commit ae3f13bf5ecd02955556a1450294613bd0102f8c
author Steven Cooreman <steven.cooreman@silabs.com> Tue Feb 23 12:19:42 2021 +0100
committer Steven Cooreman <steven.cooreman@silabs.com> Mon Mar 01 16:03:40 2021 +0100
tree 5dcbe5c77c4eef2ebe6b179128c36d70a632a69f
parent a96e2410e7e5604a85bce6f548c0e66b55c88d67

Add more test cases and fix AT_LEAST_THIS_LENGTH against base algorithm

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ffb6ef4..32be756 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2913,7 +2913,28 @@
 
     if( truncated == 0 )
     {
-        /* The "normal" case: untruncated algorithm. Nothing to do. */
+        /* The "normal" case: untruncated algorithm. Re-validate the
+         * key policy with explicit MAC length set in the algorithm
+         * when the algorithm policy is at-least-this-length to catch
+         * a corner case due to the default MAC length being unknown
+         * at key loading time. */
+        if( PSA_ALG_IS_MAC( slot->attr.policy.alg ) &&
+            ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg ) == full_length_alg ) &&
+            ( slot->attr.policy.alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) )
+        {
+            /* validate policy length */
+            if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg ) > operation->mac_size )
+                status = PSA_ERROR_NOT_PERMITTED;
+        }
+
+        if( PSA_ALG_IS_MAC( slot->attr.policy.alg2 ) &&
+            ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg2 ) == full_length_alg ) &&
+            ( slot->attr.policy.alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) )
+        {
+            /* validate policy length */
+            if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg2 ) > operation->mac_size )
+                status = PSA_ERROR_NOT_PERMITTED;
+        }
     }
     else if( truncated < 4 )
     {