1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) 2018, ARM Limited 4 * Copyright (C) 2019, Linaro Limited 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto.h> 9 #include <mbedtls/ctr_drbg.h> 10 #include <mbedtls/entropy.h> 11 #include <mbedtls/pk.h> 12 #include <mbedtls/pk_internal.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <tee/tee_cryp_utl.h> 16 #include <utee_defines.h> 17 18 #include "mbd_rand.h" 19 20 static TEE_Result get_tee_result(int lmd_res) 21 { 22 switch (lmd_res) { 23 case 0: 24 return TEE_SUCCESS; 25 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 26 case MBEDTLS_ERR_RSA_INVALID_PADDING: 27 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 28 return TEE_ERROR_BAD_PARAMETERS; 29 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 30 return TEE_ERROR_SHORT_BUFFER; 31 default: 32 return TEE_ERROR_BAD_STATE; 33 } 34 } 35 36 static uint32_t tee_algo_to_mbedtls_hash_algo(uint32_t algo) 37 { 38 switch (algo) { 39 #if defined(CFG_CRYPTO_SHA1) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 41 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 42 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 43 case TEE_ALG_SHA1: 44 case TEE_ALG_DSA_SHA1: 45 case TEE_ALG_HMAC_SHA1: 46 return MBEDTLS_MD_SHA1; 47 #endif 48 #if defined(CFG_CRYPTO_MD5) 49 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 50 case TEE_ALG_MD5: 51 case TEE_ALG_HMAC_MD5: 52 return MBEDTLS_MD_MD5; 53 #endif 54 #if defined(CFG_CRYPTO_SHA224) 55 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 56 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 57 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 58 case TEE_ALG_SHA224: 59 case TEE_ALG_DSA_SHA224: 60 case TEE_ALG_HMAC_SHA224: 61 return MBEDTLS_MD_SHA224; 62 #endif 63 #if defined(CFG_CRYPTO_SHA256) 64 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 65 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 66 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 67 case TEE_ALG_SHA256: 68 case TEE_ALG_DSA_SHA256: 69 case TEE_ALG_HMAC_SHA256: 70 return MBEDTLS_MD_SHA256; 71 #endif 72 #if defined(CFG_CRYPTO_SHA384) 73 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 74 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 75 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 76 case TEE_ALG_SHA384: 77 case TEE_ALG_HMAC_SHA384: 78 return MBEDTLS_MD_SHA384; 79 #endif 80 #if defined(CFG_CRYPTO_SHA512) 81 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 82 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 83 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 84 case TEE_ALG_SHA512: 85 case TEE_ALG_HMAC_SHA512: 86 return MBEDTLS_MD_SHA512; 87 #endif 88 default: 89 return MBEDTLS_MD_NONE; 90 } 91 } 92 93 static void rsa_init_from_key_pair(mbedtls_rsa_context *rsa, 94 struct rsa_keypair *key) 95 { 96 mbedtls_rsa_init(rsa, 0, 0); 97 98 rsa->E = *(mbedtls_mpi *)key->e; 99 rsa->N = *(mbedtls_mpi *)key->n; 100 rsa->D = *(mbedtls_mpi *)key->d; 101 if (key->p && crypto_bignum_num_bytes(key->p)) { 102 rsa->P = *(mbedtls_mpi *)key->p; 103 rsa->Q = *(mbedtls_mpi *)key->q; 104 rsa->QP = *(mbedtls_mpi *)key->qp; 105 rsa->DP = *(mbedtls_mpi *)key->dp; 106 rsa->DQ = *(mbedtls_mpi *)key->dq; 107 } 108 rsa->len = mbedtls_mpi_size(&rsa->N); 109 } 110 111 static void mbd_rsa_free(mbedtls_rsa_context *rsa) 112 { 113 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 114 mbedtls_mpi_init(&rsa->E); 115 mbedtls_mpi_init(&rsa->N); 116 mbedtls_mpi_init(&rsa->D); 117 if (mbedtls_mpi_size(&rsa->P)) { 118 mbedtls_mpi_init(&rsa->P); 119 mbedtls_mpi_init(&rsa->Q); 120 mbedtls_mpi_init(&rsa->QP); 121 mbedtls_mpi_init(&rsa->DP); 122 mbedtls_mpi_init(&rsa->DQ); 123 } 124 mbedtls_rsa_free(rsa); 125 } 126 127 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 128 size_t key_size_bits) 129 { 130 memset(s, 0, sizeof(*s)); 131 s->e = crypto_bignum_allocate(key_size_bits); 132 if (!s->e) 133 goto err; 134 s->d = crypto_bignum_allocate(key_size_bits); 135 if (!s->d) 136 goto err; 137 s->n = crypto_bignum_allocate(key_size_bits); 138 if (!s->n) 139 goto err; 140 s->p = crypto_bignum_allocate(key_size_bits); 141 if (!s->p) 142 goto err; 143 s->q = crypto_bignum_allocate(key_size_bits); 144 if (!s->q) 145 goto err; 146 s->qp = crypto_bignum_allocate(key_size_bits); 147 if (!s->qp) 148 goto err; 149 s->dp = crypto_bignum_allocate(key_size_bits); 150 if (!s->dp) 151 goto err; 152 s->dq = crypto_bignum_allocate(key_size_bits); 153 if (!s->dq) 154 goto err; 155 156 return TEE_SUCCESS; 157 err: 158 crypto_bignum_free(s->e); 159 crypto_bignum_free(s->d); 160 crypto_bignum_free(s->n); 161 crypto_bignum_free(s->p); 162 crypto_bignum_free(s->q); 163 crypto_bignum_free(s->qp); 164 crypto_bignum_free(s->dp); 165 166 return TEE_ERROR_OUT_OF_MEMORY; 167 } 168 169 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 170 size_t key_size_bits) 171 { 172 memset(s, 0, sizeof(*s)); 173 s->e = crypto_bignum_allocate(key_size_bits); 174 if (!s->e) 175 return TEE_ERROR_OUT_OF_MEMORY; 176 s->n = crypto_bignum_allocate(key_size_bits); 177 if (!s->n) 178 goto err; 179 return TEE_SUCCESS; 180 err: 181 crypto_bignum_free(s->e); 182 return TEE_ERROR_OUT_OF_MEMORY; 183 } 184 185 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 186 { 187 if (!s) 188 return; 189 crypto_bignum_free(s->n); 190 crypto_bignum_free(s->e); 191 } 192 193 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size) 194 { 195 TEE_Result res = TEE_SUCCESS; 196 mbedtls_rsa_context rsa; 197 int lmd_res = 0; 198 uint32_t e = 0; 199 200 memset(&rsa, 0, sizeof(rsa)); 201 mbedtls_rsa_init(&rsa, 0, 0); 202 203 /* get the public exponent */ 204 mbedtls_mpi_write_binary((mbedtls_mpi *)key->e, 205 (unsigned char *)&e, sizeof(uint32_t)); 206 207 e = TEE_U32_FROM_BIG_ENDIAN(e); 208 lmd_res = mbedtls_rsa_gen_key(&rsa, mbd_rand, NULL, key_size, (int)e); 209 if (lmd_res != 0) { 210 res = get_tee_result(lmd_res); 211 } else if ((size_t)mbedtls_mpi_bitlen(&rsa.N) != key_size) { 212 res = TEE_ERROR_BAD_PARAMETERS; 213 } else { 214 /* Copy the key */ 215 crypto_bignum_copy(key->e, (void *)&rsa.E); 216 crypto_bignum_copy(key->d, (void *)&rsa.D); 217 crypto_bignum_copy(key->n, (void *)&rsa.N); 218 crypto_bignum_copy(key->p, (void *)&rsa.P); 219 220 crypto_bignum_copy(key->q, (void *)&rsa.Q); 221 crypto_bignum_copy(key->qp, (void *)&rsa.QP); 222 crypto_bignum_copy(key->dp, (void *)&rsa.DP); 223 crypto_bignum_copy(key->dq, (void *)&rsa.DQ); 224 225 res = TEE_SUCCESS; 226 } 227 228 mbedtls_rsa_free(&rsa); 229 230 return res; 231 } 232 233 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 234 const uint8_t *src, size_t src_len, 235 uint8_t *dst, size_t *dst_len) 236 { 237 TEE_Result res = TEE_SUCCESS; 238 mbedtls_rsa_context rsa; 239 int lmd_res = 0; 240 uint8_t *buf = NULL; 241 unsigned long blen = 0; 242 unsigned long offset = 0; 243 244 memset(&rsa, 0, sizeof(rsa)); 245 mbedtls_rsa_init(&rsa, 0, 0); 246 247 rsa.E = *(mbedtls_mpi *)key->e; 248 rsa.N = *(mbedtls_mpi *)key->n; 249 250 rsa.len = crypto_bignum_num_bytes((void *)&rsa.N); 251 252 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 253 buf = malloc(blen); 254 if (!buf) { 255 res = TEE_ERROR_OUT_OF_MEMORY; 256 goto out; 257 } 258 259 memset(buf, 0, blen); 260 memcpy(buf + rsa.len - src_len, src, src_len); 261 262 lmd_res = mbedtls_rsa_public(&rsa, buf, buf); 263 if (lmd_res != 0) { 264 FMSG("mbedtls_rsa_public() returned 0x%x", -lmd_res); 265 res = get_tee_result(lmd_res); 266 goto out; 267 } 268 269 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 270 offset = 0; 271 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 272 offset++; 273 274 if (*dst_len < rsa.len - offset) { 275 *dst_len = rsa.len - offset; 276 res = TEE_ERROR_SHORT_BUFFER; 277 goto out; 278 } 279 *dst_len = rsa.len - offset; 280 memcpy(dst, buf + offset, *dst_len); 281 out: 282 free(buf); 283 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 284 mbedtls_mpi_init(&rsa.E); 285 mbedtls_mpi_init(&rsa.N); 286 mbedtls_rsa_free(&rsa); 287 288 return res; 289 } 290 291 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 292 const uint8_t *src, size_t src_len, 293 uint8_t *dst, size_t *dst_len) 294 { 295 TEE_Result res = TEE_SUCCESS; 296 mbedtls_rsa_context rsa; 297 int lmd_res = 0; 298 uint8_t *buf = NULL; 299 unsigned long blen = 0; 300 unsigned long offset = 0; 301 302 memset(&rsa, 0, sizeof(rsa)); 303 rsa_init_from_key_pair(&rsa, key); 304 305 blen = CFG_CORE_BIGNUM_MAX_BITS / 8; 306 buf = malloc(blen); 307 if (!buf) { 308 res = TEE_ERROR_OUT_OF_MEMORY; 309 goto out; 310 } 311 312 memset(buf, 0, blen); 313 memcpy(buf + rsa.len - src_len, src, src_len); 314 315 lmd_res = mbedtls_rsa_private(&rsa, NULL, NULL, buf, buf); 316 if (lmd_res != 0) { 317 FMSG("mbedtls_rsa_private() returned 0x%x", -lmd_res); 318 res = get_tee_result(lmd_res); 319 goto out; 320 } 321 322 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 323 offset = 0; 324 while ((offset < rsa.len - 1) && (buf[offset] == 0)) 325 offset++; 326 327 if (*dst_len < rsa.len - offset) { 328 *dst_len = rsa.len - offset; 329 res = TEE_ERROR_SHORT_BUFFER; 330 goto out; 331 } 332 *dst_len = rsa.len - offset; 333 memcpy(dst, (char *)buf + offset, *dst_len); 334 out: 335 if (buf) 336 free(buf); 337 mbd_rsa_free(&rsa); 338 return res; 339 } 340 341 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 342 const uint8_t *label __unused, 343 size_t label_len __unused, 344 const uint8_t *src, size_t src_len, 345 uint8_t *dst, size_t *dst_len) 346 { 347 TEE_Result res = TEE_SUCCESS; 348 int lmd_res = 0; 349 int lmd_padding = 0; 350 size_t blen = 0; 351 size_t mod_size = 0; 352 void *buf = NULL; 353 mbedtls_rsa_context rsa; 354 const mbedtls_pk_info_t *pk_info = NULL; 355 uint32_t md_algo = MBEDTLS_MD_NONE; 356 357 memset(&rsa, 0, sizeof(rsa)); 358 rsa_init_from_key_pair(&rsa, key); 359 360 /* 361 * Use a temporary buffer since we don't know exactly how large 362 * the required size of the out buffer without doing a partial 363 * decrypt. We know the upper bound though. 364 */ 365 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 366 mod_size = crypto_bignum_num_bytes(key->n); 367 blen = mod_size - 11; 368 lmd_padding = MBEDTLS_RSA_PKCS_V15; 369 } else { 370 /* Decoded message is always shorter than encrypted message */ 371 blen = src_len; 372 lmd_padding = MBEDTLS_RSA_PKCS_V21; 373 } 374 375 buf = malloc(blen); 376 if (!buf) { 377 res = TEE_ERROR_OUT_OF_MEMORY; 378 goto out; 379 } 380 381 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 382 if (!pk_info) { 383 res = TEE_ERROR_NOT_SUPPORTED; 384 goto out; 385 } 386 387 /* 388 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 389 * not be used in rsa, so skip it here. 390 */ 391 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 392 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 393 if (md_algo == MBEDTLS_MD_NONE) { 394 res = TEE_ERROR_NOT_SUPPORTED; 395 goto out; 396 } 397 } 398 399 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 400 401 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 402 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 403 blen, NULL, NULL); 404 else 405 lmd_res = pk_info->decrypt_func(&rsa, src, src_len, buf, &blen, 406 blen, mbd_rand, NULL); 407 if (lmd_res != 0) { 408 FMSG("decrypt_func() returned 0x%x", -lmd_res); 409 res = get_tee_result(lmd_res); 410 goto out; 411 } 412 413 if (*dst_len < blen) { 414 *dst_len = blen; 415 res = TEE_ERROR_SHORT_BUFFER; 416 goto out; 417 } 418 419 res = TEE_SUCCESS; 420 *dst_len = blen; 421 memcpy(dst, buf, blen); 422 out: 423 if (buf) 424 free(buf); 425 mbd_rsa_free(&rsa); 426 return res; 427 } 428 429 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 430 struct rsa_public_key *key, 431 const uint8_t *label __unused, 432 size_t label_len __unused, 433 const uint8_t *src, size_t src_len, 434 uint8_t *dst, size_t *dst_len) 435 { 436 TEE_Result res = TEE_SUCCESS; 437 int lmd_res = 0; 438 int lmd_padding = 0; 439 size_t mod_size = 0; 440 mbedtls_rsa_context rsa; 441 const mbedtls_pk_info_t *pk_info = NULL; 442 uint32_t md_algo = MBEDTLS_MD_NONE; 443 444 memset(&rsa, 0, sizeof(rsa)); 445 mbedtls_rsa_init(&rsa, 0, 0); 446 447 rsa.E = *(mbedtls_mpi *)key->e; 448 rsa.N = *(mbedtls_mpi *)key->n; 449 450 mod_size = crypto_bignum_num_bytes(key->n); 451 if (*dst_len < mod_size) { 452 *dst_len = mod_size; 453 res = TEE_ERROR_SHORT_BUFFER; 454 goto out; 455 } 456 *dst_len = mod_size; 457 rsa.len = mod_size; 458 459 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 460 lmd_padding = MBEDTLS_RSA_PKCS_V15; 461 else 462 lmd_padding = MBEDTLS_RSA_PKCS_V21; 463 464 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 465 if (!pk_info) { 466 res = TEE_ERROR_NOT_SUPPORTED; 467 goto out; 468 } 469 470 /* 471 * TEE_ALG_RSAES_PKCS1_V1_5 is invalid in hash. But its hash algo will 472 * not be used in rsa, so skip it here. 473 */ 474 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 475 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 476 if (md_algo == MBEDTLS_MD_NONE) { 477 res = TEE_ERROR_NOT_SUPPORTED; 478 goto out; 479 } 480 } 481 482 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 483 484 lmd_res = pk_info->encrypt_func(&rsa, src, src_len, dst, dst_len, 485 *dst_len, mbd_rand, NULL); 486 if (lmd_res != 0) { 487 FMSG("encrypt_func() returned 0x%x", -lmd_res); 488 res = get_tee_result(lmd_res); 489 goto out; 490 } 491 res = TEE_SUCCESS; 492 out: 493 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 494 mbedtls_mpi_init(&rsa.E); 495 mbedtls_mpi_init(&rsa.N); 496 mbedtls_rsa_free(&rsa); 497 return res; 498 } 499 500 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 501 int salt_len __unused, const uint8_t *msg, 502 size_t msg_len, uint8_t *sig, 503 size_t *sig_len) 504 { 505 TEE_Result res = TEE_SUCCESS; 506 int lmd_res = 0; 507 int lmd_padding = 0; 508 size_t mod_size = 0; 509 size_t hash_size = 0; 510 mbedtls_rsa_context rsa; 511 const mbedtls_pk_info_t *pk_info = NULL; 512 uint32_t md_algo = 0; 513 514 memset(&rsa, 0, sizeof(rsa)); 515 rsa_init_from_key_pair(&rsa, key); 516 517 switch (algo) { 518 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 519 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 520 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 521 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 522 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 523 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 524 lmd_padding = MBEDTLS_RSA_PKCS_V15; 525 break; 526 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 527 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 528 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 529 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 530 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 531 lmd_padding = MBEDTLS_RSA_PKCS_V21; 532 break; 533 default: 534 res = TEE_ERROR_BAD_PARAMETERS; 535 goto err; 536 } 537 538 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 539 &hash_size); 540 if (res != TEE_SUCCESS) 541 goto err; 542 543 if (msg_len != hash_size) { 544 res = TEE_ERROR_BAD_PARAMETERS; 545 goto err; 546 } 547 548 mod_size = crypto_bignum_num_bytes(key->n); 549 if (*sig_len < mod_size) { 550 *sig_len = mod_size; 551 res = TEE_ERROR_SHORT_BUFFER; 552 goto err; 553 } 554 rsa.len = mod_size; 555 556 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 557 if (md_algo == MBEDTLS_MD_NONE) { 558 res = TEE_ERROR_NOT_SUPPORTED; 559 goto err; 560 } 561 562 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 563 if (!pk_info) { 564 res = TEE_ERROR_NOT_SUPPORTED; 565 goto err; 566 } 567 568 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 569 570 if (lmd_padding == MBEDTLS_RSA_PKCS_V15) 571 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 572 sig_len, NULL, NULL); 573 else 574 lmd_res = pk_info->sign_func(&rsa, md_algo, msg, msg_len, sig, 575 sig_len, mbd_rand, NULL); 576 if (lmd_res != 0) { 577 FMSG("sign_func failed, returned 0x%x", -lmd_res); 578 res = get_tee_result(lmd_res); 579 goto err; 580 } 581 res = TEE_SUCCESS; 582 err: 583 mbd_rsa_free(&rsa); 584 return res; 585 } 586 587 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 588 struct rsa_public_key *key, 589 int salt_len __unused, 590 const uint8_t *msg, 591 size_t msg_len, const uint8_t *sig, 592 size_t sig_len) 593 { 594 TEE_Result res = TEE_SUCCESS; 595 int lmd_res = 0; 596 int lmd_padding = 0; 597 size_t hash_size = 0; 598 size_t bigint_size = 0; 599 mbedtls_rsa_context rsa; 600 const mbedtls_pk_info_t *pk_info = NULL; 601 uint32_t md_algo = 0; 602 603 memset(&rsa, 0, sizeof(rsa)); 604 mbedtls_rsa_init(&rsa, 0, 0); 605 606 rsa.E = *(mbedtls_mpi *)key->e; 607 rsa.N = *(mbedtls_mpi *)key->n; 608 609 res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 610 &hash_size); 611 if (res != TEE_SUCCESS) 612 goto err; 613 614 if (msg_len != hash_size) { 615 res = TEE_ERROR_BAD_PARAMETERS; 616 goto err; 617 } 618 619 bigint_size = crypto_bignum_num_bytes(key->n); 620 if (sig_len < bigint_size) { 621 res = TEE_ERROR_MAC_INVALID; 622 goto err; 623 } 624 625 rsa.len = bigint_size; 626 627 switch (algo) { 628 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 629 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 630 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 631 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 632 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 633 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 634 lmd_padding = MBEDTLS_RSA_PKCS_V15; 635 break; 636 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 637 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 638 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 639 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 640 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 641 lmd_padding = MBEDTLS_RSA_PKCS_V21; 642 break; 643 default: 644 res = TEE_ERROR_BAD_PARAMETERS; 645 goto err; 646 } 647 648 md_algo = tee_algo_to_mbedtls_hash_algo(algo); 649 if (md_algo == MBEDTLS_MD_NONE) { 650 res = TEE_ERROR_NOT_SUPPORTED; 651 goto err; 652 } 653 654 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 655 if (!pk_info) { 656 res = TEE_ERROR_NOT_SUPPORTED; 657 goto err; 658 } 659 660 mbedtls_rsa_set_padding(&rsa, lmd_padding, md_algo); 661 662 lmd_res = pk_info->verify_func(&rsa, md_algo, msg, msg_len, 663 sig, sig_len); 664 if (lmd_res != 0) { 665 FMSG("verify_func failed, returned 0x%x", -lmd_res); 666 res = TEE_ERROR_SIGNATURE_INVALID; 667 goto err; 668 } 669 res = TEE_SUCCESS; 670 err: 671 /* Reset mpi to skip freeing here, those mpis will be freed with key */ 672 mbedtls_mpi_init(&rsa.E); 673 mbedtls_mpi_init(&rsa.N); 674 mbedtls_rsa_free(&rsa); 675 return res; 676 } 677