mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 03:15:43 +01:00
Split persistence and key id validation
With key usage based on key identifiers and not key handles (openless APIs), volatile keys will also have a key identifier. Thus, isolate key identifier validation from key persistence validation to clarify that key identifiers are not specific to persistent keys. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
parent
a455e71588
commit
d2ed4815da
@ -1776,17 +1776,28 @@ static psa_status_t psa_validate_key_attributes(
|
|||||||
psa_se_drv_table_entry_t **p_drv )
|
psa_se_drv_table_entry_t **p_drv )
|
||||||
{
|
{
|
||||||
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
|
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
|
||||||
|
psa_key_lifetime_t lifetime = psa_get_key_lifetime( attributes );
|
||||||
|
|
||||||
status = psa_validate_key_location( psa_get_key_lifetime( attributes ),
|
status = psa_validate_key_location( psa_get_key_lifetime( attributes ),
|
||||||
p_drv );
|
p_drv );
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
return( status );
|
return( status );
|
||||||
|
|
||||||
status = psa_validate_key_persistence( psa_get_key_lifetime( attributes ),
|
status = psa_validate_key_persistence( lifetime );
|
||||||
psa_get_key_id( attributes ) );
|
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
return( status );
|
return( status );
|
||||||
|
|
||||||
|
/* Validate the key identifier only in the case of a persistent key. */
|
||||||
|
if ( ! PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
|
||||||
|
{
|
||||||
|
status = psa_validate_key_id(
|
||||||
|
psa_get_key_id( attributes ),
|
||||||
|
psa_key_lifetime_is_external( lifetime ) );
|
||||||
|
|
||||||
|
if( status != PSA_SUCCESS )
|
||||||
|
return( status );
|
||||||
|
}
|
||||||
|
|
||||||
status = psa_validate_key_policy( &attributes->core.policy );
|
status = psa_validate_key_policy( &attributes->core.policy );
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
return( status );
|
return( status );
|
||||||
|
@ -51,6 +51,22 @@ typedef struct
|
|||||||
|
|
||||||
static psa_global_data_t global_data;
|
static psa_global_data_t global_data;
|
||||||
|
|
||||||
|
psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )
|
||||||
|
{
|
||||||
|
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
|
||||||
|
|
||||||
|
if( ( PSA_KEY_ID_USER_MIN <= key_id ) &&
|
||||||
|
( key_id <= PSA_KEY_ID_USER_MAX ) )
|
||||||
|
return( PSA_SUCCESS );
|
||||||
|
|
||||||
|
if( vendor_ok &&
|
||||||
|
( PSA_KEY_ID_VENDOR_MIN <= key_id ) &&
|
||||||
|
( key_id <= PSA_KEY_ID_VENDOR_MAX ) )
|
||||||
|
return( PSA_SUCCESS );
|
||||||
|
|
||||||
|
return( PSA_ERROR_INVALID_ARGUMENT );
|
||||||
|
}
|
||||||
|
|
||||||
/* Access a key slot at the given handle. The handle of a key slot is
|
/* Access a key slot at the given handle. The handle of a key slot is
|
||||||
* the index of the slot in the global slot array, plus one so that handles
|
* the index of the slot in the global slot array, plus one so that handles
|
||||||
* start at 1 and not 0. */
|
* start at 1 and not 0. */
|
||||||
@ -150,31 +166,6 @@ exit:
|
|||||||
psa_free_persistent_key_data( key_data, key_data_length );
|
psa_free_persistent_key_data( key_data, key_data_length );
|
||||||
return( status );
|
return( status );
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Check whether a key identifier is acceptable.
|
|
||||||
*
|
|
||||||
* For backward compatibility, key identifiers that were valid in a
|
|
||||||
* past released version must remain valid, unless a migration path
|
|
||||||
* is provided.
|
|
||||||
*
|
|
||||||
* \param key The key identifier to check.
|
|
||||||
* \param vendor_ok Nonzero to allow key ids in the vendor range.
|
|
||||||
* 0 to allow only key ids in the application range.
|
|
||||||
*
|
|
||||||
* \return 1 if \p key is acceptable, otherwise 0.
|
|
||||||
*/
|
|
||||||
static int psa_is_key_id_valid( mbedtls_svc_key_id_t key, int vendor_ok )
|
|
||||||
{
|
|
||||||
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
|
|
||||||
if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX )
|
|
||||||
return( 1 );
|
|
||||||
else if( vendor_ok &&
|
|
||||||
PSA_KEY_ID_VENDOR_MIN <= key_id &&
|
|
||||||
key_id <= PSA_KEY_ID_VENDOR_MAX )
|
|
||||||
return( 1 );
|
|
||||||
else
|
|
||||||
return( 0 );
|
|
||||||
}
|
|
||||||
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
|
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
|
||||||
|
|
||||||
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
|
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
|
||||||
@ -202,8 +193,7 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
|
|||||||
return( PSA_SUCCESS );
|
return( PSA_SUCCESS );
|
||||||
}
|
}
|
||||||
|
|
||||||
psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
|
psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime )
|
||||||
mbedtls_svc_key_id_t key )
|
|
||||||
{
|
{
|
||||||
if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
|
if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
|
||||||
{
|
{
|
||||||
@ -214,13 +204,8 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
|
|||||||
{
|
{
|
||||||
/* Persistent keys require storage support */
|
/* Persistent keys require storage support */
|
||||||
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
|
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
|
||||||
if( psa_is_key_id_valid( key,
|
return( PSA_SUCCESS );
|
||||||
psa_key_lifetime_is_external( lifetime ) ) )
|
|
||||||
return( PSA_SUCCESS );
|
|
||||||
else
|
|
||||||
return( PSA_ERROR_INVALID_ARGUMENT );
|
|
||||||
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
|
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
|
||||||
(void) key;
|
|
||||||
return( PSA_ERROR_NOT_SUPPORTED );
|
return( PSA_ERROR_NOT_SUPPORTED );
|
||||||
#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
|
#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
|
||||||
}
|
}
|
||||||
@ -234,8 +219,9 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
|
|||||||
|
|
||||||
*handle = 0;
|
*handle = 0;
|
||||||
|
|
||||||
if( ! psa_is_key_id_valid( key, 1 ) )
|
status = psa_validate_key_id( key, 1 );
|
||||||
return( PSA_ERROR_INVALID_ARGUMENT );
|
if( status != PSA_SUCCESS )
|
||||||
|
return( status );
|
||||||
|
|
||||||
status = psa_get_empty_key_slot( handle, &slot );
|
status = psa_get_empty_key_slot( handle, &slot );
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
|
@ -108,18 +108,25 @@ static inline int psa_key_lifetime_is_external( psa_key_lifetime_t lifetime )
|
|||||||
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
|
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
|
||||||
psa_se_drv_table_entry_t **p_drv );
|
psa_se_drv_table_entry_t **p_drv );
|
||||||
|
|
||||||
/** Validate that a key's persistence attributes are valid.
|
/** Validate the persistence of a key.
|
||||||
*
|
|
||||||
* This function checks whether a key's declared persistence level and key ID
|
|
||||||
* attributes are valid and known to the PSA Core in its actual configuration.
|
|
||||||
*
|
*
|
||||||
* \param[in] lifetime The key lifetime attribute.
|
* \param[in] lifetime The key lifetime attribute.
|
||||||
* \param[in] key The key identifier.
|
|
||||||
*
|
*
|
||||||
* \retval #PSA_SUCCESS
|
* \retval #PSA_SUCCESS
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
* \retval #PSA_ERROR_INVALID_ARGUMENT The key is persistent but persistent
|
||||||
|
* keys are not supported.
|
||||||
*/
|
*/
|
||||||
psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
|
psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime );
|
||||||
mbedtls_svc_key_id_t key );
|
|
||||||
|
/** Validate a key identifier.
|
||||||
|
*
|
||||||
|
* \param[in] key The key identifier.
|
||||||
|
* \param[in] vendor_ok Non-zero to indicate that key identifiers in the
|
||||||
|
* vendor range are allowed, \c 0 otherwise.
|
||||||
|
*
|
||||||
|
* \retval #PSA_SUCCESS The identifier is valid.
|
||||||
|
* \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
|
||||||
|
*/
|
||||||
|
psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok );
|
||||||
|
|
||||||
#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
|
#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
|
||||||
|
Loading…
Reference in New Issue
Block a user