ssl: replace PSA_ALG_ECDSA with MBEDTLS_PK_ALG_ECDSA

valeriosetti · valeriosetti · commit 7b2d72aaf078 · 2025-09-16T16:12:07.000+02:00
When the key is parsed from PK it is assigned the pseudo-alg
MBEDTLS_PK_ALG_ECDSA. Trying to run "mbedtls_pk_can_do_psa" with an hardcoded
deterministc/randomized ECDSA can make the function to fail if the proper
variant is not the one also used by PK.
This commit fixes this problem.

Signed-off-by: Valerio Setti &lt;valerio.setti@nordicsemi.no&gt;
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
@@ -924,7 +924,7 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
                 mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
 
         case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+            return MBEDTLS_PK_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
 
         default:
             return PSA_ALG_NONE;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
@@ -8148,7 +8148,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
 
                 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
                     !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
-                                           PSA_ALG_ECDSA(psa_hash_alg),
+                                           MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),
                                            PSA_KEY_USAGE_SIGN_HASH)) {
                     continue;
                 }
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
@@ -1076,11 +1076,11 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
 {
     switch (sig_alg) {
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256);
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384);
         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
-            return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+            return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_512);
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
             return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:

Original file line number	Diff line number	Diff line change
`@@ -8148,7 +8148,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(`
`8148`	`8148`
`8149`	`8149`	`if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&`
`8150`	`8150`	`!mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,`
`8151`		`- PSA_ALG_ECDSA(psa_hash_alg),`
	`8151`	`+ MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),`
`8152`	`8152`	`PSA_KEY_USAGE_SIGN_HASH)) {`
`8153`	`8153`	`continue;`
`8154`	`8154`	`}`