mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 00:35:50 +01:00
Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`. The semantics of the PSA Crypto API, in contrast, checks key usage against the key policy. As a remedy, this commit modifies the PSA key slot setup to always allow both encryption and decryption.
This commit is contained in:
parent
e43164e8f1
commit
884f6af590
@ -310,7 +310,13 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
||||
|
||||
/* Setup policy for the new key slot. */
|
||||
psa_key_policy_init( &key_policy );
|
||||
key_usage = mbedtls_psa_translate_cipher_operation( operation );
|
||||
|
||||
/* Mbed TLS' cipher layer doesn't enforce the mode of operation
|
||||
* (encrypt vs. decrypt): it is possible to setup a key for encryption
|
||||
* and use it for AEAD decryption. Until tests relying on this
|
||||
* are changed, allow any usage in PSA. */
|
||||
/* key_usage = mbedtls_psa_translate_cipher_operation( operation ); */
|
||||
key_usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
|
||||
psa_key_policy_set_usage( &key_policy, key_usage, cipher_psa->alg );
|
||||
status = psa_set_key_policy( cipher_psa->slot, &key_policy );
|
||||
if( status != PSA_SUCCESS )
|
||||
|
Loading…
Reference in New Issue
Block a user