crypto: don't check hash size when the main algorithm is ECDSA

syscall_asymm_verify() (and therefore TEE_AsymmetricVerifyDigest()) incorrectly assumes that the hash algorithm is SHA1 when the main algorithm is ECDSA, and will panic the TA if the hash size is not set accordingly. This behavior does not comply with the TEE Internal Core API v1.1, which states: "Where a hash algorithm is specified in the algorithm, digestLen SHALL be equal to the digest length of this hash algorithm". For TEE_ALG_ECDSA_P192, TEE_ALG_ECDSA_P224, TEE_ALG_ECDSA_P256, TEE_ALG_ECDSA_P384 and TEE_ALG_ECDSA_P521, no hash algorithm is specified, and so we must not restrict the hash size to any specific value. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Henrik Andersson <Henrik.Andersson@se.bosch.com> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
OP-TEE · Apr 26, 2017 · fa05bd2 · fa05bd2
1 parent 03b03fa
commit fa05bd2
Showing 1 changed file with 20 additions and 25 deletions.
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
@@ -3487,35 +3487,16 @@ TEE_Result syscall_asymm_verify(unsigned long state,
 		goto out;
 	}
 
-	if (TEE_ALG_GET_MAIN_ALG(cs->algo) == TEE_MAIN_ALGO_ECDSA)
-		hash_algo = TEE_ALG_SHA1;
-	else
+	switch (TEE_ALG_GET_MAIN_ALG(cs->algo)) {
+	case TEE_MAIN_ALGO_RSA:
 		hash_algo = TEE_DIGEST_HASH_TO_ALGO(cs->algo);
-
-	res = tee_hash_get_digest_size(hash_algo, &hash_size);
-	if (res != TEE_SUCCESS)
-		goto out;
-
-	if (TEE_ALG_GET_MAIN_ALG(cs->algo) == TEE_MAIN_ALGO_DSA) {
-		/*
-		 * Depending on the DSA algorithm (NIST), the digital signature
-		 * output size may be truncated to the size of a key pair
-		 * (Q prime size). Q prime size must be less or equal than the
-		 * hash output length of the hash algorithm involved.
-		 */
-		if (data_len > hash_size) {
-			res = TEE_ERROR_BAD_PARAMETERS;
-			goto out;
-		}
-	} else {
+		res = tee_hash_get_digest_size(hash_algo, &hash_size);
+		if (res != TEE_SUCCESS)
+			break;
 		if (data_len != hash_size) {
 			res = TEE_ERROR_BAD_PARAMETERS;
-			goto out;
+			break;
 		}
-	}
-
-	switch (TEE_ALG_GET_MAIN_ALG(cs->algo)) {
-	case TEE_MAIN_ALGO_RSA:
 		salt_len = pkcs1_get_salt_len(params, num_params, hash_size);
 		if (!crypto_ops.acipher.rsassa_verify) {
 			res = TEE_ERROR_NOT_IMPLEMENTED;
@@ -3527,6 +3508,20 @@ TEE_Result syscall_asymm_verify(unsigned long state,
 		break;
 
 	case TEE_MAIN_ALGO_DSA:
+		hash_algo = TEE_DIGEST_HASH_TO_ALGO(cs->algo);
+		res = tee_hash_get_digest_size(hash_algo, &hash_size);
+		if (res != TEE_SUCCESS)
+			break;
+		/*
+		 * Depending on the DSA algorithm (NIST), the digital signature
+		 * output size may be truncated to the size of a key pair
+		 * (Q prime size). Q prime size must be less or equal than the
+		 * hash output length of the hash algorithm involved.
+		 */
+		if (data_len > hash_size) {
+			res = TEE_ERROR_BAD_PARAMETERS;
+			break;
+		}
 		if (!crypto_ops.acipher.dsa_verify) {
 			res = TEE_ERROR_NOT_IMPLEMENTED;
 			break;