From 1f97e73114a37bab4655100890680592cdba8204 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 18 Jan 2024 14:14:24 +0100
Subject: [PATCH] mbedtls_pk_get_psa_attributes: force enrollment algorithm off

This avoids a possible gotcha when if the application code reuses an existing attribute structure.

Signed-off-by: Gilles Peskine
---
 library/pk.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/library/pk.c b/library/pk.c
index bde561a1e..706d5d38c 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -397,6 +397,12 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
     usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
     psa_set_key_usage_flags(attributes, usage);
 
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+    /* Assume that we have all Mbed TLS attributes. When
+     * MBEDTLS_PSA_CRYPTO_CLIENT is enabled but not MBEDTLS_PSA_CRYPTO_C,
+     * we only assume standard PSA functions. */
+    psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE);
+#endif
     return 0;
 }
 
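Review bot: The comment on the new `#if defined(MBEDTLS_PSA_CRYPTO_C)` block explains when the call is compiled in but not why the enrollment algorithm is cleared, which is the policy-relevant part: an attribute structure reused from an earlier key could otherwise carry a stale second permitted algorithm and widen the key's policy beyond what this function computes. Suggest adding, before the call, `/* Clear any stale enrollment algorithm left in a reused attribute structure; it would otherwise widen the key's permitted-algorithm policy beyond what this function sets. */`. In client-only builds (MBEDTLS_PSA_CRYPTO_CLIENT without MBEDTLS_PSA_CRYPTO_C) the reset is skipped, so the function's API documentation should tell callers to start from PSA_KEY_ATTRIBUTES_INIT or reset the enrollment algorithm themselves. mbedtls_pk_get_psa_attributes begins before this hunk, so the other attribute setters it relies on are not visible here.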