Merge pull request #6608 from mprse/ecjpake_password_fix

Make a copy of the password key in operation object while setting j-pake password
2025-07-30 22:43:08 +03:00 · 2022-11-22 14:52:12 +01:00
parent 339406daf9 0bdec19c93
commit 4f19d86e3f
6 changed files with 106 additions and 45 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -877,20 +877,7 @@ static psa_status_t psa_restrict_key_policy(
    return( PSA_SUCCESS );
 }

-/** Get the description of a key given its identifier and policy constraints
- *  and lock it.
- *
- * The key must have allow all the usage flags set in \p usage. If \p alg is
- * nonzero, the key must allow operations with this algorithm. If \p alg is
- * zero, the algorithm is not checked.
- *
- * In case of a persistent key, the function loads the description of the key
- * into a key slot if not already done.
- *
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
- */
-static psa_status_t psa_get_and_lock_key_slot_with_policy(
+psa_status_t psa_get_and_lock_key_slot_with_policy(
    mbedtls_svc_key_id_t key,
    psa_key_slot_t **p_slot,
    psa_key_usage_t usage,
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@ -183,6 +183,24 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
 }
 #endif

+/** Get the description of a key given its identifier and policy constraints
+ *  and lock it.
+ *
+ * The key must have allow all the usage flags set in \p usage. If \p alg is
+ * nonzero, the key must allow operations with this algorithm. If \p alg is
+ * zero, the algorithm is not checked.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot is locked. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ */
+psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key,
+                                                    psa_key_slot_t **p_slot,
+                                                    psa_key_usage_t usage,
+                                                    psa_algorithm_t alg );
+
 /** Completely wipe a slot in memory, including its policy.
 *
 * Persistent storage is not affected.
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@ -248,6 +248,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
    psa_key_attributes_t attributes = psa_key_attributes_init();
    psa_key_type_t type;
    psa_key_usage_t usage;
+    psa_key_slot_t *slot = NULL;

    if( operation->alg == PSA_ALG_NONE ||
        operation->state != PSA_PAKE_STATE_SETUP )
@ -273,7 +274,27 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
    if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
        return( PSA_ERROR_NOT_PERMITTED );

-    operation->password = password;
+    if( operation->password != NULL )
+        return( PSA_ERROR_BAD_STATE );
+
+    status = psa_get_and_lock_key_slot_with_policy( password, &slot,
+                                                    PSA_KEY_USAGE_DERIVE,
+                                                    PSA_ALG_JPAKE );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    operation->password = mbedtls_calloc( 1, slot->key.bytes );
+    if( operation->password == NULL )
+    {
+        psa_unlock_key_slot( slot );
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+    }
+    memcpy( operation->password, slot->key.data, slot->key.bytes );
+    operation->password_len = slot->key.bytes;
+
+    status = psa_unlock_key_slot( slot );
+    if( status != PSA_SUCCESS )
+        return( status );

    return( PSA_SUCCESS );
 }
@ -348,9 +369,7 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
 static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    mbedtls_ecjpake_role role;
-    psa_key_slot_t *slot = NULL;

    if( operation->role == PSA_PAKE_ROLE_CLIENT )
        role = MBEDTLS_ECJPAKE_CLIENT;
@ -359,22 +378,20 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
    else
        return( PSA_ERROR_BAD_STATE );

-    if( psa_is_valid_key_id( operation->password, 1 ) == 0 )
+    if( operation->password_len == 0 )
        return( PSA_ERROR_BAD_STATE );

-    status = psa_get_and_lock_key_slot( operation->password, &slot );
-    if( status != PSA_SUCCESS )
-        return( status );
-
-
    ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake,
                                 role,
                                 MBEDTLS_MD_SHA256,
                                 MBEDTLS_ECP_DP_SECP256R1,
-                                 slot->key.data, slot->key.bytes );
+                                 operation->password,
+                                 operation->password_len );

-    psa_unlock_key_slot( slot );
-    slot = NULL;
+    mbedtls_platform_zeroize( operation->password, operation->password_len );
+    mbedtls_free( operation->password );
+    operation->password = NULL;
+    operation->password_len = 0;

    if( ret != 0 )
        return( mbedtls_ecjpake_to_psa_error( ret ) );
@ -840,7 +857,11 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
    {
        operation->input_step = PSA_PAKE_STEP_INVALID;
        operation->output_step = PSA_PAKE_STEP_INVALID;
-        operation->password = MBEDTLS_SVC_KEY_ID_INIT;
+        if( operation->password_len > 0 )
+            mbedtls_platform_zeroize( operation->password, operation->password_len );
+        mbedtls_free( operation->password );
+        operation->password = NULL;
+        operation->password_len = 0;
        operation->role = PSA_PAKE_ROLE_NONE;
        mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE );
        operation->buffer_length = 0;