Merge pull request #257 from gilles-peskine-arm/psa-remove_zero_length_keys

Forbid zero-length keys
2025-07-29 11:41:15 +03:00 · 2019-09-19 13:07:41 +02:00
parent fc95b847af 89cc74f447
commit a291413a1e
6 changed files with 171 additions and 53 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -451,13 +451,6 @@ static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
    switch( type )
    {
        case PSA_KEY_TYPE_RAW_DATA:
-            if( bits == 0 )
-            {
-                raw->bytes = 0;
-                raw->data = NULL;
-                return( PSA_SUCCESS );
-            }
-            break;
 #if defined(MBEDTLS_MD_C)
        case PSA_KEY_TYPE_HMAC:
 #endif
@ -1281,6 +1274,12 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
    if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
        return( PSA_ERROR_INVALID_ARGUMENT );

+    /* Reject a zero-length output buffer now, since this can never be a
+     * valid key representation. This way we know that data must be a valid
+     * pointer and we can do things like memset(data, ..., data_size). */
+    if( data_size == 0 )
+        return( PSA_ERROR_BUFFER_TOO_SMALL );
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
    if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
    {
@ -1302,12 +1301,9 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
    {
        if( slot->data.raw.bytes > data_size )
            return( PSA_ERROR_BUFFER_TOO_SMALL );
-        if( data_size != 0 )
-        {
-            memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
-            memset( data + slot->data.raw.bytes, 0,
-                    data_size - slot->data.raw.bytes );
-        }
+        memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
+        memset( data + slot->data.raw.bytes, 0,
+                data_size - slot->data.raw.bytes );
        *data_length = slot->data.raw.bytes;
        return( PSA_SUCCESS );
    }
@ -1366,10 +1362,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
            }
            if( ret < 0 )
            {
-                /* If data_size is 0 then data may be NULL and then the
-                 * call to memset would have undefined behavior. */
-                if( data_size != 0 )
-                    memset( data, 0, data_size );
+                memset( data, 0, data_size );
                return( mbedtls_to_psa_error( ret ) );
            }
            /* The mbedtls_pk_xxx functions write to the end of the buffer.
@ -1676,7 +1669,7 @@ static psa_status_t psa_finish_key_creation(
                                         slot->attr.bits );
            uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
            size_t length = 0;
-            if( buffer == NULL && buffer_size != 0 )
+            if( buffer == NULL )
                return( PSA_ERROR_INSUFFICIENT_MEMORY );
            status = psa_internal_export_key( slot,
                                              buffer, buffer_size, &length,
@ -1685,8 +1678,7 @@ static psa_status_t psa_finish_key_creation(
                status = psa_save_persistent_key( &slot->attr,
                                                  buffer, length );

-            if( buffer_size != 0 )
-                mbedtls_platform_zeroize( buffer, buffer_size );
+            mbedtls_platform_zeroize( buffer, buffer_size );
            mbedtls_free( buffer );
        }
    }
@ -1826,6 +1818,12 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
    psa_key_slot_t *slot = NULL;
    psa_se_drv_table_entry_t *driver = NULL;

+    /* Reject zero-length symmetric keys (including raw data key objects).
+     * This also rejects any key which might be encoded as an empty string,
+     * which is never valid. */
+    if( data_length == 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
    status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
                                     handle, &slot, &driver );
    if( status != PSA_SUCCESS )
@ -1957,7 +1955,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
    buffer_size = PSA_KEY_EXPORT_MAX_SIZE( source->attr.type,
                                           psa_get_key_slot_bits( source ) );
    buffer = mbedtls_calloc( 1, buffer_size );
-    if( buffer == NULL && buffer_size != 0 )
+    if( buffer == NULL )
        return( PSA_ERROR_INSUFFICIENT_MEMORY );
    status = psa_internal_export_key( source, buffer, buffer_size, &length, 0 );
    if( status != PSA_SUCCESS )
@ -1966,8 +1964,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
    status = psa_import_key_into_slot( target, buffer, length );

 exit:
-    if( buffer_size != 0 )
-        mbedtls_platform_zeroize( buffer, buffer_size );
+    mbedtls_platform_zeroize( buffer, buffer_size );
    mbedtls_free( buffer );
    return( status );
 }
@ -3194,8 +3191,8 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
    if( status != PSA_SUCCESS )
        return( status );

-    if( signature_length < mbedtls_rsa_get_len( rsa ) )
-        return( PSA_ERROR_BUFFER_TOO_SMALL );
+    if( signature_length != mbedtls_rsa_get_len( rsa ) )
+        return( PSA_ERROR_INVALID_SIGNATURE );

 #if defined(MBEDTLS_PKCS1_V15)
    if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
@ -3350,6 +3347,12 @@ psa_status_t psa_asymmetric_sign( psa_key_handle_t handle,
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */

    *signature_length = signature_size;
+    /* Immediately reject a zero-length signature buffer. This guarantees
+     * that signature must be a valid pointer. (On the other hand, the hash
+     * buffer can in principle be empty since it doesn't actually have
+     * to be a hash.) */
+    if( signature_size == 0 )
+        return( PSA_ERROR_BUFFER_TOO_SMALL );

    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_SIGN, alg );
    if( status != PSA_SUCCESS )
@ -3425,7 +3428,7 @@ exit:
    if( status == PSA_SUCCESS )
        memset( signature + *signature_length, '!',
                signature_size - *signature_length );
-    else if( signature_size != 0 )
+    else
        memset( signature, '!', signature_size );
    /* If signature_size is 0 then we have nothing to do. We must not call
     * memset because signature may be NULL in this case. */
@ -4778,6 +4781,12 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut
    psa_status_t status;
    psa_key_slot_t *slot = NULL;
    psa_se_drv_table_entry_t *driver = NULL;
+
+    /* Reject any attempt to create a zero-length key so that we don't
+     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+    if( psa_get_key_bits( attributes ) == 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
    status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE,
                                     attributes, handle, &slot, &driver );
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@ -5512,6 +5521,11 @@ psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
    psa_key_slot_t *slot = NULL;
    psa_se_drv_table_entry_t *driver = NULL;

+    /* Reject any attempt to create a zero-length key so that we don't
+     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+    if( psa_get_key_bits( attributes ) == 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
    status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE,
                                     attributes, handle, &slot, &driver );
    if( status != PSA_SUCCESS )