mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 18:45:43 +01:00
Address review comments
* zero key buffer on failure * readability improvements * psa_finish_key_creation adjustment after removing import_key_into_slot Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This commit is contained in:
parent
162ec8758f
commit
40120f6b76
@ -1039,6 +1039,8 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
|
|||||||
* psa_start_key_creation() wrote the size declared by the
|
* psa_start_key_creation() wrote the size declared by the
|
||||||
* caller, which may be 0 (meaning unspecified) or wrong. */
|
* caller, which may be 0 (meaning unspecified) or wrong. */
|
||||||
slot->attr.bits = (psa_key_bits_t) bit_size;
|
slot->attr.bits = (psa_key_bits_t) bit_size;
|
||||||
|
|
||||||
|
return( PSA_SUCCESS );
|
||||||
}
|
}
|
||||||
else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
|
else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
|
||||||
{
|
{
|
||||||
@ -1067,41 +1069,27 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
|
|||||||
|
|
||||||
/* Key format is not supported by any accelerator, try software fallback
|
/* Key format is not supported by any accelerator, try software fallback
|
||||||
* if present. */
|
* if present. */
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
|
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_ECP_C)
|
return( psa_import_ecp_key( slot, data, data_length ) );
|
||||||
status = psa_import_ecp_key( slot,
|
}
|
||||||
data, data_length );
|
|
||||||
#else
|
|
||||||
/* No drivers have been implemented yet, so without mbed TLS backing
|
|
||||||
* there's no way to do ECP with the current library. */
|
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
#endif /* defined(MBEDTLS_ECP_C) */
|
#endif /* defined(MBEDTLS_ECP_C) */
|
||||||
}
|
|
||||||
else if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
|
|
||||||
{
|
|
||||||
#if defined(MBEDTLS_RSA_C)
|
#if defined(MBEDTLS_RSA_C)
|
||||||
status = psa_import_rsa_key( slot,
|
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
|
||||||
data, data_length );
|
|
||||||
#else
|
|
||||||
/* No drivers have been implemented yet, so without mbed TLS backing
|
|
||||||
* there's no way to do RSA with the current library. */
|
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
#endif /* defined(MBEDTLS_RSA_C) */
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
/* Unsupported asymmetric key type */
|
return( psa_import_rsa_key( slot, data, data_length ) );
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
|
#endif /* defined(MBEDTLS_RSA_C) */
|
||||||
|
|
||||||
|
/* Fell through the fallback as well, so have nothing else to try. */
|
||||||
|
return( PSA_ERROR_NOT_SUPPORTED );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* Unknown key type */
|
/* Unknown key type */
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
return( PSA_ERROR_NOT_SUPPORTED );
|
||||||
}
|
}
|
||||||
|
|
||||||
return( status );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Calculate the intersection of two algorithm usage policies.
|
/** Calculate the intersection of two algorithm usage policies.
|
||||||
@ -1977,22 +1965,11 @@ static psa_status_t psa_finish_key_creation(
|
|||||||
else
|
else
|
||||||
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
|
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
|
||||||
{
|
{
|
||||||
size_t buffer_size =
|
/* Key material is saved in export representation in the slot, so
|
||||||
PSA_KEY_EXPORT_MAX_SIZE( slot->attr.type,
|
* just pass the slot buffer for storage. */
|
||||||
slot->attr.bits );
|
status = psa_save_persistent_key( &slot->attr,
|
||||||
uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
|
slot->data.key.data,
|
||||||
size_t length = 0;
|
slot->data.key.bytes );
|
||||||
if( buffer == NULL )
|
|
||||||
return( PSA_ERROR_INSUFFICIENT_MEMORY );
|
|
||||||
status = psa_internal_export_key( slot,
|
|
||||||
buffer, buffer_size, &length,
|
|
||||||
0 );
|
|
||||||
if( status == PSA_SUCCESS )
|
|
||||||
status = psa_save_persistent_key( &slot->attr,
|
|
||||||
buffer, length );
|
|
||||||
|
|
||||||
mbedtls_platform_zeroize( buffer, buffer_size );
|
|
||||||
mbedtls_free( buffer );
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
|
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
|
||||||
|
@ -81,9 +81,10 @@ int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key );
|
|||||||
* This function formats the key data and metadata and saves it to a
|
* This function formats the key data and metadata and saves it to a
|
||||||
* persistent storage backend. The storage location corresponding to the
|
* persistent storage backend. The storage location corresponding to the
|
||||||
* key slot must be empty, otherwise this function will fail. This function
|
* key slot must be empty, otherwise this function will fail. This function
|
||||||
* should be called after psa_import_key_into_slot() to ensure the
|
* should be called after loading the key into an internal slot to ensure the
|
||||||
* persistent key is not saved into a storage location corresponding to an
|
* persistent key is not saved into a storage location corresponding to an
|
||||||
* already occupied non-persistent key, as well as validating the key data.
|
* already occupied non-persistent key, as well as ensuring the key data is
|
||||||
|
* validated.
|
||||||
*
|
*
|
||||||
*
|
*
|
||||||
* \param[in] attr The attributes of the key to save.
|
* \param[in] attr The attributes of the key to save.
|
||||||
|
@ -106,6 +106,10 @@ psa_status_t test_transparent_generate_key(
|
|||||||
{
|
{
|
||||||
*key_length = bytes;
|
*key_length = bytes;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
memset( key, 0, bytes );
|
||||||
|
}
|
||||||
|
|
||||||
mbedtls_ecp_keypair_free( &ecp );
|
mbedtls_ecp_keypair_free( &ecp );
|
||||||
return( status );
|
return( status );
|
||||||
@ -146,7 +150,7 @@ psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attribute
|
|||||||
mbedtls_ecp_keypair ecp;
|
mbedtls_ecp_keypair ecp;
|
||||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||||
|
|
||||||
if( *bits == 0 )
|
if( psa_get_key_bits( attributes ) == 0 )
|
||||||
{
|
{
|
||||||
// Attempt auto-detect of curve bit size
|
// Attempt auto-detect of curve bit size
|
||||||
size_t curve_size = data_length;
|
size_t curve_size = data_length;
|
||||||
|
Loading…
Reference in New Issue
Block a user