Merge pull request #10276 from bjwtaylor/switch-to-mbedtls_pk_verify_new

Switch to mbedtls_pk_verify_new
2025-09-24 05:00:45 -04:00 · 2025-07-21 14:57:05 +00:00 · 2025-07-21 14:57:05 +00:00 · f2d4cbbb0e
commit f2d4cbbb0e
parent b5fd7b9a54 5be8511151
4 changed files with 6 additions and 7 deletions
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -2082,8 +2082,7 @@ start_processing:

 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
        if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
-            ret = mbedtls_pk_verify_ext(pk_alg, NULL,
-                                        peer_pk,
+            ret = mbedtls_pk_verify_new(pk_alg, peer_pk,
                                        md_alg, hash, hashlen,
                                        p, sig_len);
        } else
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -300,13 +300,13 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,

    MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);

-    if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
+    if ((ret = mbedtls_pk_verify_new(sig_alg,
                                     &ssl->session_negotiate->peer_cert->pk,
                                     md_alg, verify_hash, verify_hash_len,
                                     p, signature_len)) == 0) {
        return 0;
    }
-    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
+    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret);

 error:
    /* RFC 8446 section 4.4.3
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2060,7 +2060,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
        }

-        if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
+        if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk,
                                  crl_list->sig_md, hash, hash_length,
                                  crl_list->sig.p, crl_list->sig.len) != 0) {
            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@ -2134,7 +2134,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
    (void) rs_ctx;
 #endif

-    return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
+    return mbedtls_pk_verify_new(child->sig_pk, &parent->pk,
                                 child->sig_md, hash, hash_len,
                                 child->sig.p, child->sig.len);
 }
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
        goto cleanup;
    }

-    if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
+    if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,
                              csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
                              csr.sig.p, csr.sig.len) != 0) {
        ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;