Switch back to non-PSA paths in PK when MBEDTLS_USE_PSA_CRYPTO is off

PK should only dispatch non-opaque operations to PSA when MBEDTLS_USE_PSA_CRYPTO is enabled. When MBEDTLS_USE_PSA_CRYPTO is disabled but MBEDTLS_PSA_CRYPTO_CLIENT is enabled, MBEDTLS_PK_OPAQUE should be available but non-opaque operations should still dispatch to the built-in legacy code. This commit fixes PK dispatch when CLIENT && !USE. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-04-09 21:44:28 +00:00 · 2024-02-19 20:27:36 +01:00 · 2024-02-19 20:27:36 +01:00 · a26a1b7acd
commit a26a1b7acd
parent 7986c77bbd
2 changed files with 12 additions and 8 deletions
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@ -617,7 +617,9 @@ static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
    return ecdsa_verify_psa(key, key_len, curve, curve_bits,
                            hash, hash_len, sig, sig_len);
 }
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
                             mbedtls_md_type_t md_alg,
@ -656,7 +658,7 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
                            hash, hash_len, sig, sig_len);
 }
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
 static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                             const unsigned char *hash, size_t hash_len,
                             const unsigned char *sig, size_t sig_len)
@ -673,7 +675,7 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,

    return ret;
 }
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */

 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@ -734,7 +736,9 @@ static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
    return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
                          sig_len);
 }
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */

+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
 * using the same function. */
@ -794,7 +798,7 @@ cleanup:
    return ret;
 }
 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hash_len,
                           unsigned char *sig, size_t sig_size, size_t *sig_len,
@ -805,7 +809,7 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
                                         sig, sig_size, sig_len,
                                         f_rng, p_rng);
 }
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */

 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@ -916,7 +920,7 @@ cleanup:
 }
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */

-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
 {
@ -1013,7 +1017,7 @@ static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *pr
    (void) p_rng;
    return eckey_check_pair_psa(pub, prv);
 }
-#else /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
                                 int (*f_rng)(void *, unsigned char *, size_t),
                                 void *p_rng)
@ -1022,7 +1026,7 @@ static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *pr
                                      (const mbedtls_ecp_keypair *) prv->pk_ctx,
                                      f_rng, p_rng);
 }
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@ -544,7 +544,7 @@ mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0

 Check pair #2 (EC, bad)
 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA

 Check pair #3 (RSA, OK)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C