From 8e4d8c92277aab24568da37a816badf5ddaaf2b0 Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Thu, 13 Mar 2025 13:38:30 +0100 Subject: [PATCH 1/7] Update ssl_tls.c to use psa_pake_get_shared_key Signed-off-by: Anton Matkin --- library/ssl_tls.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9144f9222b..b75c6d4c11 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6385,13 +6385,29 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, - &derivation); + mbedtls_svc_key_id_t shared_key_id = MBEDTLS_SVC_KEY_ID_INIT; + + psa_key_attributes_t shared_key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_usage_flags(&shared_key_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&shared_key_attributes, alg); + psa_set_key_type(&shared_key_attributes, PSA_KEY_TYPE_PASSWORD); + + status = psa_pake_get_shared_key(&handshake->psa_pake_ctx, &shared_key_attributes, &shared_key_id); + if (status != PSA_SUCCESS) { psa_key_derivation_abort(&derivation); return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } + status = psa_key_derivation_input_key(&derivation, PSA_KEY_DERIVATION_INPUT_SECRET, shared_key_id); + + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } + + psa_destroy_key(shared_key_id); + status = psa_key_derivation_output_bytes(&derivation, handshake->premaster, handshake->pmslen); From ce42312229a05d7f925d4f0a31a0bcaaee8fcfee Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Thu, 13 Mar 2025 13:39:16 +0100 Subject: [PATCH 2/7] Finished updating the tests Signed-off-by: Anton Matkin --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 20524a8972..59cba29b14 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto 
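Review bot: The return value of `psa_destroy_key(shared_key_id)` is discarded in the [PATCH 1/7] hunk of library/ssl_tls.c, so a failed destroy would leave the key holding the PAKE shared secret in the key store while the handshake carries on as if cleanup had succeeded. Capture it, for example `psa_status_t destroy_status = psa_destroy_key(shared_key_id);`, and take the existing `psa_key_derivation_abort(&derivation)` and `return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED` path when it is not `PSA_SUCCESS`. The same unchecked call remains in the second hunk of [PATCH 4/7], which only moves it ahead of the status test. The body of `ssl_compute_master` starts and ends outside the hunk, so any cleanup done later in the function is not visible here.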
@@ -1 +1 @@ -Subproject commit 20524a89722972a7dbf06a32ab7bb225053713f6 +Subproject commit 59cba29b14bbfd76e7ae8618b3cc1c96e542b3b7 From 5663c2379997cc4bc72d291d955af54951b12093 Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Thu, 13 Mar 2025 15:01:48 +0100 Subject: [PATCH 3/7] Create a changelog entry Signed-off-by: Anton Matkin --- ChangeLog.d/9322.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/9322.txt diff --git a/ChangeLog.d/9322.txt b/ChangeLog.d/9322.txt new file mode 100644 index 0000000000..582e47f66b --- /dev/null +++ b/ChangeLog.d/9322.txt @@ -0,0 +1,3 @@ +Changes + * Use the new `psa_pake_get_shared_key()` function implemented in + tf-psa-crypto instead of the removed `psa_pake_get_implicit_key()` From 8135b84ed2f5a2c2ab032098b0816f1bf1e4f405 Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Thu, 3 Apr 2025 16:36:24 +0200 Subject: [PATCH 4/7] Fixed incorrect usage of key derivation procedures Signed-off-by: Anton Matkin --- library/ssl_tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b75c6d4c11..12af239374 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6390,7 +6390,7 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, psa_key_attributes_t shared_key_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_usage_flags(&shared_key_attributes, PSA_KEY_USAGE_DERIVE); psa_set_key_algorithm(&shared_key_attributes, alg); - psa_set_key_type(&shared_key_attributes, PSA_KEY_TYPE_PASSWORD); + psa_set_key_type(&shared_key_attributes, PSA_KEY_TYPE_DERIVE); status = psa_pake_get_shared_key(&handshake->psa_pake_ctx, &shared_key_attributes, &shared_key_id); 
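Review bot: The attribute setup in the [PATCH 4/7] hunk at line 6390 has no comment explaining why the PAKE output is created as `PSA_KEY_TYPE_DERIVE` with only `PSA_KEY_USAGE_DERIVE`, and this hunk is already correcting the type from `PSA_KEY_TYPE_PASSWORD`. A one-line comment above `psa_set_key_type()` would guard against the same mistake, e.g. `/* Shared secret is only fed to the KDF as PSA_KEY_DERIVATION_INPUT_SECRET, hence a DERIVE key restricted to alg. */`. `alg` is defined outside the hunk, so which algorithm the key policy actually permits cannot be confirmed from the visible lines.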
@@ -6401,13 +6401,13 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, status = psa_key_derivation_input_key(&derivation, PSA_KEY_DERIVATION_INPUT_SECRET, shared_key_id); + psa_destroy_key(shared_key_id); + if (status != PSA_SUCCESS) { psa_key_derivation_abort(&derivation); return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - psa_destroy_key(shared_key_id); - status = psa_key_derivation_output_bytes(&derivation, handshake->premaster, handshake->pmslen); From 92129adcf2e5cc3f656412a0aa9a454761c1a7c0 Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Mon, 7 Apr 2025 16:10:42 +0200 Subject: [PATCH 5/7] Removed the whitespace which is causing CI to fail Signed-off-by: Anton Matkin --- library/ssl_tls.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 12af239374..78bcb92f4c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6392,14 +6392,18 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, psa_set_key_algorithm(&shared_key_attributes, alg); psa_set_key_type(&shared_key_attributes, PSA_KEY_TYPE_DERIVE); - status = psa_pake_get_shared_key(&handshake->psa_pake_ctx, &shared_key_attributes, &shared_key_id); + status = psa_pake_get_shared_key(&handshake->psa_pake_ctx, + &shared_key_attributes, + &shared_key_id); if (status != PSA_SUCCESS) { psa_key_derivation_abort(&derivation); return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - status = psa_key_derivation_input_key(&derivation, PSA_KEY_DERIVATION_INPUT_SECRET, shared_key_id); + status = psa_key_derivation_input_key(&derivation, + PSA_KEY_DERIVATION_INPUT_SECRET, + shared_key_id); psa_destroy_key(shared_key_id); From ab4716619aa31b67be0cd84bdf33dd04e947c7ea Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Thu, 28 Aug 2025 04:21:29 +0200 Subject: [PATCH 6/7] Removed the unnecessary changelog entry 
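Review bot: The relocated `psa_destroy_key(shared_key_id)` in the second [PATCH 4/7] hunk now runs on both the success and failure paths but still before `psa_key_derivation_output_bytes()`, and nothing in the code states why that order is safe. It presumably relies on the derivation operation keeping its own copy of the secret once `psa_key_derivation_input_key()` returns; that behaviour is not visible in this hunk and may differ between PSA implementations or drivers. A short comment would record the assumption, e.g. `/* The derivation operation has absorbed the key material; the key object is no longer needed. */`. The function body continues outside the hunk.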
Signed-off-by: Anton Matkin --- ChangeLog.d/9322.txt | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 ChangeLog.d/9322.txt diff --git a/ChangeLog.d/9322.txt b/ChangeLog.d/9322.txt deleted file mode 100644 index 582e47f66b..0000000000 --- a/ChangeLog.d/9322.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Use the new `psa_pake_get_shared_key()` function implemented in - tf-psa-crypto instead of the removed `psa_pake_get_implicit_key()` From 68f658c95ed1de59c94c0ba84e1b6d5ec8fe6f71 Mon Sep 17 00:00:00 2001 From: Anton Matkin Date: Fri, 29 Aug 2025 16:07:44 +0200 Subject: [PATCH 7/7] Updated tf-psa-crypto pointer Signed-off-by: Anton Matkin --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 59cba29b14..197f8859a7 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 59cba29b14bbfd76e7ae8618b3cc1c96e542b3b7 +Subproject commit 197f8859a7111deb66578e401c320d08bf534e62