add policy checks
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index df0201b..8207a9b 100755
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1505,7 +1505,8 @@
     if( cipher_info == NULL )
             return( PSA_ERROR_NOT_SUPPORTED );
 
-    //TODO: check key policy
+    if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) )
+        return( PSA_ERROR_NOT_PERMITTED );
 
     if ( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) != PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
         return( PSA_ERROR_INVALID_ARGUMENT );
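Review bot: The added guard tests only the usage flag, so a key whose policy was set up for a different algorithm is still accepted on this path. The tests in this commit pass `alg` to `psa_key_policy_set_usage`, which suggests the policy also records a permitted algorithm. If it does, the guard should compare that too, for example `if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) || slot->policy.alg != alg )`. This assumes the field is named `alg` and that the requested algorithm is the function's `alg` argument, neither of which is visible in this hunk. The same gap applies to the `PSA_KEY_USAGE_DECRYPT` check in the second hunk of this file, and both enclosing functions start and end outside their hunks.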
@@ -1644,7 +1645,9 @@
     cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, &cipher_id );
     if( cipher_info == NULL )
             return( PSA_ERROR_NOT_SUPPORTED );
-    //TODO: check key policy
+    
+    if( !( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) )
+        return( PSA_ERROR_NOT_PERMITTED );
 
     if ( !( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC
             && PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) == cipher_info->block_size ) )
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index a582b56..16577dd 100755
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -598,6 +598,7 @@
     size_t additional_data_length = 0;
     size_t i = 0;
     psa_status_t expected_result = (psa_status_t) expected_result_arg;
+    psa_key_policy_t policy = {0};
 
 
     key_data = unhexify_alloc( key_hex, &key_size );
@@ -619,6 +620,12 @@
 
     TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
 
+    psa_key_policy_init( &policy );
+
+    psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT , alg );
+
+    TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
     TEST_ASSERT( psa_import_key( slot, key_type,
                                  key_data, key_size ) == PSA_SUCCESS );
 
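Review bot: Nothing visible in the test changes exercises the new rejection path. These hunks only grant the usage flags so that the existing positive cases keep passing. A case that sets a policy without `PSA_KEY_USAGE_ENCRYPT` (and a matching one without `PSA_KEY_USAGE_DECRYPT`), imports the key, and asserts that the operation returns `PSA_ERROR_NOT_PERMITTED` would pin the check added in `library/psa_crypto.c`. Without it, a later refactor could drop or invert the guard and the suite would still pass. The test function's body starts and ends outside the hunk.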
@@ -679,6 +686,7 @@
     size_t tag_length = 16;
     unsigned char *additional_data = NULL;
     size_t additional_data_length = 0;
+    psa_key_policy_t policy = {0};
 
 
     key_data = unhexify_alloc( key_hex, &key_size );
@@ -697,6 +705,12 @@
     
     TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
 
+    psa_key_policy_init( &policy );
+
+    psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT , alg );
+
+    TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
     TEST_ASSERT( psa_import_key( slot, key_type,
                                  key_data, key_size ) == PSA_SUCCESS );