From c09df2f24c85623a426501f0fa6ef659cb57fbd4 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 23 Jan 2024 17:03:31 +0100
Subject: [PATCH] Unify want_private detection

This commit makes the code arguably slightly simpler and fixes the build
with clang -Wimplicit-fallthrough. No intended semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/pk.c | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/library/pk.c b/library/pk.c
index c34da9974..60891a07e 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -416,24 +416,23 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
     }
     more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
 
+    int want_private = !(usage == PSA_KEY_USAGE_VERIFY_MESSAGE ||
+                         usage == PSA_KEY_USAGE_VERIFY_HASH ||
+                         usage == PSA_KEY_USAGE_ENCRYPT);
+
     switch (pk_type) {
 #if defined(MBEDTLS_RSA_C)
         case MBEDTLS_PK_RSA:
         {
-            int want_crypt = 0;
-            int want_private = 0;
+            int want_crypt = 0; /* 0: encrypt/decrypt; 1: sign/verify */
             switch (usage) {
                 case PSA_KEY_USAGE_SIGN_MESSAGE:
                 case PSA_KEY_USAGE_SIGN_HASH:
-                    want_private = 1;
-                    break;
-                case PSA_KEY_USAGE_DECRYPT:
-                    want_private = 1;
-                    want_crypt = 1;
-                    break;
                 case PSA_KEY_USAGE_VERIFY_MESSAGE:
                 case PSA_KEY_USAGE_VERIFY_HASH:
+                    /* Nothing to do. */
                     break;
+                case PSA_KEY_USAGE_DECRYPT:
                 case PSA_KEY_USAGE_ENCRYPT:
                     want_crypt = 1;
                     break;
@@ -482,13 +481,10 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
             psa_ecc_family_t family =
                 mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
 #endif
-            int want_private = 0;
             psa_algorithm_t alg = 0;
             switch (usage) {
                 case PSA_KEY_USAGE_SIGN_MESSAGE:
                 case PSA_KEY_USAGE_SIGN_HASH:
-                    want_private = 1;
-                /* FALLTHROUGH */
                 case PSA_KEY_USAGE_VERIFY_MESSAGE:
                 case PSA_KEY_USAGE_VERIFY_HASH:
                     if (!sign_ok) {
@@ -501,7 +497,6 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
 #endif
                     break;
                 case PSA_KEY_USAGE_DERIVE:
-                    want_private = 1;
                     alg = PSA_ALG_ECDH;
                     if (!derive_ok) {
                         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
@@ -566,9 +561,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
             /* Opaque keys are always key pairs, so we don't need a check
              * on the input if the required usage is private. We just need
              * to adjust the type correctly if the required usage is public. */
-            if (usage == PSA_KEY_USAGE_VERIFY_MESSAGE ||
-                usage == PSA_KEY_USAGE_VERIFY_HASH ||
-                usage == PSA_KEY_USAGE_ENCRYPT) {
+            if (!want_private) {
                 new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type);
             }
             more_usage = psa_get_key_usage_flags(&old_attributes);