From de8593f2fec39d531cdce93e01df207844f30008 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 9 Jun 2020 19:55:26 +0200 Subject: [PATCH 1/8] Implement and test mbedtls_ecp_write_key mbedtls_ecp_write_key is a mirror function to mbedtls_ecp_read_key, which writes a private key back into a byte buffer in the correct format. This is a helpful convenience function, since the byte order is defined differently between Montgomery and Weierstrass curves. Since this difference is accounted for in mbedtls_ecp_read_key, it made sense to add mbedtls_ecp_write_key for the purpose of abstracting this away such that psa_export_key doesn't need to take byte order into account. Signed-off-by: Steven Cooreman --- include/mbedtls/ecp.h | 21 +++++++++++++ library/ecp.c | 47 ++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.data | 36 +++++++++++---------- tests/suites/test_suite_ecp.function | 46 ++++++++++++++++++++++++++- 4 files changed, 133 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 4c05b4fd0..9248fd377 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h 
@@ -1146,6 +1146,27 @@ int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, */ int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, const unsigned char *buf, size_t buflen ); + +/** + * \brief This function exports an elliptic curve private key. + * + * \param grp_id The ECP group identifier. + * \param key The private key. + * \param olen The amount of bytes written into the output buffer. + * \param buf The output buffer containing the binary representation of + * the key. (Big endian integer for Weierstrass curves, byte + * string for Montgomery curves.) + * \param buflen The total length of the buffer in bytes. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if key is larger than buffer. + * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + * the group is not implemented. + * \return Another negative error code on different kinds of failure. + */ +int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, + size_t *olen, unsigned char *buf, size_t buflen ); + /** * \brief This function checks that the keypair objects * \p pub and \p prv have the same group and the diff --git a/library/ecp.c b/library/ecp.c index 104e1f122..0aa61f170 100644 --- a/library/ecp.c +++ b/library/ecp.c 
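Review bot: The doc comment for mbedtls_ecp_write_key() does not say how the output is laid out when `buflen` is larger than the key. The implementation added to library/ecp.c in this patch passes `buflen` straight to mbedtls_mpi_write_binary() and mbedtls_mpi_write_binary_le(), so the whole buffer appears to be filled, while `olen` reports a smaller number. A caller that treats the first `olen` bytes as the key would read padding for a Weierstrass curve, where the value is right-aligned. I would state the layout in the `\param buf` text, for example `All \p buflen bytes are written: Weierstrass keys are left-padded with zeros, Montgomery keys are followed by zeros.`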
@@ -2996,6 +2996,53 @@ cleanup: return( ret ); } +/* + * Write a private key. + */ +int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, + size_t *olen, unsigned char *buf, size_t buflen ) +{ + int ret = 0; + + ECP_VALIDATE_RET( key != NULL ); + ECP_VALIDATE_RET( buf != NULL ); + ECP_VALIDATE_RET( olen != NULL ); + + if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 ) + return( ret ); + + ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + +#if defined(ECP_MONTGOMERY) + if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) + { + if( grp_id == MBEDTLS_ECP_DP_CURVE25519 ) + { + if( buflen < ECP_CURVE25519_KEY_SIZE ) + return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary_le( &key->d, buf, buflen ) ); + *olen = ECP_CURVE25519_KEY_SIZE; + } + else + ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + } + +#endif +#if defined(ECP_SHORTWEIERSTRASS) + if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS ) + { + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &key->d, buf, buflen ) ); + *olen = mbedtls_mpi_size( &key->d ); + } + +#endif +cleanup: + + return( ret ); +} + + /* * Check a public-private key pair */ diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 921917922..c180d379c 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data 
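Review bot: In the short-Weierstrass branch a too-small buffer is reported with whatever mbedtls_mpi_write_binary() returns, which is presumably an MPI error code rather than the `MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL` that ecp.h documents and that the Curve25519 branch returns explicitly. Callers that test for the documented code would miss the Weierstrass case. Either check the size first, `if( buflen < mbedtls_mpi_size( &key->d ) ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );`, or name the MPI code in the header comment.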
@@ -278,65 +278,69 @@ mbedtls_ecp_gen_key:MBEDTLS_ECP_DP_SECP192R1 ECP read key #1 (short weierstrass, too small) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"00":MBEDTLS_ERR_ECP_INVALID_KEY +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"00":MBEDTLS_ERR_ECP_INVALID_KEY:0 ECP read key #2 (short weierstrass, smallest) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"01":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"01":0:1 ECP read key #3 (short weierstrass, biggest) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830":0:1 ECP read key #4 (short weierstrass, too big) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831":MBEDTLS_ERR_ECP_INVALID_KEY +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831":MBEDTLS_ERR_ECP_INVALID_KEY:0 ECP read key #5 (Curve25519, most significant bit set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"000000000000000000000000000000000000000000000000000000000000000C":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"000000000000000000000000000000000000000000000000000000000000000C":0:0 ECP read key #6 (Curve25519, second most significant bit unset) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":0:0 ECP read key #7 (Curve25519, msb OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED 
-mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000004":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000004":0:1 ECP read key #8 (Curve25519, bit 0 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"1000000000000000000000000000000000000000000000000000000000000000":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"1000000000000000000000000000000000000000000000000000000000000000":0:0 ECP read key #9 (Curve25519, bit 1 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"2000000000000000000000000000000000000000000000000000000000000004":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"2000000000000000000000000000000000000000000000000000000000000004":0:0 ECP read key #10 (Curve25519, bit 2 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"4000000000000000000000000000000000000000000000000000000000000004":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"4000000000000000000000000000000000000000000000000000000000000004":0:0 ECP read key #11 (Curve25519, OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":0:1 ECP read key #12 (Curve25519, too long) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"00000000000000000000000000000000000000000000000000000000000000000C":MBEDTLS_ERR_ECP_INVALID_KEY +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"00000000000000000000000000000000000000000000000000000000000000000C":MBEDTLS_ERR_ECP_INVALID_KEY:0 ECP read key #13 (Curve25519, not long enough) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED 
-mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":MBEDTLS_ERR_ECP_INVALID_KEY +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":MBEDTLS_ERR_ECP_INVALID_KEY:0 ECP read key #14 (Curve448, not supported) -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE448:"FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE448:"FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 ECP read key #15 (Curve25519, not supported) depends_on:!MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 ECP read key #15 (invalid curve) -mbedtls_ecp_read_key:INT_MAX:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE +mbedtls_ecp_read_key:INT_MAX:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 + +ECP read key #16 (Curve25519 RFC, OK) +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":0:1 ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 03c3e538b..1a464ec6e 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function 
@@ -1069,12 +1069,14 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected ) +void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonical ) { int ret = 0; mbedtls_ecp_keypair key; + mbedtls_ecp_keypair key2; mbedtls_ecp_keypair_init( &key ); + mbedtls_ecp_keypair_init( &key2 ); ret = mbedtls_ecp_read_key( grp_id, &key, in_key->x, in_key->len ); TEST_ASSERT( ret == expected ); @@ -1083,10 +1085,52 @@ void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected ) { ret = mbedtls_ecp_check_privkey( &key.grp, &key.d ); TEST_ASSERT( ret == 0 ); + + if( canonical ) + { + unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; + size_t olen; + + ret = mbedtls_ecp_write_key( grp_id, &key, &olen, buf, in_key->len ); + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( olen == in_key->len ); + + mbedtls_fprintf( stdout, "written key: "); + for( size_t i = 0; i < in_key->len; i++ ) { + mbedtls_fprintf( stdout, "%02x", buf[i]); + } + mbedtls_fprintf( stdout, "\n"); + ASSERT_COMPARE( in_key->x, in_key->len, + buf, olen ); + } + else + { + unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; + size_t olen1; + + unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; + size_t olen2; + + ret = mbedtls_ecp_write_key( grp_id, &key, &olen1, export1, in_key->len ); + TEST_ASSERT( ret == 0 ); + + ret = mbedtls_ecp_read_key( grp_id, &key2, export1, in_key->len ); + TEST_ASSERT( ret == expected ); + + ret = mbedtls_ecp_write_key( grp_id, &key2, &olen2, export2, in_key->len ); + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( olen2 == olen1 ); + + ASSERT_COMPARE( export1, olen1, + export2, olen2 ); + } } exit: mbedtls_ecp_keypair_free( &key ); + mbedtls_ecp_keypair_free( &key2 ); } /* END_CASE */ From 6f5cc71ad15bc65e0a4e29b810644f04c99e0450 Mon Sep 17 00:00:00 2001 
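Review bot: Both new branches write `in_key->len` bytes into stack arrays of `MBEDTLS_ECP_MAX_BYTES` without comparing the two lengths, so a vector longer than the array that mbedtls_ecp_read_key() still accepts would presumably overrun `buf`, `export1` and `export2`. A guard before the first write, `TEST_ASSERT( in_key->len <= MBEDTLS_ECP_MAX_BYTES );`, turns that into an ordinary test failure. The non-canonical branch only checks that two exports agree with each other, not that the first export is the expected masked form of the input. The loop that prints the written key with `mbedtls_fprintf` looks like leftover debugging output. The unchecked length is carried through the later reworks of this test in patches 4/8 and 7/8.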
From: Steven Cooreman Date: Thu, 11 Jun 2020 16:40:41 +0200 Subject: [PATCH 2/8] Document masking of Montgomery private keys in psa_export_key Follow the PSA Crypto specification which was updated between 1.0 beta3 and 1.0.0. Add corresponding test cases. Signed-off-by: Steven Cooreman --- include/psa/crypto.h | 5 +++-- tests/suites/test_suite_psa_crypto.data | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2b07b7471..a5385ebdd 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -738,8 +738,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes, * `PSA_ECC_CURVE_CURVEXXX`), and in big-endian order for Weierstrass * curves (curve types `PSA_ECC_CURVE_SECTXXX`, `PSA_ECC_CURVE_SECPXXX` * and `PSA_ECC_CURVE_BRAINPOOL_PXXX`). - * This is the content of the `privateKey` field of the `ECPrivateKey` - * format defined by RFC 5915. + * For Weierstrass curves, this is the content of the `privateKey` field of + * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + * the format is defined by RFC 7748, and output is masked according to ยง5. * - For Diffie-Hellman key exchange key pairs (key types for which * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the * format is the representation of the private key `x` as a big-endian byte diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ae175e448..d2428a090 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -220,6 +220,22 @@ PSA import/export-public EC brainpool512r1: good depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_BRAINPOOL_P_R1):PSA_ALG_ECDSA_ANY:0:PSA_SUCCESS:"0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a" +PSA import/export EC curve25519 key pair: good (already properly masked) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED +import_export:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:1 + +PSA import/export EC curve25519 key pair: unmasked input (check export-import-export yields properly masked output) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED +import_export:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:0 + +PSA import/export-public EC curve25519: accept unmasked input +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED +import_export_public_key:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" + +PSA import/export-public EC curve25519: accept masked input +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED 
+import_export_public_key:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" + PSA import/export-public: cannot export-public a symmetric key depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_RSA_C import_export_public_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:PSA_ALG_CBC_NO_PADDING:0:PSA_ERROR_INVALID_ARGUMENT:"" From e3fd39289ea15787064b00e8c29d9e9a63d2ff5d Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 11 Jun 2020 16:50:36 +0200 Subject: [PATCH 3/8] Fix endianness and masking for Curve25519 keys handled by PSA Changed PSA core (and PKWrite) from reaching into MPI to using the proper ecp function to fetch a private key. Added changelog. Signed-off-by: Steven Cooreman --- ChangeLog.d/psa_curve25519_key_support.txt | 10 ++++++++++ library/pkwrite.c | 3 ++- library/psa_crypto.c | 14 ++++++-------- 3 files changed, 18 insertions(+), 9 deletions(-) create mode 100644 ChangeLog.d/psa_curve25519_key_support.txt diff --git a/ChangeLog.d/psa_curve25519_key_support.txt b/ChangeLog.d/psa_curve25519_key_support.txt new file mode 100644 index 000000000..f0d19aa73 --- /dev/null +++ b/ChangeLog.d/psa_curve25519_key_support.txt @@ -0,0 +1,10 @@ +Requirement changes + * Clarify and test the import/export behaviour of PSA key management APIs to + adhere to the to-be-introduced clarification. Montgomery keys + (such as Curve25519) should be imported/exported in masked form. + +Bugfix + * Update and test the PSA key management against Montgomery keys, since + these need to be imported/exported in little-endian form. Added mirror + function of mbedtls_ecp_read_key called mbedtls_ecp_write_key to retrieve + a private key in the correct form. diff --git a/library/pkwrite.c b/library/pkwrite.c index b1b5f4685..914b33ff4 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c 
@@ -166,9 +166,10 @@ static int pk_write_ec_private( unsigned char **p, unsigned char *start, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t byte_length = ( ec->grp.pbits + 7 ) / 8; + size_t output_length; unsigned char tmp[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length ); + ret = mbedtls_ecp_write_key( ec->grp.id, ec, &output_length, tmp, byte_length ); if( ret != 0 ) goto exit; ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length ); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 69323184d..1151d17f7 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -670,16 +670,12 @@ static psa_status_t psa_import_ec_private_key( psa_ecc_curve_t curve, if( status != PSA_SUCCESS ) goto exit; - /* Load the secret value. */ + /* Load and validate the secret key */ status = mbedtls_to_psa_error( - mbedtls_mpi_read_binary( &ecp->d, data, data_length ) ); - if( status != PSA_SUCCESS ) - goto exit; - /* Validate the private key. */ - status = mbedtls_to_psa_error( - mbedtls_ecp_check_privkey( &ecp->grp, &ecp->d ) ); + mbedtls_ecp_read_key( ecp->grp.id, ecp, data, data_length ) ); if( status != PSA_SUCCESS ) goto exit; + /* Calculate the public key from the private key. */ status = mbedtls_to_psa_error( mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G, @@ -1325,12 +1321,14 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) && !export_public_key ) { psa_status_t status; + size_t actual_data_size; size_t bytes = PSA_BITS_TO_BYTES( slot->attr.bits ); if( bytes > data_size ) return( PSA_ERROR_BUFFER_TOO_SMALL ); status = mbedtls_to_psa_error( - mbedtls_mpi_write_binary( &slot->data.ecp->d, data, bytes ) ); + mbedtls_ecp_write_key(slot->data.ecp->grp.id, slot->data.ecp, + &actual_data_size, data, bytes) ); if( status != PSA_SUCCESS ) return( status ); memset( data + bytes, 0, data_size - bytes ); 
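Review bot: The new comment `/* Load and validate the secret key */` in psa_import_ec_private_key() hides a behaviour change for Montgomery keys. The test cases added in patch 2/8 ("accept unmasked input", "check export-import-export yields properly masked output") show that unmasked Curve25519 input is accepted and stored in masked form, not rejected. I would say so at the call, e.g. `/* Load the secret key: Weierstrass keys are range-checked, Montgomery keys are masked per RFC 7748, so an export may differ from the imported bytes. */`. The function's body starts and ends outside this hunk. In the pkwrite.c and psa_internal_export_key() hunks of the same patch, `output_length` and `actual_data_size` are written but never read.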
From c9b7f78647b709a2a8a671b67e841b70f54ec870 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 11 Jun 2020 17:00:36 +0200 Subject: [PATCH 4/8] Rework mbedtls_ecp_write_key to remove unnecessary output parameter Signed-off-by: Steven Cooreman --- include/mbedtls/ecp.h | 10 +++++----- library/ecp.c | 5 +---- library/pkwrite.c | 3 +-- library/psa_crypto.c | 3 +-- tests/suites/test_suite_ecp.function | 25 ++++++------------------- 5 files changed, 14 insertions(+), 32 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 9248fd377..2526273fb 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1152,20 +1152,20 @@ int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * * \param grp_id The ECP group identifier. * \param key The private key. - * \param olen The amount of bytes written into the output buffer. - * \param buf The output buffer containing the binary representation of - * the key. (Big endian integer for Weierstrass curves, byte + * \param buf The output buffer for containing the binary representation + * of the key. (Big endian integer for Weierstrass curves, byte * string for Montgomery curves.) * \param buflen The total length of the buffer in bytes. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if key is larger than buffer. + * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + representation is larger than the available space in \p buf. * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for * the group is not implemented. * \return Another negative error code on different kinds of failure. */ int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, - size_t *olen, unsigned char *buf, size_t buflen ); + unsigned char *buf, size_t buflen ); /** * \brief This function checks that the keypair objects diff --git a/library/ecp.c b/library/ecp.c index 0aa61f170..94c796049 100644 --- a/library/ecp.c 
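Review bot: The continuation line of the `#MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL` entry (`representation is larger than the available space in \p buf.`) appears to have lost its ` * ` comment leader, which breaks the layout of the block and may affect how Doxygen renders it. With `olen` removed there is no way left to learn the written length, so the comment should also tell callers that the function fills all `buflen` bytes. "The output buffer for containing" reads better as `The output buffer to hold the binary representation`.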
+++ b/library/ecp.c @@ -3000,13 +3000,12 @@ cleanup: * Write a private key. */ int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, - size_t *olen, unsigned char *buf, size_t buflen ) + unsigned char *buf, size_t buflen ) { int ret = 0; ECP_VALIDATE_RET( key != NULL ); ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( olen != NULL ); if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 ) return( ret ); @@ -3022,7 +3021,6 @@ int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary_le( &key->d, buf, buflen ) ); - *olen = ECP_CURVE25519_KEY_SIZE; } else ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; @@ -3033,7 +3031,6 @@ int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS ) { MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &key->d, buf, buflen ) ); - *olen = mbedtls_mpi_size( &key->d ); } #endif diff --git a/library/pkwrite.c b/library/pkwrite.c index 914b33ff4..4288cd769 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -166,10 +166,9 @@ static int pk_write_ec_private( unsigned char **p, unsigned char *start, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t byte_length = ( ec->grp.pbits + 7 ) / 8; - size_t output_length; unsigned char tmp[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_ecp_write_key( ec->grp.id, ec, &output_length, tmp, byte_length ); + ret = mbedtls_ecp_write_key( ec->grp.id, ec, tmp, byte_length ); if( ret != 0 ) goto exit; ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length ); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1151d17f7..a620d3085 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -1321,14 +1321,13 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) && !export_public_key ) { psa_status_t status; - size_t actual_data_size; size_t bytes = PSA_BITS_TO_BYTES( slot->attr.bits ); if( bytes > data_size ) return( PSA_ERROR_BUFFER_TOO_SMALL ); status = mbedtls_to_psa_error( mbedtls_ecp_write_key(slot->data.ecp->grp.id, slot->data.ecp, - &actual_data_size, data, bytes) ); + data, bytes) ); if( status != PSA_SUCCESS ) return( status ); memset( data + bytes, 0, data_size - bytes ); diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 1a464ec6e..d014e8a7d 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function 
@@ -1089,42 +1089,29 @@ void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonic if( canonical ) { unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; - size_t olen; - ret = mbedtls_ecp_write_key( grp_id, &key, &olen, buf, in_key->len ); + ret = mbedtls_ecp_write_key( grp_id, &key, buf, in_key->len ); TEST_ASSERT( ret == 0 ); - TEST_ASSERT( olen == in_key->len ); - - mbedtls_fprintf( stdout, "written key: "); - for( size_t i = 0; i < in_key->len; i++ ) { - mbedtls_fprintf( stdout, "%02x", buf[i]); - } - mbedtls_fprintf( stdout, "\n"); ASSERT_COMPARE( in_key->x, in_key->len, - buf, olen ); + buf, in_key->len ); } else { unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; - size_t olen1; - unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; - size_t olen2; - ret = mbedtls_ecp_write_key( grp_id, &key, &olen1, export1, in_key->len ); + ret = mbedtls_ecp_write_key( grp_id, &key, export1, in_key->len ); TEST_ASSERT( ret == 0 ); ret = mbedtls_ecp_read_key( grp_id, &key2, export1, in_key->len ); TEST_ASSERT( ret == expected ); - ret = mbedtls_ecp_write_key( grp_id, &key2, &olen2, export2, in_key->len ); + ret = mbedtls_ecp_write_key( grp_id, &key2, export2, in_key->len ); TEST_ASSERT( ret == 0 ); - TEST_ASSERT( olen2 == olen1 ); - - ASSERT_COMPARE( export1, olen1, - export2, olen2 ); + ASSERT_COMPARE( export1, in_key->len, + export2, in_key->len ); } } From bd3a6f44976205d8d1bd3b20e02a0ff61b8dbefe Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Fri, 12 Jun 2020 11:29:00 +0200 Subject: [PATCH 5/8] Rewrite changelog for #3425 as requested Signed-off-by: Steven Cooreman --- ChangeLog.d/psa_curve25519_key_support.txt | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/ChangeLog.d/psa_curve25519_key_support.txt b/ChangeLog.d/psa_curve25519_key_support.txt index f0d19aa73..954ca0ff4 100644 --- a/ChangeLog.d/psa_curve25519_key_support.txt +++ b/ChangeLog.d/psa_curve25519_key_support.txt 
@@ -1,10 +1,9 @@ -Requirement changes - * Clarify and test the import/export behaviour of PSA key management APIs to - adhere to the to-be-introduced clarification. Montgomery keys - (such as Curve25519) should be imported/exported in masked form. +Features + * The new function mbedtls_ecp_write_key() exports private ECC keys back to + a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key(). Bugfix - * Update and test the PSA key management against Montgomery keys, since - these need to be imported/exported in little-endian form. Added mirror - function of mbedtls_ecp_read_key called mbedtls_ecp_write_key to retrieve - a private key in the correct form. + * Fix the endianness of Curve25519 keys imported/exported through the PSA + APIs. psa_import_key and psa_export_key will now correctly expect/output + Montgomery keys in little-endian as defined by RFC7748. Contributed by + Steven Cooreman in #3425. From 14f0e526fb91b19ab147b7165c90141b8dde03b5 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Fri, 12 Jun 2020 11:42:43 +0200 Subject: [PATCH 6/8] Fix Curve25519 ecp_read_key vectors to match description They did not match their description, probably due to a botched manual endianness conversion where the nibbles also got swapped. Signed-off-by: Steven Cooreman --- tests/suites/test_suite_ecp.data | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index c180d379c..f7074372e 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data 
@@ -294,31 +294,31 @@ mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF8361 ECP read key #5 (Curve25519, most significant bit set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"000000000000000000000000000000000000000000000000000000000000000C":0:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"00000000000000000000000000000000000000000000000000000000000000C0":0:0 ECP read key #6 (Curve25519, second most significant bit unset) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":0:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"F0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3F":0:0 ECP read key #7 (Curve25519, msb OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000004":0:1 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":0:1 ECP read key #8 (Curve25519, bit 0 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"1000000000000000000000000000000000000000000000000000000000000000":0:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0100000000000000000000000000000000000000000000000000000000000040":0:0 ECP read key #9 (Curve25519, bit 1 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"2000000000000000000000000000000000000000000000000000000000000004":0:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0200000000000000000000000000000000000000000000000000000000000040":0:0 ECP read key #10 (Curve25519, bit 2 set) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"4000000000000000000000000000000000000000000000000000000000000004":0:0 
+mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0400000000000000000000000000000000000000000000000000000000000040":0:0 ECP read key #11 (Curve25519, OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":0:1 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F":0:1 ECP read key #12 (Curve25519, too long) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED 
@@ -326,17 +326,17 @@ mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"00000000000000000000000000000000 ECP read key #13 (Curve25519, not long enough) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3":MBEDTLS_ERR_ECP_INVALID_KEY:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"F0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3F":MBEDTLS_ERR_ECP_INVALID_KEY:0 ECP read key #14 (Curve448, not supported) mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE448:"FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 ECP read key #15 (Curve25519, not supported) depends_on:!MBEDTLS_ECP_DP_CURVE25519_ENABLED -mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 +mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 ECP read key #15 (invalid curve) -mbedtls_ecp_read_key:INT_MAX:"8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 +mbedtls_ecp_read_key:INT_MAX:"F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0 ECP read key #16 (Curve25519 RFC, OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED From 0024df6b3744844d8b6f8fac961ec6d55b1633fe Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 13 Jul 2020 10:59:40 +0200 Subject: [PATCH 7/8] Remove superfluous argument to ecp_write_key Removed after feedback from PR review. Signed-off-by: Steven Cooreman --- include/mbedtls/ecp.h | 3 +-- library/ecp.c | 15 +++++---------- library/pkwrite.c | 2 +- library/psa_crypto.c | 4 ++-- tests/suites/test_suite_ecp.function | 6 +++--- 5 files changed, 12 insertions(+), 18 deletions(-) 
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 2526273fb..803d08efd 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1150,7 +1150,6 @@ int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, /** * \brief This function exports an elliptic curve private key. * - * \param grp_id The ECP group identifier. * \param key The private key. * \param buf The output buffer for containing the binary representation * of the key. (Big endian integer for Weierstrass curves, byte @@ -1164,7 +1163,7 @@ int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * the group is not implemented. * \return Another negative error code on different kinds of failure. */ -int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, +int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key, unsigned char *buf, size_t buflen ); /** diff --git a/library/ecp.c b/library/ecp.c index 94c796049..63e08dfc1 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -2999,23 +2999,18 @@ cleanup: /* * Write a private key. */ -int mbedtls_ecp_write_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, +int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key, unsigned char *buf, size_t buflen ) { - int ret = 0; + int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; - ECP_VALIDATE_RET( key != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - - if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 ) - return( ret ); - - ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + ECP_VALIDATE_RET( key != NULL ); + ECP_VALIDATE_RET( buf != NULL ); #if defined(ECP_MONTGOMERY) if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) { - if( grp_id == MBEDTLS_ECP_DP_CURVE25519 ) + if( key->grp.id == MBEDTLS_ECP_DP_CURVE25519 ) { if( buflen < ECP_CURVE25519_KEY_SIZE ) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; diff --git a/library/pkwrite.c b/library/pkwrite.c index 4288cd769..ca5562a77 100644 --- a/library/pkwrite.c 
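Review bot: Now that mbedtls_ecp_write_key() no longer calls mbedtls_ecp_group_load() on `key->grp`, nothing in the visible body modifies the key pair, so the parameter can be `const mbedtls_ecp_keypair *key` in both ecp.h and library/ecp.c. That makes it part of the contract that exporting a private key has no side effect on it, assuming the accessors called in the body accept const pointers. The Curve25519 branch also writes `return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;` without the parentheses used by the other returns in this function. The function body in library/ecp.c continues past the end of that hunk.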
+++ b/library/pkwrite.c @@ -168,7 +168,7 @@ static int pk_write_ec_private( unsigned char **p, unsigned char *start, size_t byte_length = ( ec->grp.pbits + 7 ) / 8; unsigned char tmp[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_ecp_write_key( ec->grp.id, ec, tmp, byte_length ); + ret = mbedtls_ecp_write_key( ec, tmp, byte_length ); if( ret != 0 ) goto exit; ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length ); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a620d3085..b3da8f789 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1326,8 +1326,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, if( bytes > data_size ) return( PSA_ERROR_BUFFER_TOO_SMALL ); status = mbedtls_to_psa_error( - mbedtls_ecp_write_key(slot->data.ecp->grp.id, slot->data.ecp, - data, bytes) ); + mbedtls_ecp_write_key( slot->data.ecp, + data, bytes ) ); if( status != PSA_SUCCESS ) return( status ); memset( data + bytes, 0, data_size - bytes ); diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index d014e8a7d..ec31c11a1 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1090,7 +1090,7 @@ void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonic { unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_ecp_write_key( grp_id, &key, buf, in_key->len ); + ret = mbedtls_ecp_write_key( &key, buf, in_key->len ); TEST_ASSERT( ret == 0 ); ASSERT_COMPARE( in_key->x, in_key->len, 
@@ -1101,13 +1101,13 @@ void mbedtls_ecp_read_key( int grp_id, data_t* in_key, int expected, int canonic unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_ecp_write_key( grp_id, &key, export1, in_key->len ); + ret = mbedtls_ecp_write_key( &key, export1, in_key->len ); TEST_ASSERT( ret == 0 ); ret = mbedtls_ecp_read_key( grp_id, &key2, export1, in_key->len ); TEST_ASSERT( ret == expected ); - ret = mbedtls_ecp_write_key( grp_id, &key2, export2, in_key->len ); + ret = mbedtls_ecp_write_key( &key2, export2, in_key->len ); TEST_ASSERT( ret == 0 ); ASSERT_COMPARE( export1, in_key->len, From 5a3c210e158f8f61d843195f36e31b90a0f5cc5a Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 13 Jul 2020 17:26:26 +0200 Subject: [PATCH 8/8] Update to renamed curve constant Signed-off-by: Steven Cooreman --- tests/suites/test_suite_psa_crypto.data | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index f102c59c7..6a2859124 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -222,19 +222,19 @@ import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51 PSA import/export EC curve25519 key pair: good (already properly masked) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED -import_export:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:1 +import_export:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:1 PSA import/export EC curve25519 key pair: unmasked input (check export-import-export yields properly masked output) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED -import_export:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:0 +import_export:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):PSA_KEY_USAGE_EXPORT:PSA_ALG_ECDH:255:0:PSA_SUCCESS:0 PSA import/export-public EC curve25519: accept unmasked input depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED -import_export_public_key:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" +import_export_public_key:"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" PSA import/export-public EC curve25519: accept masked input 
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED -import_export_public_key:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" +import_export_public_key:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):PSA_ALG_ECDH:0:PSA_SUCCESS:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a" PSA import/export-public: cannot export-public a symmetric key depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_RSA_C