Use PSA for private key generation and public key export only for ECDHE keys

This should be cleaned when server-side static ECDH (1.2) support is added (#5320). Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 12:05:27 +01:00 · 2022-03-14 12:05:27 +01:00 · fc91a1f030
commit fc91a1f030
parent a21af3da00
1 changed files with 93 additions and 76 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -3108,6 +3108,10 @@ curve_matching_done:
        }

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+        // Handle only ECDHE keys using PSA crypto.
+        if ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+             ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+        {
            psa_status_t status = PSA_ERROR_GENERIC_ERROR;
            psa_key_attributes_t key_attributes;
            mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3188,6 +3192,19 @@ curve_matching_done:

            /* Determine full message length. */
            len += header_size;
+        }
+        else
+        {
+            if( ( ret = mbedtls_ecdh_make_params(
+                    &ssl->handshake->ecdh_ctx, &len,
+                    ssl->out_msg + ssl->out_msglen,
+                    MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+                    ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
+                return( ret );
+            }
+        }
 #else
        if( ( ret = mbedtls_ecdh_make_params(
                  &ssl->handshake->ecdh_ctx, &len,