Handle Opaque PK EC keys in ssl_get_ecdh_params_from_cert()

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2025-02-11 09:40:38 +00:00 · 2022-03-23 10:58:03 +01:00 · 2022-03-23 10:58:03 +01:00 · 104a7c1d29
commit 104a7c1d29
parent 8113d25d1e
1 changed files with 72 additions and 41 deletions
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -2863,18 +2863,45 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    unsigned char buf[
        PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
-    psa_key_attributes_t key_attributes;
+    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
    size_t ecdh_bits = 0;
    size_t key_len;
+    mbedtls_pk_context *pk;
+    mbedtls_ecp_keypair *key;

-    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    pk = mbedtls_ssl_own_key( ssl );
+
+    if( pk == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    switch( mbedtls_pk_get_type( pk ) )
    {
+    case MBEDTLS_PK_OPAQUE:
+        if( ! mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) )
            return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
-    }

-    mbedtls_ecp_keypair *key =
-            mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) );
+        ssl->handshake->ecdh_psa_privkey =
+                *( (mbedtls_svc_key_id_t*) pk->pk_ctx );

+        status = psa_get_key_attributes( ssl->handshake->ecdh_psa_privkey,
+                                         &key_attributes );
+        if( status != PSA_SUCCESS)
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+        ssl->handshake->ecdh_psa_type = psa_get_key_type( &key_attributes );
+        ssl->handshake->ecdh_bits = psa_get_key_bits( &key_attributes );
+
+        psa_reset_key_attributes( &key_attributes );
+
+        /* Key should no be destroyed in the TLS library */
+        ssl->handshake->ecdh_psa_shared_key = 1;
+
+        ret = 0;
+        break;
+    case MBEDTLS_PK_ECKEY:
+    case MBEDTLS_PK_ECKEY_DH:
+    case MBEDTLS_PK_ECDSA:
+        key = mbedtls_pk_ec( *pk );
        if( key == NULL )
            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );

@ -2912,6 +2939,10 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
        }

        ret = 0;
+        break;
+    default:
+            ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+    }

 cleanup:
    mbedtls_platform_zeroize( buf, sizeof( buf ) );