From 251c774b91b32acc8a6a72f590ac45dc98cc2486 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 21 Apr 2021 22:32:05 +0200
Subject: [PATCH] Refuse to destroy read-only keys

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/psa-read-only-keys.txt | 9 +++++----
 library/psa_crypto.c | 12 ++++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/ChangeLog.d/psa-read-only-keys.txt b/ChangeLog.d/psa-read-only-keys.txt
index 9e3081030..a4a282373 100644
--- a/ChangeLog.d/psa-read-only-keys.txt
+++ b/ChangeLog.d/psa-read-only-keys.txt
@@ -1,4 +1,5 @@
-Features
- * The PSA API no longer allows the creation of keys with a read-only lifetime.
- The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
- as intended, for keys that cannot be modified through normal use of the API.
+Bugfix
+ * The PSA API no longer allows the creation or destruction of keys with a
+ read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+ can now only be used as intended, for keys that cannot be modified through
+ normal use of the API.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 339370e40..f4860e631 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1133,6 +1133,18 @@ psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
 return( PSA_ERROR_GENERIC_ERROR );
 }
 
+ if( PSA_KEY_LIFETIME_IS_READ_ONLY( slot->attr.lifetime ) )
+ {
+ /* Refuse the destruction of a read-only key (which may or may not work
+ * if we attempt it, depending on whether the key is merely read-only
+ * by policy or actually physically read-only).
+ * Just do the best we can, which is to wipe the copy in memory. */
+ status = psa_wipe_key_slot( slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+ return( PSA_ERROR_NOT_PERMITTED );
+ }
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
 driver = psa_get_se_driver_entry( slot->attr.lifetime );
 if( driver != NULL )
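Review bot: The read-only branch wipes the in-memory slot and then returns PSA_ERROR_NOT_PERMITTED, so the caller gets a failure after state has changed (the volatile copy is gone while the key itself, if it lives in storage or a secure element, is left as it was); that contract belongs in psa_destroy_key's API documentation, e.g. `PSA_ERROR_NOT_PERMITTED: the key has a read-only lifetime and was not destroyed; its copy in volatile memory has been evicted`. If psa_wipe_key_slot fails, its status is returned instead and the read-only cause is hidden from the caller; consider whether PSA_ERROR_NOT_PERMITTED should take precedence, or document the ordering. The diffstat shows only the ChangeLog and psa_crypto.c changed, so a test that psa_destroy_key on a key with PSA_KEY_PERSISTENCE_READ_ONLY returns PSA_ERROR_NOT_PERMITTED and that the key can still be opened afterwards would pin the fix. psa_destroy_key starts before the hunk and continues after it, so whether the slot lock taken earlier is released by psa_wipe_key_slot on this path cannot be confirmed from the hunk alone.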