xref: /optee_os/core/lib/libtomcrypt/rsa.c (revision 8f6ac972b8bbda36443ebb88bf50553acd8d7be7) 
1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3  * Copyright (c) 2014-2019, 2022 Linaro Limited
4  */
5 
6 #include <crypto/crypto.h>
7 #include <crypto/crypto_impl.h>
8 #include <fault_mitigation.h>
9 #include <stdlib.h>
10 #include <string.h>
11 #include <tee_api_defines_extensions.h>
12 #include <tee_api_types.h>
13 #include <tee/tee_cryp_utl.h>
14 #include <trace.h>
15 #include <utee_defines.h>
16 
17 #include "acipher_helpers.h"
18 
19 
20 /*
21  * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo"
22  * Return
23  * - TEE_SUCCESS in case of success,
24  * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo
25  * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC
26  * Return -1 in case of error
27  */
28 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex)
29 {
30 	switch (algo) {
31 #if defined(_CFG_CORE_LTC_SHA1)
32 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
33 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
34 	case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1:
35 		*ltc_hashindex = find_hash("sha1");
36 		break;
37 #endif
38 #if defined(_CFG_CORE_LTC_MD5)
39 	case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
40 		*ltc_hashindex = find_hash("md5");
41 		break;
42 #endif
43 #if defined(_CFG_CORE_LTC_SHA224)
44 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
45 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
46 	case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224:
47 		*ltc_hashindex = find_hash("sha224");
48 		break;
49 #endif
50 #if defined(_CFG_CORE_LTC_SHA256)
51 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
52 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
53 	case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256:
54 		*ltc_hashindex = find_hash("sha256");
55 		break;
56 #endif
57 #if defined(_CFG_CORE_LTC_SHA384)
58 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
59 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
60 	case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384:
61 		*ltc_hashindex = find_hash("sha384");
62 		break;
63 #endif
64 #if defined(_CFG_CORE_LTC_SHA512)
65 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
66 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
67 	case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512:
68 		*ltc_hashindex = find_hash("sha512");
69 		break;
70 #endif
71 	case TEE_ALG_RSASSA_PKCS1_V1_5:
72 	case TEE_ALG_RSAES_PKCS1_V1_5:
73 		/* invalid one. but it should not be used anyway */
74 		*ltc_hashindex = -1;
75 		return TEE_SUCCESS;
76 
77 	default:
78 		return TEE_ERROR_BAD_PARAMETERS;
79 	}
80 
81 	if (*ltc_hashindex < 0)
82 		return TEE_ERROR_NOT_SUPPORTED;
83 	else
84 		return TEE_SUCCESS;
85 }
86 
87 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
88 					    size_t key_size_bits __unused)
89 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair");
90 
91 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
92 					       size_t key_size_bits __unused)
93 {
94 	memset(s, 0, sizeof(*s));
95 	if (!bn_alloc_max(&s->e))
96 		return TEE_ERROR_OUT_OF_MEMORY;
97 	if (!bn_alloc_max(&s->d))
98 		goto err;
99 	if (!bn_alloc_max(&s->n))
100 		goto err;
101 	if (!bn_alloc_max(&s->p))
102 		goto err;
103 	if (!bn_alloc_max(&s->q))
104 		goto err;
105 	if (!bn_alloc_max(&s->qp))
106 		goto err;
107 	if (!bn_alloc_max(&s->dp))
108 		goto err;
109 	if (!bn_alloc_max(&s->dq))
110 		goto err;
111 
112 	return TEE_SUCCESS;
113 err:
114 	crypto_acipher_free_rsa_keypair(s);
115 	return TEE_ERROR_OUT_OF_MEMORY;
116 }
117 
118 
119 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
120 					       size_t key_size_bits __unused)
121 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key");
122 
123 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
124 						  size_t key_size_bits __unused)
125 {
126 	memset(s, 0, sizeof(*s));
127 	if (!bn_alloc_max(&s->e))
128 		return TEE_ERROR_OUT_OF_MEMORY;
129 	if (!bn_alloc_max(&s->n))
130 		goto err;
131 	return TEE_SUCCESS;
132 err:
133 	crypto_bignum_free(s->e);
134 	return TEE_ERROR_OUT_OF_MEMORY;
135 }
136 
137 
138 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
139 __weak __alias("sw_crypto_acipher_free_rsa_public_key");
140 
141 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
142 {
143 	if (!s)
144 		return;
145 	crypto_bignum_free(s->n);
146 	crypto_bignum_free(s->e);
147 }
148 
149 
150 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
151 __weak __alias("sw_crypto_acipher_free_rsa_keypair");
152 
153 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
154 {
155 	if (!s)
156 		return;
157 	crypto_bignum_free(s->e);
158 	crypto_bignum_free(s->d);
159 	crypto_bignum_free(s->n);
160 	crypto_bignum_free(s->p);
161 	crypto_bignum_free(s->q);
162 	crypto_bignum_free(s->qp);
163 	crypto_bignum_free(s->dp);
164 	crypto_bignum_free(s->dq);
165 }
166 
167 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
168 				      size_t key_size)
169 __weak __alias("sw_crypto_acipher_gen_rsa_key");
170 
171 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
172 					 size_t key_size)
173 {
174 	TEE_Result res;
175 	rsa_key ltc_tmp_key;
176 	int ltc_res;
177 
178 	/* Generate a temporary RSA key */
179 	ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"),
180 				    key_size / 8, key->e, &ltc_tmp_key);
181 	if (ltc_res != CRYPT_OK) {
182 		res = TEE_ERROR_BAD_PARAMETERS;
183 	} else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) {
184 		rsa_free(&ltc_tmp_key);
185 		res = TEE_ERROR_BAD_PARAMETERS;
186 	} else {
187 		/* Copy the key */
188 		ltc_mp.copy(ltc_tmp_key.d,  key->d);
189 		ltc_mp.copy(ltc_tmp_key.N,  key->n);
190 		ltc_mp.copy(ltc_tmp_key.p,  key->p);
191 		ltc_mp.copy(ltc_tmp_key.q,  key->q);
192 		ltc_mp.copy(ltc_tmp_key.qP, key->qp);
193 		ltc_mp.copy(ltc_tmp_key.dP, key->dp);
194 		ltc_mp.copy(ltc_tmp_key.dQ, key->dq);
195 
196 		/* Free the temporary key */
197 		rsa_free(&ltc_tmp_key);
198 		res = TEE_SUCCESS;
199 	}
200 
201 	return res;
202 }
203 
204 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src,
205 			   size_t src_len, uint8_t *dst, size_t *dst_len)
206 {
207 	TEE_Result res = TEE_SUCCESS;
208 	uint8_t *buf = NULL;
209 	unsigned long blen, offset;
210 	int ltc_res;
211 
212 	/*
213 	 * Use a temporary buffer since we don't know exactly how large the
214 	 * required size of the out buffer without doing a partial decrypt.
215 	 * We know the upper bound though.
216 	 */
217 	blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t);
218 	buf = malloc(blen);
219 	if (!buf) {
220 		res = TEE_ERROR_OUT_OF_MEMORY;
221 		goto out;
222 	}
223 
224 	ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type,
225 			      ltc_key);
226 	switch (ltc_res) {
227 	case CRYPT_PK_NOT_PRIVATE:
228 	case CRYPT_PK_INVALID_TYPE:
229 	case CRYPT_PK_INVALID_SIZE:
230 	case CRYPT_INVALID_PACKET:
231 		EMSG("rsa_exptmod() returned %d", ltc_res);
232 		res = TEE_ERROR_BAD_PARAMETERS;
233 		goto out;
234 	case CRYPT_OK:
235 		break;
236 	default:
237 		/* This will result in a panic */
238 		EMSG("rsa_exptmod() returned %d", ltc_res);
239 		res = TEE_ERROR_GENERIC;
240 		goto out;
241 	}
242 
243 	/* Remove the zero-padding (leave one zero if buff is all zeroes) */
244 	offset = 0;
245 	while ((offset < blen - 1) && (buf[offset] == 0))
246 		offset++;
247 
248 	if (*dst_len < blen - offset) {
249 		*dst_len = blen - offset;
250 		res = TEE_ERROR_SHORT_BUFFER;
251 		goto out;
252 	}
253 
254 	res = TEE_SUCCESS;
255 	*dst_len = blen - offset;
256 	memcpy(dst, (char *)buf + offset, *dst_len);
257 
258 out:
259 	if (buf)
260 		free(buf);
261 
262 	return res;
263 }
264 
265 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
266 					   const uint8_t *src,
267 					   size_t src_len, uint8_t *dst,
268 					   size_t *dst_len)
269 __weak __alias("sw_crypto_acipher_rsanopad_encrypt");
270 
271 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
272 					      const uint8_t *src,
273 					      size_t src_len, uint8_t *dst,
274 					      size_t *dst_len)
275 {
276 	TEE_Result res;
277 	rsa_key ltc_key = { 0, };
278 
279 	ltc_key.type = PK_PUBLIC;
280 	ltc_key.e = key->e;
281 	ltc_key.N = key->n;
282 
283 	res = rsadorep(&ltc_key, src, src_len, dst, dst_len);
284 	return res;
285 }
286 
287 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
288 					   const uint8_t *src,
289 					   size_t src_len, uint8_t *dst,
290 					   size_t *dst_len)
291 __weak __alias("sw_crypto_acipher_rsanopad_decrypt");
292 
293 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
294 					      const uint8_t *src,
295 					      size_t src_len, uint8_t *dst,
296 					      size_t *dst_len)
297 {
298 	TEE_Result res;
299 	rsa_key ltc_key = { 0, };
300 
301 	ltc_key.type = PK_PRIVATE;
302 	ltc_key.e = key->e;
303 	ltc_key.N = key->n;
304 	ltc_key.d = key->d;
305 	if (key->p && crypto_bignum_num_bytes(key->p)) {
306 		ltc_key.p = key->p;
307 		ltc_key.q = key->q;
308 		ltc_key.qP = key->qp;
309 		ltc_key.dP = key->dp;
310 		ltc_key.dQ = key->dq;
311 	}
312 
313 	res = rsadorep(&ltc_key, src, src_len, dst, dst_len);
314 	return res;
315 }
316 
317 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo,
318 					struct rsa_keypair *key,
319 					const uint8_t *label,
320 					size_t label_len, const uint8_t *src,
321 					size_t src_len, uint8_t *dst,
322 					size_t *dst_len)
323 __weak __alias("sw_crypto_acipher_rsaes_decrypt");
324 
325 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo,
326 					   struct rsa_keypair *key,
327 					   const uint8_t *label,
328 					   size_t label_len, const uint8_t *src,
329 					   size_t src_len, uint8_t *dst,
330 					   size_t *dst_len)
331 {
332 	TEE_Result res = TEE_SUCCESS;
333 	void *buf = NULL;
334 	unsigned long blen;
335 	int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo;
336 	size_t mod_size;
337 	rsa_key ltc_key = { 0, };
338 
339 	ltc_key.type = PK_PRIVATE;
340 	ltc_key.e = key->e;
341 	ltc_key.d = key->d;
342 	ltc_key.N = key->n;
343 	if (key->p && crypto_bignum_num_bytes(key->p)) {
344 		ltc_key.p = key->p;
345 		ltc_key.q = key->q;
346 		ltc_key.qP = key->qp;
347 		ltc_key.dP = key->dp;
348 		ltc_key.dQ = key->dq;
349 	}
350 
351 	/* Get the algorithm */
352 	res = tee_algo_to_ltc_hashindex(algo, &ltc_hashindex);
353 	if (res != TEE_SUCCESS) {
354 		EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res);
355 		goto out;
356 	}
357 
358 	/*
359 	 * Use a temporary buffer since we don't know exactly how large
360 	 * the required size of the out buffer without doing a partial
361 	 * decrypt. We know the upper bound though.
362 	 */
363 	if (algo == TEE_ALG_RSAES_PKCS1_V1_5) {
364 		mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
365 		blen = mod_size - 11;
366 		ltc_rsa_algo = LTC_PKCS_1_V1_5;
367 	} else {
368 		/* Decoded message is always shorter than encrypted message */
369 		blen = src_len;
370 		ltc_rsa_algo = LTC_PKCS_1_OAEP;
371 	}
372 
373 	buf = malloc(blen);
374 	if (!buf) {
375 		res = TEE_ERROR_OUT_OF_MEMORY;
376 		goto out;
377 	}
378 
379 	ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen,
380 				     ((label_len == 0) ? 0 : label), label_len,
381 				     ltc_hashindex, ltc_rsa_algo, &ltc_stat,
382 				     &ltc_key);
383 	switch (ltc_res) {
384 	case CRYPT_PK_INVALID_PADDING:
385 	case CRYPT_INVALID_PACKET:
386 	case CRYPT_PK_INVALID_SIZE:
387 		EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
388 		res = TEE_ERROR_BAD_PARAMETERS;
389 		goto out;
390 	case CRYPT_OK:
391 		break;
392 	default:
393 		/* This will result in a panic */
394 		EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
395 		res = TEE_ERROR_GENERIC;
396 		goto out;
397 	}
398 	if (ltc_stat != 1) {
399 		/* This will result in a panic */
400 		EMSG("rsa_decrypt_key_ex() returned %d and %d",
401 		     ltc_res, ltc_stat);
402 		res = TEE_ERROR_GENERIC;
403 		goto out;
404 	}
405 
406 	if (*dst_len < blen) {
407 		*dst_len = blen;
408 		res = TEE_ERROR_SHORT_BUFFER;
409 		goto out;
410 	}
411 
412 	res = TEE_SUCCESS;
413 	*dst_len = blen;
414 	memcpy(dst, buf, blen);
415 
416 out:
417 	if (buf)
418 		free(buf);
419 
420 	return res;
421 }
422 
423 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo,
424 					struct rsa_public_key *key,
425 					const uint8_t *label,
426 					size_t label_len, const uint8_t *src,
427 					size_t src_len, uint8_t *dst,
428 					size_t *dst_len)
429 __weak __alias("sw_crypto_acipher_rsaes_encrypt");
430 
431 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo,
432 					   struct rsa_public_key *key,
433 					   const uint8_t *label,
434 					   size_t label_len, const uint8_t *src,
435 					   size_t src_len, uint8_t *dst,
436 					   size_t *dst_len)
437 {
438 	TEE_Result res;
439 	uint32_t mod_size;
440 	int ltc_hashindex, ltc_res, ltc_rsa_algo;
441 	rsa_key ltc_key = {
442 		.type = PK_PUBLIC,
443 		.e = key->e,
444 		.N = key->n
445 	};
446 
447 	mod_size =  ltc_mp.unsigned_size((void *)(ltc_key.N));
448 	if (*dst_len < mod_size) {
449 		*dst_len = mod_size;
450 		res = TEE_ERROR_SHORT_BUFFER;
451 		goto out;
452 	}
453 	*dst_len = mod_size;
454 
455 	/* Get the algorithm */
456 	res = tee_algo_to_ltc_hashindex(algo, &ltc_hashindex);
457 	if (res != TEE_SUCCESS)
458 		goto out;
459 
460 	if (algo == TEE_ALG_RSAES_PKCS1_V1_5)
461 		ltc_rsa_algo = LTC_PKCS_1_V1_5;
462 	else
463 		ltc_rsa_algo = LTC_PKCS_1_OAEP;
464 
465 	ltc_res = rsa_encrypt_key_ex(src, src_len, dst,
466 				     (unsigned long *)(dst_len), label,
467 				     label_len, NULL, find_prng("prng_crypto"),
468 				     ltc_hashindex, ltc_rsa_algo, &ltc_key);
469 	switch (ltc_res) {
470 	case CRYPT_PK_INVALID_PADDING:
471 	case CRYPT_INVALID_PACKET:
472 	case CRYPT_PK_INVALID_SIZE:
473 		EMSG("rsa_encrypt_key_ex() returned %d", ltc_res);
474 		res = TEE_ERROR_BAD_PARAMETERS;
475 		goto out;
476 	case CRYPT_OK:
477 		break;
478 	default:
479 		/* This will result in a panic */
480 		res = TEE_ERROR_GENERIC;
481 		goto out;
482 	}
483 	res = TEE_SUCCESS;
484 
485 out:
486 	return res;
487 }
488 
489 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
490 				      int salt_len, const uint8_t *msg,
491 				      size_t msg_len, uint8_t *sig,
492 				      size_t *sig_len)
493 __weak __alias("sw_crypto_acipher_rsassa_sign");
494 
495 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
496 					 int salt_len, const uint8_t *msg,
497 					 size_t msg_len, uint8_t *sig,
498 					 size_t *sig_len)
499 {
500 	TEE_Result res;
501 	size_t hash_size, mod_size;
502 	int ltc_res, ltc_rsa_algo, ltc_hashindex;
503 	unsigned long ltc_sig_len;
504 	rsa_key ltc_key = { 0, };
505 
506 	ltc_key.type = PK_PRIVATE;
507 	ltc_key.e = key->e;
508 	ltc_key.N = key->n;
509 	ltc_key.d = key->d;
510 	if (key->p && crypto_bignum_num_bytes(key->p)) {
511 		ltc_key.p = key->p;
512 		ltc_key.q = key->q;
513 		ltc_key.qP = key->qp;
514 		ltc_key.dP = key->dp;
515 		ltc_key.dQ = key->dq;
516 	}
517 
518 	switch (algo) {
519 	case TEE_ALG_RSASSA_PKCS1_V1_5:
520 		ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
521 		break;
522 	case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
523 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
524 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
525 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
526 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
527 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
528 		ltc_rsa_algo = LTC_PKCS_1_V1_5;
529 		break;
530 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
531 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
532 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
533 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
534 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
535 		ltc_rsa_algo = LTC_PKCS_1_PSS;
536 		break;
537 	default:
538 		res = TEE_ERROR_BAD_PARAMETERS;
539 		goto err;
540 	}
541 
542 	if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) {
543 		ltc_res = tee_algo_to_ltc_hashindex(algo, &ltc_hashindex);
544 		if (ltc_res != CRYPT_OK) {
545 			res = TEE_ERROR_BAD_PARAMETERS;
546 			goto err;
547 		}
548 
549 		res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
550 					      &hash_size);
551 		if (res != TEE_SUCCESS)
552 			goto err;
553 
554 		if (msg_len != hash_size) {
555 			res = TEE_ERROR_BAD_PARAMETERS;
556 			goto err;
557 		}
558 	}
559 
560 	mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
561 
562 	if (*sig_len < mod_size) {
563 		*sig_len = mod_size;
564 		res = TEE_ERROR_SHORT_BUFFER;
565 		goto err;
566 	}
567 
568 	ltc_sig_len = mod_size;
569 
570 	ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, &ltc_sig_len,
571 				   ltc_rsa_algo, NULL, find_prng("prng_crypto"),
572 				   ltc_hashindex, salt_len, &ltc_key);
573 
574 	*sig_len = ltc_sig_len;
575 
576 	if (ltc_res != CRYPT_OK) {
577 		res = TEE_ERROR_BAD_PARAMETERS;
578 		goto err;
579 	}
580 	res = TEE_SUCCESS;
581 
582 err:
583 	return res;
584 }
585 
586 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo,
587 					struct rsa_public_key *key,
588 					int salt_len, const uint8_t *msg,
589 					size_t msg_len, const uint8_t *sig,
590 					size_t sig_len)
591 __weak __alias("sw_crypto_acipher_rsassa_verify");
592 
593 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo,
594 					   struct rsa_public_key *key,
595 					   int salt_len, const uint8_t *msg,
596 					   size_t msg_len, const uint8_t *sig,
597 					   size_t sig_len)
598 {
599 	TEE_Result res;
600 	uint32_t bigint_size;
601 	size_t hash_size;
602 	int stat, ltc_hashindex, ltc_res, ltc_rsa_algo;
603 	rsa_key ltc_key = {
604 		.type = PK_PUBLIC,
605 		.e = key->e,
606 		.N = key->n
607 	};
608 	struct ftmn   ftmn = { };
609 
610 	/*
611 	 * The caller expects to call crypto_acipher_rsassa_verify(),
612 	 * update the hash as needed.
613 	 */
614 	FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify"));
615 
616 	if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
617 		res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
618 					      &hash_size);
619 		if (res != TEE_SUCCESS)
620 			goto err;
621 
622 		if (msg_len != hash_size) {
623 			res = TEE_ERROR_BAD_PARAMETERS;
624 			goto err;
625 		}
626 	}
627 
628 	bigint_size = ltc_mp.unsigned_size(ltc_key.N);
629 	if (sig_len < bigint_size) {
630 		res = TEE_ERROR_SIGNATURE_INVALID;
631 		goto err;
632 	}
633 
634 	/* Get the algorithm */
635 	if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
636 		res = tee_algo_to_ltc_hashindex(algo, &ltc_hashindex);
637 		if (res != TEE_SUCCESS)
638 			goto err;
639 	}
640 
641 	switch (algo) {
642 	case TEE_ALG_RSASSA_PKCS1_V1_5:
643 		ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
644 		break;
645 	case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
646 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
647 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
648 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
649 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
650 	case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
651 		ltc_rsa_algo = LTC_PKCS_1_V1_5;
652 		break;
653 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
654 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
655 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
656 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
657 	case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
658 		ltc_rsa_algo = LTC_PKCS_1_PSS;
659 		break;
660 	default:
661 		res = TEE_ERROR_BAD_PARAMETERS;
662 		goto err;
663 	}
664 
665 	FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex"));
666 	ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo,
667 				     ltc_hashindex, salt_len, &stat, &ltc_key);
668 	res = convert_ltc_verify_status(ltc_res, stat);
669 	if (res)
670 		FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res);
671 	else
672 		FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0);
673 	FTMN_POP_LINKED_CALL(&ftmn);
674 	FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res);
675 	return res;
676 err:
677 	FTMN_CALLEE_DONE_NOT_ZERO(res);
678 	return res;
679 }
680