From f14394b25f19a7c3ad9e4809778ee36487f23e50 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Mon, 4 Jun 2018 14:33:19 +0300 Subject: [PATCH] add policy checks --- library/psa_crypto.c | 7 +++++-- tests/suites/test_suite_psa_crypto.function | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index df0201b1d..8207a9bc1 100755 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1505,7 +1505,8 @@ psa_status_t psa_aead_encrypt( psa_key_slot_t key, if( cipher_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); - //TODO: check key policy + if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) ) + return( PSA_ERROR_NOT_PERMITTED ); if ( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) != PSA_KEY_TYPE_CATEGORY_SYMMETRIC ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -1644,7 +1645,9 @@ psa_status_t psa_aead_decrypt( psa_key_slot_t key, cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, &cipher_id ); if( cipher_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); - //TODO: check key policy + + if( !( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) ) + return( PSA_ERROR_NOT_PERMITTED ); if ( !( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC && PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) == cipher_info->block_size ) ) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a582b56c3..16577dd91 100755 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -598,6 +598,7 @@ void aead_encrypt_decrypt( int key_type_arg, char * key_hex, size_t additional_data_length = 0; size_t i = 0; psa_status_t expected_result = (psa_status_t) expected_result_arg; + psa_key_policy_t policy = {0}; key_data = unhexify_alloc( key_hex, &key_size ); 
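Review bot: The guard added in psa_aead_encrypt, `if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) )`, tests only the usage flag and never compares the caller's `alg` with the algorithm recorded in the slot's policy, so a key provisioned for one AEAD algorithm would still be accepted with another. The tests in this patch set the policy with `psa_key_policy_set_usage( &policy, ..., alg )`, which indicates the policy carries a permitted algorithm; assuming that field is `slot->policy.alg`, the guard should read `if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) || slot->policy.alg != alg )`. The psa_aead_decrypt hunk at -1644 has the same gap with `PSA_KEY_USAGE_DECRYPT`. Both function bodies begin and end outside their hunks, so it is not visible here whether `slot` is already checked for being occupied before the policy is read.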
@@ -619,6 +620,12 @@ void aead_encrypt_decrypt( int key_type_arg, char * key_hex, TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT , alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS ); @@ -679,6 +686,7 @@ void aead_encrypt( int key_type_arg, char * key_hex, size_t tag_length = 16; unsigned char *additional_data = NULL; size_t additional_data_length = 0; + psa_key_policy_t policy = {0}; key_data = unhexify_alloc( key_hex, &key_size ); @@ -697,6 +705,12 @@ void aead_encrypt( int key_type_arg, char * key_hex, TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT , alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
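Review bot: No test in this patch reaches the new `PSA_ERROR_NOT_PERMITTED` return in library/psa_crypto.c, because the policies set in aead_encrypt_decrypt here and in aead_encrypt (hunk at -697) always grant the usage the test then exercises. A denial case should be added that sets the policy with the opposite usage only, for example `psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg );`, imports the key, and asserts that the encrypt call returns `PSA_ERROR_NOT_PERMITTED`, with the mirror case for decrypt. A case with no policy set on the slot at all would also pin the default-deny behaviour. Both test function bodies continue outside their hunks.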