Only make PSA HMAC key exportable when NULL or CBC & not EtM in build_transforms()

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 09:56:57 +01:00 · 2022-03-18 09:56:57 +01:00 · 8f92bf3a26
commit 8f92bf3a26
parent 29c0c040fc
1 changed files with 7 additions and 3 deletions
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -1374,9 +1374,13 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
                             md1, maclen,
                             &t_out->psa_mac_enc ) == PSA_SUCCESS );

-        /* mbedtls_ct_hmac() requires the key to be exportable */
-        psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
-                                              PSA_KEY_USAGE_VERIFY_HASH );
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
+            etm == MBEDTLS_SSL_ETM_DISABLED )
+            /* mbedtls_ct_hmac() requires the key to be exportable */
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
+                                                  PSA_KEY_USAGE_VERIFY_HASH );
+        else
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );

        CHK( psa_import_key( &attributes,
                             md1, maclen,