Merge pull request #10333 from valeriosetti/issue10266

[development] Migrate from mbedtls_pk_can_do_ext to mbedtls_pk_can_do_psa (2/2)
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 39826ee..f7aaac2 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -924,7 +924,7 @@
                 mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
 
         case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+            return MBEDTLS_PK_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
 
         default:
             return PSA_ALG_NONE;
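Review bot: The ECDHE-ECDSA case now returns whatever `MBEDTLS_PK_ALG_ECDSA` expands to, and nothing at the return says the result may no longer equal `PSA_ALG_ECDSA(hash)`. If the macro can select a different ECDSA variant depending on build configuration (its definition is not in this diff), callers that compare the returned value with `PSA_ALG_ECDSA(...)` or with an opaque key's policy would stop matching without any error. A one-line comment such as `/* PK-module ECDSA variant; may differ from PSA_ALG_ECDSA() depending on configuration */` would make that explicit. The same applies to the signature-algorithm mapping in ssl_tls13_server.c and to the `ecdsa-sign` handling in ssl_test_lib.c. The enclosing function starts and ends outside the hunk.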
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 38db9cd..37e4259 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8147,14 +8147,14 @@
                     mbedtls_md_psa_alg_from_type(md_alg);
 
                 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
-                                           PSA_ALG_ECDSA(psa_hash_alg),
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
+                                           MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),
                                            PSA_KEY_USAGE_SIGN_HASH)) {
                     continue;
                 }
 
                 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
                                            PSA_ALG_RSA_PKCS1V15_SIGN(
                                                psa_hash_alg),
                                            PSA_KEY_USAGE_SIGN_HASH)) {
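Review bot: The result of `mbedtls_pk_can_do_psa()` is used as a boolean with `!` in both checks here, while ssl_tls13_server.c in the same change compares it with `== 1`. The two forms agree only if the function returns strictly 0 or 1, which this diff does not show, so using one form across the SSL code would save a reader from checking. Separately, the ECDSA check goes through `MBEDTLS_PK_ALG_ECDSA` while the RSA check still passes `PSA_ALG_RSA_PKCS1V15_SIGN` directly; a short comment on why only ECDSA needs the PK wrapper would help. The second `if` and the enclosing loop continue past the hunk.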
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 256f1b1..07641cb 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -693,11 +693,12 @@
         int key_type_matches = 0;
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
         key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
-                             mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
-                            mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
+                             mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
+                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
+                                                  PSA_KEY_USAGE_VERIFY_HASH));
 #else
         key_type_matches = (
-            mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
+            mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
         if (!key_type_matches) {
             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
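Review bot: In the MBEDTLS_SSL_ASYNC_PRIVATE branch the certificate's public key is now tested with a hard-coded `PSA_KEY_USAGE_VERIFY_HASH`, while the private key is still tested with `pk_usage`. If `pk_usage` can ever be something other than a signing usage (its assignment is outside the hunk), the two halves of the condition check unrelated capabilities, and a certificate could be accepted for a key exchange it does not fit. A comment would pin the assumption, for example `/* cert->pk is public: check the verify counterpart of the signing usage in pk_usage */`. The non-async branch still does not look at `cur->cert->pk` at all, so key/certificate agreement is checked differently depending on the build option.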
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index dc50bee..982e6f8 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1076,11 +1076,11 @@
 {
     switch (sig_alg) {
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256);
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384);
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_512);
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
             return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
@@ -1160,8 +1160,8 @@
             if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
                     *sig_alg, &key_cert->cert->pk)
                 && psa_alg != PSA_ALG_NONE &&
-                mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
-                                      PSA_KEY_USAGE_SIGN_HASH) == 1
+                mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
+                                      PSA_KEY_USAGE_VERIFY_HASH) == 1
                 ) {
                 ssl->handshake->key_cert = key_cert;
                 MBEDTLS_SSL_DEBUG_MSG(3,
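Review bot: This condition only asks whether the certificate's public key can verify with `psa_alg`; the private key `key_cert->key`, which presumably produces the CertificateVerify signature, is not consulted in the visible lines. With an opaque key whose policy permits a different algorithm, the pair would be selected here and would presumably fail only at signing time, aborting the handshake instead of trying the next sig_alg/key_cert pair. Consider adding `mbedtls_pk_can_do_psa(key_cert->key, psa_alg, PSA_KEY_USAGE_SIGN_HASH) == 1` to the condition, or a comment stating where the private key's policy is checked. The enclosing loop and function start and end outside the hunk.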
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index 79d3059..a84bf24 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -242,7 +242,7 @@
                 *psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
                 *usage |= PSA_KEY_USAGE_SIGN_HASH;
             } else if (strcmp(algs[i], "ecdsa-sign") == 0) {
-                *psa_algs[i] = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+                *psa_algs[i] = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
                 *usage |= PSA_KEY_USAGE_SIGN_HASH;
             } else if (strcmp(algs[i], "ecdh") == 0) {
                 *psa_algs[i] = PSA_ALG_ECDH;
@@ -253,7 +253,7 @@
         }
     } else {
         if (key_type == MBEDTLS_PK_ECKEY) {
-            *psa_alg1 = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+            *psa_alg1 = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
             *psa_alg2 = PSA_ALG_ECDH;
             *usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
         } else if (key_type == MBEDTLS_PK_RSA) {
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 6c5e718..4254208 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -457,11 +457,11 @@
 
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
 
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
 
 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH