1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbed_helpers.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 26 case MBEDTLS_ERR_RSA_INVALID_PADDING: 27 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 28 return TEE_ERROR_BAD_PARAMETERS; 29 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 30 return TEE_ERROR_SHORT_BUFFER; 31 default: 32 return TEE_ERROR_BAD_STATE; 33 } 34 } 35 36 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 37 { 38 switch (algo) { 39 #if defined(CFG_CRYPTO_SHA1) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 41 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 42 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 43 case TEE_ALG_SHA1: 44 case TEE_ALG_DSA_SHA1: 45 case TEE_ALG_HMAC_SHA1: 46 return MBEDTLS_MD_SHA1; 47 #endif 48 #if defined(CFG_CRYPTO_MD5) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 50 case TEE_ALG_MD5: 51 case TEE_ALG_HMAC_MD5: 52 return MBEDTLS_MD_MD5; 53 #endif 54 #if defined(CFG_CRYPTO_SHA224) 55 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 56 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 57 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 58 case TEE_ALG_SHA224: 59 case TEE_ALG_DSA_SHA224: 60 case TEE_ALG_HMAC_SHA224: 61 return MBEDTLS_MD_SHA224; 62 #endif 63 #if defined(CFG_CRYPTO_SHA256) 64 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 65 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 66 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 67 case TEE_ALG_SHA256: 68 case TEE_ALG_DSA_SHA256: 69 case TEE_ALG_HMAC_SHA256: 70 return MBEDTLS_MD_SHA256; 71 #endif 72 #if defined(CFG_CRYPTO_SHA384) 73 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 74 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 75 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 76 case TEE_ALG_SHA384: 77 case TEE_ALG_HMAC_SHA384: 78 return MBEDTLS_MD_SHA384; 79 #endif 80 #if defined(CFG_CRYPTO_SHA512) 81 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 82 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 83 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 84 case TEE_ALG_SHA512: 85 case TEE_ALG_HMAC_SHA512: 86 return MBEDTLS_MD_SHA512; 87 #endif 88 default: 89 return MBEDTLS_MD_NONE; 90 } 91 } 92 93 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 94 struct rsa_keypair *key) 95 { 96 mbedtls_rsa_init(rsa, 0, 0); 97 98 rsa->E = *(mbedtls_mpi *)key->e; 99 rsa->N = *(mbedtls_mpi *)key->n; 100 rsa->D = *(mbedtls_mpi *)key->d; 101 if (key->p && crypto_bignum_num_bytes(key->p)) { 102 rsa->P = *(mbedtls_mpi *)key->p; 103 rsa->Q = *(mbedtls_mpi *)key->q; 104 rsa->QP = *(mbedtls_mpi *)key->qp; 105 rsa->DP = *(mbedtls_mpi *)key->dp; 106 rsa->DQ = *(mbedtls_mpi *)key->dq; 107 } 108 rsa->len = mbedtls_mpi_size(&rsa->N); 109 } 110 111 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 112 { 113 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 114 mbedtls_mpi_init(&rsa->E); 115 mbedtls_mpi_init(&rsa->N); 116 mbedtls_mpi_init(&rsa->D); 117 if (mbedtls_mpi_size(&rsa->P)) { 118 mbedtls_mpi_init(&rsa->P); 119 mbedtls_mpi_init(&rsa->Q); 120 mbedtls_mpi_init(&rsa->QP); 121 mbedtls_mpi_init(&rsa->DP); 122 mbedtls_mpi_init(&rsa->DQ); 123 } 124 mbedtls_rsa_free(rsa); 125 } 126 127 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 128 size_t key_size_bits) 129 { 130 memset(s, 0, sizeof(*s)); 131 s->e = crypto_bignum_allocate(key_size_bits); 132 if (!s->e) 133 goto err; 134 s->d = crypto_bignum_allocate(key_size_bits); 135 if (!s->d) 136 goto err; 137 s->n = crypto_bignum_allocate(key_size_bits); 138 if (!s->n) 139 goto err; 140 s->p = crypto_bignum_allocate(key_size_bits); 141 if (!s->p) 142 goto err; 143 s->q = crypto_bignum_allocate(key_size_bits); 144 if (!s->q) 145 goto err; 146 s->qp = crypto_bignum_allocate(key_size_bits); 147 if (!s->qp) 148 goto err; 149 s->dp = crypto_bignum_allocate(key_size_bits); 150 if (!s->dp) 151 goto err; 152 s->dq = crypto_bignum_allocate(key_size_bits); 153 if (!s->dq) 154 goto err; 155 156 return TEE_SUCCESS; 157 err: 158 crypto_acipher_free_rsa_keypair(s); 159 return TEE_ERROR_OUT_OF_MEMORY; 160 } 161 162 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 163 size_t key_size_bits) 164 { 165 memset(s, 0, sizeof(*s)); 166 s->e = crypto_bignum_allocate(key_size_bits); 167 if (!s->e) 168 return TEE_ERROR_OUT_OF_MEMORY; 169 s->n = crypto_bignum_allocate(key_size_bits); 170 if (!s->n) 171 goto err; 172 return TEE_SUCCESS; 173 err: 174 crypto_bignum_free(s->e); 175 return TEE_ERROR_OUT_OF_MEMORY; 176 } 177 178 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 179 { 180 if (!s) 181 return; 182 crypto_bignum_free(s->n); 183 crypto_bignum_free(s->e); 184 } 185 186 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 187 { 188 if (!s) 189 return; 190 crypto_bignum_free(s->e); 191 crypto_bignum_free(s->d); 192 crypto_bignum_free(s->n); 193 crypto_bignum_free(s->p); 194 crypto_bignum_free(s->q); 195 crypto_bignum_free(s->qp); 196 crypto_bignum_free(s->dp); 197 crypto_bignum_free(s->dq); 198 } 199 200 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 201 { 202 TEE_Result res = TEE_SUCCESS; 203 mbedtls_rsa_context rsa; 204 int lmd_res = 0; 205 uint32_t e = 0; 206 207 memset(&rsa, 0, sizeof(rsa)); 208 mbedtls_rsa_init(&rsa, 0, 0); 209 210 /* get the public exponent */ 211 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 212 (unsigned char *)&e, sizeof(uint32_t)); 213 214 e = TEE_U32_FROM_BIG_ENDIAN(e); 215 lmd_res = mbedtls_rsa_gen_key(&rsa, mbd_rand, NULL, key_size, (int)e); 216 if (lmd_res != 0) { 217 res = get_tee_result(lmd_res); 218 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 219 res = TEE_ERROR_BAD_PARAMETERS; 220 } else { 221 /* Copy the key */ 222 crypto_bignum_copy(key->e, (void *)&rsa.E); 223 crypto_bignum_copy(key->d, (void *)&rsa.D); 224 crypto_bignum_copy(key->n, (void *)&rsa.N); 225 crypto_bignum_copy(key->p, (void *)&rsa.P); 226 227 crypto_bignum_copy(key->q, (void *)&rsa.Q); 228 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 229 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 230 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 231 232 res = TEE_SUCCESS; 233 } 234 235 mbedtls_rsa_free(&rsa); 236 237 return res; 238 } 239 240 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 241 const uint8_t *src, size_t src_len, 242 uint8_t *dst, size_t *dst_len) 243 { 244 TEE_Result res = TEE_SUCCESS; 245 mbedtls_rsa_context rsa; 246 int lmd_res = 0; 247 uint8_t *buf = NULL; 248 unsigned long blen = 0; 249 unsigned long offset = 0; 250 251 memset(&rsa, 0, sizeof(rsa)); 252 mbedtls_rsa_init(&rsa, 0, 0); 253 254 rsa.E = *(mbedtls_mpi *)key->e; 255 rsa.N = *(mbedtls_mpi *)key->n; 256 257 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 258 259 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 260 buf = malloc(blen); 261 if (!buf) { 262 res = TEE_ERROR_OUT_OF_MEMORY; 263 goto out; 264 } 265 266 memset(buf, 0, blen); 267 memcpy(buf + rsa.len - src_len, src, src_len); 268 269 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 270 if (lmd_res != 0) { 271 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 272 res = get_tee_result(lmd_res); 273 goto out; 274 } 275 276 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 277 offset = 0; 278 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 279 offset++; 280 281 if (*dst_len < rsa.len - offset) { 282 *dst_len = rsa.len - offset; 283 res = TEE_ERROR_SHORT_BUFFER; 284 goto out; 285 } 286 *dst_len = rsa.len - offset; 287 memcpy(dst, buf + offset, *dst_len); 288 out: 289 free(buf); 290 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 291 mbedtls_mpi_init(&rsa.E); 292 mbedtls_mpi_init(&rsa.N); 293 mbedtls_rsa_free(&rsa); 294 295 return res; 296 } 297 298 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 299 const uint8_t *src, size_t src_len, 300 uint8_t *dst, size_t *dst_len) 301 { 302 TEE_Result res = TEE_SUCCESS; 303 mbedtls_rsa_context rsa; 304 int lmd_res = 0; 305 uint8_t *buf = NULL; 306 unsigned long blen = 0; 307 unsigned long offset = 0; 308 309 memset(&rsa, 0, sizeof(rsa)); 310 rsa_init_from_key_pair(&rsa, key); 311 312 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 313 buf = malloc(blen); 314 if (!buf) { 315 res = TEE_ERROR_OUT_OF_MEMORY; 316 goto out; 317 } 318 319 memset(buf, 0, blen); 320 memcpy(buf + rsa.len - src_len, src, src_len); 321 322 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 323 if (lmd_res != 0) { 324 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 325 res = get_tee_result(lmd_res); 326 goto out; 327 } 328 329 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 330 offset = 0; 331 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 332 offset++; 333 334 if (*dst_len < rsa.len - offset) { 335 *dst_len = rsa.len - offset; 336 res = TEE_ERROR_SHORT_BUFFER; 337 goto out; 338 } 339 *dst_len = rsa.len - offset; 340 memcpy(dst, (char *)buf + offset, *dst_len); 341 out: 342 if (buf) 343 free(buf); 344 mbd_rsa_free(&rsa); 345 return res; 346 } 347 348 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 349 const uint8_t *label __unused, 350 size_t label_len __unused, 351 const uint8_t *src, size_t src_len, 352 uint8_t *dst, size_t *dst_len) 353 { 354 TEE_Result res = TEE_SUCCESS; 355 int lmd_res = 0; 356 int lmd_padding = 0; 357 size_t blen = 0; 358 size_t mod_size = 0; 359 void *buf = NULL; 360 mbedtls_rsa_context rsa; 361 const mbedtls_pk_info_t *pk_info = NULL; 362 uint32_t md_algo = MBEDTLS_MD_NONE; 363 364 memset(&rsa, 0, sizeof(rsa)); 365 rsa_init_from_key_pair(&rsa, key); 366 367 /* 368 * Use a temporary buffer since we don't know exactly how large 369 * the required size of the out buffer without doing a partial 370 * decrypt. We know the upper bound though. 371 */ 372 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 373 mod_size = crypto_bignum_num_bytes(key->n); 374 blen = mod_size - 11; 375 lmd_padding = MBEDTLS_RSA_PKCS_V15; 376 } else { 377 /* Decoded message is always shorter than encrypted message */ 378 blen = src_len; 379 lmd_padding = MBEDTLS_RSA_PKCS_V21; 380 } 381 382 buf = malloc(blen); 383 if (!buf) { 384 res = TEE_ERROR_OUT_OF_MEMORY; 385 goto out; 386 } 387 388 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 389 if (!pk_info) { 390 res = TEE_ERROR_NOT_SUPPORTED; 391 goto out; 392 } 393 394 /* 395 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 396 * not be used in rsa, so skip it here. 397 */ 398 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 399 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 400 if (md_algo == MBEDTLS_MD_NONE) { 401 res = TEE_ERROR_NOT_SUPPORTED; 402 goto out; 403 } 404 } 405 406 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 407 408 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 409 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 410 blen, NULL, NULL); 411 else 412 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 413 blen, mbd_rand, NULL); 414 if (lmd_res != 0) { 415 FMSG("decrypt_func() returned 0x%x", -lmd_res); 416 res = get_tee_result(lmd_res); 417 goto out; 418 } 419 420 if (*dst_len < blen) { 421 *dst_len = blen; 422 res = TEE_ERROR_SHORT_BUFFER; 423 goto out; 424 } 425 426 res = TEE_SUCCESS; 427 *dst_len = blen; 428 memcpy(dst, buf, blen); 429 out: 430 if (buf) 431 free(buf); 432 mbd_rsa_free(&rsa); 433 return res; 434 } 435 436 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 437 struct rsa_public_key *key, 438 const uint8_t *label __unused, 439 size_t label_len __unused, 440 const uint8_t *src, size_t src_len, 441 uint8_t *dst, size_t *dst_len) 442 { 443 TEE_Result res = TEE_SUCCESS; 444 int lmd_res = 0; 445 int lmd_padding = 0; 446 size_t mod_size = 0; 447 mbedtls_rsa_context rsa; 448 const mbedtls_pk_info_t *pk_info = NULL; 449 uint32_t md_algo = MBEDTLS_MD_NONE; 450 451 memset(&rsa, 0, sizeof(rsa)); 452 mbedtls_rsa_init(&rsa, 0, 0); 453 454 rsa.E = *(mbedtls_mpi *)key->e; 455 rsa.N = *(mbedtls_mpi *)key->n; 456 457 mod_size = crypto_bignum_num_bytes(key->n); 458 if (*dst_len < mod_size) { 459 *dst_len = mod_size; 460 res = TEE_ERROR_SHORT_BUFFER; 461 goto out; 462 } 463 *dst_len = mod_size; 464 rsa.len = mod_size; 465 466 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 467 lmd_padding = MBEDTLS_RSA_PKCS_V15; 468 else 469 lmd_padding = MBEDTLS_RSA_PKCS_V21; 470 471 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 472 if (!pk_info) { 473 res = TEE_ERROR_NOT_SUPPORTED; 474 goto out; 475 } 476 477 /* 478 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 479 * not be used in rsa, so skip it here. 480 */ 481 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 482 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 483 if (md_algo == MBEDTLS_MD_NONE) { 484 res = TEE_ERROR_NOT_SUPPORTED; 485 goto out; 486 } 487 } 488 489 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 490 491 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 492 *dst_len, mbd_rand, NULL); 493 if (lmd_res != 0) { 494 FMSG("encrypt_func() returned 0x%x", -lmd_res); 495 res = get_tee_result(lmd_res); 496 goto out; 497 } 498 res = TEE_SUCCESS; 499 out: 500 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 501 mbedtls_mpi_init(&rsa.E); 502 mbedtls_mpi_init(&rsa.N); 503 mbedtls_rsa_free(&rsa); 504 return res; 505 } 506 507 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 508 int salt_len __unused, const uint8_t *msg, 509 size_t msg_len, uint8_t *sig, 510 size_t *sig_len) 511 { 512 TEE_Result res = TEE_SUCCESS; 513 int lmd_res = 0; 514 int lmd_padding = 0; 515 size_t mod_size = 0; 516 size_t hash_size = 0; 517 mbedtls_rsa_context rsa; 518 const mbedtls_pk_info_t *pk_info = NULL; 519 uint32_t md_algo = 0; 520 521 memset(&rsa, 0, sizeof(rsa)); 522 rsa_init_from_key_pair(&rsa, key); 523 524 switch (algo) { 525 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 526 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 527 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 528 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 529 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 530 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 531 lmd_padding = MBEDTLS_RSA_PKCS_V15; 532 break; 533 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 534 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 535 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 536 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 537 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 538 lmd_padding = MBEDTLS_RSA_PKCS_V21; 539 break; 540 default: 541 res = TEE_ERROR_BAD_PARAMETERS; 542 goto err; 543 } 544 545 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 546 &hash_size); 547 if (res != TEE_SUCCESS) 548 goto err; 549 550 if (msg_len != hash_size) { 551 res = TEE_ERROR_BAD_PARAMETERS; 552 goto err; 553 } 554 555 mod_size = crypto_bignum_num_bytes(key->n); 556 if (*sig_len < mod_size) { 557 *sig_len = mod_size; 558 res = TEE_ERROR_SHORT_BUFFER; 559 goto err; 560 } 561 rsa.len = mod_size; 562 563 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 564 if (md_algo == MBEDTLS_MD_NONE) { 565 res = TEE_ERROR_NOT_SUPPORTED; 566 goto err; 567 } 568 569 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 570 if (!pk_info) { 571 res = TEE_ERROR_NOT_SUPPORTED; 572 goto err; 573 } 574 575 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 576 577 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 578 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 579 sig_len, NULL, NULL); 580 else 581 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 582 sig_len, mbd_rand, NULL); 583 if (lmd_res != 0) { 584 FMSG("sign_func failed, returned 0x%x", -lmd_res); 585 res = get_tee_result(lmd_res); 586 goto err; 587 } 588 res = TEE_SUCCESS; 589 err: 590 mbd_rsa_free(&rsa); 591 return res; 592 } 593 594 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 595 struct rsa_public_key *key, 596 int salt_len __unused, 597 const uint8_t *msg, 598 size_t msg_len, const uint8_t *sig, 599 size_t sig_len) 600 { 601 TEE_Result res = TEE_SUCCESS; 602 int lmd_res = 0; 603 int lmd_padding = 0; 604 size_t hash_size = 0; 605 size_t bigint_size = 0; 606 mbedtls_rsa_context rsa; 607 const mbedtls_pk_info_t *pk_info = NULL; 608 uint32_t md_algo = 0; 609 610 memset(&rsa, 0, sizeof(rsa)); 611 mbedtls_rsa_init(&rsa, 0, 0); 612 613 rsa.E = *(mbedtls_mpi *)key->e; 614 rsa.N = *(mbedtls_mpi *)key->n; 615 616 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 617 &hash_size); 618 if (res != TEE_SUCCESS) 619 goto err; 620 621 if (msg_len != hash_size) { 622 res = TEE_ERROR_BAD_PARAMETERS; 623 goto err; 624 } 625 626 bigint_size = crypto_bignum_num_bytes(key->n); 627 if (sig_len < bigint_size) { 628 res = TEE_ERROR_MAC_INVALID; 629 goto err; 630 } 631 632 rsa.len = bigint_size; 633 634 switch (algo) { 635 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 636 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 637 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 638 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 639 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 640 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 641 lmd_padding = MBEDTLS_RSA_PKCS_V15; 642 break; 643 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 644 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 645 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 646 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 647 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 648 lmd_padding = MBEDTLS_RSA_PKCS_V21; 649 break; 650 default: 651 res = TEE_ERROR_BAD_PARAMETERS; 652 goto err; 653 } 654 655 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 656 if (md_algo == MBEDTLS_MD_NONE) { 657 res = TEE_ERROR_NOT_SUPPORTED; 658 goto err; 659 } 660 661 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 662 if (!pk_info) { 663 res = TEE_ERROR_NOT_SUPPORTED; 664 goto err; 665 } 666 667 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 668 669 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 670 sig, sig_len); 671 if (lmd_res != 0) { 672 FMSG("verify_func failed, returned 0x%x", -lmd_res); 673 res = TEE_ERROR_SIGNATURE_INVALID; 674 goto err; 675 } 676 res = TEE_SUCCESS; 677 err: 678 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 679 mbedtls_mpi_init(&rsa.E); 680 mbedtls_mpi_init(&rsa.N); 681 mbedtls_rsa_free(&rsa); 682 return res; 683 } 684