1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <crypto/crypto_impl.h> 10 #include <mbedtls/ctr_drbg.h> 11 #include <mbedtls/entropy.h> 12 #include <mbedtls/pk.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 #include <fault_mitigation.h> 18 19 #include "mbed_helpers.h" 20 #include "../mbedtls/library/pk_wrap.h" 21 #include "../mbedtls/library/rsa_alt_helpers.h" 22 23 static TEE_Result get_tee_result(int lmd_res) 24 { 25 switch (lmd_res) { 26 case 0: 27 return TEE_SUCCESS; 28 case MBEDTLS_ERR_RSA_PRIVATE_FAILED + 29 MBEDTLS_ERR_MPI_BAD_INPUT_DATA: 30 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 31 case MBEDTLS_ERR_RSA_INVALID_PADDING: 32 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 33 return TEE_ERROR_BAD_PARAMETERS; 34 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 35 return TEE_ERROR_SHORT_BUFFER; 36 default: 37 return TEE_ERROR_BAD_STATE; 38 } 39 } 40 41 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 42 { 43 switch (algo) { 44 #if defined(CFG_CRYPTO_SHA1) 45 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 46 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 47 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 48 case TEE_ALG_SHA1: 49 case TEE_ALG_DSA_SHA1: 50 case TEE_ALG_HMAC_SHA1: 51 return MBEDTLS_MD_SHA1; 52 #endif 53 #if defined(CFG_CRYPTO_MD5) 54 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 55 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 56 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5: 57 case TEE_ALG_MD5: 58 case TEE_ALG_HMAC_MD5: 59 return MBEDTLS_MD_MD5; 60 #endif 61 #if defined(CFG_CRYPTO_SHA224) 62 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 63 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 64 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 65 case TEE_ALG_SHA224: 66 case TEE_ALG_DSA_SHA224: 67 case TEE_ALG_HMAC_SHA224: 68 return MBEDTLS_MD_SHA224; 69 #endif 70 #if defined(CFG_CRYPTO_SHA256) 71 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 72 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 73 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 74 case TEE_ALG_SHA256: 75 case TEE_ALG_DSA_SHA256: 76 case TEE_ALG_HMAC_SHA256: 77 return MBEDTLS_MD_SHA256; 78 #endif 79 #if defined(CFG_CRYPTO_SHA384) 80 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 81 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 82 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 83 case TEE_ALG_SHA384: 84 case TEE_ALG_HMAC_SHA384: 85 return MBEDTLS_MD_SHA384; 86 #endif 87 #if defined(CFG_CRYPTO_SHA512) 88 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 89 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 90 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 91 case TEE_ALG_SHA512: 92 case TEE_ALG_HMAC_SHA512: 93 return MBEDTLS_MD_SHA512; 94 #endif 95 default: 96 return MBEDTLS_MD_NONE; 97 } 98 } 99 100 static TEE_Result rsa_init_and_complete_from_key_pair(mbedtls_rsa_context *rsa, 101 struct rsa_keypair *key) 102 { 103 int lmd_res = 0; 104 105 mbedtls_rsa_init(rsa); 106 107 rsa->E = *(mbedtls_mpi *)key->e; 108 rsa->N = *(mbedtls_mpi *)key->n; 109 rsa->D = *(mbedtls_mpi *)key->d; 110 rsa->len = mbedtls_mpi_size(&rsa->N); 111 112 if (key->p && crypto_bignum_num_bytes(key->p)) { 113 rsa->P = *(mbedtls_mpi *)key->p; 114 rsa->Q = *(mbedtls_mpi *)key->q; 115 rsa->QP = *(mbedtls_mpi *)key->qp; 116 rsa->DP = *(mbedtls_mpi *)key->dp; 117 rsa->DQ = *(mbedtls_mpi *)key->dq; 118 } else { 119 mbedtls_mpi_init_mempool(&rsa->P); 120 mbedtls_mpi_init_mempool(&rsa->Q); 121 mbedtls_mpi_init_mempool(&rsa->QP); 122 mbedtls_mpi_init_mempool(&rsa->DP); 123 mbedtls_mpi_init_mempool(&rsa->DQ); 124 125 lmd_res = mbedtls_rsa_deduce_primes(&rsa->N, &rsa->E, &rsa->D, 126 &rsa->P, &rsa->Q); 127 if (lmd_res) { 128 DMSG("mbedtls_rsa_deduce_primes() returned 0x%x", 129 -lmd_res); 130 goto err; 131 } 132 133 lmd_res = mbedtls_rsa_deduce_crt(&rsa->P, &rsa->Q, &rsa->D, 134 &rsa->DP, &rsa->DQ, &rsa->QP); 135 if (lmd_res) { 136 DMSG("mbedtls_rsa_deduce_crt() returned 0x%x", 137 -lmd_res); 138 goto err; 139 } 140 } 141 142 return TEE_SUCCESS; 143 err: 144 mbedtls_mpi_free(&rsa->P); 145 mbedtls_mpi_free(&rsa->Q); 146 mbedtls_mpi_free(&rsa->QP); 147 mbedtls_mpi_free(&rsa->DP); 148 mbedtls_mpi_free(&rsa->DQ); 149 150 return get_tee_result(lmd_res); 151 } 152 153 static void mbd_rsa_free(mbedtls_rsa_context *rsa, struct rsa_keypair *key) 154 { 155 /* 156 * The mpi's in @rsa are initialized from @key, but the primes and 157 * CRT part are generated if @key doesn't have them. When freeing 158 * we should only free the generated mpi's, the ones copied are 159 * reset instead. 160 */ 161 mbedtls_mpi_init(&rsa->E); 162 mbedtls_mpi_init(&rsa->N); 163 mbedtls_mpi_init(&rsa->D); 164 if (key->p && crypto_bignum_num_bytes(key->p)) { 165 mbedtls_mpi_init(&rsa->P); 166 mbedtls_mpi_init(&rsa->Q); 167 mbedtls_mpi_init(&rsa->QP); 168 mbedtls_mpi_init(&rsa->DP); 169 mbedtls_mpi_init(&rsa->DQ); 170 } 171 mbedtls_rsa_free(rsa); 172 } 173 174 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 175 size_t key_size_bits) 176 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair"); 177 178 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 179 size_t key_size_bits) 180 { 181 memset(s, 0, sizeof(*s)); 182 s->e = crypto_bignum_allocate(key_size_bits); 183 if (!s->e) 184 goto err; 185 s->d = crypto_bignum_allocate(key_size_bits); 186 if (!s->d) 187 goto err; 188 s->n = crypto_bignum_allocate(key_size_bits); 189 if (!s->n) 190 goto err; 191 s->p = crypto_bignum_allocate(key_size_bits); 192 if (!s->p) 193 goto err; 194 s->q = crypto_bignum_allocate(key_size_bits); 195 if (!s->q) 196 goto err; 197 s->qp = crypto_bignum_allocate(key_size_bits); 198 if (!s->qp) 199 goto err; 200 s->dp = crypto_bignum_allocate(key_size_bits); 201 if (!s->dp) 202 goto err; 203 s->dq = crypto_bignum_allocate(key_size_bits); 204 if (!s->dq) 205 goto err; 206 207 return TEE_SUCCESS; 208 err: 209 crypto_acipher_free_rsa_keypair(s); 210 return TEE_ERROR_OUT_OF_MEMORY; 211 } 212 213 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 214 size_t key_size_bits) 215 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key"); 216 217 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 218 size_t key_size_bits) 219 { 220 memset(s, 0, sizeof(*s)); 221 s->e = crypto_bignum_allocate(key_size_bits); 222 if (!s->e) 223 return TEE_ERROR_OUT_OF_MEMORY; 224 s->n = crypto_bignum_allocate(key_size_bits); 225 if (!s->n) 226 goto err; 227 return TEE_SUCCESS; 228 err: 229 crypto_bignum_free(&s->e); 230 return TEE_ERROR_OUT_OF_MEMORY; 231 } 232 233 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 234 __weak __alias("sw_crypto_acipher_free_rsa_public_key"); 235 236 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 237 { 238 if (!s) 239 return; 240 crypto_bignum_free(&s->n); 241 crypto_bignum_free(&s->e); 242 } 243 244 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 245 __weak __alias("sw_crypto_acipher_free_rsa_keypair"); 246 247 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 248 { 249 if (!s) 250 return; 251 crypto_bignum_free(&s->e); 252 crypto_bignum_free(&s->d); 253 crypto_bignum_free(&s->n); 254 crypto_bignum_free(&s->p); 255 crypto_bignum_free(&s->q); 256 crypto_bignum_free(&s->qp); 257 crypto_bignum_free(&s->dp); 258 crypto_bignum_free(&s->dq); 259 } 260 261 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 262 size_t key_size) 263 __weak __alias("sw_crypto_acipher_gen_rsa_key"); 264 265 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 266 size_t key_size) 267 { 268 TEE_Result res = TEE_SUCCESS; 269 mbedtls_rsa_context rsa; 270 mbedtls_ctr_drbg_context rngctx; 271 int lmd_res = 0; 272 uint32_t e = 0; 273 274 mbedtls_ctr_drbg_init(&rngctx); 275 if (mbedtls_ctr_drbg_seed(&rngctx, mbd_rand, NULL, NULL, 0)) 276 return TEE_ERROR_BAD_STATE; 277 278 memset(&rsa, 0, sizeof(rsa)); 279 mbedtls_rsa_init(&rsa); 280 281 /* get the public exponent */ 282 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 283 (unsigned char *)&e, sizeof(uint32_t)); 284 285 e = TEE_U32_FROM_BIG_ENDIAN(e); 286 lmd_res = mbedtls_rsa_gen_key(&rsa, mbedtls_ctr_drbg_random, &rngctx, 287 key_size, (int)e); 288 mbedtls_ctr_drbg_free(&rngctx); 289 if (lmd_res != 0) { 290 res = get_tee_result(lmd_res); 291 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 292 res = TEE_ERROR_BAD_PARAMETERS; 293 } else { 294 /* Copy the key */ 295 crypto_bignum_copy(key->e, (void *)&rsa.E); 296 crypto_bignum_copy(key->d, (void *)&rsa.D); 297 crypto_bignum_copy(key->n, (void *)&rsa.N); 298 crypto_bignum_copy(key->p, (void *)&rsa.P); 299 300 crypto_bignum_copy(key->q, (void *)&rsa.Q); 301 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 302 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 303 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 304 305 res = TEE_SUCCESS; 306 } 307 308 mbedtls_rsa_free(&rsa); 309 310 return res; 311 } 312 313 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 314 const uint8_t *src, 315 size_t src_len, uint8_t *dst, 316 size_t *dst_len) 317 __weak __alias("sw_crypto_acipher_rsanopad_encrypt"); 318 319 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 320 const uint8_t *src, 321 size_t src_len, uint8_t *dst, 322 size_t *dst_len) 323 { 324 TEE_Result res = TEE_SUCCESS; 325 mbedtls_rsa_context rsa; 326 int lmd_res = 0; 327 uint8_t *buf = NULL; 328 unsigned long blen = 0; 329 unsigned long offset = 0; 330 331 memset(&rsa, 0, sizeof(rsa)); 332 mbedtls_rsa_init(&rsa); 333 334 rsa.E = *(mbedtls_mpi *)key->e; 335 rsa.N = *(mbedtls_mpi *)key->n; 336 337 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 338 339 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 340 buf = malloc(blen); 341 if (!buf) { 342 res = TEE_ERROR_OUT_OF_MEMORY; 343 goto out; 344 } 345 346 memset(buf, 0, blen); 347 memcpy(buf + rsa.len - src_len, src, src_len); 348 349 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 350 if (lmd_res != 0) { 351 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 352 res = get_tee_result(lmd_res); 353 goto out; 354 } 355 356 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 357 offset = 0; 358 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 359 offset++; 360 361 if (*dst_len < rsa.len - offset) { 362 *dst_len = rsa.len - offset; 363 res = TEE_ERROR_SHORT_BUFFER; 364 goto out; 365 } 366 *dst_len = rsa.len - offset; 367 memcpy(dst, buf + offset, *dst_len); 368 out: 369 free(buf); 370 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 371 mbedtls_mpi_init(&rsa.E); 372 mbedtls_mpi_init(&rsa.N); 373 mbedtls_rsa_free(&rsa); 374 375 return res; 376 } 377 378 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 379 const uint8_t *src, 380 size_t src_len, uint8_t *dst, 381 size_t *dst_len) 382 __weak __alias("sw_crypto_acipher_rsanopad_decrypt"); 383 384 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 385 const uint8_t *src, 386 size_t src_len, uint8_t *dst, 387 size_t *dst_len) 388 { 389 TEE_Result res = TEE_SUCCESS; 390 mbedtls_rsa_context rsa = { }; 391 int lmd_res = 0; 392 uint8_t *buf = NULL; 393 unsigned long blen = 0; 394 unsigned long offset = 0; 395 396 res = rsa_init_and_complete_from_key_pair(&rsa, key); 397 if (res) 398 return res; 399 400 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 401 buf = malloc(blen); 402 if (!buf) { 403 res = TEE_ERROR_OUT_OF_MEMORY; 404 goto out; 405 } 406 407 memset(buf, 0, blen); 408 memcpy(buf + rsa.len - src_len, src, src_len); 409 410 lmd_res = mbedtls_rsa_private(&rsa, mbd_rand, NULL, buf, buf); 411 if (lmd_res != 0) { 412 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 413 res = get_tee_result(lmd_res); 414 goto out; 415 } 416 417 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 418 offset = 0; 419 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 420 offset++; 421 422 if (*dst_len < rsa.len - offset) { 423 *dst_len = rsa.len - offset; 424 res = TEE_ERROR_SHORT_BUFFER; 425 goto out; 426 } 427 *dst_len = rsa.len - offset; 428 memcpy(dst, (char *)buf + offset, *dst_len); 429 out: 430 if (buf) 431 free(buf); 432 mbd_rsa_free(&rsa, key); 433 return res; 434 } 435 436 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, 437 struct rsa_keypair *key, 438 const uint8_t *label __unused, 439 size_t label_len __unused, 440 uint32_t mgf_algo, 441 const uint8_t *src, size_t src_len, 442 uint8_t *dst, size_t *dst_len) 443 __weak __alias("sw_crypto_acipher_rsaes_decrypt"); 444 445 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo, 446 struct rsa_keypair *key, 447 const uint8_t *label __unused, 448 size_t label_len __unused, 449 uint32_t mgf_algo, 450 const uint8_t *src, size_t src_len, 451 uint8_t *dst, size_t *dst_len) 452 { 453 TEE_Result res = TEE_SUCCESS; 454 int lmd_res = 0; 455 int lmd_padding = 0; 456 size_t blen = 0; 457 size_t mod_size = 0; 458 void *buf = NULL; 459 mbedtls_rsa_context rsa = { }; 460 const mbedtls_pk_info_t *pk_info = NULL; 461 uint32_t md_algo = MBEDTLS_MD_NONE; 462 463 res = rsa_init_and_complete_from_key_pair(&rsa, key); 464 if (res) 465 return res; 466 467 /* 468 * Use a temporary buffer since we don't know exactly how large 469 * the required size of the out buffer without doing a partial 470 * decrypt. We know the upper bound though. 471 */ 472 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 473 mod_size = crypto_bignum_num_bytes(key->n); 474 blen = mod_size - 11; 475 lmd_padding = MBEDTLS_RSA_PKCS_V15; 476 } else { 477 /* Decoded message is always shorter than encrypted message */ 478 blen = src_len; 479 lmd_padding = MBEDTLS_RSA_PKCS_V21; 480 } 481 482 buf = malloc(blen); 483 if (!buf) { 484 res = TEE_ERROR_OUT_OF_MEMORY; 485 goto out; 486 } 487 488 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 489 if (!pk_info) { 490 res = TEE_ERROR_NOT_SUPPORTED; 491 goto out; 492 } 493 494 /* 495 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 496 * not be used in rsa, so skip it here. 497 */ 498 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 499 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 500 if (md_algo == MBEDTLS_MD_NONE) { 501 res = TEE_ERROR_NOT_SUPPORTED; 502 goto out; 503 } 504 if (md_algo != tee_algo_to_mbedtls_hash_algo(mgf_algo)) { 505 DMSG("Using a different MGF1 algorithm is not supported"); 506 res = TEE_ERROR_NOT_SUPPORTED; 507 goto out; 508 } 509 } 510 511 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 512 513 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 514 blen, mbd_rand, NULL); 515 if (lmd_res != 0) { 516 FMSG("decrypt_func() returned 0x%x", -lmd_res); 517 res = get_tee_result(lmd_res); 518 goto out; 519 } 520 521 if (*dst_len < blen) { 522 *dst_len = blen; 523 res = TEE_ERROR_SHORT_BUFFER; 524 goto out; 525 } 526 527 res = TEE_SUCCESS; 528 *dst_len = blen; 529 memcpy(dst, buf, blen); 530 out: 531 if (buf) 532 free(buf); 533 mbd_rsa_free(&rsa, key); 534 return res; 535 } 536 537 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 538 struct rsa_public_key *key, 539 const uint8_t *label __unused, 540 size_t label_len __unused, 541 uint32_t mgf_algo, 542 const uint8_t *src, size_t src_len, 543 uint8_t *dst, size_t *dst_len) 544 __weak __alias("sw_crypto_acipher_rsaes_encrypt"); 545 546 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo, 547 struct rsa_public_key *key, 548 const uint8_t *label __unused, 549 size_t label_len __unused, 550 uint32_t mgf_algo, 551 const uint8_t *src, size_t src_len, 552 uint8_t *dst, size_t *dst_len) 553 { 554 TEE_Result res = TEE_SUCCESS; 555 int lmd_res = 0; 556 int lmd_padding = 0; 557 size_t mod_size = 0; 558 mbedtls_rsa_context rsa; 559 const mbedtls_pk_info_t *pk_info = NULL; 560 uint32_t md_algo = MBEDTLS_MD_NONE; 561 562 memset(&rsa, 0, sizeof(rsa)); 563 mbedtls_rsa_init(&rsa); 564 565 rsa.E = *(mbedtls_mpi *)key->e; 566 rsa.N = *(mbedtls_mpi *)key->n; 567 568 mod_size = crypto_bignum_num_bytes(key->n); 569 if (*dst_len < mod_size) { 570 *dst_len = mod_size; 571 res = TEE_ERROR_SHORT_BUFFER; 572 goto out; 573 } 574 *dst_len = mod_size; 575 rsa.len = mod_size; 576 577 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 578 lmd_padding = MBEDTLS_RSA_PKCS_V15; 579 else 580 lmd_padding = MBEDTLS_RSA_PKCS_V21; 581 582 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 583 if (!pk_info) { 584 res = TEE_ERROR_NOT_SUPPORTED; 585 goto out; 586 } 587 588 /* 589 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 590 * not be used in rsa, so skip it here. 591 */ 592 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 593 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 594 /* Using a different MGF1 algorithm is not supported. */ 595 if (md_algo == MBEDTLS_MD_NONE || 596 md_algo != tee_algo_to_mbedtls_hash_algo(mgf_algo)) { 597 res = TEE_ERROR_NOT_SUPPORTED; 598 goto out; 599 } 600 } 601 602 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 603 604 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 605 *dst_len, mbd_rand, NULL); 606 if (lmd_res != 0) { 607 FMSG("encrypt_func() returned 0x%x", -lmd_res); 608 res = get_tee_result(lmd_res); 609 goto out; 610 } 611 res = TEE_SUCCESS; 612 out: 613 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 614 mbedtls_mpi_init(&rsa.E); 615 mbedtls_mpi_init(&rsa.N); 616 mbedtls_rsa_free(&rsa); 617 return res; 618 } 619 620 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 621 int salt_len __unused, 622 const uint8_t *msg, size_t msg_len, 623 uint8_t *sig, size_t *sig_len) 624 __weak __alias("sw_crypto_acipher_rsassa_sign"); 625 626 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 627 int salt_len __unused, 628 const uint8_t *msg, size_t msg_len, 629 uint8_t *sig, size_t *sig_len) 630 { 631 TEE_Result res = TEE_SUCCESS; 632 int lmd_res = 0; 633 int lmd_padding = 0; 634 size_t mod_size = 0; 635 size_t hash_size = 0; 636 mbedtls_rsa_context rsa = { }; 637 const mbedtls_pk_info_t *pk_info = NULL; 638 uint32_t md_algo = 0; 639 640 res = rsa_init_and_complete_from_key_pair(&rsa, key); 641 if (res) 642 return res; 643 644 switch (algo) { 645 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 647 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 648 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 649 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 650 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 651 lmd_padding = MBEDTLS_RSA_PKCS_V15; 652 break; 653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 654 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 655 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 656 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 657 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 658 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 659 lmd_padding = MBEDTLS_RSA_PKCS_V21; 660 break; 661 default: 662 res = TEE_ERROR_BAD_PARAMETERS; 663 goto err; 664 } 665 666 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 667 &hash_size); 668 if (res != TEE_SUCCESS) 669 goto err; 670 671 if (msg_len != hash_size) { 672 res = TEE_ERROR_BAD_PARAMETERS; 673 goto err; 674 } 675 676 mod_size = crypto_bignum_num_bytes(key->n); 677 if (*sig_len < mod_size) { 678 *sig_len = mod_size; 679 res = TEE_ERROR_SHORT_BUFFER; 680 goto err; 681 } 682 rsa.len = mod_size; 683 684 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 685 if (md_algo == MBEDTLS_MD_NONE) { 686 res = TEE_ERROR_NOT_SUPPORTED; 687 goto err; 688 } 689 690 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 691 if (!pk_info) { 692 res = TEE_ERROR_NOT_SUPPORTED; 693 goto err; 694 } 695 696 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 697 698 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 699 *sig_len, sig_len, mbd_rand, NULL); 700 if (lmd_res != 0) { 701 FMSG("sign_func failed, returned 0x%x", -lmd_res); 702 res = get_tee_result(lmd_res); 703 goto err; 704 } 705 res = TEE_SUCCESS; 706 err: 707 mbd_rsa_free(&rsa, key); 708 return res; 709 } 710 711 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 712 struct rsa_public_key *key, 713 int salt_len __unused, 714 const uint8_t *msg, 715 size_t msg_len, const uint8_t *sig, 716 size_t sig_len) 717 __weak __alias("sw_crypto_acipher_rsassa_verify"); 718 719 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo, 720 struct rsa_public_key *key, 721 int salt_len __unused, 722 const uint8_t *msg, 723 size_t msg_len, const uint8_t *sig, 724 size_t sig_len) 725 { 726 TEE_Result res = TEE_SUCCESS; 727 int lmd_res = 0; 728 int lmd_padding = 0; 729 size_t hash_size = 0; 730 size_t bigint_size = 0; 731 mbedtls_rsa_context rsa; 732 const mbedtls_pk_info_t *pk_info = NULL; 733 uint32_t md_algo = 0; 734 struct ftmn ftmn = { }; 735 unsigned long arg_hash = 0; 736 737 /* 738 * The caller expects to call crypto_acipher_rsassa_verify(), 739 * update the hash as needed. 740 */ 741 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify")); 742 743 memset(&rsa, 0, sizeof(rsa)); 744 mbedtls_rsa_init(&rsa); 745 746 rsa.E = *(mbedtls_mpi *)key->e; 747 rsa.N = *(mbedtls_mpi *)key->n; 748 749 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 750 &hash_size); 751 if (res != TEE_SUCCESS) 752 goto err; 753 754 if (msg_len != hash_size) { 755 res = TEE_ERROR_BAD_PARAMETERS; 756 goto err; 757 } 758 759 bigint_size = crypto_bignum_num_bytes(key->n); 760 if (sig_len < bigint_size) { 761 res = TEE_ERROR_SIGNATURE_INVALID; 762 goto err; 763 } 764 765 rsa.len = bigint_size; 766 767 switch (algo) { 768 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 769 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 770 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 771 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 772 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 773 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 774 arg_hash = FTMN_FUNC_HASH("mbedtls_rsa_rsassa_pkcs1_v15_verify"); 775 lmd_padding = MBEDTLS_RSA_PKCS_V15; 776 break; 777 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 778 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 779 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 780 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 781 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 782 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 783 arg_hash = FTMN_FUNC_HASH("mbedtls_rsa_rsassa_pss_verify_ext"); 784 lmd_padding = MBEDTLS_RSA_PKCS_V21; 785 break; 786 default: 787 res = TEE_ERROR_BAD_PARAMETERS; 788 goto err; 789 } 790 791 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 792 if (md_algo == MBEDTLS_MD_NONE) { 793 res = TEE_ERROR_NOT_SUPPORTED; 794 goto err; 795 } 796 797 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 798 if (!pk_info) { 799 res = TEE_ERROR_NOT_SUPPORTED; 800 goto err; 801 } 802 803 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 804 805 FTMN_PUSH_LINKED_CALL(&ftmn, arg_hash); 806 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 807 sig, sig_len); 808 if (!lmd_res) 809 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, lmd_res); 810 FTMN_POP_LINKED_CALL(&ftmn); 811 if (lmd_res != 0) { 812 FMSG("verify_func failed, returned 0x%x", -lmd_res); 813 res = TEE_ERROR_SIGNATURE_INVALID; 814 goto err; 815 } 816 res = TEE_SUCCESS; 817 goto out; 818 819 err: 820 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res); 821 out: 822 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res); 823 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 824 mbedtls_mpi_init(&rsa.E); 825 mbedtls_mpi_init(&rsa.N); 826 mbedtls_rsa_free(&rsa); 827 return res; 828 } 829