Add ECDSA support to PSA crypto configuration

Initial changes to PSA crypto core to support configuration of ECDSA algorithm using PSA crypto configuration mechanism. Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have been changed to be based off PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to confirm new settings are working properly. Current code does not pass the tests since built in signature verification is not in place. Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-20 23:09:17 -07:00 · 2020-09-20 23:09:17 -07:00 · d8959390c5
commit d8959390c5
parent 7758c858ae
3 changed files with 61 additions and 10 deletions
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@ -32,6 +32,23 @@
 extern "C" {
 #endif

+//#define PSA_WANT_ALG_ECDSA
+//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+//#define PSA_WANT_ALG_ECDSA_DETERMINISTIC
+//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC
+
+#if defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
+#else /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
+#define MBEDTLS_ECDSA_C
+#endif /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
+#else /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
+
 #ifdef __cplusplus
 }
 #endif
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -2256,7 +2256,7 @@ exit:
 /* Message digests */
 /****************************************************************/

-#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(MBEDTLS_RSA_C) || defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
 static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
 {
    switch( alg )
@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
 }
 #endif /* MBEDTLS_RSA_C */

-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
 /* `ecp` cannot be const because `ecp->grp` needs to be non-const
 * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
 * (even though these functions don't modify it). */
@ -3554,7 +3554,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
        goto cleanup;
    }

-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
    if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
    {
        psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
@ -3567,7 +3567,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
                                                     &global_data.ctr_drbg ) );
    }
    else
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#endif /* PSA_WANT_ALG_ECDSA_DETERMINISTIC */
    {
        (void) alg;
        MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
@ -3629,7 +3629,7 @@ cleanup:
    mbedtls_mpi_free( &s );
    return( mbedtls_to_psa_error( ret ) );
 }
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* PSA_WANT_ALG_ECDSA */

 psa_status_t psa_sign_hash( psa_key_handle_t handle,
                            psa_algorithm_t alg,
@ -3698,9 +3698,9 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
 #if defined(MBEDTLS_ECP_C)
    if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
    {
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
        if(
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
            PSA_ALG_IS_ECDSA( alg )
 #else
            PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
@ -3723,7 +3723,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
            mbedtls_free( ecp );
        }
        else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(PSA_WANT_ALG_ECDSA) */
        {
            status = PSA_ERROR_INVALID_ARGUMENT;
        }
@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
 #if defined(MBEDTLS_ECP_C)
    if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
    {
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(PSA_WANT_ALG_ECDSA)
        if( PSA_ALG_IS_ECDSA( alg ) )
        {
            mbedtls_ecp_keypair *ecp = NULL;
@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
            return( status );
        }
        else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(PSA_WANT_ALG_ECDSA) */
        {
            return( PSA_ERROR_INVALID_ARGUMENT );
        }
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -1290,6 +1290,40 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
    if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }

+component_test_psa_crypto_config_basic() {
+    # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
+    # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
+    msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG MBEDTLS_PSA_CRYPTO_DRIVERS"
+    msg "build: minus MBEDTLS_USE_PSA_CRYPTO"
+    scripts/config.py full
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+    msg "test: psa crypto config basic"
+    make test
+}
+
+component_test_psa_crypto_config_want_ecdsa() {
+    # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
+    # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
+    msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,"
+    msg "build: PSA_CRYPTO_DRIVER_TEST, MBEDTLS_PSA_ACCEL_ALG_ECDSA,"
+    msg "build: PSA_WANT_ALG_ECDSA minus MBEDTLS_USE_PSA_CRYPTO"
+    scripts/config.py full
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.py unset MBEDTLS_ECDSA_C
+    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_WANT_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+    msg "test: psa crypto config want ECDSA"
+    make test
+}
+
 component_test_check_params_functionality () {
    msg "build+test: MBEDTLS_CHECK_PARAMS functionality"
    scripts/config.py full # includes CHECK_PARAMS