crypto_bignum_free(s->e); 193 crypto_bignum_free(s->d); 194 crypto_bignum_free(s->n); 195 crypto_bignum_free(s->p); 196 crypto_bignum_free(s->q); 197 crypto_bignum_free(s->qp); 198 crypto_bignum_free(s->dp); 199 crypto_bignum_free(s->dq); 200 } 201 202 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 203 { 204 TEE_Result res = TEE_SUCCESS; 205 mbedtls_rsa_context rsa; 206 int lmd_res = 0; 207 uint32_t e = 0; 208 209 memset(&rsa, 0, sizeof(rsa)); 210 mbedtls_rsa_init(&rsa, 0, 0); 211 212 /* get the public exponent */ 213 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 214 (unsigned char *)&e, sizeof(uint32_t)); 215 216 e = TEE_U32_FROM_BIG_ENDIAN(e); 217 lmd_res = mbedtls_rsa_gen_key(&rsa, mbd_rand, NULL, key_size, (int)e); 218 if (lmd_res != 0) { 219 res = get_tee_result(lmd_res); 220 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 221 res = TEE_ERROR_BAD_PARAMETERS; 222 } else { 223 /* Copy the key */ 224 crypto_bignum_copy(key->e, (void *)&rsa.E); 225 crypto_bignum_copy(key->d, (void *)&rsa.D); 226 crypto_bignum_copy(key->n, (void *)&rsa.N); 227 crypto_bignum_copy(key->p, (void *)&rsa.P); 228 229 crypto_bignum_copy(key->q, (void *)&rsa.Q); 230 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 231 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 232 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 233 234 res = TEE_SUCCESS; 235 } 236 237 mbedtls_rsa_free(&rsa); 238 239 return res; 240 } 241 242 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 243 const uint8_t *src, size_t src_len, 244 uint8_t *dst, size_t *dst_len) 245 { 246 TEE_Result res = TEE_SUCCESS; 247 mbedtls_rsa_context rsa; 248 int lmd_res = 0; 249 uint8_t *buf = NULL; 250 unsigned long blen = 0; 251 unsigned long offset = 0; 252 253 memset(&rsa, 0, sizeof(rsa)); 254 mbedtls_rsa_init(&rsa, 0, 0); 255 256 rsa.E = *(mbedtls_mpi *)key->e; 257 rsa.N = *(mbedtls_mpi *)key->n; 258 259 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 260 261 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 262 buf = malloc(blen); 263 if (!buf) { 264 res = TEE_ERROR_OUT_OF_MEMORY; 265 goto out; 266 } 267 268 memset(buf, 0, blen); 269 memcpy(buf + rsa.len - src_len, src, src_len); 270 271 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 272 if (lmd_res != 0) { 273 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 274 res = get_tee_result(lmd_res); 275 goto out; 276 } 277 278 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 279 offset = 0; 280 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 281 offset++; 282 283 if (*dst_len < rsa.len - offset) { 284 *dst_len = rsa.len - offset; 285 res = TEE_ERROR_SHORT_BUFFER; 286 goto out; 287 } 288 *dst_len = rsa.len - offset; 289 memcpy(dst, buf + offset, *dst_len); 290 out: 291 free(buf); 292 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 293 mbedtls_mpi_init(&rsa.E); 294 mbedtls_mpi_init(&rsa.N); 295 mbedtls_rsa_free(&rsa); 296 297 return res; 298 } 299 300 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 301 const uint8_t *src, size_t src_len, 302 uint8_t *dst, size_t *dst_len) 303 { 304 TEE_Result res = TEE_SUCCESS; 305 mbedtls_rsa_context rsa; 306 int lmd_res = 0; 307 uint8_t *buf = NULL; 308 unsigned long blen = 0; 309 unsigned long offset = 0; 310 311 memset(&rsa, 0, sizeof(rsa)); 312 rsa_init_from_key_pair(&rsa, key); 313 314 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 315 buf = malloc(blen); 316 if (!buf) { 317 res = TEE_ERROR_OUT_OF_MEMORY; 318 goto out; 319 } 320 321 memset(buf, 0, blen); 322 memcpy(buf + rsa.len - src_len, src, src_len); 323 324 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 325 if (lmd_res != 0) { 326 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 327 res = get_tee_result(lmd_res); 328 goto out; 329 } 330 331 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 332 offset = 0; 333 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 334 offset++; 335 336 if (*dst_len < rsa.len - offset) { 337 *dst_len = rsa.len - offset; 338 res = TEE_ERROR_SHORT_BUFFER; 339 goto out; 340 } 341 *dst_len = rsa.len - offset; 342 memcpy(dst, (char *)buf + offset, *dst_len); 343 out: 344 if (buf) 345 free(buf); 346 mbd_rsa_free(&rsa); 347 return res; 348 } 349 350 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 351 const uint8_t *label __unused, 352 size_t label_len __unused, 353 const uint8_t *src, size_t src_len, 354 uint8_t *dst, size_t *dst_len) 355 { 356 TEE_Result res = TEE_SUCCESS; 357 int lmd_res = 0; 358 int lmd_padding = 0; 359 size_t blen = 0; 360 size_t mod_size = 0; 361 void *buf = NULL; 362 mbedtls_rsa_context rsa; 363 const mbedtls_pk_info_t *pk_info = NULL; 364 uint32_t md_algo = MBEDTLS_MD_NONE; 365 366 memset(&rsa, 0, sizeof(rsa)); 367 rsa_init_from_key_pair(&rsa, key); 368 369 /* 370 * Use a temporary buffer since we don't know exactly how large 371 * the required size of the out buffer without doing a partial 372 * decrypt. We know the upper bound though. 373 */ 374 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 375 mod_size = crypto_bignum_num_bytes(key->n); 376 blen = mod_size - 11; 377 lmd_padding = MBEDTLS_RSA_PKCS_V15; 378 } else { 379 /* Decoded message is always shorter than encrypted message */ 380 blen = src_len; 381 lmd_padding = MBEDTLS_RSA_PKCS_V21; 382 } 383 384 buf = malloc(blen); 385 if (!buf) { 386 res = TEE_ERROR_OUT_OF_MEMORY; 387 goto out; 388 } 389 390 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 391 if (!pk_info) { 392 res = TEE_ERROR_NOT_SUPPORTED; 393 goto out; 394 } 395 396 /* 397 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 398 * not be used in rsa, so skip it here. 399 */ 400 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 401 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 402 if (md_algo == MBEDTLS_MD_NONE) { 403 res = TEE_ERROR_NOT_SUPPORTED; 404 goto out; 405 } 406 } 407 408 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 409 410 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 411 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 412 blen, NULL, NULL); 413 else 414 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 415 blen, mbd_rand, NULL); 416 if (lmd_res != 0) { 417 FMSG("decrypt_func() returned 0x%x", -lmd_res); 418 res = get_tee_result(lmd_res); 419 goto out; 420 } 421 422 if (*dst_len < blen) { 423 *dst_len = blen; 424 res = TEE_ERROR_SHORT_BUFFER; 425 goto out; 426 } 427 428 res = TEE_SUCCESS; 429 *dst_len = blen; 430 memcpy(dst, buf, blen); 431 out: 432 if (buf) 433 free(buf); 434 mbd_rsa_free(&rsa); 435 return res; 436 } 437 438 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 439 struct rsa_public_key *key, 440 const uint8_t *label __unused, 441 size_t label_len __unused, 442 const uint8_t *src, size_t src_len, 443 uint8_t *dst, size_t *dst_len) 444 { 445 TEE_Result res = TEE_SUCCESS; 446 int lmd_res = 0; 447 int lmd_padding = 0; 448 size_t mod_size = 0; 449 mbedtls_rsa_context rsa; 450 const mbedtls_pk_info_t *pk_info = NULL; 451 uint32_t md_algo = MBEDTLS_MD_NONE; 452 453 memset(&rsa, 0, sizeof(rsa)); 454 mbedtls_rsa_init(&rsa, 0, 0); 455 456 rsa.E = *(mbedtls_mpi *)key->e; 457 rsa.N = *(mbedtls_mpi *)key->n; 458 459 mod_size = crypto_bignum_num_bytes(key->n); 460 if (*dst_len < mod_size) { 461 *dst_len = mod_size; 462 res = TEE_ERROR_SHORT_BUFFER; 463 goto out; 464 } 465 *dst_len = mod_size; 466 rsa.len = mod_size; 467 468 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 469 lmd_padding = MBEDTLS_RSA_PKCS_V15; 470 else 471 lmd_padding = MBEDTLS_RSA_PKCS_V21; 472 473 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 474 if (!pk_info) { 475 res = TEE_ERROR_NOT_SUPPORTED; 476 goto out; 477 } 478 479 /* 480 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 481 * not be used in rsa, so skip it here. 482 */ 483 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 484 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 485 if (md_algo == MBEDTLS_MD_NONE) { 486 res = TEE_ERROR_NOT_SUPPORTED; 487 goto out; 488 } 489 } 490 491 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 492 493 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 494 *dst_len, mbd_rand, NULL); 495 if (lmd_res != 0) { 496 FMSG("encrypt_func() returned 0x%x", -lmd_res); 497 res = get_tee_result(lmd_res); 498 goto out; 499 } 500 res = TEE_SUCCESS; 501 out: 502 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 503 mbedtls_mpi_init(&rsa.E); 504 mbedtls_mpi_init(&rsa.N); 505 mbedtls_rsa_free(&rsa); 506 return res; 507 } 508 509 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 510 int salt_len __unused, const uint8_t *msg, 511 size_t msg_len, uint8_t *sig, 512 size_t *sig_len) 513 { 514 TEE_Result res = TEE_SUCCESS; 515 int lmd_res = 0; 516 int lmd_padding = 0; 517 size_t mod_size = 0; 518 size_t hash_size = 0; 519 mbedtls_rsa_context rsa; 520 const mbedtls_pk_info_t *pk_info = NULL; 521 uint32_t md_algo = 0; 522 523 memset(&rsa, 0, sizeof(rsa)); 524 rsa_init_from_key_pair(&rsa, key); 525 526 switch (algo) { 527 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 528 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 529 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 530 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 531 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 532 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 533 lmd_padding = MBEDTLS_RSA_PKCS_V15; 534 break; 535 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 536 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 537 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 538 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 539 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 540 lmd_padding = MBEDTLS_RSA_PKCS_V21; 541 break; 542 default: 543 res = TEE_ERROR_BAD_PARAMETERS; 544 goto err; 545 } 546 547 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 548 &hash_size); 549 if (res != TEE_SUCCESS) 550 goto err; 551 552 if (msg_len != hash_size) { 553 res = TEE_ERROR_BAD_PARAMETERS; 554 goto err; 555 } 556 557 mod_size = crypto_bignum_num_bytes(key->n); 558 if (*sig_len < mod_size) { 559 *sig_len = mod_size; 560 res = TEE_ERROR_SHORT_BUFFER; 561 goto err; 562 } 563 rsa.len = mod_size; 564 565 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 566 if (md_algo == MBEDTLS_MD_NONE) { 567 res = TEE_ERROR_NOT_SUPPORTED; 568 goto err; 569 } 570 571 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 572 if (!pk_info) { 573 res = TEE_ERROR_NOT_SUPPORTED; 574 goto err; 575 } 576 577 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 578 579 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 580 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 581 sig_len, NULL, NULL); 582 else 583 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 584 sig_len, mbd_rand, NULL); 585 if (lmd_res != 0) { 586 FMSG("sign_func failed, returned 0x%x", -lmd_res); 587 res = get_tee_result(lmd_res); 588 goto err; 589 } 590 res = TEE_SUCCESS; 591 err: 592 mbd_rsa_free(&rsa); 593 return res; 594 } 595 596 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 597 struct rsa_public_key *key, 598 int salt_len __unused, 599 const uint8_t *msg, 600 size_t msg_len, const uint8_t *sig, 601 size_t sig_len) 602 { 603 TEE_Result res = TEE_SUCCESS; 604 int lmd_res = 0; 605 int lmd_padding = 0; 606 size_t hash_size = 0; 607 size_t bigint_size = 0; 608 mbedtls_rsa_context rsa; 609 const mbedtls_pk_info_t *pk_info = NULL; 610 uint32_t md_algo = 0; 611 612 memset(&rsa, 0, sizeof(rsa)); 613 mbedtls_rsa_init(&rsa, 0, 0); 614 615 rsa.E = *(mbedtls_mpi *)key->e; 616 rsa.N = *(mbedtls_mpi *)key->n; 617 618 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 619 &hash_size); 620 if (res != TEE_SUCCESS) 621 goto err; 622 623 if (msg_len != hash_size) { 624 res = TEE_ERROR_BAD_PARAMETERS; 625 goto err; 626 } 627 628 bigint_size = crypto_bignum_num_bytes(key->n); 629 if (sig_len < bigint_size) { 630 res = TEE_ERROR_MAC_INVALID; 631 goto err; 632 } 633 634 rsa.len = bigint_size; 635 636 switch (algo) { 637 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 638 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 639 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 640 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 641 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 642 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 643 lmd_padding = MBEDTLS_RSA_PKCS_V15; 644 break; 645 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 646 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 647 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 648 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 649 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 650 lmd_padding = MBEDTLS_RSA_PKCS_V21; 651 break; 652 default: 653 res = TEE_ERROR_BAD_PARAMETERS; 654 goto err; 655 } 656 657 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 658 if (md_algo == MBEDTLS_MD_NONE) { 659 res = TEE_ERROR_NOT_SUPPORTED; 660 goto err; 661 } 662 663 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 664 if (!pk_info) { 665 res = TEE_ERROR_NOT_SUPPORTED; 666 goto err; 667 } 668 669 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 670 671 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 672 sig, sig_len); 673 if (lmd_res != 0) { 674 FMSG("verify_func failed, returned 0x%x", -lmd_res); 675 res = TEE_ERROR_SIGNATURE_INVALID; 676 goto err; 677 } 678 res = TEE_SUCCESS; 679 err: 680 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 681 mbedtls_mpi_init(&rsa.E); 682 mbedtls_mpi_init(&rsa.N); 683 mbedtls_rsa_free(&rsa); 684 return res; 685 } 686