diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 3797dea9c..39d6dbb36 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -269,12 +269,6 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
     }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-    if ( key_data == NULL )
-    {
-        status = PSA_ERROR_STORAGE_FAILURE;
-        goto exit;
-    }
-
     status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
 exit:
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index 1ebd20ee3..10a1ad37b 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -374,8 +374,12 @@ psa_status_t psa_save_persistent_key( const psa_core_key_attributes_t *attr,
     uint8_t *storage_data;
     psa_status_t status;
+    /* All keys saved to persistent storage always have a key context */
+    if( data == NULL || data_length == 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
     if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
-        return PSA_ERROR_INSUFFICIENT_STORAGE;
+        return( PSA_ERROR_INSUFFICIENT_STORAGE );
     storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
     storage_data = mbedtls_calloc( 1, storage_data_length );
@@ -426,6 +430,11 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr,
     status = psa_parse_key_data_from_storage( loaded_data, storage_data_length, data, data_length, attr );
+    /* All keys saved to persistent storage always have a key context */
+    if( status == PSA_SUCCESS &&
+        ( *data == NULL || *data_length == 0 ) )
+        status = PSA_ERROR_STORAGE_FAILURE;
+
 exit:
     mbedtls_free( loaded_data );
     return( status );
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index fbc94fc38..06128e993 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
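Review bot: The removed NULL guard before the psa_copy_key_material_into_slot() call is now a cross-module invariant — the new check in psa_load_persistent_key() (next file in this diff) is what turns an empty buffer into PSA_ERROR_STORAGE_FAILURE — and nothing at this call site says so. A short comment would keep that dependency auditable: `/* psa_load_persistent_key() fails rather than returning an empty buffer, so key_data is non-NULL and key_data_length > 0 here. */`. psa_load_persistent_key_into_slot() starts outside the hunk, and any other assignment to key_data above the #endif (the MBEDTLS_PSA_CRYPTO_SE_C path) is not visible here, so I cannot confirm from this page that no other path reaches the copy with a NULL buffer.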
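Review bot: When the new check in psa_load_persistent_key() downgrades status to PSA_ERROR_STORAGE_FAILURE, `*data` is left as psa_parse_key_data_from_storage() set it and only loaded_data is freed at exit, so a non-NULL zero-length buffer (the `*data_length == 0` arm) is leaked and the caller receives a failure status while still holding an allocation it was not told about. psa_parse_key_data_from_storage() is outside the hunk, so whether it can return a non-NULL pointer with length 0 depends on its allocator; a zero-sized mbedtls_calloc() may legitimately return a non-NULL pointer on some platforms, which is presumably why the check has both arms. Releasing the buffer and nulling the outputs on that path keeps the failure contract (caller owns nothing) consistent with the revised header text. psa_free_persistent_key_data() is the documented release routine for this buffer; I am assuming it tolerates a NULL pointer.
```c
    /* All keys saved to persistent storage always have a key context */
    if( status == PSA_SUCCESS &&
        ( *data == NULL || *data_length == 0 ) )
    {
        /* Do not hand the caller a buffer on a failure path. */
        psa_free_persistent_key_data( *data, *data_length );
        *data = NULL;
        *data_length = 0;
        status = PSA_ERROR_STORAGE_FAILURE;
    }
    /* … unchanged: exit label, free of loaded_data, return … */
```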
@@ -86,6 +86,9 @@ int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key );
  * already occupied non-persistent key, as well as ensuring the key data is
  * validated.
  *
+ * Note: This function will only succeed for key buffers which are not
+ * empty. If passed a NULL pointer or zero-length, the function will fail
+ * with #PSA_ERROR_INVALID_ARGUMENT.
  *
  * \param[in] attr The attributes of the key to save.
  * The key identifier field in the attributes
@@ -94,6 +97,7 @@ int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key );
  * \param data_length The number of bytes that make up the key data.
  *
  * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
  * \retval #PSA_ERROR_STORAGE_FAILURE
@@ -111,9 +115,10 @@ psa_status_t psa_save_persistent_key( const psa_core_key_attributes_t *attr,
  * metadata and writes them to the appropriate output parameters.
  *
  * Note: This function allocates a buffer and returns a pointer to it through
- * the data parameter. psa_free_persistent_key_data() must be called after
- * this function to zeroize and free this buffer, regardless of whether this
- * function succeeds or fails.
+ * the data parameter. On succesful return, the pointer is guaranteed to be
+ * valid and contain at least one byte of data.
+ * psa_free_persistent_key_data() must be called on the data buffer
+ * afterwards to zeroize and free this buffer.
  *
  * \param[in,out] attr On input, the key identifier field identifies
  * the key to load. Other fields are ignored.
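Review bot: In the third hunk of this header, `succesful` in the new sentence is a typo for `successful`, and the rewritten paragraph drops the old statement that psa_free_persistent_key_data() must be called regardless of whether the function succeeds or fails without saying what the caller owns on failure. Since psa_load_persistent_key() can now fail after the data buffer has been produced (the new check in psa_crypto_storage.c), the failure-case ownership should be stated explicitly, e.g. ` * On failure, *data is not a valid buffer and must not be freed by the caller.` if that is the intended contract, or the old "regardless of whether this function succeeds or fails" wording restored otherwise. The first two hunks in this file only add the new return value and its note and need no change.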