psa: Change psa_ecdsa_sign/verify signature
Change psa_ecdsa_sign/verify signature to that of
a sign/verify_hash driver entry point before to
move them to the psa_crypto_ecp.c ECP specific file.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 6d5256a..a9ce664 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3073,20 +3073,28 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
-/* `ecp` cannot be const because `ecp->grp` needs to be non-const
- * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
- * (even though these functions don't modify it). */
-static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length )
+
+static psa_status_t psa_ecdsa_sign(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length )
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t curve_bytes;
mbedtls_mpi r, s;
- size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
+
+ status = mbedtls_psa_ecp_load_representation( attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
mbedtls_mpi_init( &r );
mbedtls_mpi_init( &s );
@@ -3102,11 +3110,12 @@
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
- MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext( &ecp->grp, &r, &s,
- &ecp->d, hash,
- hash_length, md_alg,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE ) );
+ MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext(
+ &ecp->grp, &r, &s,
+ &ecp->d, hash,
+ hash_length, md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE ) );
}
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
@@ -3124,29 +3133,49 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &s,
signature + curve_bytes,
curve_bytes ) );
-
cleanup:
mbedtls_mpi_free( &r );
mbedtls_mpi_free( &s );
if( ret == 0 )
*signature_length = 2 * curve_bytes;
+
+ mbedtls_ecp_keypair_free( ecp );
+ mbedtls_free( ecp );
+
return( mbedtls_to_psa_error( ret ) );
}
-static psa_status_t psa_ecdsa_verify( mbedtls_ecp_keypair *ecp,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length )
+static psa_status_t psa_ecdsa_verify(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t curve_bytes;
mbedtls_mpi r, s;
- size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
+
+ (void)alg;
+
+ status = mbedtls_psa_ecp_load_representation( attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
mbedtls_mpi_init( &r );
mbedtls_mpi_init( &s );
if( signature_length != 2 * curve_bytes )
- return( PSA_ERROR_INVALID_SIGNATURE );
+ {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r,
signature,
@@ -3169,6 +3198,9 @@
cleanup:
mbedtls_mpi_free( &r );
mbedtls_mpi_free( &s );
+ mbedtls_ecp_keypair_free( ecp );
+ mbedtls_free( ecp );
+
return( mbedtls_to_psa_error( ret ) );
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
@@ -3207,21 +3239,11 @@
#endif
)
{
- mbedtls_ecp_keypair *ecp = NULL;
- status = mbedtls_psa_ecp_load_representation( attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &ecp );
- if( status != PSA_SUCCESS )
- goto exit;
- status = psa_ecdsa_sign( ecp,
- alg,
- hash, hash_length,
- signature, signature_size,
- signature_length );
- mbedtls_ecp_keypair_free( ecp );
- mbedtls_free( ecp );
+ return( psa_ecdsa_sign( attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size,
+ signature_length ) );
}
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
@@ -3235,7 +3257,6 @@
status = PSA_ERROR_NOT_SUPPORTED;
}
-exit:
return( status );
}
@@ -3325,20 +3346,10 @@
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
if( PSA_ALG_IS_ECDSA( alg ) )
{
- mbedtls_ecp_keypair *ecp = NULL;
- status = mbedtls_psa_ecp_load_representation( attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &ecp );
- if( status != PSA_SUCCESS )
- goto exit;
- status = psa_ecdsa_verify( ecp,
- hash, hash_length,
- signature, signature_length );
- mbedtls_ecp_keypair_free( ecp );
- mbedtls_free( ecp );
- goto exit;
+ return( psa_ecdsa_verify( attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length ) );
}
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||