Add ecdh_psa_shared_key flag to protect PSA privkey if imported

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-23 10:57:04 +01:00 · 2022-03-23 10:57:04 +01:00 · 8113d25d1e
commit 8113d25d1e
parent 5cd5f76d67
3 changed files with 14 additions and 8 deletions
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -3946,18 +3946,22 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
        {
            ret = psa_ssl_status_to_mbedtls( status );
            MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
-            (void) psa_destroy_key( handshake->ecdh_psa_privkey );
+            if( handshake->ecdh_psa_shared_key == 0 )
+                (void) psa_destroy_key( handshake->ecdh_psa_privkey );
            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
            return( ret );
        }

-        status = psa_destroy_key( handshake->ecdh_psa_privkey );
-
-        if( status != PSA_SUCCESS )
+        if( handshake->ecdh_psa_shared_key == 0 )
        {
-            ret = psa_ssl_status_to_mbedtls( status );
-            MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
-            return( ret );
+            status = psa_destroy_key( handshake->ecdh_psa_privkey );
+
+            if( status != PSA_SUCCESS )
+            {
+                ret = psa_ssl_status_to_mbedtls( status );
+                MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
+                return( ret );
+            }
        }
        handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
    }