commit 8113d25d1e7ec74aa795d22e16c2718a36a1e2a8
author Neil Armstrong <narmstrong@baylibre.com> Wed Mar 23 10:57:04 2022 +0100
committer Neil Armstrong <narmstrong@baylibre.com> Thu Mar 31 15:24:17 2022 +0200
tree cd4d93cb589071773d2ca918a1ec647071cb8cc8
parent 5cd5f76d679ba5289cb3f28f74d6a41fa69d05bf

Add ecdh_psa_shared_key flag to protect PSA privkey if imported

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>

library/ssl_tls12_server.c

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 422f5cf..a9d37c1 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3946,18 +3946,22 @@
         {
             ret = psa_ssl_status_to_mbedtls( status );
             MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
-            (void) psa_destroy_key( handshake->ecdh_psa_privkey );
+            if( handshake->ecdh_psa_shared_key == 0 )
+                (void) psa_destroy_key( handshake->ecdh_psa_privkey );
             handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
             return( ret );
         }
 
-        status = psa_destroy_key( handshake->ecdh_psa_privkey );
-
-        if( status != PSA_SUCCESS )
+        if( handshake->ecdh_psa_shared_key == 0 )
         {
-            ret = psa_ssl_status_to_mbedtls( status );
-            MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
-            return( ret );
+            status = psa_destroy_key( handshake->ecdh_psa_privkey );
+
+            if( status != PSA_SUCCESS )
+            {
+                ret = psa_ssl_status_to_mbedtls( status );
+                MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
+                return( ret );
+            }
         }
         handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
     }