Added additional support for ECP for PSA_CRYPTO_CONFIG
The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously
being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change
moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR
and PUBLIC_KEY as needed. Tests have also been added to validate the new
settings.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 8f90630..c5d284c 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -63,23 +63,35 @@
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECP_C
#define MBEDTLS_BIGNUM_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */
-#endif /* defined(PSA_WANT_ALG_ECDH) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH */
+
+#if defined(PSA_WANT_ECC_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1
+#endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */
+#endif /* PSA_WANT_ECC_KEY_PAIR */
+
+#if defined(PSA_WANT_ECC_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1
+#endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */
+#endif /* PSA_WANT_ECC_PUBLIC_KEY */
#if defined(PSA_WANT_ALG_HMAC)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define MBEDTLS_MD_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */
-#endif /* defined(PSA_WANT_ALG_HMAC) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* PSA_WANT_ALG_HMAC */
#if defined(PSA_WANT_ALG_HKDF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#define MBEDTLS_HKDF_C
#define MBEDTLS_MD_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */
-#endif /* defined(PSA_WANT_ALG_HKDF) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
+#endif /* PSA_WANT_ALG_HKDF */
#if defined(PSA_WANT_ALG_RSA)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA)
@@ -87,8 +99,8 @@
#define MBEDTLS_RSA_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_OID_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */
-#endif /* defined(PSA_WANT_ALG_RSA) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA */
+#endif /* PSA_WANT_ALG_RSA */
#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
@@ -110,6 +122,11 @@
#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1
+#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1
+#endif /* MBEDTLS_ECP_C */
+
#if defined(MBEDTLS_MD_C)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#endif /* MBEDTLS_MD_C */
@@ -118,7 +135,7 @@
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#endif /* MBEDTLS_HKDF_C */
-#ifdef MBEDTLS_RSA_C
+#if defined(MBEDTLS_RSA_C)
#define MBEDTLS_PSA_BUILTIN_ALG_RSA 1
#endif /* MBEDTLS_RSA_C */
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 8549813..c7605aa 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -53,6 +53,8 @@
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ECC_KEY_PAIR 1
+#define PSA_WANT_ECC_PUBLIC_KEY 1
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_HKDF 1
#define PSA_WANT_ALG_RSA 1
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f349ff5..c45d0ee 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -370,7 +370,7 @@
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
size_t byte_length )
{
@@ -438,7 +438,7 @@
return( MBEDTLS_ECP_DP_NONE );
}
}
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
size_t bits )
@@ -711,7 +711,7 @@
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
/** Load the contents of a key buffer into an internal ECP representation
*
* \param[in] type The type of key contained in \p data.
@@ -930,7 +930,7 @@
return( PSA_SUCCESS );
}
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
/** Return the size of the key in the given slot, in bits.
*
@@ -1069,12 +1069,12 @@
/* Key format is not supported by any accelerator, try software fallback
* if present. */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
return( psa_import_ecp_key( slot, data, data_length ) );
}
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
@@ -1647,7 +1647,7 @@
}
else
{
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
mbedtls_ecp_keypair *ecp = NULL;
psa_status_t status = psa_load_ecp_representation(
slot->attr.type,
@@ -1671,7 +1671,7 @@
#else
/* We don't know how to convert a private ECC key to public */
return( PSA_ERROR_NOT_SUPPORTED );
-#endif
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
}
}
else
@@ -3728,7 +3728,7 @@
}
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
@@ -3762,7 +3762,7 @@
}
}
else
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
{
status = PSA_ERROR_NOT_SUPPORTED;
}
@@ -3829,7 +3829,7 @@
}
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
@@ -3856,7 +3856,7 @@
}
}
else
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
{
return( PSA_ERROR_NOT_SUPPORTED );
}
@@ -5782,7 +5782,7 @@
/* Key agreement */
/****************************************************************/
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
size_t peer_key_length,
const mbedtls_ecp_keypair *our_key,
@@ -5833,7 +5833,7 @@
return( status );
}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */
#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
@@ -5847,7 +5847,7 @@
{
switch( alg )
{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
case PSA_ALG_ECDH:
if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
@@ -5866,7 +5866,7 @@
mbedtls_ecp_keypair_free( ecp );
mbedtls_free( ecp );
return( status );
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */
default:
(void) private_key;
(void) peer_key;
@@ -6144,7 +6144,7 @@
else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
{
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type );
@@ -6189,7 +6189,7 @@
return( status );
}
else
-#endif /* MBEDTLS_ECP_C */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) */
{
return( PSA_ERROR_NOT_SUPPORTED );
}
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a99dd4f..7ad4c49 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1354,6 +1354,30 @@
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
+# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
+component_build_psa_want_ecc_key_pair_disabled_software() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR
+ msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+}
+
+# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
+component_build_psa_want_ecc_public_key_disabled_software() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY
+ msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+}
+
# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
component_build_psa_want_hmac_disabled_software() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC