Key derivation: forbid output_key without input_key
If none of the inputs to a key derivation is a
PSA_KEY_DERIVATION_INPUT_SECRET passed with
psa_key_derivation_input_key(), forbid
psa_key_derivation_output_key(). It usually doesn't make sense to
derive a key object if the secret isn't itself a proper key.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index cc60901..b9ea00f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4787,6 +4787,9 @@
if( psa_get_key_bits( attributes ) == 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
+ if( ! operation->can_output_key )
+ return( PSA_ERROR_NOT_PERMITTED );
+
status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE,
attributes, handle, &slot, &driver );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@@ -5174,6 +5177,7 @@
{
psa_key_slot_t *slot;
psa_status_t status;
+
status = psa_get_transparent_key( handle, &slot,
PSA_KEY_USAGE_DERIVE,
operation->alg );
@@ -5182,6 +5186,12 @@
psa_key_derivation_abort( operation );
return( status );
}
+
+ /* Passing a key object as a SECRET input unlocks the permission
+ * to output to a key object. */
+ if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
+ operation->can_output_key = 1;
+
return( psa_key_derivation_input_internal( operation,
step, slot->attr.type,
slot->data.raw.data,