mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-02 05:24:20 +01:00
Forbid volatile key identifiers for non volatile keys
Volatile key identifiers in the vendor range are reserved to volatile keys thus don't allow them for persistent keys when creating a key. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
parent
f67aefed3f
commit
fc9c556127
@ -1792,7 +1792,7 @@ static psa_status_t psa_validate_key_attributes(
|
|||||||
{
|
{
|
||||||
status = psa_validate_key_id(
|
status = psa_validate_key_id(
|
||||||
psa_get_key_id( attributes ),
|
psa_get_key_id( attributes ),
|
||||||
psa_key_lifetime_is_external( lifetime ) );
|
psa_key_lifetime_is_external( lifetime ), 0 );
|
||||||
|
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
return( status );
|
return( status );
|
||||||
|
@ -51,7 +51,8 @@ typedef struct
|
|||||||
|
|
||||||
static psa_global_data_t global_data;
|
static psa_global_data_t global_data;
|
||||||
|
|
||||||
psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )
|
psa_status_t psa_validate_key_id(
|
||||||
|
mbedtls_svc_key_id_t key, int vendor_ok, int volatile_ok )
|
||||||
{
|
{
|
||||||
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
|
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
|
||||||
|
|
||||||
@ -61,7 +62,12 @@ psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )
|
|||||||
|
|
||||||
if( vendor_ok &&
|
if( vendor_ok &&
|
||||||
( PSA_KEY_ID_VENDOR_MIN <= key_id ) &&
|
( PSA_KEY_ID_VENDOR_MIN <= key_id ) &&
|
||||||
( key_id <= PSA_KEY_ID_VENDOR_MAX ) )
|
( key_id < PSA_KEY_ID_VOLATILE_MIN ) )
|
||||||
|
return( PSA_SUCCESS );
|
||||||
|
|
||||||
|
if( volatile_ok &&
|
||||||
|
( PSA_KEY_ID_VOLATILE_MIN <= key_id ) &&
|
||||||
|
( key_id <= PSA_KEY_ID_VOLATILE_MAX ) )
|
||||||
return( PSA_SUCCESS );
|
return( PSA_SUCCESS );
|
||||||
|
|
||||||
return( PSA_ERROR_INVALID_HANDLE );
|
return( PSA_ERROR_INVALID_HANDLE );
|
||||||
@ -191,7 +197,7 @@ psa_status_t psa_get_key_slot( mbedtls_svc_key_id_t key,
|
|||||||
if( ! global_data.key_slots_initialized )
|
if( ! global_data.key_slots_initialized )
|
||||||
return( PSA_ERROR_BAD_STATE );
|
return( PSA_ERROR_BAD_STATE );
|
||||||
|
|
||||||
status = psa_validate_key_id( key, 1 );
|
status = psa_validate_key_id( key, 1, 1 );
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
return( status );
|
return( status );
|
||||||
|
|
||||||
|
@ -157,11 +157,15 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime );
|
|||||||
*
|
*
|
||||||
* \param[in] key The key identifier.
|
* \param[in] key The key identifier.
|
||||||
* \param[in] vendor_ok Non-zero to indicate that key identifiers in the
|
* \param[in] vendor_ok Non-zero to indicate that key identifiers in the
|
||||||
* vendor range are allowed, \c 0 otherwise.
|
* vendor range are allowed, volatile key identifiers
|
||||||
|
* excepted \c 0 otherwise.
|
||||||
|
* \param[in] volatile_ok Non-zero to indicate that volatile key identifiers
|
||||||
|
* are allowed \c 0 otherwise.
|
||||||
*
|
*
|
||||||
* \retval #PSA_SUCCESS The identifier is valid.
|
* \retval #PSA_SUCCESS The identifier is valid.
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
|
* \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
|
||||||
*/
|
*/
|
||||||
psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok );
|
psa_status_t psa_validate_key_id(
|
||||||
|
mbedtls_svc_key_id_t key, int vendor_ok, int volatile_ok );
|
||||||
|
|
||||||
#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
|
#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
|
||||||
|
@ -150,8 +150,17 @@ register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:-1:PSA_ERROR_NOT_SUPPORT
|
|||||||
Key registration: key id out of range
|
Key registration: key id out of range
|
||||||
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX+1:-1:PSA_ERROR_INVALID_HANDLE
|
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX+1:-1:PSA_ERROR_INVALID_HANDLE
|
||||||
|
|
||||||
Key registration: key id in vendor range
|
Key registration: key id min vendor
|
||||||
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX:1:PSA_SUCCESS
|
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MIN:1:PSA_SUCCESS
|
||||||
|
|
||||||
|
Key registration: key id max vendor except volatile
|
||||||
|
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN-1:1:PSA_SUCCESS
|
||||||
|
|
||||||
|
Key registration: key id min volatile
|
||||||
|
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN:1:PSA_ERROR_INVALID_HANDLE
|
||||||
|
|
||||||
|
Key registration: key id max volatile
|
||||||
|
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MAX:1:PSA_ERROR_INVALID_HANDLE
|
||||||
|
|
||||||
Import-sign-verify: sign in driver, ECDSA
|
Import-sign-verify: sign in driver, ECDSA
|
||||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
#include "psa/crypto_se_driver.h"
|
#include "psa/crypto_se_driver.h"
|
||||||
|
|
||||||
#include "psa_crypto_se.h"
|
#include "psa_crypto_se.h"
|
||||||
|
#include "psa_crypto_slot_management.h"
|
||||||
#include "psa_crypto_storage.h"
|
#include "psa_crypto_storage.h"
|
||||||
|
|
||||||
/* Invasive peeking: check the persistent data */
|
/* Invasive peeking: check the persistent data */
|
||||||
|
Loading…
Reference in New Issue
Block a user