Added additional support for ECP for PSA_CRYPTO_CONFIG

The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously
being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change
moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR
and PUBLIC_KEY as needed. Tests have also been added to validate the new
settings.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>

include/mbedtls/config_psa.h

@@ -63,23 +63,35 @@ extern "C" {
 #define MBEDTLS_ECDH_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_BIGNUM_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */
-#endif /* defined(PSA_WANT_ALG_ECDH) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH */
+
+#if defined(PSA_WANT_ECC_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR                1
+#endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */
+#endif /* PSA_WANT_ECC_KEY_PAIR */
+
+#if defined(PSA_WANT_ECC_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY              1
+#endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */
+#endif /* PSA_WANT_ECC_PUBLIC_KEY */
 
 #if defined(PSA_WANT_ALG_HMAC)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
 #define MBEDTLS_PSA_BUILTIN_ALG_HMAC                    1
 #define MBEDTLS_MD_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */
-#endif /* defined(PSA_WANT_ALG_HMAC) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* PSA_WANT_ALG_HMAC */
 
 #if defined(PSA_WANT_ALG_HKDF)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF                    1
 #define MBEDTLS_HKDF_C
 #define MBEDTLS_MD_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */
-#endif /* defined(PSA_WANT_ALG_HKDF) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
+#endif /* PSA_WANT_ALG_HKDF */
 
 #if defined(PSA_WANT_ALG_RSA)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA)
@@ -87,8 +99,8 @@ extern "C" {
 #define MBEDTLS_RSA_C
 #define MBEDTLS_BIGNUM_C
 #define MBEDTLS_OID_C
-#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */
-#endif /* defined(PSA_WANT_ALG_RSA) */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA */
+#endif /* PSA_WANT_ALG_RSA */
 
 #else /* MBEDTLS_PSA_CRYPTO_CONFIG */
 
@@ -110,6 +122,11 @@ extern "C" {
 #define MBEDTLS_PSA_BUILTIN_ALG_ECDH                    1
 #endif /* MBEDTLS_ECDH_C */
 
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR                1
+#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY              1
+#endif /* MBEDTLS_ECP_C */
+
 #if defined(MBEDTLS_MD_C)
 #define MBEDTLS_PSA_BUILTIN_ALG_HMAC                    1
 #endif /* MBEDTLS_MD_C */
@@ -118,7 +135,7 @@ extern "C" {
 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF                    1
 #endif /* MBEDTLS_HKDF_C */
 
-#ifdef MBEDTLS_RSA_C
+#if defined(MBEDTLS_RSA_C)
 #define MBEDTLS_PSA_BUILTIN_ALG_RSA                     1
 #endif /* MBEDTLS_RSA_C */
 

include/psa/crypto_config.h

@@ -53,6 +53,8 @@
 #define PSA_WANT_ALG_ECDSA                      1
 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA        1
 #define PSA_WANT_ALG_ECDH                       1
+#define PSA_WANT_ECC_KEY_PAIR                   1
+#define PSA_WANT_ECC_PUBLIC_KEY                 1
 #define PSA_WANT_ALG_HMAC                       1
 #define PSA_WANT_ALG_HKDF                       1
 #define PSA_WANT_ALG_RSA                        1

library/psa_crypto.c

@@ -370,7 +370,7 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot )
 }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
 mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
                                                size_t byte_length )
 {
@@ -438,7 +438,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
             return( MBEDTLS_ECP_DP_NONE );
     }
 }
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
 
 static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
                                                         size_t bits )
@@ -711,7 +711,7 @@ exit:
 }
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
 
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
 /** Load the contents of a key buffer into an internal ECP representation
  *
  * \param[in] type          The type of key contained in \p data.
@@ -930,7 +930,7 @@ exit:
 
     return( PSA_SUCCESS );
 }
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
 
 /** Return the size of the key in the given slot, in bits.
  *
@@ -1069,12 +1069,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
 
         /* Key format is not supported by any accelerator, try software fallback
          * if present. */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
         if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
         {
             return( psa_import_ecp_key( slot, data, data_length ) );
         }
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
         if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
         {
@@ -1647,7 +1647,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
         }
         else
         {
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
             mbedtls_ecp_keypair *ecp = NULL;
             psa_status_t status = psa_load_ecp_representation(
                                     slot->attr.type,
@@ -1671,7 +1671,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
 #else
             /* We don't know how to convert a private ECC key to public */
             return( PSA_ERROR_NOT_SUPPORTED );
-#endif
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
         }
     }
     else
@@ -3728,7 +3728,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
     }
     else
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
     if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
     {
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
@@ -3762,7 +3762,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
         }
     }
     else
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
     {
         status = PSA_ERROR_NOT_SUPPORTED;
     }
@@ -3829,7 +3829,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
     }
     else
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)
     if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
     {
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
@@ -3856,7 +3856,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
         }
     }
     else
-#endif /* defined(MBEDTLS_ECP_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */
     {
         return( PSA_ERROR_NOT_SUPPORTED );
     }
@@ -5782,7 +5782,7 @@ psa_status_t psa_key_derivation_input_key(
 /* Key agreement */
 /****************************************************************/
 
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
 static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
                                             size_t peer_key_length,
                                             const mbedtls_ecp_keypair *our_key,
@@ -5833,7 +5833,7 @@ exit:
 
     return( status );
 }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */
 
 #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
 
@@ -5847,7 +5847,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
 {
     switch( alg )
     {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
         case PSA_ALG_ECDH:
             if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
                 return( PSA_ERROR_INVALID_ARGUMENT );
@@ -5866,7 +5866,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
             mbedtls_ecp_keypair_free( ecp );
             mbedtls_free( ecp );
             return( status );
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */
         default:
             (void) private_key;
             (void) peer_key;
@@ -6144,7 +6144,7 @@ static psa_status_t psa_generate_key_internal(
     else
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */
 
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)
     if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
     {
         psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type );
@@ -6189,7 +6189,7 @@ static psa_status_t psa_generate_key_internal(
         return( status );
     }
     else
-#endif /* MBEDTLS_ECP_C */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) */
     {
         return( PSA_ERROR_NOT_SUPPORTED );
     }

tests/scripts/all.sh

@@ -1354,6 +1354,30 @@ component_build_psa_want_ecdh_disabled_software() {
     make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
 }
 
+# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
+component_build_psa_want_ecc_key_pair_disabled_software() {
+    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR
+    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR"
+    scripts/config.py full
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+}
+
+# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
+component_build_psa_want_ecc_public_key_disabled_software() {
+    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY
+    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY"
+    scripts/config.py full
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+}
+
 # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
 component_build_psa_want_hmac_disabled_software() {
     # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC