From 1265f004941967cbf5cfba0d14d3cb4f63f7d3a1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 9 Sep 2022 17:15:43 +0100
Subject: [PATCH 01/70] First draft of PSA interruptible ECC signing design

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto.h        | 606 ++++++++++++++++++++++++++++++++++++
 include/psa/crypto_struct.h |  42 +++
 include/psa/crypto_values.h |  21 ++
 3 files changed, 669 insertions(+)

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2b9b2a27e..482b58288 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -4045,6 +4045,612 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
 
 /**@}*/
 
+/** \defgroup interruptible_hash Interruptible sign/verify hash
+ * @{
+ */
+
+/** The type of the state data structure for interruptible hash
+ *  signing operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ *   \code
+ *   psa_sign_hash_interruptible_operation_t operation;
+ *   memset(&operation, 0, sizeof(operation));
+ *   \endcode
+ * - Initialize the structure to logical zero values, for example:
+ *   \code
+ *   psa_sign_hash_interruptible_operation_t operation = {0};
+ *   \endcode
+ * - Initialize the structure to the initializer
+ *   #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ *   \code
+ *   psa_sign_hash_interruptible_operation_t operation =
+ *   PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ *   \endcode
+ * - Assign the result of the function
+ *   psa_sign_hash_interruptible_operation_init() to the structure, for
+ *   example:
+ *   \code
+ *   psa_sign_hash_interruptible_operation_t operation;
+ *   operation = psa_sign_hash_interruptible_operation_init();
+ *   \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
+
+/** The type of the state data structure for interruptible hash
+ *  verification operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ *   \code
+ *   psa_verify_hash_interruptible_operation_t operation;
+ *   memset(&operation, 0, sizeof(operation));
+ *   \endcode
+ * - Initialize the structure to logical zero values, for example:
+ *   \code
+ *   psa_verify_hash_interruptible_operation_t operation = {0};
+ *   \endcode
+ * - Initialize the structure to the initializer
+ *   #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ *   \code
+ *   psa_verify_hash_interruptible_operation_t operation =
+ *   PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ *   \endcode
+ * - Assign the result of the function
+ *   psa_verify_hash_interruptible_operation_init() to the structure, for
+ *   example:
+ *   \code
+ *   psa_verify_hash_interruptible_operation_t operation;
+ *   operation = psa_verify_hash_interruptible_operation_init();
+ *   \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
+
+/**
+ * \brief                       Set the maximum number of ops allowed to be
+ *                              executed by an interruptible function in a
+ *                              single call.
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \note                        The time taken to execute a single op is
+ *                              implementation specific and depends on
+ *                              software, hardware, the algorithm, key type and
+ *                              curve chosen. Even within a single operation,
+ *                              successive ops can take differing amounts of
+ *                              time. The only guarantee is that lower values
+ *                              for \p max_ops means functions will block for a
+ *                              lesser maximum amount of time. The functions
+ *                              \c psa_sign_interruptible_get_num_ops() and
+ *                              \c psa_verify_interruptible_get_num_ops() are
+ *                              provided to help with tuning this value.
+ *
+ * \note                        This value defaults to
+ *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
+ *                              means the whole operation will be done in one
+ *                              go, regardless of the number of ops required.
+ *
+ * \note                        If more ops are needed to complete a
+ *                              computation, #PSA_OPERATION_INCOMPLETE will be
+ *                              returned by the function performing the
+ *                              computation. It is then the caller's
+ *                              responsibility to either call again with the
+ *                              same operation context until it returns 0 or an
+ *                              error code; or to call the relevant abort
+ *                              function if the answer is no longer required.
+ *
+ * \note                        The interpretation of \p max_ops is also
+ *                              implementation defined. On a hard real time
+ *                              system, this can indicate a hard deadline, as a
+ *                              real-time system needs a guarantee of not
+ *                              spending more than X time, however care must be
+ *                              taken in such an implementation to avoid the
+ *                              situation whereby calls just return, not being
+ *                              able to do any actual work within the allotted
+ *                              time.  On a non-real-time system, the
+ *                              implementation can be more relaxed, but again
+ *                              whether this number should be interpreted as as
+ *                              hard or soft limit or even whether a less than
+ *                              or equals as regards to ops executed in a
+ *                              single call is implementation defined.
+ *
+ * \warning                     With implementations that interpret this number
+ *                              as a hard limit, setting this number too small
+ *                              may result in an infinite loop, whereby each
+ *                              call results in immediate return with no ops
+ *                              done (as there is not enough time to execute
+ *                              any), and thus no result will ever be achieved.
+ *
+ * \note                        This only applies to functions whose
+ *                              documentation mentions they may return
+ *                              #PSA_OPERATION_INCOMPLETE.
+ *
+ * \param max_ops               The maximum number of ops to be executed in a
+ *                              single call. This can be a number from 0 to
+ *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ *                              is the least amount of work done per call.
+ */
+void psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief                       Get the maximum number of ops allowed to be
+ *                              executed by an interruptible function in a
+ *                              single call. This will return the last
+ *                              value set by
+ *                              \c psa_interruptible_set_max_ops() or
+ *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
+ *                              that function has never been called.
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \return                      Maximum number of ops allowed to be
+ *                              executed by an interruptible function in a
+ *                              single call.
+ */
+uint32_t psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief                       Get the number of ops that a hash signing
+ *                              operation has taken so far. If the operation
+ *                              has completed, then this will represent the
+ *                              number of ops required for the entire
+ *                              operation. After initialization or calling
+ *                              \c psa_sign_hash_interruptible_abort() on
+ *                              the operation, a value of 0 will be returned.
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ *                              This is a helper provided to help you tune the
+ *                              value passed to \c
+ *                              psa_interruptible_set_max_ops().
+ *
+ * \param operation             The \c psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \return                      Number of ops that the operation has taken so
+ *                              far.
+ */
+uint32_t psa_sign_hash_get_num_ops(
+    const psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief                       Get the number of ops that a hash verification
+ *                              operation has taken so far. If the operation
+ *                              has completed, then this will represent the
+ *                              number of ops required for the entire
+ *                              operation. After initialization or calling \c
+ *                              psa_verify_hash_interruptible_abort() on the
+ *                              operation, a value of 0 will be returned.
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ *                              This is a helper provided to help you tune the
+ *                              value passed to \c
+ *                              psa_interruptible_set_max_ops().
+ *
+ * \param operation             The \c
+ *                              psa_verify_hash_interruptible_operation_t to
+ *                              use. This must be initialized first.
+ *
+ * \return                      Number of ops that the operation has taken so
+ *                              far.
+ */
+uint32_t psa_verify_hash_get_num_ops(
+    const psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief                       Start signing a hash or short message with a
+ *                              private key, in an interruptible manner.
+ *
+ * \see                         \c psa_sign_hash_complete()
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \note                        This function combined with \c
+ *                              psa_sign_hash_complete() is equivalent to
+ *                              \c psa_sign_hash() but
+ *                              \c psa_sign_hash_complete() can return early and
+ *                              resume according to the limit set with \c
+ *                              psa_interruptible_set_max_ops() to reduce the
+ *                              maximum time spent in a function call.
+ *
+ * \note                        Users should call \c psa_sign_hash_complete()
+ *                              repeatedly on the same context after a
+ *                              successful call to this function until \c
+ *                              psa_sign_hash_complete() either returns 0 or an
+ *                              error. \c psa_sign_hash_complete() will return
+ *                              #PSA_OPERATION_INCOMPLETE if there is more work
+ *                              to do. Alternatively users can call
+ *                              \c psa_sign_hash_abort() at any point if they no
+ *                              longer want the result.
+ *
+ * \note                        If this function returns an error status, the
+ *                              operation enters an error state and must be
+ *                              aborted by calling \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation    The \c psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \param key                   Identifier of the key to use for the operation.
+ *                              It must be an asymmetric key pair. The key must
+ *                              allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg                   A signature algorithm (\c PSA_ALG_XXX
+ *                              value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ *                              is true), that is compatible with
+ *                              the type of \p key.
+ * \param[in] hash              The hash or message to sign.
+ * \param hash_length           Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation started successfully - call \c psa_sign_hash_complete()
+ *         with the same context to complete the operation
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
+ *         not permit the requested algorithm.
+ * \retval #PSA_ERROR_BAD_STATE
+ *         An operation has previously been started on this context, and is
+ *         still in progress.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been previously initialized by psa_crypto_init().
+ *         It is implementation-dependent whether a failure to initialize
+ *         results in this error code.
+ */
+psa_status_t psa_sign_hash_start(
+    psa_sign_hash_interruptible_operation_t *operation,
+    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief                       Continue and eventually complete the action of
+ *                              signing a hash or short message with a private
+ *                              key, in an interruptible manner.
+ *
+ * \see                         \c psa_sign_hash_start()
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \note                        This function combined with \c
+ *                              psa_sign_hash_start() is equivalent to
+ *                              \c psa_sign_hash() but this function can return
+ *                              early and resume according to the limit set with
+ *                              \c psa_interruptible_set_max_ops() to reduce the
+ *                              maximum time spent in a function call.
+ *
+ * \note                        Users should call this function on the same
+ *                              operation object repeatedly until it either
+ *                              returns 0 or an error. This function will return
+ *                              #PSA_OPERATION_INCOMPLETE if there is more work
+ *                              to do. Alternatively users can call
+ *                              \c psa_sign_hash_abort() at any point if they no
+ *                              longer want the result.
+ *
+ * \note                        When this function returns successfully, the
+ *                              operation becomes inactive. If this function
+ *                              returns an error status, the operation enters an
+ *                              error state and must be aborted by calling
+ *                              \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation    The \c psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first, and have
+ *                              had \c psa_sign_hash_start() called with it
+ *                              first.
+ *
+ * \param[out] signature        Buffer where the signature is to be written.
+ * \param signature_size        Size of the \p signature buffer in bytes. This
+ *                              must be appropriate for the selected
+ *                              algorithm and key:
+ *                              - The required signature size is
+ *                                #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
+ *                                key_bits, \c alg) where \c key_type and \c
+ *                                key_bits are the type and bit-size
+ *                                respectively of key.
+ *                              - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ *                                maximum signature size of any supported
+ *                                signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ *                              the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ *         Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ *         Operation was interrupted due to the setting of \c
+ *         psa_interruptible_set_max_ops(). There is still work to be done.
+ *         Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of the \p signature buffer is too small. You can
+ *         determine a sufficient buffer size by calling
+ *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ *         where \c key_type and \c key_bits are the type and bit-size
+ *         respectively of \p key.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ *         An operation was not previously started on this context via
+ *         \c psa_sign_hash_start().
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has either not been previously initialized by
+ *         psa_crypto_init()  or you did not previously call
+ *         psa_sign_hash_start() with this operation object. It is
+ *         implementation-dependent whether a failure to initialize results in
+ *         this error code.
+ */
+psa_status_t psa_sign_hash_complete(
+    psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length);
+
+/**
+ * \brief                       Abort a sign hash operation.
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+
+ * \note                        Aborting an operation frees all associated
+ *                              resources except for the \p operation structure
+ *                              itself. Once aborted, the operation object can
+ *                              be reused for another operation by calling \c
+ *                              psa_sign_hash_start() again.
+ *
+ * \note                        You may call this function any time after the
+ *                              operation object has been initialized. In
+ *                              particular, calling \c psa_sign_hash_abort()
+ *                              after the operation has already been terminated
+ *                              by a call to \c psa_sign_hash_abort() or
+ *                              psa_sign_hash_complete() is safe and has no
+ *                              effect.
+ *
+ * \param[in,out] operation     Initialized sign hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been previously initialized by psa_crypto_init().
+ *         It is implementation-dependent whether a failure to initialize
+ *         results in this error code.
+ */
+psa_status_t psa_sign_hash_abort(
+    psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief                       Start reading and verifying a hash or short
+ *                              message, in an interruptible manner.
+ *
+ * \see                         \c psa_verify_hash_complete()
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \note                        This function combined with \c
+ *                              psa_verify_hash_complete() is equivalent to
+ *                              \c psa_verify_hash() but \c
+ *                              psa_verify_hash_complete() can return early and
+ *                              resume according to the limit set with \c
+ *                              psa_interruptible_set_max_ops() to reduce the
+ *                              maximum time spent in a function.
+ *
+ * \note                        Users should call \c psa_verify_hash_complete()
+ *                              repeatedly on the same operation object after a
+ *                              successful call to this function until \c
+ *                              psa_verify_hash_complete() either returns 0 or
+ *                              an error. \c psa_verify_hash_complete() will
+ *                              return #PSA_OPERATION_INCOMPLETE if there is
+ *                              more work to do. Alternatively users can call
+ *                              \c psa_verify_hash_abort() at any point if they
+ *                              no longer want the result.
+ *
+ * \note                        If this function returns an error status, the
+ *                              operation enters an error state and must be
+ *                              aborted by calling \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation    The \c psa_verify_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \param key                   Identifier of the key to use for the operation.
+ *                              The key must allow the usage
+ *                              #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg                   A signature algorithm (\c PSA_ALG_XXX
+ *                              value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ *                              is true), that is compatible with
+ *                              the type of \p key.
+ * \param[in] hash              The hash whose signature is to be verified.
+ * \param hash_length           Size of the \p hash buffer in bytes.
+ * \param[in] signature         Buffer containing the signature to verify.
+ * \param signature_length      Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation started successfully - please call \c
+ *         psa_verify_hash_complete() with the same context to complete the
+ *         operation.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ *         Another operation has already been started on this context, and is
+ *         still in progress.
+ *
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
+ *         not permit the requested algorithm.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval PSA_ERROR_DATA_CORRUPT
+ * \retval PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been previously initialized by psa_crypto_init().
+ *         It is implementation-dependent whether a failure to initialize
+ *         results in this error code.
+ */
+psa_status_t psa_verify_hash_start(
+    psa_verify_hash_interruptible_operation_t *operation,
+    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief                       Continue and eventually complete the action of
+ *                              reading and verifying a hash or short message
+ *                              signed with a private key, in an interruptible
+ *                              manner.
+ *
+ * \see                         \c psa_verify_hash_start()
+ *
+ * \warning                     This is a beta API, and thus subject to change
+ *                              at any point. It is not bound by the usual
+ *                              interface stability promises.
+ *
+ * \note                        This function combined with \c
+ *                              psa_verify_hash_start() is equivalent to
+ *                              \c psa_verify_hash() but this function can
+ *                              return early and resume according to the limit
+ *                              set with \c psa_interruptible_set_max_ops() to
+ *                              reduce the maximum time spent in a function
+ *                              call.
+ *
+ * \note                        Users should call this function on the same
+ *                              operation object repeatedly until it either
+ *                              returns 0 or an error. This function will return
+ *                              #PSA_OPERATION_INCOMPLETE if there is more work
+ *                              to do. Alternatively users can call
+ *                              \c psa_verify_hash_abort() at any point if they
+ *                              no longer want the result.
+ *
+ * \note                        When this function returns successfully, the
+ *                              operation becomes inactive. If this function
+ *                              returns an error status, the operation enters an
+ *                              error state and must be aborted by calling
+ *                              \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation    The \c psa_verify_hash_interruptible_operation_t
+ *                              to use. This must be initialized first, and have
+ *                              had \c psa_verify_hash_start() called with it
+ *                              first.
+ *
+ * \retval #PSA_SUCCESS
+ *         Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ *         Operation was interrupted due to the setting of \c
+ *         psa_interruptible_set_max_ops(). There is still work to be done.
+ *         Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ *         The calculation was performed successfully, but the passed
+ *         signature is not a valid signature.
+ *\retval #PSA_ERROR_BAD_STATE
+ *         An operation was not previously started on this context via
+ *         \c psa_verify_hash_start().
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has either not been previously initialized by
+ *         psa_crypto_init() or you did not previously call
+ *         psa_verify_hash_start() on this object. It is
+ *         implementation-dependent whether a failure to initialize results in
+ *         this error code.
+ */
+psa_status_t psa_verify_hash_complete(
+    psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief                     Abort a verify hash operation.
+ *
+ * \warning                   This is a beta API, and thus subject to change at
+ *                            any point. It is not bound by the usual interface
+ *                            stability promises.
+ *
+ * \note                      Aborting an operation frees all associated
+ *                            resources except for the operation structure
+ *                            itself. Once aborted, the operation object can be
+ *                            reused for another operation by calling \c
+ *                            psa_verify_hash_start() again.
+ *
+ * \note                      You may call this function any time after the
+ *                            operation object has been initialized.
+ *                            In particular, calling \c psa_verify_hash_abort()
+ *                            after the operation has already been terminated by
+ *                            a call to \c psa_verify_hash_abort() or
+ *                            psa_verify_hash_complete() is safe and has no
+ *                            effect.
+ *
+ * \param[in,out] operation   Initialized verify hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been previously initialized by psa_crypto_init().
+ *         It is implementation-dependent whether a failure to initialize
+ *         results in this error code.
+ */
+psa_status_t psa_verify_hash_abort(
+    psa_verify_hash_interruptible_operation_t *operation);
+
+
+/**@}*/
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 7a6caa2ed..ff49eb962 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -491,6 +491,48 @@ static inline size_t psa_get_key_bits(
     return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits);
 }
 
+/**
+ * \brief The context for PSA interruptible hash signing.
+ *
+ * \note  Contents not yet designed as implementation specific.
+ *
+ */
+struct psa_sign_hash_interruptible_operation_s {
+    size_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+
+static inline struct psa_sign_hash_interruptible_operation_s
+psa_sign_hash_interruptible_operation_init(void)
+{
+    const struct psa_sign_hash_interruptible_operation_s v =
+        PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+    return v;
+}
+
+/**
+ * \brief The context for PSA interruptible hash verification.
+ *
+ * \note  Contents not yet designed as implementation specific.
+ *
+ */
+struct psa_verify_hash_interruptible_operation_s {
+    size_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+
+static inline struct psa_verify_hash_interruptible_operation_s
+psa_verify_hash_interruptible_operation_init(void)
+{
+    const struct psa_verify_hash_interruptible_operation_s v =
+        PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+    return v;
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index ee95745ad..07e96f70b 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -335,6 +335,13 @@
  */
 #define PSA_ERROR_DATA_INVALID          ((psa_status_t)-153)
 
+/** The function that returns this status is defined as interruptible and
+ *  still has work to do, thus the user should call the function again with the
+ *  same operation context until it either returns #PSA_SUCCESS or any other
+ *  error. This is not an error per se, more a notification of status.
+ */
+#define PSA_OPERATION_INCOMPLETE           ((psa_status_t)-248)
+
 /* *INDENT-ON* */
 
 /**@}*/
@@ -2739,4 +2746,18 @@ static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
 
 /**@}*/
 
+/**@}*/
+
+/** \defgroup interruptible Interruptible operations
+ * @{
+ */
+
+/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine
+ *  the maximum number of ops allowed to be executed by an interruptible
+ *  function in a single call.
+ */
+#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX
+
+/**@}*/
+
 #endif /* PSA_CRYPTO_VALUES_H */

From 2d247923e58ce51959db45b3fa6c66c4810b34c0 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 29 Nov 2022 14:54:44 +0000
Subject: [PATCH 02/70] Initial empty driver wrapper implementation

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_struct.h                   |  20 +-
 library/psa_crypto_driver_wrappers.h          |  41 +++
 .../psa_crypto_driver_wrappers.c.jinja        | 236 ++++++++++++++++++
 3 files changed, 295 insertions(+), 2 deletions(-)

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index ff49eb962..bd20937e5 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -498,10 +498,18 @@ static inline size_t psa_get_key_bits(
  *
  */
 struct psa_sign_hash_interruptible_operation_s {
+    /** Unique ID indicating which driver got assigned to do the
+     * operation. Since driver contexts are driver-specific, swapping
+     * drivers halfway through the operation is not supported.
+     * ID values are auto-generated in psa_crypto_driver_wrappers.h
+     * ID value zero means the context is not valid or not assigned to
+     * any driver (i.e. none of the driver contexts are active). */
+    unsigned int MBEDTLS_PRIVATE(id);
+
     size_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 }
 
 static inline struct psa_sign_hash_interruptible_operation_s
 psa_sign_hash_interruptible_operation_init(void)
@@ -519,10 +527,18 @@ psa_sign_hash_interruptible_operation_init(void)
  *
  */
 struct psa_verify_hash_interruptible_operation_s {
+    /** Unique ID indicating which driver got assigned to do the
+     * operation. Since driver contexts are driver-specific, swapping
+     * drivers halfway through the operation is not supported.
+     * ID values are auto-generated in psa_crypto_driver_wrappers.h
+     * ID value zero means the context is not valid or not assigned to
+     * any driver (i.e. none of the driver contexts are active). */
+    unsigned int MBEDTLS_PRIVATE(id);
+
     size_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 }
 
 static inline struct psa_verify_hash_interruptible_operation_s
 psa_verify_hash_interruptible_operation_init(void)
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index da3cd1d5d..26df08835 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -66,6 +66,47 @@ psa_status_t psa_driver_wrapper_verify_hash(
     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
     const uint8_t *signature, size_t signature_length);
 
+/*
+ * Interruptible Signature functions
+ */
+
+void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops);
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops(void);
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+    const psa_sign_hash_interruptible_operation_t *operation);
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+    const psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+    psa_sign_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+    psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+    psa_sign_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+    psa_verify_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+    psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+    psa_verify_hash_interruptible_operation_t *operation);
+
 /*
  * Key handling functions
  */
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index bdf331516..e1f7b1fe8 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -433,6 +433,242 @@ psa_status_t psa_driver_wrapper_verify_hash(
     }
 }
 
+void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops )
+{
+    ( void ) max_ops;
+}
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
+{
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+    const psa_sign_hash_interruptible_operation_t *operation )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+    const psa_verify_hash_interruptible_operation_t *operation )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+    psa_sign_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length )
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location =
+                                  PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+
+    switch( location )
+    {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+            /* Add test driver tests here */
+
+            /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+            /* Fell through, meaning no accelerator supports this operation */
+            operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+            break;
+
+            /* Add cases for opaque driver here */
+
+        default:
+            /* Key is declared with a lifetime not known to us */
+            ( void ) status;
+            return( PSA_ERROR_INVALID_ARGUMENT );
+    }
+
+    ( void ) operation;
+    ( void ) key_buffer;
+    ( void ) key_buffer_size;
+    ( void ) alg;
+    ( void ) hash;
+    ( void ) hash_length;
+
+        return( status );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+    psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    ( void ) signature;
+    ( void ) signature_size;
+    ( void ) signature_length;
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+    psa_sign_hash_interruptible_operation_t *operation )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+    psa_verify_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length )
+{
+
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location =
+                                  PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+
+    switch( location )
+    {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+            /* Add test driver tests here */
+
+            /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+            /* Fell through, meaning no accelerator supports this operation */
+            operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+            break;
+
+            /* Add cases for opaque driver here */
+
+        default:
+            /* Key is declared with a lifetime not known to us */
+            ( void ) status;
+            return( PSA_ERROR_INVALID_ARGUMENT );
+    }
+
+    ( void ) operation;
+    ( void ) key_buffer;
+    ( void ) key_buffer_size;
+    ( void ) alg;
+    ( void ) hash;
+    ( void ) hash_length;
+    ( void ) signature;
+    ( void ) signature_length;
+
+    return( status );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+    psa_verify_hash_interruptible_operation_t *operation )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+    psa_verify_hash_interruptible_operation_t *operation )
+{
+    switch( operation->id )
+    {
+        case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+
+            /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    }
+
+    return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
 /** Calculate the key buffer size required to store the key material of a key
  *  associated with an opaque driver from input key data.
  *

From 9fe12f666b9a37de13228fa22427cf17989f2ddf Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 30 Nov 2022 19:16:02 +0000
Subject: [PATCH 03/70] PSA level initial implementation

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 236 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 236 insertions(+)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a683fdb8f..a21f6d963 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3124,6 +3124,242 @@ exit:
     return (status == PSA_SUCCESS) ? unlock_status : status;
 }
 
+/****************************************************************/
+/* Asymmetric interruptible cryptography                        */
+/****************************************************************/
+
+void psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+    psa_driver_wrapper_interruptible_set_max_ops(max_ops);
+}
+
+uint32_t psa_interruptible_get_max_ops(void)
+{
+    return psa_driver_wrapper_interruptible_get_max_ops();
+}
+
+
+uint32_t psa_sign_hash_get_num_ops(
+    const psa_sign_hash_interruptible_operation_t *operation)
+{
+    return psa_driver_wrapper_sign_hash_get_num_ops(operation);
+}
+
+uint32_t psa_verify_hash_get_num_ops(
+    const psa_verify_hash_interruptible_operation_t *operation)
+{
+    return psa_driver_wrapper_verify_hash_get_num_ops(operation);
+}
+
+psa_status_t psa_sign_hash_start(
+    psa_sign_hash_interruptible_operation_t *operation,
+    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    /* Check that start has not been previously called. */
+    if (operation->id != 0) {
+        return PSA_ERROR_BAD_STATE;
+    }
+
+
+    status = psa_sign_verify_check_alg(0, alg);
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+                                                   PSA_KEY_USAGE_SIGN_HASH,
+                                                   alg);
+
+    if (status != PSA_SUCCESS) {
+        goto exit;
+    }
+
+    if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
+                                                slot->key.data,
+                                                slot->key.bytes, alg,
+                                                hash, hash_length);
+exit:
+
+    if (status != PSA_SUCCESS) {
+        psa_sign_hash_abort(operation);
+    }
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return (status == PSA_SUCCESS) ? unlock_status : status;
+
+}
+
+
+psa_status_t psa_sign_hash_complete(
+    psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    *signature_length = 0;
+
+    /* Check that start has been called first. */
+    if (operation->id == 0) {
+        status = PSA_ERROR_BAD_STATE;
+        goto exit;
+    }
+
+    /* Immediately reject a zero-length signature buffer. This guarantees
+     * that signature must be a valid pointer. (On the other hand, the input
+     * buffer can in principle be empty since it doesn't actually have
+     * to be a hash.) */
+    if (signature_size == 0) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+
+    status = psa_driver_wrapper_sign_hash_complete(operation, signature,
+                                                   signature_size,
+                                                   signature_length);
+exit:
+
+    if (status != PSA_OPERATION_INCOMPLETE) {
+        /* Fill the unused part of the output buffer (the whole buffer on error,
+         * the trailing part on success) with something that isn't a valid
+         * signature (barring an attack on the signature and
+         * deliberately-crafted input), in case the caller doesn't check the
+         * return status properly.*/
+        if (status == PSA_SUCCESS) {
+            memset(signature + *signature_length, '!',
+                   signature_size - *signature_length);
+        } else if (signature_size > 0) {
+            memset(signature, '!', signature_size);
+        }
+        /* If signature_size is 0 then we have nothing to do. We must not
+         * call memset because signature may be NULL in this case.*/
+
+        psa_sign_hash_abort(operation);
+    }
+
+    return status;
+}
+
+psa_status_t psa_sign_hash_abort(
+    psa_sign_hash_interruptible_operation_t *operation)
+{
+    if (operation->id == 0) {
+        /* The object has (apparently) been initialized but it is not (yet)
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+        return PSA_SUCCESS;
+    }
+
+    psa_driver_wrapper_sign_hash_abort(operation);
+
+    operation->id = 0;
+
+    return PSA_SUCCESS;
+}
+
+psa_status_t psa_verify_hash_start(
+    psa_verify_hash_interruptible_operation_t *operation,
+    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    /* Check that start has not been previously called. */
+    if (operation->id != 0) {
+        return PSA_ERROR_BAD_STATE;
+    }
+
+    status = psa_sign_verify_check_alg(0, alg);
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+                                                   PSA_KEY_USAGE_VERIFY_HASH,
+                                                   alg);
+
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
+                                                  slot->key.data,
+                                                  slot->key.bytes,
+                                                  alg, hash, hash_length,
+                                                  signature, signature_length);
+
+    if (status != PSA_SUCCESS) {
+        psa_verify_hash_abort(operation);
+    }
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return (status == PSA_SUCCESS) ? unlock_status : status;
+
+    return status;
+}
+
+psa_status_t psa_verify_hash_complete(
+    psa_verify_hash_interruptible_operation_t *operation)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    /* Check that start has been called first. */
+    if (operation->id == 0) {
+        status = PSA_ERROR_BAD_STATE;
+        goto exit;
+    }
+
+    status = psa_driver_wrapper_verify_hash_complete(operation);
+
+exit:
+
+    if (status != PSA_OPERATION_INCOMPLETE) {
+        psa_verify_hash_abort(operation);
+    }
+
+    return status;
+}
+
+psa_status_t psa_verify_hash_abort(
+    psa_verify_hash_interruptible_operation_t *operation)
+{
+    if (operation->id == 0) {
+        /* The object has (apparently) been initialized but it is not (yet)
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+        return PSA_SUCCESS;
+    }
+
+    psa_driver_wrapper_verify_hash_abort(operation);
+
+    operation->id = 0;
+
+    return PSA_SUCCESS;
+}
+
 
 
 /****************************************************************/

From 2ba002cc2f7be32b838490a6f7f2ecb0848a774e Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 9 Dec 2022 18:59:26 +0000
Subject: [PATCH 04/70] Make ECDSA restartable sign and verify functions public

Make public the versions of ECSDA sign and verify which return raw signatures
rather than returning ASN.1 encoded signatures, in order to use them for the
internal implemention of psa_sign/verify_hash_interruptible.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/mbedtls/ecdsa.h | 173 ++++++++++++++++++++++++++++++++++++++++
 library/ecdsa.c         |  71 +++++++++--------
 2 files changed, 209 insertions(+), 35 deletions(-)

diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 9847a6836..1741d2c20 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -222,6 +222,134 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
                                void *p_rng_blind);
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/**
+ * \brief               This function computes the ECDSA signature of a
+ *                      previously-hashed message, in a restartable way.
+ *
+ * \note                The deterministic version implemented in
+ *                      mbedtls_ecdsa_sign_det_restartable() is usually
+ *                      preferred.
+ *
+ * \note                This function is like \c mbedtls_ecdsa_sign() but
+ *                      it can return early and restart according to the
+ *                      limit set with \c mbedtls_ecp_set_max_ops() to
+ *                      reduce blocking.
+ *
+ * \note                If the bitlength of the message hash is larger
+ *                      than the bitlength of the group order, then the
+ *                      hash is truncated as defined in <em>Standards for
+ *                      Efficient Cryptography Group (SECG): SEC1 Elliptic
+ *                      Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see                 ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through
+ *                      mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param f_rng         The RNG function. This must not be \c NULL.
+ * \param p_rng         The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx        The restart context to use. This may be \c NULL
+ *                      to disable restarting. If it is not \c NULL, it
+ *                      must point to an initialized restart context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                      operations was reached: see \c
+ *                      mbedtls_ecp_set_max_ops().
+ * \return              Another \c MBEDTLS_ERR_ECP_XXX, \c
+ *                      MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ *                      error code on failure.
+ */
+int mbedtls_ecdsa_sign_restartable(
+    mbedtls_ecp_group *grp,
+    mbedtls_mpi *r, mbedtls_mpi *s,
+    const mbedtls_mpi *d,
+    const unsigned char *buf, size_t blen,
+    int (*f_rng)(void *, unsigned char *, size_t),
+    void *p_rng,
+    int (*f_rng_blind)(void *, unsigned char *, size_t),
+    void *p_rng_blind,
+    mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+
+/**
+ * \brief               This function computes the ECDSA signature of a
+ *                      previously-hashed message, in a restartable way.
+ *
+ * \note                This function is like \c
+ *                      mbedtls_ecdsa_sign_det_ext() but it can return
+ *                      early and restart according to the limit set with
+ *                      \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note                If the bitlength of the message hash is larger
+ *                      than the bitlength of the group order, then the
+ *                      hash is truncated as defined in <em>Standards for
+ *                      Efficient Cryptography Group (SECG): SEC1 Elliptic
+ *                      Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see                 ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through
+ *                      mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx        The restart context to use. This may be \c NULL
+ *                      to disable restarting. If it is not \c NULL, it
+ *                      must point to an initialized restart context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                      operations was reached: see \c
+ *                      mbedtls_ecp_set_max_ops().
+ * \return              Another \c MBEDTLS_ERR_ECP_XXX, \c
+ *                      MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ *                      error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_restartable(
+    mbedtls_ecp_group *grp,
+    mbedtls_mpi *r, mbedtls_mpi *s,
+    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+    mbedtls_md_type_t md_alg,
+    int (*f_rng_blind)(void *, unsigned char *, size_t),
+    void *p_rng_blind,
+    mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
 /**
  * \brief           This function verifies the ECDSA signature of a
  *                  previously-hashed message.
@@ -257,6 +385,49 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
                          const mbedtls_mpi *s);
 
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/**
+ * \brief           This function verifies the ECDSA signature of a
+ *                  previously-hashed message, in a restartable manner
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
+ * \param r         The first integer of the signature.
+ *                  This must be initialized.
+ * \param s         The second integer of the signature.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r,
+                                     const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
 /**
  * \brief           This function computes the ECDSA signature and writes it
  *                  to a buffer, serialized as defined in <em>RFC-4492:
@@ -303,6 +474,8 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
  *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
  *
  * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
  * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
  *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3ddb82b1e..eb3c30319 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -239,13 +239,13 @@ cleanup:
  * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
  * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
  */
-static int ecdsa_sign_restartable(mbedtls_ecp_group *grp,
-                                  mbedtls_mpi *r, mbedtls_mpi *s,
-                                  const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                                  int (*f_rng_blind)(void *, unsigned char *, size_t),
-                                  void *p_rng_blind,
-                                  mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+                                   mbedtls_mpi *r, mbedtls_mpi *s,
+                                   const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                   int (*f_rng_blind)(void *, unsigned char *, size_t),
+                                   void *p_rng_blind,
+                                   mbedtls_ecdsa_restart_ctx *rs_ctx)
 {
     int ret, key_tries, sign_tries;
     int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
@@ -394,8 +394,8 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
 {
     /* Use the same RNG for both blinding and ephemeral key generation */
-    return ecdsa_sign_restartable(grp, r, s, d, buf, blen,
-                                  f_rng, p_rng, f_rng, p_rng, NULL);
+    return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+                                          f_rng, p_rng, f_rng, p_rng, NULL);
 }
 #endif /* !MBEDTLS_ECDSA_SIGN_ALT */
 
@@ -406,13 +406,13 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  * note:    The f_rng_blind parameter must not be NULL.
  *
  */
-static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
-                                      mbedtls_mpi *r, mbedtls_mpi *s,
-                                      const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                                      mbedtls_md_type_t md_alg,
-                                      int (*f_rng_blind)(void *, unsigned char *, size_t),
-                                      void *p_rng_blind,
-                                      mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+                                       mbedtls_mpi *r, mbedtls_mpi *s,
+                                       const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                                       mbedtls_md_type_t md_alg,
+                                       int (*f_rng_blind)(void *, unsigned char *, size_t),
+                                       void *p_rng_blind,
+                                       mbedtls_ecdsa_restart_ctx *rs_ctx)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_hmac_drbg_context rng_ctx;
@@ -462,9 +462,9 @@ sign:
     ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
                              mbedtls_hmac_drbg_random, p_rng);
 #else
-    ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
-                                 mbedtls_hmac_drbg_random, p_rng,
-                                 f_rng_blind, p_rng_blind, rs_ctx);
+    ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+                                         mbedtls_hmac_drbg_random, p_rng,
+                                         f_rng_blind, p_rng_blind, rs_ctx);
 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
 
 cleanup:
@@ -487,8 +487,8 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
                                                   size_t),
                                void *p_rng_blind)
 {
-    return ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
-                                      f_rng_blind, p_rng_blind, NULL);
+    return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+                                              f_rng_blind, p_rng_blind, NULL);
 }
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
@@ -497,11 +497,12 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
  * Verify ECDSA signature of hashed message (SEC1 4.1.4)
  * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
  */
-static int ecdsa_verify_restartable(mbedtls_ecp_group *grp,
-                                    const unsigned char *buf, size_t blen,
-                                    const mbedtls_ecp_point *Q,
-                                    const mbedtls_mpi *r, const mbedtls_mpi *s,
-                                    mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r,
+                                     const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi e, s_inv, u1, u2;
@@ -610,7 +611,7 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
                          const mbedtls_mpi *r,
                          const mbedtls_mpi *s)
 {
-    return ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
+    return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
 }
 #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
 
@@ -665,9 +666,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
     mbedtls_mpi_init(&s);
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-    MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
-                                               hash, hlen, md_alg, f_rng,
-                                               p_rng, rs_ctx));
+    MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+                                                       hash, hlen, md_alg, f_rng,
+                                                       p_rng, rs_ctx));
 #else
     (void) md_alg;
 
@@ -678,9 +679,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
                                        hash, hlen, f_rng, p_rng));
 #else
     /* Use the same RNG for both blinding and ephemeral key generation */
-    MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
-                                           hash, hlen, f_rng, p_rng, f_rng,
-                                           p_rng, rs_ctx));
+    MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+                                                   hash, hlen, f_rng, p_rng, f_rng,
+                                                   p_rng, rs_ctx));
 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
@@ -760,8 +761,8 @@ int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
         goto cleanup;
     }
 #else
-    if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen,
-                                        &ctx->Q, &r, &s, rs_ctx)) != 0) {
+    if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+                                                &ctx->Q, &r, &s, rs_ctx)) != 0) {
         goto cleanup;
     }
 #endif /* MBEDTLS_ECDSA_VERIFY_ALT */

From 588f8ed498216b3f600f6d423328bd290ffe4a97 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 2 Dec 2022 18:10:26 +0000
Subject: [PATCH 05/70] Add internal implementation

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h       |  55 +++
 .../psa/crypto_driver_contexts_composites.h   |  10 +
 include/psa/crypto_struct.h                   |   8 +-
 library/psa_crypto.c                          | 421 ++++++++++++++++++
 library/psa_crypto_core.h                     | 299 +++++++++++++
 .../psa_crypto_driver_wrappers.c.jinja        |  61 ++-
 6 files changed, 829 insertions(+), 25 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index b7f0b1162..0f1220de9 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -107,4 +107,59 @@ typedef struct {
 
 #define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
 
+#include "mbedtls/ecdsa.h"
+
+/* Context structure for the Mbed TLS interruptible sign hash implementation. */
+typedef struct {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+    mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    size_t MBEDTLS_PRIVATE(curve_bytes);
+    psa_algorithm_t MBEDTLS_PRIVATE(alg);
+    mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+    const uint8_t *MBEDTLS_PRIVATE(hash);
+    size_t MBEDTLS_PRIVATE(hash_length);
+
+    mbedtls_mpi MBEDTLS_PRIVATE(r);
+    mbedtls_mpi MBEDTLS_PRIVATE(s);
+
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
+
+} mbedtls_psa_sign_hash_interruptible_operation_t;
+
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \
+        { 0 } }
+
+/* Context structure for the Mbed TLS interruptible verify hash
+ * implementation.*/
+typedef struct {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+    mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    size_t MBEDTLS_PRIVATE(curve_bytes);
+    const uint8_t *MBEDTLS_PRIVATE(hash);
+    size_t MBEDTLS_PRIVATE(hash_length);
+
+    mbedtls_mpi MBEDTLS_PRIVATE(r);
+    mbedtls_mpi MBEDTLS_PRIVATE(s);
+
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
+
+} mbedtls_psa_verify_hash_interruptible_operation_t;
+
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \
+        { 0 } }
+
+
+
 #endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h
index bcd000e70..1b95814f9 100644
--- a/include/psa/crypto_driver_contexts_composites.h
+++ b/include/psa/crypto_driver_contexts_composites.h
@@ -114,5 +114,15 @@ typedef union {
 #endif
 } psa_driver_aead_context_t;
 
+typedef union {
+    unsigned dummy; /* Make sure this union is always non-empty */
+    mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_sign_hash_interruptible_context_t;
+
+typedef union {
+    unsigned dummy; /* Make sure this union is always non-empty */
+    mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_verify_hash_interruptible_context_t;
+
 #endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
 /* End of automatically generated file. */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index bd20937e5..8874e97a2 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -506,10 +506,12 @@ struct psa_sign_hash_interruptible_operation_s {
      * any driver (i.e. none of the driver contexts are active). */
     unsigned int MBEDTLS_PRIVATE(id);
 
+    psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
     size_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 }
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
 
 static inline struct psa_sign_hash_interruptible_operation_s
 psa_sign_hash_interruptible_operation_init(void)
@@ -535,10 +537,12 @@ struct psa_verify_hash_interruptible_operation_s {
      * any driver (i.e. none of the driver contexts are active). */
     unsigned int MBEDTLS_PRIVATE(id);
 
+    psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
     size_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 }
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
 
 static inline struct psa_verify_hash_interruptible_operation_s
 psa_verify_hash_interruptible_operation_init(void)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a21f6d963..b31d51b4b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -81,6 +81,7 @@
 #include "mbedtls/sha1.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/sha512.h"
+#include "hash_info.h"
 
 #define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
 
@@ -310,6 +311,9 @@ psa_status_t mbedtls_to_psa_error(int ret)
         case MBEDTLS_ERR_ECP_RANDOM_FAILED:
             return PSA_ERROR_INSUFFICIENT_ENTROPY;
 
+        case MBEDTLS_ERR_ECP_IN_PROGRESS:
+            return PSA_OPERATION_INCOMPLETE;
+
         case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
             return PSA_ERROR_CORRUPTION_DETECTED;
 
@@ -3360,7 +3364,424 @@ psa_status_t psa_verify_hash_abort(
     return PSA_SUCCESS;
 }
 
+/****************************************************************/
+/* Asymmetric interruptible cryptography internal               */
+/* implementations                                              */
+/****************************************************************/
 
+static uint32_t mbedtls_psa_interruptible_max_ops =
+    PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    /* Internal implementation uses zero to indicate infinite number max ops,
+     * therefore avoid this value, and set to minimum possible. */
+    if (max_ops == 0) {
+        max_ops = 1;
+    }
+
+    mbedtls_psa_interruptible_max_ops = max_ops;
+    mbedtls_ecp_set_max_ops(max_ops);
+#else
+    (void) max_ops;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_interruptible_get_max_ops(void)
+{
+    return mbedtls_psa_interruptible_max_ops;
+}
+
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+    const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    return operation->restart_ctx.ecp.ops_done;
+#else
+    (void) operation;
+    return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+    const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+    #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    return operation->restart_ctx.ecp.ops_done;
+#else
+    (void) operation;
+    return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_start(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+        if (PSA_ALG_IS_ECDSA(alg)) {
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+            defined(MBEDTLS_ECP_RESTARTABLE)
+
+#if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+            if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
+                return PSA_ERROR_NOT_SUPPORTED;
+            }
+#endif
+
+            /* Ensure default is set even if
+             * mbedtls_psa_interruptible_get_max_ops() has not been called. */
+            mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops());
+
+            status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                         attributes->core.bits,
+                                                         key_buffer,
+                                                         key_buffer_size,
+                                                         &operation->ctx);
+
+            if (status != PSA_SUCCESS) {
+                return status;
+            }
+
+            mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+            mbedtls_mpi_init(&operation->r);
+            mbedtls_mpi_init(&operation->s);
+
+            operation->curve_bytes = PSA_BITS_TO_BYTES(
+                operation->ctx->grp.pbits);
+
+            psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+            operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+            operation->alg = alg;
+
+            operation->hash = hash;
+            operation->hash_length = hash_length;
+
+#else
+            (void) operation;
+            (void) key_buffer;
+            (void) key_buffer_size;
+            (void) alg;
+            (void) hash;
+            (void) hash_length;
+
+            return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+        } else {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+        }
+    } else {
+        status = PSA_ERROR_NOT_SUPPORTED;
+    }
+
+    return status;
+}
+
+psa_status_t mbedtls_psa_sign_hash_complete(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    if (signature_size < 2 * operation->curve_bytes) {
+        return PSA_ERROR_BUFFER_TOO_SMALL;
+    }
+
+
+    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+        status = mbedtls_to_psa_error(
+            mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
+                                               &operation->r,
+                                               &operation->s,
+                                               &operation->ctx->d,
+                                               operation->hash,
+                                               operation->hash_length,
+                                               operation->md_alg,
+                                               mbedtls_psa_get_random,
+                                               MBEDTLS_PSA_RANDOM_STATE,
+                                               &operation->restart_ctx));
+#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+        return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+    } else {
+
+        status = mbedtls_to_psa_error(
+            mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
+                                           &operation->r,
+                                           &operation->s,
+                                           &operation->ctx->d,
+                                           operation->hash,
+                                           operation->hash_length,
+                                           mbedtls_psa_get_random,
+                                           MBEDTLS_PSA_RANDOM_STATE,
+                                           mbedtls_psa_get_random,
+                                           MBEDTLS_PSA_RANDOM_STATE,
+                                           &operation->restart_ctx));
+    }
+
+    if (status != PSA_SUCCESS) {
+        return status;
+    } else {
+        status =  mbedtls_to_psa_error(
+            mbedtls_mpi_write_binary(&operation->r,
+                                     signature,
+                                     operation->curve_bytes));
+
+        if (status != PSA_SUCCESS) {
+            return status;
+        }
+
+        status =  mbedtls_to_psa_error(
+            mbedtls_mpi_write_binary(&operation->s,
+                                     signature +
+                                     operation->curve_bytes,
+                                     operation->curve_bytes));
+
+        if (status != PSA_SUCCESS) {
+            return status;
+        }
+
+        *signature_length = operation->curve_bytes * 2;
+
+        return PSA_SUCCESS;
+    }
+ #else
+
+    (void) operation;
+    (void) status;
+    (void) signature;
+    (void) signature_size;
+    (void) signature_length;
+
+    return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_abort(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    if (operation->ctx) {
+        mbedtls_ecdsa_free(operation->ctx);
+        mbedtls_free(operation->ctx);
+    }
+
+    mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+    mbedtls_mpi_free(&operation->r);
+    mbedtls_mpi_free(&operation->s);
+
+    return PSA_SUCCESS;
+
+#else
+
+    (void) operation;
+
+    return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_start(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+        if (PSA_ALG_IS_ECDSA(alg)) {
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+            defined(MBEDTLS_ECP_RESTARTABLE)
+
+            /* Ensure default is set even if
+             * mbedtls_psa_interruptible_get_max_ops() has not been called. */
+            mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops());
+
+            status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                         attributes->core.bits,
+                                                         key_buffer,
+                                                         key_buffer_size,
+                                                         &operation->ctx);
+
+            if (status != PSA_SUCCESS) {
+                return status;
+            }
+
+            operation->curve_bytes = PSA_BITS_TO_BYTES(
+                operation->ctx->grp.pbits);
+
+
+            if (signature_length != 2 * operation->curve_bytes) {
+                return PSA_ERROR_INVALID_SIGNATURE;
+            }
+
+            mbedtls_mpi_init(&operation->r);
+            status = mbedtls_to_psa_error(
+                mbedtls_mpi_read_binary(&operation->r,
+                                        signature,
+                                        operation->curve_bytes));
+
+            if (status != PSA_SUCCESS) {
+                return status;
+            }
+
+            mbedtls_mpi_init(&operation->s);
+            status = mbedtls_to_psa_error(
+                mbedtls_mpi_read_binary(&operation->s,
+                                        signature +
+                                        operation->curve_bytes,
+                                        operation->curve_bytes));
+
+            if (status != PSA_SUCCESS) {
+                return status;
+            }
+
+            /* Check whether the public part is loaded. If not, load it. */
+            if (mbedtls_ecp_is_zero(&operation->ctx->Q)) {
+                int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+                ret = mbedtls_ecp_mul(&operation->ctx->grp,
+                                      &operation->ctx->Q,
+                                      &operation->ctx->d,
+                                      &operation->ctx->grp.G,
+                                      mbedtls_psa_get_random,
+                                      MBEDTLS_PSA_RANDOM_STATE);
+
+                if (ret != 0) {
+                    return mbedtls_to_psa_error(ret);
+                }
+            }
+
+            mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+            operation->hash = hash;
+            operation->hash_length = hash_length;
+#else
+            (void) operation;
+            (void) key_buffer;
+            (void) key_buffer_size;
+            (void) alg;
+            (void) hash;
+            (void) hash_length;
+            (void) signature;
+            (void) signature_length;
+
+            return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+        } else {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+        }
+    } else {
+        status = PSA_ERROR_NOT_SUPPORTED;
+    }
+
+    return status;
+}
+
+psa_status_t mbedtls_psa_verify_hash_complete(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    return mbedtls_to_psa_error(
+        mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
+                                         operation->hash,
+                                         operation->hash_length,
+                                         &operation->ctx->Q,
+                                         &operation->r,
+                                         &operation->s,
+                                         &operation->restart_ctx));
+
+#else
+    (void) operation;
+
+    return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_abort(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
+    if (operation->ctx) {
+        mbedtls_ecdsa_free(operation->ctx);
+        mbedtls_free(operation->ctx);
+    }
+
+    mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+    mbedtls_mpi_free(&operation->r);
+    mbedtls_mpi_free(&operation->s);
+
+    return PSA_SUCCESS;
+
+#else
+    (void) operation;
+
+    return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
 
 /****************************************************************/
 /* Symmetric cryptography */
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 38e4bc5cc..2f3cb6458 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -606,4 +606,303 @@ psa_status_t psa_key_agreement_raw_builtin(
     size_t shared_secret_size,
     size_t *shared_secret_length);
 
+/**
+ * \brief Set the maximum number of ops allowed to be executed by an
+ *        interruptible function in a single call.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       interruptible_set_max_ops entry point. This function behaves as an
+ *       interruptible_set_max_ops entry point as defined in the PSA driver
+ *       interface specification for transparent drivers.
+ *
+ * \param[in]  max_ops          The maximum number of ops to be executed in a
+ *                              single call, this can be a number from 0 to
+ *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ *                              is obviously the least amount of work done per
+ *                              call.
+ */
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be executed by an
+ *        interruptible function in a single call.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       interruptible_get_max_ops entry point. This function behaves as an
+ *       interruptible_get_max_ops entry point as defined in the PSA driver
+ *       interface specification for transparent drivers.
+ *
+ * \return                      Maximum number of ops allowed to be executed
+ *                              by an interruptible function in a single call.
+ */
+uint32_t mbedtls_psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing operation has taken so
+ *        far. If the operation has completed, then this will represent the
+ *        number of ops required for the entire operation. After initialization
+ *        or calling psa_sign_hash_interruptible_abort() on the operation, a
+ *        value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_get_num_ops entry point. This function behaves as a
+ *       sign_get_num_ops entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \return                      Number of ops that the operation has taken so
+ *                              far.
+ */
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+    const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification operation has taken
+ *        so far. If the operation has completed, then this will represent the
+ *        number of ops required for the entire operation. After initialization
+ *        or calling psa_verify_hash_interruptible_abort() on the operation, a
+ *        value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_get_num_ops entry point. This function behaves as a
+ *       verify_get_num_ops entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_verify_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \return                      Number of ops that the operation has taken so
+ *                              far.
+ */
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+    const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief  Start signing a hash or short message with a private key, in an
+ *         interruptible manner.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash_start entry point. This function behaves as a
+ *       sign_hash_start entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ * \param[in]  attributes       The attributes of the key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the key context.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              the type of the key.
+ * \param[in] hash              The hash or message to sign.
+ * \param hash_length           Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation started successfully - call \c psa_sign_hash_complete()
+ *         with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         An unsupported, incorrectly formatted or incorrect type of key was
+ *         used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
+ *         are currently supported, or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *         There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_sign_hash_start(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+    size_t key_buffer_size, psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ *        short message with a private key, in an interruptible manner.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash_complete entry point. This function behaves as a
+ *       sign_hash_complete entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \param[out] signature        Buffer where the signature is to be written.
+ * \param signature_size        Size of the \p signature buffer in bytes. This
+ *                              must be appropriate for the selected
+ *                              algorithm and key.
+ * \param[out] signature_length On success, the number of bytes that make up
+ *                              the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ *         Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ *         Operation was interrupted due to the setting of \c
+ *         psa_interruptible_set_max_ops(), there is still work to be done,
+ *         please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of the \p signature buffer is too small. You can
+ *         determine a sufficient buffer size by calling
+ *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ *         where \c key_type and \c key_bits are the type and bit-size
+ *         respectively of \p key.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ */
+psa_status_t mbedtls_psa_sign_hash_complete(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+    uint8_t *signature, size_t signature_size,
+    size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver sign_hash_abort
+ *       entry point. This function behaves as a sign_hash_abort entry point as
+ *       defined in the PSA driver interface specification for transparent
+ *       drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_sign_hash_interruptible_operation_t
+ *                              to abort.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_sign_hash_abort(
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief  Start reading and verifying a hash or short message, in an
+ *         interruptible manner.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_hash_start entry point. This function behaves as a
+ *       verify_hash_start entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_verify_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ * \param[in]  attributes       The attributes of the key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the key context.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              the type of the key.
+ * \param[in] hash              The hash whose signature is to be verified.
+ * \param hash_length           Size of the \p hash buffer in bytes.
+ * \param[in] signature         Buffer containing the signature to verify.
+ * \param signature_length      Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation started successfully - call \c psa_sign_hash_complete()
+ *         with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         An unsupported or incorrect type of key was used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *        Either no internal interruptible operations are currently supported,
+ *         or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *        There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_verify_hash_start(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg,
+    const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ *        short message with a private key, in an interruptible manner.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash_complete entry point. This function behaves as a
+ *       sign_hash_complete entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_sign_hash_interruptible_operation_t
+ *                              to use. This must be initialized first.
+ *
+ * \retval #PSA_SUCCESS
+ *         Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ *         Operation was interrupted due to the setting of \c
+ *         psa_interruptible_set_max_ops(), there is still work to be done,
+ *         please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ *         The calculation was performed successfully, but the passed
+ *         signature is not a valid signature.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_verify_hash_complete(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify signed hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at any point. It is
+ *          not bound by the usual interface stability promises.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_hash_abort entry point. This function behaves as a
+ *       verify_hash_abort entry point as defined in the PSA driver interface
+ *       specification for transparent drivers.
+ *
+ * \param[in]  operation        The \c
+ *                              mbedtls_psa_verify_hash_interruptible_operation_t
+ *                              to abort.
+ *
+ * \retval #PSA_SUCCESS
+ *         The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_verify_hash_abort(
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
 #endif /* PSA_CRYPTO_CORE_H */
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index e1f7b1fe8..6093fdf81 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -435,12 +435,12 @@ psa_status_t psa_driver_wrapper_verify_hash(
 
 void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops )
 {
-    ( void ) max_ops;
+    mbedtls_psa_interruptible_set_max_ops( max_ops );
 }
 
 uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
 {
-    return( PSA_ERROR_INVALID_ARGUMENT );
+    return mbedtls_psa_interruptible_get_max_ops( );
 }
 
 uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
@@ -449,12 +449,13 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_sign_hash_get_num_ops(
+                                                &operation->ctx.mbedtls_ctx )
+                  );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
@@ -469,15 +470,17 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_verify_hash_get_num_ops(
+                                                &operation->ctx.mbedtls_ctx )
+                    );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
     }
 
     return( PSA_ERROR_INVALID_ARGUMENT );
@@ -491,7 +494,8 @@ psa_status_t psa_driver_wrapper_sign_hash_start(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_location_t location =
-                                  PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+                                  PSA_KEY_LIFETIME_GET_LOCATION(
+                                                    attributes->core.lifetime );
 
     switch( location )
     {
@@ -511,6 +515,10 @@ psa_status_t psa_driver_wrapper_sign_hash_start(
 
             /* Fell through, meaning no accelerator supports this operation */
             operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+            return( mbedtls_psa_sign_hash_start( &operation->ctx.mbedtls_ctx,
+                                                 attributes,
+                                                 key_buffer, key_buffer_size,
+                                                 alg, hash, hash_length ) );
             break;
 
             /* Add cases for opaque driver here */
@@ -539,12 +547,13 @@ psa_status_t psa_driver_wrapper_sign_hash_complete(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_sign_hash_complete( &operation->ctx.mbedtls_ctx,
+                                                    signature, signature_size,
+                                                    signature_length ) );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
@@ -563,12 +572,11 @@ psa_status_t psa_driver_wrapper_sign_hash_abort(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_sign_hash_abort( &operation->ctx.mbedtls_ctx ) );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
@@ -586,8 +594,8 @@ psa_status_t psa_driver_wrapper_verify_hash_start(
 {
 
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-    psa_key_location_t location =
-                                  PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+                                                    attributes->core.lifetime );
 
     switch( location )
     {
@@ -607,6 +615,12 @@ psa_status_t psa_driver_wrapper_verify_hash_start(
 
             /* Fell through, meaning no accelerator supports this operation */
             operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+            return( mbedtls_psa_verify_hash_start( &operation->ctx.mbedtls_ctx,
+                                                   attributes,
+                                                   key_buffer, key_buffer_size,
+                                                   alg, hash, hash_length,
+                                                   signature, signature_length
+                                                   ) );
             break;
 
             /* Add cases for opaque driver here */
@@ -635,12 +649,13 @@ psa_status_t psa_driver_wrapper_verify_hash_complete(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_verify_hash_complete(
+                                                     &operation->ctx.mbedtls_ctx
+                                                     ) );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
@@ -655,12 +670,12 @@ psa_status_t psa_driver_wrapper_verify_hash_abort(
     switch( operation->id )
     {
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+            return( mbedtls_psa_verify_hash_abort( &operation->ctx.mbedtls_ctx
+                                                 ) );
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-        case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
-
-            /* Add cases for opaque driver here */
+            /* Add test driver tests here */
 
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */

From 296ede99c9649c7606f09c4888b0ea157835027d Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 15 Dec 2022 17:00:30 +0000
Subject: [PATCH 06/70] Fix issues with get_{sign/verify}_num_ops

Move to accumulate ops in context rather than attempting to read straight out
of structures due to structure ops getting reset per operation, and also
issues with _abort clearing internal data. Fix usage of size_t in structures

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_struct.h                     |  4 ++--
 library/psa_crypto.c                            | 17 +++++++++++++++--
 .../psa_crypto_driver_wrappers.c.jinja          |  8 ++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 8874e97a2..bc56a4fa6 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -508,7 +508,7 @@ struct psa_sign_hash_interruptible_operation_s {
 
     psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
 
-    size_t MBEDTLS_PRIVATE(num_ops);
+    uint32_t MBEDTLS_PRIVATE(num_ops);
 };
 
 #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
@@ -539,7 +539,7 @@ struct psa_verify_hash_interruptible_operation_s {
 
     psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
 
-    size_t MBEDTLS_PRIVATE(num_ops);
+    uint32_t MBEDTLS_PRIVATE(num_ops);
 };
 
 #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index b31d51b4b..e3be65013 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3146,13 +3146,13 @@ uint32_t psa_interruptible_get_max_ops(void)
 uint32_t psa_sign_hash_get_num_ops(
     const psa_sign_hash_interruptible_operation_t *operation)
 {
-    return psa_driver_wrapper_sign_hash_get_num_ops(operation);
+    return operation->num_ops;
 }
 
 uint32_t psa_verify_hash_get_num_ops(
     const psa_verify_hash_interruptible_operation_t *operation)
 {
-    return psa_driver_wrapper_verify_hash_get_num_ops(operation);
+    return operation->num_ops;
 }
 
 psa_status_t psa_sign_hash_start(
@@ -3192,6 +3192,9 @@ psa_status_t psa_sign_hash_start(
         .core = slot->attr
     };
 
+    /* Ensure ops count gets reset, in case of operation re-use. */
+    operation->num_ops = 0;
+
     status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
                                                 slot->key.data,
                                                 slot->key.bytes, alg,
@@ -3238,6 +3241,9 @@ psa_status_t psa_sign_hash_complete(
                                                    signature_length);
 exit:
 
+    /* Update ops count with work done. */
+    operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation);
+
     if (status != PSA_OPERATION_INCOMPLETE) {
         /* Fill the unused part of the output buffer (the whole buffer on error,
          * the trailing part on success) with something that isn't a valid
@@ -3308,6 +3314,9 @@ psa_status_t psa_verify_hash_start(
         .core = slot->attr
     };
 
+    /* Ensure ops count gets reset, in case of operation re-use. */
+    operation->num_ops = 0;
+
     status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
                                                   slot->key.data,
                                                   slot->key.bytes,
@@ -3340,6 +3349,10 @@ psa_status_t psa_verify_hash_complete(
 
 exit:
 
+    /* Update ops count with work done. */
+    operation->num_ops += psa_driver_wrapper_verify_hash_get_num_ops(
+        operation);
+
     if (status != PSA_OPERATION_INCOMPLETE) {
         psa_verify_hash_abort(operation);
     }
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index 6093fdf81..2b2b02571 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -448,6 +448,10 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
 {
     switch( operation->id )
     {
+        /* If uninitialised, return 0, as no work can have been done. */
+        case 0:
+            return 0;
+
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
             return( mbedtls_psa_sign_hash_get_num_ops(
                                                 &operation->ctx.mbedtls_ctx )
@@ -469,6 +473,10 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
 {
     switch( operation->id )
     {
+        /* If uninitialised, return 0, as no work can have been done. */
+        case 0:
+            return 0;
+
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
             return( mbedtls_psa_verify_hash_get_num_ops(
                                                 &operation->ctx.mbedtls_ctx )

From 712d5120072fe9c9e36b78dae54b3d9a4efdd269 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 7 Dec 2022 14:03:10 +0000
Subject: [PATCH 07/70] Basic tests

Sign Hash, Verify Hash and Sign and Verify Hash.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     |  45 ++++
 tests/suites/test_suite_psa_crypto.function | 258 ++++++++++++++++++++
 2 files changed, 303 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c3561420b..c45e168a3 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,6 +4145,18 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
 
+PSA sign hash: interruptible ECDSA SECP256R1 SHA - 256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA sign hash: interruptible ECDSA SECP256R1 SHA - 384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca"
+
+PSA sign hash: interruptible ECDSA SECP384R1 SHA - 256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
+
 PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
 sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015":128:PSA_ERROR_INVALID_ARGUMENT
@@ -4249,6 +4261,31 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
+PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f"
+
+PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f"
+
+PSA sign / verify hash interruptible: randomized ECDSA SECP384R1 SHA - 256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign / verify hash interruptible: deterministic ECDSA SECP384R1 SHA - 256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+
 PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C
 verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
@@ -4369,6 +4406,14 @@ PSA verify hash with keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
 
+PSA verify hash interruptible: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash interruptible with keypair: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c414b65fa..9bf5039fc 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6444,6 +6444,89 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_hash_interruptible(int key_type_arg, data_t *key_data,
+                             int alg_arg, data_t *input_data,
+                             data_t *output_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t key_bits;
+    unsigned char *signature = NULL;
+    size_t signature_size;
+    size_t signature_length = 0xdeadbeef;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_status_t status = PSA_OPERATION_INCOMPLETE;
+    size_t num_ops = 0;
+    size_t num_ops_prior = 0;
+    psa_sign_hash_interruptible_operation_t operation =
+        psa_sign_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+    PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+    key_bits = psa_get_key_bits(&attributes);
+
+    /* Allocate a buffer which has the size advertised by the
+     * library. */
+    signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+                                          key_bits, alg);
+    TEST_ASSERT(signature_size != 0);
+    TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+    ASSERT_ALLOC(signature, signature_size);
+
+    num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Start performing the signature. */
+    PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Continue performing the signature until complete. */
+    while (status == PSA_OPERATION_INCOMPLETE) {
+        status = psa_sign_hash_complete(&operation, signature, signature_size,
+                                        &signature_length);
+
+        if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+            num_ops = psa_sign_hash_get_num_ops(&operation);
+
+            TEST_ASSERT(num_ops > num_ops_prior);
+            num_ops_prior = num_ops;
+        }
+    }
+
+    TEST_ASSERT(status == PSA_SUCCESS);
+
+    /* Verify that the signature is what is expected. */
+    ASSERT_COMPARE(output_data->x, output_data->len,
+                   signature, signature_length);
+
+    PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+exit:
+
+    /*
+     * Key attributes may have been returned by psa_get_key_attributes()
+     * thus reset them as required.
+     */
+    psa_reset_key_attributes(&attributes);
+
+    psa_destroy_key(key);
+    mbedtls_free(signature);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void sign_hash_fail(int key_type_arg, data_t *key_data,
                     int alg_arg, data_t *input_data,
@@ -6559,6 +6642,116 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
+                                    int alg_arg, data_t *input_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t key_bits;
+    unsigned char *signature = NULL;
+    size_t signature_size;
+    size_t signature_length = 0xdeadbeef;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_status_t status = PSA_OPERATION_INCOMPLETE;
+    psa_sign_hash_interruptible_operation_t sign_operation =
+        psa_sign_hash_interruptible_operation_init();
+    psa_verify_hash_interruptible_operation_t verify_operation =
+        psa_verify_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+    PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+    key_bits = psa_get_key_bits(&attributes);
+
+    /* Allocate a buffer which has the size advertised by the
+     * library. */
+    signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+                                          key_bits, alg);
+    TEST_ASSERT(signature_size != 0);
+    TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+    ASSERT_ALLOC(signature, signature_size);
+
+    /* Start performing the signature. */
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    /* Continue performing the signature until complete. */
+    while (status == PSA_OPERATION_INCOMPLETE) {
+
+        status = psa_sign_hash_complete(&sign_operation, signature, signature_size,
+                                        &signature_length);
+    }
+
+    TEST_ASSERT(status == PSA_SUCCESS);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    /* Check that the signature length looks sensible. */
+    TEST_LE_U(signature_length, signature_size);
+    TEST_ASSERT(signature_length > 0);
+
+    status = PSA_OPERATION_INCOMPLETE;
+
+    /* Start verification. */
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    /* Continue performing the signature until complete. */
+    while (status == PSA_OPERATION_INCOMPLETE) {
+        status = psa_verify_hash_complete(&verify_operation);
+    }
+
+    TEST_ASSERT(status == PSA_SUCCESS);
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    verify_operation = psa_verify_hash_interruptible_operation_init();
+
+    if (input_data->len != 0) {
+        /* Flip a bit in the input and verify that the signature is now
+         * detected as invalid. Flip a bit at the beginning, not at the end,
+         * because ECDSA may ignore the last few bits of the input. */
+        input_data->x[0] ^= 1;
+
+        status = PSA_OPERATION_INCOMPLETE;
+
+        /* Start verification. */
+        PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                         input_data->x, input_data->len,
+                                         signature, signature_length));
+
+        /* Continue performing the signature until complete. */
+        while (status == PSA_OPERATION_INCOMPLETE) {
+            status = psa_verify_hash_complete(&verify_operation);
+        }
+
+        TEST_ASSERT(status ==  PSA_ERROR_INVALID_SIGNATURE);
+    }
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+    /*
+     * Key attributes may have been returned by psa_get_key_attributes()
+     * thus reset them as required.
+     */
+    psa_reset_key_attributes(&attributes);
+
+    psa_destroy_key(key);
+    mbedtls_free(signature);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void verify_hash(int key_type_arg, data_t *key_data,
                  int alg_arg, data_t *hash_data,
@@ -6591,6 +6784,71 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void verify_hash_interruptible(int key_type_arg, data_t *key_data,
+                               int alg_arg, data_t *hash_data,
+                               data_t *signature_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_status_t status = PSA_OPERATION_INCOMPLETE;
+    size_t num_ops = 0;
+    size_t num_ops_prior = 0;
+    psa_verify_hash_interruptible_operation_t operation =
+        psa_verify_hash_interruptible_operation_init();
+
+    TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+
+    num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Start verification. */
+    PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
+                                     hash_data->x, hash_data->len,
+                                     signature_data->x, signature_data->len)
+               );
+
+    num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Continue performing the signature until complete. */
+    while (status == PSA_OPERATION_INCOMPLETE) {
+        status = psa_verify_hash_complete(&operation);
+
+        if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+            num_ops = psa_verify_hash_get_num_ops(&operation);
+
+            TEST_ASSERT(num_ops > num_ops_prior);
+            num_ops_prior = num_ops;
+        }
+    }
+
+    TEST_ASSERT(status == PSA_SUCCESS);
+
+    PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+exit:
+    psa_reset_key_attributes(&attributes);
+    psa_destroy_key(key);
+    PSA_DONE();
+}
+/* END_CASE */
+
+
+
 /* BEGIN_CASE */
 void verify_hash_fail(int key_type_arg, data_t *key_data,
                       int alg_arg, data_t *hash_data,

From e04e15b766cabd682e51a56a86b28b6a74d82819 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 9 Dec 2022 19:27:06 +0000
Subject: [PATCH 08/70] Add Changelog entry

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 ChangeLog.d/add_interruptible_sign_hash | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/add_interruptible_sign_hash

diff --git a/ChangeLog.d/add_interruptible_sign_hash b/ChangeLog.d/add_interruptible_sign_hash
new file mode 100644
index 000000000..3d933038e
--- /dev/null
+++ b/ChangeLog.d/add_interruptible_sign_hash
@@ -0,0 +1,5 @@
+Features
+   * Add an interruptible version of sign and verify hash to the PSA interface,
+     backed by internal library support for ECDSA signing and verification.
+
+

From 9100797cb3373ba3c999a89b1ec8799ded2eaee5 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 16 Dec 2022 12:21:24 +0000
Subject: [PATCH 09/70] Negative tests

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     |  52 +++++++
 tests/suites/test_suite_psa_crypto.function | 156 +++++++++++++++++++-
 2 files changed, 206 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c45e168a3..fc6ae5c61 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4221,6 +4221,30 @@ PSA sign hash: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
 
+PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, output buffer too small
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL
+
+PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL
+
+PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT
+
+PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+
+PSA sign hash interruptible: invalid algorithm for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+
+PSA sign hash interruptible: deterministic ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE
+
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
 sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263"
@@ -4442,6 +4466,34 @@ PSA verify hash: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
 
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE
+
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+
+PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+
+PSA verify hash interruptible: invalid algorithm for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+
 PSA sign message: RSA PKCS#1 v1.5 SHA-256
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
 sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 9bf5039fc..d5141790d 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6572,6 +6572,89 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+                                  int alg_arg, data_t *input_data,
+                                  int signature_size_arg,
+                                  int expected_start_status_arg,
+                                  int expected_complete_status_arg)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t signature_size = signature_size_arg;
+    psa_status_t actual_status;
+    psa_status_t expected_start_status = expected_start_status_arg;
+    psa_status_t expected_complete_status = expected_complete_status_arg;
+    unsigned char *signature = NULL;
+    size_t signature_length = 0xdeadbeef;
+    size_t num_ops = 0;
+    size_t num_ops_prior = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_sign_hash_interruptible_operation_t operation =
+        psa_sign_hash_interruptible_operation_init();
+
+    ASSERT_ALLOC(signature, signature_size);
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+
+    num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Start performing the signature. */
+    actual_status = psa_sign_hash_start(&operation, key, alg,
+                                        input_data->x, input_data->len);
+
+    TEST_EQUAL(actual_status, expected_start_status);
+
+    num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    actual_status = PSA_OPERATION_INCOMPLETE;
+
+    /* Continue performing the signature until complete. */
+    while (actual_status == PSA_OPERATION_INCOMPLETE) {
+        actual_status = psa_sign_hash_complete(&operation, signature,
+                                               signature_size,
+                                               &signature_length);
+
+        /* If the psa_sign_hash_start() failed, psa_sign_hash_complete()
+         * should also fail with bad state. */
+        if (expected_start_status != PSA_SUCCESS) {
+            TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+        } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
+            TEST_EQUAL(actual_status, expected_complete_status);
+        } else {
+            num_ops = psa_sign_hash_get_num_ops(&operation);
+
+            TEST_ASSERT(num_ops > num_ops_prior);
+            num_ops_prior = num_ops;
+        }
+    }
+
+    PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+    /* The value of *signature_length is unspecified on error, but
+     * whatever it is, it should be less than signature_size, so that
+     * if the caller tries to read *signature_length bytes without
+     * checking the error code then they don't overflow a buffer. */
+    TEST_LE_U(signature_length, signature_size);
+
+exit:
+    psa_reset_key_attributes(&attributes);
+    psa_destroy_key(key);
+    mbedtls_free(signature);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void sign_verify_hash(int key_type_arg, data_t *key_data,
                       int alg_arg, data_t *input_data)
@@ -6847,8 +6930,6 @@ exit:
 }
 /* END_CASE */
 
-
-
 /* BEGIN_CASE */
 void verify_hash_fail(int key_type_arg, data_t *key_data,
                       int alg_arg, data_t *hash_data,
@@ -6883,6 +6964,77 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+                                    int alg_arg, data_t *hash_data,
+                                    data_t *signature_data,
+                                    int expected_start_status_arg,
+                                    int expected_complete_status_arg)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    psa_status_t actual_status;
+    psa_status_t expected_start_status = expected_start_status_arg;
+    psa_status_t expected_complete_status = expected_complete_status_arg;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    size_t num_ops = 0;
+    size_t num_ops_prior = 0;
+    psa_verify_hash_interruptible_operation_t operation =
+        psa_verify_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+
+    num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    /* Start verification. */
+    actual_status = psa_verify_hash_start(&operation, key, alg,
+                                          hash_data->x, hash_data->len,
+                                          signature_data->x,
+                                          signature_data->len);
+
+    TEST_EQUAL(actual_status, expected_start_status);
+
+    num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops_prior == 0);
+
+    actual_status = PSA_OPERATION_INCOMPLETE;
+
+    /* Continue performing the signature until complete. */
+    while (actual_status == PSA_OPERATION_INCOMPLETE) {
+        actual_status = psa_verify_hash_complete(&operation);
+
+        /* If the psa_verify_hash_start() failed,
+         * psa_verify_hash_complete() should also fail with bad state.*/
+        if (expected_start_status != PSA_SUCCESS) {
+            TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+        } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
+            TEST_EQUAL(actual_status, expected_complete_status);
+        } else {
+            num_ops = psa_verify_hash_get_num_ops(&operation);
+
+            TEST_ASSERT(num_ops > num_ops_prior);
+            num_ops_prior = num_ops;
+        }
+    }
+
+    PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+exit:
+    psa_reset_key_attributes(&attributes);
+    psa_destroy_key(key);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void sign_message_deterministic(int key_type_arg,
                                 data_t *key_data,

From 4cec2f60dc77a21d4a6016f3223a9acf14c8e551 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 16 Dec 2022 14:44:11 +0000
Subject: [PATCH 10/70] Add interruptible to psa_op_fail tests

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 .../test_suite_psa_crypto_op_fail.function    | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 046e3c3a0..970be84b4 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -221,6 +221,13 @@ void sign_fail(int key_type_arg, data_t *key_data,
     uint8_t input[1] = { 'A' };
     uint8_t output[PSA_SIGNATURE_MAX_SIZE] = { 0 };
     size_t length = SIZE_MAX;
+    psa_sign_hash_interruptible_operation_t sign_operation =
+        psa_sign_hash_interruptible_operation_init();
+
+    psa_verify_hash_interruptible_operation_t verify_operation =
+        psa_verify_hash_interruptible_operation_init();
+
+
 
     PSA_INIT();
 
@@ -237,6 +244,15 @@ void sign_fail(int key_type_arg, data_t *key_data,
                 psa_sign_hash(key_id, alg,
                               input, sizeof(input),
                               output, sizeof(output), &length));
+
+    if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+        TEST_STATUS(expected_status,
+                    psa_sign_hash_start(&sign_operation, key_id, alg,
+                                        input, sizeof(input)));
+
+        PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+    }
+
     if (!private_only) {
         /* Determine a plausible signature size to avoid an INVALID_SIGNATURE
          * error based on this. */
@@ -253,6 +269,15 @@ void sign_fail(int key_type_arg, data_t *key_data,
                     psa_verify_hash(key_id, alg,
                                     input, sizeof(input),
                                     output, output_length));
+
+        if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+            TEST_STATUS(expected_status,
+                        psa_verify_hash_start(&verify_operation, key_id, alg,
+                                              input, sizeof(input),
+                                              output, output_length));
+
+            PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+        }
     }
 
 exit:

From 0c68335a42af6a72f85a0862f18fb8cc03815616 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 16 Dec 2022 19:16:56 +0000
Subject: [PATCH 11/70] Convert tests to configurable max_ops

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     | 125 ++++++++++++++------
 tests/suites/test_suite_psa_crypto.function |  78 ++++++++++--
 2 files changed, 155 insertions(+), 48 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index fc6ae5c61..7164d275b 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,17 +4145,29 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
 
-PSA sign hash: interruptible ECDSA SECP256R1 SHA - 256
+PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign hash: interruptible ECDSA SECP256R1 SHA - 384
+PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca"
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign hash: interruptible ECDSA SECP384R1 SHA - 256
+PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+
+PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
@@ -4221,29 +4233,41 @@ PSA sign hash: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
 
-PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, output buffer too small
+PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (0)
+PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+
+PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+
+PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA sign hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA sign hash interruptible: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
@@ -4285,30 +4309,53 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
-PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 256
+PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 256
+PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 384
+PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 384
+PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign / verify hash interruptible: randomized ECDSA SECP384R1 SHA - 256
+PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA sign / verify hash interruptible: deterministic ECDSA SECP384R1 SHA - 256
+PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
+PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C
@@ -4432,11 +4479,11 @@ verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30
 
 PSA verify hash interruptible: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash interruptible with keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
@@ -4468,31 +4515,35 @@ verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab4543571264
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature of correct size
+PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+
+PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA verify hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
 PSA sign message: RSA PKCS#1 v1.5 SHA-256
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index d5141790d..ce5a240b2 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6447,7 +6447,8 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_hash_interruptible(int key_type_arg, data_t *key_data,
                              int alg_arg, data_t *input_data,
-                             data_t *output_data)
+                             data_t *output_data, int max_ops,
+                             int min_completes, int max_completes)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6460,6 +6461,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
+    size_t num_completes = 0;
     psa_sign_hash_interruptible_operation_t operation =
         psa_sign_hash_interruptible_operation_init();
 
@@ -6482,6 +6484,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
     TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
     ASSERT_ALLOC(signature, signature_size);
 
+    psa_interruptible_set_max_ops(max_ops);
+
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -6497,16 +6501,21 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
         status = psa_sign_hash_complete(&operation, signature, signature_size,
                                         &signature_length);
 
+        num_completes++;
+
         if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_sign_hash_get_num_ops(&operation);
-
             TEST_ASSERT(num_ops > num_ops_prior);
+
             num_ops_prior = num_ops;
         }
     }
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
     /* Verify that the signature is what is expected. */
     ASSERT_COMPARE(output_data->x, output_data->len,
                    signature, signature_length);
@@ -6577,7 +6586,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                   int alg_arg, data_t *input_data,
                                   int signature_size_arg,
                                   int expected_start_status_arg,
-                                  int expected_complete_status_arg)
+                                  int expected_complete_status_arg,
+                                  int max_ops, int min_completes,
+                                  int max_completes)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6590,6 +6601,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     size_t signature_length = 0xdeadbeef;
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
+    size_t num_completes = 0;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_sign_hash_interruptible_operation_t operation =
         psa_sign_hash_interruptible_operation_init();
@@ -6605,6 +6617,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
                               &key));
 
+    psa_interruptible_set_max_ops(max_ops);
+
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -6625,6 +6639,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                                signature_size,
                                                &signature_length);
 
+        num_completes++;
+
         /* If the psa_sign_hash_start() failed, psa_sign_hash_complete()
          * should also fail with bad state. */
         if (expected_start_status != PSA_SUCCESS) {
@@ -6633,8 +6649,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
             TEST_EQUAL(actual_status, expected_complete_status);
         } else {
             num_ops = psa_sign_hash_get_num_ops(&operation);
-
             TEST_ASSERT(num_ops > num_ops_prior);
+
             num_ops_prior = num_ops;
         }
     }
@@ -6647,6 +6663,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
      * checking the error code then they don't overflow a buffer. */
     TEST_LE_U(signature_length, signature_size);
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
 exit:
     psa_reset_key_attributes(&attributes);
     psa_destroy_key(key);
@@ -6727,7 +6746,9 @@ exit:
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
-                                    int alg_arg, data_t *input_data)
+                                    int alg_arg, data_t *input_data,
+                                    int max_ops, int min_completes,
+                                    int max_completes)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6738,6 +6759,7 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     size_t signature_length = 0xdeadbeef;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
+    size_t num_completes = 0;
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
     psa_verify_hash_interruptible_operation_t verify_operation =
@@ -6745,7 +6767,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_crypto_init());
 
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+                            PSA_KEY_USAGE_VERIFY_HASH);
     psa_set_key_algorithm(&attributes, alg);
     psa_set_key_type(&attributes, key_type);
 
@@ -6762,6 +6785,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
     ASSERT_ALLOC(signature, signature_size);
 
+    psa_interruptible_set_max_ops(max_ops);
+
     /* Start performing the signature. */
     PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
                                    input_data->x, input_data->len));
@@ -6769,18 +6794,25 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     /* Continue performing the signature until complete. */
     while (status == PSA_OPERATION_INCOMPLETE) {
 
-        status = psa_sign_hash_complete(&sign_operation, signature, signature_size,
+        status = psa_sign_hash_complete(&sign_operation, signature,
+                                        signature_size,
                                         &signature_length);
+
+        num_completes++;
     }
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
     PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
 
     /* Check that the signature length looks sensible. */
     TEST_LE_U(signature_length, signature_size);
     TEST_ASSERT(signature_length > 0);
 
+    num_completes = 0;
     status = PSA_OPERATION_INCOMPLETE;
 
     /* Start verification. */
@@ -6791,10 +6823,15 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     /* Continue performing the signature until complete. */
     while (status == PSA_OPERATION_INCOMPLETE) {
         status = psa_verify_hash_complete(&verify_operation);
+
+        num_completes++;
     }
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
     PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
 
     verify_operation = psa_verify_hash_interruptible_operation_init();
@@ -6870,7 +6907,8 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                int alg_arg, data_t *hash_data,
-                               data_t *signature_data)
+                               data_t *signature_data, int max_ops,
+                               int min_completes, int max_completes)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6879,6 +6917,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
+    size_t num_completes = 0;
     psa_verify_hash_interruptible_operation_t operation =
         psa_verify_hash_interruptible_operation_init();
 
@@ -6893,6 +6932,8 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
     PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
                               &key));
 
+    psa_interruptible_set_max_ops(max_ops);
+
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
 
     TEST_ASSERT(num_ops_prior == 0);
@@ -6911,16 +6952,21 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
     while (status == PSA_OPERATION_INCOMPLETE) {
         status = psa_verify_hash_complete(&operation);
 
+        num_completes++;
+
         if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_verify_hash_get_num_ops(&operation);
-
             TEST_ASSERT(num_ops > num_ops_prior);
+
             num_ops_prior = num_ops;
         }
     }
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
     PSA_ASSERT(psa_verify_hash_abort(&operation));
 
 exit:
@@ -6969,7 +7015,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                     int alg_arg, data_t *hash_data,
                                     data_t *signature_data,
                                     int expected_start_status_arg,
-                                    int expected_complete_status_arg)
+                                    int expected_complete_status_arg,
+                                    int max_ops, int min_completes,
+                                    int max_completes)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6980,6 +7028,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
+    size_t num_completes = 0;
     psa_verify_hash_interruptible_operation_t operation =
         psa_verify_hash_interruptible_operation_init();
 
@@ -6992,6 +7041,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
                               &key));
 
+    psa_interruptible_set_max_ops(max_ops);
+
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -7012,6 +7063,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     while (actual_status == PSA_OPERATION_INCOMPLETE) {
         actual_status = psa_verify_hash_complete(&operation);
 
+        num_completes++;
+
         /* If the psa_verify_hash_start() failed,
          * psa_verify_hash_complete() should also fail with bad state.*/
         if (expected_start_status != PSA_SUCCESS) {
@@ -7020,12 +7073,15 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
             TEST_EQUAL(actual_status, expected_complete_status);
         } else {
             num_ops = psa_verify_hash_get_num_ops(&operation);
-
             TEST_ASSERT(num_ops > num_ops_prior);
+
             num_ops_prior = num_ops;
         }
     }
 
+    TEST_LE_U(min_completes, num_completes);
+    TEST_LE_U(num_completes, max_completes);
+
     PSA_ASSERT(psa_verify_hash_abort(&operation));
 
 exit:

From 20a360679b41f7139bbdf13b5eb2a4bdac2332e1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 18 Dec 2022 13:21:25 +0000
Subject: [PATCH 12/70] Add State tests

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     |   4 +
 tests/suites/test_suite_psa_crypto.function | 202 ++++++++++++++++++++
 2 files changed, 206 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 7164d275b..e6da057da 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4545,6 +4545,10 @@ PSA verify hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
 
+PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
 PSA sign message: RSA PKCS#1 v1.5 SHA-256
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
 sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index ce5a240b2..6860f7f07 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7091,6 +7091,208 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
+                                   int alg_arg, data_t *input_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t key_bits;
+    unsigned char *signature = NULL;
+    size_t signature_size;
+    size_t signature_length = 0xdeadbeef;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_sign_hash_interruptible_operation_t sign_operation =
+        psa_sign_hash_interruptible_operation_init();
+    psa_verify_hash_interruptible_operation_t verify_operation =
+        psa_verify_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+                            PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+    PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+    key_bits = psa_get_key_bits(&attributes);
+
+    /* Allocate a buffer which has the size advertised by the
+     * library. */
+    signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+                                          key_bits, alg);
+    TEST_ASSERT(signature_size != 0);
+    TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+    ASSERT_ALLOC(signature, signature_size);
+
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    /* --- Attempt completes prior to starts --- */
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length),
+               PSA_ERROR_BAD_STATE);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+               PSA_ERROR_BAD_STATE);
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    /* --- Aborts in all other places. --- */
+    psa_sign_hash_abort(&sign_operation);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    psa_interruptible_set_max_ops(1);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length),
+               PSA_OPERATION_INCOMPLETE);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length));
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    psa_interruptible_set_max_ops(1);
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+               PSA_OPERATION_INCOMPLETE);
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    /* --- Attempt double starts. --- */
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len),
+               PSA_ERROR_BAD_STATE);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length),
+               PSA_ERROR_BAD_STATE);
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    /* --- Ensure changing the max ops mid operation works (operation should
+     *     complete successfully after setting max ops to unlimited --- */
+    psa_interruptible_set_max_ops(1);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length),
+               PSA_OPERATION_INCOMPLETE);
+
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length));
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    psa_interruptible_set_max_ops(1);
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_length));
+
+    TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+               PSA_OPERATION_INCOMPLETE);
+
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+    /* --- Change function inputs mid run, to cause an error (sign only,
+     *     verify passes all inputs to start. --- */
+
+    psa_interruptible_set_max_ops(1);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length),
+               PSA_OPERATION_INCOMPLETE);
+
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      0,
+                                      &signature_length),
+               PSA_ERROR_BUFFER_TOO_SMALL);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+exit:
+    /*
+     * Key attributes may have been returned by psa_get_key_attributes()
+     * thus reset them as required.
+     */
+    psa_reset_key_attributes(&attributes);
+
+    psa_destroy_key(key);
+    mbedtls_free(signature);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void sign_message_deterministic(int key_type_arg,
                                 data_t *key_data,

From 59ad9457b6a8036773ca255663f0e9edc6fca6d7 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 18 Dec 2022 15:09:02 +0000
Subject: [PATCH 13/70] Add {sign/verify}_hash_abort_internal

Ensure that num_ops is cleared when manual abort is called, but obviously not
when an operation just completes, and test this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c                        | 62 ++++++++++++++++-----
 tests/suites/test_suite_psa_crypto.function | 12 ++++
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index e3be65013..f7228bc4b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3155,6 +3155,25 @@ uint32_t psa_verify_hash_get_num_ops(
     return operation->num_ops;
 }
 
+static psa_status_t psa_sign_hash_abort_internal(
+    psa_sign_hash_interruptible_operation_t *operation)
+{
+    if (operation->id == 0) {
+        /* The object has (apparently) been initialized but it is not (yet)
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+        return PSA_SUCCESS;
+    }
+
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    status = psa_driver_wrapper_sign_hash_abort(operation);
+
+    operation->id = 0;
+
+    return status;
+}
+
 psa_status_t psa_sign_hash_start(
     psa_sign_hash_interruptible_operation_t *operation,
     mbedtls_svc_key_id_t key, psa_algorithm_t alg,
@@ -3202,7 +3221,7 @@ psa_status_t psa_sign_hash_start(
 exit:
 
     if (status != PSA_SUCCESS) {
-        psa_sign_hash_abort(operation);
+        psa_sign_hash_abort_internal(operation);
     }
 
     unlock_status = psa_unlock_key_slot(slot);
@@ -3259,7 +3278,7 @@ exit:
         /* If signature_size is 0 then we have nothing to do. We must not
          * call memset because signature may be NULL in this case.*/
 
-        psa_sign_hash_abort(operation);
+        psa_sign_hash_abort_internal(operation);
     }
 
     return status;
@@ -3267,6 +3286,20 @@ exit:
 
 psa_status_t psa_sign_hash_abort(
     psa_sign_hash_interruptible_operation_t *operation)
+{
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    status = psa_sign_hash_abort_internal(operation);
+
+    /* We clear the number of ops done here, so that it is not cleared when
+     * the operation fails or succeeds, only on manual abort. */
+    operation->num_ops = 0;
+
+    return status;
+}
+
+static psa_status_t psa_verify_hash_abort_internal(
+    psa_verify_hash_interruptible_operation_t *operation)
 {
     if (operation->id == 0) {
         /* The object has (apparently) been initialized but it is not (yet)
@@ -3275,11 +3308,13 @@ psa_status_t psa_sign_hash_abort(
         return PSA_SUCCESS;
     }
 
-    psa_driver_wrapper_sign_hash_abort(operation);
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    status = psa_driver_wrapper_verify_hash_abort(operation);
 
     operation->id = 0;
 
-    return PSA_SUCCESS;
+    return status;
 }
 
 psa_status_t psa_verify_hash_start(
@@ -3324,7 +3359,7 @@ psa_status_t psa_verify_hash_start(
                                                   signature, signature_length);
 
     if (status != PSA_SUCCESS) {
-        psa_verify_hash_abort(operation);
+        psa_verify_hash_abort_internal(operation);
     }
 
     unlock_status = psa_unlock_key_slot(slot);
@@ -3354,7 +3389,7 @@ exit:
         operation);
 
     if (status != PSA_OPERATION_INCOMPLETE) {
-        psa_verify_hash_abort(operation);
+        psa_verify_hash_abort_internal(operation);
     }
 
     return status;
@@ -3363,18 +3398,15 @@ exit:
 psa_status_t psa_verify_hash_abort(
     psa_verify_hash_interruptible_operation_t *operation)
 {
-    if (operation->id == 0) {
-        /* The object has (apparently) been initialized but it is not (yet)
-         * in use. It's ok to call abort on such an object, and there's
-         * nothing to do. */
-        return PSA_SUCCESS;
-    }
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
-    psa_driver_wrapper_verify_hash_abort(operation);
+    status = psa_verify_hash_abort_internal(operation);
 
-    operation->id = 0;
+    /* We clear the number of ops done here, so that it is not cleared when
+     * the operation fails or succeeds, only on manual abort. */
+    operation->num_ops = 0;
 
-    return PSA_SUCCESS;
+    return status;
 }
 
 /****************************************************************/
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 6860f7f07..21965cfca 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6522,6 +6522,9 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_sign_hash_abort(&operation));
 
+    num_ops = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops == 0);
+
 exit:
 
     /*
@@ -6657,6 +6660,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_sign_hash_abort(&operation));
 
+    num_ops = psa_sign_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops == 0);
+
     /* The value of *signature_length is unspecified on error, but
      * whatever it is, it should be less than signature_size, so that
      * if the caller tries to read *signature_length bytes without
@@ -6969,6 +6975,9 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_verify_hash_abort(&operation));
 
+    num_ops = psa_verify_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops == 0);
+
 exit:
     psa_reset_key_attributes(&attributes);
     psa_destroy_key(key);
@@ -7084,6 +7093,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_verify_hash_abort(&operation));
 
+    num_ops = psa_verify_hash_get_num_ops(&operation);
+    TEST_ASSERT(num_ops == 0);
+
 exit:
     psa_reset_key_attributes(&attributes);
     psa_destroy_key(key);

From c5c6963d07c5ca423ecf5b57cfdac220ab36a2c9 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Tue, 3 Jan 2023 17:07:05 +0000
Subject: [PATCH 14/70] Remove #endif from between testcases

Signed-off-by: David Horstmann <david.horstmann@arm.com>

From 3225f198030bd07535e163013215d2583e64827c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 10 Jan 2023 12:03:12 +0000
Subject: [PATCH 15/70] Fix ecdsa.h documentation error

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/mbedtls/ecdsa.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 1741d2c20..c5d9701f6 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -416,6 +416,8 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
  *                  initialized restart context.
  *
  * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
  *                  error code on failure.
  */
@@ -474,8 +476,6 @@ int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
  *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
  * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
  *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */

From 7cc4e816c16df362c0723694d1e2941d2166a70c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 10 Jan 2023 17:14:11 +0000
Subject: [PATCH 16/70] Ensure max ops gets set regardless of having built-in
 implementation

Set the psa level global anyway, regardless of having a built in
implementation, to match the set function. Also, ensure that value returned
is the same as value passed in, irregardless of internal implementation
requirements.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f7228bc4b..efad51035 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3419,6 +3419,8 @@ static uint32_t mbedtls_psa_interruptible_max_ops =
 
 void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
 {
+    mbedtls_psa_interruptible_max_ops = max_ops;
+
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
@@ -3429,10 +3431,7 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
         max_ops = 1;
     }
 
-    mbedtls_psa_interruptible_max_ops = max_ops;
     mbedtls_ecp_set_max_ops(max_ops);
-#else
-    (void) max_ops;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
         * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
         * defined( MBEDTLS_ECP_RESTARTABLE ) */
@@ -3497,8 +3496,9 @@ psa_status_t mbedtls_psa_sign_hash_start(
 #endif
 
             /* Ensure default is set even if
-             * mbedtls_psa_interruptible_get_max_ops() has not been called. */
-            mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops());
+             * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+            mbedtls_psa_interruptible_set_max_ops(
+                mbedtls_psa_interruptible_get_max_ops());
 
             status = mbedtls_psa_ecp_load_representation(attributes->core.type,
                                                          attributes->core.bits,
@@ -3685,8 +3685,9 @@ psa_status_t mbedtls_psa_verify_hash_start(
             defined(MBEDTLS_ECP_RESTARTABLE)
 
             /* Ensure default is set even if
-             * mbedtls_psa_interruptible_get_max_ops() has not been called. */
-            mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops());
+             * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+            mbedtls_psa_interruptible_set_max_ops(
+                mbedtls_psa_interruptible_get_max_ops());
 
             status = mbedtls_psa_ecp_load_representation(attributes->core.type,
                                                          attributes->core.bits,

From 749dec54effb21db2e9f3036b451144f8652dcf1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 16 Jan 2023 12:18:46 +0000
Subject: [PATCH 17/70] Clean up structure include guards

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index 0f1220de9..c5a37e63d 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -138,13 +138,12 @@ typedef struct {
 /* Context structure for the Mbed TLS interruptible verify hash
  * implementation.*/
 typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
 
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
-#if defined(MBEDTLS_ECP_RESTARTABLE)
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
 
     size_t MBEDTLS_PRIVATE(curve_bytes);
     const uint8_t *MBEDTLS_PRIVATE(hash);
@@ -153,7 +152,9 @@ typedef struct {
     mbedtls_mpi MBEDTLS_PRIVATE(r);
     mbedtls_mpi MBEDTLS_PRIVATE(s);
 
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA &&
+        * MBEDTLS_ECP_RESTARTABLE */
 
 } mbedtls_psa_verify_hash_interruptible_operation_t;
 

From 068fe0774029c658a295abf1369bd113cb7aa551 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 16 Jan 2023 13:59:15 +0000
Subject: [PATCH 18/70] Improve indentation of hash start functions

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 230 +++++++++++++++++++++----------------------
 1 file changed, 115 insertions(+), 115 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index efad51035..ee9e0412c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3482,69 +3482,69 @@ psa_status_t mbedtls_psa_sign_hash_start(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
-    if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
-        if (PSA_ALG_IS_ECDSA(alg)) {
+    if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
+    if (!PSA_ALG_IS_ECDSA(alg)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
-            defined(MBEDTLS_ECP_RESTARTABLE)
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
 
 #if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
-            if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
-                return PSA_ERROR_NOT_SUPPORTED;
-            }
+    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
 #endif
 
-            /* Ensure default is set even if
-             * mbedtls_psa_interruptible_set_max_ops() has not been called. */
-            mbedtls_psa_interruptible_set_max_ops(
-                mbedtls_psa_interruptible_get_max_ops());
+    /* Ensure default is set even if
+     * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+    mbedtls_psa_interruptible_set_max_ops(
+        mbedtls_psa_interruptible_get_max_ops());
 
-            status = mbedtls_psa_ecp_load_representation(attributes->core.type,
-                                                         attributes->core.bits,
-                                                         key_buffer,
-                                                         key_buffer_size,
-                                                         &operation->ctx);
+    status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                 attributes->core.bits,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &operation->ctx);
 
-            if (status != PSA_SUCCESS) {
-                return status;
-            }
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
 
-            mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-            mbedtls_mpi_init(&operation->r);
-            mbedtls_mpi_init(&operation->s);
+    mbedtls_mpi_init(&operation->r);
+    mbedtls_mpi_init(&operation->s);
 
-            operation->curve_bytes = PSA_BITS_TO_BYTES(
-                operation->ctx->grp.pbits);
+    operation->curve_bytes = PSA_BITS_TO_BYTES(
+        operation->ctx->grp.pbits);
 
-            psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
-            operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
-            operation->alg = alg;
+    psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+    operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+    operation->alg = alg;
 
-            operation->hash = hash;
-            operation->hash_length = hash_length;
+    operation->hash = hash;
+    operation->hash_length = hash_length;
+
+    return PSA_SUCCESS;
 
 #else
-            (void) operation;
-            (void) key_buffer;
-            (void) key_buffer_size;
-            (void) alg;
-            (void) hash;
-            (void) hash_length;
+    (void) operation;
+    (void) key_buffer;
+    (void) key_buffer_size;
+    (void) alg;
+    (void) hash;
+    (void) hash_length;
+    (void) status;
 
-            return PSA_ERROR_NOT_SUPPORTED;
+    return PSA_ERROR_NOT_SUPPORTED;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
         * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
         * defined( MBEDTLS_ECP_RESTARTABLE ) */
-        } else {
-            status = PSA_ERROR_INVALID_ARGUMENT;
-        }
-    } else {
-        status = PSA_ERROR_NOT_SUPPORTED;
-    }
-
-    return status;
 }
 
 psa_status_t mbedtls_psa_sign_hash_complete(
@@ -3677,99 +3677,99 @@ psa_status_t mbedtls_psa_verify_hash_start(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
-    if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
-        if (PSA_ALG_IS_ECDSA(alg)) {
+    if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
+    if (!PSA_ALG_IS_ECDSA(alg)) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
-            defined(MBEDTLS_ECP_RESTARTABLE)
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
 
-            /* Ensure default is set even if
-             * mbedtls_psa_interruptible_set_max_ops() has not been called. */
-            mbedtls_psa_interruptible_set_max_ops(
-                mbedtls_psa_interruptible_get_max_ops());
+    /* Ensure default is set even if
+     * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+    mbedtls_psa_interruptible_set_max_ops(
+        mbedtls_psa_interruptible_get_max_ops());
 
-            status = mbedtls_psa_ecp_load_representation(attributes->core.type,
-                                                         attributes->core.bits,
-                                                         key_buffer,
-                                                         key_buffer_size,
-                                                         &operation->ctx);
+    status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                 attributes->core.bits,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &operation->ctx);
 
-            if (status != PSA_SUCCESS) {
-                return status;
-            }
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
 
-            operation->curve_bytes = PSA_BITS_TO_BYTES(
-                operation->ctx->grp.pbits);
+    operation->curve_bytes = PSA_BITS_TO_BYTES(
+        operation->ctx->grp.pbits);
 
 
-            if (signature_length != 2 * operation->curve_bytes) {
-                return PSA_ERROR_INVALID_SIGNATURE;
-            }
+    if (signature_length != 2 * operation->curve_bytes) {
+        return PSA_ERROR_INVALID_SIGNATURE;
+    }
 
-            mbedtls_mpi_init(&operation->r);
-            status = mbedtls_to_psa_error(
-                mbedtls_mpi_read_binary(&operation->r,
-                                        signature,
-                                        operation->curve_bytes));
+    mbedtls_mpi_init(&operation->r);
+    status = mbedtls_to_psa_error(
+        mbedtls_mpi_read_binary(&operation->r,
+                                signature,
+                                operation->curve_bytes));
 
-            if (status != PSA_SUCCESS) {
-                return status;
-            }
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
 
-            mbedtls_mpi_init(&operation->s);
-            status = mbedtls_to_psa_error(
-                mbedtls_mpi_read_binary(&operation->s,
-                                        signature +
-                                        operation->curve_bytes,
-                                        operation->curve_bytes));
+    mbedtls_mpi_init(&operation->s);
+    status = mbedtls_to_psa_error(
+        mbedtls_mpi_read_binary(&operation->s,
+                                signature +
+                                operation->curve_bytes,
+                                operation->curve_bytes));
 
-            if (status != PSA_SUCCESS) {
-                return status;
-            }
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
 
-            /* Check whether the public part is loaded. If not, load it. */
-            if (mbedtls_ecp_is_zero(&operation->ctx->Q)) {
-                int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    /* Check whether the public part is loaded. If not, load it. */
+    if (mbedtls_ecp_is_zero(&operation->ctx->Q)) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-                ret = mbedtls_ecp_mul(&operation->ctx->grp,
-                                      &operation->ctx->Q,
-                                      &operation->ctx->d,
-                                      &operation->ctx->grp.G,
-                                      mbedtls_psa_get_random,
-                                      MBEDTLS_PSA_RANDOM_STATE);
+        ret = mbedtls_ecp_mul(&operation->ctx->grp,
+                              &operation->ctx->Q,
+                              &operation->ctx->d,
+                              &operation->ctx->grp.G,
+                              mbedtls_psa_get_random,
+                              MBEDTLS_PSA_RANDOM_STATE);
 
-                if (ret != 0) {
-                    return mbedtls_to_psa_error(ret);
-                }
-            }
+        if (ret != 0) {
+            return mbedtls_to_psa_error(ret);
+        }
+    }
 
-            mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-            operation->hash = hash;
-            operation->hash_length = hash_length;
+    operation->hash = hash;
+    operation->hash_length = hash_length;
+
+    return PSA_SUCCESS;
 #else
-            (void) operation;
-            (void) key_buffer;
-            (void) key_buffer_size;
-            (void) alg;
-            (void) hash;
-            (void) hash_length;
-            (void) signature;
-            (void) signature_length;
+    (void) operation;
+    (void) key_buffer;
+    (void) key_buffer_size;
+    (void) alg;
+    (void) hash;
+    (void) hash_length;
+    (void) signature;
+    (void) signature_length;
+    (void) status;
 
-            return PSA_ERROR_NOT_SUPPORTED;
+    return PSA_ERROR_NOT_SUPPORTED;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
         * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
         * defined( MBEDTLS_ECP_RESTARTABLE ) */
-        } else {
-            status = PSA_ERROR_INVALID_ARGUMENT;
-        }
-    } else {
-        status = PSA_ERROR_NOT_SUPPORTED;
-    }
-
-    return status;
 }
 
 psa_status_t mbedtls_psa_verify_hash_complete(

From 6ee2408d26302705773b4f134e7b94775d8cbac7 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 16 Jan 2023 14:00:41 +0000
Subject: [PATCH 19/70] Remove deterministic alg restriction on sign hash

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ee9e0412c..748cb13f8 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3494,12 +3494,6 @@ psa_status_t mbedtls_psa_sign_hash_start(
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-#if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
-    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
-        return PSA_ERROR_NOT_SUPPORTED;
-    }
-#endif
-
     /* Ensure default is set even if
      * mbedtls_psa_interruptible_set_max_ops() has not been called. */
     mbedtls_psa_interruptible_set_max_ops(

From edfc8835688af22c073a6acd14d2fa24be33488f Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 20 Jan 2023 17:13:10 +0000
Subject: [PATCH 20/70] Change test loops over to do...while

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 35 +++++++++------------
 1 file changed, 14 insertions(+), 21 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 21965cfca..aaf9d8657 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6497,7 +6497,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
     TEST_ASSERT(num_ops_prior == 0);
 
     /* Continue performing the signature until complete. */
-    while (status == PSA_OPERATION_INCOMPLETE) {
+    do {
         status = psa_sign_hash_complete(&operation, signature, signature_size,
                                         &signature_length);
 
@@ -6509,7 +6509,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
 
             num_ops_prior = num_ops;
         }
-    }
+    } while (status == PSA_OPERATION_INCOMPLETE);
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
@@ -6634,10 +6634,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
-    actual_status = PSA_OPERATION_INCOMPLETE;
-
     /* Continue performing the signature until complete. */
-    while (actual_status == PSA_OPERATION_INCOMPLETE) {
+    do {
         actual_status = psa_sign_hash_complete(&operation, signature,
                                                signature_size,
                                                &signature_length);
@@ -6656,7 +6654,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
             num_ops_prior = num_ops;
         }
-    }
+    } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
     PSA_ASSERT(psa_sign_hash_abort(&operation));
 
@@ -6798,14 +6796,14 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                    input_data->x, input_data->len));
 
     /* Continue performing the signature until complete. */
-    while (status == PSA_OPERATION_INCOMPLETE) {
+    do {
 
         status = psa_sign_hash_complete(&sign_operation, signature,
                                         signature_size,
                                         &signature_length);
 
         num_completes++;
-    }
+    } while (status == PSA_OPERATION_INCOMPLETE);
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
@@ -6819,7 +6817,6 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     TEST_ASSERT(signature_length > 0);
 
     num_completes = 0;
-    status = PSA_OPERATION_INCOMPLETE;
 
     /* Start verification. */
     PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
@@ -6827,11 +6824,11 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                      signature, signature_length));
 
     /* Continue performing the signature until complete. */
-    while (status == PSA_OPERATION_INCOMPLETE) {
+    do {
         status = psa_verify_hash_complete(&verify_operation);
 
         num_completes++;
-    }
+    } while (status == PSA_OPERATION_INCOMPLETE);
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
@@ -6848,17 +6845,15 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
          * because ECDSA may ignore the last few bits of the input. */
         input_data->x[0] ^= 1;
 
-        status = PSA_OPERATION_INCOMPLETE;
-
         /* Start verification. */
         PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
                                          input_data->x, input_data->len,
                                          signature, signature_length));
 
         /* Continue performing the signature until complete. */
-        while (status == PSA_OPERATION_INCOMPLETE) {
+        do {
             status = psa_verify_hash_complete(&verify_operation);
-        }
+        } while (status == PSA_OPERATION_INCOMPLETE);
 
         TEST_ASSERT(status ==  PSA_ERROR_INVALID_SIGNATURE);
     }
@@ -6955,7 +6950,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
     TEST_ASSERT(num_ops_prior == 0);
 
     /* Continue performing the signature until complete. */
-    while (status == PSA_OPERATION_INCOMPLETE) {
+    do {
         status = psa_verify_hash_complete(&operation);
 
         num_completes++;
@@ -6966,7 +6961,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
             num_ops_prior = num_ops;
         }
-    }
+    } while (status == PSA_OPERATION_INCOMPLETE);
 
     TEST_ASSERT(status == PSA_SUCCESS);
 
@@ -7066,10 +7061,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
-    actual_status = PSA_OPERATION_INCOMPLETE;
-
     /* Continue performing the signature until complete. */
-    while (actual_status == PSA_OPERATION_INCOMPLETE) {
+    do {
         actual_status = psa_verify_hash_complete(&operation);
 
         num_completes++;
@@ -7086,7 +7079,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
             num_ops_prior = num_ops;
         }
-    }
+    } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
     TEST_LE_U(min_completes, num_completes);
     TEST_LE_U(num_completes, max_completes);

From 334d726d408aa79be8b55da126c17a93cfc70ff4 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 20 Jan 2023 17:29:41 +0000
Subject: [PATCH 21/70] Ensure ops are tested on successful 'fail' tests

Make sure the number of ops is tested in the interruptible failure tests,
should they get through the interruptible loop part.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 34 ++++++++++++---------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index aaf9d8657..d89afa336 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6642,13 +6642,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
         num_completes++;
 
-        /* If the psa_sign_hash_start() failed, psa_sign_hash_complete()
-         * should also fail with bad state. */
-        if (expected_start_status != PSA_SUCCESS) {
-            TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-        } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
-            TEST_EQUAL(actual_status, expected_complete_status);
-        } else {
+        if (actual_status == PSA_SUCCESS ||
+            actual_status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_sign_hash_get_num_ops(&operation);
             TEST_ASSERT(num_ops > num_ops_prior);
 
@@ -6656,6 +6651,14 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         }
     } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
+    /* If the psa_sign_hash_start() failed, psa_sign_hash_complete()
+     * should also fail with bad state. */
+    if (expected_start_status != PSA_SUCCESS) {
+        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+    } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
+        TEST_EQUAL(actual_status, expected_complete_status);
+    }
+
     PSA_ASSERT(psa_sign_hash_abort(&operation));
 
     num_ops = psa_sign_hash_get_num_ops(&operation);
@@ -7067,13 +7070,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
         num_completes++;
 
-        /* If the psa_verify_hash_start() failed,
-         * psa_verify_hash_complete() should also fail with bad state.*/
-        if (expected_start_status != PSA_SUCCESS) {
-            TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-        } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
-            TEST_EQUAL(actual_status, expected_complete_status);
-        } else {
+        if (actual_status == PSA_SUCCESS ||
+            actual_status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_verify_hash_get_num_ops(&operation);
             TEST_ASSERT(num_ops > num_ops_prior);
 
@@ -7081,6 +7079,14 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         }
     } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
+    /* If the psa_verify_hash_start() failed,
+     * psa_verify_hash_complete() should also fail with bad state.*/
+    if (expected_start_status != PSA_SUCCESS) {
+        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+    } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
+        TEST_EQUAL(actual_status, expected_complete_status);
+    }
+
     TEST_LE_U(min_completes, num_completes);
     TEST_LE_U(num_completes, max_completes);
 

From 97ac7d9090fdbef679f797c7709f0f5bdebb5dfe Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 23 Jan 2023 18:09:06 +0000
Subject: [PATCH 22/70] Calculate min/max completes rather than passing in to
 test

Only 2 options were really possible anyway - complete in 1 op, or somewhere
between 2 and max ops. Anything else we cannot test due to implementation
specifics.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     | 74 ++++++++++-----------
 tests/suites/test_suite_psa_crypto.function | 74 ++++++++++++++++++---
 2 files changed, 101 insertions(+), 47 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index e6da057da..a00f8ed4c 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4147,27 +4147,27 @@ sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8
 
 PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1
 
 PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1
 
 PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1
 
 PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
@@ -4235,39 +4235,39 @@ sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1
 
 PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
@@ -4311,51 +4311,51 @@ sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280
 
 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
-sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
 PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C
@@ -4479,11 +4479,11 @@ verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30
 
 PSA verify hash interruptible: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible with keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
@@ -4515,35 +4515,35 @@ verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab4543571264
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA verify hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index d89afa336..7f50e960c 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6447,8 +6447,7 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_hash_interruptible(int key_type_arg, data_t *key_data,
                              int alg_arg, data_t *input_data,
-                             data_t *output_data, int max_ops,
-                             int min_completes, int max_completes)
+                             data_t *output_data, int max_ops)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6462,6 +6461,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
+    size_t min_completes = 0;
+    size_t max_completes = 0;
     psa_sign_hash_interruptible_operation_t operation =
         psa_sign_hash_interruptible_operation_init();
 
@@ -6486,6 +6487,14 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
+    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
+        min_completes = 1;
+        max_completes = 1;
+    } else {
+        min_completes = 2;
+        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    }
+
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -6590,8 +6599,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                   int signature_size_arg,
                                   int expected_start_status_arg,
                                   int expected_complete_status_arg,
-                                  int max_ops, int min_completes,
-                                  int max_completes)
+                                  int max_ops)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6605,6 +6613,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
+    size_t min_completes = 0;
+    size_t max_completes = 0;
+
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_sign_hash_interruptible_operation_t operation =
         psa_sign_hash_interruptible_operation_init();
@@ -6622,6 +6633,20 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
+    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
+        min_completes = 1;
+        max_completes = 1;
+    } else {
+        /* Unfortunate, but failure cases tend to fail on the first op. */
+        if (expected_complete_status == PSA_SUCCESS) {
+            min_completes = 2;
+        } else {
+            min_completes = 1;
+        }
+
+        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    }
+
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -6754,8 +6779,7 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                     int alg_arg, data_t *input_data,
-                                    int max_ops, int min_completes,
-                                    int max_completes)
+                                    int max_ops)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6767,6 +6791,9 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
     size_t num_completes = 0;
+    size_t min_completes = 0;
+    size_t max_completes = 0;
+
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
     psa_verify_hash_interruptible_operation_t verify_operation =
@@ -6794,6 +6821,14 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
+    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
+        min_completes = 1;
+        max_completes = 1;
+    } else {
+        min_completes = 2;
+        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    }
+
     /* Start performing the signature. */
     PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
                                    input_data->x, input_data->len));
@@ -6911,8 +6946,7 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                int alg_arg, data_t *hash_data,
-                               data_t *signature_data, int max_ops,
-                               int min_completes, int max_completes)
+                               data_t *signature_data, int max_ops)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6922,6 +6956,9 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
+    size_t min_completes = 0;
+    size_t max_completes = 0;
+
     psa_verify_hash_interruptible_operation_t operation =
         psa_verify_hash_interruptible_operation_init();
 
@@ -6938,6 +6975,14 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
+    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
+        min_completes = 1;
+        max_completes = 1;
+    } else {
+        min_completes = 2;
+        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    }
+
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
 
     TEST_ASSERT(num_ops_prior == 0);
@@ -7023,8 +7068,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                     data_t *signature_data,
                                     int expected_start_status_arg,
                                     int expected_complete_status_arg,
-                                    int max_ops, int min_completes,
-                                    int max_completes)
+                                    int max_ops)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -7036,6 +7080,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     size_t num_ops = 0;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
+    size_t min_completes = 0;
+    size_t max_completes = 0;
     psa_verify_hash_interruptible_operation_t operation =
         psa_verify_hash_interruptible_operation_init();
 
@@ -7050,6 +7096,14 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
+    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
+        min_completes = 1;
+        max_completes = 1;
+    } else {
+        min_completes = 2;
+        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    }
+
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 

From 62dfb95993f3713b4de9f2e4b303e33d653ba85b Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 24 Jan 2023 11:29:24 +0000
Subject: [PATCH 23/70] Fix broken negative test

Test for unsupported deterministic ECDSA was originally passing due to
incorrect code, fixing the code unfortunately broke the test.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index a00f8ed4c..0c4941f59 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4265,9 +4265,13 @@ PSA sign hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible: deterministic ECDSA not supported
+PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
+
+PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C

From 90a91f041c10cf45c3a3ffb178346cace93a5453 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 24 Jan 2023 15:23:25 +0000
Subject: [PATCH 24/70] Ensure structs are not empty even if ECDSA not
 supported

Also make previous changes apply to both interruptible sign hash operation
structures rather than just the one as it was.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index c5a37e63d..ac065c163 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -111,13 +111,11 @@ typedef struct {
 
 /* Context structure for the Mbed TLS interruptible sign hash implementation. */
 typedef struct {
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
-#if defined(MBEDTLS_ECP_RESTARTABLE)
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
 
     size_t MBEDTLS_PRIVATE(curve_bytes);
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
@@ -128,8 +126,13 @@ typedef struct {
     mbedtls_mpi MBEDTLS_PRIVATE(r);
     mbedtls_mpi MBEDTLS_PRIVATE(s);
 
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
+#else
+    /* Make the struct non-empty if algs not supported. */
+    unsigned MBEDTLS_PRIVATE(dummy);
 
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA &&
+        * MBEDTLS_ECP_RESTARTABLE */
 } mbedtls_psa_sign_hash_interruptible_operation_t;
 
 #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \
@@ -152,6 +155,10 @@ typedef struct {
     mbedtls_mpi MBEDTLS_PRIVATE(r);
     mbedtls_mpi MBEDTLS_PRIVATE(s);
 
+#else
+    /* Make the struct non-empty if algs not supported. */
+    unsigned MBEDTLS_PRIVATE(dummy);
+
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
         * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA &&
         * MBEDTLS_ECP_RESTARTABLE */

From c4e2be86ef4d4448fa03789691414781e000e41c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 25 Jan 2023 12:42:59 +0000
Subject: [PATCH 25/70] Fix incorrect test dependancies

Test for not having determnistic ECDSA was also being run when no ECDSA, and
this fails earlier. Fixed this and added a specific test for no ECDSA. Also
fixed (swapped) incorrect test descriptions.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 0c4941f59..0cb5f85f3 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4265,13 +4265,17 @@ PSA sign hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
+PSA sign hash interruptible: ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
 PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C

From cb23311bd012b3206471840cb3904657994d018d Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 26 Jan 2023 14:54:47 +0000
Subject: [PATCH 26/70] Fix incorrect test dependencies part 2

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 0cb5f85f3..486a54457 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4266,7 +4266,7 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported

From 1b49ef538443fcd008387cf570028cb6bbf026bf Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 14:27:32 +0000
Subject: [PATCH 27/70] Fix abort documentation.

Make it clear that these functions reset the number of ops, and remove
statements that say they have no effect.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto.h | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 482b58288..d371e1a1c 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -4430,7 +4430,13 @@ psa_status_t psa_sign_hash_complete(
  * \warning                     This is a beta API, and thus subject to change
  *                              at any point. It is not bound by the usual
  *                              interface stability promises.
-
+ *
+ * \note                        This function is the only function that clears
+ *                              the number of ops completed as part of the
+ *                              operation. Please ensure you copy this value via
+ *                              \c psa_sign_hash_get_num_ops() if required
+ *                              before calling.
+ *
  * \note                        Aborting an operation frees all associated
  *                              resources except for the \p operation structure
  *                              itself. Once aborted, the operation object can
@@ -4442,8 +4448,7 @@ psa_status_t psa_sign_hash_complete(
  *                              particular, calling \c psa_sign_hash_abort()
  *                              after the operation has already been terminated
  *                              by a call to \c psa_sign_hash_abort() or
- *                              psa_sign_hash_complete() is safe and has no
- *                              effect.
+ *                              psa_sign_hash_complete() is safe.
  *
  * \param[in,out] operation     Initialized sign hash operation.
  *
@@ -4620,6 +4625,12 @@ psa_status_t psa_verify_hash_complete(
  *                            any point. It is not bound by the usual interface
  *                            stability promises.
  *
+ * \note                      This function is the only function that clears the
+ *                            number of ops completed as part of the operation.
+ *                            Please ensure you copy this value via
+ *                            \c psa_verify_hash_get_num_ops() if required
+ *                            before calling.
+ *
  * \note                      Aborting an operation frees all associated
  *                            resources except for the operation structure
  *                            itself. Once aborted, the operation object can be
@@ -4631,8 +4642,7 @@ psa_status_t psa_verify_hash_complete(
  *                            In particular, calling \c psa_verify_hash_abort()
  *                            after the operation has already been terminated by
  *                            a call to \c psa_verify_hash_abort() or
- *                            psa_verify_hash_complete() is safe and has no
- *                            effect.
+ *                            psa_verify_hash_complete() is safe.
  *
  * \param[in,out] operation   Initialized verify hash operation.
  *

From a3a8abadff79922668ffcbc649a67c4643f96f4b Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 14:49:37 +0000
Subject: [PATCH 28/70] Fix operation initialisers if no algorithms defined

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index ac065c163..800024281 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -135,8 +135,14 @@ typedef struct {
         * MBEDTLS_ECP_RESTARTABLE */
 } mbedtls_psa_sign_hash_interruptible_operation_t;
 
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
 #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \
         { 0 } }
+#else
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
 
 /* Context structure for the Mbed TLS interruptible verify hash
  * implementation.*/
@@ -165,8 +171,14 @@ typedef struct {
 
 } mbedtls_psa_verify_hash_interruptible_operation_t;
 
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
 #define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \
         { 0 } }
+#else
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
 
 
 

From 4684525ae98eec45b36f6a5324f49fe863ec5a6b Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 14:59:11 +0000
Subject: [PATCH 29/70] Remove unrequired mpis from sign operation struct

These are only used at the output stage.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h |  6 +-----
 library/psa_crypto.c                    | 23 +++++++++++------------
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index 800024281..44fa6de4c 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -123,9 +123,6 @@ typedef struct {
     const uint8_t *MBEDTLS_PRIVATE(hash);
     size_t MBEDTLS_PRIVATE(hash_length);
 
-    mbedtls_mpi MBEDTLS_PRIVATE(r);
-    mbedtls_mpi MBEDTLS_PRIVATE(s);
-
 #else
     /* Make the struct non-empty if algs not supported. */
     unsigned MBEDTLS_PRIVATE(dummy);
@@ -138,8 +135,7 @@ typedef struct {
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \
-        { 0 } }
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0 }
 #else
 #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
 #endif
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 748cb13f8..78d8702d0 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3511,9 +3511,6 @@ psa_status_t mbedtls_psa_sign_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-    mbedtls_mpi_init(&operation->r);
-    mbedtls_mpi_init(&operation->s);
-
     operation->curve_bytes = PSA_BITS_TO_BYTES(
         operation->ctx->grp.pbits);
 
@@ -3547,6 +3544,8 @@ psa_status_t mbedtls_psa_sign_hash_complete(
     size_t *signature_length)
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi r;
+    mbedtls_mpi s;
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
@@ -3556,13 +3555,16 @@ psa_status_t mbedtls_psa_sign_hash_complete(
         return PSA_ERROR_BUFFER_TOO_SMALL;
     }
 
+    mbedtls_mpi_init(&r);
+    mbedtls_mpi_init(&s);
 
     if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
         status = mbedtls_to_psa_error(
             mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
-                                               &operation->r,
-                                               &operation->s,
+                                               &r,
+                                               &s,
                                                &operation->ctx->d,
                                                operation->hash,
                                                operation->hash_length,
@@ -3577,8 +3579,8 @@ psa_status_t mbedtls_psa_sign_hash_complete(
 
         status = mbedtls_to_psa_error(
             mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
-                                           &operation->r,
-                                           &operation->s,
+                                           &r,
+                                           &s,
                                            &operation->ctx->d,
                                            operation->hash,
                                            operation->hash_length,
@@ -3593,7 +3595,7 @@ psa_status_t mbedtls_psa_sign_hash_complete(
         return status;
     } else {
         status =  mbedtls_to_psa_error(
-            mbedtls_mpi_write_binary(&operation->r,
+            mbedtls_mpi_write_binary(&r,
                                      signature,
                                      operation->curve_bytes));
 
@@ -3602,7 +3604,7 @@ psa_status_t mbedtls_psa_sign_hash_complete(
         }
 
         status =  mbedtls_to_psa_error(
-            mbedtls_mpi_write_binary(&operation->s,
+            mbedtls_mpi_write_binary(&s,
                                      signature +
                                      operation->curve_bytes,
                                      operation->curve_bytes));
@@ -3645,9 +3647,6 @@ psa_status_t mbedtls_psa_sign_hash_abort(
 
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
-    mbedtls_mpi_free(&operation->r);
-    mbedtls_mpi_free(&operation->s);
-
     return PSA_SUCCESS;
 
 #else

From 4ca521fcdb5acc9081209b3e09c2244866ec804d Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 15:02:54 +0000
Subject: [PATCH 30/70] Remove obsolete comments

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_struct.h | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index bc56a4fa6..1153b8e78 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -493,9 +493,6 @@ static inline size_t psa_get_key_bits(
 
 /**
  * \brief The context for PSA interruptible hash signing.
- *
- * \note  Contents not yet designed as implementation specific.
- *
  */
 struct psa_sign_hash_interruptible_operation_s {
     /** Unique ID indicating which driver got assigned to do the
@@ -524,9 +521,6 @@ psa_sign_hash_interruptible_operation_init(void)
 
 /**
  * \brief The context for PSA interruptible hash verification.
- *
- * \note  Contents not yet designed as implementation specific.
- *
  */
 struct psa_verify_hash_interruptible_operation_s {
     /** Unique ID indicating which driver got assigned to do the

From ab7c5c8550443b0fdf565bea1d862a41fd176cb0 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 15:49:42 +0000
Subject: [PATCH 31/70] Change incorrect define for MAX_OPS_UNLIMITED

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_values.h                 |  2 +-
 tests/suites/test_suite_psa_crypto.function | 24 +++++++++++++--------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 07e96f70b..39acd96c5 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2756,7 +2756,7 @@ static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
  *  the maximum number of ops allowed to be executed by an interruptible
  *  function in a single call.
  */
-#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX
+#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX
 
 /**@}*/
 
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 7f50e960c..7b9daaec1 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6447,7 +6447,7 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_hash_interruptible(int key_type_arg, data_t *key_data,
                              int alg_arg, data_t *input_data,
-                             data_t *output_data, int max_ops)
+                             data_t *output_data, int max_ops_arg)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6458,11 +6458,13 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
     size_t signature_length = 0xdeadbeef;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
-    size_t num_ops = 0;
+    uint32_t num_ops = 0;
+    uint32_t max_ops = max_ops_arg;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
     size_t min_completes = 0;
     size_t max_completes = 0;
+
     psa_sign_hash_interruptible_operation_t operation =
         psa_sign_hash_interruptible_operation_init();
 
@@ -6599,7 +6601,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                   int signature_size_arg,
                                   int expected_start_status_arg,
                                   int expected_complete_status_arg,
-                                  int max_ops)
+                                  int max_ops_arg)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6610,7 +6612,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     psa_status_t expected_complete_status = expected_complete_status_arg;
     unsigned char *signature = NULL;
     size_t signature_length = 0xdeadbeef;
-    size_t num_ops = 0;
+    uint32_t num_ops = 0;
+    uint32_t max_ops = max_ops_arg;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
     size_t min_completes = 0;
@@ -6779,7 +6782,7 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                     int alg_arg, data_t *input_data,
-                                    int max_ops)
+                                    int max_ops_arg)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -6790,6 +6793,7 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
     size_t signature_length = 0xdeadbeef;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
+    uint32_t max_ops = max_ops_arg;
     size_t num_completes = 0;
     size_t min_completes = 0;
     size_t max_completes = 0;
@@ -6946,14 +6950,15 @@ exit:
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
 void verify_hash_interruptible(int key_type_arg, data_t *key_data,
                                int alg_arg, data_t *hash_data,
-                               data_t *signature_data, int max_ops)
+                               data_t *signature_data, int max_ops_arg)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
     psa_algorithm_t alg = alg_arg;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_status_t status = PSA_OPERATION_INCOMPLETE;
-    size_t num_ops = 0;
+    uint32_t num_ops = 0;
+    uint32_t max_ops = max_ops_arg;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
     size_t min_completes = 0;
@@ -7068,7 +7073,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
                                     data_t *signature_data,
                                     int expected_start_status_arg,
                                     int expected_complete_status_arg,
-                                    int max_ops)
+                                    int max_ops_arg)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -7077,7 +7082,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
     psa_status_t expected_start_status = expected_start_status_arg;
     psa_status_t expected_complete_status = expected_complete_status_arg;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    size_t num_ops = 0;
+    uint32_t num_ops = 0;
+    uint32_t max_ops = max_ops_arg;
     size_t num_ops_prior = 0;
     size_t num_completes = 0;
     size_t min_completes = 0;

From e17a8fd9fd3e8a35c599656efbf86fa8af48193e Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 16:15:36 +0000
Subject: [PATCH 32/70] Remove unneeded warning from internal headers

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto_core.h | 30 ------------------------------
 1 file changed, 30 deletions(-)

diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 2f3cb6458..610d78033 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -610,9 +610,6 @@ psa_status_t psa_key_agreement_raw_builtin(
  * \brief Set the maximum number of ops allowed to be executed by an
  *        interruptible function in a single call.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       interruptible_set_max_ops entry point. This function behaves as an
  *       interruptible_set_max_ops entry point as defined in the PSA driver
@@ -630,9 +627,6 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
  * \brief Get the maximum number of ops allowed to be executed by an
  *        interruptible function in a single call.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       interruptible_get_max_ops entry point. This function behaves as an
  *       interruptible_get_max_ops entry point as defined in the PSA driver
@@ -650,9 +644,6 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void);
  *        or calling psa_sign_hash_interruptible_abort() on the operation, a
  *        value of 0 will be returned.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       sign_get_num_ops entry point. This function behaves as a
  *       sign_get_num_ops entry point as defined in the PSA driver interface
@@ -675,9 +666,6 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
  *        or calling psa_verify_hash_interruptible_abort() on the operation, a
  *        value of 0 will be returned.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       verify_get_num_ops entry point. This function behaves as a
  *       verify_get_num_ops entry point as defined in the PSA driver interface
@@ -697,9 +685,6 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops(
  * \brief  Start signing a hash or short message with a private key, in an
  *         interruptible manner.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       sign_hash_start entry point. This function behaves as a
  *       sign_hash_start entry point as defined in the PSA driver interface
@@ -738,9 +723,6 @@ psa_status_t mbedtls_psa_sign_hash_start(
  * \brief Continue and eventually complete the action of signing a hash or
  *        short message with a private key, in an interruptible manner.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       sign_hash_complete entry point. This function behaves as a
  *       sign_hash_complete entry point as defined in the PSA driver interface
@@ -786,9 +768,6 @@ psa_status_t mbedtls_psa_sign_hash_complete(
 /**
  * \brief Abort a sign hash operation.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver sign_hash_abort
  *       entry point. This function behaves as a sign_hash_abort entry point as
  *       defined in the PSA driver interface specification for transparent
@@ -808,9 +787,6 @@ psa_status_t mbedtls_psa_sign_hash_abort(
  * \brief  Start reading and verifying a hash or short message, in an
  *         interruptible manner.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       verify_hash_start entry point. This function behaves as a
  *       verify_hash_start entry point as defined in the PSA driver interface
@@ -853,9 +829,6 @@ psa_status_t mbedtls_psa_verify_hash_start(
  * \brief Continue and eventually complete the action of signing a hash or
  *        short message with a private key, in an interruptible manner.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       sign_hash_complete entry point. This function behaves as a
  *       sign_hash_complete entry point as defined in the PSA driver interface
@@ -887,9 +860,6 @@ psa_status_t mbedtls_psa_verify_hash_complete(
 /**
  * \brief Abort a verify signed hash operation.
  *
- * \warning This is a beta API, and thus subject to change at any point. It is
- *          not bound by the usual interface stability promises.
- *
  * \note The signature of this function is that of a PSA driver
  *       verify_hash_abort entry point. This function behaves as a
  *       verify_hash_abort entry point as defined in the PSA driver interface

From 096abc4dc0dd1cabf2f5f3350727e9b1b401c290 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 3 Feb 2023 18:33:23 +0000
Subject: [PATCH 33/70] Remove incorrect copied comment

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 78d8702d0..2797291dc 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3246,10 +3246,8 @@ psa_status_t psa_sign_hash_complete(
         goto exit;
     }
 
-    /* Immediately reject a zero-length signature buffer. This guarantees
-     * that signature must be a valid pointer. (On the other hand, the input
-     * buffer can in principle be empty since it doesn't actually have
-     * to be a hash.) */
+    /* Immediately reject a zero-length signature buffer. This guarantees that
+     * signature must be a valid pointer. */
     if (signature_size == 0) {
         status = PSA_ERROR_BUFFER_TOO_SMALL;
         goto exit;

From 1bc59df92c4c82f284635bbb16fb1499e746c5df Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 5 Feb 2023 13:41:57 +0000
Subject: [PATCH 34/70] Rename curve_bytes to coordinate_bytes

Also remove unneeded instance from verify operation struct.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h |  3 +--
 library/psa_crypto.c                    | 27 +++++++++++++------------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index 44fa6de4c..7122cc829 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -117,7 +117,7 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
-    size_t MBEDTLS_PRIVATE(curve_bytes);
+    size_t MBEDTLS_PRIVATE(coordinate_bytes);
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
     mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
     const uint8_t *MBEDTLS_PRIVATE(hash);
@@ -150,7 +150,6 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
-    size_t MBEDTLS_PRIVATE(curve_bytes);
     const uint8_t *MBEDTLS_PRIVATE(hash);
     size_t MBEDTLS_PRIVATE(hash_length);
 
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2797291dc..dcc6ab857 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3509,7 +3509,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-    operation->curve_bytes = PSA_BITS_TO_BYTES(
+    operation->coordinate_bytes = PSA_BITS_TO_BYTES(
         operation->ctx->grp.pbits);
 
     psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
@@ -3549,7 +3549,7 @@ psa_status_t mbedtls_psa_sign_hash_complete(
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    if (signature_size < 2 * operation->curve_bytes) {
+    if (signature_size < 2 * operation->coordinate_bytes) {
         return PSA_ERROR_BUFFER_TOO_SMALL;
     }
 
@@ -3595,7 +3595,8 @@ psa_status_t mbedtls_psa_sign_hash_complete(
         status =  mbedtls_to_psa_error(
             mbedtls_mpi_write_binary(&r,
                                      signature,
-                                     operation->curve_bytes));
+                                     operation->coordinate_bytes)
+            );
 
         if (status != PSA_SUCCESS) {
             return status;
@@ -3604,14 +3605,15 @@ psa_status_t mbedtls_psa_sign_hash_complete(
         status =  mbedtls_to_psa_error(
             mbedtls_mpi_write_binary(&s,
                                      signature +
-                                     operation->curve_bytes,
-                                     operation->curve_bytes));
+                                     operation->coordinate_bytes,
+                                     operation->coordinate_bytes)
+            );
 
         if (status != PSA_SUCCESS) {
             return status;
         }
 
-        *signature_length = operation->curve_bytes * 2;
+        *signature_length = operation->coordinate_bytes * 2;
 
         return PSA_SUCCESS;
     }
@@ -3667,6 +3669,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
     const uint8_t *signature, size_t signature_length)
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    size_t coordinate_bytes = 0;
 
     if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -3695,11 +3698,9 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return status;
     }
 
-    operation->curve_bytes = PSA_BITS_TO_BYTES(
-        operation->ctx->grp.pbits);
+    coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.pbits);
 
-
-    if (signature_length != 2 * operation->curve_bytes) {
+    if (signature_length != 2 * coordinate_bytes) {
         return PSA_ERROR_INVALID_SIGNATURE;
     }
 
@@ -3707,7 +3708,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
     status = mbedtls_to_psa_error(
         mbedtls_mpi_read_binary(&operation->r,
                                 signature,
-                                operation->curve_bytes));
+                                coordinate_bytes));
 
     if (status != PSA_SUCCESS) {
         return status;
@@ -3717,8 +3718,8 @@ psa_status_t mbedtls_psa_verify_hash_start(
     status = mbedtls_to_psa_error(
         mbedtls_mpi_read_binary(&operation->s,
                                 signature +
-                                operation->curve_bytes,
-                                operation->curve_bytes));
+                                coordinate_bytes,
+                                coordinate_bytes));
 
     if (status != PSA_SUCCESS) {
         return status;

From 813f9cdcbbf43307952ee18ce835dadc9d9b478c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 5 Feb 2023 15:28:46 +0000
Subject: [PATCH 35/70] Non ECDSA algorithms should return not supported

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c                    | 4 ++--
 tests/suites/test_suite_psa_crypto.data | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index dcc6ab857..93b404569 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3485,7 +3485,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
     }
 
     if (!PSA_ALG_IS_ECDSA(alg)) {
-        return PSA_ERROR_INVALID_ARGUMENT;
+        return PSA_ERROR_NOT_SUPPORTED;
     }
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
@@ -3676,7 +3676,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
     }
 
     if (!PSA_ALG_IS_ECDSA(alg)) {
-        return PSA_ERROR_INVALID_ARGUMENT;
+        return PSA_ERROR_NOT_SUPPORTED;
     }
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 486a54457..8981adc0b 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4263,7 +4263,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"
 
 PSA sign hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
@@ -4551,7 +4551,7 @@ verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R
 
 PSA verify hash interruptible: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256

From 0e9d6bd3f8041e86a77d3b592bc730e18ca37f93 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 5 Feb 2023 15:32:53 +0000
Subject: [PATCH 36/70] Replace MBEDTLS_ECP_DP_SECP384R1_ENABLED

With more appropriate PSA_WANT_ECC_SECP_R1_384

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 8981adc0b..ccee39b6f 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4230,7 +4230,7 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT
 
 PSA sign hash: deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
@@ -4266,15 +4266,15 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible: ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw

From f9c91a7fb5766cdb5b85a6dc3292c155e8309c26 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 5 Feb 2023 18:06:38 +0000
Subject: [PATCH 37/70] Store the hash, rather than the pointer

For sign and verify, the pointer passed in to the hash is not guaranteed to
remain valid inbetween calls, thus we need to store the hash in the
operation. Added a test to ensure this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h     |  4 +--
 library/psa_crypto.c                        | 24 +++++++++++--
 library/psa_crypto_core.h                   |  6 ++--
 tests/suites/test_suite_psa_crypto.function | 40 +++++++++++++++++++++
 4 files changed, 68 insertions(+), 6 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index 7122cc829..ba3d25302 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -120,7 +120,7 @@ typedef struct {
     size_t MBEDTLS_PRIVATE(coordinate_bytes);
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
     mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
-    const uint8_t *MBEDTLS_PRIVATE(hash);
+    uint8_t *MBEDTLS_PRIVATE(hash);
     size_t MBEDTLS_PRIVATE(hash_length);
 
 #else
@@ -150,7 +150,7 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
-    const uint8_t *MBEDTLS_PRIVATE(hash);
+    uint8_t *MBEDTLS_PRIVATE(hash);
     size_t MBEDTLS_PRIVATE(hash_length);
 
     mbedtls_mpi MBEDTLS_PRIVATE(r);
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 93b404569..a3bc80698 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3516,7 +3516,13 @@ psa_status_t mbedtls_psa_sign_hash_start(
     operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
     operation->alg = alg;
 
-    operation->hash = hash;
+    operation->hash = mbedtls_calloc(1, hash_length);
+
+    if (operation->hash == NULL) {
+        return PSA_ERROR_INSUFFICIENT_MEMORY;
+    }
+
+    memcpy(operation->hash, hash, hash_length);
     operation->hash_length = hash_length;
 
     return PSA_SUCCESS;
@@ -3643,8 +3649,12 @@ psa_status_t mbedtls_psa_sign_hash_abort(
     if (operation->ctx) {
         mbedtls_ecdsa_free(operation->ctx);
         mbedtls_free(operation->ctx);
+        operation->ctx = NULL;
     }
 
+    mbedtls_free(operation->hash);
+    operation->hash = NULL;
+
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
     return PSA_SUCCESS;
@@ -3743,7 +3753,13 @@ psa_status_t mbedtls_psa_verify_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-    operation->hash = hash;
+    operation->hash = mbedtls_calloc(1, hash_length);
+
+    if (operation->hash == NULL) {
+        return PSA_ERROR_INSUFFICIENT_MEMORY;
+    }
+
+    memcpy(operation->hash, hash, hash_length);
     operation->hash_length = hash_length;
 
     return PSA_SUCCESS;
@@ -3802,8 +3818,12 @@ psa_status_t mbedtls_psa_verify_hash_abort(
     if (operation->ctx) {
         mbedtls_ecdsa_free(operation->ctx);
         mbedtls_free(operation->ctx);
+        operation->ctx = NULL;
     }
 
+    mbedtls_free(operation->hash);
+    operation->hash = NULL;
+
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
     mbedtls_mpi_free(&operation->r);
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 610d78033..f74db7088 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -711,7 +711,8 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops(
  * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
  *         are currently supported, or the key type is currently unsupported.
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- *         There was insufficient memory to load the key representation.
+ *         There was insufficient memory either to load the key representation,
+ *         or to store the hash.
  */
 psa_status_t mbedtls_psa_sign_hash_start(
     mbedtls_psa_sign_hash_interruptible_operation_t *operation,
@@ -815,7 +816,8 @@ psa_status_t mbedtls_psa_sign_hash_abort(
  *        Either no internal interruptible operations are currently supported,
  *         or the key type is currently unsupported.
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- *        There was insufficient memory to load the key representation.
+ *        There was insufficient memory either to load the key representation,
+ *        or to store the hash.
  */
 psa_status_t mbedtls_psa_verify_hash_start(
     mbedtls_psa_verify_hash_interruptible_operation_t *operation,
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 7b9daaec1..f050abfa4 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7174,6 +7174,7 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
     size_t signature_size;
     size_t signature_length = 0xdeadbeef;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    uint8_t *input_buffer = NULL;
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
     psa_verify_hash_interruptible_operation_t verify_operation =
@@ -7351,6 +7352,45 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
 
+    /* Trash the hash buffer in between start and complete, to ensure
+     * no reliance on external buffers. */
+    psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    input_buffer = mbedtls_calloc(1, input_data->len);
+    TEST_ASSERT(input_buffer != NULL);
+
+    memcpy(input_buffer, input_data->x, input_data->len);
+
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_buffer, input_data->len));
+
+    memset(input_buffer, '!', input_data->len);
+    mbedtls_free(input_buffer);
+    input_buffer = NULL;
+
+    PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+                                      signature_size,
+                                      &signature_length));
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    input_buffer = mbedtls_calloc(1, input_data->len);
+    TEST_ASSERT(input_buffer != NULL);
+
+    memcpy(input_buffer, input_data->x, input_data->len);
+
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_buffer, input_data->len,
+                                     signature, signature_length));
+
+    memset(input_buffer, '!', input_data->len);
+    mbedtls_free(input_buffer);
+    input_buffer = NULL;
+
+    PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
 exit:
     /*
      * Key attributes may have been returned by psa_get_key_attributes()

From c9774411d4b90d32b6f0821aca4d53dec461f8c4 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 6 Feb 2023 15:14:07 +0000
Subject: [PATCH 38/70] Ensure that operation is put into error state if error
 occurs

If an error occurs, calling any function on the same operation should return
PSA_ERROR_BAD_STATE, and we were not honouring that for all errors. Add extra
failure tests to try and ratify this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_struct.h                 |  8 +++-
 library/psa_crypto.c                        | 51 ++++++++++++++++-----
 tests/suites/test_suite_psa_crypto.function | 44 ++++++++++++++----
 3 files changed, 79 insertions(+), 24 deletions(-)

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 1153b8e78..934bc176e 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -505,10 +505,12 @@ struct psa_sign_hash_interruptible_operation_s {
 
     psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
 
+    unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
     uint32_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
 
 static inline struct psa_sign_hash_interruptible_operation_s
 psa_sign_hash_interruptible_operation_init(void)
@@ -533,10 +535,12 @@ struct psa_verify_hash_interruptible_operation_s {
 
     psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
 
+    unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
     uint32_t MBEDTLS_PRIVATE(num_ops);
 };
 
-#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 }
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
 
 static inline struct psa_verify_hash_interruptible_operation_s
 psa_verify_hash_interruptible_operation_init(void)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a3bc80698..882cb968f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3183,14 +3183,15 @@ psa_status_t psa_sign_hash_start(
     psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_slot_t *slot;
 
-    /* Check that start has not been previously called. */
-    if (operation->id != 0) {
+    /* Check that start has not been previously called, or operation has not
+     * previously errored. */
+    if (operation->id != 0 || operation->error_occurred) {
         return PSA_ERROR_BAD_STATE;
     }
 
-
     status = psa_sign_verify_check_alg(0, alg);
     if (status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
         return status;
     }
 
@@ -3221,13 +3222,17 @@ psa_status_t psa_sign_hash_start(
 exit:
 
     if (status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
         psa_sign_hash_abort_internal(operation);
     }
 
     unlock_status = psa_unlock_key_slot(slot);
 
-    return (status == PSA_SUCCESS) ? unlock_status : status;
+    if (unlock_status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
+    }
 
+    return (status == PSA_SUCCESS) ? unlock_status : status;
 }
 
 
@@ -3240,8 +3245,9 @@ psa_status_t psa_sign_hash_complete(
 
     *signature_length = 0;
 
-    /* Check that start has been called first. */
-    if (operation->id == 0) {
+    /* Check that start has been called first, and that operation has not
+     * previously errored. */
+    if (operation->id == 0 || operation->error_occurred) {
         status = PSA_ERROR_BAD_STATE;
         goto exit;
     }
@@ -3276,6 +3282,10 @@ exit:
         /* If signature_size is 0 then we have nothing to do. We must not
          * call memset because signature may be NULL in this case.*/
 
+        if (status != PSA_SUCCESS) {
+            operation->error_occurred = 1;
+        }
+
         psa_sign_hash_abort_internal(operation);
     }
 
@@ -3293,6 +3303,9 @@ psa_status_t psa_sign_hash_abort(
      * the operation fails or succeeds, only on manual abort. */
     operation->num_ops = 0;
 
+    /* Likewise, failure state. */
+    operation->error_occurred = 0;
+
     return status;
 }
 
@@ -3325,13 +3338,15 @@ psa_status_t psa_verify_hash_start(
     psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_slot_t *slot;
 
-    /* Check that start has not been previously called. */
-    if (operation->id != 0) {
+    /* Check that start has not been previously called, or operation has not
+     * previously errored. */
+    if (operation->id != 0 || operation->error_occurred) {
         return PSA_ERROR_BAD_STATE;
     }
 
     status = psa_sign_verify_check_alg(0, alg);
     if (status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
         return status;
     }
 
@@ -3340,6 +3355,7 @@ psa_status_t psa_verify_hash_start(
                                                    alg);
 
     if (status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
         return status;
     }
 
@@ -3357,14 +3373,17 @@ psa_status_t psa_verify_hash_start(
                                                   signature, signature_length);
 
     if (status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
         psa_verify_hash_abort_internal(operation);
     }
 
     unlock_status = psa_unlock_key_slot(slot);
 
-    return (status == PSA_SUCCESS) ? unlock_status : status;
+    if (unlock_status != PSA_SUCCESS) {
+        operation->error_occurred = 1;
+    }
 
-    return status;
+    return (status == PSA_SUCCESS) ? unlock_status : status;
 }
 
 psa_status_t psa_verify_hash_complete(
@@ -3372,8 +3391,9 @@ psa_status_t psa_verify_hash_complete(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
-    /* Check that start has been called first. */
-    if (operation->id == 0) {
+    /* Check that start has been called first, and that operation has not
+     * previously errored. */
+    if (operation->id == 0 || operation->error_occurred) {
         status = PSA_ERROR_BAD_STATE;
         goto exit;
     }
@@ -3387,6 +3407,10 @@ exit:
         operation);
 
     if (status != PSA_OPERATION_INCOMPLETE) {
+        if (status != PSA_SUCCESS) {
+            operation->error_occurred = 1;
+        }
+
         psa_verify_hash_abort_internal(operation);
     }
 
@@ -3404,6 +3428,9 @@ psa_status_t psa_verify_hash_abort(
      * the operation fails or succeeds, only on manual abort. */
     operation->num_ops = 0;
 
+    /* Likewise, failure state. */
+    operation->error_occurred = 0;
+
     return status;
 }
 
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index f050abfa4..bee923229 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6659,6 +6659,13 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     TEST_EQUAL(actual_status, expected_start_status);
 
+    if (expected_start_status != PSA_SUCCESS) {
+        actual_status = psa_sign_hash_start(&operation, key, alg,
+                                            input_data->x, input_data->len);
+
+        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+    }
+
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -6679,12 +6686,14 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         }
     } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
-    /* If the psa_sign_hash_start() failed, psa_sign_hash_complete()
-     * should also fail with bad state. */
-    if (expected_start_status != PSA_SUCCESS) {
+    TEST_EQUAL(actual_status, expected_complete_status);
+
+    if (expected_complete_status != PSA_SUCCESS) {
+        actual_status = psa_sign_hash_complete(&operation, signature,
+                                               signature_size,
+                                               &signature_length);
+
         TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-    } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
-        TEST_EQUAL(actual_status, expected_complete_status);
     }
 
     PSA_ASSERT(psa_sign_hash_abort(&operation));
@@ -7121,6 +7130,15 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     TEST_EQUAL(actual_status, expected_start_status);
 
+    if (expected_start_status != PSA_SUCCESS) {
+        actual_status = psa_verify_hash_start(&operation, key, alg,
+                                              hash_data->x, hash_data->len,
+                                              signature_data->x,
+                                              signature_data->len);
+
+        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+    }
+
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
 
@@ -7139,12 +7157,12 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         }
     } while (actual_status == PSA_OPERATION_INCOMPLETE);
 
-    /* If the psa_verify_hash_start() failed,
-     * psa_verify_hash_complete() should also fail with bad state.*/
-    if (expected_start_status != PSA_SUCCESS) {
+    TEST_EQUAL(actual_status, expected_complete_status);
+
+    if (expected_complete_status != PSA_SUCCESS) {
+        actual_status = psa_verify_hash_complete(&operation);
+
         TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-    } else if (actual_status != PSA_OPERATION_INCOMPLETE) {
-        TEST_EQUAL(actual_status, expected_complete_status);
     }
 
     TEST_LE_U(min_completes, num_completes);
@@ -7350,6 +7368,12 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
                                       &signature_length),
                PSA_ERROR_BUFFER_TOO_SMALL);
 
+    /* And test that this invalidates the operation. */
+    TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+                                      0,
+                                      &signature_length),
+               PSA_ERROR_BAD_STATE);
+
     PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
 
     /* Trash the hash buffer in between start and complete, to ensure

From eefe47292ca04717ffca05e3b6abbc5429cc96c9 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 6 Feb 2023 15:59:09 +0000
Subject: [PATCH 39/70] Move loading of public part of ECP into function

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c     | 16 +++-------------
 library/psa_crypto_ecp.c | 23 +++++++++++++++++------
 library/psa_crypto_ecp.h |  9 +++++++++
 3 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 882cb968f..62828bdb4 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3762,20 +3762,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return status;
     }
 
-    /* Check whether the public part is loaded. If not, load it. */
-    if (mbedtls_ecp_is_zero(&operation->ctx->Q)) {
-        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int ret = mbedtls_psa_ecp_load_public_part(operation->ctx);
 
-        ret = mbedtls_ecp_mul(&operation->ctx->grp,
-                              &operation->ctx->Q,
-                              &operation->ctx->d,
-                              &operation->ctx->grp.G,
-                              mbedtls_psa_get_random,
-                              MBEDTLS_PSA_RANDOM_STATE);
-
-        if (ret != 0) {
-            return mbedtls_to_psa_error(ret);
-        }
+    if (ret != 0) {
+        return mbedtls_to_psa_error(ret);
     }
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index c4ccefd75..cc80f2776 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -404,6 +404,21 @@ cleanup:
     return mbedtls_to_psa_error(ret);
 }
 
+int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+{
+    int ret = 0;
+
+    /* Check whether the public part is loaded. If not, load it. */
+    if (mbedtls_ecp_is_zero(&ecp->Q)) {
+        ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
+                              &ecp->d, &ecp->grp.G,
+                              mbedtls_psa_get_random,
+                              MBEDTLS_PSA_RANDOM_STATE);
+    }
+
+    return ret;
+}
+
 psa_status_t mbedtls_psa_ecdsa_verify_hash(
     const psa_key_attributes_t *attributes,
     const uint8_t *key_buffer, size_t key_buffer_size,
@@ -443,12 +458,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
                                             signature + curve_bytes,
                                             curve_bytes));
 
-    /* Check whether the public part is loaded. If not, load it. */
-    if (mbedtls_ecp_is_zero(&ecp->Q)) {
-        MBEDTLS_MPI_CHK(
-            mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
-                            mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
-    }
+    MBEDTLS_MPI_CHK(mbedtls_psa_ecp_load_public_part(ecp));
+
 
     ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
                                &ecp->Q, &r, &s);
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
index 71f9d6acc..8b567fe3b 100644
--- a/library/psa_crypto_ecp.h
+++ b/library/psa_crypto_ecp.h
@@ -48,6 +48,15 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
                                                  size_t data_length,
                                                  mbedtls_ecp_keypair **p_ecp);
 
+/** Load the public part of an internal ECP, if required.
+ *
+ * \param ecp               The ECP context to load the public part for.
+ *
+ * \return 0 on success, otherwise an MPI error.
+ */
+
+int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+
 /** Import an ECP key in binary format.
  *
  * \note The signature of this function is that of a PSA driver

From 6f60037589394947ebc08bfc3030231b2e08cd66 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Mon, 6 Feb 2023 18:41:05 +0000
Subject: [PATCH 40/70] Move {min|max}_complete choice logic into function

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 80 ++++++++++-----------
 1 file changed, 39 insertions(+), 41 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index bee923229..a1b3c902b 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1220,6 +1220,31 @@ typedef enum {
     INJECT_ANTICIPATE_KEY_DERIVATION_2,
 } ecjpake_injected_failure_t;
 
+static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
+                                                          psa_status_t expected_status,
+                                                          size_t *min_completes,
+                                                          size_t *max_completes)
+{
+
+    /* This is slightly contrived, but we only really know that with a minimum
+       value of max_ops that a successful operation should take more than one op
+       to complete, and likewise that with a max_ops of
+       PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
+    if (max_ops == 0 || max_ops == 1) {
+        /* Failure test cases will fail on the first op. */
+        if (expected_status == PSA_SUCCESS) {
+            *min_completes = 2;
+        } else {
+            *min_completes = 1;
+        }
+
+        *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+    } else {
+        *min_completes = 1;
+        *max_completes = 1;
+    }
+}
+
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -6489,13 +6514,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
-    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
-        min_completes = 1;
-        max_completes = 1;
-    } else {
-        min_completes = 2;
-        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-    }
+    interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+                                                  &min_completes, &max_completes);
 
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
@@ -6636,19 +6656,10 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
-    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
-        min_completes = 1;
-        max_completes = 1;
-    } else {
-        /* Unfortunate, but failure cases tend to fail on the first op. */
-        if (expected_complete_status == PSA_SUCCESS) {
-            min_completes = 2;
-        } else {
-            min_completes = 1;
-        }
-
-        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-    }
+    interruptible_signverify_get_minmax_completes(max_ops,
+                                                  expected_complete_status,
+                                                  &min_completes,
+                                                  &max_completes);
 
     num_ops_prior = psa_sign_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);
@@ -6834,13 +6845,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
-    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
-        min_completes = 1;
-        max_completes = 1;
-    } else {
-        min_completes = 2;
-        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-    }
+    interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+                                                  &min_completes, &max_completes);
 
     /* Start performing the signature. */
     PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
@@ -6989,13 +6995,8 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
-    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
-        min_completes = 1;
-        max_completes = 1;
-    } else {
-        min_completes = 2;
-        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-    }
+    interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+                                                  &min_completes, &max_completes);
 
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
 
@@ -7111,13 +7112,10 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     psa_interruptible_set_max_ops(max_ops);
 
-    if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) {
-        min_completes = 1;
-        max_completes = 1;
-    } else {
-        min_completes = 2;
-        max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-    }
+    interruptible_signverify_get_minmax_completes(max_ops,
+                                                  expected_complete_status,
+                                                  &min_completes,
+                                                  &max_completes);
 
     num_ops_prior = psa_verify_hash_get_num_ops(&operation);
     TEST_ASSERT(num_ops_prior == 0);

From 1243f93ccaeb1b4b41e67cbb89af42270de4969e Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 11:21:10 +0000
Subject: [PATCH 41/70] Fix build fails with non ECDSA / restartable builds

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c                        | 6 ++++--
 tests/suites/test_suite_psa_crypto.function | 7 +++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 62828bdb4..b8abfd09e 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3575,13 +3575,14 @@ psa_status_t mbedtls_psa_sign_hash_complete(
     size_t *signature_length)
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-    mbedtls_mpi r;
-    mbedtls_mpi s;
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
+    mbedtls_mpi r;
+    mbedtls_mpi s;
+
     if (signature_size < 2 * operation->coordinate_bytes) {
         return PSA_ERROR_BUFFER_TOO_SMALL;
     }
@@ -3790,6 +3791,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
     (void) signature;
     (void) signature_length;
     (void) status;
+    (void) coordinate_bytes;
 
     return PSA_ERROR_NOT_SUPPORTED;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index a1b3c902b..7ad856924 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1220,6 +1220,10 @@ typedef enum {
     INJECT_ANTICIPATE_KEY_DERIVATION_2,
 } ecjpake_injected_failure_t;
 
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+    defined(MBEDTLS_ECP_RESTARTABLE)
+
 static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
                                                           psa_status_t expected_status,
                                                           size_t *min_completes,
@@ -1244,6 +1248,9 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
         *max_completes = 1;
     }
 }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
 
 /* END_HEADER */
 

From 939bd9485d2051fb816902c007c5d34e4739ca6c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 12:15:24 +0000
Subject: [PATCH 42/70] Move output buffer wiping code to seperate function.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 60 ++++++++++++++++++++++++++------------------
 1 file changed, 35 insertions(+), 25 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index b8abfd09e..d3ac4ce61 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2683,6 +2683,37 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message,
     return PSA_SUCCESS;
 }
 
+/**
+ * \brief                       Fill the unused part of the output buffer(the
+ *                              whole buffer on error, the trailing part on
+ *                              success) with something that isn't a valid
+ *                              signature (barring an attack on the signature
+ *                              and deliberately-crafted input), in case the
+ *                              caller doesn't check the return status properly.
+ *
+ * \param output_buffer         pointer to buffer to wipe. May not be NULL
+ *                              unless /p output_buffer_size is zero.
+ * \param status                status of function called to generate
+ *                              output_buffer originally
+ * \param output_buffer_size    Size of output buffer. If zero, /p output_buffer
+ *                              could be NULL
+ * \param output_buffer_length  Length of data written to output_buffer, must be
+ *                              less than /p output_buffer_size
+ */
+static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status,
+                                   size_t output_buffer_size, size_t output_buffer_length)
+{
+    if (status == PSA_SUCCESS) {
+        memset(output_buffer + output_buffer_length, '!',
+               output_buffer_size - output_buffer_length);
+    } else if (output_buffer_size > 0) {
+        memset(output_buffer, '!', output_buffer_size);
+    }
+    /* If output_buffer_size is 0 then we have nothing to do. We must
+     * not call memset because output_buffer may be NULL in this
+     * case.*/
+}
+
 static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
                                       int input_is_message,
                                       psa_algorithm_t alg,
@@ -2745,18 +2776,8 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
 
 
 exit:
-    /* Fill the unused part of the output buffer (the whole buffer on error,
-     * the trailing part on success) with something that isn't a valid signature
-     * (barring an attack on the signature and deliberately-crafted input),
-     * in case the caller doesn't check the return status properly. */
-    if (status == PSA_SUCCESS) {
-        memset(signature + *signature_length, '!',
-               signature_size - *signature_length);
-    } else {
-        memset(signature, '!', signature_size);
-    }
-    /* If signature_size is 0 then we have nothing to do. We must not call
-     * memset because signature may be NULL in this case. */
+    psa_wipe_output_buffer(signature, status, signature_size,
+                           *signature_length);
 
     unlock_status = psa_unlock_key_slot(slot);
 
@@ -3268,19 +3289,8 @@ exit:
     operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation);
 
     if (status != PSA_OPERATION_INCOMPLETE) {
-        /* Fill the unused part of the output buffer (the whole buffer on error,
-         * the trailing part on success) with something that isn't a valid
-         * signature (barring an attack on the signature and
-         * deliberately-crafted input), in case the caller doesn't check the
-         * return status properly.*/
-        if (status == PSA_SUCCESS) {
-            memset(signature + *signature_length, '!',
-                   signature_size - *signature_length);
-        } else if (signature_size > 0) {
-            memset(signature, '!', signature_size);
-        }
-        /* If signature_size is 0 then we have nothing to do. We must not
-         * call memset because signature may be NULL in this case.*/
+        psa_wipe_output_buffer(signature, status, signature_size,
+                               *signature_length);
 
         if (status != PSA_SUCCESS) {
             operation->error_occurred = 1;

From de1114c8830cb86ecf1e1dba6d4bb19af969cf73 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 12:43:11 +0000
Subject: [PATCH 43/70] Fix {sign|verify}_get_num_ops

Move the obfuscation of the internal library only returning a delta of ops done
into the driver wrapper, thus meaning driver wrapper and API call both return
absolute values of work done. Document the differences at the internal
implementation level.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c                          |  4 +-
 library/psa_crypto_core.h                     | 40 +++++++++----------
 .../psa_crypto_driver_wrappers.c.jinja        | 12 +++++-
 3 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index d3ac4ce61..419be1649 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3286,7 +3286,7 @@ psa_status_t psa_sign_hash_complete(
 exit:
 
     /* Update ops count with work done. */
-    operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation);
+    operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
 
     if (status != PSA_OPERATION_INCOMPLETE) {
         psa_wipe_output_buffer(signature, status, signature_size,
@@ -3413,7 +3413,7 @@ psa_status_t psa_verify_hash_complete(
 exit:
 
     /* Update ops count with work done. */
-    operation->num_ops += psa_driver_wrapper_verify_hash_get_num_ops(
+    operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
         operation);
 
     if (status != PSA_OPERATION_INCOMPLETE) {
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index f74db7088..a00728918 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -638,45 +638,45 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
 uint32_t mbedtls_psa_interruptible_get_max_ops(void);
 
 /**
- * \brief Get the number of ops that a hash signing operation has taken so
- *        far. If the operation has completed, then this will represent the
- *        number of ops required for the entire operation. After initialization
- *        or calling psa_sign_hash_interruptible_abort() on the operation, a
- *        value of 0 will be returned.
+ * \brief Get the number of ops that a hash signing operation has taken for the
+ *        previous call. If no call or work has taken place, this will return
+ *        zero.
  *
  * \note The signature of this function is that of a PSA driver
- *       sign_get_num_ops entry point. This function behaves as a
- *       sign_get_num_ops entry point as defined in the PSA driver interface
- *       specification for transparent drivers.
+ *       sign_get_num_ops entry point, however it differs in behaviour from the
+ *       driver function in that this function returns a delta of work done in
+ *       the last call rather than all of the ops done ever by the whole
+ *       operation, due to internal implementation differences.
  *
  * \param[in]  operation        The \c
  *                              mbedtls_psa_sign_hash_interruptible_operation_t
  *                              to use. This must be initialized first.
  *
- * \return                      Number of ops that the operation has taken so
- *                              far.
+ * \return                      Number of ops that were completed
+ *                              in the last call to \c
+ *                              mbedtls_psa_sign_hash_complete().
  */
 uint32_t mbedtls_psa_sign_hash_get_num_ops(
     const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
 
 /**
- * \brief Get the number of ops that a hash verification operation has taken
- *        so far. If the operation has completed, then this will represent the
- *        number of ops required for the entire operation. After initialization
- *        or calling psa_verify_hash_interruptible_abort() on the operation, a
- *        value of 0 will be returned.
+ * \brief Get the number of ops that a hash verification operation has taken for
+ *        the previous call. If no call or work has taken place, this will
+ *        return zero.
  *
  * \note The signature of this function is that of a PSA driver
- *       verify_get_num_ops entry point. This function behaves as a
- *       verify_get_num_ops entry point as defined in the PSA driver interface
- *       specification for transparent drivers.
+ *       verify_get_num_ops entry point however it differs in behaviour from the
+ *       driver function in that this function returns a delta of work done in
+ *       the last call rather than all of the ops done ever by the whole
+ *       operation, due to internal implementation differences.
  *
  * \param[in]  operation        The \c
  *                              mbedtls_psa_verify_hash_interruptible_operation_t
  *                              to use. This must be initialized first.
  *
- * \return                      Number of ops that the operation has taken so
- *                              far.
+ * \return                      Number of ops that were completed
+ *                              in the last call to \c
+ *                              mbedtls_psa_verify_hash_complete().
  */
 uint32_t mbedtls_psa_verify_hash_get_num_ops(
     const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index 2b2b02571..fba899033 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -453,7 +453,11 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
             return 0;
 
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
-            return( mbedtls_psa_sign_hash_get_num_ops(
+            /* Internal implementation returns a delta of ops completed in the
+             * last call to complete(), so need to add in ops already completed
+             * before this.*/
+            return( operation->num_ops +
+                    mbedtls_psa_sign_hash_get_num_ops(
                                                 &operation->ctx.mbedtls_ctx )
                   );
 
@@ -478,7 +482,11 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
             return 0;
 
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
-            return( mbedtls_psa_verify_hash_get_num_ops(
+            /* Internal implementation returns a delta of ops completed in the
+             * last call to complete(), so need to add in ops already completed
+             * before this.*/
+            return ( operation->num_ops +
+                     mbedtls_psa_verify_hash_get_num_ops(
                                                 &operation->ctx.mbedtls_ctx )
                     );
 

From e6145dc47fdcbaf51428cf5b5bba42eae20995af Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 12:51:21 +0000
Subject: [PATCH 44/70] Add documentation comment to internal abort functions

Explain the reasoning behind not clearing some variables.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 419be1649..97edc15a4 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3192,6 +3192,10 @@ static psa_status_t psa_sign_hash_abort_internal(
 
     operation->id = 0;
 
+    /* Do not clear either the error_occurred or num_ops elements here as they
+     * only want to be cleared by the application calling abort, not by abort
+     * being called at completion of an operation. */
+
     return status;
 }
 
@@ -3335,6 +3339,10 @@ static psa_status_t psa_verify_hash_abort_internal(
 
     operation->id = 0;
 
+    /* Do not clear either the error_occurred or num_ops elements here as they
+     * only want to be cleared by the application calling abort, not by abort
+     * being called at completion of an operation. */
+
     return status;
 }
 

From b830b35fb1b743db4292a732bbc5e12b375c53c1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 15:30:41 +0000
Subject: [PATCH 45/70] Shorten test descriptions.

Also mark some tests as being deterministic ECDSA where this was lacking.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 80 ++++++++++++-------------
 1 file changed, 40 insertions(+), 40 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index ccee39b6f..b44fb2e6d 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,27 +4145,27 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
 
-PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256
+PSA sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256
+PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1
 
-PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384
+PSA sgn hash int (ops=inf) det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384
+PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1
 
-PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256
+PSA sign hash int (ops=inf): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256
+PSA sign hash int (ops=min): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1
 
@@ -4233,47 +4233,47 @@ PSA sign hash: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
 
-PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
+PSA Sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small
+PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
-PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+PSA sgn hash int(ops=inf): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
-PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
+PSA sgn hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0)
+PSA sgn hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1
 
-PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard)
+PSA sgn hash int: det ECDSA SECP256R1, invld hash alg (wildcard)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible: invalid algorithm for ECC key
+PSA sgn hash int: invld alg for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible: ECDSA not supported
+PSA sgn hash int: ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported
+PSA sgn hash int (ops=inf): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported
+PSA sgn hash int (ops=min): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
 
@@ -4317,51 +4317,51 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
-PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256
+PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256
+PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256
+PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256
+PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384
+PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384
+PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
-PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384
+PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384
+PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
-PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256
+PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256
+PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256
+PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256
+PSA sgn/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
@@ -4485,11 +4485,11 @@ PSA verify hash with keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
 
-PSA verify hash interruptible: ECDSA SECP256R1, good
+PSA vrfy hash int: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible with keypair: ECDSA SECP256R1, good
+PSA vrfy hash int w/keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
@@ -4521,39 +4521,39 @@ PSA verify hash: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
+PSA vrfy hash int: ECDSA SECP256R1, wrng sig size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size
+PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrng sig of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size
+PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrng sig of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty)
+PSA vrfy hash int: ECDSA SECP256R1, wrng sig (empty)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated)
+PSA vrfy hash int: ECDSA SECP256R1, wrng sig (truncated)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk)
+PSA vrfy hash int: ECDSA SECP256R1, wrng sig (trailing junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk)
+PSA vrfy hash int: ECDSA SECP256R1, wrng sig (leading junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA verify hash interruptible: invalid algorithm for ECC key
+PSA vrfy hash int: invld alg for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256
+PSA int hash state test: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 

From 84329464d51693574367baceeed567224e29dfeb Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 17:32:04 +0000
Subject: [PATCH 46/70] Replace allocated hash buffer with array

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h |  4 ++--
 library/psa_crypto.c                    | 18 ------------------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index ba3d25302..2ba913398 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -120,7 +120,7 @@ typedef struct {
     size_t MBEDTLS_PRIVATE(coordinate_bytes);
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
     mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
-    uint8_t *MBEDTLS_PRIVATE(hash);
+    uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
     size_t MBEDTLS_PRIVATE(hash_length);
 
 #else
@@ -150,7 +150,7 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
-    uint8_t *MBEDTLS_PRIVATE(hash);
+    uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
     size_t MBEDTLS_PRIVATE(hash_length);
 
     mbedtls_mpi MBEDTLS_PRIVATE(r);
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 97edc15a4..ab52918cd 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3561,12 +3561,6 @@ psa_status_t mbedtls_psa_sign_hash_start(
     operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
     operation->alg = alg;
 
-    operation->hash = mbedtls_calloc(1, hash_length);
-
-    if (operation->hash == NULL) {
-        return PSA_ERROR_INSUFFICIENT_MEMORY;
-    }
-
     memcpy(operation->hash, hash, hash_length);
     operation->hash_length = hash_length;
 
@@ -3698,9 +3692,6 @@ psa_status_t mbedtls_psa_sign_hash_abort(
         operation->ctx = NULL;
     }
 
-    mbedtls_free(operation->hash);
-    operation->hash = NULL;
-
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
     return PSA_SUCCESS;
@@ -3789,12 +3780,6 @@ psa_status_t mbedtls_psa_verify_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-    operation->hash = mbedtls_calloc(1, hash_length);
-
-    if (operation->hash == NULL) {
-        return PSA_ERROR_INSUFFICIENT_MEMORY;
-    }
-
     memcpy(operation->hash, hash, hash_length);
     operation->hash_length = hash_length;
 
@@ -3858,9 +3843,6 @@ psa_status_t mbedtls_psa_verify_hash_abort(
         operation->ctx = NULL;
     }
 
-    mbedtls_free(operation->hash);
-    operation->hash = NULL;
-
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
     mbedtls_mpi_free(&operation->r);

From 76d671ad731143b3e0f4187bf885c87a48ce9936 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 17:45:18 +0000
Subject: [PATCH 47/70] Split state tests into two functions

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     |  8 ++-
 tests/suites/test_suite_psa_crypto.function | 57 +++++++++++++++++++--
 2 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index b44fb2e6d..c1f4e4866 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4553,9 +4553,13 @@ PSA vrfy hash int: invld alg for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA int hash state test: randomized ECDSA SECP256R1 SHA-256
+PSA sgn/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
-hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
 PSA sign message: RSA PKCS#1 v1.5 SHA-256
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 7ad856924..471f42676 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7186,8 +7186,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
-void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
-                                   int alg_arg, data_t *input_data)
+void interruptible_signverify_hash_state_test(int key_type_arg,
+                                              data_t *key_data, int alg_arg, data_t *input_data)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_type_t key_type = key_type_arg;
@@ -7197,7 +7197,6 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
     size_t signature_size;
     size_t signature_length = 0xdeadbeef;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    uint8_t *input_buffer = NULL;
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
     psa_verify_hash_interruptible_operation_t verify_operation =
@@ -7320,6 +7319,57 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data,
 
     PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
 
+exit:
+    /*
+     * Key attributes may have been returned by psa_get_key_attributes()
+     * thus reset them as required.
+     */
+    psa_reset_key_attributes(&attributes);
+
+    psa_destroy_key(key);
+    mbedtls_free(signature);
+    PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void interruptible_signverify_hash_negative_tests(int key_type_arg,
+                                                  data_t *key_data, int alg_arg, data_t *input_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t key_bits;
+    unsigned char *signature = NULL;
+    size_t signature_size;
+    size_t signature_length = 0xdeadbeef;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    uint8_t *input_buffer = NULL;
+    psa_sign_hash_interruptible_operation_t sign_operation =
+        psa_sign_hash_interruptible_operation_init();
+    psa_verify_hash_interruptible_operation_t verify_operation =
+        psa_verify_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+                            PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+    PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+    key_bits = psa_get_key_bits(&attributes);
+
+    /* Allocate a buffer which has the size advertised by the
+     * library. */
+    signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+                                          key_bits, alg);
+    TEST_ASSERT(signature_size != 0);
+    TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+    ASSERT_ALLOC(signature, signature_size);
+
     /* --- Ensure changing the max ops mid operation works (operation should
      *     complete successfully after setting max ops to unlimited --- */
     psa_interruptible_set_max_ops(1);
@@ -7433,6 +7483,7 @@ exit:
 }
 /* END_CASE */
 
+
 /* BEGIN_CASE */
 void sign_message_deterministic(int key_type_arg,
                                 data_t *key_data,

From a4cb909fcd218639a5fa16fcb33d6a1096cbbece Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 18:01:55 +0000
Subject: [PATCH 48/70] Add max ops tests

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data     |  4 ++
 tests/suites/test_suite_psa_crypto.function | 48 +++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c1f4e4866..9511d1f5c 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4561,6 +4561,10 @@ PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
+PSA sgn/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
 PSA sign message: RSA PKCS#1 v1.5 SHA-256
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
 sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 471f42676..5f6aa42d5 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7483,6 +7483,54 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void interruptible_signverify_hash_maxops_tests(int key_type_arg,
+                                                data_t *key_data, int alg_arg, data_t *input_data)
+{
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_type_t key_type = key_type_arg;
+    psa_algorithm_t alg = alg_arg;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_sign_hash_interruptible_operation_t sign_operation =
+        psa_sign_hash_interruptible_operation_init();
+
+    PSA_ASSERT(psa_crypto_init());
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+                            PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, key_type);
+
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+                              &key));
+
+    /* Check that default max ops gets set if we don't set it. */
+    PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+                                   input_data->x, input_data->len));
+
+    TEST_EQUAL(psa_interruptible_get_max_ops(),
+               PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+    /* Check that max ops gets set properly. */
+
+    psa_interruptible_set_max_ops(0xbeef);
+
+    TEST_EQUAL(psa_interruptible_get_max_ops(),
+               0xbeef);
+
+exit:
+    /*
+     * Key attributes may have been returned by psa_get_key_attributes()
+     * thus reset them as required.
+     */
+    psa_reset_key_attributes(&attributes);
+
+    psa_destroy_key(key);
+    PSA_DONE();
+}
+/* END_CASE */
 
 /* BEGIN_CASE */
 void sign_message_deterministic(int key_type_arg,

From c08112160a319d5e3ef9b85b370beb442df791b1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 7 Feb 2023 18:06:25 +0000
Subject: [PATCH 49/70] Add comment to explain lack of driver dispatch

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 .../driver_templates/psa_crypto_driver_wrappers.c.jinja   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index fba899033..a8a8991a2 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -435,11 +435,19 @@ psa_status_t psa_driver_wrapper_verify_hash(
 
 void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops )
 {
+    /* TODO - dispatch to drivers dynamically registered for this
+     * service when registering is implemented. For now, fall
+     * through to internal implementation. */
+
     mbedtls_psa_interruptible_set_max_ops( max_ops );
 }
 
 uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
 {
+    /* TODO - dispatch to drivers dynamically registered for this
+     * service when registering is implemented. For now, fall
+     * through to internal implementation. */
+
     return mbedtls_psa_interruptible_get_max_ops( );
 }
 

From 724bd25f4b061713885afa1c2512dedd6bb7a9d4 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 8 Feb 2023 12:35:08 +0000
Subject: [PATCH 50/70] Fix missing mbedtls_mpi_free() on signing.

After moving the MPIs used to output from the operation into the complete
function, I failed to move the accompanying free as well.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ab52918cd..6e0d06b36 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3617,10 +3617,10 @@ psa_status_t mbedtls_psa_sign_hash_complete(
                                                MBEDTLS_PSA_RANDOM_STATE,
                                                &operation->restart_ctx));
 #else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
-        return PSA_ERROR_NOT_SUPPORTED;
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
     } else {
-
         status = mbedtls_to_psa_error(
             mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
                                            &r,
@@ -3635,9 +3635,7 @@ psa_status_t mbedtls_psa_sign_hash_complete(
                                            &operation->restart_ctx));
     }
 
-    if (status != PSA_SUCCESS) {
-        return status;
-    } else {
+    if (status == PSA_SUCCESS) {
         status =  mbedtls_to_psa_error(
             mbedtls_mpi_write_binary(&r,
                                      signature,
@@ -3645,7 +3643,7 @@ psa_status_t mbedtls_psa_sign_hash_complete(
             );
 
         if (status != PSA_SUCCESS) {
-            return status;
+            goto exit;
         }
 
         status =  mbedtls_to_psa_error(
@@ -3656,13 +3654,20 @@ psa_status_t mbedtls_psa_sign_hash_complete(
             );
 
         if (status != PSA_SUCCESS) {
-            return status;
+            goto exit;
         }
 
         *signature_length = operation->coordinate_bytes * 2;
 
-        return PSA_SUCCESS;
+        status = PSA_SUCCESS;
     }
+
+exit:
+
+    mbedtls_mpi_free(&r);
+    mbedtls_mpi_free(&s);
+    return status;
+
  #else
 
     (void) operation;

From 01885fa5e576d5e3f4cdf84aeb49f7d696d801cf Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 9 Feb 2023 12:07:30 +0000
Subject: [PATCH 51/70] Fix include guards on auxiliary test function.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 5f6aa42d5..66f932b7e 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1220,9 +1220,7 @@ typedef enum {
     INJECT_ANTICIPATE_KEY_DERIVATION_2,
 } ecjpake_injected_failure_t;
 
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
-    defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
 
 static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
                                                           psa_status_t expected_status,
@@ -1248,9 +1246,7 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
         *max_completes = 1;
     }
 }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
-        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
-        * defined( MBEDTLS_ECP_RESTARTABLE ) */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
 /* END_HEADER */
 

From 0290a76fc27cf365f79ac7bb1b7622c5c597ed30 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 9 Feb 2023 14:30:24 +0000
Subject: [PATCH 52/70] Fix buffer overflow with hashes larger than key size.

Truncate input hashes to curve private key size as that is all that is required
for the internal implementation.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 6e0d06b36..5013c5d92 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3524,6 +3524,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
     const uint8_t *hash, size_t hash_length)
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    size_t required_hash_length;
 
     if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -3561,8 +3562,13 @@ psa_status_t mbedtls_psa_sign_hash_start(
     operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
     operation->alg = alg;
 
-    memcpy(operation->hash, hash, hash_length);
-    operation->hash_length = hash_length;
+    /* We only need to store the same length of hash as the private key size
+     * here, it would be truncated by the internal implementation anyway. */
+    required_hash_length = (hash_length < operation->coordinate_bytes ?
+                            hash_length : operation->coordinate_bytes);
+
+    memcpy(operation->hash, hash, required_hash_length);
+    operation->hash_length = required_hash_length;
 
     return PSA_SUCCESS;
 
@@ -3574,6 +3580,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
     (void) hash;
     (void) hash_length;
     (void) status;
+    (void) required_hash_length;
 
     return PSA_ERROR_NOT_SUPPORTED;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
@@ -3722,6 +3729,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     size_t coordinate_bytes = 0;
+    size_t required_hash_length = 0;
 
     if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
         return PSA_ERROR_NOT_SUPPORTED;
@@ -3785,8 +3793,13 @@ psa_status_t mbedtls_psa_verify_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
-    memcpy(operation->hash, hash, hash_length);
-    operation->hash_length = hash_length;
+    /* We only need to store the same length of hash as the private key size
+     * here, it would be truncated by the internal implementation anyway. */
+    required_hash_length = (hash_length < coordinate_bytes ? hash_length :
+                            coordinate_bytes);
+
+    memcpy(operation->hash, hash, required_hash_length);
+    operation->hash_length = required_hash_length;
 
     return PSA_SUCCESS;
 #else
@@ -3800,6 +3813,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
     (void) signature_length;
     (void) status;
     (void) coordinate_bytes;
+    (void) required_hash_length;
 
     return PSA_ERROR_NOT_SUPPORTED;
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||

From fe9e77ff7adc8ecc8e161b6dedd6c9e98edcb482 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 10 Feb 2023 11:04:27 +0000
Subject: [PATCH 53/70] Better formatting of include guard comments

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index 2ba913398..b23199afc 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -127,9 +127,9 @@ typedef struct {
     /* Make the struct non-empty if algs not supported. */
     unsigned MBEDTLS_PRIVATE(dummy);
 
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
-        * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA &&
-        * MBEDTLS_ECP_RESTARTABLE */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
 } mbedtls_psa_sign_hash_interruptible_operation_t;
 
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
@@ -160,9 +160,9 @@ typedef struct {
     /* Make the struct non-empty if algs not supported. */
     unsigned MBEDTLS_PRIVATE(dummy);
 
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
-        * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA &&
-        * MBEDTLS_ECP_RESTARTABLE */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+        * defined( MBEDTLS_ECP_RESTARTABLE ) */
 
 } mbedtls_psa_verify_hash_interruptible_operation_t;
 

From 6d99f0c265305fddecf05b2f63c948163c380660 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 10 Feb 2023 12:58:09 +0000
Subject: [PATCH 54/70] Fix errors in psa_wipe_output_buffer() doc comment.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 5013c5d92..2328e3590 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2684,7 +2684,7 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message,
 }
 
 /**
- * \brief                       Fill the unused part of the output buffer(the
+ * \brief                       Fill the unused part of the output buffer (the
  *                              whole buffer on error, the trailing part on
  *                              success) with something that isn't a valid
  *                              signature (barring an attack on the signature
@@ -2692,13 +2692,13 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message,
  *                              caller doesn't check the return status properly.
  *
  * \param output_buffer         pointer to buffer to wipe. May not be NULL
- *                              unless /p output_buffer_size is zero.
+ *                              unless \p output_buffer_size is zero.
  * \param status                status of function called to generate
  *                              output_buffer originally
- * \param output_buffer_size    Size of output buffer. If zero, /p output_buffer
+ * \param output_buffer_size    Size of output buffer. If zero, \p output_buffer
  *                              could be NULL
  * \param output_buffer_length  Length of data written to output_buffer, must be
- *                              less than /p output_buffer_size
+ *                              less than \p output_buffer_size
  */
 static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status,
                                    size_t output_buffer_size, size_t output_buffer_length)

From c569fc268f9195fd19decbcd6cfe1954767a54cf Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 10 Feb 2023 13:02:54 +0000
Subject: [PATCH 55/70] Switch from nbits to pbits

Correct coordinate size is grp.nbits, not grp.pbits.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2328e3590..776a9c858 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3556,7 +3556,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
     operation->coordinate_bytes = PSA_BITS_TO_BYTES(
-        operation->ctx->grp.pbits);
+        operation->ctx->grp.nbits);
 
     psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
     operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
@@ -3758,7 +3758,7 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return status;
     }
 
-    coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.pbits);
+    coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
 
     if (signature_length != 2 * coordinate_bytes) {
         return PSA_ERROR_INVALID_SIGNATURE;

From 53bb3120544d23473370f8e75f6d2fe89241e880 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 10 Feb 2023 14:22:22 +0000
Subject: [PATCH 56/70] Wipe output buffer even when INCOMPLETE is returned.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 776a9c858..e10c34cc5 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3292,10 +3292,10 @@ exit:
     /* Update ops count with work done. */
     operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
 
-    if (status != PSA_OPERATION_INCOMPLETE) {
-        psa_wipe_output_buffer(signature, status, signature_size,
-                               *signature_length);
+    psa_wipe_output_buffer(signature, status, signature_size,
+                           *signature_length);
 
+    if (status != PSA_OPERATION_INCOMPLETE) {
         if (status != PSA_SUCCESS) {
             operation->error_occurred = 1;
         }

From ebe225cf7b3395de91290788031d6e84e9200169 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Fri, 10 Feb 2023 14:32:53 +0000
Subject: [PATCH 57/70] Move num ops update to only point where work can be
 done.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index e10c34cc5..d458b0297 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3287,11 +3287,12 @@ psa_status_t psa_sign_hash_complete(
     status = psa_driver_wrapper_sign_hash_complete(operation, signature,
                                                    signature_size,
                                                    signature_length);
-exit:
 
     /* Update ops count with work done. */
     operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
 
+exit:
+
     psa_wipe_output_buffer(signature, status, signature_size,
                            *signature_length);
 
@@ -3418,12 +3419,12 @@ psa_status_t psa_verify_hash_complete(
 
     status = psa_driver_wrapper_verify_hash_complete(operation);
 
-exit:
-
     /* Update ops count with work done. */
     operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
         operation);
 
+exit:
+
     if (status != PSA_OPERATION_INCOMPLETE) {
         if (status != PSA_SUCCESS) {
             operation->error_occurred = 1;

From a1c9409d88b838ffe3f5208a084bdd59257f4477 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 16:38:04 +0000
Subject: [PATCH 58/70] Move structure init calls as early as possible

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index d458b0297..927b9d45f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3539,6 +3539,8 @@ psa_status_t mbedtls_psa_sign_hash_start(
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
+    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
     /* Ensure default is set even if
      * mbedtls_psa_interruptible_set_max_ops() has not been called. */
     mbedtls_psa_interruptible_set_max_ops(
@@ -3554,8 +3556,6 @@ psa_status_t mbedtls_psa_sign_hash_start(
         return status;
     }
 
-    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
-
     operation->coordinate_bytes = PSA_BITS_TO_BYTES(
         operation->ctx->grp.nbits);
 
@@ -3594,22 +3594,22 @@ psa_status_t mbedtls_psa_sign_hash_complete(
     uint8_t *signature, size_t signature_size,
     size_t *signature_length)
 {
-    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi r;
     mbedtls_mpi s;
 
-    if (signature_size < 2 * operation->coordinate_bytes) {
-        return PSA_ERROR_BUFFER_TOO_SMALL;
-    }
-
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
 
+    if (signature_size < 2 * operation->coordinate_bytes) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+
     if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
 
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
@@ -3679,7 +3679,6 @@ exit:
  #else
 
     (void) operation;
-    (void) status;
     (void) signature;
     (void) signature_size;
     (void) signature_length;
@@ -3744,6 +3743,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
+    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+    mbedtls_mpi_init(&operation->r);
+    mbedtls_mpi_init(&operation->s);
+
     /* Ensure default is set even if
      * mbedtls_psa_interruptible_set_max_ops() has not been called. */
     mbedtls_psa_interruptible_set_max_ops(
@@ -3765,7 +3768,6 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return PSA_ERROR_INVALID_SIGNATURE;
     }
 
-    mbedtls_mpi_init(&operation->r);
     status = mbedtls_to_psa_error(
         mbedtls_mpi_read_binary(&operation->r,
                                 signature,
@@ -3775,7 +3777,6 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return status;
     }
 
-    mbedtls_mpi_init(&operation->s);
     status = mbedtls_to_psa_error(
         mbedtls_mpi_read_binary(&operation->s,
                                 signature +
@@ -3792,8 +3793,6 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return mbedtls_to_psa_error(ret);
     }
 
-    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
-
     /* We only need to store the same length of hash as the private key size
      * here, it would be truncated by the internal implementation anyway. */
     required_hash_length = (hash_length < coordinate_bytes ? hash_length :

From 7ef174b285b86c8c8e49d479bf6fe552b7eae3f5 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 16:45:20 +0000
Subject: [PATCH 59/70] Correct insufficient memory return documentation.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto_core.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index a00728918..5648321b2 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -711,8 +711,7 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops(
  * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
  *         are currently supported, or the key type is currently unsupported.
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- *         There was insufficient memory either to load the key representation,
- *         or to store the hash.
+ *         There was insufficient memory to load the key representation.
  */
 psa_status_t mbedtls_psa_sign_hash_start(
     mbedtls_psa_sign_hash_interruptible_operation_t *operation,
@@ -817,7 +816,7 @@ psa_status_t mbedtls_psa_sign_hash_abort(
  *         or the key type is currently unsupported.
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
  *        There was insufficient memory either to load the key representation,
- *        or to store the hash.
+ *        or to prepare the operation.
  */
 psa_status_t mbedtls_psa_verify_hash_start(
     mbedtls_psa_verify_hash_interruptible_operation_t *operation,

From efebad0d67c63d3b734f898a5624b52be8fbf9e4 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 16:56:45 +0000
Subject: [PATCH 60/70] Run extra complete in failure tests regardless.

We do not need to expect to fail, running another complete in either sign or
verify after successful completion should also return BAD_STATE.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 66f932b7e..2f5b50db9 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6702,13 +6702,12 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     TEST_EQUAL(actual_status, expected_complete_status);
 
-    if (expected_complete_status != PSA_SUCCESS) {
-        actual_status = psa_sign_hash_complete(&operation, signature,
-                                               signature_size,
-                                               &signature_length);
+    /* Check that another complete returns BAD_STATE. */
+    actual_status = psa_sign_hash_complete(&operation, signature,
+                                           signature_size,
+                                           &signature_length);
 
-        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-    }
+    TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
 
     PSA_ASSERT(psa_sign_hash_abort(&operation));
 
@@ -7160,11 +7159,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
 
     TEST_EQUAL(actual_status, expected_complete_status);
 
-    if (expected_complete_status != PSA_SUCCESS) {
-        actual_status = psa_verify_hash_complete(&operation);
-
-        TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
-    }
+    /* Check that another complete returns BAD_STATE. */
+    actual_status = psa_verify_hash_complete(&operation);
+    TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
 
     TEST_LE_U(min_completes, num_completes);
     TEST_LE_U(num_completes, max_completes);

From 2c9843f2a440be3fdaab73e0bdddba8d28845c8c Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 17:32:42 +0000
Subject: [PATCH 61/70] Make mbedtls_sa_ecp_load_public_part return
 psa_status_t

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c     |  6 +++---
 library/psa_crypto_ecp.c | 38 +++++++++++++++++++++++---------------
 library/psa_crypto_ecp.h |  4 ++--
 3 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 927b9d45f..2c6f108a1 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3787,10 +3787,10 @@ psa_status_t mbedtls_psa_verify_hash_start(
         return status;
     }
 
-    int ret = mbedtls_psa_ecp_load_public_part(operation->ctx);
+    status = mbedtls_psa_ecp_load_public_part(operation->ctx);
 
-    if (ret != 0) {
-        return mbedtls_to_psa_error(ret);
+    if (status != PSA_SUCCESS) {
+        return status;
     }
 
     /* We only need to store the same length of hash as the private key size
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index cc80f2776..f70d804b0 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -404,7 +404,7 @@ cleanup:
     return mbedtls_to_psa_error(ret);
 }
 
-int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
 {
     int ret = 0;
 
@@ -416,7 +416,7 @@ int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
                               MBEDTLS_PSA_RANDOM_STATE);
     }
 
-    return ret;
+    return mbedtls_to_psa_error(ret);
 }
 
 psa_status_t mbedtls_psa_ecdsa_verify_hash(
@@ -427,7 +427,6 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_keypair *ecp = NULL;
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t curve_bytes;
     mbedtls_mpi r, s;
 
@@ -447,30 +446,39 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
     mbedtls_mpi_init(&s);
 
     if (signature_length != 2 * curve_bytes) {
-        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        status = PSA_ERROR_INVALID_SIGNATURE;
         goto cleanup;
     }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r,
-                                            signature,
-                                            curve_bytes));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s,
-                                            signature + curve_bytes,
-                                            curve_bytes));
+    status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
+                                                          signature,
+                                                          curve_bytes));
+    if (status != PSA_SUCCESS) {
+        goto cleanup;
+    }
 
-    MBEDTLS_MPI_CHK(mbedtls_psa_ecp_load_public_part(ecp));
+    status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
+                                                          signature + curve_bytes,
+                                                          curve_bytes));
+    if (status != PSA_SUCCESS) {
+        goto cleanup;
+    }
 
+    status = mbedtls_psa_ecp_load_public_part(ecp);
+    if (status != PSA_SUCCESS) {
+        goto cleanup;
+    }
 
-    ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
-                               &ecp->Q, &r, &s);
-
+    status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
+                                                       hash_length, &ecp->Q,
+                                                       &r, &s));
 cleanup:
     mbedtls_mpi_free(&r);
     mbedtls_mpi_free(&s);
     mbedtls_ecp_keypair_free(ecp);
     mbedtls_free(ecp);
 
-    return mbedtls_to_psa_error(ret);
+    return status;
 }
 
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
index 8b567fe3b..c7ef534b1 100644
--- a/library/psa_crypto_ecp.h
+++ b/library/psa_crypto_ecp.h
@@ -52,10 +52,10 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
  *
  * \param ecp               The ECP context to load the public part for.
  *
- * \return 0 on success, otherwise an MPI error.
+ * \return PSA_SUCCESS on success, otherwise an MPI error.
  */
 
-int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
 
 /** Import an ECP key in binary format.
  *

From c86d45e8a1aff38d1cea21b4be93cbe16b6b12d1 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 17:38:05 +0000
Subject: [PATCH 62/70] Remove spurious incorrect comment

Comment originated from original version of this code, and the newer comment
which was added when it was pulled into a seperate function covers all cases.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 2f5b50db9..fd355de9a 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1233,7 +1233,7 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
        to complete, and likewise that with a max_ops of
        PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
     if (max_ops == 0 || max_ops == 1) {
-        /* Failure test cases will fail on the first op. */
+
         if (expected_status == PSA_SUCCESS) {
             *min_completes = 2;
         } else {

From 93d9ca83ea6e91c7d24c8da980af832448a4151a Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 18:14:21 +0000
Subject: [PATCH 63/70] Move num_ops ECP abstraction fully into internal
 implementation

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto_builtin_composites.h       |  8 +++++--
 library/psa_crypto.c                          | 24 +++++++++++++++----
 library/psa_crypto_core.h                     | 22 ++++++++---------
 library/psa_crypto_driver_wrappers.h          |  4 ++--
 .../psa_crypto_driver_wrappers.c.jinja        | 20 ++++------------
 5 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index b23199afc..9f23551eb 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -117,6 +117,8 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
+    uint32_t MBEDTLS_PRIVATE(num_ops);
+
     size_t MBEDTLS_PRIVATE(coordinate_bytes);
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
     mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
@@ -135,7 +137,7 @@ typedef struct {
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0 }
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 }
 #else
 #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
 #endif
@@ -150,6 +152,8 @@ typedef struct {
     mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
     mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
 
+    uint32_t MBEDTLS_PRIVATE(num_ops);
+
     uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
     size_t MBEDTLS_PRIVATE(hash_length);
 
@@ -169,7 +173,7 @@ typedef struct {
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \
         { 0 } }
 #else
 #define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2c6f108a1..39da74b48 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3487,13 +3487,16 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void)
 }
 
 uint32_t mbedtls_psa_sign_hash_get_num_ops(
-    const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation)
 {
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    return operation->restart_ctx.ecp.ops_done;
+    /* Hide the fact that the restart context only holds a delta of number of
+     * ops done during the last operation, not an absolute value. */
+    operation->num_ops += operation->restart_ctx.ecp.ops_done;
+    return operation->num_ops;
 #else
     (void) operation;
     return 0;
@@ -3503,13 +3506,16 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
 }
 
 uint32_t mbedtls_psa_verify_hash_get_num_ops(
-    const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
 {
     #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    return operation->restart_ctx.ecp.ops_done;
+    /* Hide the fact that the restart context only holds a delta of number of
+     * ops done during the last operation, not an absolute value. */
+    operation->num_ops += operation->restart_ctx.ecp.ops_done;
+    return operation->num_ops;
 #else
     (void) operation;
     return 0;
@@ -3541,6 +3547,9 @@ psa_status_t mbedtls_psa_sign_hash_start(
 
     mbedtls_ecdsa_restart_init(&operation->restart_ctx);
 
+    /* Ensure num_ops is zero'ed in case of context re-use. */
+    operation->num_ops = 0;
+
     /* Ensure default is set even if
      * mbedtls_psa_interruptible_set_max_ops() has not been called. */
     mbedtls_psa_interruptible_set_max_ops(
@@ -3706,6 +3715,8 @@ psa_status_t mbedtls_psa_sign_hash_abort(
 
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
+    operation->num_ops = 0;
+
     return PSA_SUCCESS;
 
 #else
@@ -3747,6 +3758,9 @@ psa_status_t mbedtls_psa_verify_hash_start(
     mbedtls_mpi_init(&operation->r);
     mbedtls_mpi_init(&operation->s);
 
+    /* Ensure num_ops is zero'ed in case of context re-use. */
+    operation->num_ops = 0;
+
     /* Ensure default is set even if
      * mbedtls_psa_interruptible_set_max_ops() has not been called. */
     mbedtls_psa_interruptible_set_max_ops(
@@ -3864,6 +3878,8 @@ psa_status_t mbedtls_psa_verify_hash_abort(
 
     mbedtls_ecdsa_restart_free(&operation->restart_ctx);
 
+    operation->num_ops = 0;
+
     mbedtls_mpi_free(&operation->r);
     mbedtls_mpi_free(&operation->s);
 
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 5648321b2..0ef0131fa 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -643,12 +643,11 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void);
  *        zero.
  *
  * \note The signature of this function is that of a PSA driver
- *       sign_get_num_ops entry point, however it differs in behaviour from the
- *       driver function in that this function returns a delta of work done in
- *       the last call rather than all of the ops done ever by the whole
- *       operation, due to internal implementation differences.
+ *       sign_hash_get_num_ops entry point. This function behaves as an
+ *       sign_hash_get_num_ops entry point as defined in the PSA driver
+ *       interface specification for transparent drivers.
  *
- * \param[in]  operation        The \c
+ * \param   operation           The \c
  *                              mbedtls_psa_sign_hash_interruptible_operation_t
  *                              to use. This must be initialized first.
  *
@@ -657,7 +656,7 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void);
  *                              mbedtls_psa_sign_hash_complete().
  */
 uint32_t mbedtls_psa_sign_hash_get_num_ops(
-    const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+    mbedtls_psa_sign_hash_interruptible_operation_t *operation);
 
 /**
  * \brief Get the number of ops that a hash verification operation has taken for
@@ -665,12 +664,11 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
  *        return zero.
  *
  * \note The signature of this function is that of a PSA driver
- *       verify_get_num_ops entry point however it differs in behaviour from the
- *       driver function in that this function returns a delta of work done in
- *       the last call rather than all of the ops done ever by the whole
- *       operation, due to internal implementation differences.
+ *       verify_hash_get_num_ops entry point. This function behaves as an
+ *       verify_hash_get_num_ops entry point as defined in the PSA driver
+ *       interface specification for transparent drivers.
  *
- * \param[in]  operation        The \c
+ * \param   operation           The \c
  *                              mbedtls_psa_verify_hash_interruptible_operation_t
  *                              to use. This must be initialized first.
  *
@@ -679,7 +677,7 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
  *                              mbedtls_psa_verify_hash_complete().
  */
 uint32_t mbedtls_psa_verify_hash_get_num_ops(
-    const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+    mbedtls_psa_verify_hash_interruptible_operation_t *operation);
 
 /**
  * \brief  Start signing a hash or short message with a private key, in an
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index 26df08835..e3edec791 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -75,10 +75,10 @@ void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops);
 uint32_t psa_driver_wrapper_interruptible_get_max_ops(void);
 
 uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
-    const psa_sign_hash_interruptible_operation_t *operation);
+    psa_sign_hash_interruptible_operation_t *operation);
 
 uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
-    const psa_verify_hash_interruptible_operation_t *operation);
+    psa_verify_hash_interruptible_operation_t *operation);
 
 psa_status_t psa_driver_wrapper_sign_hash_start(
     psa_sign_hash_interruptible_operation_t *operation,
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index a8a8991a2..b35e726a0 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -452,7 +452,7 @@ uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
 }
 
 uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
-    const psa_sign_hash_interruptible_operation_t *operation )
+    psa_sign_hash_interruptible_operation_t *operation )
 {
     switch( operation->id )
     {
@@ -461,13 +461,7 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
             return 0;
 
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
-            /* Internal implementation returns a delta of ops completed in the
-             * last call to complete(), so need to add in ops already completed
-             * before this.*/
-            return( operation->num_ops +
-                    mbedtls_psa_sign_hash_get_num_ops(
-                                                &operation->ctx.mbedtls_ctx )
-                  );
+            return(mbedtls_psa_sign_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
@@ -481,7 +475,7 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
 }
 
 uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
-    const psa_verify_hash_interruptible_operation_t *operation )
+    psa_verify_hash_interruptible_operation_t *operation )
 {
     switch( operation->id )
     {
@@ -490,13 +484,7 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
             return 0;
 
         case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
-            /* Internal implementation returns a delta of ops completed in the
-             * last call to complete(), so need to add in ops already completed
-             * before this.*/
-            return ( operation->num_ops +
-                     mbedtls_psa_verify_hash_get_num_ops(
-                                                &operation->ctx.mbedtls_ctx )
-                    );
+            return (mbedtls_psa_verify_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
 
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)

From ba70ad49446e3e814cb3dc0413b3956ade0e3265 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 18:23:53 +0000
Subject: [PATCH 64/70] Add safety for keys larger than we currently support.

Prevent buffer overflow with keys whos grp.nbits is greater than
PSA_VENDOR_ECC_MAX_CURVE_BITS.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 39da74b48..36d48ad8f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3577,6 +3577,11 @@ psa_status_t mbedtls_psa_sign_hash_start(
     required_hash_length = (hash_length < operation->coordinate_bytes ?
                             hash_length : operation->coordinate_bytes);
 
+    if (required_hash_length > sizeof(operation->hash)) {
+        /* Shouldn't happen, but better safe than sorry. */
+        return PSA_ERROR_CORRUPTION_DETECTED;
+    }
+
     memcpy(operation->hash, hash, required_hash_length);
     operation->hash_length = required_hash_length;
 
@@ -3812,6 +3817,11 @@ psa_status_t mbedtls_psa_verify_hash_start(
     required_hash_length = (hash_length < coordinate_bytes ? hash_length :
                             coordinate_bytes);
 
+    if (required_hash_length > sizeof(operation->hash)) {
+        /* Shouldn't happen, but better safe than sorry. */
+        return PSA_ERROR_CORRUPTION_DETECTED;
+    }
+
     memcpy(operation->hash, hash, required_hash_length);
     operation->hash_length = required_hash_length;
 

From f1743e2440e7f5e3b702195aeaf846e2cec5e33b Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 18:44:16 +0000
Subject: [PATCH 65/70] Add verify call to max ops tests

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 31 ++++++++++++++++++---
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index fd355de9a..5379eafd1 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7484,8 +7484,13 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg,
     psa_key_type_t key_type = key_type_arg;
     psa_algorithm_t alg = alg_arg;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    size_t key_bits;
+    unsigned char *signature = NULL;
+    size_t signature_size;
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
+    psa_verify_hash_interruptible_operation_t verify_operation =
+        psa_verify_hash_interruptible_operation_init();
 
     PSA_ASSERT(psa_crypto_init());
 
@@ -7494,8 +7499,17 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg,
     psa_set_key_algorithm(&attributes, alg);
     psa_set_key_type(&attributes, key_type);
 
-    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
-                              &key));
+    PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
+    PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+    key_bits = psa_get_key_bits(&attributes);
+
+    /* Allocate a buffer which has the size advertised by the
+     * library. */
+    signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
+
+    TEST_ASSERT(signature_size != 0);
+    TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+    ASSERT_ALLOC(signature, signature_size);
 
     /* Check that default max ops gets set if we don't set it. */
     PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
@@ -7506,12 +7520,20 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg,
 
     PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
 
+    PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+                                     input_data->x, input_data->len,
+                                     signature, signature_size));
+
+    TEST_EQUAL(psa_interruptible_get_max_ops(),
+               PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+    PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
     /* Check that max ops gets set properly. */
 
     psa_interruptible_set_max_ops(0xbeef);
 
-    TEST_EQUAL(psa_interruptible_get_max_ops(),
-               0xbeef);
+    TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
 
 exit:
     /*
@@ -7521,6 +7543,7 @@ exit:
     psa_reset_key_attributes(&attributes);
 
     psa_destroy_key(key);
+    mbedtls_free(signature);
     PSA_DONE();
 }
 /* END_CASE */

From 21c395113983e621dd92a56b35e30d1daca4f33f Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 19:47:39 +0000
Subject: [PATCH 66/70] Add reference to mbedtls_ecp_set_max_ops() to docs

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/psa/crypto.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index d371e1a1c..80bf5c969 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -4165,6 +4165,12 @@ typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interru
  *                              or equals as regards to ops executed in a
  *                              single call is implementation defined.
  *
+ * \note                        For keys in local storage when no accelerator
+ *                              driver applies, please see also the
+ *                              documentation for \c mbedtls_ecp_set_max_ops(),
+ *                              which is the internal implementation in these
+ *                              cases.
+ *
  * \warning                     With implementations that interpret this number
  *                              as a hard limit, setting this number too small
  *                              may result in an infinite loop, whereby each

From 5686533ba23aee02e21861e598e0b9119894f840 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 22:57:44 +0000
Subject: [PATCH 67/70] Add warning to mbedtls_ecp_set_max_ops()

Using PSA interruptible interfaces will cause previously set values to be
overwritten.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 include/mbedtls/ecp.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 7a28a1957..1590ef21e 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -472,6 +472,12 @@ mbedtls_ecp_keypair;
  *                  only enabled for specific sides and key exchanges
  *                  (currently only for clients and ECDHE-ECDSA).
  *
+ * \warning         Using the PSA interruptible interfaces with keys in local
+ *                  storage and no accelerator driver will also call this
+ *                  function to set the values specified via those interfaces,
+ *                  overwriting values previously set. Care should be taken if
+ *                  mixing these two interfaces.
+ *
  * \param max_ops   Maximum number of basic operations done in a row.
  *                  Default: 0 (unlimited).
  *                  Lower (non-zero) values mean ECC functions will block for

From 96b89b208a7f42d9b02c29b8be57925af4aba9a5 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 23:10:37 +0000
Subject: [PATCH 68/70] Add comment to indicate non-PSA spec assertion.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 5379eafd1..c79217fbe 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6539,6 +6539,10 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
 
         if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_sign_hash_get_num_ops(&operation);
+            /* We are asserting here that every complete makes progress
+             * (completes some ops), which is true of the internal
+             * implementation and probably any implementation, however this is
+             * not mandated by the PSA specification. */
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;
@@ -6694,6 +6698,10 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         if (actual_status == PSA_SUCCESS ||
             actual_status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_sign_hash_get_num_ops(&operation);
+            /* We are asserting here that every complete makes progress
+             * (completes some ops), which is true of the internal
+             * implementation and probably any implementation, however this is
+             * not mandated by the PSA specification. */
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;
@@ -7022,6 +7030,10 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
 
         if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_verify_hash_get_num_ops(&operation);
+            /* We are asserting here that every complete makes progress
+             * (completes some ops), which is true of the internal
+             * implementation and probably any implementation, however this is
+             * not mandated by the PSA specification. */
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;
@@ -7151,6 +7163,10 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
         if (actual_status == PSA_SUCCESS ||
             actual_status == PSA_OPERATION_INCOMPLETE) {
             num_ops = psa_verify_hash_get_num_ops(&operation);
+            /* We are asserting here that every complete makes progress
+             * (completes some ops), which is true of the internal
+             * implementation and probably any implementation, however this is
+             * not mandated by the PSA specification. */
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;

From 0af1b5367b362d3c33eb540ed3a58cfdb7ab742d Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 15 Feb 2023 23:25:54 +0000
Subject: [PATCH 69/70] Remove some abbrevations from test descriptions.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/suites/test_suite_psa_crypto.data | 74 ++++++++++++-------------
 1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 9511d1f5c..697cdd7b7 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,19 +4145,19 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
 
-PSA sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1
 
-PSA sgn hash int (ops=inf) det ECDSA SECP256R1 SHA-384
+PSA sign hash int (ops=inf) det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-384
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1
 
@@ -4233,47 +4233,47 @@ PSA sign hash: deterministic ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
 
-PSA Sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
-PSA sgn hash int(ops=inf): deterministic ECDSA SECP256R1 SHA-256, empty output buffer
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, empty out buf
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
 
-PSA sgn hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0)
+PSA sign hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0)
+PSA sign hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1
 
-PSA sgn hash int: det ECDSA SECP256R1, invld hash alg (wildcard)
+PSA sign hash int: det ECDSA SECP256R1, invld hash alg (wildcard)
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int: invld alg for ECC key
+PSA sign hash int: invld alg for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int: ECDSA not supported
+PSA sign hash int: ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=inf): det ECDSA not supported
+PSA sign hash int (ops=inf): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn hash int (ops=min): det ECDSA not supported
+PSA sign hash int (ops=min): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
 
@@ -4317,51 +4317,51 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
-PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-384
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-384
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
-PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
 
-PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP384R1 SHA-256
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP384R1 SHA-256
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
-PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
 
@@ -4521,31 +4521,31 @@ PSA verify hash: invalid algorithm for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
 
-PSA vrfy hash int: ECDSA SECP256R1, wrng sig size (correct but ASN1-encoded)
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrng sig of correct size
+PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrong sig of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrng sig of correct size
+PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrong sig of correct size
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1
 
-PSA vrfy hash int: ECDSA SECP256R1, wrng sig (empty)
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (empty)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA vrfy hash int: ECDSA SECP256R1, wrng sig (truncated)
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (truncated)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA vrfy hash int: ECDSA SECP256R1, wrng sig (trailing junk)
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (trailing junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA vrfy hash int: ECDSA SECP256R1, wrng sig (leading junk)
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (leading junk)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
@@ -4553,15 +4553,15 @@ PSA vrfy hash int: invld alg for ECC key
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
-PSA sgn/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
-PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 
-PSA sgn/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256
+PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
 

From f8e5b56ad8395f7da9d496c5a21b3334e40c8047 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Sun, 19 Feb 2023 18:43:45 +0000
Subject: [PATCH 70/70] Fix get_num_ops internal code.

Previously calling get_num_ops more than once would have ended up with ops
getting double counted, and not calling inbetween completes would have ended up
with ops getting missed. Fix this by moving this to where the work is actually
done, and add tests for double calls to get_num_ops().

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/psa_crypto.c                        | 23 +++++++++++++--------
 library/psa_crypto_core.h                   |  4 ++--
 tests/suites/test_suite_psa_crypto.function | 12 +++++++++++
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 36d48ad8f..3ec9273de 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3487,15 +3487,12 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void)
 }
 
 uint32_t mbedtls_psa_sign_hash_get_num_ops(
-    mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+    const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
 {
 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    /* Hide the fact that the restart context only holds a delta of number of
-     * ops done during the last operation, not an absolute value. */
-    operation->num_ops += operation->restart_ctx.ecp.ops_done;
     return operation->num_ops;
 #else
     (void) operation;
@@ -3506,15 +3503,12 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
 }
 
 uint32_t mbedtls_psa_verify_hash_get_num_ops(
-    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+    const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
 {
     #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    /* Hide the fact that the restart context only holds a delta of number of
-     * ops done during the last operation, not an absolute value. */
-    operation->num_ops += operation->restart_ctx.ecp.ops_done;
     return operation->num_ops;
 #else
     (void) operation;
@@ -3657,6 +3651,10 @@ psa_status_t mbedtls_psa_sign_hash_complete(
                                            &operation->restart_ctx));
     }
 
+    /* Hide the fact that the restart context only holds a delta of number of
+     * ops done during the last operation, not an absolute value. */
+    operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
     if (status == PSA_SUCCESS) {
         status =  mbedtls_to_psa_error(
             mbedtls_mpi_write_binary(&r,
@@ -3853,7 +3851,9 @@ psa_status_t mbedtls_psa_verify_hash_complete(
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
     defined(MBEDTLS_ECP_RESTARTABLE)
 
-    return mbedtls_to_psa_error(
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    status = mbedtls_to_psa_error(
         mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
                                          operation->hash,
                                          operation->hash_length,
@@ -3862,6 +3862,11 @@ psa_status_t mbedtls_psa_verify_hash_complete(
                                          &operation->s,
                                          &operation->restart_ctx));
 
+    /* Hide the fact that the restart context only holds a delta of number of
+     * ops done during the last operation, not an absolute value. */
+    operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+    return status;
 #else
     (void) operation;
 
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 0ef0131fa..b1817e2da 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -656,7 +656,7 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void);
  *                              mbedtls_psa_sign_hash_complete().
  */
 uint32_t mbedtls_psa_sign_hash_get_num_ops(
-    mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+    const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
 
 /**
  * \brief Get the number of ops that a hash verification operation has taken for
@@ -677,7 +677,7 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops(
  *                              mbedtls_psa_verify_hash_complete().
  */
 uint32_t mbedtls_psa_verify_hash_get_num_ops(
-    mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+    const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
 
 /**
  * \brief  Start signing a hash or short message with a private key, in an
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c79217fbe..20e43c6ac 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6546,6 +6546,12 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data,
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;
+
+            /* Ensure calling get_num_ops() twice still returns the same
+             * number of ops as previously reported. */
+            num_ops = psa_sign_hash_get_num_ops(&operation);
+
+            TEST_EQUAL(num_ops, num_ops_prior);
         }
     } while (status == PSA_OPERATION_INCOMPLETE);
 
@@ -7037,6 +7043,12 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data,
             TEST_ASSERT(num_ops > num_ops_prior);
 
             num_ops_prior = num_ops;
+
+            /* Ensure calling get_num_ops() twice still returns the same
+             * number of ops as previously reported. */
+            num_ops = psa_verify_hash_get_num_ops(&operation);
+
+            TEST_EQUAL(num_ops, num_ops_prior);
         }
     } while (status == PSA_OPERATION_INCOMPLETE);