1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2014-2019, 2022 Linaro Limited
4 */
5
6 #include <crypto/crypto.h>
7 #include <crypto/crypto_impl.h>
8 #include <fault_mitigation.h>
9 #include <mempool.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <tee_api_defines_extensions.h>
13 #include <tee_api_types.h>
14 #include <tee/tee_cryp_utl.h>
15 #include <trace.h>
16 #include <utee_defines.h>
17
18 #include "acipher_helpers.h"
19
20
21 /*
22 * Compute the LibTomCrypt "hashindex" given a TEE Algorithm "algo"
23 * Return
24 * - TEE_SUCCESS in case of success,
25 * - TEE_ERROR_BAD_PARAMETERS in case algo is not a valid algo
26 * - TEE_ERROR_NOT_SUPPORTED in case algo is not supported by LTC
27 * Return -1 in case of error
28 */
tee_algo_to_ltc_hashindex(uint32_t algo,int * ltc_hashindex)29 static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex)
30 {
31 switch (algo) {
32 #if defined(_CFG_CORE_LTC_SHA1_DESC)
33 case TEE_ALG_SHA1:
34 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
35 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
36 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1:
37 *ltc_hashindex = find_hash("sha1");
38 break;
39 #endif
40 #if defined(_CFG_CORE_LTC_MD5_DESC)
41 case TEE_ALG_MD5:
42 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
43 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5:
44 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5:
45 *ltc_hashindex = find_hash("md5");
46 break;
47 #endif
48 #if defined(_CFG_CORE_LTC_SHA224_DESC)
49 case TEE_ALG_SHA224:
50 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
51 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
52 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224:
53 *ltc_hashindex = find_hash("sha224");
54 break;
55 #endif
56 #if defined(_CFG_CORE_LTC_SHA256_DESC)
57 case TEE_ALG_SHA256:
58 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
59 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
60 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256:
61 *ltc_hashindex = find_hash("sha256");
62 break;
63 #endif
64 #if defined(_CFG_CORE_LTC_SHA384_DESC)
65 case TEE_ALG_SHA384:
66 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
67 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
68 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384:
69 *ltc_hashindex = find_hash("sha384");
70 break;
71 #endif
72 #if defined(_CFG_CORE_LTC_SHA512_DESC)
73 case TEE_ALG_SHA512:
74 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
75 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
76 case TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512:
77 *ltc_hashindex = find_hash("sha512");
78 break;
79 #endif
80 case TEE_ALG_RSASSA_PKCS1_V1_5:
81 case TEE_ALG_RSAES_PKCS1_V1_5:
82 /* invalid one. but it should not be used anyway */
83 *ltc_hashindex = -1;
84 return TEE_SUCCESS;
85
86 default:
87 return TEE_ERROR_BAD_PARAMETERS;
88 }
89
90 if (*ltc_hashindex < 0)
91 return TEE_ERROR_NOT_SUPPORTED;
92 else
93 return TEE_SUCCESS;
94 }
95
96 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
97 size_t key_size_bits __unused)
98 __weak __alias("sw_crypto_acipher_alloc_rsa_keypair");
99
sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair * s,size_t key_size_bits __unused)100 TEE_Result sw_crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s,
101 size_t key_size_bits __unused)
102 {
103 memset(s, 0, sizeof(*s));
104 if (!bn_alloc_max(&s->e))
105 return TEE_ERROR_OUT_OF_MEMORY;
106 if (!bn_alloc_max(&s->d))
107 goto err;
108 if (!bn_alloc_max(&s->n))
109 goto err;
110 if (!bn_alloc_max(&s->p))
111 goto err;
112 if (!bn_alloc_max(&s->q))
113 goto err;
114 if (!bn_alloc_max(&s->qp))
115 goto err;
116 if (!bn_alloc_max(&s->dp))
117 goto err;
118 if (!bn_alloc_max(&s->dq))
119 goto err;
120
121 return TEE_SUCCESS;
122 err:
123 crypto_acipher_free_rsa_keypair(s);
124 return TEE_ERROR_OUT_OF_MEMORY;
125 }
126
127
128 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
129 size_t key_size_bits __unused)
130 __weak __alias("sw_crypto_acipher_alloc_rsa_public_key");
131
sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key * s,size_t key_size_bits __unused)132 TEE_Result sw_crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s,
133 size_t key_size_bits __unused)
134 {
135 memset(s, 0, sizeof(*s));
136 if (!bn_alloc_max(&s->e))
137 return TEE_ERROR_OUT_OF_MEMORY;
138 if (!bn_alloc_max(&s->n))
139 goto err;
140 return TEE_SUCCESS;
141 err:
142 crypto_bignum_free(&s->e);
143 return TEE_ERROR_OUT_OF_MEMORY;
144 }
145
146
147 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
148 __weak __alias("sw_crypto_acipher_free_rsa_public_key");
149
sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key * s)150 void sw_crypto_acipher_free_rsa_public_key(struct rsa_public_key *s)
151 {
152 if (!s)
153 return;
154 crypto_bignum_free(&s->n);
155 crypto_bignum_free(&s->e);
156 }
157
158
159 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
160 __weak __alias("sw_crypto_acipher_free_rsa_keypair");
161
sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair * s)162 void sw_crypto_acipher_free_rsa_keypair(struct rsa_keypair *s)
163 {
164 if (!s)
165 return;
166 crypto_bignum_free(&s->e);
167 crypto_bignum_free(&s->d);
168 crypto_bignum_free(&s->n);
169 crypto_bignum_free(&s->p);
170 crypto_bignum_free(&s->q);
171 crypto_bignum_free(&s->qp);
172 crypto_bignum_free(&s->dp);
173 crypto_bignum_free(&s->dq);
174 }
175
176 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
177 size_t key_size)
178 __weak __alias("sw_crypto_acipher_gen_rsa_key");
179
sw_crypto_acipher_gen_rsa_key(struct rsa_keypair * key,size_t key_size)180 TEE_Result sw_crypto_acipher_gen_rsa_key(struct rsa_keypair *key,
181 size_t key_size)
182 {
183 TEE_Result res;
184 rsa_key ltc_tmp_key;
185 int ltc_res;
186
187 /* Generate a temporary RSA key */
188 ltc_res = rsa_make_key_bn_e(NULL, find_prng("prng_crypto"),
189 key_size / 8, key->e, <c_tmp_key);
190 if (ltc_res != CRYPT_OK) {
191 res = TEE_ERROR_BAD_PARAMETERS;
192 } else if ((size_t)mp_count_bits(ltc_tmp_key.N) != key_size) {
193 rsa_free(<c_tmp_key);
194 res = TEE_ERROR_BAD_PARAMETERS;
195 } else {
196 /* Copy the key */
197 ltc_mp.copy(ltc_tmp_key.d, key->d);
198 ltc_mp.copy(ltc_tmp_key.N, key->n);
199 ltc_mp.copy(ltc_tmp_key.p, key->p);
200 ltc_mp.copy(ltc_tmp_key.q, key->q);
201 ltc_mp.copy(ltc_tmp_key.qP, key->qp);
202 ltc_mp.copy(ltc_tmp_key.dP, key->dp);
203 ltc_mp.copy(ltc_tmp_key.dQ, key->dq);
204
205 /* Free the temporary key */
206 rsa_free(<c_tmp_key);
207 res = TEE_SUCCESS;
208 }
209
210 return res;
211 }
212
rsadorep(rsa_key * ltc_key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)213 static TEE_Result rsadorep(rsa_key *ltc_key, const uint8_t *src,
214 size_t src_len, uint8_t *dst, size_t *dst_len)
215 {
216 TEE_Result res = TEE_SUCCESS;
217 uint8_t *buf = NULL;
218 unsigned long blen, offset;
219 int ltc_res;
220
221 /*
222 * Use a temporary buffer since we don't know exactly how large the
223 * required size of the out buffer without doing a partial decrypt.
224 * We know the upper bound though.
225 */
226 blen = _CFG_CORE_LTC_BIGNUM_MAX_BITS / sizeof(uint8_t);
227 buf = mempool_alloc(mempool_default, blen);
228 if (!buf) {
229 res = TEE_ERROR_OUT_OF_MEMORY;
230 goto out;
231 }
232
233 ltc_res = rsa_exptmod(src, src_len, buf, &blen, ltc_key->type,
234 ltc_key);
235 switch (ltc_res) {
236 case CRYPT_PK_NOT_PRIVATE:
237 case CRYPT_PK_INVALID_TYPE:
238 case CRYPT_PK_INVALID_SIZE:
239 case CRYPT_INVALID_PACKET:
240 EMSG("rsa_exptmod() returned %d", ltc_res);
241 res = TEE_ERROR_BAD_PARAMETERS;
242 goto out;
243 case CRYPT_OK:
244 break;
245 default:
246 /* This will result in a panic */
247 EMSG("rsa_exptmod() returned %d", ltc_res);
248 res = TEE_ERROR_GENERIC;
249 goto out;
250 }
251
252 /* Remove the zero-padding (leave one zero if buff is all zeroes) */
253 offset = 0;
254 while ((offset < blen - 1) && (buf[offset] == 0))
255 offset++;
256
257 if (*dst_len < blen - offset) {
258 *dst_len = blen - offset;
259 res = TEE_ERROR_SHORT_BUFFER;
260 goto out;
261 }
262
263 res = TEE_SUCCESS;
264 *dst_len = blen - offset;
265 memcpy(dst, (char *)buf + offset, *dst_len);
266
267 out:
268 mempool_free(mempool_default, buf);
269
270 return res;
271 }
272
273 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
274 const uint8_t *src,
275 size_t src_len, uint8_t *dst,
276 size_t *dst_len)
277 __weak __alias("sw_crypto_acipher_rsanopad_encrypt");
278
sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key * key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)279 TEE_Result sw_crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key,
280 const uint8_t *src,
281 size_t src_len, uint8_t *dst,
282 size_t *dst_len)
283 {
284 TEE_Result res;
285 rsa_key ltc_key = { 0, };
286
287 ltc_key.type = PK_PUBLIC;
288 ltc_key.e = key->e;
289 ltc_key.N = key->n;
290
291 res = rsadorep(<c_key, src, src_len, dst, dst_len);
292 return res;
293 }
294
295 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
296 const uint8_t *src,
297 size_t src_len, uint8_t *dst,
298 size_t *dst_len)
299 __weak __alias("sw_crypto_acipher_rsanopad_decrypt");
300
sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair * key,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)301 TEE_Result sw_crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key,
302 const uint8_t *src,
303 size_t src_len, uint8_t *dst,
304 size_t *dst_len)
305 {
306 TEE_Result res;
307 rsa_key ltc_key = { 0, };
308
309 ltc_key.type = PK_PRIVATE;
310 ltc_key.e = key->e;
311 ltc_key.N = key->n;
312 ltc_key.d = key->d;
313 if (key->p && crypto_bignum_num_bytes(key->p)) {
314 ltc_key.p = key->p;
315 ltc_key.q = key->q;
316 ltc_key.qP = key->qp;
317 ltc_key.dP = key->dp;
318 ltc_key.dQ = key->dq;
319 }
320
321 res = rsadorep(<c_key, src, src_len, dst, dst_len);
322 return res;
323 }
324
325 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo,
326 struct rsa_keypair *key,
327 const uint8_t *label,
328 size_t label_len,
329 uint32_t mgf_algo,
330 const uint8_t *src,
331 size_t src_len, uint8_t *dst,
332 size_t *dst_len)
333 __weak __alias("sw_crypto_acipher_rsaes_decrypt");
334
sw_crypto_acipher_rsaes_decrypt(uint32_t algo,struct rsa_keypair * key,const uint8_t * label,size_t label_len,uint32_t mgf_algo,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)335 TEE_Result sw_crypto_acipher_rsaes_decrypt(uint32_t algo,
336 struct rsa_keypair *key,
337 const uint8_t *label,
338 size_t label_len,
339 uint32_t mgf_algo,
340 const uint8_t *src,
341 size_t src_len, uint8_t *dst,
342 size_t *dst_len)
343 {
344 TEE_Result res = TEE_SUCCESS;
345 void *buf = NULL;
346 unsigned long blen;
347 int ltc_hashindex, ltc_mgfindex, ltc_res, ltc_stat, ltc_rsa_algo;
348 size_t mod_size;
349 rsa_key ltc_key = { 0, };
350
351 ltc_key.type = PK_PRIVATE;
352 ltc_key.e = key->e;
353 ltc_key.d = key->d;
354 ltc_key.N = key->n;
355 if (key->p && crypto_bignum_num_bytes(key->p)) {
356 ltc_key.p = key->p;
357 ltc_key.q = key->q;
358 ltc_key.qP = key->qp;
359 ltc_key.dP = key->dp;
360 ltc_key.dQ = key->dq;
361 }
362
363 /* Get the algorithm */
364 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
365 if (res != TEE_SUCCESS) {
366 EMSG("tee_algo_to_ltc_hashindex() returned %#"PRIx32, res);
367 goto out;
368 }
369 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) {
370 res = tee_algo_to_ltc_hashindex(mgf_algo, <c_mgfindex);
371 if (res != TEE_SUCCESS) {
372 EMSG("tee_algo_to_ltc_hashindex() returned %#"PRIx32"for mgf algo %#"PRIx32,
373 res, mgf_algo);
374 goto out;
375 }
376 } else {
377 ltc_mgfindex = -1;
378 }
379
380 /*
381 * Use a temporary buffer since we don't know exactly how large
382 * the required size of the out buffer without doing a partial
383 * decrypt. We know the upper bound though.
384 */
385 if (algo == TEE_ALG_RSAES_PKCS1_V1_5) {
386 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
387 blen = mod_size - 11;
388 ltc_rsa_algo = LTC_PKCS_1_V1_5;
389 } else {
390 /* Decoded message is always shorter than encrypted message */
391 blen = src_len;
392 ltc_rsa_algo = LTC_PKCS_1_OAEP;
393 }
394
395 buf = mempool_alloc(mempool_default, blen);
396 if (!buf) {
397 res = TEE_ERROR_OUT_OF_MEMORY;
398 goto out;
399 }
400
401 ltc_res = rsa_decrypt_key_ex(src, src_len, buf, &blen,
402 ((label_len == 0) ? 0 : label), label_len,
403 ltc_mgfindex, ltc_hashindex, ltc_rsa_algo,
404 <c_stat, <c_key);
405 switch (ltc_res) {
406 case CRYPT_PK_INVALID_PADDING:
407 case CRYPT_INVALID_PACKET:
408 case CRYPT_PK_INVALID_SIZE:
409 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
410 res = TEE_ERROR_BAD_PARAMETERS;
411 goto out;
412 case CRYPT_OK:
413 break;
414 default:
415 /* This will result in a panic */
416 EMSG("rsa_decrypt_key_ex() returned %d", ltc_res);
417 res = TEE_ERROR_GENERIC;
418 goto out;
419 }
420 if (ltc_stat != 1) {
421 /* This will result in a panic */
422 EMSG("rsa_decrypt_key_ex() returned %d and %d",
423 ltc_res, ltc_stat);
424 res = TEE_ERROR_GENERIC;
425 goto out;
426 }
427
428 if (*dst_len < blen) {
429 *dst_len = blen;
430 res = TEE_ERROR_SHORT_BUFFER;
431 goto out;
432 }
433
434 res = TEE_SUCCESS;
435 *dst_len = blen;
436 memcpy(dst, buf, blen);
437
438 out:
439 mempool_free(mempool_default, buf);
440
441 return res;
442 }
443
444 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo,
445 struct rsa_public_key *key,
446 const uint8_t *label,
447 size_t label_len,
448 uint32_t mgf_algo,
449 const uint8_t *src,
450 size_t src_len, uint8_t *dst,
451 size_t *dst_len)
452 __weak __alias("sw_crypto_acipher_rsaes_encrypt");
453
sw_crypto_acipher_rsaes_encrypt(uint32_t algo,struct rsa_public_key * key,const uint8_t * label,size_t label_len,uint32_t mgf_algo,const uint8_t * src,size_t src_len,uint8_t * dst,size_t * dst_len)454 TEE_Result sw_crypto_acipher_rsaes_encrypt(uint32_t algo,
455 struct rsa_public_key *key,
456 const uint8_t *label,
457 size_t label_len,
458 uint32_t mgf_algo,
459 const uint8_t *src,
460 size_t src_len, uint8_t *dst,
461 size_t *dst_len)
462 {
463 TEE_Result res;
464 uint32_t mod_size;
465 int ltc_hashindex, ltc_mgfindex, ltc_res, ltc_rsa_algo;
466 rsa_key ltc_key = {
467 .type = PK_PUBLIC,
468 .e = key->e,
469 .N = key->n
470 };
471
472 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
473 if (*dst_len < mod_size) {
474 *dst_len = mod_size;
475 res = TEE_ERROR_SHORT_BUFFER;
476 goto out;
477 }
478 *dst_len = mod_size;
479
480 /* Get the algorithm */
481 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
482 if (res != TEE_SUCCESS)
483 goto out;
484
485 if (algo != TEE_ALG_RSAES_PKCS1_V1_5) {
486 res = tee_algo_to_ltc_hashindex(mgf_algo, <c_mgfindex);
487 if (res != TEE_SUCCESS)
488 goto out;
489 } else {
490 ltc_mgfindex = -1;
491 }
492
493 if (algo == TEE_ALG_RSAES_PKCS1_V1_5)
494 ltc_rsa_algo = LTC_PKCS_1_V1_5;
495 else
496 ltc_rsa_algo = LTC_PKCS_1_OAEP;
497
498 ltc_res = rsa_encrypt_key_ex(src, src_len, dst,
499 (unsigned long *)(dst_len), label,
500 label_len, NULL, find_prng("prng_crypto"),
501 ltc_mgfindex, ltc_hashindex, ltc_rsa_algo,
502 <c_key);
503 switch (ltc_res) {
504 case CRYPT_PK_INVALID_PADDING:
505 case CRYPT_INVALID_PACKET:
506 case CRYPT_PK_INVALID_SIZE:
507 EMSG("rsa_encrypt_key_ex() returned %d", ltc_res);
508 res = TEE_ERROR_BAD_PARAMETERS;
509 goto out;
510 case CRYPT_OK:
511 break;
512 default:
513 /* This will result in a panic */
514 res = TEE_ERROR_GENERIC;
515 goto out;
516 }
517 res = TEE_SUCCESS;
518
519 out:
520 return res;
521 }
522
523 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
524 int salt_len, const uint8_t *msg,
525 size_t msg_len, uint8_t *sig,
526 size_t *sig_len)
527 __weak __alias("sw_crypto_acipher_rsassa_sign");
528
sw_crypto_acipher_rsassa_sign(uint32_t algo,struct rsa_keypair * key,int salt_len,const uint8_t * msg,size_t msg_len,uint8_t * sig,size_t * sig_len)529 TEE_Result sw_crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key,
530 int salt_len, const uint8_t *msg,
531 size_t msg_len, uint8_t *sig,
532 size_t *sig_len)
533 {
534 TEE_Result res;
535 size_t hash_size, mod_size;
536 int ltc_res, ltc_rsa_algo, ltc_hashindex;
537 unsigned long ltc_sig_len;
538 rsa_key ltc_key = { 0, };
539
540 ltc_key.type = PK_PRIVATE;
541 ltc_key.e = key->e;
542 ltc_key.N = key->n;
543 ltc_key.d = key->d;
544 if (key->p && crypto_bignum_num_bytes(key->p)) {
545 ltc_key.p = key->p;
546 ltc_key.q = key->q;
547 ltc_key.qP = key->qp;
548 ltc_key.dP = key->dp;
549 ltc_key.dQ = key->dq;
550 }
551
552 switch (algo) {
553 case TEE_ALG_RSASSA_PKCS1_V1_5:
554 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
555 break;
556 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
557 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
558 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
559 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
560 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
561 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
562 ltc_rsa_algo = LTC_PKCS_1_V1_5;
563 break;
564 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5:
565 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
566 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
567 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
568 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
569 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
570 ltc_rsa_algo = LTC_PKCS_1_PSS;
571 break;
572 default:
573 res = TEE_ERROR_BAD_PARAMETERS;
574 goto err;
575 }
576
577 if (ltc_rsa_algo != LTC_PKCS_1_V1_5_NA1) {
578 ltc_res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
579 if (ltc_res != CRYPT_OK) {
580 res = TEE_ERROR_BAD_PARAMETERS;
581 goto err;
582 }
583
584 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
585 &hash_size);
586 if (res != TEE_SUCCESS)
587 goto err;
588
589 if (msg_len != hash_size) {
590 res = TEE_ERROR_BAD_PARAMETERS;
591 goto err;
592 }
593 }
594
595 mod_size = ltc_mp.unsigned_size((void *)(ltc_key.N));
596
597 if (*sig_len < mod_size) {
598 *sig_len = mod_size;
599 res = TEE_ERROR_SHORT_BUFFER;
600 goto err;
601 }
602
603 ltc_sig_len = mod_size;
604
605 ltc_res = rsa_sign_hash_ex(msg, msg_len, sig, <c_sig_len,
606 ltc_rsa_algo, NULL, find_prng("prng_crypto"),
607 ltc_hashindex, salt_len, <c_key);
608
609 *sig_len = ltc_sig_len;
610
611 if (ltc_res != CRYPT_OK) {
612 res = TEE_ERROR_BAD_PARAMETERS;
613 goto err;
614 }
615 res = TEE_SUCCESS;
616
617 err:
618 return res;
619 }
620
621 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo,
622 struct rsa_public_key *key,
623 int salt_len, const uint8_t *msg,
624 size_t msg_len, const uint8_t *sig,
625 size_t sig_len)
626 __weak __alias("sw_crypto_acipher_rsassa_verify");
627
sw_crypto_acipher_rsassa_verify(uint32_t algo,struct rsa_public_key * key,int salt_len,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len)628 TEE_Result sw_crypto_acipher_rsassa_verify(uint32_t algo,
629 struct rsa_public_key *key,
630 int salt_len, const uint8_t *msg,
631 size_t msg_len, const uint8_t *sig,
632 size_t sig_len)
633 {
634 TEE_Result res;
635 uint32_t bigint_size;
636 size_t hash_size;
637 int stat, ltc_hashindex, ltc_res, ltc_rsa_algo;
638 rsa_key ltc_key = {
639 .type = PK_PUBLIC,
640 .e = key->e,
641 .N = key->n
642 };
643 struct ftmn ftmn = { };
644
645 /*
646 * The caller expects to call crypto_acipher_rsassa_verify(),
647 * update the hash as needed.
648 */
649 FTMN_CALLEE_SWAP_HASH(FTMN_FUNC_HASH("crypto_acipher_rsassa_verify"));
650
651 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
652 res = tee_alg_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(algo),
653 &hash_size);
654 if (res != TEE_SUCCESS)
655 goto err;
656
657 if (msg_len != hash_size) {
658 res = TEE_ERROR_BAD_PARAMETERS;
659 goto err;
660 }
661 }
662
663 bigint_size = ltc_mp.unsigned_size(ltc_key.N);
664 if (sig_len < bigint_size) {
665 res = TEE_ERROR_SIGNATURE_INVALID;
666 goto err;
667 }
668
669 /* Get the algorithm */
670 if (algo != TEE_ALG_RSASSA_PKCS1_V1_5) {
671 res = tee_algo_to_ltc_hashindex(algo, <c_hashindex);
672 if (res != TEE_SUCCESS)
673 goto err;
674 }
675
676 switch (algo) {
677 case TEE_ALG_RSASSA_PKCS1_V1_5:
678 ltc_rsa_algo = LTC_PKCS_1_V1_5_NA1;
679 break;
680 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
681 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
682 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
683 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
684 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
685 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
686 ltc_rsa_algo = LTC_PKCS_1_V1_5;
687 break;
688 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5:
689 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
690 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
691 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
692 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
693 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
694 ltc_rsa_algo = LTC_PKCS_1_PSS;
695 break;
696 default:
697 res = TEE_ERROR_BAD_PARAMETERS;
698 goto err;
699 }
700
701 FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("rsa_verify_hash_ex"));
702 ltc_res = rsa_verify_hash_ex(sig, sig_len, msg, msg_len, ltc_rsa_algo,
703 ltc_hashindex, salt_len, &stat, <c_key);
704 res = convert_ltc_verify_status(ltc_res, stat);
705 if (res)
706 FTMN_SET_CHECK_RES_NOT_ZERO(&ftmn, FTMN_INCR0, res);
707 else
708 FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR0, 0);
709 FTMN_POP_LINKED_CALL(&ftmn);
710 FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1), res);
711 return res;
712 err:
713 FTMN_CALLEE_DONE_NOT_ZERO(res);
714 return res;
715 }
716