commit 311f54d0ee492a74ea754cf5bc577dfc3f45063c
author Gilles Peskine <Gilles.Peskine@arm.com> Mon Sep 23 18:19:22 2019 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Mon Sep 23 18:19:22 2019 +0200
tree 1ce2ea06ed4dce9779935d7a35221317b8a8c29d
parent a5fb316b5b4362aa2101adb3730144c09f3d7c86

tls_prf: support an empty master secret

In TLS, the master secret is always a key. But EAP-TLS uses the TLS
PRF to derive an IV with an empty string for the "secret" input. The
code always stored the secret into a key slot before calling the TLS
PRF, but this doesn't work when the secret is empty, since PSA Crypto
no longer supports empty keys. Add a special case for an empty secret.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a7facb8..4e7c01b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -711,9 +711,18 @@
         if( status != PSA_SUCCESS )
             return( status );
 
-        status = psa_key_derivation_input_key( derivation,
-                                               PSA_KEY_DERIVATION_INPUT_SECRET,
-                                               slot );
+        if( slot == 0 )
+        {
+            status = psa_key_derivation_input_bytes(
+                derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
+                NULL, 0 );
+        }
+        else
+        {
+            status = psa_key_derivation_input_key(
+                derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
+                slot );
+        }
         if( status != PSA_SUCCESS )
             return( status );
 
@@ -743,8 +752,7 @@
 {
     psa_status_t status;
     psa_algorithm_t alg;
-    psa_key_attributes_t key_attributes;
-    psa_key_handle_t master_slot;
+    psa_key_handle_t master_slot = 0;
     psa_key_derivation_operation_t derivation =
         PSA_KEY_DERIVATION_OPERATION_INIT;
 
@@ -753,14 +761,24 @@
     else
         alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
 
-    key_attributes = psa_key_attributes_init();
-    psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
-    psa_set_key_algorithm( &key_attributes, alg );
-    psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
+    /* Normally a "secret" should be long enough to be impossible to
+     * find by brute force, and in particular should not be empty. But
+     * this PRF is also used to derive an IV, in particular in EAP-TLS,
+     * and for this use case it makes sense to have a 0-length "secret".
+     * Since the key API doesn't allow importing a key of length 0,
+     * keep master_slot=0, which setup_psa_key_derivation() understands
+     * to mean a 0-length "secret" input. */
+    if( slen != 0 )
+    {
+        psa_key_attributes_t key_attributes = psa_key_attributes_init();
+        psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+        psa_set_key_algorithm( &key_attributes, alg );
+        psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
 
-    status = psa_import_key( &key_attributes, secret, slen, &master_slot );
-    if( status != PSA_SUCCESS )
-        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        status = psa_import_key( &key_attributes, secret, slen, &master_slot );
+        if( status != PSA_SUCCESS )
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+    }
 
     status = setup_psa_key_derivation( &derivation,
                                        master_slot, alg,
@@ -790,7 +808,8 @@
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
     }
 
-    status = psa_destroy_key( master_slot );
+    if( master_slot != 0 )
+        status = psa_destroy_key( master_slot );
     if( status != PSA_SUCCESS )
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );