Add ECDSA support to PSA crypto configuration
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index dde12b8..376834a 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -32,6 +32,23 @@
extern "C" {
#endif
+//#define PSA_WANT_ALG_ECDSA
+//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+//#define PSA_WANT_ALG_ECDSA_DETERMINISTIC
+//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC
+
+#if defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
+#else /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
+#define MBEDTLS_ECDSA_C
+#endif /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
+#else /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
+
#ifdef __cplusplus
}
#endif
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 931e2e9..fa3cea3 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2256,7 +2256,7 @@
/* Message digests */
/****************************************************************/
-#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(MBEDTLS_RSA_C) || defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
{
switch( alg )
@@ -3530,7 +3530,7 @@
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
/* `ecp` cannot be const because `ecp->grp` needs to be non-const
* for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
* (even though these functions don't modify it). */
@@ -3554,7 +3554,7 @@
goto cleanup;
}
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
{
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
@@ -3567,7 +3567,7 @@
&global_data.ctr_drbg ) );
}
else
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#endif /* PSA_WANT_ALG_ECDSA_DETERMINISTIC */
{
(void) alg;
MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
@@ -3629,7 +3629,7 @@
mbedtls_mpi_free( &s );
return( mbedtls_to_psa_error( ret ) );
}
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* PSA_WANT_ALG_ECDSA */
psa_status_t psa_sign_hash( psa_key_handle_t handle,
psa_algorithm_t alg,
@@ -3698,9 +3698,9 @@
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
if(
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
PSA_ALG_IS_ECDSA( alg )
#else
PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
@@ -3723,7 +3723,7 @@
mbedtls_free( ecp );
}
else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(PSA_WANT_ALG_ECDSA) */
{
status = PSA_ERROR_INVALID_ARGUMENT;
}
@@ -3799,7 +3799,7 @@
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
if( PSA_ALG_IS_ECDSA( alg ) )
{
mbedtls_ecp_keypair *ecp = NULL;
@@ -3817,7 +3817,7 @@
return( status );
}
else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(PSA_WANT_ALG_ECDSA) */
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 578d03e..f079334 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1290,6 +1290,40 @@
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
+component_test_psa_crypto_config_basic() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
+ # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
+ msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG MBEDTLS_PSA_CRYPTO_DRIVERS"
+ msg "build: minus MBEDTLS_USE_PSA_CRYPTO"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: psa crypto config basic"
+ make test
+}
+
+component_test_psa_crypto_config_want_ecdsa() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
+ # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
+ msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,"
+ msg "build: PSA_CRYPTO_DRIVER_TEST, MBEDTLS_PSA_ACCEL_ALG_ECDSA,"
+ msg "build: PSA_WANT_ALG_ECDSA minus MBEDTLS_USE_PSA_CRYPTO"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py unset MBEDTLS_ECDSA_C
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_WANT_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: psa crypto config want ECDSA"
+ make test
+}
+
component_test_check_params_functionality () {
msg "build+test: MBEDTLS_CHECK_PARAMS functionality"
scripts/config.py full # includes CHECK_PARAMS