From c0ac4a69336a1a8ae43a727bc45089940c40fa5e Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 9 Dec 2025 16:18:11 +0100
Subject: [PATCH] library: ssl: specify hash algorithm when checking signature in ssl_parse_certificate_verify

Since the hash algorithm is known, this can be used when calling "mbedtls_pk_can_do_psa()" to get a more accurate answer.

Signed-off-by: Valerio Setti
---
 library/ssl_tls12_server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index c02aeeaa08..ec4446c1b4 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3325,6 +3325,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
         ssl->handshake->ciphersuite_info;
     mbedtls_pk_context *peer_pk;
+    psa_algorithm_t psa_sig_alg;
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
 
@@ -3422,9 +3423,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
     /*
      * Check the certificate's key type matches the signature alg
      */
-    if (!mbedtls_pk_can_do_psa(peer_pk,
-                               mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
-                               PSA_KEY_USAGE_VERIFY_HASH)) {
+    psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));
+    if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg, PSA_KEY_USAGE_VERIFY_HASH)) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
     }
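Review bot: The comment directly above the new check in the second hunk still says it verifies only that "the certificate's key type matches the signature alg", but with `mbedtls_md_psa_alg_from_type(md_alg)` replacing `PSA_ALG_ANY_HASH` the check now also constrains the digest, so a peer key whose policy allows the pk algorithm only with a different hash may now be rejected here; suggest `/* Check the certificate's key can be used with the negotiated signature and hash algorithm */`. For the same reason the debug message `sig_alg doesn't match cert key` no longer tells a reader which of the two mismatched; including the values, e.g. `MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg (pk %d, md %d) doesn't match cert key", (int) pk_alg, (int) md_alg));`, would make handshake failures diagnosable from the log. If md_alg can still be MBEDTLS_MD_NONE when this line is reached (it is parsed earlier in the function, outside the hunk), the derived algorithm presumably is one the key cannot do and the check fails closed, which is the safe outcome but worth a one-line comment so nobody later "fixes" it into an accept. ssl_parse_certificate_verify starts before the first hunk and continues after the second.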