Improve PSA error return code

psa_key_derivation_output_key: prioritize BAD_STATE over NOT_PERMITTED

If psa_key_derivation_output_key() is called on an operation which hasn't been
set up or which has been aborted, return PSA_ERROR_BAD_STATE. Only return
PSA_ERROR_NOT_PERMITTED if the operation state is ok for
psa_key_derivation_input_bytes() or psa_key_derivation_output_bytes() but not
ok to output a key.

Ideally psa_key_derivation_output_key() would return PSA_ERROR_NOT_PERMITTED
only when psa_key_derivation_output_bytes() is possible, but this is clumsier
to implement.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman 2021-11-16 10:32:48 +00:00
parent 2290afc2d4
commit 021e724936

View file

@ -4282,6 +4282,9 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut
if( psa_get_key_bits( attributes ) == 0 ) if( psa_get_key_bits( attributes ) == 0 )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
if( operation->alg == PSA_ALG_NONE )
return( PSA_ERROR_BAD_STATE );
if( ! operation->can_output_key ) if( ! operation->can_output_key )
return( PSA_ERROR_NOT_PERMITTED ); return( PSA_ERROR_NOT_PERMITTED );