From 1f4b39621be82cf3a8f5335c212744cbe25c5b4f Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 9 Mar 2022 14:54:29 +0100
Subject: [PATCH 01/16] Implement PSA server-side ECDH-RSA/ECDSA
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 76 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 72 insertions(+), 4 deletions(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index fe81e34d39..e96a9792a6 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2854,7 +2854,69 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) )
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
+ psa_key_attributes_t key_attributes;
+ size_t ecdh_bits = 0;
+ size_t key_len;
+
+ if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+ {
+ return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+ }
+
+ mbedtls_ecp_keypair *key =
+ mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) );
+
+ if( key == NULL )
+ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+ /* Convert EC group to PSA key type. */
+ if( ( ssl->handshake->ecdh_psa_type =
+ mbedtls_ecc_group_to_psa( key->grp.id,
+ &ecdh_bits ) ) == 0 )
+ {
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ if( ecdh_bits > 0xffff )
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+
+ ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
+
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
+ psa_set_key_type( &key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( ssl->handshake->ecdh_psa_type ) );
+ psa_set_key_bits( &key_attributes, ssl->handshake->ecdh_bits );
+
+ key_len = ( key->grp.pbits + 7 ) / 8;
+ ret = mbedtls_ecp_write_key( key, buf, key_len );
+ if( ret != 0 )
+ goto cleanup;
+
+ status = psa_import_key( &key_attributes, buf, key_len,
+ &ssl->handshake->ecdh_psa_privkey );
+ if( status != PSA_SUCCESS ) {
+ ret = psa_ssl_status_to_mbedtls( status );
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ memset( buf, 0, sizeof( buf ) );
+
+ return( ret );
+}
+#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
@@ -3838,9 +3900,13 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) )
 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
 {
 size_t data_len = (size_t)( *p++ );
 size_t buf_len = (size_t)( end - p );
@@ -3896,7 +3962,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 else
 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ) */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
From 062de7dd79abc0f908925441e46b155824809b0e Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 18 Mar 2022 14:44:37 +0100
Subject: [PATCH 02/16] Use PSA_BITS_TO_BYTES instead of open-coded calculation in PSA version of ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
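Review bot: ssl_get_ecdh_params_from_cert() carries no header comment, and what a maintainer needs most is the ownership rule for the key it leaves in ssl->handshake->ecdh_psa_privkey: it is imported with a DERIVE-only, PSA_ALG_ECDH policy and later destroyed by the TLS layer (the psa_destroy_key() calls are outside this hunk). I would add above the definition: `/* Import the server's static EC private key (the certificate key) into PSA as handshake->ecdh_psa_privkey, usable only for ECDH key agreement. The handshake owns the resulting key and destroys it when done. */`. Nothing here checks that the slot is still MBEDTLS_SVC_KEY_ID_INIT before psa_import_key() overwrites it, so if this function can run twice for one handshake the first key would leak in the PSA key store; assert that, or destroy first. The cleanup wipes buf with memset(), which the compiler may elide for a stack buffer that is never read again — mbedtls_platform_zeroize() is the primitive for wiping exported key material.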
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e96a9792a6..70036477be 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2897,7 +2897,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 PSA_KEY_TYPE_ECC_KEY_PAIR( ssl->handshake->ecdh_psa_type ) );
 psa_set_key_bits( &key_attributes, ssl->handshake->ecdh_bits );
 
- key_len = ( key->grp.pbits + 7 ) / 8;
+ key_len = PSA_BITS_TO_BYTES( key->grp.pbits );
 ret = mbedtls_ecp_write_key( key, buf, key_len );
 if( ret != 0 )
 goto cleanup;
From 306d6074b36797ea39449d7679a08a793c8cac89 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 18 Mar 2022 14:44:56 +0100
Subject: [PATCH 03/16] Fix indentation issue in PSA version of ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 70036477be..d45fabc7e2 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2904,7 +2904,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 
 status = psa_import_key( &key_attributes, buf, key_len,
 &ssl->handshake->ecdh_psa_privkey );
- if( status != PSA_SUCCESS ) {
+ if( status != PSA_SUCCESS )
+ {
 ret = psa_ssl_status_to_mbedtls( status );
 goto cleanup;
 }
From 4f33fbc7e927adf1ee3fe0ecbc50708f016c99e8 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Tue, 22 Mar 2022 16:30:01 +0100
Subject: [PATCH 04/16] Use PSA define for max EC key pair size in ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index d45fabc7e2..1c7f5fbaf9 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2861,7 +2861,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
+ unsigned char buf[
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
 psa_key_attributes_t key_attributes;
 size_t ecdh_bits = 0;
 size_t key_len;
From 5cd5f76d679ba5289cb3f28f74d6a41fa69d05bf Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Tue, 22 Mar 2022 17:28:51 +0100
Subject: [PATCH 05/16] Use mbedtls_platform_zeroize() in ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1c7f5fbaf9..422f5cf697 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2914,7 +2914,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 ret = 0;
 
 cleanup:
- memset( buf, 0, sizeof( buf ) );
+ mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
 return( ret );
 }
From 8113d25d1e7ec74aa795d22e16c2718a36a1e2a8 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 10:57:04 +0100
Subject: [PATCH 06/16] Add ecdh_psa_shared_key flag to protect PSA privkey if imported
Signed-off-by: Neil Armstrong
---
 library/ssl_misc.h | 1 +
 library/ssl_tls.c | 3 ++-
 library/ssl_tls12_server.c | 18 +++++++++++-------
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 6329e0d5e5..e13b3d9dad 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -632,6 +632,7 @@ struct mbedtls_ssl_handshake_params
 psa_key_type_t ecdh_psa_type;
 uint16_t ecdh_bits;
 mbedtls_svc_key_id_t ecdh_psa_privkey;
+ uint8_t ecdh_psa_shared_key;
 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
 size_t ecdh_psa_peerkey_len;
 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
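Review bot: The new buffer size and the length handed to mbedtls_ecp_write_key() come from different tables: buf is now sized from PSA_VENDOR_ECC_MAX_CURVE_BITS, while key_len (computed from key->grp.pbits a few lines below, outside this hunk) follows the mbedtls curve configuration, and the callee only knows the length it is told, so a curve enabled in mbedtls but larger than the PSA vendor maximum would write past the end of buf. The two limits are presumably generated from the same curve list, but a local guard keeps the invariant next to the buffer: `if( key_len > sizeof( buf ) ) { ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; goto cleanup; }` right after key_len is computed. The declaration also deserves a line saying what it is sized for: `/* Holds the raw private scalar of the largest PSA-supported curve */`.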
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 86445de247..cc7d7e143c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3146,7 +3146,8 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 
 #if defined(MBEDTLS_ECDH_C) && \
 ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
- psa_destroy_key( handshake->ecdh_psa_privkey );
+ if( handshake->ecdh_psa_shared_key == 0 )
+ psa_destroy_key( handshake->ecdh_psa_privkey );
 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 422f5cf697..a9d37c1a48 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3946,18 +3946,22 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 {
 ret = psa_ssl_status_to_mbedtls( status );
 MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
- (void) psa_destroy_key( handshake->ecdh_psa_privkey );
+ if( handshake->ecdh_psa_shared_key == 0 )
+ (void) psa_destroy_key( handshake->ecdh_psa_privkey );
 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
 return( ret );
 }
 
- status = psa_destroy_key( handshake->ecdh_psa_privkey );
-
- if( status != PSA_SUCCESS )
+ if( handshake->ecdh_psa_shared_key == 0 )
 {
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
- return( ret );
+ status = psa_destroy_key( handshake->ecdh_psa_privkey );
+
+ if( status != PSA_SUCCESS )
+ {
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
+ return( ret );
+ }
 }
 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
 }
From 104a7c1d29d19b87ae7828bed137e60f023f01f4 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 10:58:03 +0100
Subject: [PATCH 07/16] Handle Opaque PK EC keys in ssl_get_ecdh_params_from_cert()
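Review bot: The new ecdh_psa_shared_key flag is only ever read here and in mbedtls_ssl_handshake_free(), and nothing in this commit initialises or clears it, so the ECDHE paths that import a fresh key into ecdh_psa_privkey now depend on the flag being zero by default. If mbedtls_ssl_handshake_params is zeroed on init (not visible here) that holds for the first use, but writing `handshake->ecdh_psa_shared_key = 0;` where a key is imported makes the ownership explicit and survives any reuse of the struct. The field also needs a comment in ssl_misc.h — `/* Set when ecdh_psa_privkey is owned by the application (opaque PK key) and must not be destroyed by the TLS layer */` — since "shared key" reads as the ECDH shared secret rather than as a key handle the library does not own. ssl_parse_client_key_exchange() begins and ends outside this hunk.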
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 113 +++++++++++++++++++++++--------------
 1 file changed, 72 insertions(+), 41 deletions(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index a9d37c1a48..c7870f2e79 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2863,56 +2863,87 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 unsigned char buf[
 PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
- psa_key_attributes_t key_attributes;
+ psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
 size_t ecdh_bits = 0;
 size_t key_len;
+ mbedtls_pk_context *pk;
+ mbedtls_ecp_keypair *key;
 
- if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
- {
- return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
- }
+ pk = mbedtls_ssl_own_key( ssl );
 
- mbedtls_ecp_keypair *key =
- mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) );
-
- if( key == NULL )
+ if( pk == NULL )
 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
- /* Convert EC group to PSA key type. */
- if( ( ssl->handshake->ecdh_psa_type =
- mbedtls_ecc_group_to_psa( key->grp.id,
- &ecdh_bits ) ) == 0 )
+ switch( mbedtls_pk_get_type( pk ) )
 {
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ case MBEDTLS_PK_OPAQUE:
+ if( ! mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) )
+ return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+
+ ssl->handshake->ecdh_psa_privkey =
+ *( (mbedtls_svc_key_id_t*) pk->pk_ctx );
+
+ status = psa_get_key_attributes( ssl->handshake->ecdh_psa_privkey,
+ &key_attributes );
+ if( status != PSA_SUCCESS)
+ return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+ ssl->handshake->ecdh_psa_type = psa_get_key_type( &key_attributes );
+ ssl->handshake->ecdh_bits = psa_get_key_bits( &key_attributes );
+
+ psa_reset_key_attributes( &key_attributes );
+
+ /* Key should no be destroyed in the TLS library */
+ ssl->handshake->ecdh_psa_shared_key = 1;
+
+ ret = 0;
+ break;
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ key = mbedtls_pk_ec( *pk );
+ if( key == NULL )
+ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+ /* Convert EC group to PSA key type. */
+ if( ( ssl->handshake->ecdh_psa_type =
+ mbedtls_ecc_group_to_psa( key->grp.id,
+ &ecdh_bits ) ) == 0 )
+ {
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ if( ecdh_bits > 0xffff )
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+
+ ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
+
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
+ psa_set_key_type( &key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( ssl->handshake->ecdh_psa_type ) );
+ psa_set_key_bits( &key_attributes, ssl->handshake->ecdh_bits );
+
+ key_len = PSA_BITS_TO_BYTES( key->grp.pbits );
+ ret = mbedtls_ecp_write_key( key, buf, key_len );
+ if( ret != 0 )
+ goto cleanup;
+
+ status = psa_import_key( &key_attributes, buf, key_len,
+ &ssl->handshake->ecdh_psa_privkey );
+ if( status != PSA_SUCCESS )
+ {
+ ret = psa_ssl_status_to_mbedtls( status );
+ goto cleanup;
+ }
+
+ ret = 0;
+ break;
+ default:
+ ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
 }
 
- if( ecdh_bits > 0xffff )
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
-
- ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
-
- key_attributes = psa_key_attributes_init();
- psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
- psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
- psa_set_key_type( &key_attributes,
- PSA_KEY_TYPE_ECC_KEY_PAIR( ssl->handshake->ecdh_psa_type ) );
- psa_set_key_bits( &key_attributes, ssl->handshake->ecdh_bits );
-
- key_len = PSA_BITS_TO_BYTES( key->grp.pbits );
- ret = mbedtls_ecp_write_key( key, buf, key_len );
- if( ret != 0 )
- goto cleanup;
-
- status = psa_import_key( &key_attributes, buf, key_len,
- &ssl->handshake->ecdh_psa_privkey );
- if( status != PSA_SUCCESS )
- {
- ret = psa_ssl_status_to_mbedtls( status );
- goto cleanup;
- }
-
- ret = 0;
-
 cleanup:
 mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
From 80325d00cf85b7bf97882ac68d7a76b867a642c3 Mon Sep 17 00:00:00 2001
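Review bot: The two branches store different things in ssl->handshake->ecdh_psa_type: the MBEDTLS_PK_OPAQUE case keeps the full key type returned by psa_get_key_type(), while the MBEDTLS_PK_ECKEY case keeps the curve family from mbedtls_ecc_group_to_psa() and wraps it in PSA_KEY_TYPE_ECC_KEY_PAIR() where it is used. Any consumer that wraps the opaque value the same way gets a meaningless type, so store `PSA_KEY_TYPE_ECC_GET_FAMILY( psa_get_key_type( &key_attributes ) )` and, in addition to the mbedtls_pk_can_do() check, fail with MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH when `PSA_KEY_TYPE_IS_ECC_KEY_PAIR( psa_get_key_type( &key_attributes ) )` is false. In the same branch the early return after a failed psa_get_key_attributes() happens before ecdh_psa_shared_key is set, leaving the application's key id in ecdh_psa_privkey with the flag clear, so mbedtls_ssl_handshake_free() would destroy a key the library does not own; set the flag immediately after copying the key id and reset the id on that error path. The `default:` branch sets ret without saying which PK type was rejected; a MBEDTLS_SSL_DEBUG_MSG there would make a mis-configured server key easier to diagnose.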
From: Neil Armstrong
Date: Wed, 23 Mar 2022 14:01:56 +0100
Subject: [PATCH 08/16] Allow ECDSA PK Opaque keys for ECDH Derivation
Signed-off-by: Neil Armstrong
---
 library/pk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/pk.c b/library/pk.c
index 7f4d5fe949..3b42799c7d 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -735,8 +735,10 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
 /* prepare the key attributes */
 psa_set_key_type( &attributes, key_type );
 psa_set_key_bits( &attributes, bits );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_DERIVE);
 psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA(hash_alg) );
+ psa_set_key_enrollment_algorithm( &attributes, PSA_ALG_ECDH );
 
 /* import private key into PSA */
 if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, key ) )
From 023bf8d7c209bb8861eaecd979094d618784dfeb Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 14:04:04 +0100
Subject: [PATCH 09/16] Add ECDH- Opaque PK key test
Signed-off-by: Neil Armstrong
---
 tests/ssl-opt.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 03351d419d..5d77e29d33 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
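Review bot: PSA_KEY_USAGE_DERIVE and the PSA_ALG_ECDH enrollment algorithm are now granted to every key that goes through mbedtls_pk_wrap_as_opaque(), not only to keys that will back an ECDH- ciphersuite, so a caller that only needs signing gets a key that is also usable for key agreement. The policy is fixed at import time, so consider making the DERIVE usage opt-in (a usage argument, or a dedicated wrapper for the ECDH case) to keep the default as narrow as before, and state the widened policy in this function's pk.h documentation either way. Style: `PSA_KEY_USAGE_DERIVE);` drops the space before the closing parenthesis used throughout the file; `PSA_KEY_USAGE_DERIVE );` matches the surrounding calls. mbedtls_pk_wrap_as_opaque() starts and ends outside this hunk.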
@@ -1583,6 +1583,23 @@ run_test "Opaque key for server authentication" \
 -S "error" \
 -C "error"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication (ECDH-)" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.ku-ka.crt \
+ key_file=data_files/server5.key" \
+ "$P_CLI" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-ECDH-" \
+ -s "key types: Opaque, none" \
+ -s "Ciphersuite is TLS-ECDH-" \
+ -S "error" \
+ -C "error"
+
 # Test using an opaque private key for client/server authentication
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
From f788253ed3cb23f3da134e58d30eb51369fb5c0c Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 25 Mar 2022 15:06:10 +0100
Subject: [PATCH 10/16] Fix comment typo in PSA version of ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index c7870f2e79..36f8f1616e 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2893,7 +2893,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 
 psa_reset_key_attributes( &key_attributes );
 
- /* Key should no be destroyed in the TLS library */
+ /* Key should not be destroyed in the TLS library */
 ssl->handshake->ecdh_psa_shared_key = 1;
 
 ret = 0;
From 1335222f138fb604ee3526d23d696cf1deef56f5 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 25 Mar 2022 15:08:11 +0100
Subject: [PATCH 11/16] Return translated PSA error in PSA version of ssl_get_ecdh_params_from_cert()
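Review bot: The requires_config_enabled list of the new ECDH- test omits the key exchange it exercises: the server-side code it relies on in ssl_tls12_server.c is compiled only under MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED (or the RSA variant), so a build without that option makes this test fail rather than skip; add `requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED` alongside the existing lines. The test also has no heading comment while the next one does, and it lands on TLS-ECDH- only indirectly — presumably through the key usage of server5.ku-ka.crt rather than an explicit ciphersuite — which is worth recording: `# Test using an opaque private key for server authentication with a static ECDH- ciphersuite (selected through the certificate's key usage)`.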
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 36f8f1616e..e0b5aaba30 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2886,7 +2886,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 status = psa_get_key_attributes( ssl->handshake->ecdh_psa_privkey,
 &key_attributes );
 if( status != PSA_SUCCESS)
- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+ return( psa_ssl_status_to_mbedtls( status ) );
 
 ssl->handshake->ecdh_psa_type = psa_get_key_type( &key_attributes );
 ssl->handshake->ecdh_bits = psa_get_key_bits( &key_attributes );
From b7b549aa71349bb9f7403f20de31043ceae0da5e Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 25 Mar 2022 15:13:02 +0100
Subject: [PATCH 12/16] Force server-side TLS1.2 for ECDH- Opaque PK key test
Signed-off-by: Neil Armstrong
---
 tests/ssl-opt.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5d77e29d33..54a66835bf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1589,7 +1589,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 run_test "Opaque key for server authentication (ECDH-)" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.ku-ka.crt \
+ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1\
+ crt_file=data_files/server5.ku-ka.crt\
 key_file=data_files/server5.key" \
 "$P_CLI" \
 0 \
From 98f6f78a7082e061b328402dc378df0c3c40aeef Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 25 Mar 2022 15:36:07 +0100
Subject: [PATCH 13/16] Update mbedtls_pk_wrap_as_opaque() documentation for ECDH derivation usage
Signed-off-by: Neil Armstrong
---
 include/mbedtls/pk.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 324612a243..a0d4694949 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -923,7 +923,8 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
 * change or be removed at any time without notice.
 *
 * \note Only ECDSA keys are supported so far. Signing with the
- * specified hash is the only allowed use of that key.
+ * specified hash & ECDH key agreement derivation operation
+ * are the only allowed use of that key.
 *
 * \param pk Input: the EC key to import to a PSA key.
 * Output: a PK context wrapping that PSA key.
From 91477a7964f2ad9dd3bef857ae008e8c01757e8e Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Fri, 25 Mar 2022 15:42:20 +0100
Subject: [PATCH 14/16] Switch handshake->ecdh_bits to size_t and remove now useless cast & limit checks
Signed-off-by: Neil Armstrong
---
 library/ssl_misc.h | 2 +-
 library/ssl_tls12_client.c | 4 +---
 library/ssl_tls12_server.c | 9 +++------
 library/ssl_tls13_client.c | 4 +---
 4 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index e13b3d9dad..00f39891b7 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -630,7 +630,7 @@ struct mbedtls_ssl_handshake_params
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
 psa_key_type_t ecdh_psa_type;
- uint16_t ecdh_bits;
+ size_t ecdh_bits;
 mbedtls_svc_key_id_t ecdh_psa_privkey;
 uint8_t ecdh_psa_shared_key;
 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 7b609e9f2a..a8ce5c9af6 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2352,9 +2352,7 @@ static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
 {
 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
 }
- if( ecdh_bits > 0xffff )
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- handshake->ecdh_bits = (uint16_t) ecdh_bits;
+ handshake->ecdh_bits = ecdh_bits;
 
 /* Keep a copy of the peer's public key */
 ecpoint_len = *(*p)++;
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e0b5aaba30..f3e9d14947 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2913,10 +2913,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
 }
 
- if( ecdh_bits > 0xffff )
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
-
- ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
+ ssl->handshake->ecdh_bits = ecdh_bits;
 
 key_attributes = psa_key_attributes_init();
 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
@@ -3186,12 +3183,12 @@ curve_matching_done:
 
 handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group(
 (*curve)->tls_id, &ecdh_bits );
- if( handshake->ecdh_psa_type == 0 || ecdh_bits > 0xffff )
+ if( handshake->ecdh_psa_type == 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid ecc group parse." ) );
 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 }
- handshake->ecdh_bits = (uint16_t) ecdh_bits;
+ handshake->ecdh_bits = ecdh_bits;
 
 key_attributes = psa_key_attributes_init();
 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9f22e1dcc6..c0094c065b 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
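Review bot: With the handshake field now the same type as the local, ecdh_bits in these hunks is a pass-through that exists only to feed one assignment (here, in the two ssl_tls12_server.c hunks on this line, and in the ssl_tls13_client.c hunk that follows); the group-lookup helpers could be given `&handshake->ecdh_bits` directly and the local dropped, unless a failed lookup is expected to leave the handshake field untouched — the helpers' behaviour on failure is not visible here. Dropping the 0xffff guards is fine only because the value presumably comes from a fixed curve table rather than straight from the peer, and that reasoning should live next to the field in ssl_misc.h: `/* Curve size in bits, as reported by the PSA group lookup */`. The enclosing functions start outside each of these hunks.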
@@ -288,9 +288,7 @@ static int ssl_tls13_generate_and_write_ecdh_key_exchange(
 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
 
- if( ecdh_bits > 0xffff )
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
+ ssl->handshake->ecdh_bits = ecdh_bits;
 
 key_attributes = psa_key_attributes_init();
 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
From f716a700a11598ad70937503dd24ce7f219aa1fc Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Mon, 4 Apr 2022 11:23:46 +0200
Subject: [PATCH 15/16] Rename mbedtls_ssl_handshake_params variable ecdh_psa_shared_key to ecdh_psa_privkey_is_external
Signed-off-by: Neil Armstrong
---
 library/ssl_misc.h | 2 +-
 library/ssl_tls.c | 2 +-
 library/ssl_tls12_server.c | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 00f39891b7..ea3fe1a325 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -632,7 +632,7 @@ struct mbedtls_ssl_handshake_params
 psa_key_type_t ecdh_psa_type;
 size_t ecdh_bits;
 mbedtls_svc_key_id_t ecdh_psa_privkey;
- uint8_t ecdh_psa_shared_key;
+ uint8_t ecdh_psa_privkey_is_external;
 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
 size_t ecdh_psa_peerkey_len;
 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index cc7d7e143c..95ef03241a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3146,7 +3146,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 
 #if defined(MBEDTLS_ECDH_C) && \
 ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
- if( handshake->ecdh_psa_shared_key == 0 )
+ if( handshake->ecdh_psa_privkey_is_external == 0 )
 psa_destroy_key( handshake->ecdh_psa_privkey );
 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
 
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index f3e9d14947..e1e4b8a790 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2894,7 +2894,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 psa_reset_key_attributes( &key_attributes );
 
 /* Key should not be destroyed in the TLS library */
- ssl->handshake->ecdh_psa_shared_key = 1;
+ ssl->handshake->ecdh_psa_privkey_is_external = 1;
 
 ret = 0;
 break;
@@ -3974,13 +3974,13 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 {
 ret = psa_ssl_status_to_mbedtls( status );
 MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
- if( handshake->ecdh_psa_shared_key == 0 )
+ if( handshake->ecdh_psa_privkey_is_external == 0 )
 (void) psa_destroy_key( handshake->ecdh_psa_privkey );
 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
 return( ret );
 }
 
- if( handshake->ecdh_psa_shared_key == 0 )
+ if( handshake->ecdh_psa_privkey_is_external == 0 )
 {
 status = psa_destroy_key( handshake->ecdh_psa_privkey );
 
From e88d190f2e6d7e40ee1fcd3dff1e94b275bcd5a4 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Mon, 4 Apr 2022 11:25:23 +0200
Subject: [PATCH 16/16] Set ecdh_psa_privkey_is_external to 1 right after setting ecdh_psa_privkey in ssl_get_ecdh_params_from_cert()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e1e4b8a790..514d81e4ec 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2883,19 +2883,22 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 ssl->handshake->ecdh_psa_privkey =
 *( (mbedtls_svc_key_id_t*) pk->pk_ctx );
 
+ /* Key should not be destroyed in the TLS library */
+ ssl->handshake->ecdh_psa_privkey_is_external = 1;
+
 status = psa_get_key_attributes( ssl->handshake->ecdh_psa_privkey,
 &key_attributes );
 if( status != PSA_SUCCESS)
+ {
+ ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
 return( psa_ssl_status_to_mbedtls( status ) );
+ }
 
 ssl->handshake->ecdh_psa_type = psa_get_key_type( &key_attributes );
 ssl->handshake->ecdh_bits = psa_get_key_bits( &key_attributes );
 
 psa_reset_key_attributes( &key_attributes );
 
- /* Key should not be destroyed in the TLS library */
- ssl->handshake->ecdh_psa_privkey_is_external = 1;
-
 ret = 0;
 break;
 case MBEDTLS_PK_ECKEY:
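Review bot: On the new error path the key id is reset but ecdh_psa_privkey_is_external stays at 1, so the flag now outlives the key it describes; if the handshake struct is reused and a later path imports a fresh key into ecdh_psa_privkey (the ECDHE import paths are outside this hunk), that key would never be destroyed. Clearing both together keeps the pair consistent: `ssl->handshake->ecdh_psa_privkey_is_external = 0;` next to the MBEDTLS_SVC_KEY_ID_INIT assignment. The moved comment could also say what the flag guards: `/* The key belongs to the application's opaque PK context: the TLS layer must never destroy it */`. ssl_get_ecdh_params_from_cert() starts and ends outside this hunk.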