ssl: replace PSA_ALG_ECDSA with MBEDTLS_PK_ALG_ECDSA

When the key is parsed from PK it is assigned the pseudo-alg MBEDTLS_PK_ALG_ECDSA. Trying to run "mbedtls_pk_can_do_psa" with an hardcoded deterministc/randomized ECDSA can make the function to fail if the proper variant is not the one also used by PK. This commit fixes this problem. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-05-05 01:23:39 +02:00 · 2025-09-08 13:36:08 +02:00
parent 0009b042ac
commit 7b2d72aaf0
3 changed files with 5 additions and 5 deletions
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -924,7 +924,7 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
                mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));

        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+            return MBEDTLS_PK_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));

        default:
            return PSA_ALG_NONE;
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8148,7 +8148,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(

                if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
-                                           PSA_ALG_ECDSA(psa_hash_alg),
+                                           MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),
                                           PSA_KEY_USAGE_SIGN_HASH)) {
                    continue;
                }
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1076,11 +1076,11 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
 {
    switch (sig_alg) {
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256);
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384);
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_512);
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
            return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: