PK: don't use mbedtls_ecp_check_pub_priv() when USE_PSA is enabled #7391
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Instead of using the legacy mbedtls_ecp_check_pub_priv() function which was based on ECP math, we add a new option named eckey_check_pair_psa() which takes advantage of PSA. Of course, this is available when MBEDTLS_USE_PSA_CRYPTO in enabled. Tests were also fixed accordingly. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
valeriosetti
added
enhancement
needs-review
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
3 tasks
mpg
requested changes
Apr 4, 2023
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
mpg
removed
needs-ci
mprse
reviewed
Apr 6, 2023
library/pk_wrap.c
Outdated
Comment on lines
1145
to
1154
| if (status != PSA_SUCCESS) { | ||
| ret = PSA_PK_TO_MBEDTLS_ERR(status); | ||
| status = psa_destroy_key(key_id); | ||
| return (status != PSA_SUCCESS) ? PSA_PK_TO_MBEDTLS_ERR(status) : ret; | ||
| } | ||
|
|
||
| status = psa_destroy_key(key_id); | ||
| if (status != PSA_SUCCESS) { | ||
| return PSA_PK_TO_MBEDTLS_ERR(status); | ||
| } |
There was a problem hiding this comment.
Call to psa_destroy_key(key_id) is duplicated. Key is destroyed regardless of status of psa_export_public_key. Seems that this can be optimized.
There was a problem hiding this comment.
Key is destroyed regardless of status of psa_export_public_key
But if psa_export_public_key() fails then we need to destroy the key that was imported few lines above before returning from this function. Am I missing something?
There was a problem hiding this comment.
As for the possible optimization I thought something like this:
ret = PSA_PK_TO_MBEDTLS_ERR(psa_export_public_key(key_id,
prv_key_buf,
sizeof(prv_key_buf),
&prv_key_len));
status = psa_destroy_key(key_id);
if (ret != 0 || status != PSA_SUCCESS) {
return (ret != 0) ? ret : PSA_PK_TO_MBEDTLS_ERR(status);
}
Is that what you were looking for?
library/pk_wrap.c
Outdated
| size_t pub_key_len; | ||
| mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; | ||
| size_t curve_bits; | ||
| psa_ecc_family_t curve = |
There was a problem hiding this comment.
Suggested change
| psa_ecc_family_t curve = | |
| const psa_ecc_family_t curve = |
library/pk_wrap.c
Outdated
| size_t curve_bits; | ||
| psa_ecc_family_t curve = | ||
| mbedtls_ecc_group_to_psa(prv_ctx->grp.id, &curve_bits); | ||
| size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits); |
There was a problem hiding this comment.
Suggested change
| size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits); | |
| const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits); |
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
mprse
approved these changes
Apr 7, 2023
3 tasks
mpg
added
approved
mpg
added
needs-ci
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Instead of using the legacy mbedtls_ecp_check_pub_priv() function which was based on ECP math, we add a new option named eckey_check_pair_psa() which takes advantage of PSA.
Resolves #7387
Gatekeeper checklist