PSA interruptible sign/verify: detect invalid curve family in start

Detect attempts to do ECDSA with a Montgomery curve in psa_sign_hash_start() and psa_verify_hash_start(), whereas before start() would succeed and complete() would fail. This avoids an inconsistency between psa_sign_hash() and psa_sign_hash_start() that would be annoying to handle in test_suite_psa_crypto_op_fail. Signed-off-by: Gilles Peskine <[email protected]>
Mbed-TLS · Dec 16, 2024 · e105031 · e105031
1 parent f8fdea0
commit e105031
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -3969,9 +3969,13 @@ psa_status_t mbedtls_psa_sign_hash_start(
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     size_t required_hash_length;
 
-    if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -4188,6 +4192,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
     if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;