SE keys: save the bit size in storage

For a key in a secure element, save the bit size alongside the slot
number.

This is a quick-and-dirty implementation where the storage format
depends on sizeof(size_t), which is fragile. This should be replaced
by a more robust implementation before going into production.
This commit is contained in:
Gilles Peskine 2019-07-24 20:27:59 +02:00
parent 1801740a7c
commit e60d1d08a4
2 changed files with 14 additions and 23 deletions

View File

@ -1538,40 +1538,32 @@ static psa_status_t psa_finish_key_creation(
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if( slot->lifetime != PSA_KEY_LIFETIME_VOLATILE ) if( slot->lifetime != PSA_KEY_LIFETIME_VOLATILE )
{ {
uint8_t *buffer = NULL; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
size_t buffer_size = 0; psa_get_key_slot_attributes( slot, &attributes );
size_t length = 0;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver != NULL ) if( driver != NULL )
{ {
buffer = (uint8_t*) &slot->data.se.slot_number; status = psa_save_persistent_key( &attributes,
length = sizeof( slot->data.se.slot_number ); (uint8_t*) &slot->data.se,
sizeof( slot->data.se ) );
} }
else else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{ {
buffer_size = PSA_KEY_EXPORT_MAX_SIZE( slot->type, size_t buffer_size =
psa_get_key_slot_bits( slot ) ); PSA_KEY_EXPORT_MAX_SIZE( slot->type,
buffer = mbedtls_calloc( 1, buffer_size ); psa_get_key_bits( &attributes ) );
uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
size_t length = 0;
if( buffer == NULL && buffer_size != 0 ) if( buffer == NULL && buffer_size != 0 )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
status = psa_internal_export_key( slot, status = psa_internal_export_key( slot,
buffer, buffer_size, &length, buffer, buffer_size, &length,
0 ); 0 );
} if( status == PSA_SUCCESS )
status = psa_save_persistent_key( &attributes, buffer, length );
if( status == PSA_SUCCESS )
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_get_key_slot_attributes( slot, &attributes );
status = psa_save_persistent_key( &attributes, buffer, length );
}
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver == NULL )
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
if( buffer_size != 0 ) if( buffer_size != 0 )
mbedtls_platform_zeroize( buffer, buffer_size ); mbedtls_platform_zeroize( buffer, buffer_size );
mbedtls_free( buffer ); mbedtls_free( buffer );

View File

@ -138,13 +138,12 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *p_slot )
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_lifetime_is_external( p_slot->lifetime ) ) if( psa_key_lifetime_is_external( p_slot->lifetime ) )
{ {
if( key_data_length != sizeof( p_slot->data.se.slot_number ) ) if( key_data_length != sizeof( p_slot->data.se ) )
{ {
status = PSA_ERROR_STORAGE_FAILURE; status = PSA_ERROR_STORAGE_FAILURE;
goto exit; goto exit;
} }
memcpy( &p_slot->data.se.slot_number, key_data, memcpy( &p_slot->data.se, key_data, sizeof( p_slot->data.se ) );
sizeof( p_slot->data.se.slot_number ) );
} }
else else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */