1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, 2022 Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <crypto/crypto_impl.h> 8 #include <fault_mitigation.h> 9 #include <mempool.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <tee_api_defines_extensions.h> 13 #include <tee_api_types.h> 14 #include <tee/tee_cryp_utl.h> 15 #include <trace.h> 16 #include <utee_defines.h> 17 18 #include "acipher_helpers.h" 19 20 21 /* 22 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 23 * Return 24 * - TEE_SUCCESS in case of success, 25 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 26 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 27 * Return -1 in case of error 28 */ 29 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 30 { 31 switch (algo) { 32 #if defined(_CFG_CORE_LTC_SHA1) 33 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 34 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 35 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 36 *ltc_hashindex = find_hash("sha1"); 37 break; 38 #endif 39 #if defined(_CFG_CORE_LTC_MD5) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 41 *ltc_hashindex = find_hash("md5"); 42 break; 43 #endif 44 #if defined(_CFG_CORE_LTC_SHA224) 45 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 46 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 47 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 48 *ltc_hashindex = find_hash("sha224"); 49 break; 50 #endif 51 #if defined(_CFG_CORE_LTC_SHA256) 52 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 53 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 54 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 55 *ltc_hashindex = find_hash("sha256"); 56 break; 57 #endif 58 #if defined(_CFG_CORE_LTC_SHA384) 59 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 60 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 61 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 62 *ltc_hashindex = find_hash("sha384"); 63 break; 64 #endif 65 #if defined(_CFG_CORE_LTC_SHA512) 66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 69 *ltc_hashindex = find_hash("sha512"); 70 break; 71 #endif 72 case TEE_ALG_RSASSA_PKCS1_V1_5: 73 case TEE_ALG_RSAES_PKCS1_V1_5: 74 /* invalid one. but it should not be used anyway */ 75 *ltc_hashindex = -1; 76 return TEE_SUCCESS; 77 78 default: 79 return TEE_ERROR_BAD_PARAMETERS; 80 } 81 82 if (*ltc_hashindex < 0) 83 return TEE_ERROR_NOT_SUPPORTED; 84 else 85 return TEE_SUCCESS; 86 } 87 88 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 89 size_t key_size_bits __unused) 90 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair"); 91 92 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 93 size_t key_size_bits __unused) 94 { 95 memset(s, 0, sizeof(*s)); 96 if (!bn_alloc_max(&s->e)) 97 return TEE_ERROR_OUT_OF_MEMORY; 98 if (!bn_alloc_max(&s->d)) 99 goto err; 100 if (!bn_alloc_max(&s->n)) 101 goto err; 102 if (!bn_alloc_max(&s->p)) 103 goto err; 104 if (!bn_alloc_max(&s->q)) 105 goto err; 106 if (!bn_alloc_max(&s->qp)) 107 goto err; 108 if (!bn_alloc_max(&s->dp)) 109 goto err; 110 if (!bn_alloc_max(&s->dq)) 111 goto err; 112 113 return TEE_SUCCESS; 114 err: 115 crypto_acipher_free_rsa_keypair(s); 116 return TEE_ERROR_OUT_OF_MEMORY; 117 } 118 119 120 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 121 size_t key_size_bits __unused) 122 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key"); 123 124 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 125 size_t key_size_bits __unused) 126 { 127 memset(s, 0, sizeof(*s)); 128 if (!bn_alloc_max(&s->e)) 129 return TEE_ERROR_OUT_OF_MEMORY; 130 if (!bn_alloc_max(&s->n)) 131 goto err; 132 return TEE_SUCCESS; 133 err: 134 crypto_bignum_free(s->e); 135 return TEE_ERROR_OUT_OF_MEMORY; 136 } 137 138 139 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 140 __weak __alias("sw_crypto_acipher_free_rsa_public_key"); 141 142 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 143 { 144 if (!s) 145 return; 146 crypto_bignum_free(s->n); 147 crypto_bignum_free(s->e); 148 } 149 150 151 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 152 __weak __alias("sw_crypto_acipher_free_rsa_keypair"); 153 154 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 155 { 156 if (!s) 157 return; 158 crypto_bignum_free(s->e); 159 crypto_bignum_free(s->d); 160 crypto_bignum_free(s->n); 161 crypto_bignum_free(s->p); 162 crypto_bignum_free(s->q); 163 crypto_bignum_free(s->qp); 164 crypto_bignum_free(s->dp); 165 crypto_bignum_free(s->dq); 166 } 167 168 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 169 size_t key_size) 170 __weak __alias("sw_crypto_acipher_gen_rsa_key"); 171 172 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 173 size_t key_size) 174 { 175 TEE_Result res; 176 rsa_key ltc_tmp_key; 177 int ltc_res; 178 179 /* Generate a temporary RSA key */ 180 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"), 181 key_size / 8, key->e, <c_tmp_key); 182 if (ltc_res != CRYPT_OK) { 183 res = TEE_ERROR_BAD_PARAMETERS; 184 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 185 rsa_free(<c_tmp_key); 186 res = TEE_ERROR_BAD_PARAMETERS; 187 } else { 188 /* Copy the key */ 189 ltc_mp.copy(ltc_tmp_key.d, key->d); 190 ltc_mp.copy(ltc_tmp_key.N, key->n); 191 ltc_mp.copy(ltc_tmp_key.p, key->p); 192 ltc_mp.copy(ltc_tmp_key.q, key->q); 193 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 194 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 195 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 196 197 /* Free the temporary key */ 198 rsa_free(<c_tmp_key); 199 res = TEE_SUCCESS; 200 } 201 202 return res; 203 } 204 205 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 206 size_t src_len, uint8_t *dst, size_t *dst_len) 207 { 208 TEE_Result res = TEE_SUCCESS; 209 uint8_t *buf = NULL; 210 unsigned long blen, offset; 211 int ltc_res; 212 213 /* 214 * Use a temporary buffer since we don't know exactly how large the 215 * required size of the out buffer without doing a partial decrypt. 216 * We know the upper bound though. 217 */ 218 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 219 buf = mempool_alloc(mempool_default, blen); 220 if (!buf) { 221 res = TEE_ERROR_OUT_OF_MEMORY; 222 goto out; 223 } 224 225 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 226 ltc_key); 227 switch (ltc_res) { 228 case CRYPT_PK_NOT_PRIVATE: 229 case CRYPT_PK_INVALID_TYPE: 230 case CRYPT_PK_INVALID_SIZE: 231 case CRYPT_INVALID_PACKET: 232 EMSG("rsa_exptmod() returned %d", ltc_res); 233 res = TEE_ERROR_BAD_PARAMETERS; 234 goto out; 235 case CRYPT_OK: 236 break; 237 default: 238 /* This will result in a panic */ 239 EMSG("rsa_exptmod() returned %d", ltc_res); 240 res = TEE_ERROR_GENERIC; 241 goto out; 242 } 243 244 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 245 offset = 0; 246 while ((offset < blen - 1) && (buf[offset] == 0)) 247 offset++; 248 249 if (*dst_len < blen - offset) { 250 *dst_len = blen - offset; 251 res = TEE_ERROR_SHORT_BUFFER; 252 goto out; 253 } 254 255 res = TEE_SUCCESS; 256 *dst_len = blen - offset; 257 memcpy(dst, (char *)buf + offset, *dst_len); 258 259 out: 260 mempool_free(mempool_default, buf); 261 262 return res; 263 } 264 265 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 266 const uint8_t *src, 267 size_t src_len, uint8_t *dst, 268 size_t *dst_len) 269 __weak __alias("sw_crypto_acipher_rsanopad_encrypt"); 270 271 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 272 const uint8_t *src, 273 size_t src_len, uint8_t *dst, 274 size_t *dst_len) 275 { 276 TEE_Result res; 277 rsa_key ltc_key = { 0, }; 278 279 ltc_key.type = PK_PUBLIC; 280 ltc_key.e = key->e; 281 ltc_key.N = key->n; 282 283 res = rsadorep(<c_key, src, src_len, dst, dst_len); 284 return res; 285 } 286 287 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 288 const uint8_t *src, 289 size_t src_len, uint8_t *dst, 290 size_t *dst_len) 291 __weak __alias("sw_crypto_acipher_rsanopad_decrypt"); 292 293 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 294 const uint8_t *src, 295 size_t src_len, uint8_t *dst, 296 size_t *dst_len) 297 { 298 TEE_Result res; 299 rsa_key ltc_key = { 0, }; 300 301 ltc_key.type = PK_PRIVATE; 302 ltc_key.e = key->e; 303 ltc_key.N = key->n; 304 ltc_key.d = key->d; 305 if (key->p && crypto_bignum_num_bytes(key->p)) { 306 ltc_key.p = key->p; 307 ltc_key.q = key->q; 308 ltc_key.qP = key->qp; 309 ltc_key.dP = key->dp; 310 ltc_key.dQ = key->dq; 311 } 312 313 res = rsadorep(<c_key, src, src_len, dst, dst_len); 314 return res; 315 } 316 317 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, 318 struct rsa_keypair *key, 319 const uint8_t *label, 320 size_t label_len, const uint8_t *src, 321 size_t src_len, uint8_t *dst, 322 size_t *dst_len) 323 __weak __alias("sw_crypto_acipher_rsaes_decrypt"); 324 325 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo, 326 struct rsa_keypair *key, 327 const uint8_t *label, 328 size_t label_len, const uint8_t *src, 329 size_t src_len, uint8_t *dst, 330 size_t *dst_len) 331 { 332 TEE_Result res = TEE_SUCCESS; 333 void *buf = NULL; 334 unsigned long blen; 335 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 336 size_t mod_size; 337 rsa_key ltc_key = { 0, }; 338 339 ltc_key.type = PK_PRIVATE; 340 ltc_key.e = key->e; 341 ltc_key.d = key->d; 342 ltc_key.N = key->n; 343 if (key->p && crypto_bignum_num_bytes(key->p)) { 344 ltc_key.p = key->p; 345 ltc_key.q = key->q; 346 ltc_key.qP = key->qp; 347 ltc_key.dP = key->dp; 348 ltc_key.dQ = key->dq; 349 } 350 351 /* Get the algorithm */ 352 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 353 if (res != TEE_SUCCESS) { 354 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 355 goto out; 356 } 357 358 /* 359 * Use a temporary buffer since we don't know exactly how large 360 * the required size of the out buffer without doing a partial 361 * decrypt. We know the upper bound though. 362 */ 363 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 364 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 365 blen = mod_size - 11; 366 ltc_rsa_algo = LTC_PKCS_1_V1_5; 367 } else { 368 /* Decoded message is always shorter than encrypted message */ 369 blen = src_len; 370 ltc_rsa_algo = LTC_PKCS_1_OAEP; 371 } 372 373 buf = mempool_alloc(mempool_default, blen); 374 if (!buf) { 375 res = TEE_ERROR_OUT_OF_MEMORY; 376 goto out; 377 } 378 379 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 380 ((label_len == 0) ? 0 : label), label_len, 381 ltc_hashindex, ltc_rsa_algo, <c_stat, 382 <c_key); 383 switch (ltc_res) { 384 case CRYPT_PK_INVALID_PADDING: 385 case CRYPT_INVALID_PACKET: 386 case CRYPT_PK_INVALID_SIZE: 387 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 388 res = TEE_ERROR_BAD_PARAMETERS; 389 goto out; 390 case CRYPT_OK: 391 break; 392 default: 393 /* This will result in a panic */ 394 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 395 res = TEE_ERROR_GENERIC; 396 goto out; 397 } 398 if (ltc_stat != 1) { 399 /* This will result in a panic */ 400 EMSG("rsa_decrypt_key_ex() returned %d and %d", 401 ltc_res, ltc_stat); 402 res = TEE_ERROR_GENERIC; 403 goto out; 404 } 405 406 if (*dst_len < blen) { 407 *dst_len = blen; 408 res = TEE_ERROR_SHORT_BUFFER; 409 goto out; 410 } 411 412 res = TEE_SUCCESS; 413 *dst_len = blen; 414 memcpy(dst, buf, blen); 415 416 out: 417 mempool_free(mempool_default, buf); 418 419 return res; 420 } 421 422 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 423 struct rsa_public_key *key, 424 const uint8_t *label, 425 size_t label_len, const uint8_t *src, 426 size_t src_len, uint8_t *dst, 427 size_t *dst_len) 428 __weak __alias("sw_crypto_acipher_rsaes_encrypt"); 429 430 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo, 431 struct rsa_public_key *key, 432 const uint8_t *label, 433 size_t label_len, const uint8_t *src, 434 size_t src_len, uint8_t *dst, 435 size_t *dst_len) 436 { 437 TEE_Result res; 438 uint32_t mod_size; 439 int ltc_hashindex, ltc_res, ltc_rsa_algo; 440 rsa_key ltc_key = { 441 .type = PK_PUBLIC, 442 .e = key->e, 443 .N = key->n 444 }; 445 446 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 447 if (*dst_len < mod_size) { 448 *dst_len = mod_size; 449 res = TEE_ERROR_SHORT_BUFFER; 450 goto out; 451 } 452 *dst_len = mod_size; 453 454 /* Get the algorithm */ 455 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 456 if (res != TEE_SUCCESS) 457 goto out; 458 459 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 460 ltc_rsa_algo = LTC_PKCS_1_V1_5; 461 else 462 ltc_rsa_algo = LTC_PKCS_1_OAEP; 463 464 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 465 (unsigned long *)(dst_len), label, 466 label_len, NULL, find_prng("prng_crypto"), 467 ltc_hashindex, ltc_rsa_algo, <c_key); 468 switch (ltc_res) { 469 case CRYPT_PK_INVALID_PADDING: 470 case CRYPT_INVALID_PACKET: 471 case CRYPT_PK_INVALID_SIZE: 472 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 473 res = TEE_ERROR_BAD_PARAMETERS; 474 goto out; 475 case CRYPT_OK: 476 break; 477 default: 478 /* This will result in a panic */ 479 res = TEE_ERROR_GENERIC; 480 goto out; 481 } 482 res = TEE_SUCCESS; 483 484 out: 485 return res; 486 } 487 488 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 489 int salt_len, const uint8_t *msg, 490 size_t msg_len, uint8_t *sig, 491 size_t *sig_len) 492 __weak __alias("sw_crypto_acipher_rsassa_sign"); 493 494 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 495 int salt_len, const uint8_t *msg, 496 size_t msg_len, uint8_t *sig, 497 size_t *sig_len) 498 { 499 TEE_Result res; 500 size_t hash_size, mod_size; 501 int ltc_res, ltc_rsa_algo, ltc_hashindex; 502 unsigned long ltc_sig_len; 503 rsa_key ltc_key = { 0, }; 504 505 ltc_key.type = PK_PRIVATE; 506 ltc_key.e = key->e; 507 ltc_key.N = key->n; 508 ltc_key.d = key->d; 509 if (key->p && crypto_bignum_num_bytes(key->p)) { 510 ltc_key.p = key->p; 511 ltc_key.q = key->q; 512 ltc_key.qP = key->qp; 513 ltc_key.dP = key->dp; 514 ltc_key.dQ = key->dq; 515 } 516 517 switch (algo) { 518 case TEE_ALG_RSASSA_PKCS1_V1_5: 519 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 520 break; 521 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 522 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 523 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 524 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 525 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 526 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 527 ltc_rsa_algo = LTC_PKCS_1_V1_5; 528 break; 529 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 530 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 531 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 532 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 533 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 534 ltc_rsa_algo = LTC_PKCS_1_PSS; 535 break; 536 default: 537 res = TEE_ERROR_BAD_PARAMETERS; 538 goto err; 539 } 540 541 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 542 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 543 if (ltc_res != CRYPT_OK) { 544 res = TEE_ERROR_BAD_PARAMETERS; 545 goto err; 546 } 547 548 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 549 &hash_size); 550 if (res != TEE_SUCCESS) 551 goto err; 552 553 if (msg_len != hash_size) { 554 res = TEE_ERROR_BAD_PARAMETERS; 555 goto err; 556 } 557 } 558 559 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 560 561 if (*sig_len < mod_size) { 562 *sig_len = mod_size; 563 res = TEE_ERROR_SHORT_BUFFER; 564 goto err; 565 } 566 567 ltc_sig_len = mod_size; 568 569 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 570 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 571 ltc_hashindex, salt_len, <c_key); 572 573 *sig_len = ltc_sig_len; 574 575 if (ltc_res != CRYPT_OK) { 576 res = TEE_ERROR_BAD_PARAMETERS; 577 goto err; 578 } 579 res = TEE_SUCCESS; 580 581 err: 582 return res; 583 } 584 585 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 586 struct rsa_public_key *key, 587 int salt_len, const uint8_t *msg, 588 size_t msg_len, const uint8_t *sig, 589 size_t sig_len) 590 __weak __alias("sw_crypto_acipher_rsassa_verify"); 591 592 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo, 593 struct rsa_public_key *key, 594 int salt_len, const uint8_t *msg, 595 size_t msg_len, const uint8_t *sig, 596 size_t sig_len) 597 { 598 TEE_Result res; 599 uint32_t bigint_size; 600 size_t hash_size; 601 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 602 rsa_key ltc_key = { 603 .type = PK_PUBLIC, 604 .e = key->e, 605 .N = key->n 606 }; 607 struct ftmn ftmn = { }; 608 609 /* 610 * The caller expects to call crypto_acipher_rsassa_verify(), 611 * update the hash as needed. 612 */ 613 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify")); 614 615 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 616 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 617 &hash_size); 618 if (res != TEE_SUCCESS) 619 goto err; 620 621 if (msg_len != hash_size) { 622 res = TEE_ERROR_BAD_PARAMETERS; 623 goto err; 624 } 625 } 626 627 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 628 if (sig_len < bigint_size) { 629 res = TEE_ERROR_SIGNATURE_INVALID; 630 goto err; 631 } 632 633 /* Get the algorithm */ 634 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 635 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 636 if (res != TEE_SUCCESS) 637 goto err; 638 } 639 640 switch (algo) { 641 case TEE_ALG_RSASSA_PKCS1_V1_5: 642 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 643 break; 644 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 645 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 647 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 648 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 649 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 650 ltc_rsa_algo = LTC_PKCS_1_V1_5; 651 break; 652 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 654 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 655 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 656 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 657 ltc_rsa_algo = LTC_PKCS_1_PSS; 658 break; 659 default: 660 res = TEE_ERROR_BAD_PARAMETERS; 661 goto err; 662 } 663 664 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex")); 665 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 666 ltc_hashindex, salt_len, &stat, <c_key); 667 res = convert_ltc_verify_status(ltc_res, stat); 668 if (res) 669 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res); 670 else 671 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0); 672 FTMN_POP_LINKED_CALL(&ftmn); 673 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res); 674 return res; 675 err: 676 FTMN_CALLEE_DONE_NOT_ZERO(res); 677 return res; 678 } 679