psa: Support RSA signature without MBEDTLS_GENPRIME

On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes #4512 Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-14 08:34:32 +01:00 · 2021-05-14 08:34:32 +01:00 · 424fa93efd
commit 424fa93efd
parent ff143c0a34
4 changed files with 26 additions and 6 deletions
--- a/ChangeLog.d/psa-without-genprime-fix.txt
+++ b/ChangeLog.d/psa-without-genprime-fix.txt
@ -0,0 +1,5 @@
+Bugfix
+   * Restore the ability to configure PSA via Mbed TLS options to support RSA
+     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+     Fixes #4512.
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -4637,7 +4637,8 @@ psa_status_t psa_generate_key_internal(
    }
    else

-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
+    defined(MBEDTLS_GENPRIME)
    if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
    {
        return( mbedtls_psa_rsa_generate_key( attributes,
@ -4646,7 +4647,8 @@ psa_status_t psa_generate_key_internal(
                                              key_buffer_length ) );
    }
    else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+        * defined(MBEDTLS_GENPRIME) */

 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
    if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@ -274,7 +274,8 @@ static psa_status_t rsa_export_public_key(
 #endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
        * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */

-#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
+    defined(MBEDTLS_GENPRIME)
 static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters,
                                           size_t domain_parameters_size,
                                           int *exponent )
@ -332,7 +333,8 @@ static psa_status_t rsa_generate_key(

    return( status );
 }
-#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+        * defined(MBEDTLS_GENPRIME) */

 /****************************************************************/
 /* Sign/verify hashes */
@ -565,7 +567,8 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */

-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
+    defined(MBEDTLS_GENPRIME)
 psa_status_t mbedtls_psa_rsa_generate_key(
    const psa_key_attributes_t *attributes,
    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
@ -573,7 +576,8 @@ psa_status_t mbedtls_psa_rsa_generate_key(
    return( rsa_generate_key( attributes, key_buffer, key_buffer_size,
                              key_buffer_length ) );
 }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+        * defined(MBEDTLS_GENPRIME) */

 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -809,6 +809,15 @@ component_test_psa_crypto_client () {
    make test
 }

+component_test_psa_crypto_rsa_no_genprime() {
+    msg "build: default config minus MBEDTLS_GENPRIME"
+    scripts/config.py unset MBEDTLS_GENPRIME
+    make
+
+    msg "test: default config minus MBEDTLS_GENPRIME"
+    make test
+}
+
 component_test_ref_configs () {
    msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .