TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

library: ssl: replace mbedtls_pk_can_do() with mbedtls_pk_can_do_psa()

Browse Source 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti
2025-11-12 12:55:04 +01:00
parent 92926ff4dc
commit 81a5a0914c
3 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
library/ssl_tls12_client.c
View File

@@ -16,6 +16,7 @@
#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#include "mbedtls_utils.h"
#include "psa/crypto.h"
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@@ -1883,6 +1884,7 @@ start_processing:
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
psa_algorithm_t psa_hash_alg;
mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE;
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
size_t params_len = (size_t) (p - params);
@@ -1921,7 +1923,10 @@ start_processing:
}
p += 2;
if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
psa_hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (!mbedtls_pk_can_do_psa(peer_pk,
mbedtls_psa_alg_from_pk_sigalg(pk_alg, psa_hash_alg),
PSA_KEY_USAGE_VERIFY_HASH)) {
MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message"));
mbedtls_ssl_send_alert_message(

5
library/ssl_tls12_server.c
View File

@@ -16,6 +16,7 @@
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/constant_time.h"
#include "mbedtls_utils.h"
#include <string.h>
@@ -3421,7 +3422,9 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/*
* Check the certificate's key type matches the signature alg
*/
if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
if (!mbedtls_pk_can_do_psa(peer_pk,
mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
PSA_KEY_USAGE_VERIFY_HASH)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}

5
library/ssl_tls13_generic.c
View File

@@ -18,6 +18,7 @@
#include "mbedtls/constant_time.h"
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "mbedtls_utils.h"
#include "ssl_tls13_invasive.h"
#include "ssl_tls13_keys.h"
@@ -276,7 +277,9 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
/*
* Check the certificate's key type matches the signature alg
*/
if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) {
if (!mbedtls_pk_can_do_psa(&ssl->session_negotiate->peer_cert->pk,
mbedtls_psa_alg_from_pk_sigalg(sig_alg, hash_alg),
PSA_KEY_USAGE_VERIFY_HASH)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
goto error;
}