
Commit e60d1d0

SE keys: save the bit size in storage
For a key in a secure element, save the bit size alongside the slot number. This is a quick-and-dirty implementation where the storage format depends on sizeof(size_t), which is fragile. This should be replaced by a more robust implementation before going into production.
1 parent 1801740 commit e60d1d0


2 files changed

+14
-23
lines changed


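--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1538,40 +1538,32 @@ static psa_status_t psa_finish_key_creation(
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
 if( slot->lifetime != PSA_KEY_LIFETIME_VOLATILE )
 {
-uint8_t *buffer = NULL;
-size_t buffer_size = 0;
-size_t length = 0;
+psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+psa_get_key_slot_attributes( slot, &attributes );
 
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
 if( driver != NULL )
 {
-buffer = (uint8_t*) &slot->data.se.slot_number;
-length = sizeof( slot->data.se.slot_number );
+status = psa_save_persistent_key( &attributes,
+(uint8_t*) &slot->data.se,
+sizeof( slot->data.se ) );
 }
 else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 {
-buffer_size = PSA_KEY_EXPORT_MAX_SIZE( slot->type,
-psa_get_key_slot_bits( slot ) );
-buffer = mbedtls_calloc( 1, buffer_size );
+size_t buffer_size =
+PSA_KEY_EXPORT_MAX_SIZE( slot->type,
+psa_get_key_bits( &attributes ) );
+uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
+size_t length = 0;
 if( buffer == NULL && buffer_size != 0 )
 return( PSA_ERROR_INSUFFICIENT_MEMORY );
 status = psa_internal_export_key( slot,
 buffer, buffer_size, &length,
 0 );
-}
-
-if( status == PSA_SUCCESS )
-{
-psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-psa_get_key_slot_attributes( slot, &attributes );
-status = psa_save_persistent_key( &attributes, buffer, length );
-}
+if( status == PSA_SUCCESS )
+status = psa_save_persistent_key( &attributes, buffer, length );
 
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-if( driver == NULL )
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-{
 if( buffer_size != 0 )
 mbedtls_platform_zeroize( buffer, buffer_size );
 mbedtls_free( buffer );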
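Review bot: In the `driver != NULL` branch the whole `slot->data.se` struct is written to persistent storage as raw bytes, so the stored blob carries any padding the compiler places in that struct, along with the build's `sizeof(size_t)` and byte order. If `data.se` shares a union with other key representations (not visible in this hunk), that padding may hold stale bytes from an earlier use of the slot, and they would be persisted. The commit message says the format is provisional, but nothing at the call site does; I would add `/* TODO: raw struct dump; replace with an explicit fixed-width encoding of slot number and bit size before release */` above the `psa_save_persistent_key` call. The matching `memcpy` in `psa_load_persistent_key_into_slot` has the same layout dependency, and the body of `psa_finish_key_creation` continues outside this hunk.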

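--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -138,13 +138,12 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *p_slot )
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
 if( psa_key_lifetime_is_external( p_slot->lifetime ) )
 {
-if( key_data_length != sizeof( p_slot->data.se.slot_number ) )
+if( key_data_length != sizeof( p_slot->data.se ) )
 {
 status = PSA_ERROR_STORAGE_FAILURE;
 goto exit;
 }
-memcpy( &p_slot->data.se.slot_number, key_data,
-sizeof( p_slot->data.se.slot_number ) );
+memcpy( &p_slot->data.se, key_data, sizeof( p_slot->data.se ) );
 }
 else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */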
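Review bot: The bit size that the new `memcpy` copies into `p_slot->data.se` comes straight from storage and gets no range check; the only validation is that `key_data_length` equals `sizeof( p_slot->data.se )`. A corrupted or tampered entry of the right length would therefore give the slot an arbitrary bit size, which later size computations may rely on (inferred; the consumers are outside this hunk). The changed length check also means entries written by the previous code, which held only the slot number, now fail with `PSA_ERROR_STORAGE_FAILURE`. If that is intended, a comment such as `/* Stored format: raw data.se (slot number + bit size); older slot-number-only entries are rejected */` above the check would record it. The function starts and ends outside this hunk.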
