Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rework PSA Crypto core to store keys in export representation #3492

Merged
merged 16 commits into from
Aug 5, 2020
Merged

Rework PSA Crypto core to store keys in export representation #3492

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
71fd80d
Re-define members of psa_key_slot_t
stevew817 Jul 7, 2020
81be2fa
Pull apart slot memory allocation from key validation.
stevew817 Jul 24, 2020
a01795d
Remove RSA internal representation from key slot
stevew817 Jul 24, 2020
acda834
Remove ECP internal representation from key slot
stevew817 Jul 24, 2020
560c28a
Unify key handling logic
stevew817 Jul 24, 2020
19fd574
Disconnect knowing about a PSA key type from knowing the mbedTLS API
stevew817 Jul 24, 2020
75b7436
Update after feedback on #3492
stevew817 Jul 28, 2020
a2371e5
Update after feedback from #3492
stevew817 Jul 28, 2020
6d839f0
Cleanup
stevew817 Jul 30, 2020
7f39187
Convert load_xxx_representation to take buffers instead of a whole slot
stevew817 Jul 30, 2020
3fa684e
Allow importing Montgomery public keys in PSA Crypto
stevew817 Jul 30, 2020
4fed455
Apply review feedback
stevew817 Aug 3, 2020
2914986
Style fixes
stevew817 Aug 5, 2020
fd4d69a
Simplified key slot deletion
stevew817 Aug 5, 2020
b7f6dea
Add buffer zeroization when ecp_write_key fails
stevew817 Aug 5, 2020
d486787
Initialize key pointer in ecdh to NULL
stevew817 Aug 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
64 changes: 44 additions & 20 deletions library/psa_crypto.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -441,9 +441,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
}
#endif /* defined(MBEDTLS_ECP_C) */

static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
size_t bits,
struct key_data *key )
static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
size_t bits )
{
/* Check that the bit size is acceptable for the key type */
switch( type )
Expand Down Expand Up @@ -490,14 +489,6 @@ static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
if( bits % 8 != 0 )
return( PSA_ERROR_INVALID_ARGUMENT );

/* Allocate memory for the key */
key->bytes = PSA_BITS_TO_BYTES( bits );
key->data = mbedtls_calloc( 1, key->bytes );
if( key->data == NULL )
{
key->bytes = 0;
return( PSA_ERROR_INSUFFICIENT_MEMORY );
}
return( PSA_SUCCESS );
}

Expand Down Expand Up @@ -740,22 +731,42 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
{
psa_status_t status = PSA_SUCCESS;

/* zero-length keys are never supported. */
if( data_length == 0 )
ronald-cron-arm marked this conversation as resolved.
Show resolved Hide resolved
return( PSA_ERROR_NOT_SUPPORTED );

/* Ensure that the bytes-to-bit conversion never overflows. */
if( data_length > SIZE_MAX / 8 )
ronald-cron-arm marked this conversation as resolved.
Show resolved Hide resolved
return( PSA_ERROR_NOT_SUPPORTED );

if( key_type_is_raw_bytes( slot->attr.type ) )
{
size_t bit_size = PSA_BYTES_TO_BITS( data_length );
/* Ensure that the bytes-to-bit conversion didn't overflow. */
if( data_length > SIZE_MAX / 8 )
return( PSA_ERROR_NOT_SUPPORTED );

/* Enforce a size limit, and in particular ensure that the bit
* size fits in its representation type. */
if( bit_size > PSA_MAX_KEY_BITS )
return( PSA_ERROR_NOT_SUPPORTED );
status = prepare_raw_data_slot( slot->attr.type, bit_size,
&slot->data.key );

status = validate_unstructured_key_bit_size( slot->attr.type, bit_size );
if( status != PSA_SUCCESS )
return( status );
if( data_length != 0 )
memcpy( slot->data.key.data, data, data_length );
return status;

/* Allocate memory for the key */
ronald-cron-arm marked this conversation as resolved.
Show resolved Hide resolved
slot->data.key.data = mbedtls_calloc( 1, data_length );
if( slot->data.key.data == NULL )
{
return( PSA_ERROR_INSUFFICIENT_MEMORY );
}
slot->data.key.bytes = data_length;

/* copy key into allocated buffer */
memcpy(slot->data.key.data, data, data_length);

/* Write the actual key size to the slot.
* psa_start_key_creation() wrote the size declared by the
* caller, which may be 0 (meaning unspecified) or wrong. */
slot->attr.bits = (psa_key_bits_t) bit_size;
}
else
#if defined(MBEDTLS_ECP_C)
Expand Down Expand Up @@ -5525,13 +5536,26 @@ static psa_status_t psa_generate_key_internal(
if( key_type_is_raw_bytes( type ) )
{
psa_status_t status;
status = prepare_raw_data_slot( type, bits, &slot->data.key );

status = validate_unstructured_key_bit_size( slot->attr.type, bits );
if( status != PSA_SUCCESS )
return( status );

/* Allocate memory for the key */
slot->data.key.bytes = PSA_BITS_TO_BYTES( bits );
slot->data.key.data = mbedtls_calloc( 1, slot->data.key.bytes );
if( slot->data.key.data == NULL )
{
slot->data.key.bytes = 0;
return( PSA_ERROR_INSUFFICIENT_MEMORY );
}

status = psa_generate_random( slot->data.key.data,
slot->data.key.bytes );
if( status != PSA_SUCCESS )
return( status );

slot->attr.bits = (psa_key_bits_t) bits;
#if defined(MBEDTLS_DES_C)
if( type == PSA_KEY_TYPE_DES )
psa_des_set_key_parity( slot->data.key.data,
Expand Down