From bf33c93717adbcc673839b19cc1eac18b543aec7 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Sat, 28 Nov 2020 18:06:53 +0100
Subject: [PATCH] psa: Call import software implementation as a driver
Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 50 ++++++++++++--------------
 library/psa_crypto_driver_wrappers.c | 52 ++++++++++++++++------------
 2 files changed, 53 insertions(+), 49 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 5463a5f1e9..6e80cec3dc 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -622,19 +622,6 @@ psa_status_t psa_import_key_into_slot(
 }
 else if( PSA_KEY_TYPE_IS_ASYMMETRIC( type ) )
 {
- status = psa_driver_wrapper_import_key( attributes,
- data, data_length,
- key_buffer,
- key_buffer_size,
- key_buffer_length,
- bits );
- if( status != PSA_ERROR_NOT_SUPPORTED )
- return( status );
-
- mbedtls_platform_zeroize( key_buffer, key_buffer_size );
-
- /* Key format is not supported by any accelerator, try software fallback
- * if present. */
 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
 if( PSA_KEY_TYPE_IS_ECC( type ) )
@@ -1865,16 +1852,23 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
 }
 else
 {
- status = psa_allocate_buffer_to_slot( slot, data_length );
- if( status != PSA_SUCCESS )
- goto exit;
+ /* In the case of a transparent key or an opaque key stored in local
+ * storage (thus not in the case of generating a key in a secure element
+ * or cryptoprocessor with storage), we have to allocate a buffer to
+ * hold the generated key material. */
+ if( slot->key.data == NULL )
+ {
+ status = psa_allocate_buffer_to_slot( slot, data_length );
+ if( status != PSA_SUCCESS )
+ goto exit;
+ }
 size_t bits = slot->attr.bits;
- status = psa_import_key_into_slot( attributes,
- data, data_length,
- slot->key.data,
- slot->key.bytes,
- &slot->key.bytes, &bits );
+ status = psa_driver_wrapper_import_key( attributes,
+ data, data_length,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits );
 if( status != PSA_SUCCESS )
 goto exit;
@@ -5191,16 +5185,18 @@ static psa_status_t psa_generate_derived_key_internal(
 if( status != PSA_SUCCESS )
 return( status );
+ slot->attr.bits = (psa_key_bits_t) bits;
 psa_key_attributes_t attributes = {
 .core = slot->attr
 };
- status = psa_import_key_into_slot( &attributes,
- data, bytes,
- slot->key.data, slot->key.bytes,
- &slot->key.bytes,
- &bits );
- slot->attr.bits = (psa_key_bits_t) bits;
+ status = psa_driver_wrapper_import_key( &attributes,
+ data, bytes,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits );
+ if( bits != slot->attr.bits )
+ status = PSA_ERROR_INVALID_ARGUMENT;
 exit:
 mbedtls_free( data );
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
index 0cc89fe7fb..fe54b7b970 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
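Review bot: The comment added above the `slot->key.data == NULL` check in `psa_import_key` talks about "generating a key" and "generated key material", but this is the import path, so it reads as carried over from the key-generation code; suggested wording: `/* Transparent keys and opaque keys held in local storage need a buffer in the slot for the imported key material; allocate one unless the slot already has it. */`. When the allocation is skipped, `slot->key.bytes` is passed as the buffer size and nothing in the hunk compares it with `data_length`, so it is worth confirming that every implementation reached through `psa_driver_wrapper_import_key` rejects an undersized buffer. The body of `psa_import_key` starts and ends outside the hunk.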
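Review bot: The size check added after the import in `psa_generate_derived_key_internal` runs even when `psa_driver_wrapper_import_key` has failed, so the error it returned is replaced by `PSA_ERROR_INVALID_ARGUMENT` whenever `bits` no longer matches; guarding it as `if( status == PSA_SUCCESS && bits != slot->attr.bits )` keeps the original status. `slot->attr.bits` is now assigned from `(psa_key_bits_t) bits` before the call, and the cast suggests a narrowing from `size_t`; any range check on `bits` is outside the hunk, so the later comparison may be against a truncated value. A short comment such as `/* The importer must report exactly the size requested by the derivation. */` above the check would explain why a mismatch is an error. The function begins before the hunk.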
@@ -418,30 +418,38 @@ psa_status_t psa_driver_wrapper_import_key(
 size_t *key_buffer_length,
 size_t *bits )
 {
-#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- /* Try accelerators in turn */
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- status = test_transparent_import_key( attributes,
- data, data_length,
- key_buffer, key_buffer_size,
- key_buffer_length, bits );
- /* Declared with fallback == true */
- if( status != PSA_ERROR_NOT_SUPPORTED )
- return( status );
-#endif /* PSA_CRYPTO_DRIVER_TEST */
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime( attributes ) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = test_transparent_import_key( attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length, bits );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ /* Fell through, meaning no accelerator supports this operation */
+ return( psa_import_key_into_slot( attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length, bits ) );
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
- return( PSA_ERROR_NOT_SUPPORTED );
-#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
- (void) attributes;
- (void) data;
- (void) data_length;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) key_buffer_length;
- (void) bits;
- return( PSA_ERROR_NOT_SUPPORTED );
-#endif /* PSA_CRYPTO_DRIVER_PRESENT */
 }
 psa_status_t psa_driver_wrapper_export_key(
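Review bot: The software fallback in the `PSA_KEY_LOCATION_LOCAL_STORAGE` case reuses `key_buffer` straight after `test_transparent_import_key` returns `PSA_ERROR_NOT_SUPPORTED`, whereas the code this commit removes from `psa_import_key_into_slot` called `mbedtls_platform_zeroize( key_buffer, key_buffer_size );` between the accelerator attempt and the fallback. Unless drivers are guaranteed not to write to the buffer before declining (not visible here), partially written key material can be left behind a shorter software import; restoring that wipe after `#endif /* PSA_CRYPTO_DRIVER_TEST */`, inside the accelerator `#if`, keeps the previous behaviour. The `default:` comment says "lifetime" although the switch is on the key location; `/* Key is declared with a location not known to us */` would match the code. The function's signature starts above the hunk.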