1
0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-17 05:12:57 +01:00

sys/psa_crypto: wipe temporary private key copies from stack

This commit is contained in:
Mikolai Gütschow 2023-09-27 17:05:57 +02:00
parent 335c4f8c0c
commit 7b9c113c99
No known key found for this signature in database
GPG Key ID: 943E2F37AA659AD5
3 changed files with 18 additions and 7 deletions

View File

@ -21,6 +21,7 @@
#include "psa_error.h"
#include "psa_cryptocell_310_ecc_common.h"
#include "cryptocell_310_util.h"
#include "string_utils.h"
#define ENABLE_DEBUG 0
#include "debug.h"
@ -67,6 +68,7 @@ psa_status_t cryptocell_310_common_ecc_generate_key_pair(uint8_t *priv_key_buffe
return CRYS_to_psa_error(ret);
}
explicit_bzero(&priv_key, sizeof(priv_key));
return PSA_SUCCESS;
}
@ -89,7 +91,7 @@ psa_status_t cryptocell_310_common_ecc_sign(const uint8_t *priv_key,
ret = CRYS_ECPKI_BuildPrivKey(pDomain, priv_key, priv_key_size, &user_priv_key);
if (ret != CRYS_OK) {
DEBUG("CRYS_ECPKI_BuildPrivKey failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
return CRYS_to_psa_error(ret);
goto done;
}
cryptocell_310_enable();
@ -99,10 +101,12 @@ psa_status_t cryptocell_310_common_ecc_sign(const uint8_t *priv_key,
cryptocell_310_disable();
if (ret != CRYS_OK) {
DEBUG("CRYS_ECDSA_Sign failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
return CRYS_to_psa_error(ret);
goto done;
}
return PSA_SUCCESS;
done:
explicit_bzero(&user_priv_key, sizeof(user_priv_key));
return CRYS_to_psa_error(ret);
}
psa_status_t cryptocell_310_common_ecc_verify(const uint8_t *pub_key,

View File

@ -21,6 +21,7 @@
#include "crys_ec_edw_api.h"
#include "psa_error.h"
#include "cryptocell_310_util.h"
#include "string_utils.h"
#define ENABLE_DEBUG 0
#include "debug.h"
@ -49,13 +50,15 @@ psa_status_t psa_generate_ecc_ed25519_key_pair( uint8_t *priv_key_buffer,
cryptocell_310_disable();
if (ret != CRYS_OK) {
DEBUG("CRYS_ECEDW_KeyPair failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
return CRYS_to_psa_error(ret);
goto done;
}
memcpy(priv_key_buffer, secret_key, CRYS_ECEDW_ORD_SIZE_IN_BYTES);
memcpy(pub_key_buffer, &secret_key[CRYS_ECEDW_ORD_SIZE_IN_BYTES], CRYS_ECEDW_MOD_SIZE_IN_BYTES);
return PSA_SUCCESS;
done:
explicit_bzero(&secret_key, sizeof(secret_key));
return CRYS_to_psa_error(ret);
}
psa_status_t psa_ecc_ed25519_sign_message(const uint8_t *priv_key_buffer,
@ -91,10 +94,12 @@ psa_status_t psa_ecc_ed25519_sign_message(const uint8_t *priv_key_buffer,
cryptocell_310_disable();
if (ret != CRYS_OK) {
DEBUG("CRYS_ECEDW_Sign failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
return CRYS_to_psa_error(ret);
goto done;
}
return PSA_SUCCESS;
done:
explicit_bzero(&secret_key, sizeof(secret_key));
return CRYS_to_psa_error(ret);
(void)signature_size;
}

View File

@ -23,6 +23,8 @@
psa_status_t CRYS_to_psa_error(CRYSError_t error)
{
switch (error) {
case CRYS_OK:
return PSA_SUCCESS;
case CRYS_HASH_ILLEGAL_OPERATION_MODE_ERROR:
case CRYS_HASH_IS_NOT_SUPPORTED:
return PSA_ERROR_NOT_SUPPORTED;