From 6eb5335ef0caa8bb77d5ec1b94a1736677acac0a Mon Sep 17 00:00:00 2001
From: Anton Matkin <anton.matkin@arm.com>
Date: Wed, 28 May 2025 20:02:35 +0200
Subject: [PATCH] Fixed issues with policy verification, since wildcard JPAKE
 policy is now disallowed, changed to concrete jpake algorithm (with SHA256
 hash)

Signed-off-by: Anton Matkin <anton.matkin@arm.com>
---
 library/ssl_tls.c                    | 2 +-
 programs/ssl/ssl_client2.c           | 2 +-
 programs/ssl/ssl_server2.c           | 2 +-
 tests/suites/test_suite_ssl.function | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 76430b593b..9144f9222b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1808,7 +1808,7 @@ int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
     }
 
     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
-    psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+    psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
     psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 
     status = psa_import_key(&attributes, pw, pw_len,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ae77a173fb..40304dd381 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2059,7 +2059,7 @@ usage:
             psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 
             psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
-            psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+            psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
             psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 
             status = psa_import_key(&attributes,
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3b07c8d368..64fd45952f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3336,7 +3336,7 @@ reset:
             psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 
             psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
-            psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+            psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
             psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 
             status = psa_import_key(&attributes,
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 3fbeac2479..5b6500898e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3973,7 +3973,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
 
         /* First try with an invalid usage */
         psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
-        psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+        psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
         psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 
         PSA_ASSERT(psa_import_key(&attributes, pwd_string,