Add comments when can_do() is safe to use

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-28 00:21:48 +03:00 · 2022-06-17 10:49:29 +02:00
parent 19a567ba43
commit 66b0d61718
2 changed files with 5 additions and 1 deletions
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -2089,6 +2089,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
    peer_pk = &ssl->session_negotiate->peer_cert->pk;
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */

+    /* This is a public key, so it can't be opaque, so can_do() is a good
+     * enough check to ensure pk_ec() is safe to use below. */
    if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );