tls: pake: do not destroy password key in TLS
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 004616f..4b195c4 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -4439,18 +4439,14 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
- if( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE )
+ /*
+ * In case opaque keys it's the user responsibility to keep the key valid
+ * for the duration of the handshake and destroy it at the end
+ */
+ if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) &&
+ ( ! mbedtls_svc_key_id_is_null( ecjpake_pw_slot ) ) )
{
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
-
- /* Ensure the key is still valid before destroying it */
- status = psa_get_key_attributes( ecjpake_pw_slot, &key_attr );
- if( status == PSA_SUCCESS &&
- PSA_ALG_IS_PAKE( psa_get_key_algorithm( &key_attr ) ) )
- {
- psa_destroy_key( ecjpake_pw_slot );
- }
- psa_reset_key_attributes( &key_attr );
+ psa_destroy_key( ecjpake_pw_slot );
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
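Review bot: The result of `psa_destroy_key( ecjpake_pw_slot )` is discarded and the identifier stays set afterwards, so a failed destroy silently leaves the password key in the key store. The new `mbedtls_svc_key_id_is_null()` guard would also not prevent a second destroy attempt if this cleanup were reached again. Consider `status = psa_destroy_key( ecjpake_pw_slot );` followed by `ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT;`, and report a status other than `PSA_SUCCESS`. The added comment would read better as `In case of opaque keys it is the user's responsibility to keep the key valid for the duration of the handshake and to destroy it at the end`. The enclosing function starts and ends outside the hunk, so whether this path can run more than once is not visible here.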