From f87e3aea167df8061067ca87992f485297c0c876 Mon Sep 17 00:00:00 2001
From: John Durkop <john.durkop@fermatsoftware.com>
Date: Mon, 26 Oct 2020 15:25:23 -0700
Subject: [PATCH] Update guards in PSA crypto library for ECDSA and
 DETERMINISTIC support

In the PSA crypto library, the code for verification of ECDSA is the same for
both MBEDTLS_PSA_BUILTIN_ALG_ECDSA and
MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA. So, the guards should allow for
either one to enable the code blocks. The original implementation only had
the check for ECDSA. In order to make this work, config_psa.h was updated
to ensure when MBEDTLS_CRYPTO_CONFIG is disabled, the setting for DETERMINISTIC
is only updated if MBEDTLS_ECDSA_C is also enabled.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
---
 include/mbedtls/config_psa.h | 4 +++-
 library/psa_crypto.c         | 8 ++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 31c5e1d998..6af4d19995 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -65,12 +65,14 @@ extern "C" {
  */
 #if defined(MBEDTLS_ECDSA_C)
 #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
-#endif /* MBEDTLS_ECDSA_C */
 
+// Only add in DETERMINISTIC support if ECDSA is also enabled
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
+#endif /* MBEDTLS_ECDSA_C */
+
 #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
 
 #ifdef __cplusplus
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a73c6c7bcf..45b6890074 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
 }
 #endif /* MBEDTLS_RSA_C */
 
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
 /* `ecp` cannot be const because `ecp->grp` needs to be non-const
  * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
  * (even though these functions don't modify it). */
@@ -3629,7 +3629,7 @@ cleanup:
     mbedtls_mpi_free( &s );
     return( mbedtls_to_psa_error( ret ) );
 }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
 
 psa_status_t psa_sign_hash( psa_key_handle_t handle,
                             psa_algorithm_t alg,
@@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
 #if defined(MBEDTLS_ECP_C)
     if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
     {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
         if( PSA_ALG_IS_ECDSA( alg ) )
         {
             mbedtls_ecp_keypair *ecp = NULL;
@@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
             return( status );
         }
         else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
         {
             return( PSA_ERROR_INVALID_ARGUMENT );
         }