tls: pake: do not destroy password key in TLS

Signed-off-by: Valerio Setti <vsetti@baylibre.com>

library/ssl_tls.c

@@ -1934,7 +1934,6 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque( mbedtls_ssl_context *ssl,
 
     if( mbedtls_svc_key_id_is_null( pwd ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    ssl->handshake->psa_pake_password = pwd;
 
     psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE );
     psa_pake_cs_set_primitive( &cipher_suite,
@@ -1956,8 +1955,7 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque( mbedtls_ssl_context *ssl,
     if( status != PSA_SUCCESS )
         goto error;
 
-    status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx,
+    status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, pwd );
-                                ssl->handshake->psa_pake_password );
     if( status != PSA_SUCCESS )
         goto error;
 
@@ -4037,7 +4035,15 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_pake_abort( &handshake->psa_pake_ctx );
-    psa_destroy_key( handshake->psa_pake_password );
+    /*
+     * Opaque keys are not stored in the handshake's data and it's the user
+     * responsibility to destroy them. Clear ones, instead, are created by
+     * the TLS library and should be destroyed at the same level
+     */
+    if( ! mbedtls_svc_key_id_is_null( handshake->psa_pake_password ) )
+    {
+        psa_destroy_key( handshake->psa_pake_password );
+    }
     handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
 #else
     mbedtls_ecjpake_free( &handshake->ecjpake_ctx );

programs/ssl/ssl_client2.c

@@ -3329,18 +3329,14 @@ exit:
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
     defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE )
+    /*
+     * In case opaque keys it's the user responsibility to keep the key valid
+     * for the duration of the handshake and destroy it at the end
+     */
+    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) &&
+        ( ! mbedtls_svc_key_id_is_null( ecjpake_pw_slot ) ) )
     {
-        psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+        psa_destroy_key( ecjpake_pw_slot );
-
-        /* Ensure the key is still valid before destroying it */
-        status = psa_get_key_attributes( ecjpake_pw_slot, &key_attr );
-        if( status == PSA_SUCCESS &&
-            PSA_ALG_IS_PAKE( psa_get_key_algorithm( &key_attr ) ) )
-        {
-            psa_destroy_key( ecjpake_pw_slot );
-        }
-        psa_reset_key_attributes( &key_attr );
     }
 #endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
 

programs/ssl/ssl_server2.c

@@ -4439,18 +4439,14 @@ exit:
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
     defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE )
+    /*
+     * In case opaque keys it's the user responsibility to keep the key valid
+     * for the duration of the handshake and destroy it at the end
+     */
+    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) &&
+        ( ! mbedtls_svc_key_id_is_null( ecjpake_pw_slot ) ) )
     {
-        psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+        psa_destroy_key( ecjpake_pw_slot );
-
-        /* Ensure the key is still valid before destroying it */
-        status = psa_get_key_attributes( ecjpake_pw_slot, &key_attr );
-        if( status == PSA_SUCCESS &&
-            PSA_ALG_IS_PAKE( psa_get_key_algorithm( &key_attr ) ) )
-        {
-            psa_destroy_key( ecjpake_pw_slot );
-        }
-        psa_reset_key_attributes( &key_attr );
     }
 #endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */