1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014-2019, 2022 Linaro Limited 4 */ 5 6 #include <crypto/crypto.h> 7 #include <crypto/crypto_impl.h> 8 #include <fault_mitigation.h> 9 #include <mempool.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <tee_api_defines_extensions.h> 13 #include <tee_api_types.h> 14 #include <tee/tee_cryp_utl.h> 15 #include <trace.h> 16 #include <utee_defines.h> 17 18 #include "acipher_helpers.h" 19 20 21 /* 22 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo" 23 * Return 24 * - TEE_SUCCESS in case of success, 25 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo 26 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC 27 * Return -1 in case of error 28 */ 29 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) 30 { 31 switch (algo) { 32 #if defined(_CFG_CORE_LTC_SHA1) 33 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 34 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 35 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1: 36 *ltc_hashindex = find_hash("sha1"); 37 break; 38 #endif 39 #if defined(_CFG_CORE_LTC_MD5) 40 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 41 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 42 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5: 43 *ltc_hashindex = find_hash("md5"); 44 break; 45 #endif 46 #if defined(_CFG_CORE_LTC_SHA224) 47 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 48 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 49 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224: 50 *ltc_hashindex = find_hash("sha224"); 51 break; 52 #endif 53 #if defined(_CFG_CORE_LTC_SHA256) 54 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 55 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 56 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256: 57 *ltc_hashindex = find_hash("sha256"); 58 break; 59 #endif 60 #if defined(_CFG_CORE_LTC_SHA384) 61 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 62 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 63 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384: 64 *ltc_hashindex = find_hash("sha384"); 65 break; 66 #endif 67 #if defined(_CFG_CORE_LTC_SHA512) 68 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 69 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 70 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512: 71 *ltc_hashindex = find_hash("sha512"); 72 break; 73 #endif 74 case TEE_ALG_RSASSA_PKCS1_V1_5: 75 case TEE_ALG_RSAES_PKCS1_V1_5: 76 /* invalid one. but it should not be used anyway */ 77 *ltc_hashindex = -1; 78 return TEE_SUCCESS; 79 80 default: 81 return TEE_ERROR_BAD_PARAMETERS; 82 } 83 84 if (*ltc_hashindex < 0) 85 return TEE_ERROR_NOT_SUPPORTED; 86 else 87 return TEE_SUCCESS; 88 } 89 90 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 91 size_t key_size_bits __unused) 92 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair"); 93 94 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 95 size_t key_size_bits __unused) 96 { 97 memset(s, 0, sizeof(*s)); 98 if (!bn_alloc_max(&s->e)) 99 return TEE_ERROR_OUT_OF_MEMORY; 100 if (!bn_alloc_max(&s->d)) 101 goto err; 102 if (!bn_alloc_max(&s->n)) 103 goto err; 104 if (!bn_alloc_max(&s->p)) 105 goto err; 106 if (!bn_alloc_max(&s->q)) 107 goto err; 108 if (!bn_alloc_max(&s->qp)) 109 goto err; 110 if (!bn_alloc_max(&s->dp)) 111 goto err; 112 if (!bn_alloc_max(&s->dq)) 113 goto err; 114 115 return TEE_SUCCESS; 116 err: 117 crypto_acipher_free_rsa_keypair(s); 118 return TEE_ERROR_OUT_OF_MEMORY; 119 } 120 121 122 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 123 size_t key_size_bits __unused) 124 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key"); 125 126 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 127 size_t key_size_bits __unused) 128 { 129 memset(s, 0, sizeof(*s)); 130 if (!bn_alloc_max(&s->e)) 131 return TEE_ERROR_OUT_OF_MEMORY; 132 if (!bn_alloc_max(&s->n)) 133 goto err; 134 return TEE_SUCCESS; 135 err: 136 crypto_bignum_free(s->e); 137 return TEE_ERROR_OUT_OF_MEMORY; 138 } 139 140 141 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 142 __weak __alias("sw_crypto_acipher_free_rsa_public_key"); 143 144 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s) 145 { 146 if (!s) 147 return; 148 crypto_bignum_free(s->n); 149 crypto_bignum_free(s->e); 150 } 151 152 153 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 154 __weak __alias("sw_crypto_acipher_free_rsa_keypair"); 155 156 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s) 157 { 158 if (!s) 159 return; 160 crypto_bignum_free(s->e); 161 crypto_bignum_free(s->d); 162 crypto_bignum_free(s->n); 163 crypto_bignum_free(s->p); 164 crypto_bignum_free(s->q); 165 crypto_bignum_free(s->qp); 166 crypto_bignum_free(s->dp); 167 crypto_bignum_free(s->dq); 168 } 169 170 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 171 size_t key_size) 172 __weak __alias("sw_crypto_acipher_gen_rsa_key"); 173 174 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key, 175 size_t key_size) 176 { 177 TEE_Result res; 178 rsa_key ltc_tmp_key; 179 int ltc_res; 180 181 /* Generate a temporary RSA key */ 182 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"), 183 key_size / 8, key->e, <c_tmp_key); 184 if (ltc_res != CRYPT_OK) { 185 res = TEE_ERROR_BAD_PARAMETERS; 186 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) { 187 rsa_free(<c_tmp_key); 188 res = TEE_ERROR_BAD_PARAMETERS; 189 } else { 190 /* Copy the key */ 191 ltc_mp.copy(ltc_tmp_key.d, key->d); 192 ltc_mp.copy(ltc_tmp_key.N, key->n); 193 ltc_mp.copy(ltc_tmp_key.p, key->p); 194 ltc_mp.copy(ltc_tmp_key.q, key->q); 195 ltc_mp.copy(ltc_tmp_key.qP, key->qp); 196 ltc_mp.copy(ltc_tmp_key.dP, key->dp); 197 ltc_mp.copy(ltc_tmp_key.dQ, key->dq); 198 199 /* Free the temporary key */ 200 rsa_free(<c_tmp_key); 201 res = TEE_SUCCESS; 202 } 203 204 return res; 205 } 206 207 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src, 208 size_t src_len, uint8_t *dst, size_t *dst_len) 209 { 210 TEE_Result res = TEE_SUCCESS; 211 uint8_t *buf = NULL; 212 unsigned long blen, offset; 213 int ltc_res; 214 215 /* 216 * Use a temporary buffer since we don't know exactly how large the 217 * required size of the out buffer without doing a partial decrypt. 218 * We know the upper bound though. 219 */ 220 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t); 221 buf = mempool_alloc(mempool_default, blen); 222 if (!buf) { 223 res = TEE_ERROR_OUT_OF_MEMORY; 224 goto out; 225 } 226 227 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type, 228 ltc_key); 229 switch (ltc_res) { 230 case CRYPT_PK_NOT_PRIVATE: 231 case CRYPT_PK_INVALID_TYPE: 232 case CRYPT_PK_INVALID_SIZE: 233 case CRYPT_INVALID_PACKET: 234 EMSG("rsa_exptmod() returned %d", ltc_res); 235 res = TEE_ERROR_BAD_PARAMETERS; 236 goto out; 237 case CRYPT_OK: 238 break; 239 default: 240 /* This will result in a panic */ 241 EMSG("rsa_exptmod() returned %d", ltc_res); 242 res = TEE_ERROR_GENERIC; 243 goto out; 244 } 245 246 /* Remove the zero-padding (leave one zero if buff is all zeroes) */ 247 offset = 0; 248 while ((offset < blen - 1) && (buf[offset] == 0)) 249 offset++; 250 251 if (*dst_len < blen - offset) { 252 *dst_len = blen - offset; 253 res = TEE_ERROR_SHORT_BUFFER; 254 goto out; 255 } 256 257 res = TEE_SUCCESS; 258 *dst_len = blen - offset; 259 memcpy(dst, (char *)buf + offset, *dst_len); 260 261 out: 262 mempool_free(mempool_default, buf); 263 264 return res; 265 } 266 267 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 268 const uint8_t *src, 269 size_t src_len, uint8_t *dst, 270 size_t *dst_len) 271 __weak __alias("sw_crypto_acipher_rsanopad_encrypt"); 272 273 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 274 const uint8_t *src, 275 size_t src_len, uint8_t *dst, 276 size_t *dst_len) 277 { 278 TEE_Result res; 279 rsa_key ltc_key = { 0, }; 280 281 ltc_key.type = PK_PUBLIC; 282 ltc_key.e = key->e; 283 ltc_key.N = key->n; 284 285 res = rsadorep(<c_key, src, src_len, dst, dst_len); 286 return res; 287 } 288 289 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 290 const uint8_t *src, 291 size_t src_len, uint8_t *dst, 292 size_t *dst_len) 293 __weak __alias("sw_crypto_acipher_rsanopad_decrypt"); 294 295 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 296 const uint8_t *src, 297 size_t src_len, uint8_t *dst, 298 size_t *dst_len) 299 { 300 TEE_Result res; 301 rsa_key ltc_key = { 0, }; 302 303 ltc_key.type = PK_PRIVATE; 304 ltc_key.e = key->e; 305 ltc_key.N = key->n; 306 ltc_key.d = key->d; 307 if (key->p && crypto_bignum_num_bytes(key->p)) { 308 ltc_key.p = key->p; 309 ltc_key.q = key->q; 310 ltc_key.qP = key->qp; 311 ltc_key.dP = key->dp; 312 ltc_key.dQ = key->dq; 313 } 314 315 res = rsadorep(<c_key, src, src_len, dst, dst_len); 316 return res; 317 } 318 319 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, 320 struct rsa_keypair *key, 321 const uint8_t *label, 322 size_t label_len, const uint8_t *src, 323 size_t src_len, uint8_t *dst, 324 size_t *dst_len) 325 __weak __alias("sw_crypto_acipher_rsaes_decrypt"); 326 327 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo, 328 struct rsa_keypair *key, 329 const uint8_t *label, 330 size_t label_len, const uint8_t *src, 331 size_t src_len, uint8_t *dst, 332 size_t *dst_len) 333 { 334 TEE_Result res = TEE_SUCCESS; 335 void *buf = NULL; 336 unsigned long blen; 337 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo; 338 size_t mod_size; 339 rsa_key ltc_key = { 0, }; 340 341 ltc_key.type = PK_PRIVATE; 342 ltc_key.e = key->e; 343 ltc_key.d = key->d; 344 ltc_key.N = key->n; 345 if (key->p && crypto_bignum_num_bytes(key->p)) { 346 ltc_key.p = key->p; 347 ltc_key.q = key->q; 348 ltc_key.qP = key->qp; 349 ltc_key.dP = key->dp; 350 ltc_key.dQ = key->dq; 351 } 352 353 /* Get the algorithm */ 354 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 355 if (res != TEE_SUCCESS) { 356 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res); 357 goto out; 358 } 359 360 /* 361 * Use a temporary buffer since we don't know exactly how large 362 * the required size of the out buffer without doing a partial 363 * decrypt. We know the upper bound though. 364 */ 365 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) { 366 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 367 blen = mod_size - 11; 368 ltc_rsa_algo = LTC_PKCS_1_V1_5; 369 } else { 370 /* Decoded message is always shorter than encrypted message */ 371 blen = src_len; 372 ltc_rsa_algo = LTC_PKCS_1_OAEP; 373 } 374 375 buf = mempool_alloc(mempool_default, blen); 376 if (!buf) { 377 res = TEE_ERROR_OUT_OF_MEMORY; 378 goto out; 379 } 380 381 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen, 382 ((label_len == 0) ? 0 : label), label_len, 383 ltc_hashindex, ltc_rsa_algo, <c_stat, 384 <c_key); 385 switch (ltc_res) { 386 case CRYPT_PK_INVALID_PADDING: 387 case CRYPT_INVALID_PACKET: 388 case CRYPT_PK_INVALID_SIZE: 389 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 390 res = TEE_ERROR_BAD_PARAMETERS; 391 goto out; 392 case CRYPT_OK: 393 break; 394 default: 395 /* This will result in a panic */ 396 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res); 397 res = TEE_ERROR_GENERIC; 398 goto out; 399 } 400 if (ltc_stat != 1) { 401 /* This will result in a panic */ 402 EMSG("rsa_decrypt_key_ex() returned %d and %d", 403 ltc_res, ltc_stat); 404 res = TEE_ERROR_GENERIC; 405 goto out; 406 } 407 408 if (*dst_len < blen) { 409 *dst_len = blen; 410 res = TEE_ERROR_SHORT_BUFFER; 411 goto out; 412 } 413 414 res = TEE_SUCCESS; 415 *dst_len = blen; 416 memcpy(dst, buf, blen); 417 418 out: 419 mempool_free(mempool_default, buf); 420 421 return res; 422 } 423 424 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 425 struct rsa_public_key *key, 426 const uint8_t *label, 427 size_t label_len, const uint8_t *src, 428 size_t src_len, uint8_t *dst, 429 size_t *dst_len) 430 __weak __alias("sw_crypto_acipher_rsaes_encrypt"); 431 432 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo, 433 struct rsa_public_key *key, 434 const uint8_t *label, 435 size_t label_len, const uint8_t *src, 436 size_t src_len, uint8_t *dst, 437 size_t *dst_len) 438 { 439 TEE_Result res; 440 uint32_t mod_size; 441 int ltc_hashindex, ltc_res, ltc_rsa_algo; 442 rsa_key ltc_key = { 443 .type = PK_PUBLIC, 444 .e = key->e, 445 .N = key->n 446 }; 447 448 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 449 if (*dst_len < mod_size) { 450 *dst_len = mod_size; 451 res = TEE_ERROR_SHORT_BUFFER; 452 goto out; 453 } 454 *dst_len = mod_size; 455 456 /* Get the algorithm */ 457 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 458 if (res != TEE_SUCCESS) 459 goto out; 460 461 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) 462 ltc_rsa_algo = LTC_PKCS_1_V1_5; 463 else 464 ltc_rsa_algo = LTC_PKCS_1_OAEP; 465 466 ltc_res = rsa_encrypt_key_ex(src, src_len, dst, 467 (unsigned long *)(dst_len), label, 468 label_len, NULL, find_prng("prng_crypto"), 469 ltc_hashindex, ltc_rsa_algo, <c_key); 470 switch (ltc_res) { 471 case CRYPT_PK_INVALID_PADDING: 472 case CRYPT_INVALID_PACKET: 473 case CRYPT_PK_INVALID_SIZE: 474 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res); 475 res = TEE_ERROR_BAD_PARAMETERS; 476 goto out; 477 case CRYPT_OK: 478 break; 479 default: 480 /* This will result in a panic */ 481 res = TEE_ERROR_GENERIC; 482 goto out; 483 } 484 res = TEE_SUCCESS; 485 486 out: 487 return res; 488 } 489 490 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 491 int salt_len, const uint8_t *msg, 492 size_t msg_len, uint8_t *sig, 493 size_t *sig_len) 494 __weak __alias("sw_crypto_acipher_rsassa_sign"); 495 496 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 497 int salt_len, const uint8_t *msg, 498 size_t msg_len, uint8_t *sig, 499 size_t *sig_len) 500 { 501 TEE_Result res; 502 size_t hash_size, mod_size; 503 int ltc_res, ltc_rsa_algo, ltc_hashindex; 504 unsigned long ltc_sig_len; 505 rsa_key ltc_key = { 0, }; 506 507 ltc_key.type = PK_PRIVATE; 508 ltc_key.e = key->e; 509 ltc_key.N = key->n; 510 ltc_key.d = key->d; 511 if (key->p && crypto_bignum_num_bytes(key->p)) { 512 ltc_key.p = key->p; 513 ltc_key.q = key->q; 514 ltc_key.qP = key->qp; 515 ltc_key.dP = key->dp; 516 ltc_key.dQ = key->dq; 517 } 518 519 switch (algo) { 520 case TEE_ALG_RSASSA_PKCS1_V1_5: 521 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 522 break; 523 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 524 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 525 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 526 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 527 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 528 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 529 ltc_rsa_algo = LTC_PKCS_1_V1_5; 530 break; 531 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 532 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 533 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 534 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 535 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 536 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 537 ltc_rsa_algo = LTC_PKCS_1_PSS; 538 break; 539 default: 540 res = TEE_ERROR_BAD_PARAMETERS; 541 goto err; 542 } 543 544 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) { 545 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 546 if (ltc_res != CRYPT_OK) { 547 res = TEE_ERROR_BAD_PARAMETERS; 548 goto err; 549 } 550 551 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 552 &hash_size); 553 if (res != TEE_SUCCESS) 554 goto err; 555 556 if (msg_len != hash_size) { 557 res = TEE_ERROR_BAD_PARAMETERS; 558 goto err; 559 } 560 } 561 562 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N)); 563 564 if (*sig_len < mod_size) { 565 *sig_len = mod_size; 566 res = TEE_ERROR_SHORT_BUFFER; 567 goto err; 568 } 569 570 ltc_sig_len = mod_size; 571 572 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len, 573 ltc_rsa_algo, NULL, find_prng("prng_crypto"), 574 ltc_hashindex, salt_len, <c_key); 575 576 *sig_len = ltc_sig_len; 577 578 if (ltc_res != CRYPT_OK) { 579 res = TEE_ERROR_BAD_PARAMETERS; 580 goto err; 581 } 582 res = TEE_SUCCESS; 583 584 err: 585 return res; 586 } 587 588 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 589 struct rsa_public_key *key, 590 int salt_len, const uint8_t *msg, 591 size_t msg_len, const uint8_t *sig, 592 size_t sig_len) 593 __weak __alias("sw_crypto_acipher_rsassa_verify"); 594 595 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo, 596 struct rsa_public_key *key, 597 int salt_len, const uint8_t *msg, 598 size_t msg_len, const uint8_t *sig, 599 size_t sig_len) 600 { 601 TEE_Result res; 602 uint32_t bigint_size; 603 size_t hash_size; 604 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo; 605 rsa_key ltc_key = { 606 .type = PK_PUBLIC, 607 .e = key->e, 608 .N = key->n 609 }; 610 struct ftmn ftmn = { }; 611 612 /* 613 * The caller expects to call crypto_acipher_rsassa_verify(), 614 * update the hash as needed. 615 */ 616 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify")); 617 618 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 619 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo), 620 &hash_size); 621 if (res != TEE_SUCCESS) 622 goto err; 623 624 if (msg_len != hash_size) { 625 res = TEE_ERROR_BAD_PARAMETERS; 626 goto err; 627 } 628 } 629 630 bigint_size = ltc_mp.unsigned_size(ltc_key.N); 631 if (sig_len < bigint_size) { 632 res = TEE_ERROR_SIGNATURE_INVALID; 633 goto err; 634 } 635 636 /* Get the algorithm */ 637 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) { 638 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex); 639 if (res != TEE_SUCCESS) 640 goto err; 641 } 642 643 switch (algo) { 644 case TEE_ALG_RSASSA_PKCS1_V1_5: 645 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1; 646 break; 647 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 648 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 649 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 650 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 651 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 652 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 653 ltc_rsa_algo = LTC_PKCS_1_V1_5; 654 break; 655 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5: 656 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 657 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 658 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 659 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 660 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 661 ltc_rsa_algo = LTC_PKCS_1_PSS; 662 break; 663 default: 664 res = TEE_ERROR_BAD_PARAMETERS; 665 goto err; 666 } 667 668 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex")); 669 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo, 670 ltc_hashindex, salt_len, &stat, <c_key); 671 res = convert_ltc_verify_status(ltc_res, stat); 672 if (res) 673 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res); 674 else 675 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0); 676 FTMN_POP_LINKED_CALL(&ftmn); 677 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res); 678 return res; 679 err: 680 FTMN_CALLEE_DONE_NOT_ZERO(res); 681 return res; 682 } 683