mpg
commented
4 months ago I've just been thinking: since the keys are held as PK contexts in X.509 and TLS so far, and those modules always use PK functions to operate on them (even when USE_PSA_CRYPTO is enabled), perhaps the easiest way to achieve what we want is to extend mbedtls_pk_verify_restartable() and mbedtls_pk_sign_restartable() so that they use the PSA interruptible API under the hood when USE_PSA_CRYPTO is enabled. That way absolutely no change to X.509 or TLS is needed.
This would probably involve providing an alternative definition of the type mbedtls_pk_restart_ctx when USE_PSA_CRYPTO is enabled, as well as providing PSA-based implementations of ecdsa_verify_rs_wrap and ecdsa_sign_rs_wrap when USE_PSA_CRYPTO is enabled.
gilles-peskine-arm
PSA recently gained interruptible functions for signing and verifying hash-based signatures. So far, these functions are not used by X.509 or TLS, but they should be used when
MBEDTLS_USE_PSA_CRYPTOenabled, in all places that currently support restartable operations using the legacy API (that's currently just 1.2 with the ECDHE-ECDSA key exchange, including client authentication), in order to avoid feature gaps in PSA-based builds.This task is to investigate how to achieve that goal, and break the work down in reasonnably-size and testable steps.
Note: execution of the work will probably depend on https://github.com/Mbed-TLS/mbedtls/issues/7029