1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, 2022 Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <crypto/crypto_impl.h> 8 #include <fault_mitigation.h> 9 #include <mempool.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <tee_api_defines_extensions.h> 13 #include <tee_api_types.h> 14 #include <tee/tee_cryp_utl.h> 15 #include <trace.h> 16 #include <utee_defines.h> 17 18 #include "acipher_helpers.h" 19 20 21 /* 22 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 23 * Return 24 * - TEE_SUCCESS in case of success, 25 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 26 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 27 * Return -1 in case of error 28 */ 29 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 30 { 31 switch (algo) { 32 #if defined(_CFG_CORE_LTC_SHA1_DESC) 33 case TEE_ALG_SHA1: 34 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 35 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 36 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 37 *ltc_hashindex = find_hash("sha1"); 38 break; 39 #endif 40 #if defined(_CFG_CORE_LTC_MD5_DESC) 41 case TEE_ALG_MD5: 42 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5: 45 *ltc_hashindex = find_hash("md5"); 46 break; 47 #endif 48 #if defined(_CFG_CORE_LTC_SHA224_DESC) 49 case TEE_ALG_SHA224: 50 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 51 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 52 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 53 *ltc_hashindex = find_hash("sha224"); 54 break; 55 #endif 56 #if defined(_CFG_CORE_LTC_SHA256_DESC) 57 case TEE_ALG_SHA256: 58 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 59 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 60 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 61 *ltc_hashindex = find_hash("sha256"); 62 break; 63 #endif 64 #if defined(_CFG_CORE_LTC_SHA384_DESC) 65 case TEE_ALG_SHA384: 66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 69 *ltc_hashindex = find_hash("sha384"); 70 break; 71 #endif 72 #if defined(_CFG_CORE_LTC_SHA512_DESC) 73 case TEE_ALG_SHA512: 74 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 75 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 76 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 77 *ltc_hashindex = find_hash("sha512"); 78 break; 79 #endif 80 case TEE_ALG_RSASSA_PKCS1_V1_5: 81 case TEE_ALG_RSAES_PKCS1_V1_5: 82 /* invalid one. but it should not be used anyway */ 83 *ltc_hashindex = -1; 84 return TEE_SUCCESS; 85 86 default: 87 return TEE_ERROR_BAD_PARAMETERS; 88 } 89 90 if (*ltc_hashindex < 0) 91 return TEE_ERROR_NOT_SUPPORTED; 92 else 93 return TEE_SUCCESS; 94 } 95 96 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 97 size_t key_size_bits __unused) 98 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair"); 99 100 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 101 size_t key_size_bits __unused) 102 { 103 memset(s, 0, sizeof(*s)); 104 if (!bn_alloc_max(&s->e)) 105 return TEE_ERROR_OUT_OF_MEMORY; 106 if (!bn_alloc_max(&s->d)) 107 goto err; 108 if (!bn_alloc_max(&s->n)) 109 goto err; 110 if (!bn_alloc_max(&s->p)) 111 goto err; 112 if (!bn_alloc_max(&s->q)) 113 goto err; 114 if (!bn_alloc_max(&s->qp)) 115 goto err; 116 if (!bn_alloc_max(&s->dp)) 117 goto err; 118 if (!bn_alloc_max(&s->dq)) 119 goto err; 120 121 return TEE_SUCCESS; 122 err: 123 crypto_acipher_free_rsa_keypair(s); 124 return TEE_ERROR_OUT_OF_MEMORY; 125 } 126 127 128 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 129 size_t key_size_bits __unused) 130 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key"); 131 132 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 133 size_t key_size_bits __unused) 134 { 135 memset(s, 0, sizeof(*s)); 136 if (!bn_alloc_max(&s->e)) 137 return TEE_ERROR_OUT_OF_MEMORY; 138 if (!bn_alloc_max(&s->n)) 139 goto err; 140 return TEE_SUCCESS; 141 err: 142 crypto_bignum_free(&s->e); 143 return TEE_ERROR_OUT_OF_MEMORY; 144 } 145 146 147 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 148 __weak __alias("sw_crypto_acipher_free_rsa_public_key"); 149 150 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 151 { 152 if (!s) 153 return; 154 crypto_bignum_free(&s->n); 155 crypto_bignum_free(&s->e); 156 } 157 158 159 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 160 __weak __alias("sw_crypto_acipher_free_rsa_keypair"); 161 162 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 163 { 164 if (!s) 165 return; 166 crypto_bignum_free(&s->e); 167 crypto_bignum_free(&s->d); 168 crypto_bignum_free(&s->n); 169 crypto_bignum_free(&s->p); 170 crypto_bignum_free(&s->q); 171 crypto_bignum_free(&s->qp); 172 crypto_bignum_free(&s->dp); 173 crypto_bignum_free(&s->dq); 174 } 175 176 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 177 size_t key_size) 178 __weak __alias("sw_crypto_acipher_gen_rsa_key"); 179 180 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 181 size_t key_size) 182 { 183 TEE_Result res; 184 rsa_key ltc_tmp_key; 185 int ltc_res; 186 187 /* Generate a temporary RSA key */ 188 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"), 189 key_size / 8, key->e, <c_tmp_key); 190 if (ltc_res != CRYPT_OK) { 191 res = TEE_ERROR_BAD_PARAMETERS; 192 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 193 rsa_free(<c_tmp_key); 194 res = TEE_ERROR_BAD_PARAMETERS; 195 } else { 196 /* Copy the key */ 197 ltc_mp.copy(ltc_tmp_key.d, key->d); 198 ltc_mp.copy(ltc_tmp_key.N, key->n); 199 ltc_mp.copy(ltc_tmp_key.p, key->p); 200 ltc_mp.copy(ltc_tmp_key.q, key->q); 201 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 202 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 203 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 204 205 /* Free the temporary key */ 206 rsa_free(<c_tmp_key); 207 res = TEE_SUCCESS; 208 } 209 210 return res; 211 } 212 213 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 214 size_t src_len, uint8_t *dst, size_t *dst_len) 215 { 216 TEE_Result res = TEE_SUCCESS; 217 uint8_t *buf = NULL; 218 unsigned long blen, offset; 219 int ltc_res; 220 221 /* 222 * Use a temporary buffer since we don't know exactly how large the 223 * required size of the out buffer without doing a partial decrypt. 224 * We know the upper bound though. 225 */ 226 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 227 buf = mempool_alloc(mempool_default, blen); 228 if (!buf) { 229 res = TEE_ERROR_OUT_OF_MEMORY; 230 goto out; 231 } 232 233 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 234 ltc_key); 235 switch (ltc_res) { 236 case CRYPT_PK_NOT_PRIVATE: 237 case CRYPT_PK_INVALID_TYPE: 238 case CRYPT_PK_INVALID_SIZE: 239 case CRYPT_INVALID_PACKET: 240 EMSG("rsa_exptmod() returned %d", ltc_res); 241 res = TEE_ERROR_BAD_PARAMETERS; 242 goto out; 243 case CRYPT_OK: 244 break; 245 default: 246 /* This will result in a panic */ 247 EMSG("rsa_exptmod() returned %d", ltc_res); 248 res = TEE_ERROR_GENERIC; 249 goto out; 250 } 251 252 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 253 offset = 0; 254 while ((offset < blen - 1) && (buf[offset] == 0)) 255 offset++; 256 257 if (*dst_len < blen - offset) { 258 *dst_len = blen - offset; 259 res = TEE_ERROR_SHORT_BUFFER; 260 goto out; 261 } 262 263 res = TEE_SUCCESS; 264 *dst_len = blen - offset; 265 memcpy(dst, (char *)buf + offset, *dst_len); 266 267 out: 268 mempool_free(mempool_default, buf); 269 270 return res; 271 } 272 273 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 274 const uint8_t *src, 275 size_t src_len, uint8_t *dst, 276 size_t *dst_len) 277 __weak __alias("sw_crypto_acipher_rsanopad_encrypt"); 278 279 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 280 const uint8_t *src, 281 size_t src_len, uint8_t *dst, 282 size_t *dst_len) 283 { 284 TEE_Result res; 285 rsa_key ltc_key = { 0, }; 286 287 ltc_key.type = PK_PUBLIC; 288 ltc_key.e = key->e; 289 ltc_key.N = key->n; 290 291 res = rsadorep(<c_key, src, src_len, dst, dst_len); 292 return res; 293 } 294 295 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 296 const uint8_t *src, 297 size_t src_len, uint8_t *dst, 298 size_t *dst_len) 299 __weak __alias("sw_crypto_acipher_rsanopad_decrypt"); 300 301 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 302 const uint8_t *src, 303 size_t src_len, uint8_t *dst, 304 size_t *dst_len) 305 { 306 TEE_Result res; 307 rsa_key ltc_key = { 0, }; 308 309 ltc_key.type = PK_PRIVATE; 310 ltc_key.e = key->e; 311 ltc_key.N = key->n; 312 ltc_key.d = key->d; 313 if (key->p && crypto_bignum_num_bytes(key->p)) { 314 ltc_key.p = key->p; 315 ltc_key.q = key->q; 316 ltc_key.qP = key->qp; 317 ltc_key.dP = key->dp; 318 ltc_key.dQ = key->dq; 319 } 320 321 res = rsadorep(<c_key, src, src_len, dst, dst_len); 322 return res; 323 } 324 325 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, 326 struct rsa_keypair *key, 327 const uint8_t *label, 328 size_t label_len, 329 uint32_t mgf_algo, 330 const uint8_t *src, 331 size_t src_len, uint8_t *dst, 332 size_t *dst_len) 333 __weak __alias("sw_crypto_acipher_rsaes_decrypt"); 334 335 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo, 336 struct rsa_keypair *key, 337 const uint8_t *label, 338 size_t label_len, 339 uint32_t mgf_algo, 340 const uint8_t *src, 341 size_t src_len, uint8_t *dst, 342 size_t *dst_len) 343 { 344 TEE_Result res = TEE_SUCCESS; 345 void *buf = NULL; 346 unsigned long blen; 347 int ltc_hashindex, ltc_mgfindex, ltc_res, ltc_stat, ltc_rsa_algo; 348 size_t mod_size; 349 rsa_key ltc_key = { 0, }; 350 351 ltc_key.type = PK_PRIVATE; 352 ltc_key.e = key->e; 353 ltc_key.d = key->d; 354 ltc_key.N = key->n; 355 if (key->p && crypto_bignum_num_bytes(key->p)) { 356 ltc_key.p = key->p; 357 ltc_key.q = key->q; 358 ltc_key.qP = key->qp; 359 ltc_key.dP = key->dp; 360 ltc_key.dQ = key->dq; 361 } 362 363 /* Get the algorithm */ 364 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 365 if (res != TEE_SUCCESS) { 366 EMSG("tee_algo_to_ltc_hashindex() returned %#"PRIx32, res); 367 goto out; 368 } 369 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 370 res = tee_algo_to_ltc_hashindex(mgf_algo, <c_mgfindex); 371 if (res != TEE_SUCCESS) { 372 EMSG("tee_algo_to_ltc_hashindex() returned %#"PRIx32"for mgf algo %#"PRIx32, 373 res, mgf_algo); 374 goto out; 375 } 376 } else { 377 ltc_mgfindex = -1; 378 } 379 380 /* 381 * Use a temporary buffer since we don't know exactly how large 382 * the required size of the out buffer without doing a partial 383 * decrypt. We know the upper bound though. 384 */ 385 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 386 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 387 blen = mod_size - 11; 388 ltc_rsa_algo = LTC_PKCS_1_V1_5; 389 } else { 390 /* Decoded message is always shorter than encrypted message */ 391 blen = src_len; 392 ltc_rsa_algo = LTC_PKCS_1_OAEP; 393 } 394 395 buf = mempool_alloc(mempool_default, blen); 396 if (!buf) { 397 res = TEE_ERROR_OUT_OF_MEMORY; 398 goto out; 399 } 400 401 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 402 ((label_len == 0) ? 0 : label), label_len, 403 ltc_mgfindex, ltc_hashindex, ltc_rsa_algo, 404 <c_stat, <c_key); 405 switch (ltc_res) { 406 case CRYPT_PK_INVALID_PADDING: 407 case CRYPT_INVALID_PACKET: 408 case CRYPT_PK_INVALID_SIZE: 409 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 410 res = TEE_ERROR_BAD_PARAMETERS; 411 goto out; 412 case CRYPT_OK: 413 break; 414 default: 415 /* This will result in a panic */ 416 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 417 res = TEE_ERROR_GENERIC; 418 goto out; 419 } 420 if (ltc_stat != 1) { 421 /* This will result in a panic */ 422 EMSG("rsa_decrypt_key_ex() returned %d and %d", 423 ltc_res, ltc_stat); 424 res = TEE_ERROR_GENERIC; 425 goto out; 426 } 427 428 if (*dst_len < blen) { 429 *dst_len = blen; 430 res = TEE_ERROR_SHORT_BUFFER; 431 goto out; 432 } 433 434 res = TEE_SUCCESS; 435 *dst_len = blen; 436 memcpy(dst, buf, blen); 437 438 out: 439 mempool_free(mempool_default, buf); 440 441 return res; 442 } 443 444 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 445 struct rsa_public_key *key, 446 const uint8_t *label, 447 size_t label_len, 448 uint32_t mgf_algo, 449 const uint8_t *src, 450 size_t src_len, uint8_t *dst, 451 size_t *dst_len) 452 __weak __alias("sw_crypto_acipher_rsaes_encrypt"); 453 454 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo, 455 struct rsa_public_key *key, 456 const uint8_t *label, 457 size_t label_len, 458 uint32_t mgf_algo, 459 const uint8_t *src, 460 size_t src_len, uint8_t *dst, 461 size_t *dst_len) 462 { 463 TEE_Result res; 464 uint32_t mod_size; 465 int ltc_hashindex, ltc_mgfindex, ltc_res, ltc_rsa_algo; 466 rsa_key ltc_key = { 467 .type = PK_PUBLIC, 468 .e = key->e, 469 .N = key->n 470 }; 471 472 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 473 if (*dst_len < mod_size) { 474 *dst_len = mod_size; 475 res = TEE_ERROR_SHORT_BUFFER; 476 goto out; 477 } 478 *dst_len = mod_size; 479 480 /* Get the algorithm */ 481 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 482 if (res != TEE_SUCCESS) 483 goto out; 484 485 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { 486 res = tee_algo_to_ltc_hashindex(mgf_algo, <c_mgfindex); 487 if (res != TEE_SUCCESS) 488 goto out; 489 } else { 490 ltc_mgfindex = -1; 491 } 492 493 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 494 ltc_rsa_algo = LTC_PKCS_1_V1_5; 495 else 496 ltc_rsa_algo = LTC_PKCS_1_OAEP; 497 498 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 499 (unsigned long *)(dst_len), label, 500 label_len, NULL, find_prng("prng_crypto"), 501 ltc_mgfindex, ltc_hashindex, ltc_rsa_algo, 502 <c_key); 503 switch (ltc_res) { 504 case CRYPT_PK_INVALID_PADDING: 505 case CRYPT_INVALID_PACKET: 506 case CRYPT_PK_INVALID_SIZE: 507 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 508 res = TEE_ERROR_BAD_PARAMETERS; 509 goto out; 510 case CRYPT_OK: 511 break; 512 default: 513 /* This will result in a panic */ 514 res = TEE_ERROR_GENERIC; 515 goto out; 516 } 517 res = TEE_SUCCESS; 518 519 out: 520 return res; 521 } 522 523 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 524 int salt_len, const uint8_t *msg, 525 size_t msg_len, uint8_t *sig, 526 size_t *sig_len) 527 __weak __alias("sw_crypto_acipher_rsassa_sign"); 528 529 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 530 int salt_len, const uint8_t *msg, 531 size_t msg_len, uint8_t *sig, 532 size_t *sig_len) 533 { 534 TEE_Result res; 535 size_t hash_size, mod_size; 536 int ltc_res, ltc_rsa_algo, ltc_hashindex; 537 unsigned long ltc_sig_len; 538 rsa_key ltc_key = { 0, }; 539 540 ltc_key.type = PK_PRIVATE; 541 ltc_key.e = key->e; 542 ltc_key.N = key->n; 543 ltc_key.d = key->d; 544 if (key->p && crypto_bignum_num_bytes(key->p)) { 545 ltc_key.p = key->p; 546 ltc_key.q = key->q; 547 ltc_key.qP = key->qp; 548 ltc_key.dP = key->dp; 549 ltc_key.dQ = key->dq; 550 } 551 552 switch (algo) { 553 case TEE_ALG_RSASSA_PKCS1_V1_5: 554 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 555 break; 556 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 557 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 558 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 559 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 560 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 561 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 562 ltc_rsa_algo = LTC_PKCS_1_V1_5; 563 break; 564 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 565 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 566 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 567 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 568 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 569 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 570 ltc_rsa_algo = LTC_PKCS_1_PSS; 571 break; 572 default: 573 res = TEE_ERROR_BAD_PARAMETERS; 574 goto err; 575 } 576 577 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 578 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 579 if (ltc_res != CRYPT_OK) { 580 res = TEE_ERROR_BAD_PARAMETERS; 581 goto err; 582 } 583 584 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 585 &hash_size); 586 if (res != TEE_SUCCESS) 587 goto err; 588 589 if (msg_len != hash_size) { 590 res = TEE_ERROR_BAD_PARAMETERS; 591 goto err; 592 } 593 } 594 595 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 596 597 if (*sig_len < mod_size) { 598 *sig_len = mod_size; 599 res = TEE_ERROR_SHORT_BUFFER; 600 goto err; 601 } 602 603 ltc_sig_len = mod_size; 604 605 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 606 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 607 ltc_hashindex, salt_len, <c_key); 608 609 *sig_len = ltc_sig_len; 610 611 if (ltc_res != CRYPT_OK) { 612 res = TEE_ERROR_BAD_PARAMETERS; 613 goto err; 614 } 615 res = TEE_SUCCESS; 616 617 err: 618 return res; 619 } 620 621 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 622 struct rsa_public_key *key, 623 int salt_len, const uint8_t *msg, 624 size_t msg_len, const uint8_t *sig, 625 size_t sig_len) 626 __weak __alias("sw_crypto_acipher_rsassa_verify"); 627 628 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo, 629 struct rsa_public_key *key, 630 int salt_len, const uint8_t *msg, 631 size_t msg_len, const uint8_t *sig, 632 size_t sig_len) 633 { 634 TEE_Result res; 635 uint32_t bigint_size; 636 size_t hash_size; 637 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 638 rsa_key ltc_key = { 639 .type = PK_PUBLIC, 640 .e = key->e, 641 .N = key->n 642 }; 643 struct ftmn ftmn = { }; 644 645 /* 646 * The caller expects to call crypto_acipher_rsassa_verify(), 647 * update the hash as needed. 648 */ 649 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify")); 650 651 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 652 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 653 &hash_size); 654 if (res != TEE_SUCCESS) 655 goto err; 656 657 if (msg_len != hash_size) { 658 res = TEE_ERROR_BAD_PARAMETERS; 659 goto err; 660 } 661 } 662 663 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 664 if (sig_len < bigint_size) { 665 res = TEE_ERROR_SIGNATURE_INVALID; 666 goto err; 667 } 668 669 /* Get the algorithm */ 670 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 671 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 672 if (res != TEE_SUCCESS) 673 goto err; 674 } 675 676 switch (algo) { 677 case TEE_ALG_RSASSA_PKCS1_V1_5: 678 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 679 break; 680 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 681 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 682 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 683 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 684 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 685 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 686 ltc_rsa_algo = LTC_PKCS_1_V1_5; 687 break; 688 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 689 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 690 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 691 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 692 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 693 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 694 ltc_rsa_algo = LTC_PKCS_1_PSS; 695 break; 696 default: 697 res = TEE_ERROR_BAD_PARAMETERS; 698 goto err; 699 } 700 701 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex")); 702 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 703 ltc_hashindex, salt_len, &stat, <c_key); 704 res = convert_ltc_verify_status(ltc_res, stat); 705 if (res) 706 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res); 707 else 708 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0); 709 FTMN_POP_LINKED_CALL(&ftmn); 710 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res); 711 return res; 712 err: 713 FTMN_CALLEE_DONE_NOT_ZERO(res); 714 return res; 715 } 716