diff --git a/library/psa_crypto.c b/library/psa_crypto.c index af8a7a973..460b9df6c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3638,10 +3638,6 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, { psa_key_slot_t *slot; psa_status_t status; -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - const psa_drv_se_t *drv; - psa_drv_se_context_t *drv_context; -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ *signature_length = signature_size; /* Immediately reject a zero-length signature buffer. This guarantees @@ -3671,24 +3667,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, if( status != PSA_ERROR_NOT_SUPPORTED ) goto exit; -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) - { - if( drv->asymmetric == NULL || - drv->asymmetric->p_sign == NULL ) - { - status = PSA_ERROR_NOT_SUPPORTED; - goto exit; - } - status = drv->asymmetric->p_sign( drv_context, - slot->data.se.slot_number, - alg, - hash, hash_length, - signature, signature_size, - signature_length ); - } - else -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + /* If the operation was not supported by any accelerator, try fallback. */ #if defined(MBEDTLS_RSA_C) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 9ace0cb28..06f33699d 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -28,9 +28,17 @@ #if defined(MBEDTLS_TEST_HOOKS) #undef MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT #define MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT +#undef MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#define MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT #include "drivers/test_driver.h" #endif +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) +#undef MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT +#define MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT +#include "psa_crypto_se.h" +#endif + /* Include driver definition file for each registered driver */ /* Start delegation functions */ @@ -43,6 +51,30 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, size_t *signature_length ) { #if defined(MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT) + /* Try dynamically-registered SE interface first */ +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) + const psa_drv_se_t *drv; + psa_drv_se_context_t *drv_context; + + if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) + { + if( drv->asymmetric == NULL || + drv->asymmetric->p_sign == NULL ) + { + /* Key is defined in SE, but we have no way to exercise it */ + return PSA_ERROR_INVALID_ARGUMENT; + } + return( drv->asymmetric->p_sign( drv_context, + slot->data.se.slot_number, + alg, + hash, hash_length, + signature, signature_size, + signature_length ) ); + } +#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + + /* Then try accelerator API */ +#if defined(MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime); psa_key_attributes_t attributes = { @@ -87,6 +119,9 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, /* Key is declared with a lifetime not known to us */ return status; } +#else /* MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + return PSA_ERROR_NOT_SUPPORTED; +#endif /* MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT */ (void)slot; (void)alg;