From b536126183e1ae58f3b44990b4ef98e964e26aac Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Thu, 18 May 2023 18:51:58 +0200
Subject: [PATCH] pk: manage allocate and free space when working with PSA private key
Allocation does not need to perform any action since the priv_id field is already present on the pk_context. Free should destroy the key. Of course this is true only if the key is not opaque (because in that case it's the user responsibility to do so).
Signed-off-by: Valerio Setti
---
 library/pk.c | 10 +++++++++-
 library/pk_wrap.c | 21 +++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/library/pk.c b/library/pk.c
index 5ed485baf..77012e157 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -78,6 +78,14 @@ void mbedtls_pk_free(mbedtls_pk_context *ctx)
 ctx->pk_info->ctx_free_func(ctx->pk_ctx);
 }
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* The ownership of the priv_id key for opaque keys is external of the PK
+ * module. It's the user responsibility to clear it after use. */
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
+ psa_destroy_key(ctx->priv_id);
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
 }
@@ -143,7 +151,7 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
 }
- if ((info->ctx_alloc_func == NULL) ||
+ if ((info->ctx_alloc_func != NULL) &&
 ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
 return MBEDTLS_ERR_PK_ALLOC_FAILED;
 }
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 45ded6e2b..7f5e751a9 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -1214,6 +1214,7 @@ static int eckey_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
 #endif
 }
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
 static void *eckey_alloc_wrap(void)
 {
 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
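Review bot: The status returned by `psa_destroy_key(ctx->priv_id)` in the `mbedtls_pk_free` hunk is discarded, and the context is zeroized right after, so if the destroy fails (the PSA API allows it to, e.g. storage or communication failures for persistent keys) the key material stays resident in the PSA key store with no remaining handle to reach it and nothing to signal that. Since `mbedtls_pk_free` returns void, at least make the discard explicit and explain it, `(void) psa_destroy_key(ctx->priv_id); /* cannot report failure here: ctx is wiped below and priv_id is lost */`, and consider asserting success in debug builds. The guard also skips destruction whenever `pk_info` is NULL; if any code path can populate `priv_id` before `mbedtls_pk_setup` assigns `pk_info` (an import that fails midway, for instance), that key would leak too — worth confirming against the callers. `mbedtls_pk_free` begins before the hunk.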
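Review bot: The inverted condition in the `mbedtls_pk_setup` hunk now silently accepts an `info` whose `ctx_alloc_func` is NULL, and in that case `ctx->pk_ctx` is never assigned at all — it keeps whatever value the caller's context already held, which is NULL only if the caller went through `mbedtls_pk_init` first. A one-line comment would stop the next reader from reverting it: `/* Key types backed by PSA keep their state in pk_context.priv_id and provide no alloc/free hooks; pk_ctx stays NULL for them. */`. Setting `ctx->pk_ctx = NULL;` explicitly before the `if` would make that invariant hold regardless of the incoming context, since any wrapper that still reads `pk_ctx` on the PSA path would otherwise see a stale pointer. `mbedtls_pk_setup` begins before the hunk, so I cannot see whether an earlier check already rules out a reused context.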
@@ -1230,6 +1231,7 @@ static void eckey_free_wrap(void *ctx)
 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
 mbedtls_free(ctx);
 }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
 static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
 {
@@ -1267,8 +1269,13 @@ const mbedtls_pk_info_t mbedtls_eckey_info = {
 NULL,
 NULL,
 eckey_check_pair,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
 eckey_alloc_wrap,
 eckey_free_wrap,
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 eckey_rs_alloc,
 eckey_rs_free,
@@ -1299,8 +1306,13 @@ const mbedtls_pk_info_t mbedtls_eckeydh_info = {
 NULL,
 NULL,
 eckey_check_pair,
- eckey_alloc_wrap, /* Same underlying key structure */
- eckey_free_wrap, /* Same underlying key structure */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ eckey_alloc_wrap, /* Same underlying key structure */
+ eckey_free_wrap, /* Same underlying key structure */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 NULL,
 NULL,
@@ -1389,8 +1401,13 @@ const mbedtls_pk_info_t mbedtls_ecdsa_info = {
 NULL,
 NULL,
 eckey_check_pair, /* Compatible key structures */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
 eckey_alloc_wrap, /* Compatible key structures */
 eckey_free_wrap, /* Compatible key structures */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 ecdsa_rs_alloc,
 ecdsa_rs_free,
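Review bot: The `NULL, NULL` pair added under `#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)` in `mbedtls_eckey_info` is two anonymous slots in a positional initializer, so a reader has to count fields to learn that they stand for `ctx_alloc_func` and `ctx_free_func`; the same unlabelled pair is repeated in the `mbedtls_eckeydh_info` and `mbedtls_ecdsa_info` hunks. Commenting them, `NULL, /* ctx_alloc_func: key state lives in pk_context.priv_id */` and `NULL, /* ctx_free_func: priv_id is destroyed by mbedtls_pk_free */`, keeps all three tables self-describing, and since the `#if/#else/#endif` block is byte-identical in the three tables it could be emitted by one shared helper macro (placeholder name, e.g. `MBEDTLS_PK_EC_CTX_HOOKS`) so that a future field reorder is fixed in one place. Each table's initializer starts and ends outside its hunk.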