Keep raw PSK when set via mbedtls_ssl_conf_psk() and feed as input_bytes
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 2ff2a0e..c8c1219 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1427,8 +1427,7 @@
* If either no PSK or a raw PSK have been
* configured, this has value \c 0.
*/
- uint8_t MBEDTLS_PRIVATE(psk_opaque_is_internal);
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should
* only be set via mbedtls_ssl_conf_psk().
* If either no PSK or an opaque PSK
@@ -1438,7 +1437,6 @@
* mbedtls_ssl_conf_psk().
* Its value is non-zero if and only if
* \c psk is not \c NULL. */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation.
* This field should only be set via
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f2a3e1a..99b7d04 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1527,10 +1527,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL )
return( 1 );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
}
@@ -1541,16 +1540,11 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{
- /* The maintenance of the external PSK key slot is the
+ /* The maintenance of the PSK key slot is the
* user's responsibility. */
- if( conf->psk_opaque_is_internal )
- {
- psa_destroy_key( conf->psk_opaque );
- conf->psk_opaque_is_internal = 0;
- }
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL )
{
mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -1559,7 +1553,6 @@
conf->psk = NULL;
conf->psk_len = 0;
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Remove reference to PSK identity, if any. */
if( conf->psk_identity != NULL )
@@ -1601,11 +1594,6 @@
const unsigned char *psk_identity, size_t psk_identity_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_attributes_t key_attributes = psa_key_attributes_init();
- psa_status_t status;
- mbedtls_svc_key_id_t key;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* We currently only support one PSK, raw or opaque. */
if( ssl_conf_psk_is_configured( conf ) )
@@ -1619,23 +1607,6 @@
if( psk_len > MBEDTLS_PSK_MAX_LEN )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
- psa_set_key_algorithm( &key_attributes,
- PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256) );
- psa_set_key_enrollment_algorithm( &key_attributes,
- PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384) );
- psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
-
- status = psa_import_key( &key_attributes, psk, psk_len, &key );
- if( status != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-
- /* Allow calling psa_destroy_key() on config psk remove/free */
- conf->psk_opaque_is_internal = 1;
- ret = mbedtls_ssl_conf_psk_opaque( conf, key,
- psk_identity, psk_identity_len );
-#else
if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
conf->psk_len = psk_len;
@@ -1645,7 +1616,6 @@
ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
if( ret != 0 )
ssl_conf_remove_psk( conf );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( ret );
}
@@ -4498,14 +4468,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{
- if( conf->psk_opaque_is_internal )
- {
- psa_destroy_key( conf->psk_opaque );
- conf->psk_opaque_is_internal = 0;
- }
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL )
{
mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@@ -4513,7 +4478,6 @@
conf->psk = NULL;
conf->psk_len = 0;
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk_identity != NULL )
{
@@ -4895,6 +4859,7 @@
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
+ const unsigned char* raw_psk, size_t raw_psk_length,
const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length,
const unsigned char* other_secret,
@@ -4928,7 +4893,7 @@
{
status = psa_key_derivation_input_bytes(
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
- NULL, 0 );
+ raw_psk, raw_psk_length );
}
else
{
@@ -4994,6 +4959,7 @@
status = setup_psa_key_derivation( &derivation,
master_key, alg,
+ NULL, 0,
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
@@ -5298,6 +5264,7 @@
}
status = setup_psa_key_derivation( &derivation, psk, alg,
+ ssl->conf->psk, ssl->conf->psk_len,
seed, seed_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index a22d97f..095db8f 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -65,10 +65,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if( conf->psk != NULL && conf->psk_len != 0 )
return( 1 );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
}
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 29cbe75..a1505d1 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -164,10 +164,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
-#else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if( conf->psk != NULL && conf->psk_len != 0 )
return( 1 );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
}
