eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add a hash wildcard value for hash-and-sign algorithm

Browse source 
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
This commit is contained in:
Gilles Peskine 2019-01-14 16:06:39 +01:00
parent b66c27b2c9
commit 0ce26e35d6
6 changed files with 180 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

27
library/psa_crypto.c
View file

@ -713,6 +713,29 @@ static psa_status_t psa_get_empty_key_slot( psa_key_handle_t handle,
return( status );
}
/** Test whether a policy permits an algorithm.
*
* The caller must test usage flags separately.
*/
static int psa_key_policy_permits( const psa_key_policy_t *policy,
psa_algorithm_t alg )
{
/* Common case: the policy only allows alg. */
if( alg == policy->alg )
return( 1 );
/* If policy->alg is a hash-and-sign with a wildcard for the hash,
* and alg is the same hash-and-sign family with any hash,
* then alg is compliant with policy->alg. */
if( PSA_ALG_IS_HASH_AND_SIGN( alg ) &&
PSA_ALG_SIGN_GET_HASH( policy->alg ) == PSA_ALG_ANY_HASH )
{
return( ( policy->alg & ~PSA_ALG_HASH_MASK ) ==
( alg & ~PSA_ALG_HASH_MASK ) );
}
/* If it isn't permitted, it's forbidden. */
return( 0 );
}
/** Retrieve a slot which must contain a key. The key must have allow all the
* usage flags set in \p usage. If \p alg is nonzero, the key must allow
* operations with this algorithm. */
@ -740,7 +763,9 @@ static psa_status_t psa_get_key_from_slot( psa_key_handle_t handle,
usage &= ~PSA_KEY_USAGE_EXPORT;
if( ( slot->policy.usage & usage ) != usage )
return( PSA_ERROR_NOT_PERMITTED );
if( alg != 0 && ( alg != slot->policy.alg ) )
/* Enforce that the usage policy permits the requested algortihm. */
if( alg != 0 && ! psa_key_policy_permits( &slot->policy, alg ) )
return( PSA_ERROR_NOT_PERMITTED );
*p_slot = slot;