Remove unnecessary key generation 04/194004/2
authorTomasz Swierczek <t.swierczek@samsung.com>
Wed, 28 Nov 2018 06:56:06 +0000 (07:56 +0100)
committerTomasz Swierczek <t.swierczek@samsung.com>
Mon, 10 Dec 2018 05:47:40 +0000 (06:47 +0100)
When saving an encrypted key, an unencrypted key was created
only to be overwritten later, with an unnecessary retrieval of
data from that key. This was changed to manually encrypt the
key's secret data and save it with the key.

Change-Id: Idc7379deea35082804cab0048328c96f0f60e709

ta/src/cmd_exec.c

index 7f4858c929840ee3aa00ca756ec2edb4e58ebcea..ae731838c10ec04487dfd509d515e7d04125a18b 100644 (file)
@@ -772,7 +772,6 @@ TEE_Result KM_ExecCmdSaveData(TEE_Param param[4])
 {
        TEE_Result ret = TEE_SUCCESS;
        TEE_ObjectHandle key = TEE_HANDLE_NULL;
-       TEE_ObjectHandle oldKey = TEE_HANDLE_NULL;
        KM_BinaryData dataToSave;
        KM_BinaryData dataEncIV;                   // IV used to decrypt dataToSave with build-in key
        KM_BinaryData dataEncTag;                  // TAG used to data verfication after gcm decryption
@@ -782,7 +781,10 @@ TEE_Result KM_ExecCmdSaveData(TEE_Param param[4])
        uint32_t with_pwd = 0;
        uint32_t dataSizeBits_flag;
        uint32_t dataTypeFlag;                     // representation of tz_data_type
+       uint32_t encKeyBufSize = 0;
+
        void *tmp = NULL;
+       void *encKeyBuf = NULL;
 
        KM_BinaryData plainData;                   // Used during decryption with build-in key
        KM_BinaryData encData;                     // Used during encyption with password
@@ -924,12 +926,6 @@ TEE_Result KM_ExecCmdSaveData(TEE_Param param[4])
                        goto clean;
                }
 
-               ret = KM_CreateKey(TEE_TYPE_AES, dataSizeBits_flag, dataToSave.data, &key);
-               if (ret != TEE_SUCCESS) {
-                       LOG("Failed to create key");
-                       goto clean;
-               }
-
                if (with_pwd) {
                        tag.data_size = pwdData.tag_len_bits / 8;
                        tag.data = malloc(tag.data_size);
@@ -939,13 +935,32 @@ TEE_Result KM_ExecCmdSaveData(TEE_Param param[4])
                                goto clean;
                        }
 
-                       oldKey = key;
+                       encKeyBufSize = dataSizeBits_flag / 8;
+                       encKeyBuf = malloc(encKeyBufSize);
+                       if (encKeyBuf == NULL) {
+                               LOG("Failed to allocate memory for key encryption");
+                               ret = TEE_ERROR_OUT_OF_MEMORY;
+                               goto clean;
+                       }
+
+                       ret = KM_EncryptDataWithPwd(&pwdData, dataToSave.data, encKeyBufSize,
+                                                                               encKeyBuf, &encKeyBufSize, tag.data, &tag.data_size);
 
-                       ret = KM_EncryptKey(key, &pwdData, &key, tag.data, &tag.data_size);
                        if (TEE_SUCCESS != ret) {
-                               LOG("Failed to encrypt new key");
+                               LOG("Failed to encrypt key data");
                                goto clean;
                        }
+
+                       // Setting variables for key creation right after data encryption
+                       dataSizeBits_flag = encKeyBufSize * 8;
+                       dataToSave.data = encKeyBuf;
+                       dataToSave.data_size = encKeyBufSize;
+               }
+
+               ret = KM_CreateKey(TEE_TYPE_AES, dataSizeBits_flag, dataToSave.data, &key);
+               if (ret != TEE_SUCCESS) {
+                       LOG("Failed to create key");
+                       goto clean;
                }
 
                ret = KM_SaveKey(NULL, 0, key, objId.data, objId.data_size);
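Review bot: In the `with_pwd` branch, `encKeyBufSize = dataSizeBits_flag / 8` is passed to KM_EncryptDataWithPwd as what appears to be the number of bytes to read from `dataToSave.data`, but nothing in this hunk ties it to `dataToSave.data_size`. If the validation earlier in KM_ExecCmdSaveData (outside the hunk) does not already guarantee that, the encryption would read past the end of the input buffer. A guard before the `malloc` makes the assumption explicit: `if (dataToSave.data_size < encKeyBufSize) { ret = TEE_ERROR_BAD_PARAMETERS; goto clean; }`. The division also drops any remainder when `dataSizeBits_flag` is not a multiple of 8, and a zero result leaves `malloc(0)` implementation-defined, so both cases are worth rejecting in the same place.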
@@ -975,12 +990,12 @@ TEE_Result KM_ExecCmdSaveData(TEE_Param param[4])
        }
 
 clean:
-       TEE_CloseObject(oldKey);
        TEE_CloseObject(key);
        free(plainData.data);
        free(objId.data);
        free(encData.data);
        free(tag.data);
+       free(encKeyBuf);
        return ret;
 }
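Review bot: `free(plainData.data)` in the `clean:` block releases the buffer without clearing it, and going by its declaration comment that buffer presumably holds the data decrypted with the built-in key. Consider wiping it before the free, e.g. `if (plainData.data) TEE_MemFill(plainData.data, 0, plainData.data_size);`, assuming `data_size` is kept in step with the allocation. A short comment on the new `free(encKeyBuf)` would also help the next reader: `// dataToSave.data may alias encKeyBuf here; it must not be freed separately`.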