Only make PSA HMAC key exportable when NULL or CBC & not EtM in build_transforms() Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>

commit: 8f92bf3a26b971e7287e6052f282adc461598df1 [log] [tgz]
author: Neil Armstrong <narmstrong@baylibre.com> Fri Mar 18 09:56:57 2022 +0100
committer: Neil Armstrong <narmstrong@baylibre.com> Fri Mar 18 11:10:09 2022 +0100
tree: bde93d4149f626a80b884228bd9e76b99b3cd5bf
parent: 29c0c040fcc3fe3744e3dc048764b1ed3f2d77b2 [diff] [blame]
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 4ea0a47..5108b86 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function

@@ -1374,9 +1374,13 @@
                              md1, maclen,
                              &t_out->psa_mac_enc ) == PSA_SUCCESS );
 
-        /* mbedtls_ct_hmac() requires the key to be exportable */
-        psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
-                                              PSA_KEY_USAGE_VERIFY_HASH );
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
+            etm == MBEDTLS_SSL_ETM_DISABLED )
+            /* mbedtls_ct_hmac() requires the key to be exportable */
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
+                                                  PSA_KEY_USAGE_VERIFY_HASH );
+        else
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
 
         CHK( psa_import_key( &attributes,
                              md1, maclen,
commit	8f92bf3a26b971e7287e6052f282adc461598df1	[log] [tgz]
author	Neil Armstrong <narmstrong@baylibre.com>	Fri Mar 18 09:56:57 2022 +0100
committer	Neil Armstrong <narmstrong@baylibre.com>	Fri Mar 18 11:10:09 2022 +0100
tree	bde93d4149f626a80b884228bd9e76b99b3cd5bf
parent	29c0c040fcc3fe3744e3dc048764b1ed3f2d77b2 [diff] [blame]