Add CKA_DERIVE flag in server's private key template

[kshitizvars]

Description

This commit adds CKA_DERIVE flag in server's private key template which gets checked by optee subsystem to derive shared secret. Tested TLS1.2 with the change.
Without this flag enabled, tls connection fails while deriving shared secret.
This change is in common code, please let me know where I can change instead of changing common code.

Checklist

• Code modified for feature

Reviewer's checklist:

• Any issues marked for closing are addressed
• There is a test suite reasonably covering new functionality or modifications
• This feature/change has adequate documentation added
• Code conform to coding style that today cannot yet be enforced via the check style test
• Commits have short titles and sensible commit messages
• Coverity Scan has run if needed (code PR) and no new defects were found

[simo5]

At the moment there is no good way via OPenSSL APIs to tell what the intended use of a key is, so while not ideal I guess adding CKA_DERIVE by default may be the only good option here.
please check formatting though.

[simo5]

any chance you can contribute a test that would show the failure ?

[kshitizvars]

Hi @simo5,

I can contribute a test to show failure, it would be helpful, if you can share the steps to compile tests and run them.

[simo5]

@kshitizvars you should be able to run test by just doing:
make
make check

You will need at least one of the token dependencies installed, or all tests will end up being skipped.

Adding a test is a matter of adding a script or a binary under tests/ and modifying tests/meson.build accordingly.
But feel free to ask questions if you run into any trouble.

I am also ok if you provide instructions to reproduce via openssl commands, and I can code up a script quickly that way.

[kshitizvars]

Hi @simo5

1. For running the test, you need one key with no CKA_DERIVE capability, for this I have used below p11tool command:-

p11tool --login --generate-ecc --curve=secp256r1 --label="ecc-key-256_using_p11" --outfile="ec-key-256.pub" "pkcs11:model=OP-TEE%20TA;manufacturer=Linaro;serial=0000000000000001;token=token0" --set-pin="1234" --provider=/usr/lib/libckteec.so.0

Note:- Key generated by p11tool doesn't have DERIVE capability enabled, by default. Issue will only be seen with key with no derive capability.

2. Derive key using pkeyutl command:-
openssl pkeyutl -derive -inkey ${ECBASEURI} -peerkey ${ECPEERPUBURI} -out ${TMPPDIR}/secret.ecdh.bin

Please let me know, if you require any other thing.

[kshitizvars]

Hi @simo5,

Any more comments on this?

[simo5]

@kshitizvars sorry with vacations and stuff we are being a little slow replying.
The info you provided is fine, if you want to provide a test using that cmdline that is nice, otherwise I will create one and then merge your PR later on.

[kshitizvars]

Hi @simo5

Just checking, if you came back from vacations.
If yes, could you please merge this PR.

[simo5]

Yup!
Thanks for the ping.
Merging.