1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright 2018-2020 NXP
4 *
5 * RSA Signature Software common implementation.
6 * Functions preparing and/or verifying the signature
7 * encoded string.
8 *
9 * PKCS #1 v2.1: RSA Cryptography Standard
10 * https://www.ietf.org/rfc/rfc3447.txt
11 */
12 #include <crypto/crypto.h>
13 #include <drvcrypt.h>
14 #include <drvcrypt_asn1_oid.h>
15 #include <drvcrypt_math.h>
16 #include <malloc.h>
17 #include <string.h>
18 #include <tee_api_defines_extensions.h>
19 #include <tee/tee_cryp_utl.h>
20 #include <utee_defines.h>
21 #include <util.h>
22
23 #include "local.h"
24
25 /*
26 * PKCS#1 V1.5 - Encode the message in Distinguished Encoding Rules
27 * (DER) format.
28 * Refer to EMSA-PKCS1-v1_5 chapter of the PKCS#1 v2.1
29 *
30 * @ssa_data RSA data to encode
31 * @EM [out] Encoded Message
32 */
emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa * ssa_data,struct drvcrypt_buf * EM)33 static TEE_Result emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa *ssa_data,
34 struct drvcrypt_buf *EM)
35 {
36 const struct drvcrypt_oid *hash_oid = NULL;
37 size_t ps_size = 0;
38 uint8_t *buf = NULL;
39
40 hash_oid = drvcrypt_get_alg_hash_oid(ssa_data->hash_algo);
41 if (!hash_oid)
42 return TEE_ERROR_NOT_SUPPORTED;
43
44 /*
45 * Calculate the PS size
46 * EM Size (modulus size) - 3 bytes - DigestInfo DER format size
47 */
48 ps_size = ssa_data->key.n_size - 3;
49 ps_size -= ssa_data->digest_size;
50 ps_size -= 10 + hash_oid->asn1_length;
51
52 CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size);
53
54 /*
55 * EM = 0x00 || 0x01 || PS || 0x00 || T
56 *
57 * where T represent the message DigestInfo in DER:
58 * DigestInfo ::= SEQUENCE {
59 * digestAlgorithm AlgorithmIdentifier,
60 * digest OCTET STRING
61 * }
62 *
63 * T Length = digest length + oid length
64 * EM Length = T Length + 11 + PS Length
65 */
66 buf = EM->data;
67
68 /* Set the EM first byte to 0x00 */
69 *buf++ = 0x00;
70
71 /* Set the EM second byte to 0x01 */
72 *buf++ = 0x01;
73
74 /* Fill PS with 0xFF */
75 memset(buf, UINT8_MAX, ps_size);
76 buf += ps_size;
77
78 /* Set the Byte after PS to 0x00 */
79 *buf++ = 0x00;
80
81 /*
82 * Create the DigestInfo DER Sequence
83 *
84 * DigestInfo ::= SEQUENCE {
85 * digestAlgorithm AlgorithmIdentifier,
86 * digest OCTET STRING
87 * }
88 *
89 */
90 /* SEQUENCE { */
91 *buf++ = DRVCRYPT_ASN1_SEQUENCE | DRVCRYPT_ASN1_CONSTRUCTED;
92 *buf++ = 0x08 + hash_oid->asn1_length + ssa_data->digest_size;
93
94 /* digestAlgorithm AlgorithmIdentifier */
95 *buf++ = DRVCRYPT_ASN1_SEQUENCE | DRVCRYPT_ASN1_CONSTRUCTED;
96 *buf++ = 0x04 + hash_oid->asn1_length;
97 *buf++ = DRVCRYPT_ASN1_OID;
98 *buf++ = hash_oid->asn1_length;
99
100 /* digest OCTET STRING */
101 memcpy(buf, hash_oid->asn1, hash_oid->asn1_length);
102 buf += hash_oid->asn1_length;
103 *buf++ = DRVCRYPT_ASN1_NULL;
104 *buf++ = 0x00;
105 *buf++ = DRVCRYPT_ASN1_OCTET_STRING;
106 *buf++ = ssa_data->digest_size;
107 /* } */
108
109 memcpy(buf, ssa_data->message.data, ssa_data->digest_size);
110
111 CRYPTO_DUMPBUF("Encoded Message", EM->data, (size_t)EM->length);
112
113 return TEE_SUCCESS;
114 }
115
116 /*
117 * PKCS#1 V1.5 - Encode the message in Distinguished Encoding Rules
118 * (DER) format.
119 * Refer to EMSA-PKCS1-v1_5 chapter of the PKCS#1 v2.1
120 *
121 * @ssa_data RSA data to encode
122 * @EM [out] Encoded Message
123 */
124 static TEE_Result
emsa_pkcs1_v1_5_encode_noasn1(struct drvcrypt_rsa_ssa * ssa_data,struct drvcrypt_buf * EM)125 emsa_pkcs1_v1_5_encode_noasn1(struct drvcrypt_rsa_ssa *ssa_data,
126 struct drvcrypt_buf *EM)
127 {
128 size_t ps_size = 0;
129 uint8_t *buf = NULL;
130
131 /*
132 * Calculate the PS size
133 * EM Size (modulus size) - 3 bytes - Message Length
134 */
135 ps_size = ssa_data->key.n_size - 3;
136
137 if (ps_size < ssa_data->message.length)
138 return TEE_ERROR_BAD_PARAMETERS;
139
140 ps_size -= ssa_data->message.length;
141
142 CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size);
143
144 /*
145 * EM = 0x00 || 0x01 || PS || 0x00 || T
146 *
147 * T Length = message length
148 * EM Length = T Length + PS Length
149 */
150 buf = EM->data;
151
152 /* Set the EM first byte to 0x00 */
153 *buf++ = 0x00;
154
155 /* Set the EM second byte to 0x01 */
156 *buf++ = 0x01;
157
158 /* Fill PS with 0xFF */
159 memset(buf, UINT8_MAX, ps_size);
160 buf += ps_size;
161
162 /* Set the Byte after PS to 0x00 */
163 *buf++ = 0x00;
164
165 memcpy(buf, ssa_data->message.data, ssa_data->message.length);
166
167 CRYPTO_DUMPBUF("Encoded Message", EM->data, EM->length);
168
169 return TEE_SUCCESS;
170 }
171
172 /*
173 * PKCS#1 V1.5 - Signature of RSA message and encodes the signature.
174 * Refer to RSASSA-PKCS1-v1_5 chapter of the PKCS#1 v2.1
175 *
176 * @ssa_data [in/out] RSA data to sign / Signature
177 */
rsassa_pkcs1_v1_5_sign(struct drvcrypt_rsa_ssa * ssa_data)178 static TEE_Result rsassa_pkcs1_v1_5_sign(struct drvcrypt_rsa_ssa *ssa_data)
179 {
180 TEE_Result ret = TEE_ERROR_BAD_PARAMETERS;
181 struct drvcrypt_buf EM = { };
182 struct drvcrypt_rsa_ed rsa_data = { };
183 struct drvcrypt_rsa *rsa = NULL;
184
185 EM.length = ssa_data->key.n_size;
186 EM.data = malloc(EM.length);
187 if (!EM.data)
188 return TEE_ERROR_OUT_OF_MEMORY;
189
190 /* Encode the Message */
191 if (ssa_data->algo != TEE_ALG_RSASSA_PKCS1_V1_5)
192 ret = emsa_pkcs1_v1_5_encode(ssa_data, &EM);
193 else
194 ret = emsa_pkcs1_v1_5_encode_noasn1(ssa_data, &EM);
195
196 if (ret != TEE_SUCCESS)
197 goto out;
198
199 /*
200 * RSA Encrypt/Decrypt are doing the same operation except
201 * that decrypt takes a RSA Private key in parameter
202 */
203 rsa_data.key.key = ssa_data->key.key;
204 rsa_data.key.isprivate = true;
205 rsa_data.key.n_size = ssa_data->key.n_size;
206
207 rsa = drvcrypt_get_ops(CRYPTO_RSA);
208 if (!rsa) {
209 ret = TEE_ERROR_NOT_IMPLEMENTED;
210 goto out;
211 }
212
213 /* Prepare the decryption data parameters */
214 rsa_data.rsa_id = DRVCRYPT_RSASSA_PKCS_V1_5;
215 rsa_data.message.data = ssa_data->signature.data;
216 rsa_data.message.length = ssa_data->signature.length;
217 rsa_data.cipher.data = EM.data;
218 rsa_data.cipher.length = EM.length;
219
220 ret = rsa->decrypt(&rsa_data);
221
222 /* Set the message decrypted size */
223 ssa_data->signature.length = rsa_data.message.length;
224
225 out:
226 free(EM.data);
227
228 return ret;
229 }
230
231 /*
232 * PKCS#1 V1.5 - Verification of the RSA message's signature.
233 * Refer to RSASSA-PKCS1-v1_5 chapter of the PKCS#1 v2.1
234 *
235 * @ssa_data [int/out] RSA data signed and encoded signature
236 */
rsassa_pkcs1_v1_5_verify(struct drvcrypt_rsa_ssa * ssa_data)237 static TEE_Result rsassa_pkcs1_v1_5_verify(struct drvcrypt_rsa_ssa *ssa_data)
238 {
239 TEE_Result ret = TEE_ERROR_BAD_PARAMETERS;
240 struct drvcrypt_buf EM = { };
241 struct drvcrypt_buf EM_gen = { };
242 struct drvcrypt_rsa_ed rsa_data = { };
243 struct drvcrypt_rsa *rsa = NULL;
244
245 EM.length = ssa_data->key.n_size;
246 EM.data = malloc(EM.length);
247
248 EM_gen.length = ssa_data->key.n_size;
249 EM_gen.data = malloc(EM.length);
250
251 if (!EM.data || !EM_gen.data) {
252 ret = TEE_ERROR_OUT_OF_MEMORY;
253 goto end_verify;
254 }
255
256 /*
257 * RSA Encrypt/Decrypt are doing the same operation except
258 * that the encrypt takes a RSA Public key in parameter
259 */
260 rsa_data.key.key = ssa_data->key.key;
261 rsa_data.key.isprivate = false;
262 rsa_data.key.n_size = ssa_data->key.n_size;
263
264 rsa = drvcrypt_get_ops(CRYPTO_RSA);
265 if (rsa) {
266 /* Prepare the encryption data parameters */
267 rsa_data.rsa_id = DRVCRYPT_RSASSA_PKCS_V1_5;
268 rsa_data.message.data = ssa_data->signature.data;
269 rsa_data.message.length = ssa_data->signature.length;
270 rsa_data.cipher.data = EM.data;
271 rsa_data.cipher.length = EM.length;
272
273 ret = rsa->encrypt(&rsa_data);
274
275 /* Set the cipher size */
276 EM.length = rsa_data.cipher.length;
277 } else {
278 ret = TEE_ERROR_NOT_IMPLEMENTED;
279 }
280
281 if (ret != TEE_SUCCESS)
282 goto end_verify;
283
284 /* Encode the Message */
285 if (ssa_data->algo != TEE_ALG_RSASSA_PKCS1_V1_5)
286 ret = emsa_pkcs1_v1_5_encode(ssa_data, &EM_gen);
287 else
288 ret = emsa_pkcs1_v1_5_encode_noasn1(ssa_data, &EM_gen);
289
290 if (ret != TEE_SUCCESS)
291 goto end_verify;
292
293 /* Check if EM decrypted and EM re-generated are identical */
294 ret = TEE_ERROR_SIGNATURE_INVALID;
295 if (EM.length == EM_gen.length) {
296 if (!memcmp(EM.data, EM_gen.data, EM.length))
297 ret = TEE_SUCCESS;
298 }
299
300 end_verify:
301 free(EM.data);
302 free(EM_gen.data);
303
304 return ret;
305 }
306
307 /*
308 * PSS - Encode the message using a Probabilistic Signature Scheme (PSS)
309 * Refer to EMSA-PSS (encoding) chapter of the PKCS#1 v2.1
310 *
311 * @ssa_data RSA data to encode
312 * @emBits EM size in bits
313 * @EM [out] Encoded Message
314 */
emsa_pss_encode(struct drvcrypt_rsa_ssa * ssa_data,size_t emBits,struct drvcrypt_buf * EM)315 static TEE_Result emsa_pss_encode(struct drvcrypt_rsa_ssa *ssa_data,
316 size_t emBits, struct drvcrypt_buf *EM)
317 {
318 TEE_Result ret = TEE_ERROR_GENERIC;
319 struct drvcrypt_rsa_mgf mgf_data = { };
320 struct drvcrypt_buf hash = { };
321 struct drvcrypt_buf dbMask = { };
322 struct drvcrypt_buf DB = { };
323 size_t db_size = 0;
324 size_t ps_size = 0;
325 size_t msg_size = 0;
326 uint8_t *buf = NULL;
327 uint8_t *msg_db = NULL;
328 uint8_t *salt = NULL;
329 struct drvcrypt_mod_op mod_op = { };
330
331 /*
332 * Build EM = maskedDB || H || 0xbc
333 *
334 * where
335 * maskedDB = DB xor dbMask
336 * DB = PS || 0x01 || salt
337 * dbMask = MGF(H, emLen - hLen - 1)
338 *
339 * H = Hash(M')
340 * M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt
341 *
342 * PS size = emLen - sLen - hLen - 2 (may be = 0)
343 */
344
345 /*
346 * Calculate the M' and DB size to allocate a temporary buffer
347 * used for both object
348 */
349 ps_size = EM->length - ssa_data->digest_size - ssa_data->salt_len - 2;
350 db_size = EM->length - ssa_data->digest_size - 1;
351 msg_size = 8 + ssa_data->digest_size + ssa_data->salt_len;
352
353 CRYPTO_TRACE("PS Len = %zu, DB Len = %zu, M' Len = %zu", ps_size,
354 db_size, msg_size);
355
356 msg_db = malloc(MAX(db_size, msg_size));
357 if (!msg_db)
358 return TEE_ERROR_OUT_OF_MEMORY;
359
360 if (ssa_data->salt_len) {
361 salt = malloc(ssa_data->salt_len);
362
363 if (!salt) {
364 ret = TEE_ERROR_OUT_OF_MEMORY;
365 goto end_pss_encode;
366 }
367 }
368
369 /*
370 * Step 4 and 5
371 * Generate the M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt
372 *
373 * where
374 * mHash is the input message (already hash)
375 * salt is a random number of salt_len (input data) can be empty
376 */
377 buf = msg_db;
378
379 memset(buf, 0, 8);
380 buf += 8;
381
382 memcpy(buf, ssa_data->message.data, ssa_data->message.length);
383 buf += ssa_data->message.length;
384
385 /* Get salt random number if salt length not 0 */
386 if (ssa_data->salt_len) {
387 ret = crypto_rng_read(salt, ssa_data->salt_len);
388 CRYPTO_TRACE("Get salt of %zu bytes (ret = 0x%08" PRIx32 ")",
389 ssa_data->salt_len, ret);
390 if (ret != TEE_SUCCESS)
391 goto end_pss_encode;
392
393 memcpy(buf, salt, ssa_data->salt_len);
394 }
395
396 /*
397 * Step 6
398 * Hash the M' generated new message
399 * H = hash(M')
400 */
401 hash.data = &EM->data[db_size];
402 hash.length = ssa_data->digest_size;
403
404 ret = tee_hash_createdigest(ssa_data->hash_algo, msg_db, msg_size,
405 hash.data, hash.length);
406
407 CRYPTO_TRACE("H = hash(M') returned 0x%08" PRIx32, ret);
408 if (ret != TEE_SUCCESS)
409 goto end_pss_encode;
410
411 CRYPTO_DUMPBUF("H = hash(M')", hash.data, hash.length);
412
413 /*
414 * Step 7 and 8
415 * DB = PS || 0x01 || salt
416 */
417 buf = msg_db;
418 if (ps_size)
419 memset(buf, 0, ps_size);
420 buf += ps_size;
421 *buf++ = 0x01;
422
423 if (ssa_data->salt_len)
424 memcpy(buf, salt, ssa_data->salt_len);
425
426 DB.data = msg_db;
427 DB.length = db_size;
428
429 CRYPTO_DUMPBUF("DB", DB.data, DB.length);
430
431 /*
432 * Step 9
433 * Generate a Mask of the seed value
434 * dbMask = MGF(H, emLen - hLen - 1)
435 *
436 * Note: Will use the same buffer for the dbMask and maskedDB
437 * maskedDB is in the EM output
438 */
439 dbMask.data = EM->data;
440 dbMask.length = db_size;
441
442 mgf_data.hash_algo = ssa_data->hash_algo;
443 mgf_data.digest_size = ssa_data->digest_size;
444 mgf_data.seed.data = hash.data;
445 mgf_data.seed.length = hash.length;
446 mgf_data.mask.data = dbMask.data;
447 mgf_data.mask.length = dbMask.length;
448 ret = ssa_data->mgf(&mgf_data);
449
450 CRYPTO_TRACE("dbMask = MGF(H, emLen - hLen - 1) returned 0x%08" PRIx32,
451 ret);
452 if (ret != TEE_SUCCESS)
453 goto end_pss_encode;
454
455 CRYPTO_DUMPBUF("dbMask", dbMask.data, dbMask.length);
456
457 /*
458 * Step 10
459 * maskedDB = DB xor dbMask
460 */
461 mod_op.n.length = dbMask.length;
462 mod_op.a.data = DB.data;
463 mod_op.a.length = DB.length;
464 mod_op.b.data = dbMask.data;
465 mod_op.b.length = dbMask.length;
466 mod_op.result.data = dbMask.data;
467 mod_op.result.length = dbMask.length;
468
469 ret = drvcrypt_xor_mod_n(&mod_op);
470 CRYPTO_TRACE("maskedDB = DB xor dbMask returned 0x%08" PRIx32, ret);
471 if (ret != TEE_SUCCESS)
472 goto end_pss_encode;
473
474 CRYPTO_DUMPBUF("maskedDB", dbMask.data, dbMask.length);
475
476 /*
477 * Step 11
478 * Set the leftmost 8emLen - emBits of the leftmost octet
479 * in maskedDB to 0'
480 */
481 EM->data[0] &= (UINT8_MAX >> ((EM->length * 8) - emBits));
482
483 /*
484 * Step 12
485 * EM = maskedDB || H || 0xbc
486 */
487 EM->data[EM->length - 1] = 0xbc;
488
489 CRYPTO_DUMPBUF("EM", EM->data, EM->length);
490
491 ret = TEE_SUCCESS;
492 end_pss_encode:
493 free(msg_db);
494 free(salt);
495
496 return ret;
497 }
498
499 /*
500 * PSS - Verify the message using a Probabilistic Signature Scheme (PSS)
501 * Refer to EMSA-PSS (verification) chapter of the PKCS#1 v2.1
502 *
503 * @ssa_data RSA data to encode
504 * @emBits EM size in bits
505 * @EM [out] Encoded Message
506 */
emsa_pss_verify(struct drvcrypt_rsa_ssa * ssa_data,size_t emBits,struct drvcrypt_buf * EM)507 static TEE_Result emsa_pss_verify(struct drvcrypt_rsa_ssa *ssa_data,
508 size_t emBits, struct drvcrypt_buf *EM)
509 {
510 TEE_Result ret = TEE_ERROR_GENERIC;
511 struct drvcrypt_rsa_mgf mgf_data = { };
512 struct drvcrypt_buf hash = { };
513 struct drvcrypt_buf hash_gen = { };
514 size_t db_size = 0;
515 size_t ps_size = 0;
516 size_t msg_size = 0;
517 uint8_t *msg_db = NULL;
518 uint8_t *salt = NULL;
519 uint8_t *buf = NULL;
520 struct drvcrypt_mod_op mod_op = { };
521
522 /*
523 * EM = maskedDB || H || 0xbc
524 *
525 * where
526 * maskedDB = DB xor dbMask
527 * DB = PS || 0x01 || salt
528 * dbMask = MGF(H, emLen - hLen - 1)
529 *
530 * H = Hash(M')
531 * M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt
532 *
533 * PS size = emLen - sLen - hLen - 2 (may be = 0)
534 */
535
536 /*
537 * Calculate the M' and DB size to allocate a temporary buffer
538 * used for both object
539 */
540 ps_size = EM->length - ssa_data->digest_size - ssa_data->salt_len - 2;
541 db_size = EM->length - ssa_data->digest_size - 1;
542 msg_size = 8 + ssa_data->digest_size + ssa_data->salt_len;
543
544 CRYPTO_TRACE("PS Len = %zu, DB Len = %zu, M' Len = %zu", ps_size,
545 db_size, msg_size);
546
547 msg_db = malloc(MAX(db_size, msg_size));
548 if (!msg_db)
549 return TEE_ERROR_OUT_OF_MEMORY;
550
551 /*
552 * Step 4
553 * Check if rightmost octet of EM is 0xbc
554 */
555 if (EM->data[EM->length - 1] != 0xbc) {
556 CRYPTO_TRACE("rigthmost octet != 0xbc (0x%" PRIX8 ")",
557 EM->data[EM->length - 1]);
558 ret = TEE_ERROR_SIGNATURE_INVALID;
559 goto end_pss_verify;
560 }
561
562 /*
563 * Step 6
564 * Check if the leftmost 8emLen - emBits of the leftmost octet
565 * in maskedDB are 0's
566 */
567 if (EM->data[0] & ~(UINT8_MAX >> (EM->length * 8 - emBits))) {
568 CRYPTO_TRACE("Error leftmost octet maskedDB not 0's");
569 CRYPTO_TRACE("EM[0] = 0x%" PRIX8
570 " - EM Len = %zu, emBits = %zu",
571 EM->data[0], EM->length, emBits);
572 ret = TEE_ERROR_SIGNATURE_INVALID;
573 goto end_pss_verify;
574 }
575
576 hash.data = &EM->data[db_size];
577 hash.length = ssa_data->digest_size;
578
579 /*
580 * Step 7
581 * dbMask = MGF(H, emLen - hLen - 1)
582 *
583 * Note: Will use the same buffer for the dbMask and DB
584 */
585 mgf_data.hash_algo = ssa_data->hash_algo;
586 mgf_data.digest_size = ssa_data->digest_size;
587 mgf_data.seed.data = hash.data;
588 mgf_data.seed.length = hash.length;
589 mgf_data.mask.data = msg_db;
590 mgf_data.mask.length = db_size;
591 ret = ssa_data->mgf(&mgf_data);
592
593 CRYPTO_TRACE("dbMask = MGF(H, emLen - hLen - 1) returned 0x%08" PRIx32,
594 ret);
595 if (ret != TEE_SUCCESS)
596 goto end_pss_verify;
597
598 CRYPTO_DUMPBUF("dbMask", msg_db, db_size);
599
600 /*
601 * Step 8
602 * DB = maskedDB xor dbMask
603 *
604 *
605 * Note: maskedDB is in the EM input
606 */
607 mod_op.n.length = db_size;
608 mod_op.a.data = EM->data;
609 mod_op.a.length = db_size;
610 mod_op.b.data = msg_db;
611 mod_op.b.length = db_size;
612 mod_op.result.data = msg_db;
613 mod_op.result.length = db_size;
614
615 ret = drvcrypt_xor_mod_n(&mod_op);
616 CRYPTO_TRACE("DB = maskedDB xor dbMask returned 0x%08" PRIx32, ret);
617 if (ret != TEE_SUCCESS)
618 goto end_pss_verify;
619
620 /*
621 * Step 9
622 * Set the leftmost 8emLen - emBits of the leftmost octet in
623 * DB to zero
624 */
625 *msg_db &= UINT8_MAX >> (EM->length * 8 - emBits);
626
627 CRYPTO_DUMPBUF("DB", msg_db, db_size);
628
629 /*
630 * Step 10
631 * Expected to have
632 * DB = PS || 0x01 || salt
633 *
634 * PS must be 0
635 * PS size = emLen - sLen - hLen - 2 (may be = 0)
636 */
637 buf = msg_db;
638 while (buf < msg_db + ps_size) {
639 if (*buf++ != 0) {
640 ret = TEE_ERROR_SIGNATURE_INVALID;
641 goto end_pss_verify;
642 }
643 }
644
645 if (*buf++ != 0x01) {
646 ret = TEE_ERROR_SIGNATURE_INVALID;
647 goto end_pss_verify;
648 }
649
650 /*
651 * Step 11
652 * Get the salt value
653 */
654 if (ssa_data->salt_len) {
655 salt = malloc(ssa_data->salt_len);
656 if (!salt) {
657 ret = TEE_ERROR_OUT_OF_MEMORY;
658 goto end_pss_verify;
659 }
660
661 memcpy(salt, buf, ssa_data->salt_len);
662 }
663
664 /*
665 * Step 12
666 * Generate the M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt
667 *
668 * where
669 * mHash is the input message (already hash)
670 * salt is a random number of salt_len (input data) can be empty
671 */
672 buf = msg_db;
673
674 memset(buf, 0, 8);
675 buf += 8;
676
677 memcpy(buf, ssa_data->message.data, ssa_data->message.length);
678 buf += ssa_data->message.length;
679
680 if (ssa_data->salt_len)
681 memcpy(buf, salt, ssa_data->salt_len);
682
683 /*
684 * Step 13
685 * Hash the M' generated new message
686 * H' = hash(M')
687 *
688 * Note: reuse the msg_db buffer as Hash result
689 */
690 hash_gen.data = msg_db;
691 hash_gen.length = ssa_data->digest_size;
692
693 ret = tee_hash_createdigest(ssa_data->hash_algo, msg_db, msg_size,
694 hash_gen.data, hash_gen.length);
695
696 CRYPTO_TRACE("H' = hash(M') returned 0x%08" PRIx32, ret);
697 if (ret != TEE_SUCCESS)
698 goto end_pss_verify;
699
700 CRYPTO_DUMPBUF("H' = hash(M')", hash_gen.data, hash_gen.length);
701
702 /*
703 * Step 14
704 * Compare H and H'
705 */
706 ret = TEE_ERROR_SIGNATURE_INVALID;
707 if (!memcmp(hash_gen.data, hash.data, hash_gen.length))
708 ret = TEE_SUCCESS;
709
710 end_pss_verify:
711 free(msg_db);
712 free(salt);
713
714 return ret;
715 }
716
717 /*
718 * PSS - Signature of RSA message and encodes the signature.
719 * Refer to RSASSA-PSS chapter of the PKCS#1 v2.1
720 *
721 * @ssa_data [in/out] RSA data to sign / Signature
722 */
rsassa_pss_sign(struct drvcrypt_rsa_ssa * ssa_data)723 static TEE_Result rsassa_pss_sign(struct drvcrypt_rsa_ssa *ssa_data)
724 {
725 TEE_Result ret = TEE_ERROR_GENERIC;
726 struct rsa_keypair *key = NULL;
727 struct drvcrypt_buf EM = { };
728 size_t modBits = 0;
729 struct drvcrypt_rsa_ed rsa_data = { };
730 struct drvcrypt_rsa *rsa = NULL;
731
732 key = ssa_data->key.key;
733
734 /* Get modulus length in bits */
735 modBits = crypto_bignum_num_bits(key->n);
736 if (modBits <= 0)
737 return TEE_ERROR_BAD_PARAMETERS;
738
739 /*
740 * EM Length = (modBits - 1) / 8
741 * if (modBits - 1) is not divisible by 8, one more byte is needed
742 */
743 modBits--;
744 EM.length = ROUNDUP(modBits, 8) / 8;
745
746 EM.data = malloc(EM.length);
747 if (!EM.data)
748 return TEE_ERROR_OUT_OF_MEMORY;
749
750 CRYPTO_TRACE("modBits = %zu, hence EM Length = %zu", modBits + 1,
751 EM.length);
752
753 /* Encode the Message */
754 ret = emsa_pss_encode(ssa_data, modBits, &EM);
755 CRYPTO_TRACE("EMSA PSS Encode returned 0x%08" PRIx32, ret);
756
757 /*
758 * RSA Encrypt/Decrypt are doing the same operation
759 * expect that the decrypt takes a RSA Private key in parameter
760 */
761 if (ret == TEE_SUCCESS) {
762 rsa_data.key.key = ssa_data->key.key;
763 rsa_data.key.isprivate = true;
764 rsa_data.key.n_size = ssa_data->key.n_size;
765
766 rsa = drvcrypt_get_ops(CRYPTO_RSA);
767 if (rsa) {
768 /* Prepare the decryption data parameters */
769 rsa_data.rsa_id = DRVCRYPT_RSASSA_PSS;
770 rsa_data.message.data = ssa_data->signature.data;
771 rsa_data.message.length = ssa_data->signature.length;
772 rsa_data.cipher.data = EM.data;
773 rsa_data.cipher.length = EM.length;
774
775 ret = rsa->decrypt(&rsa_data);
776
777 /* Set the message decrypted size */
778 ssa_data->signature.length = rsa_data.message.length;
779 } else {
780 ret = TEE_ERROR_NOT_IMPLEMENTED;
781 }
782 }
783 free(EM.data);
784
785 return ret;
786 }
787
788 /*
789 * PSS - Signature verification of RSA message.
790 * Refer to RSASSA-PSS chapter of the PKCS#1 v2.1
791 *
792 * @ssa_data [in/out] RSA Signature vs. message to verify
793 */
rsassa_pss_verify(struct drvcrypt_rsa_ssa * ssa_data)794 static TEE_Result rsassa_pss_verify(struct drvcrypt_rsa_ssa *ssa_data)
795 {
796 TEE_Result ret = TEE_ERROR_GENERIC;
797 struct rsa_public_key *key = NULL;
798 struct drvcrypt_buf EM = { };
799 size_t modBits = 0;
800 struct drvcrypt_rsa_ed rsa_data = { };
801 struct drvcrypt_rsa *rsa = NULL;
802
803 key = ssa_data->key.key;
804
805 /* Get modulus length in bits */
806 modBits = crypto_bignum_num_bits(key->n);
807 if (modBits <= 0)
808 return TEE_ERROR_BAD_PARAMETERS;
809
810 /*
811 * EM Length = (modBits - 1) / 8
812 * if (modBits - 1) is not divisible by 8, one more byte is needed
813 */
814 modBits--;
815 EM.length = ROUNDUP(modBits, 8) / 8;
816
817 EM.data = malloc(EM.length);
818 if (!EM.data)
819 return TEE_ERROR_OUT_OF_MEMORY;
820
821 CRYPTO_TRACE("modBits = %zu, hence EM Length = %zu", modBits + 1,
822 EM.length);
823
824 /*
825 * RSA Encrypt/Decrypt are doing the same operation
826 * expect that the encrypt takes a RSA Public key in parameter
827 */
828 rsa_data.key.key = ssa_data->key.key;
829 rsa_data.key.isprivate = false;
830 rsa_data.key.n_size = ssa_data->key.n_size;
831
832 rsa = drvcrypt_get_ops(CRYPTO_RSA);
833 if (rsa) {
834 /* Prepare the encryption data parameters */
835 rsa_data.rsa_id = DRVCRYPT_RSASSA_PSS;
836 rsa_data.message.data = ssa_data->signature.data;
837 rsa_data.message.length = ssa_data->signature.length;
838 rsa_data.cipher.data = EM.data;
839 rsa_data.cipher.length = EM.length;
840
841 ret = rsa->encrypt(&rsa_data);
842
843 /* Set the cipher size */
844 EM.length = rsa_data.cipher.length;
845 } else {
846 ret = TEE_ERROR_NOT_IMPLEMENTED;
847 goto end_pss_verify;
848 }
849
850 if (ret == TEE_SUCCESS) {
851 /* Verify the Message */
852 ret = emsa_pss_verify(ssa_data, modBits, &EM);
853 CRYPTO_TRACE("EMSA PSS Verify returned 0x%08" PRIx32, ret);
854 } else {
855 CRYPTO_TRACE("RSA NO PAD returned 0x%08" PRIx32, ret);
856 ret = TEE_ERROR_SIGNATURE_INVALID;
857 }
858
859 end_pss_verify:
860 free(EM.data);
861
862 return ret;
863 }
864
drvcrypt_rsassa_sign(struct drvcrypt_rsa_ssa * ssa_data)865 TEE_Result drvcrypt_rsassa_sign(struct drvcrypt_rsa_ssa *ssa_data)
866 {
867 switch (ssa_data->algo) {
868 case TEE_ALG_RSASSA_PKCS1_V1_5:
869 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
870 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
871 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
872 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
873 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
874 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
875 return rsassa_pkcs1_v1_5_sign(ssa_data);
876
877 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
878 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
879 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
880 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
881 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
882 return rsassa_pss_sign(ssa_data);
883
884 default:
885 break;
886 }
887
888 return TEE_ERROR_BAD_PARAMETERS;
889 }
890
drvcrypt_rsassa_verify(struct drvcrypt_rsa_ssa * ssa_data)891 TEE_Result drvcrypt_rsassa_verify(struct drvcrypt_rsa_ssa *ssa_data)
892 {
893 switch (ssa_data->algo) {
894 case TEE_ALG_RSASSA_PKCS1_V1_5:
895 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
896 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
897 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
898 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
899 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
900 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
901 return rsassa_pkcs1_v1_5_verify(ssa_data);
902
903 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
904 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
905 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
906 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
907 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
908 return rsassa_pss_verify(ssa_data);
909
910 default:
911 break;
912 }
913
914 return TEE_ERROR_BAD_PARAMETERS;
915 }
916