diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d55599e9e..411010c60 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -591,12 +591,18 @@ psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot, * * Persistent storage is not affected. * - * \param[in,out] slot The key slot to import data into. - * Its `type` field must have previously been set to - * the desired key type. - * It must not contain any key material yet. - * \param[in] data Buffer containing the key material to parse and import. - * \param data_length Size of \p data in bytes. + * \param[in,out] slot The key slot to import data into. + * Its `type` field must have previously been set to + * the desired key type. + * It must not contain any key material yet. + * \param[in] data Buffer containing the key material to parse and + * import. + * \param data_length Size of \p data in bytes. + * \param[out] key_buffer The buffer containing the export representation. + * \param[in] key_buffer_size The size of \p key_buffer in bytes. The size + * is greater or equal to \p data_length. + * \param[out] key_buffer_length The length of the data written in \p + * key_buffer in bytes. * * \retval #PSA_SUCCESS * \retval #PSA_ERROR_INVALID_ARGUMENT @@ -605,7 +611,10 @@ psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot, */ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, const uint8_t *data, - size_t data_length ) + size_t data_length, + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length ) { psa_status_t status = PSA_SUCCESS; size_t bit_size; @@ -631,10 +640,10 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, if( status != PSA_SUCCESS ) return( status ); - /* Allocate memory for the key */ - status = psa_copy_key_material_into_slot( slot, data, data_length ); - if( status != PSA_SUCCESS ) - return( status ); + /* Copy the key material. */ + memcpy( key_buffer, data, data_length ); + *key_buffer_length = data_length; + (void)key_buffer_size; /* Write the actual key size to the slot. * psa_start_key_creation() wrote the size declared by the @@ -650,16 +659,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, .core = slot->attr }; - status = psa_allocate_buffer_to_slot( slot, data_length ); - if( status != PSA_SUCCESS ) - return( status ); - bit_size = slot->attr.bits; status = psa_driver_wrapper_import_key( &attributes, data, data_length, - slot->key.data, - slot->key.bytes, - &slot->key.bytes, + key_buffer, + key_buffer_size, + key_buffer_length, &bit_size ); if( status == PSA_SUCCESS ) { @@ -676,10 +681,7 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, return( status ); } - mbedtls_platform_zeroize( slot->key.data, data_length ); - mbedtls_free( slot->key.data ); - slot->key.data = NULL; - slot->key.bytes = 0; + mbedtls_platform_zeroize( key_buffer, key_buffer_size ); /* Key format is not supported by any accelerator, try software fallback * if present. */ @@ -687,14 +689,10 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { - status = psa_allocate_buffer_to_slot( slot, data_length ); - if( status != PSA_SUCCESS ) - return( status ); - status = mbedtls_psa_ecp_import_key( &attributes, data, data_length, - slot->key.data, data_length, - &slot->key.bytes, + key_buffer, key_buffer_size, + key_buffer_length, &bit_size ); slot->attr.bits = (psa_key_bits_t) bit_size; return( status ); @@ -705,14 +703,10 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { - status = psa_allocate_buffer_to_slot( slot, data_length ); - if( status != PSA_SUCCESS ) - return( status ); - status = mbedtls_psa_rsa_import_key( &attributes, data, data_length, - slot->key.data, data_length, - &slot->key.bytes, + key_buffer, key_buffer_size, + key_buffer_length, &bit_size ); slot->attr.bits = (psa_key_bits_t) bit_size; return( status ); @@ -1931,7 +1925,14 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes, } else { - status = psa_import_key_into_slot( slot, data, data_length ); + status = psa_allocate_buffer_to_slot( slot, data_length ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_import_key_into_slot( slot, data, data_length, + slot->key.data, + slot->key.bytes, + &slot->key.bytes ); if( status != PSA_SUCCESS ) goto exit; } @@ -5234,7 +5235,14 @@ static psa_status_t psa_generate_derived_key_internal( if( slot->attr.type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( data, bytes ); #endif /* MBEDTLS_DES_C */ - status = psa_import_key_into_slot( slot, data, bytes ); + + status = psa_allocate_buffer_to_slot( slot, bytes ); + if( status != PSA_SUCCESS ) + return( status ); + + status = psa_import_key_into_slot( slot, data, bytes, + slot->key.data, slot->key.bytes, + &slot->key.bytes ); exit: mbedtls_free( data );