mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-01 04:20:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add ecdh_psa_shared_key flag to protect PSA privkey if imported

Browse Source 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
Neil Armstrong 2022-03-23 10:57:04 +01:00
parent 5cd5f76d67
commit 8113d25d1e
3 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
library/ssl_misc.h
View File

@ -632,6 +632,7 @@ struct mbedtls_ssl_handshake_params
psa_key_type_t ecdh_psa_type; psa_key_type_t ecdh_psa_type;
uint16_t ecdh_bits; uint16_t ecdh_bits;
mbedtls_svc_key_id_t ecdh_psa_privkey; mbedtls_svc_key_id_t ecdh_psa_privkey;
uint8_t ecdh_psa_shared_key;
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t ecdh_psa_peerkey_len; size_t ecdh_psa_peerkey_len;
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

3
library/ssl_tls.c
View File

@ -3146,7 +3146,8 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_ECDH_C) && \ #if defined(MBEDTLS_ECDH_C) && \
( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) ) ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
psa_destroy_key( handshake->ecdh_psa_privkey ); if( handshake->ecdh_psa_shared_key == 0 )
psa_destroy_key( handshake->ecdh_psa_privkey );
#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)

18
library/ssl_tls12_server.c
View File

@ -3946,18 +3946,22 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
{ {
ret = psa_ssl_status_to_mbedtls( status ); ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
(void) psa_destroy_key( handshake->ecdh_psa_privkey ); if( handshake->ecdh_psa_shared_key == 0 )
(void) psa_destroy_key( handshake->ecdh_psa_privkey );
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return( ret ); return( ret );
} }
status = psa_destroy_key( handshake->ecdh_psa_privkey ); if( handshake->ecdh_psa_shared_key == 0 )
if( status != PSA_SUCCESS )
{ {
ret = psa_ssl_status_to_mbedtls( status ); status = psa_destroy_key( handshake->ecdh_psa_privkey );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
return( ret ); if( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
return( ret );
}
} }
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
} }