Merge pull request #9890 from gilles-peskine-arm/psa-storage-test-cas…

…es-never-supported-negative-preamble-3.6 PSA interruptible sign/verify: detect invalid curve family in start
Mbed-TLS · Jan 15, 2025 · 680d5bb · 680d5bb
2 parents d975184 + abf9f1a
commit 680d5bb
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -3969,9 +3969,13 @@ psa_status_t mbedtls_psa_sign_hash_start(
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     size_t required_hash_length;
 
-    if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -4188,6 +4192,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
     if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;