Document better what wiping a key slot does not do

When a key slot is wiped, a copy of the key material may remain in
operations. This is undesirable, but does not violate the safety of
the code. Tracked in https://github.com/ARMmbed/mbed-crypto/issues/86
Gilles Peskine 2019-08-13 15:01:08 +02:00
parent b4e73e9747
commit 3f7cd62ff5


@ -994,18 +994,16 @@ static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
return( PSA_SUCCESS );
}
static void psa_abort_operations_using_key( psa_key_slot_t *slot )
{
/*FIXME how to implement this?*/
(void) slot;
}
/** Completely wipe a slot in memory, including its policy.
* Persistent storage is not affected. */
psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot )
{
psa_status_t status = psa_remove_key_data_from_memory( slot );
psa_abort_operations_using_key( slot );
/* Multipart operations may still be using the key. This is safe
* because all multipart operation objects are independent from
* the key slot: if they need to access the key after the setup
* phase, they have a copy of the key. Note that this means that
* key material can linger until all operations are completed. */
/* At this point, key material and other type-specific content has
* been wiped. Clear remaining metadata. We can call memset and not
* zeroize because the metadata is not particularly sensitive. */