Switch back to non-PSA paths in PK when MBEDTLS_USE_PSA_CRYPTO is off
PK should only dispatch non-opaque operations to PSA when
MBEDTLS_USE_PSA_CRYPTO is enabled. When MBEDTLS_USE_PSA_CRYPTO is disabled
but MBEDTLS_PSA_CRYPTO_CLIENT is enabled, MBEDTLS_PK_OPAQUE should be
available but non-opaque operations should still dispatch to the built-in
legacy code. This commit fixes PK dispatch when CLIENT && !USE.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 47c1bc8..ac17e21 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -617,7 +617,9 @@
return ecdsa_verify_psa(key, key_len, curve, curve_bits,
hash, hash_len, sig, sig_len);
}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
mbedtls_md_type_t md_alg,
@@ -656,7 +658,7 @@
hash, hash_len, sig, sig_len);
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len)
@@ -673,7 +675,7 @@
return ret;
}
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@@ -734,7 +736,9 @@
return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
sig_len);
}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
* using the same function. */
@@ -794,7 +798,7 @@
return ret;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t sig_size, size_t *sig_len,
@@ -805,7 +809,7 @@
sig, sig_size, sig_len,
f_rng, p_rng);
}
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -916,7 +920,7 @@
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
{
@@ -1013,7 +1017,7 @@
(void) p_rng;
return eckey_check_pair_psa(pub, prv);
}
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
@@ -1022,7 +1026,7 @@
(const mbedtls_ecp_keypair *) prv->pk_ctx,
f_rng, p_rng);
}
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index e744ac8..35f02cb 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -544,7 +544,7 @@
Check pair #2 (EC, bad)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
Check pair #3 (RSA, OK)
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C