1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbd_rand.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 26 case MBEDTLS_ERR_RSA_INVALID_PADDING: 27 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 28 return TEE_ERROR_BAD_PARAMETERS; 29 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 30 return TEE_ERROR_SHORT_BUFFER; 31 default: 32 return TEE_ERROR_BAD_STATE; 33 } 34 } 35 36 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 37 { 38 switch (algo) { 39 #if defined(CFG_CRYPTO_SHA1) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 41 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 42 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 43 case TEE_ALG_SHA1: 44 case TEE_ALG_DSA_SHA1: 45 case TEE_ALG_HMAC_SHA1: 46 return MBEDTLS_MD_SHA1; 47 #endif 48 #if defined(CFG_CRYPTO_MD5) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 50 case TEE_ALG_MD5: 51 case TEE_ALG_HMAC_MD5: 52 return MBEDTLS_MD_MD5; 53 #endif 54 #if defined(CFG_CRYPTO_SHA224) 55 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 56 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 57 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 58 case TEE_ALG_SHA224: 59 case TEE_ALG_DSA_SHA224: 60 case TEE_ALG_HMAC_SHA224: 61 return MBEDTLS_MD_SHA224; 62 #endif 63 #if defined(CFG_CRYPTO_SHA256) 64 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 65 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 66 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 67 case TEE_ALG_SHA256: 68 case TEE_ALG_DSA_SHA256: 69 case TEE_ALG_HMAC_SHA256: 70 return MBEDTLS_MD_SHA256; 71 #endif 72 #if defined(CFG_CRYPTO_SHA384) 73 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 74 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 75 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 76 case TEE_ALG_SHA384: 77 case TEE_ALG_HMAC_SHA384: 78 return MBEDTLS_MD_SHA384; 79 #endif 80 #if defined(CFG_CRYPTO_SHA512) 81 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 82 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 83 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 84 case TEE_ALG_SHA512: 85 case TEE_ALG_HMAC_SHA512: 86 return MBEDTLS_MD_SHA512; 87 #endif 88 default: 89 return MBEDTLS_MD_NONE; 90 } 91 } 92 93 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 94 struct rsa_keypair *key) 95 { 96 mbedtls_rsa_init(rsa, 0, 0); 97 98 rsa->E = *(mbedtls_mpi *)key->e; 99 rsa->N = *(mbedtls_mpi *)key->n; 100 rsa->D = *(mbedtls_mpi *)key->d; 101 if (key->p && crypto_bignum_num_bytes(key->p)) { 102 rsa->P = *(mbedtls_mpi *)key->p; 103 rsa->Q = *(mbedtls_mpi *)key->q; 104 rsa->QP = *(mbedtls_mpi *)key->qp; 105 rsa->DP = *(mbedtls_mpi *)key->dp; 106 rsa->DQ = *(mbedtls_mpi *)key->dq; 107 } 108 rsa->len = mbedtls_mpi_size(&rsa->N); 109 } 110 111 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 112 { 113 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 114 mbedtls_mpi_init(&rsa->E); 115 mbedtls_mpi_init(&rsa->N); 116 mbedtls_mpi_init(&rsa->D); 117 if (mbedtls_mpi_size(&rsa->P)) { 118 mbedtls_mpi_init(&rsa->P); 119 mbedtls_mpi_init(&rsa->Q); 120 mbedtls_mpi_init(&rsa->QP); 121 mbedtls_mpi_init(&rsa->DP); 122 mbedtls_mpi_init(&rsa->DQ); 123 } 124 mbedtls_rsa_free(rsa); 125 } 126 127 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 128 size_t key_size_bits) 129 { 130 memset(s, 0, sizeof(*s)); 131 s->e = crypto_bignum_allocate(key_size_bits); 132 if (!s->e) 133 goto err; 134 s->d = crypto_bignum_allocate(key_size_bits); 135 if (!s->d) 136 goto err; 137 s->n = crypto_bignum_allocate(key_size_bits); 138 if (!s->n) 139 goto err; 140 s->p = crypto_bignum_allocate(key_size_bits); 141 if (!s->p) 142 goto err; 143 s->q = crypto_bignum_allocate(key_size_bits); 144 if (!s->q) 145 goto err; 146 s->qp = crypto_bignum_allocate(key_size_bits); 147 if (!s->qp) 148 goto err; 149 s->dp = crypto_bignum_allocate(key_size_bits); 150 if (!s->dp) 151 goto err; 152 s->dq = crypto_bignum_allocate(key_size_bits); 153 if (!s->dq) 154 goto err; 155 156 return TEE_SUCCESS; 157 err: 158 crypto_bignum_free(s->e); 159 crypto_bignum_free(s->d); 160 crypto_bignum_free(s->n); 161 crypto_bignum_free(s->p); 162 crypto_bignum_free(s->q); 163 crypto_bignum_free(s->qp); 164 crypto_bignum_free(s->dp); 165 166 return TEE_ERROR_OUT_OF_MEMORY; 167 } 168 169 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 170 size_t key_size_bits) 171 { 172 memset(s, 0, sizeof(*s)); 173 s->e = crypto_bignum_allocate(key_size_bits); 174 if (!s->e) 175 return TEE_ERROR_OUT_OF_MEMORY; 176 s->n = crypto_bignum_allocate(key_size_bits); 177 if (!s->n) 178 goto err; 179 return TEE_SUCCESS; 180 err: 181 crypto_bignum_free(s->e); 182 return TEE_ERROR_OUT_OF_MEMORY; 183 } 184 185 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 186 { 187 if (!s) 188 return; 189 crypto_bignum_free(s->n); 190 crypto_bignum_free(s->e); 191 } 192 193 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 194 { 195 if (!s) 196 return; 197 crypto_bignum_free(s->e); 198 crypto_bignum_free(s->d); 199 crypto_bignum_free(s->n); 200 crypto_bignum_free(s->p); 201 crypto_bignum_free(s->q); 202 crypto_bignum_free(s->qp); 203 crypto_bignum_free(s->dp); 204 } 205 206 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 207 { 208 TEE_Result res = TEE_SUCCESS; 209 mbedtls_rsa_context rsa; 210 int lmd_res = 0; 211 uint32_t e = 0; 212 213 memset(&rsa, 0, sizeof(rsa)); 214 mbedtls_rsa_init(&rsa, 0, 0); 215 216 /* get the public exponent */ 217 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 218 (unsigned char *)&e, sizeof(uint32_t)); 219 220 e = TEE_U32_FROM_BIG_ENDIAN(e); 221 lmd_res = mbedtls_rsa_gen_key(&rsa, mbd_rand, NULL, key_size, (int)e); 222 if (lmd_res != 0) { 223 res = get_tee_result(lmd_res); 224 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 225 res = TEE_ERROR_BAD_PARAMETERS; 226 } else { 227 /* Copy the key */ 228 crypto_bignum_copy(key->e, (void *)&rsa.E); 229 crypto_bignum_copy(key->d, (void *)&rsa.D); 230 crypto_bignum_copy(key->n, (void *)&rsa.N); 231 crypto_bignum_copy(key->p, (void *)&rsa.P); 232 233 crypto_bignum_copy(key->q, (void *)&rsa.Q); 234 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 235 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 236 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 237 238 res = TEE_SUCCESS; 239 } 240 241 mbedtls_rsa_free(&rsa); 242 243 return res; 244 } 245 246 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 247 const uint8_t *src, size_t src_len, 248 uint8_t *dst, size_t *dst_len) 249 { 250 TEE_Result res = TEE_SUCCESS; 251 mbedtls_rsa_context rsa; 252 int lmd_res = 0; 253 uint8_t *buf = NULL; 254 unsigned long blen = 0; 255 unsigned long offset = 0; 256 257 memset(&rsa, 0, sizeof(rsa)); 258 mbedtls_rsa_init(&rsa, 0, 0); 259 260 rsa.E = *(mbedtls_mpi *)key->e; 261 rsa.N = *(mbedtls_mpi *)key->n; 262 263 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 264 265 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 266 buf = malloc(blen); 267 if (!buf) { 268 res = TEE_ERROR_OUT_OF_MEMORY; 269 goto out; 270 } 271 272 memset(buf, 0, blen); 273 memcpy(buf + rsa.len - src_len, src, src_len); 274 275 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 276 if (lmd_res != 0) { 277 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 278 res = get_tee_result(lmd_res); 279 goto out; 280 } 281 282 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 283 offset = 0; 284 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 285 offset++; 286 287 if (*dst_len < rsa.len - offset) { 288 *dst_len = rsa.len - offset; 289 res = TEE_ERROR_SHORT_BUFFER; 290 goto out; 291 } 292 *dst_len = rsa.len - offset; 293 memcpy(dst, buf + offset, *dst_len); 294 out: 295 free(buf); 296 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 297 mbedtls_mpi_init(&rsa.E); 298 mbedtls_mpi_init(&rsa.N); 299 mbedtls_rsa_free(&rsa); 300 301 return res; 302 } 303 304 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 305 const uint8_t *src, size_t src_len, 306 uint8_t *dst, size_t *dst_len) 307 { 308 TEE_Result res = TEE_SUCCESS; 309 mbedtls_rsa_context rsa; 310 int lmd_res = 0; 311 uint8_t *buf = NULL; 312 unsigned long blen = 0; 313 unsigned long offset = 0; 314 315 memset(&rsa, 0, sizeof(rsa)); 316 rsa_init_from_key_pair(&rsa, key); 317 318 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 319 buf = malloc(blen); 320 if (!buf) { 321 res = TEE_ERROR_OUT_OF_MEMORY; 322 goto out; 323 } 324 325 memset(buf, 0, blen); 326 memcpy(buf + rsa.len - src_len, src, src_len); 327 328 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 329 if (lmd_res != 0) { 330 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 331 res = get_tee_result(lmd_res); 332 goto out; 333 } 334 335 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 336 offset = 0; 337 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 338 offset++; 339 340 if (*dst_len < rsa.len - offset) { 341 *dst_len = rsa.len - offset; 342 res = TEE_ERROR_SHORT_BUFFER; 343 goto out; 344 } 345 *dst_len = rsa.len - offset; 346 memcpy(dst, (char *)buf + offset, *dst_len); 347 out: 348 if (buf) 349 free(buf); 350 mbd_rsa_free(&rsa); 351 return res; 352 } 353 354 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 355 const uint8_t *label __unused, 356 size_t label_len __unused, 357 const uint8_t *src, size_t src_len, 358 uint8_t *dst, size_t *dst_len) 359 { 360 TEE_Result res = TEE_SUCCESS; 361 int lmd_res = 0; 362 int lmd_padding = 0; 363 size_t blen = 0; 364 size_t mod_size = 0; 365 void *buf = NULL; 366 mbedtls_rsa_context rsa; 367 const mbedtls_pk_info_t *pk_info = NULL; 368 uint32_t md_algo = MBEDTLS_MD_NONE; 369 370 memset(&rsa, 0, sizeof(rsa)); 371 rsa_init_from_key_pair(&rsa, key); 372 373 /* 374 * Use a temporary buffer since we don't know exactly how large 375 * the required size of the out buffer without doing a partial 376 * decrypt. We know the upper bound though. 377 */ 378 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 379 mod_size = crypto_bignum_num_bytes(key->n); 380 blen = mod_size - 11; 381 lmd_padding = MBEDTLS_RSA_PKCS_V15; 382 } else { 383 /* Decoded message is always shorter than encrypted message */ 384 blen = src_len; 385 lmd_padding = MBEDTLS_RSA_PKCS_V21; 386 } 387 388 buf = malloc(blen); 389 if (!buf) { 390 res = TEE_ERROR_OUT_OF_MEMORY; 391 goto out; 392 } 393 394 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 395 if (!pk_info) { 396 res = TEE_ERROR_NOT_SUPPORTED; 397 goto out; 398 } 399 400 /* 401 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 402 * not be used in rsa, so skip it here. 403 */ 404 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 405 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 406 if (md_algo == MBEDTLS_MD_NONE) { 407 res = TEE_ERROR_NOT_SUPPORTED; 408 goto out; 409 } 410 } 411 412 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 413 414 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 415 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 416 blen, NULL, NULL); 417 else 418 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 419 blen, mbd_rand, NULL); 420 if (lmd_res != 0) { 421 FMSG("decrypt_func() returned 0x%x", -lmd_res); 422 res = get_tee_result(lmd_res); 423 goto out; 424 } 425 426 if (*dst_len < blen) { 427 *dst_len = blen; 428 res = TEE_ERROR_SHORT_BUFFER; 429 goto out; 430 } 431 432 res = TEE_SUCCESS; 433 *dst_len = blen; 434 memcpy(dst, buf, blen); 435 out: 436 if (buf) 437 free(buf); 438 mbd_rsa_free(&rsa); 439 return res; 440 } 441 442 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 443 struct rsa_public_key *key, 444 const uint8_t *label __unused, 445 size_t label_len __unused, 446 const uint8_t *src, size_t src_len, 447 uint8_t *dst, size_t *dst_len) 448 { 449 TEE_Result res = TEE_SUCCESS; 450 int lmd_res = 0; 451 int lmd_padding = 0; 452 size_t mod_size = 0; 453 mbedtls_rsa_context rsa; 454 const mbedtls_pk_info_t *pk_info = NULL; 455 uint32_t md_algo = MBEDTLS_MD_NONE; 456 457 memset(&rsa, 0, sizeof(rsa)); 458 mbedtls_rsa_init(&rsa, 0, 0); 459 460 rsa.E = *(mbedtls_mpi *)key->e; 461 rsa.N = *(mbedtls_mpi *)key->n; 462 463 mod_size = crypto_bignum_num_bytes(key->n); 464 if (*dst_len < mod_size) { 465 *dst_len = mod_size; 466 res = TEE_ERROR_SHORT_BUFFER; 467 goto out; 468 } 469 *dst_len = mod_size; 470 rsa.len = mod_size; 471 472 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 473 lmd_padding = MBEDTLS_RSA_PKCS_V15; 474 else 475 lmd_padding = MBEDTLS_RSA_PKCS_V21; 476 477 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 478 if (!pk_info) { 479 res = TEE_ERROR_NOT_SUPPORTED; 480 goto out; 481 } 482 483 /* 484 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 485 * not be used in rsa, so skip it here. 486 */ 487 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 488 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 489 if (md_algo == MBEDTLS_MD_NONE) { 490 res = TEE_ERROR_NOT_SUPPORTED; 491 goto out; 492 } 493 } 494 495 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 496 497 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 498 *dst_len, mbd_rand, NULL); 499 if (lmd_res != 0) { 500 FMSG("encrypt_func() returned 0x%x", -lmd_res); 501 res = get_tee_result(lmd_res); 502 goto out; 503 } 504 res = TEE_SUCCESS; 505 out: 506 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 507 mbedtls_mpi_init(&rsa.E); 508 mbedtls_mpi_init(&rsa.N); 509 mbedtls_rsa_free(&rsa); 510 return res; 511 } 512 513 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 514 int salt_len __unused, const uint8_t *msg, 515 size_t msg_len, uint8_t *sig, 516 size_t *sig_len) 517 { 518 TEE_Result res = TEE_SUCCESS; 519 int lmd_res = 0; 520 int lmd_padding = 0; 521 size_t mod_size = 0; 522 size_t hash_size = 0; 523 mbedtls_rsa_context rsa; 524 const mbedtls_pk_info_t *pk_info = NULL; 525 uint32_t md_algo = 0; 526 527 memset(&rsa, 0, sizeof(rsa)); 528 rsa_init_from_key_pair(&rsa, key); 529 530 switch (algo) { 531 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 532 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 533 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 534 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 535 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 536 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 537 lmd_padding = MBEDTLS_RSA_PKCS_V15; 538 break; 539 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 540 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 541 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 542 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 543 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 544 lmd_padding = MBEDTLS_RSA_PKCS_V21; 545 break; 546 default: 547 res = TEE_ERROR_BAD_PARAMETERS; 548 goto err; 549 } 550 551 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 552 &hash_size); 553 if (res != TEE_SUCCESS) 554 goto err; 555 556 if (msg_len != hash_size) { 557 res = TEE_ERROR_BAD_PARAMETERS; 558 goto err; 559 } 560 561 mod_size = crypto_bignum_num_bytes(key->n); 562 if (*sig_len < mod_size) { 563 *sig_len = mod_size; 564 res = TEE_ERROR_SHORT_BUFFER; 565 goto err; 566 } 567 rsa.len = mod_size; 568 569 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 570 if (md_algo == MBEDTLS_MD_NONE) { 571 res = TEE_ERROR_NOT_SUPPORTED; 572 goto err; 573 } 574 575 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 576 if (!pk_info) { 577 res = TEE_ERROR_NOT_SUPPORTED; 578 goto err; 579 } 580 581 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 582 583 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 584 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 585 sig_len, NULL, NULL); 586 else 587 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 588 sig_len, mbd_rand, NULL); 589 if (lmd_res != 0) { 590 FMSG("sign_func failed, returned 0x%x", -lmd_res); 591 res = get_tee_result(lmd_res); 592 goto err; 593 } 594 res = TEE_SUCCESS; 595 err: 596 mbd_rsa_free(&rsa); 597 return res; 598 } 599 600 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 601 struct rsa_public_key *key, 602 int salt_len __unused, 603 const uint8_t *msg, 604 size_t msg_len, const uint8_t *sig, 605 size_t sig_len) 606 { 607 TEE_Result res = TEE_SUCCESS; 608 int lmd_res = 0; 609 int lmd_padding = 0; 610 size_t hash_size = 0; 611 size_t bigint_size = 0; 612 mbedtls_rsa_context rsa; 613 const mbedtls_pk_info_t *pk_info = NULL; 614 uint32_t md_algo = 0; 615 616 memset(&rsa, 0, sizeof(rsa)); 617 mbedtls_rsa_init(&rsa, 0, 0); 618 619 rsa.E = *(mbedtls_mpi *)key->e; 620 rsa.N = *(mbedtls_mpi *)key->n; 621 622 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 623 &hash_size); 624 if (res != TEE_SUCCESS) 625 goto err; 626 627 if (msg_len != hash_size) { 628 res = TEE_ERROR_BAD_PARAMETERS; 629 goto err; 630 } 631 632 bigint_size = crypto_bignum_num_bytes(key->n); 633 if (sig_len < bigint_size) { 634 res = TEE_ERROR_MAC_INVALID; 635 goto err; 636 } 637 638 rsa.len = bigint_size; 639 640 switch (algo) { 641 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 642 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 643 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 644 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 645 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 647 lmd_padding = MBEDTLS_RSA_PKCS_V15; 648 break; 649 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 650 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 651 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 652 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 654 lmd_padding = MBEDTLS_RSA_PKCS_V21; 655 break; 656 default: 657 res = TEE_ERROR_BAD_PARAMETERS; 658 goto err; 659 } 660 661 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 662 if (md_algo == MBEDTLS_MD_NONE) { 663 res = TEE_ERROR_NOT_SUPPORTED; 664 goto err; 665 } 666 667 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 668 if (!pk_info) { 669 res = TEE_ERROR_NOT_SUPPORTED; 670 goto err; 671 } 672 673 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 674 675 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 676 sig, sig_len); 677 if (lmd_res != 0) { 678 FMSG("verify_func failed, returned 0x%x", -lmd_res); 679 res = TEE_ERROR_SIGNATURE_INVALID; 680 goto err; 681 } 682 res = TEE_SUCCESS; 683 err: 684 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 685 mbedtls_mpi_init(&rsa.E); 686 mbedtls_mpi_init(&rsa.N); 687 mbedtls_rsa_free(&rsa); 688 return res; 689 } 690