PSA Crypto: Don't skip key data removal when SE driver is not in use

Closing a wrapped key with the new SE driver interface while MBEDTLS_PSA_CRYPTO_SE_C is also enabled leads to the key material not being freed, even though an old SE driver is not in use, leading to a memory leak. This is because a wrapped key is also considered external. This commit extends the check for skipping by checking whether an old-style SE driver is registered with the provided slot, in addition to checking whether the key is external. Signed-off-by: Fredrik Strupe <[email protected]>
lhuang04 · May 17, 2023 · d1333fa · d1333fa
1 parent 160d7ed
commit d1333fa
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/ChangeLog.d/psa_close_key_memory_leak_fix.txt b/ChangeLog.d/psa_close_key_memory_leak_fix.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix memory leak that occured when calling psa_close_key() on a
+     wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -1316,7 +1316,8 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
 static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
 {
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    if( psa_key_slot_is_external( slot ) )
+    if( psa_get_se_driver( slot->attr.lifetime, NULL, NULL ) &&
+        psa_key_slot_is_external( slot ) )
     {
         /* No key material to clean. */
     }