Merge pull request #10282 from bjwtaylor/switch-to-mbedtls_pk_sigalg_t
Switch to mbedtls pk sigalg t
diff --git a/ChangeLog.d/secp256k1-removal.txt b/ChangeLog.d/secp256k1-removal.txt
new file mode 100644
index 0000000..9933b8e
--- /dev/null
+++ b/ChangeLog.d/secp256k1-removal.txt
@@ -0,0 +1,3 @@
+Removals
+ * Support for secp192k1, secp192r1, secp224k1 and secp224r1 EC curves is
+ removed from TLS.
diff --git a/framework b/framework
index 87dbfb2..3f2ef1e 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd
+Subproject commit 3f2ef1ecf6d70b1e6bb7ad587f9a5bd6eaf65a2a
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 7ea0174..55d832c 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -229,10 +229,6 @@
/* Elliptic Curve Groups (ECDHE) */
#define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018
diff --git a/library/mbedtls_check_config.h b/library/mbedtls_check_config.h
index 5e5a5b3..cf5e981 100644
--- a/library/mbedtls_check_config.h
+++ b/library/mbedtls_check_config.h
@@ -45,7 +45,6 @@
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
- defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 72dc941..b635fd9 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2243,10 +2243,6 @@
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
/* Below deprecated curves should be removed with notice to users */
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index dee8029..a997e41 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5893,15 +5893,6 @@
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
{ 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
#endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
- { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_192)
- { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_192)
- { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
-#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
{ 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
#endif
@@ -5966,10 +5957,6 @@
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
{ 0, NULL },
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index ad3feb6..79d3059 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -505,21 +505,6 @@
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 },
#endif
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 0 },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 0 },
-#endif
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
{ MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 },
#else
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 679f05a..513c641 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -257,20 +257,27 @@
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
+ # These reverse dependencies can be removed as part of issue
+ # tf-psa-crypto#364.
'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'],
'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'],
'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'],
- 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
- 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE',
'MBEDTLS_ECP_DP_SECP256R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'],
- 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'],
+ # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while
+ # secp192[k|r]1 were kept only for internal testing (hidden to the end
+ # user). We need to keep these reverse dependencies here until
+ # symbols are hidden/removed from crypto_config.h.
+ 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
+
'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA',
'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
@@ -482,9 +489,7 @@
if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)}
# Find elliptic curve enabling macros by name.
- # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
- curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
- r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
+ curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z')
# Find key exchange enabling macros by name.
key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z')
diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py
index 2267311..0be8ac5 100755
--- a/tests/scripts/set_psa_test_dependencies.py
+++ b/tests/scripts/set_psa_test_dependencies.py
@@ -27,13 +27,9 @@
'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS',
'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN',
'MBEDTLS_CIPHER_PADDING_ZEROS',
- #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED',
#curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED',
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 60b970a..d0278b1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2659,12 +2659,6 @@
run_test_psa_force_curve "secp256k1"
requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
run_test_psa_force_curve "brainpoolP256r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_224
-run_test_psa_force_curve "secp224r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_192
-run_test_psa_force_curve "secp192r1"
-requires_config_enabled PSA_WANT_ECC_SECP_K1_192
-run_test_psa_force_curve "secp192k1"
# Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c700803..3335e5c 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3537,9 +3537,9 @@
/* BEGIN_CASE */
void conf_group()
{
- uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
mbedtls_ssl_config conf;
@@ -4050,21 +4050,6 @@
#else
TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
#endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
- TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#else
- TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_192)
- TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#else
- TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_192)
- TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#else
- TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
#else