From b9c7ea459e518eac4cdf8c0d79977f2571b4dcd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 14 Jun 2022 09:25:17 +0200
Subject: [PATCH] Improve a comment.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ECDSA keys work with mbedtls_pk_ec() too, but we don't want to accept them here, so the comment should reflect that the check is not just about ensuring pk_ec() works.

Signed-off-by: Manuel Pégourié-Gonnard
---
 library/ssl_srv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f2fca12b76..705a63241a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3241,7 +3241,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 mbedtls_pk_context *own_key = mbedtls_ssl_own_key( ssl );
- /* We want to call mbedtls_pk_ec(), which only works on those types. */
+ /* Check if the key is a transparent ECDH key.
+ * This also ensures that it is safe to call mbedtls_pk_ec(). */
 if( mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY && mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY_DH ) {
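Review bot: The rewritten comment above the `mbedtls_pk_get_type( own_key )` check says what is accepted but not what is deliberately refused, so the reason for the restriction still lives only in the commit message. The condition lets through `MBEDTLS_PK_ECKEY` and `MBEDTLS_PK_ECKEY_DH`; according to the description, ECDSA-typed keys would also work with `mbedtls_pk_ec()` yet are intentionally not accepted here. Consider adding a line such as `* ECDSA-only keys are rejected on purpose, even though mbedtls_pk_ec() would work on them.` so that a later reader does not widen the check on the assumption that it exists only to make the accessor safe. The body of ssl_get_ecdh_params_from_cert continues outside the hunk, so how `own_key` is used after the check is not visible here.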