From bc611fe44c8fd262359220ad8d838b57c05327fc Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Mon, 8 Sep 2025 13:41:58 +0200
Subject: [PATCH] [tls12|tls13]_server: fix usage being checked on the certificate key

Signed-off-by: Valerio Setti
---
 library/ssl_tls12_server.c | 3 ++-
 library/ssl_tls13_server.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index b8ee41a423..07641cb3e8 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -694,7 +694,8 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
 mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
- mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg, pk_usage));
+ mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
+ PSA_KEY_USAGE_VERIFY_HASH));
 #else
 key_type_matches = (
 mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 8b60a7b30e..982e6f8c3b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1161,7 +1161,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
 *sig_alg, &key_cert->cert->pk)
 && psa_alg != PSA_ALG_NONE &&
 mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
- PSA_KEY_USAGE_SIGN_HASH) == 1
+ PSA_KEY_USAGE_VERIFY_HASH) == 1
 ) {
 ssl->handshake->key_cert = key_cert;
 MBEDTLS_SSL_DEBUG_MSG(3,
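Review bot: In the `MBEDTLS_SSL_ASYNC_PRIVATE` branch of `ssl_pick_cert`, the certificate key is now checked against a hard-coded `PSA_KEY_USAGE_VERIFY_HASH`, while the private key on the line above is still checked against the variable `pk_usage`. `pk_usage` is computed outside this hunk; if it can ever be anything other than the sign-hash usage, the fixed verify-hash check on `&cur->cert->pk` would no longer be its public-side counterpart, and a usable certificate could be skipped during selection. If `pk_usage` is always a signing usage here, a comment on the new lines would make that explicit, for example `/* cert->pk is a public key: check the verify-side counterpart of pk_usage (always SIGN_HASH here) */`. The diffstat shows only the two library files changing, so a regression test for the async-sign path with a public-only certificate key would be worth adding alongside. The function body starts and ends outside the hunk.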
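Review bot: The visible condition in `ssl_tls13_pick_key_cert` now confirms that the certificate's public key can verify with `psa_alg`, but nothing in these lines confirms that the private key `key_cert->key` permits signing with it. The TLS 1.2 hunk does check `cur->key` (or the presence of an async sign callback). If no such check exists elsewhere in the function, a key whose PSA policy forbids `psa_alg` would be selected here and fail only later, when CertificateVerify is produced. Consider adding a clause such as `mbedtls_pk_can_do_psa(key_cert->key, psa_alg, PSA_KEY_USAGE_SIGN_HASH) == 1`, with the same async-callback allowance as the TLS 1.2 path if it applies. The enclosing `if` and loop begin outside the hunk, so this needs confirming against the full function.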