PSA interruptible sign/verify: detect invalid curve family in start

Detect attempts to do ECDSA with a Montgomery curve in psa_sign_hash_start()
and psa_verify_hash_start(), whereas before start() would succeed and
complete() would fail. This avoids an inconsistency between psa_sign_hash()
and psa_sign_hash_start() that would be annoying to handle in
test_suite_psa_crypto_op_fail.

Signed-off-by: Gilles Peskine <[email protected]>

Author: gilles-peskine-arm

library/psa_crypto.c

@@ -3969,9 +3969,13 @@ psa_status_t mbedtls_psa_sign_hash_start(
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     size_t required_hash_length;
 
-    if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -4188,6 +4192,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
     if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
     if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;