Check for existence of key material on store/load
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 3797dea..39d6dbb 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -269,12 +269,6 @@
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- if ( key_data == NULL )
- {
- status = PSA_ERROR_STORAGE_FAILURE;
- goto exit;
- }
-
status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
exit:
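Review bot: Dropping the `key_data == NULL` guard makes the `psa_copy_key_material_into_slot()` call at the end of the hunk depend entirely on `psa_load_persistent_key()` now rejecting empty buffers, but the enclosing function starts before the hunk and the `MBEDTLS_PSA_CRYPTO_SE_C` branch that closes just above it is not visible, so I cannot confirm that `key_data` is only ever set by that loader. If the secure-element path assigns `key_data`/`key_data_length` itself, the guard still protects that path and should stay, or the invariant should at least be recorded where the guard used to be: `/* psa_load_persistent_key() guarantees non-NULL, non-empty key_data on success. */`. Note that the removed check never rejected a zero `key_data_length`; if the copy helper does not tolerate a zero length, that check belongs here rather than being removed along with the NULL one.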
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index 1ebd20e..10a1ad3 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -374,8 +374,12 @@
uint8_t *storage_data;
psa_status_t status;
+ /* All keys saved to persistent storage always have a key context */
+ if( data == NULL || data_length == 0 )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
- return PSA_ERROR_INSUFFICIENT_STORAGE;
+ return( PSA_ERROR_INSUFFICIENT_STORAGE );
storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
storage_data = mbedtls_calloc( 1, storage_data_length );
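Review bot: The new guard at the top of the hunk returns PSA_ERROR_INVALID_ARGUMENT, which classifies an empty buffer as a caller bug, but the one-line comment only states the invariant and not who is responsible for it, so a reader cannot tell why this is not a storage error like the mirrored check in the load path. Suggest `/* Every key written to persistent storage carries a non-empty key data buffer; an empty one is a caller error, so report PSA_ERROR_INVALID_ARGUMENT rather than a storage failure. */`. The surrounding `return( ... )` parenthesisation change is purely stylistic and fine.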
@@ -426,6 +430,11 @@
status = psa_parse_key_data_from_storage( loaded_data, storage_data_length,
data, data_length, attr );
+ /* All keys saved to persistent storage always have a key context */
+ if( status == PSA_SUCCESS &&
+ ( *data == NULL || *data_length == 0 ) )
+ status = PSA_ERROR_STORAGE_FAILURE;
+
exit:
mbedtls_free( loaded_data );
return( status );
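Review bot: When `psa_parse_key_data_from_storage()` succeeds but the new check finds `*data_length == 0` with a non-NULL `*data`, the function now returns PSA_ERROR_STORAGE_FAILURE while leaving whatever the parser allocated in `*data`; the hunk only frees `loaded_data`, and the header text in this same commit no longer tells callers to free the data buffer regardless of outcome, so this looks like a leak on a corrupt-storage path. Release the buffer and reset the outputs before the status is overridden: `psa_free_persistent_key_data( *data, *data_length ); *data = NULL; *data_length = 0;` (the helper's exact parameters are not visible here; match its declaration). Clearing the outputs on failure also makes the "valid on success" guarantee the header now promises safe to rely on, since no failure path hands back a dangling pointer.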
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index fbc94fc..06128e9 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
@@ -86,6 +86,9 @@
* already occupied non-persistent key, as well as ensuring the key data is
* validated.
*
+ * Note: This function will only succeed for key buffers which are not
+ * empty. If passed a NULL pointer or zero-length, the function will fail
+ * with #PSA_ERROR_INVALID_ARGUMENT.
*
* \param[in] attr The attributes of the key to save.
* The key identifier field in the attributes
@@ -94,6 +97,7 @@
* \param data_length The number of bytes that make up the key data.
*
* \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
* \retval #PSA_ERROR_STORAGE_FAILURE
@@ -111,9 +115,10 @@
* metadata and writes them to the appropriate output parameters.
*
* Note: This function allocates a buffer and returns a pointer to it through
- * the data parameter. psa_free_persistent_key_data() must be called after
- * this function to zeroize and free this buffer, regardless of whether this
- * function succeeds or fails.
+ * the data parameter. On succesful return, the pointer is guaranteed to be
+ * valid and contain at least one byte of data.
+ * psa_free_persistent_key_data() must be called on the data buffer
+ * afterwards to zeroize and free this buffer.
*
* \param[in,out] attr On input, the key identifier field identifies
* the key to load. Other fields are ignored.
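Review bot: The rewritten note in the middle of the hunk has a typo (`succesful`) and now describes the buffer only on success, whereas the text it replaces explicitly required `psa_free_persistent_key_data()` regardless of outcome; a caller reading the new wording cannot tell whether a failing call may leave an allocated buffer in `*data` that they must free. State the failure side of the contract explicitly, e.g. `On successful return, the pointer is guaranteed to be valid and contain at least one byte of data. On failure, *data does not point to a buffer and must not be freed.` — or the opposite, whichever the implementation actually does. The parameter documentation continues past the end of the hunk.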