psa: fix guards for EC key derivation

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-22 09:40:09 +00:00 · 2023-06-22 13:09:36 +02:00 · 2023-06-22 13:09:36 +02:00 · 2a63460248
commit 2a63460248
parent f6587be09a
2 changed files with 12 additions and 32 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -5776,10 +5776,7 @@ static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
 *       always NULL.
 */
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
-    defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+    defined(MBEDTLS_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
 static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
    psa_key_slot_t *slot,
    size_t bits,
@ -5787,7 +5784,6 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
    uint8_t **data
    )
 {
-#if defined(MBEDTLS_ECP_LIGHT)
    unsigned key_out_of_range = 1;
    mbedtls_mpi k;
    mbedtls_mpi diff_N_2;
@ -5871,13 +5867,6 @@ cleanup:
    mbedtls_mpi_free(&k);
    mbedtls_mpi_free(&diff_N_2);
    return status;
-#else /* MBEDTLS_ECP_LIGHT */
-    (void) slot;
-    (void) bits;
-    (void) operation;
-    (void) data;
-    return PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_ECP_LIGHT */
 }

 /* ECC keys on a Montgomery elliptic curve draws a byte string whose length
@ -5945,10 +5934,7 @@ static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
    return status;
 }
 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
-          defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
+          defined(MBEDTLS_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */

 static psa_status_t psa_generate_derived_key_internal(
    psa_key_slot_t *slot,
@ -5965,10 +5951,7 @@ static psa_status_t psa_generate_derived_key_internal(
    }

 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
-    defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+    defined(MBEDTLS_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
    if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
        psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
        if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
@ -5986,10 +5969,7 @@ static psa_status_t psa_generate_derived_key_internal(
        }
    } else
 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
-          defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
-          defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
+          defined(MBEDTLS_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
    if (key_type_is_raw_bytes(slot->attr.type)) {
        if (bits % 8 != 0) {
            return PSA_ERROR_INVALID_ARGUMENT;
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@ -6589,7 +6589,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC SECP_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6604,7 +6604,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC SECP_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6619,7 +6619,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC SECT_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6634,7 +6634,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC SECT_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6649,7 +6649,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC SECT_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6664,7 +6664,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC BRAINPOOL_P_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6679,7 +6679,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_NOT_SUPPORTED:0

 PSA key derivation: bits=0 invalid for ECC MONTGOMERY
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
@ -6694,7 +6694,7 @@ derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 PSA key derivation: bits=7 invalid for ECC MONTGOMERY (ECC disabled)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_INVALID_ARGUMENT:0
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_NOT_SUPPORTED:0


 PSA key derivation: raw data, 8 bits