Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index fff144c..af3353c 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -583,9 +583,10 @@
* according to a different format.
*
* \param[in] attributes The attributes for the new key.
- * The key size field in \p attributes is
- * ignored; the actual key size is determined
- * from the \p data buffer.
+ * The key size is always determined from the
+ * \p data buffer.
+ * If the key size in \p attributes is nonzero,
+ * it must be equal to the size from \p data.
* \param[out] handle On success, a handle to the newly created key.
* \c 0 on failure.
* \param[in] data Buffer containing the key data. The content of this
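Review bot: the new \param text for `attributes` says a nonzero key size "must be equal to the size from \p data" but does not say what happens when it is not; since the \retval list further down adds a dedicated #PSA_ERROR_INVALID_ARGUMENT entry for exactly that case, point the reader at it here, e.g. "If the key size in \p attributes is nonzero, it must be equal to the size from \p data, otherwise #PSA_ERROR_INVALID_ARGUMENT is returned." so that the contract is visible from the parameter description alone.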
@@ -612,8 +613,12 @@
* The key type or key size is not supported, either by the
* implementation in general or in this particular persistent location.
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key attributes, as a whole, are invalid,
- * or the key data is not correctly formatted.
+ * The key attributes, as a whole, are invalid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size in \p attributes is nonzero and does not match the size
+ * of the key data.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
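Review bot: the third new \retval entry says "The size in \p attributes is nonzero" while the \param text above calls the same field "the key size"; use "key size" in both places so the two descriptions are unmistakably about the same attribute. Splitting the former combined entry into three separate #PSA_ERROR_INVALID_ARGUMENT entries is consistent with how the rest of this list repeats a value per cause, so no objection there, but note that an application cannot distinguish "badly formatted key data" from "size mismatch" by return value alone, which is worth a sentence in the commit message since the stated purpose of the check is catching application errors.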
@@ -859,9 +864,12 @@
* occupied slot.
* \param[in] attributes The attributes for the new key.
* They are used as follows:
- * - The key type, key size and domain parameters
- * are ignored. This information is copied
- * from the source key.
+ * - The key type and size may be 0. If either is
+ * nonzero, it must match the corresponding
+ * attribute of the source key.
+ * - If \p attributes contains domain parameters,
+ * they must match the domain parameters of
+ * the source key.
* - The key location (the lifetime and, for
* persistent keys, the key identifier) is
* used directly.
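Review bot: the removed bullet stated that the type, size and domain parameters are "copied from the source key"; the replacement bullets only say what must match and no longer say where the new key's values come from, so add that sentence back (e.g. "The key type, key size and domain parameters of the new key are always those of the source key."). Also, the domain-parameters bullet lacks the "may be 0 / may be absent" clause that the type-and-size bullet has: say explicitly that `attributes` with no domain parameters is accepted and that only present domain parameters are compared, otherwise a reader cannot tell whether an empty domain-parameter field counts as "contains domain parameters".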
@@ -884,6 +892,9 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The policy constraints on the source and specified in
* \p attributes are incompatible.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p attributes specifies a key type, domain parameters or key size
+ * which does not match the attributes of the source key.
* \retval #PSA_ERROR_NOT_PERMITTED
* The source key is not exportable and its lifetime does not
* allow copying it to the target's lifetime.
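Review bot: the new \retval text has a number-agreement problem and omits the nonzero condition that the \param section states: "specifies a key type, domain parameters or key size which does not match" should read along the lines of "specifies a nonzero key type or key size, or domain parameters, that do not match the corresponding attributes of the source key", so that a zero type or size is not read as a mismatch. Listing the attributes in the same order as the \param bullets (type, size, domain parameters) would also make the two passages easier to cross-check.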