diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 906e9b4579..bcbaa3d68a 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1991,18 +1991,6 @@ exit:
 }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
- psa_key_slot_t *target )
-{
- psa_status_t status = psa_copy_key_material_into_slot( target,
- source->key.data,
- source->key.bytes );
- if( status != PSA_SUCCESS )
- return( status );
-
- return( PSA_SUCCESS );
-}
-
 psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
 const psa_key_attributes_t *specified_attributes,
 mbedtls_svc_key_id_t *target_key )
@@ -2027,13 +2015,13 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
 if( status != PSA_SUCCESS )
 goto exit;
- /* The actual attributes that we received from the user could have
- * zero values for key bits and type.These optional attributes
- * have been validated and so it is safe to inherit these
- * from the source key.
+ /* The target key type and number of bits have been validated by
+ * psa_validate_optional_attributes() to be either equal to zero or
+ * equal to the ones of the source key. So it is safe to inherit
+ * them from the source key now."
 * */
- actual_attributes.core.bits = source_slot->attr.bits;
- actual_attributes.core.type = source_slot->attr.type;
+ actual_attributes.core.bits = source_slot->attr.bits;
+ actual_attributes.core.type = source_slot->attr.type;
 status = psa_restrict_key_policy( source_slot->attr.type,
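Review bot: The rewritten comment in the second hunk ends with a stray double quote, `* them from the source key now."`, which reads like a paste artefact; drop it so the line is ` * them from the source key now.`. The two `actual_attributes.core.*` assignments beneath it are removed and re-added with identical text, so that part of the hunk appears to be whitespace-only. psa_copy_key's body continues outside the hunk.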
@@ -2050,7 +2038,7 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
 PSA_KEY_LIFETIME_GET_LOCATION( source_slot->attr.lifetime ) )
 {
 /*
- * If the source and target keys are stored across different locations,
+ * If the source and target keys are stored in different locations,
 * the source key would need to be exported as plaintext and re-imported
 * in the other location. This has security implications which have not
 * been fully mapped. For now, this can be achieved through
@@ -2087,7 +2075,9 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
 }
 else
 {
- status = psa_copy_key_material( source_slot, target_slot );
+ status = psa_copy_key_material_into_slot( target_slot,
+ source_slot->key.data,
+ source_slot->key.bytes );
 if( status != PSA_SUCCESS )
 goto exit;
 }
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
index 00c17063af..4123d8a560 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@@ -785,7 +785,7 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
 psa_status_t psa_driver_wrapper_copy_key(
 psa_key_attributes_t *attributes,
- const uint8_t *source_key, size_t source_key_size,
+ const uint8_t *source_key, size_t source_key_length,
 uint8_t *target_key_buffer, size_t target_key_buffer_size,
 size_t *target_key_buffer_length )
 {
@@ -793,13 +793,24 @@ psa_status_t psa_driver_wrapper_copy_key(
 psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ {
+ /* Copying to a secure element is not implemented yet. */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 switch( location )
 {
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
 case PSA_CRYPTO_TEST_DRIVER_LOCATION:
 return( mbedtls_test_opaque_copy_key( attributes, source_key,
- source_key_size,
+ source_key_length,
 target_key_buffer,
 target_key_buffer_size,
 target_key_buffer_length) );
@@ -807,7 +818,7 @@ psa_status_t psa_driver_wrapper_copy_key(
 #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
 default:
 (void)source_key;
- (void)source_key_size;
+ (void)source_key_length;
 (void)target_key_buffer;
 (void)target_key_buffer_size;
 (void)target_key_buffer_length;
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index c186228fa0..c6e3d51a39 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -102,7 +102,7 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
 psa_status_t psa_driver_wrapper_copy_key(
 psa_key_attributes_t *attributes,
- const uint8_t *source_key, size_t source_key_size,
+ const uint8_t *source_key, size_t source_key_length,
 uint8_t *target_key_buffer, size_t target_key_buffer_size,
 size_t *target_key_buffer_length );
 /*
diff --git a/tests/include/test/drivers/key_management.h b/tests/include/test/drivers/key_management.h
index 16ee0b2160..d147568cdc 100644
--- a/tests/include/test/drivers/key_management.h
+++ b/tests/include/test/drivers/key_management.h
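Review bot: In the new MBEDTLS_PSA_CRYPTO_SE_C block, `drv` and `drv_context` exist only to satisfy psa_get_se_driver()'s output parameters and are never read afterwards; the call is used purely as a yes/no test. If psa_get_se_driver() tolerates NULL for outputs the caller does not want (I cannot confirm that from this hunk), the two declarations can go and the call becomes `if( psa_get_se_driver( attributes->core.lifetime, NULL, NULL ) )`; otherwise a short comment such as `/* Only the presence of a driver matters here; drv/drv_context are unused. */` would save the next reader the same question. Note that the check runs before `switch( location )`, so it applies regardless of which location case would otherwise be taken; the function's header is outside the hunk.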
@@ -115,7 +115,7 @@ psa_status_t mbedtls_test_opaque_get_builtin_key(
 psa_status_t mbedtls_test_opaque_copy_key(
 psa_key_attributes_t *attributes,
 const uint8_t *source_key,
- size_t source_key_size,
+ size_t source_key_length,
 uint8_t *target_key_buffer,
 size_t target_key_buffer_size,
 size_t *target_key_buffer_length);
diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c
index 2683edcd8c..61ebc8aa1a 100644
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@@ -75,7 +75,7 @@ size_t mbedtls_test_opaque_size_function(
 key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE( key_type, key_bits );
 if( key_buffer_size == 0 )
- return( key_buffer_size );
+ return( 0 );
 /* Include spacing for base size overhead over the key size * */
 key_buffer_size += TEST_DRIVER_KEY_CONTEXT_BASE_SIZE;
@@ -109,7 +109,7 @@ static psa_status_t mbedtls_test_opaque_wrap_key(
 return( PSA_ERROR_BUFFER_TOO_SMALL );
 /* Write in the opaque pad prefix */
- memcpy( wrapped_key_buffer, &prefix, opaque_key_base_size);
+ memcpy( wrapped_key_buffer, &prefix, opaque_key_base_size );
 wrapped_key_buffer += opaque_key_base_size;
 *wrapped_key_buffer_length = key_length + opaque_key_base_size;
@@ -136,7 +136,12 @@ static psa_status_t mbedtls_test_opaque_unwrap_key(
 {
 /* Remove the pad prefix from the wrapped key */
 size_t opaque_key_base_size = mbedtls_test_opaque_get_base_size();
- size_t clear_key_size = wrapped_key_length - opaque_key_base_size;
+ size_t clear_key_size;
+
+ /* Check for underflow */
+ if( wrapped_key_length < opaque_key_base_size )
+ return( PSA_ERROR_DATA_CORRUPT );
+ clear_key_size = wrapped_key_length - opaque_key_base_size;
 wrapped_key += opaque_key_base_size;
 if( clear_key_size > key_buffer_size )
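Review bot: The new guard in mbedtls_test_opaque_unwrap_key is the right fix, but its comment `/* Check for underflow */` names the arithmetic hazard rather than the contract being enforced, and since the function header is outside the hunk a reader lands on it cold. Suggest `/* Every wrapped key starts with the opaque prefix written by the wrap step, so anything shorter is malformed; reject it before the subtraction below can wrap around. */`. The rest of mbedtls_test_opaque_unwrap_key, including the `clear_key_size > key_buffer_size` check that follows, is outside the hunk.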
@@ -281,11 +286,14 @@ psa_status_t mbedtls_test_opaque_import_key(
 {
 *bits = PSA_BYTES_TO_BITS( data_length );
- status = psa_validate_unstructured_key_bit_size( attributes->core.type,
+ status = psa_validate_unstructured_key_bit_size( type,
 *bits );
 if( status != PSA_SUCCESS )
 goto exit;
+ if( data_length > key_buffer_size )
+ return( PSA_ERROR_BUFFER_TOO_SMALL );
+
 /* Copy the key material accounting for opaque key padding. */
 memcpy( key_buffer_temp, data, data_length );
 *key_buffer_length = data_length;
@@ -327,7 +335,7 @@ psa_status_t mbedtls_test_opaque_import_key(
 status = mbedtls_test_opaque_wrap_key( key_buffer_temp, *key_buffer_length, key_buffer, key_buffer_size, key_buffer_length );
 exit:
- free( key_buffer_temp );
+ mbedtls_free( key_buffer_temp );
 return( status );
 }
@@ -395,21 +403,15 @@ psa_status_t mbedtls_test_opaque_export_key(
 {
 /* This buffer will be used as an intermediate placeholder for
 * the opaque key till we unwrap the key into key_buffer */
- uint8_t *key_buffer_temp;
- size_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 psa_key_type_t type = psa_get_key_type( attributes );
 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) ||
 PSA_KEY_TYPE_IS_RSA( type ) ||
 PSA_KEY_TYPE_IS_ECC( type ) )
 {
- key_buffer_temp = mbedtls_calloc( 1, key_length );
- if( key_buffer_temp == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
- memcpy( key_buffer_temp, key, key_length );
- status = mbedtls_test_opaque_unwrap_key( key_buffer_temp, key_length,
+ status = mbedtls_test_opaque_unwrap_key( key, key_length,
 data, data_size, data_length );
- mbedtls_free( key_buffer_temp );
 return( status );
 }
 }
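Review bot: The new `if( data_length > key_buffer_size ) return( PSA_ERROR_BUFFER_TOO_SMALL );` in mbedtls_test_opaque_import_key leaves through a bare return, while the check right above it uses `goto exit`, and the `exit:` label in the next hunk frees `key_buffer_temp`; if the temp buffer is already allocated at this point — the memcpy into it on the following line suggests it is — the early return leaks it. Route it through the function's existing error path: `status = PSA_ERROR_BUFFER_TOO_SMALL;` followed by `goto exit;`. It is also worth confirming that `key_buffer_size` is the intended bound here, since the copy on the next line targets `key_buffer_temp` rather than `key_buffer`, and the wrap into `key_buffer` later in the function does its own size check. The function starts and ends outside the hunk.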
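Review bot: The comment kept at the top of the mbedtls_test_opaque_export_key hunk, `/* This buffer will be used as an intermediate placeholder for the opaque key till we unwrap the key into key_buffer */`, describes `key_buffer_temp`, which this hunk deletes, so it is now stale and misleading; either drop it or replace it with `/* Unwrap the opaque key straight from the caller's buffer into data. */`. Changing `status` from `size_t` to `psa_status_t` is a genuine fix rather than cosmetics, since PSA error codes are negative and did not fit the unsigned declaration; a short comment is not needed, but the commit message should mention it. The rest of the function is outside the hunk.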
@@ -614,7 +616,7 @@ psa_status_t mbedtls_test_opaque_get_builtin_key(
 psa_status_t mbedtls_test_opaque_copy_key(
 psa_key_attributes_t *attributes,
- const uint8_t *source_key_buffer, size_t source_key_buffer_size,
+ const uint8_t *source_key, size_t source_key_length,
 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
 {
 /* This is a case where the opaque test driver emulates an SE without storage.
@@ -623,10 +625,11 @@ psa_status_t mbedtls_test_opaque_copy_key(
 * copied keys. This could change when the opaque test driver is extended
 * to support SE with storage, or to emulate an SE without storage but
 * still holding some slot references */
- if( source_key_buffer_size > key_buffer_size )
+ if( source_key_length > key_buffer_size )
 return( PSA_ERROR_BUFFER_TOO_SMALL );
- memcpy( key_buffer, source_key_buffer, source_key_buffer_size );
- *key_buffer_length = source_key_buffer_size;
+
+ memcpy( key_buffer, source_key, source_key_length );
+ *key_buffer_length = source_key_length;
 (void)attributes;
 return( PSA_SUCCESS );
 }
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 2b5727345d..01e5d5939b 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -564,18 +564,18 @@ void import_export( data_t *data,
 {
 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT;
 PSA_ASSERT( psa_import_key( &attributes, exported, exported_length,
- &key2 ) );
+ &key2 ) );
 PSA_ASSERT( psa_export_key( key2,
- reexported,
- export_size,
- &reexported_length ) );
+ reexported,
+ export_size,
+ &reexported_length ) );
 ASSERT_COMPARE( exported, exported_length, reexported, reexported_length );
 PSA_ASSERT( psa_destroy_key( key2 ) );
 }
 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_OUTPUT_SIZE( type,
- psa_get_key_bits( &got_attributes ) ) );
+ psa_get_key_bits( &got_attributes ) ) );
 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
 destroy:
@@ -629,8 +629,8 @@ void import_export_public_key( data_t *data,
 /* Export the public key */
 ASSERT_ALLOC( exported, export_size );
 status = psa_export_public_key( key,
- exported, export_size,
- &exported_length );
+ exported, export_size,
+ &exported_length );
 TEST_EQUAL( status, expected_export_status );
 if( status == PSA_SUCCESS )
 {