1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2014-2019, 2022 Linaro Limited
4 */
5
6 #include <crypto/crypto.h>
7 #include <crypto/crypto_impl.h>
8 #include <fault_mitigation.h>
9 #include <mempool.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <tee_api_defines_extensions.h>
13 #include <tee_api_types.h>
14 #include <tee/tee_cryp_utl.h>
15 #include <trace.h>
16 #include <utee_defines.h>
17
18 #include "acipher_helpers.h"
19
20
21 /*
22 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo"
23 * Return
24 * - TEE_SUCCESS in case of success,
25 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo
26 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC
27 * Return -1 in case of error
28 */
tee_algo_to_ltc_hashindex(uint32_t algo,int * ltc_hashindex)29 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex)
30 {
31 switch (algo) {
32 #if defined(_CFG_CORE_LTC_SHA1)
33 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
34 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
35 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1:
36 *ltc_hashindex = find_hash("sha1");
37 break;
38 #endif
39 #if defined(_CFG_CORE_LTC_MD5)
40 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
41 *ltc_hashindex = find_hash("md5");
42 break;
43 #endif
44 #if defined(_CFG_CORE_LTC_SHA224)
45 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
46 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
47 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224:
48 *ltc_hashindex = find_hash("sha224");
49 break;
50 #endif
51 #if defined(_CFG_CORE_LTC_SHA256)
52 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
53 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
54 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256:
55 *ltc_hashindex = find_hash("sha256");
56 break;
57 #endif
58 #if defined(_CFG_CORE_LTC_SHA384)
59 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
60 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
61 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384:
62 *ltc_hashindex = find_hash("sha384");
63 break;
64 #endif
65 #if defined(_CFG_CORE_LTC_SHA512)
66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512:
69 *ltc_hashindex = find_hash("sha512");
70 break;
71 #endif
72 case TEE_ALG_RSASSA_PKCS1_V1_5:
73 case TEE_ALG_RSAES_PKCS1_V1_5:
74 /* invalid one. but it should not be used anyway */
75 *ltc_hashindex = -1;
76 return TEE_SUCCESS;
77
78 default:
79 return TEE_ERROR_BAD_PARAMETERS;
80 }
81
82 if (*ltc_hashindex < 0)
83 return TEE_ERROR_NOT_SUPPORTED;
84 else
85 return TEE_SUCCESS;
86 }
87
88 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
89 size_t key_size_bits __unused)
90 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair");
91
sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair * s,size_t key_size_bits __unused)92 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
93 size_t key_size_bits __unused)
94 {
95 memset(s, 0, sizeof(*s));
96 if (!bn_alloc_max(&s->e))
97 return TEE_ERROR_OUT_OF_MEMORY;
98 if (!bn_alloc_max(&s->d))
99 goto err;
100 if (!bn_alloc_max(&s->n))
101 goto err;
102 if (!bn_alloc_max(&s->p))
103 goto err;
104 if (!bn_alloc_max(&s->q))
105 goto err;
106 if (!bn_alloc_max(&s->qp))
107 goto err;
108 if (!bn_alloc_max(&s->dp))
109 goto err;
110 if (!bn_alloc_max(&s->dq))
111 goto err;
112
113 return TEE_SUCCESS;
114 err:
115 crypto_acipher_free_rsa_keypair(s);
116 return TEE_ERROR_OUT_OF_MEMORY;
117 }
118
119
120 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
121 size_t key_size_bits __unused)
122 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key");
123
sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key * s,size_t key_size_bits __unused)124 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
125 size_t key_size_bits __unused)
126 {
127 memset(s, 0, sizeof(*s));
128 if (!bn_alloc_max(&s->e))
129 return TEE_ERROR_OUT_OF_MEMORY;
130 if (!bn_alloc_max(&s->n))
131 goto err;
132 return TEE_SUCCESS;
133 err:
134 crypto_bignum_free(s->e);
135 return TEE_ERROR_OUT_OF_MEMORY;
136 }
137
138
139 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
140 __weak __alias("sw_crypto_acipher_free_rsa_public_key");
141
sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key * s)142 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
143 {
144 if (!s)
145 return;
146 crypto_bignum_free(s->n);
147 crypto_bignum_free(s->e);
148 }
149
150
151 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
152 __weak __alias("sw_crypto_acipher_free_rsa_keypair");
153
sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair * s)154 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
155 {
156 if (!s)
157 return;
158 crypto_bignum_free(s->e);
159 crypto_bignum_free(s->d);
160 crypto_bignum_free(s->n);
161 crypto_bignum_free(s->p);
162 crypto_bignum_free(s->q);
163 crypto_bignum_free(s->qp);
164 crypto_bignum_free(s->dp);
165 crypto_bignum_free(s->dq);
166 }
167
168 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
169 size_t key_size)
170 __weak __alias("sw_crypto_acipher_gen_rsa_key");
171
sw_crypto_acipher_gen_rsa_key(struct rsa_keypair * key,size_t key_size)172 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
173 size_t key_size)
174 {
175 TEE_Result res;
176 rsa_key ltc_tmp_key;
177 int ltc_res;
178
179 /* Generate a temporary RSA key */
180 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"),
181 key_size / 8, key->e, <c_tmp_key);
182 if (ltc_res != CRYPT_OK) {
183 res = TEE_ERROR_BAD_PARAMETERS;
184 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) {
185 rsa_free(<c_tmp_key);
186 res = TEE_ERROR_BAD_PARAMETERS;
187 } else {
188 /* Copy the key */
189 ltc_mp.copy(ltc_tmp_key.d, key->d);
190 ltc_mp.copy(ltc_tmp_key.N, key->n);
191 ltc_mp.copy(ltc_tmp_key.p, key->p);
192 ltc_mp.copy(ltc_tmp_key.q, key->q);
193 ltc_mp.copy(ltc_tmp_key.qP, key->qp);
194 ltc_mp.copy(ltc_tmp_key.dP, key->dp);
195 ltc_mp.copy(ltc_tmp_key.dQ, key->dq);
196
197 /* Free the temporary key */
198 rsa_free(<c_tmp_key);
199 res = TEE_SUCCESS;
200 }
201
202 return res;
203 }
204
rsadorep(rsa_key * ltc_key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)205 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src,
206 size_t src_len, uint8_t *dst, size_t *dst_len)
207 {
208 TEE_Result res = TEE_SUCCESS;
209 uint8_t *buf = NULL;
210 unsigned long blen, offset;
211 int ltc_res;
212
213 /*
214 * Use a temporary buffer since we don't know exactly how large the
215 * required size of the out buffer without doing a partial decrypt.
216 * We know the upper bound though.
217 */
218 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t);
219 buf = mempool_alloc(mempool_default, blen);
220 if (!buf) {
221 res = TEE_ERROR_OUT_OF_MEMORY;
222 goto out;
223 }
224
225 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type,
226 ltc_key);
227 switch (ltc_res) {
228 case CRYPT_PK_NOT_PRIVATE:
229 case CRYPT_PK_INVALID_TYPE:
230 case CRYPT_PK_INVALID_SIZE:
231 case CRYPT_INVALID_PACKET:
232 EMSG("rsa_exptmod() returned %d", ltc_res);
233 res = TEE_ERROR_BAD_PARAMETERS;
234 goto out;
235 case CRYPT_OK:
236 break;
237 default:
238 /* This will result in a panic */
239 EMSG("rsa_exptmod() returned %d", ltc_res);
240 res = TEE_ERROR_GENERIC;
241 goto out;
242 }
243
244 /* Remove the zero-padding (leave one zero if buff is all zeroes) */
245 offset = 0;
246 while ((offset < blen - 1) && (buf[offset] == 0))
247 offset++;
248
249 if (*dst_len < blen - offset) {
250 *dst_len = blen - offset;
251 res = TEE_ERROR_SHORT_BUFFER;
252 goto out;
253 }
254
255 res = TEE_SUCCESS;
256 *dst_len = blen - offset;
257 memcpy(dst, (char *)buf + offset, *dst_len);
258
259 out:
260 mempool_free(mempool_default, buf);
261
262 return res;
263 }
264
265 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
266 const uint8_t *src,
267 size_t src_len, uint8_t *dst,
268 size_t *dst_len)
269 __weak __alias("sw_crypto_acipher_rsanopad_encrypt");
270
sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key * key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)271 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
272 const uint8_t *src,
273 size_t src_len, uint8_t *dst,
274 size_t *dst_len)
275 {
276 TEE_Result res;
277 rsa_key ltc_key = { 0, };
278
279 ltc_key.type = PK_PUBLIC;
280 ltc_key.e = key->e;
281 ltc_key.N = key->n;
282
283 res = rsadorep(<c_key, src, src_len, dst, dst_len);
284 return res;
285 }
286
287 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
288 const uint8_t *src,
289 size_t src_len, uint8_t *dst,
290 size_t *dst_len)
291 __weak __alias("sw_crypto_acipher_rsanopad_decrypt");
292
sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair * key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)293 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
294 const uint8_t *src,
295 size_t src_len, uint8_t *dst,
296 size_t *dst_len)
297 {
298 TEE_Result res;
299 rsa_key ltc_key = { 0, };
300
301 ltc_key.type = PK_PRIVATE;
302 ltc_key.e = key->e;
303 ltc_key.N = key->n;
304 ltc_key.d = key->d;
305 if (key->p && crypto_bignum_num_bytes(key->p)) {
306 ltc_key.p = key->p;
307 ltc_key.q = key->q;
308 ltc_key.qP = key->qp;
309 ltc_key.dP = key->dp;
310 ltc_key.dQ = key->dq;
311 }
312
313 res = rsadorep(<c_key, src, src_len, dst, dst_len);
314 return res;
315 }
316
317 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo,
318 struct rsa_keypair *key,
319 const uint8_t *label,
320 size_t label_len, const uint8_t *src,
321 size_t src_len, uint8_t *dst,
322 size_t *dst_len)
323 __weak __alias("sw_crypto_acipher_rsaes_decrypt");
324
sw_crypto_acipher_rsaes_decrypt(uint32_t algo,struct rsa_keypair * key,const uint8_t * label,size_t label_len,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)325 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo,
326 struct rsa_keypair *key,
327 const uint8_t *label,
328 size_t label_len, const uint8_t *src,
329 size_t src_len, uint8_t *dst,
330 size_t *dst_len)
331 {
332 TEE_Result res = TEE_SUCCESS;
333 void *buf = NULL;
334 unsigned long blen;
335 int ltc_hashindex, ltc_res, ltc_stat, ltc_rsa_algo;
336 size_t mod_size;
337 rsa_key ltc_key = { 0, };
338
339 ltc_key.type = PK_PRIVATE;
340 ltc_key.e = key->e;
341 ltc_key.d = key->d;
342 ltc_key.N = key->n;
343 if (key->p && crypto_bignum_num_bytes(key->p)) {
344 ltc_key.p = key->p;
345 ltc_key.q = key->q;
346 ltc_key.qP = key->qp;
347 ltc_key.dP = key->dp;
348 ltc_key.dQ = key->dq;
349 }
350
351 /* Get the algorithm */
352 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
353 if (res != TEE_SUCCESS) {
354 EMSG("tee_algo_to_ltc_hashindex() returned %d", (int)res);
355 goto out;
356 }
357
358 /*
359 * Use a temporary buffer since we don't know exactly how large
360 * the required size of the out buffer without doing a partial
361 * decrypt. We know the upper bound though.
362 */
363 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) {
364 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
365 blen = mod_size - 11;
366 ltc_rsa_algo = LTC_PKCS_1_V1_5;
367 } else {
368 /* Decoded message is always shorter than encrypted message */
369 blen = src_len;
370 ltc_rsa_algo = LTC_PKCS_1_OAEP;
371 }
372
373 buf = mempool_alloc(mempool_default, blen);
374 if (!buf) {
375 res = TEE_ERROR_OUT_OF_MEMORY;
376 goto out;
377 }
378
379 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen,
380 ((label_len == 0) ? 0 : label), label_len,
381 ltc_hashindex, ltc_rsa_algo, <c_stat,
382 <c_key);
383 switch (ltc_res) {
384 case CRYPT_PK_INVALID_PADDING:
385 case CRYPT_INVALID_PACKET:
386 case CRYPT_PK_INVALID_SIZE:
387 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
388 res = TEE_ERROR_BAD_PARAMETERS;
389 goto out;
390 case CRYPT_OK:
391 break;
392 default:
393 /* This will result in a panic */
394 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
395 res = TEE_ERROR_GENERIC;
396 goto out;
397 }
398 if (ltc_stat != 1) {
399 /* This will result in a panic */
400 EMSG("rsa_decrypt_key_ex() returned %d and %d",
401 ltc_res, ltc_stat);
402 res = TEE_ERROR_GENERIC;
403 goto out;
404 }
405
406 if (*dst_len < blen) {
407 *dst_len = blen;
408 res = TEE_ERROR_SHORT_BUFFER;
409 goto out;
410 }
411
412 res = TEE_SUCCESS;
413 *dst_len = blen;
414 memcpy(dst, buf, blen);
415
416 out:
417 mempool_free(mempool_default, buf);
418
419 return res;
420 }
421
422 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo,
423 struct rsa_public_key *key,
424 const uint8_t *label,
425 size_t label_len, const uint8_t *src,
426 size_t src_len, uint8_t *dst,
427 size_t *dst_len)
428 __weak __alias("sw_crypto_acipher_rsaes_encrypt");
429
sw_crypto_acipher_rsaes_encrypt(uint32_t algo,struct rsa_public_key * key,const uint8_t * label,size_t label_len,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)430 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo,
431 struct rsa_public_key *key,
432 const uint8_t *label,
433 size_t label_len, const uint8_t *src,
434 size_t src_len, uint8_t *dst,
435 size_t *dst_len)
436 {
437 TEE_Result res;
438 uint32_t mod_size;
439 int ltc_hashindex, ltc_res, ltc_rsa_algo;
440 rsa_key ltc_key = {
441 .type = PK_PUBLIC,
442 .e = key->e,
443 .N = key->n
444 };
445
446 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
447 if (*dst_len < mod_size) {
448 *dst_len = mod_size;
449 res = TEE_ERROR_SHORT_BUFFER;
450 goto out;
451 }
452 *dst_len = mod_size;
453
454 /* Get the algorithm */
455 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
456 if (res != TEE_SUCCESS)
457 goto out;
458
459 if (algo == TEE_ALG_RSAES_PKCS1_V1_5)
460 ltc_rsa_algo = LTC_PKCS_1_V1_5;
461 else
462 ltc_rsa_algo = LTC_PKCS_1_OAEP;
463
464 ltc_res = rsa_encrypt_key_ex(src, src_len, dst,
465 (unsigned long *)(dst_len), label,
466 label_len, NULL, find_prng("prng_crypto"),
467 ltc_hashindex, ltc_rsa_algo, <c_key);
468 switch (ltc_res) {
469 case CRYPT_PK_INVALID_PADDING:
470 case CRYPT_INVALID_PACKET:
471 case CRYPT_PK_INVALID_SIZE:
472 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res);
473 res = TEE_ERROR_BAD_PARAMETERS;
474 goto out;
475 case CRYPT_OK:
476 break;
477 default:
478 /* This will result in a panic */
479 res = TEE_ERROR_GENERIC;
480 goto out;
481 }
482 res = TEE_SUCCESS;
483
484 out:
485 return res;
486 }
487
488 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
489 int salt_len, const uint8_t *msg,
490 size_t msg_len, uint8_t *sig,
491 size_t *sig_len)
492 __weak __alias("sw_crypto_acipher_rsassa_sign");
493
sw_crypto_acipher_rsassa_sign(uint32_t algo,struct rsa_keypair * key,int salt_len,const uint8_t * msg,size_t msg_len,uint8_t * sig,size_t * sig_len)494 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
495 int salt_len, const uint8_t *msg,
496 size_t msg_len, uint8_t *sig,
497 size_t *sig_len)
498 {
499 TEE_Result res;
500 size_t hash_size, mod_size;
501 int ltc_res, ltc_rsa_algo, ltc_hashindex;
502 unsigned long ltc_sig_len;
503 rsa_key ltc_key = { 0, };
504
505 ltc_key.type = PK_PRIVATE;
506 ltc_key.e = key->e;
507 ltc_key.N = key->n;
508 ltc_key.d = key->d;
509 if (key->p && crypto_bignum_num_bytes(key->p)) {
510 ltc_key.p = key->p;
511 ltc_key.q = key->q;
512 ltc_key.qP = key->qp;
513 ltc_key.dP = key->dp;
514 ltc_key.dQ = key->dq;
515 }
516
517 switch (algo) {
518 case TEE_ALG_RSASSA_PKCS1_V1_5:
519 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
520 break;
521 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
522 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
523 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
524 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
525 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
526 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
527 ltc_rsa_algo = LTC_PKCS_1_V1_5;
528 break;
529 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
530 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
531 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
532 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
533 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
534 ltc_rsa_algo = LTC_PKCS_1_PSS;
535 break;
536 default:
537 res = TEE_ERROR_BAD_PARAMETERS;
538 goto err;
539 }
540
541 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) {
542 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
543 if (ltc_res != CRYPT_OK) {
544 res = TEE_ERROR_BAD_PARAMETERS;
545 goto err;
546 }
547
548 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
549 &hash_size);
550 if (res != TEE_SUCCESS)
551 goto err;
552
553 if (msg_len != hash_size) {
554 res = TEE_ERROR_BAD_PARAMETERS;
555 goto err;
556 }
557 }
558
559 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
560
561 if (*sig_len < mod_size) {
562 *sig_len = mod_size;
563 res = TEE_ERROR_SHORT_BUFFER;
564 goto err;
565 }
566
567 ltc_sig_len = mod_size;
568
569 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len,
570 ltc_rsa_algo, NULL, find_prng("prng_crypto"),
571 ltc_hashindex, salt_len, <c_key);
572
573 *sig_len = ltc_sig_len;
574
575 if (ltc_res != CRYPT_OK) {
576 res = TEE_ERROR_BAD_PARAMETERS;
577 goto err;
578 }
579 res = TEE_SUCCESS;
580
581 err:
582 return res;
583 }
584
585 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo,
586 struct rsa_public_key *key,
587 int salt_len, const uint8_t *msg,
588 size_t msg_len, const uint8_t *sig,
589 size_t sig_len)
590 __weak __alias("sw_crypto_acipher_rsassa_verify");
591
sw_crypto_acipher_rsassa_verify(uint32_t algo,struct rsa_public_key * key,int salt_len,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len)592 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo,
593 struct rsa_public_key *key,
594 int salt_len, const uint8_t *msg,
595 size_t msg_len, const uint8_t *sig,
596 size_t sig_len)
597 {
598 TEE_Result res;
599 uint32_t bigint_size;
600 size_t hash_size;
601 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo;
602 rsa_key ltc_key = {
603 .type = PK_PUBLIC,
604 .e = key->e,
605 .N = key->n
606 };
607 struct ftmn ftmn = { };
608
609 /*
610 * The caller expects to call crypto_acipher_rsassa_verify(),
611 * update the hash as needed.
612 */
613 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify"));
614
615 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
616 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
617 &hash_size);
618 if (res != TEE_SUCCESS)
619 goto err;
620
621 if (msg_len != hash_size) {
622 res = TEE_ERROR_BAD_PARAMETERS;
623 goto err;
624 }
625 }
626
627 bigint_size = ltc_mp.unsigned_size(ltc_key.N);
628 if (sig_len < bigint_size) {
629 res = TEE_ERROR_SIGNATURE_INVALID;
630 goto err;
631 }
632
633 /* Get the algorithm */
634 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
635 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
636 if (res != TEE_SUCCESS)
637 goto err;
638 }
639
640 switch (algo) {
641 case TEE_ALG_RSASSA_PKCS1_V1_5:
642 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
643 break;
644 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
645 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
646 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
647 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
648 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
649 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
650 ltc_rsa_algo = LTC_PKCS_1_V1_5;
651 break;
652 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
653 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
654 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
655 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
656 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
657 ltc_rsa_algo = LTC_PKCS_1_PSS;
658 break;
659 default:
660 res = TEE_ERROR_BAD_PARAMETERS;
661 goto err;
662 }
663
664 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex"));
665 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo,
666 ltc_hashindex, salt_len, &stat, <c_key);
667 res = convert_ltc_verify_status(ltc_res, stat);
668 if (res)
669 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res);
670 else
671 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0);
672 FTMN_POP_LINKED_CALL(&ftmn);
673 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res);
674 return res;
675 err:
676 FTMN_CALLEE_DONE_NOT_ZERO(res);
677 return res;
678 }
679