pk: guard mbedtls_pk_setup_opaque() with CRYPTO_CLIENT instead of USE_PSA

This commit also solves related issues in order to have test components related to CRYPTO_CLIENT passing. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-30 07:20:59 +00:00 · 2024-02-19 12:03:59 +01:00 · 2024-02-19 12:03:59 +01:00 · 7986c77bbd
commit 7986c77bbd
parent 3f031f7c66
9 changed files with 39 additions and 35 deletions
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@ -233,9 +233,9 @@ typedef struct mbedtls_pk_context {
     * Note: this private key storing solution only affects EC keys, not the
     *       other ones. The latters still use the pk_ctx to store their own
     *       context. */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
    mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id);      /**< Key ID for opaque keys */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
    /* The following fields are meant for storing the public key in raw format
     * which is handy for:
     * - easily importing it into the PSA context
@ -357,7 +357,7 @@ void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx);
 */
 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 /**
 * \brief           Initialize a PK context to wrap a PSA key.
 *
@ -388,7 +388,7 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
 */
 int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
                            const mbedtls_svc_key_id_t key);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /**
--- a/library/pk.c
+++ b/library/pk.c
@ -151,7 +151,7 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
    return 0;
 }

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 /*
 * Initialise a PSA-wrapping context
 */
@ -188,7 +188,7 @@ int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,

    return 0;
 }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /*
--- a/library/pk_internal.h
+++ b/library/pk_internal.h
@ -17,7 +17,7 @@
 #include "mbedtls/ecp.h"
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #include "psa/crypto.h"

 #include "psa_util_internal.h"
@ -28,7 +28,7 @@
 #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
                                                                    psa_to_pk_ecdsa_errors,        \
                                                                    psa_pk_status_to_mbedtls)
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 /* Headers/footers for PEM files */
 #define PEM_BEGIN_PUBLIC_KEY    "-----BEGIN PUBLIC KEY-----"
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@ -522,7 +522,7 @@ static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
 }

 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 /* Common helper for ECDSA verify using PSA functions. */
 static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
                            psa_ecc_family_t curve, size_t curve_bits,
@ -656,7 +656,7 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
                            hash, hash_len, sig, sig_len);
 }
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
+#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
 static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                             const unsigned char *hash, size_t hash_len,
                             const unsigned char *sig, size_t sig_len)
@ -673,11 +673,11 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,

    return ret;
 }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */

 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 /* Common helper for ECDSA sign using PSA functions.
 * Instead of extracting key's properties in order to check which kind of ECDSA
 * signature it supports, we try both deterministic and non-deterministic.
@ -794,7 +794,7 @@ cleanup:
    return ret;
 }
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
+#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hash_len,
                           unsigned char *sig, size_t sig_size, size_t *sig_len,
@ -805,7 +805,7 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                                         sig, sig_size, sig_len,
                                         f_rng, p_rng);
 }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */

 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@ -916,7 +916,7 @@ cleanup:
 }
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
 {
@ -1013,7 +1013,7 @@ static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *pr
    (void) p_rng;
    return eckey_check_pair_psa(pub, prv);
 }
-#else /* MBEDTLS_USE_PSA_CRYPTO */
+#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
                                 int (*f_rng)(void *, unsigned char *, size_t),
                                 void *p_rng)
@ -1022,9 +1022,9 @@ static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *pr
                                      (const mbedtls_ecp_keypair *) prv->pk_ctx,
                                      f_rng, p_rng);
 }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
 * using the same function. */
@ -1064,7 +1064,7 @@ static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
    return 0;
 }
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 static void *eckey_alloc_wrap(void)
@ -1394,7 +1394,7 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
 };
 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
 {
    size_t bits;
@ -1556,6 +1556,6 @@ const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
    .debug_func = NULL,
 };

-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 #endif /* MBEDTLS_PK_C */
--- a/library/pk_wrap.h
+++ b/library/pk_wrap.h
@ -121,7 +121,7 @@ extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
 extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
 extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;

@ -133,6 +133,6 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
                                size_t *sig_len);
 #endif /* MBEDTLS_RSA_C */

-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

 #endif /* MBEDTLS_PK_WRAP_H */
--- a/library/psa_util.c
+++ b/library/psa_util.c
@ -107,7 +107,7 @@ const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
 };
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
    defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
 const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[] =
 {
--- a/library/psa_util_internal.h
+++ b/library/psa_util_internal.h
@ -69,7 +69,7 @@ extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
 extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
 #endif

-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
    defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
 extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
 #endif
--- a/tests/include/test/psa_crypto_helpers.h
+++ b/tests/include/test/psa_crypto_helpers.h
@ -318,9 +318,9 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);

 /** \def USE_PSA_INIT
 *
- * Call this macro to initialize the PSA subsystem if #MBEDTLS_USE_PSA_CRYPTO
- * or #MBEDTLS_SSL_PROTO_TLS1_3 (In contrast to TLS 1.2 implementation, the
- * TLS 1.3 one uses PSA independently of the definition of
+ * Call this macro to initialize the PSA subsystem if #MBEDTLS_USE_PSA_CRYPTO or
+ * #MBEDTLS_PSA_CRYPTO_CLIENT or #MBEDTLS_SSL_PROTO_TLS1_3 (In contrast to
+ * TLS 1.2 implementation, the TLS 1.3 one uses PSA independently of the definition of
 * #MBEDTLS_USE_PSA_CRYPTO) is enabled and do nothing otherwise.
 *
 * If the initialization fails, mark the test case as failed and jump to the
@ -333,16 +333,19 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
 * This is like #PSA_DONE except it does nothing under the same conditions as
 * #USE_PSA_INIT.
 */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) || \
+    defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #define USE_PSA_INIT() PSA_INIT()
 #define USE_PSA_DONE() PSA_DONE()
-#else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+#else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 ||
+         MBEDTLS_PSA_CRYPTO_CLIENT */
 /* Define empty macros so that we can use them in the preamble and teardown
 * of every test function that uses PSA conditionally based on
 * MBEDTLS_USE_PSA_CRYPTO. */
 #define USE_PSA_INIT() ((void) 0)
 #define USE_PSA_DONE() ((void) 0)
-#endif /* !MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_SSL_PROTO_TLS1_3 &&
+          !MBEDTLS_PSA_CRYPTO_CLIENT */

 /** \def MD_PSA_INIT
 *
@ -394,8 +397,8 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
 /** \def MD_OR_USE_PSA_INIT
 *
 * Call this macro to initialize the PSA subsystem if MD uses a driver,
- * or if #MBEDTLS_USE_PSA_CRYPTO or #MBEDTLS_SSL_PROTO_TLS1_3 is enabled,
- * and do nothing otherwise.
+ * or if #MBEDTLS_USE_PSA_CRYPTO or #MBEDTLS_PSA_CRYPTO_CLIENT or
+ * #MBEDTLS_SSL_PROTO_TLS1_3 is enabled, and do nothing otherwise.
 *
 * If the initialization fails, mark the test case as failed and jump to the
 * \p exit label.
@ -408,7 +411,8 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
 * #MD_OR_USE_PSA_INIT.
 */
 #if defined(MBEDTLS_MD_SOME_PSA) || \
-    defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) || \
+    defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #define MD_OR_USE_PSA_INIT()   PSA_INIT()
 #define MD_OR_USE_PSA_DONE()   PSA_DONE()
 #else
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@ -544,7 +544,7 @@ mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0

 Check pair #2 (EC, bad)
 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA

 Check pair #3 (RSA, OK)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C