PSA RSA needs pk_write
The PSA crypto code needs mbedtls_pk_write_key_der() and
mbedtls_pk_write_pubkey() when using RSA without drivers. We were already
forcing MBEDTLS_PK_WRITE_C when MBEDTLS_USE_PSA_CRYPTO is enabled. Do so
also when MBEDTLS_PSA_CRYPTO_C is enabled as well as MBEDTLS_RSA_C, even
without MBEDTLS_USE_PSA_CRYPTO. Fixes #6408.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/ChangeLog.d/psa_rsa_needs_pk.txt b/ChangeLog.d/psa_rsa_needs_pk.txt
new file mode 100644
index 0000000..3421aff
--- /dev/null
+++ b/ChangeLog.d/psa_rsa_needs_pk.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+ MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 6195ac9..21e63f1 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -74,7 +74,22 @@
#include MBEDTLS_USER_CONFIG_FILE
#endif
-#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+/* The PK wrappers need pk_write functions to format RSA key objects
+ * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
+ * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
+ * PSA crypto also needs pk_write to export RSA keys (otherwise the build
+ * goes through but psa_export_key() and psa_export_public_key() fail on
+ * RSA keys).
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_WRITE_C
+#endif
+
+/* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions
+ * to pass ECC keys to PSA. */
+#if defined(MBEDTLS_PK_C) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_C)
#define MBEDTLS_PK_WRITE_C
#endif