aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Hu <david.hu@arm.com>2021-06-03 15:37:46 +0800
committerDavid Hu <david.hu@arm.com>2021-06-07 11:09:19 +0200
commitc8c616ef11bbe5960ada85a719b7a5b53e6aa42c (patch)
tree0d51ff02782b5db6aac91913ff81316e7a1c9c7c
parent2bedfcddb0df0bacaeb769d617708de12c61ea8c (diff)
downloadtrusted-firmware-m-c8c616ef11bbe5960ada85a719b7a5b53e6aa42c.tar.gz
Crypto: Fix Mbed TLS key operation return code
PSA Crypto API spec requests key operation to return error code PSA_ERROR_INVALID_HANDLE when the key doesn't exist. However, according to [1], PSA key operation implementation in Mbed TLS returns PSA_ERROR_DOES_NOT_EXIST instead. TF-M currently works normally since TF-M specific key handle check will return PSA_ERROR_INVALID_HANDLE for a non-existing key, without calling Mbed TLS PSA key operation. Apply the merged Mbed TLS fix to TF-M to prepare for enhancement of TF-M key handle check. [1]: https://github.com/ARMmbed/mbedtls/pull/4198 Change-Id: I79dda1c54dc8377afbfaefdf180bb81c7ff99f02 Signed-off-by: David Hu <david.hu@arm.com>
-rw-r--r--lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch b/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
new file mode 100644
index 0000000000..6e127b9773
--- /dev/null
+++ b/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
@@ -0,0 +1,64 @@
+From 374c93c43f8c299adcee91cfbc90a15037317d18 Mon Sep 17 00:00:00 2001
+From: Maulik Patel <Maulik.Patel@arm.com>
+Date: Mon, 15 Mar 2021 14:48:14 +0000
+Subject: [PATCH 3/3] Fix:4162 Return correct error type for invalid key
+
+Return PSA_ERROR_INVALID_HANDLE instead of
+PSA_ERROR_DOES_NOT_EXIST if invalid key is passed for some key
+operations.
+
+Signed-off-by: Maulik Patel <Maulik.Patel@arm.com>
+---
+ library/psa_crypto_slot_management.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
+index dcbee31aa..b7e3442fb 100644
+--- a/library/psa_crypto_slot_management.c
++++ b/library/psa_crypto_slot_management.c
+@@ -305,13 +305,15 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
+
+ status = psa_load_persistent_key_into_slot( *p_slot );
+ if( status != PSA_SUCCESS )
++ {
+ psa_wipe_key_slot( *p_slot );
+-
++ if( status == PSA_ERROR_DOES_NOT_EXIST )
++ status = PSA_ERROR_INVALID_HANDLE;
++ }
+ return( status );
+ #else
+- return( PSA_ERROR_DOES_NOT_EXIST );
++ return( PSA_ERROR_INVALID_HANDLE );
+ #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+-
+ }
+
+ psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot )
+@@ -399,6 +401,9 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
+ if( status != PSA_SUCCESS )
+ {
+ *handle = PSA_KEY_HANDLE_INIT;
++ if( status == PSA_ERROR_INVALID_HANDLE )
++ status = PSA_ERROR_DOES_NOT_EXIST;
++
+ return( status );
+ }
+
+@@ -423,8 +428,12 @@ psa_status_t psa_close_key( psa_key_handle_t handle )
+
+ status = psa_get_and_lock_key_slot_in_memory( handle, &slot );
+ if( status != PSA_SUCCESS )
+- return( status );
++ {
++ if( status == PSA_ERROR_DOES_NOT_EXIST )
++ status = PSA_ERROR_INVALID_HANDLE;
+
++ return( status );
++ }
+ if( slot->lock_count <= 1 )
+ return( psa_wipe_key_slot( slot ) );
+ else
+--
+2.25.1
+