Merge pull request #10333 from valeriosetti/issue10266

[development] Migrate from mbedtls_pk_can_do_ext to mbedtls_pk_can_do_psa (2/2)
2025-10-23 00:58:55 +08:00 · 2025-09-16 16:41:59 +00:00
parent e6240f14ee e2aed3a6df
commit d66898e9a7
6 changed files with 17 additions and 16 deletions
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -924,7 +924,7 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
                mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+            return MBEDTLS_PK_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
        default:
            return PSA_ALG_NONE;
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8147,14 +8147,14 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
                    mbedtls_md_psa_alg_from_type(md_alg);
                if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
-                                           PSA_ALG_ECDSA(psa_hash_alg),
+                                           MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),
                                           PSA_KEY_USAGE_SIGN_HASH)) {
                    continue;
                }
                if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
                                           PSA_ALG_RSA_PKCS1V15_SIGN(
                                               psa_hash_alg),
                                           PSA_KEY_USAGE_SIGN_HASH)) {
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -693,11 +693,12 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
        int key_type_matches = 0;
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
        key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
-                             mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
+                             mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
-                            mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
+                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
                                                  PSA_KEY_USAGE_VERIFY_HASH));
 #else
        key_type_matches = (
-            mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
+            mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
        if (!key_type_matches) {
            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1076,11 +1076,11 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
 {
    switch (sig_alg) {
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256);
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384);
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_512);
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
            return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
@@ -1160,8 +1160,8 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
            if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
                    *sig_alg, &key_cert->cert->pk)
                && psa_alg != PSA_ALG_NONE &&
-                mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
+                mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
-                                      PSA_KEY_USAGE_SIGN_HASH) == 1
+                                      PSA_KEY_USAGE_VERIFY_HASH) == 1
                ) {
                ssl->handshake->key_cert = key_cert;
                MBEDTLS_SSL_DEBUG_MSG(3,
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -242,7 +242,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
                *psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
                *usage |= PSA_KEY_USAGE_SIGN_HASH;
            } else if (strcmp(algs[i], "ecdsa-sign") == 0) {
-                *psa_algs[i] = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+                *psa_algs[i] = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
                *usage |= PSA_KEY_USAGE_SIGN_HASH;
            } else if (strcmp(algs[i], "ecdh") == 0) {
                *psa_algs[i] = PSA_ALG_ECDH;
@@ -253,7 +253,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
        }
    } else {
        if (key_type == MBEDTLS_PK_ECKEY) {
-            *psa_alg1 = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+            *psa_alg1 = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
            *psa_alg2 = PSA_ALG_ECDH;
            *usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
        } else if (key_type == MBEDTLS_PK_RSA) {
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -457,11 +457,11 @@ handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH