ssl_tls1X_populate_transform(): import psa keys only if alg is not MBEDTLS_SSL_NULL_CIPHER
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 921d82f..0c92a05 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1020,32 +1020,36 @@
goto end;
}
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, key_type );
-
transform->psa_alg = alg;
- if( ( status = psa_import_key( &attributes,
- key1,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ if ( alg != MBEDTLS_SSL_NULL_CIPHER )
{
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
- goto end;
- }
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+ if( ( status = psa_import_key( &attributes,
+ key1,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 3, "psa_import_key", (int)status );
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
+ goto end;
+ }
- if( ( status = psa_import_key( &attributes,
- key2,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_dec ) ) != PSA_SUCCESS )
- {
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
- goto end;
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
+ if( ( status = psa_import_key( &attributes,
+ key2,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_dec ) ) != PSA_SUCCESS )
+ {
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
+ goto end;
+ }
}
#else
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
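Review bot: In the new null-cipher branch opened at `if ( alg != MBEDTLS_SSL_NULL_CIPHER )` neither `transform->psa_key_enc` nor `transform->psa_key_dec` is assigned, so whatever later calls `psa_destroy_key` on them relies on the transform having been zeroed to `MBEDTLS_SVC_KEY_ID_INIT` before this point; that initialisation is outside the hunk and worth confirming, or make it explicit with an else arm `transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;` / `transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;`. The added level-3 trace `MBEDTLS_SSL_DEBUG_RET( 3, "psa_import_key", (int)status );` reports the same failure as the level-1 line two lines below and has no counterpart in the decrypt-key import or in the ssl_tls13_keys.c hunk, so either drop it or apply it uniformly to all four import sites. The new condition is written `if (` with a space, whereas every other conditional in the hunk (and the same line in ssl_tls13_keys.c) follows the file's `if( ... )` spacing. ssl_tls1X_populate_transform continues on both sides of this hunk, and the same observations apply to the ssl_tls13_keys.c hunk below.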
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 88ff217..5615386 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -940,30 +940,33 @@
return( psa_ssl_status_to_mbedtls( status ) );
}
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, key_type );
-
transform->psa_alg = alg;
- if( ( status = psa_import_key( &attributes,
- key_enc,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ if ( alg != MBEDTLS_SSL_NULL_CIPHER )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
- return( psa_ssl_status_to_mbedtls( status ) );
- }
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+ if( ( status = psa_import_key( &attributes,
+ key_enc,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
- if( ( status = psa_import_key( &attributes,
- key_dec,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_dec ) ) != PSA_SUCCESS )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
- return( psa_ssl_status_to_mbedtls( status ) );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
+ if( ( status = psa_import_key( &attributes,
+ key_dec,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_dec ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */