From 306ffd3a369a33d492543af24fc7da8170dfe0af Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 7 Jul 2025 09:41:34 +0100 Subject: [PATCH 1/4] Switch to mbedtls_pk_verify_new Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 3 +-- library/ssl_tls13_generic.c | 2 +- library/x509_crt.c | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index b244921554..2129da122d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,8 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_ext(pk_alg, NULL, - peer_pk, + ret = mbedtls_pk_verify_new(pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 44525dd153..f5cdc65e55 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL, + if ((ret = mbedtls_pk_verify_new(sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index 4ac5d9b7e6..3947eb09aa 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2060,7 +2060,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk, + if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 
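Review bot: Nothing at the RSASSA-PSS call in ssl_tls12_client.c states which PSS parameters (salt length, MGF1 hash) the verification accepts now that the options argument is gone. The definition of `mbedtls_pk_verify_new` is not part of this patch, so presumably that policy is fixed inside the function; a comment above the call such as `/* No options argument: the PSS salt length and MGF1 hash are decided inside mbedtls_pk_verify_new(). */` would record it. A negative test that feeds a signature with mismatched PSS parameters and expects rejection would confirm the behaviour. The same applies to the calls in ssl_tls13_generic.c and x509_crt.c (x509_crt_verifycrl, x509_crt_check_signature), where no signature parameters from the certificate or CRL are passed either. The enclosing functions start and end outside these hunks.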
@@ -2134,7 +2134,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk, + return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } From 0de87611bbbac901376249f44a6ace45be661466 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 14 Jul 2025 08:27:01 +0100 Subject: [PATCH 2/4] Remove additional calls to mbedtls_pk_verify_ext Signed-off-by: Ben Taylor --- library/ssl_tls13_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f5cdc65e55..372bf84608 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -306,7 +306,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, p, signature_len)) == 0) { return 0; } - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret); error: /* RFC 8446 section 4.4.3 From 0c787e3de84c77075fbecf006d16e1253bd8be99 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 14 Jul 2025 08:33:24 +0100 Subject: [PATCH 3/4] Remove additional calls to mbedtls_pk_verify_ext Signed-off-by: Ben Taylor --- tests/suites/test_suite_x509write.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 49ecc54278..b7e531e653 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk, + if (mbedtls_pk_verify_new(csr.sig_pk, NULL, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 
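Review bot: Patch 3/4 leaves the `NULL` second argument in the renamed call in x509_crt_verifycsr, so `mbedtls_pk_verify_new` gets eight arguments where every other call in this series passes seven; patch 4/4 then removes it. As posted, the tree at 3/4 presumably fails to build the x509write test suite, which breaks bisection across a change to signature verification. Squash 4/4 into 3/4 so the line reads `if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,` from the start. x509_crt_verifycsr continues outside the hunk.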
From 5be8511151e8a982b87165452dca532fc01d3f9f Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 17 Jul 2025 10:05:23 +0100 Subject: [PATCH 4/4] Fix too many arguments in mbedtls_pk_verify_new Signed-off-by: Ben Taylor --- tests/suites/test_suite_x509write.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index b7e531e653..db571dab65 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new(csr.sig_pk, NULL, &csr.pk, + if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;