tls: remove dependency from mbedtls_ecp_curve functions
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index d55b7f7..dc74ac6 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -257,23 +257,6 @@
#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-/* This function transforms an ECC group identifier from
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
- * into a PSA ECC group identifier. */
-#if defined(MBEDTLS_ECP_C)
-static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
- uint16_t tls_ecc_grp_reg_id, size_t *bits)
-{
- const mbedtls_ecp_curve_info *curve_info =
- mbedtls_ecp_curve_info_from_tls_id(tls_ecc_grp_reg_id);
- if (curve_info == NULL) {
- return 0;
- }
- return PSA_KEY_TYPE_ECC_KEY_PAIR(
- mbedtls_ecc_group_to_psa(curve_info->grp_id, bits));
-}
-#endif /* MBEDTLS_ECP_C */
-
/* Expose whatever RNG the PSA subsystem uses to applications using the
* mbedtls_xxx API. The declarations and definitions here need to be
* consistent with the implementation in library/psa_crypto_random_impl.h.
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 57a73a4..863ce21 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -266,16 +266,16 @@
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) ||
(mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) &&
mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list))) {
- const mbedtls_ecp_curve_info *curve_info;
- curve_info = mbedtls_ecp_curve_info_from_tls_id(*group_list);
- if (curve_info == NULL) {
+ if (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) ==
+ MBEDTLS_ECP_DP_NONE) {
continue;
}
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
p += 2;
MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
- curve_info->name, *group_list));
+ mbedtls_ssl_get_curve_name_from_tls_id(*group_list),
+ *group_list));
}
#endif /* MBEDTLS_ECP_C */
/* Add DHE groups here */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a070366..d9df015 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -781,7 +781,7 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
+ uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@@ -1554,6 +1554,70 @@
int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
#endif
+/**
+ * \brief Return PSA EC info for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \param family If the TLD ID is supported, then proper \c psa_ecc_family_t
+ * value is returned here. Can be NULL.
+ * \param bits If the TLD ID is supported, then proper bit size is returned
+ * here. Can be NULL.
+ * \return PSA_SUCCESS if the TLS ID is supported,
+ * PSA_ERROR_NOT_SUPPORTED otherwise
+ *
+ * \note If either \c family or \c bits parameters are NULL, then
+ * the corresponding value is not returned.
+ * The function can be called with both parameters as NULL
+ * simply to check if a specific TLS ID is supported.
+ */
+int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
+ psa_ecc_family_t *family,
+ size_t *bits);
+
+/**
+ * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
+ * or MBEDTLS_ECP_DP_NONE otherwise
+ */
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
+
+/**
+ * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
+ *
+ * \param grp_id The \c mbedtls_ecp_group_id ID to look for
+ * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
+ * or 0 otherwise
+ */
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
+
+/**
+ * \brief Return EC's name for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \return A pointer to a const string with the proper name. If TLS
+ * ID is not suppoted, a NULL pointer is returned insted.
+ */
+const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
+
+/* This function transforms an ECC group identifier from
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+ * into a PSA ECC group identifier. */
+#if defined(MBEDTLS_ECP_C)
+static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
+ uint16_t tls_ecc_grp_reg_id, size_t *bits)
+{
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ssl_get_ecp_group_id_from_tls_id(tls_ecc_grp_reg_id);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ return 0;
+ }
+ return PSA_KEY_TYPE_ECC_KEY_PAIR(
+ mbedtls_ecc_group_to_psa(grp_id, bits));
+}
+#endif /* MBEDTLS_ECP_C */
+
#if defined(MBEDTLS_SSL_DTLS_SRTP)
static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
(const uint16_t srtp_profile_value)
@@ -2153,9 +2217,8 @@
{
#if defined(MBEDTLS_ECDH_C)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
- const mbedtls_ecp_curve_info *curve_info =
- mbedtls_ecp_curve_info_from_tls_id(named_group);
- if (curve_info != NULL) {
+ if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
+ MBEDTLS_ECP_DP_NONE) {
return 1;
}
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3b67fdc..5c62393 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1040,13 +1040,13 @@
}
for (size_t i = 0; i < length; i++) {
- const mbedtls_ecp_curve_info *info =
- mbedtls_ecp_curve_info_from_grp_id(curve_list[i]);
- if (info == NULL) {
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ curve_list[i]);
+ if (tls_id == 0) {
mbedtls_free(group_list);
return MBEDTLS_ERR_SSL_BAD_CONFIG;
}
- group_list[i] = info->tls_id;
+ group_list[i] = tls_id;
}
group_list[length] = 0;
@@ -4019,7 +4019,7 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/* explicit void pointer cast for buggy MS compiler */
- mbedtls_free((void *) handshake->curves);
+ mbedtls_free((void *) handshake->curves_tls_id);
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@@ -5418,19 +5418,119 @@
*/
int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
{
- const mbedtls_ecp_curve_info *grp_info =
- mbedtls_ecp_curve_info_from_grp_id(grp_id);
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
- if (grp_info == NULL) {
+ if (tls_id == 0) {
return -1;
}
- uint16_t tls_id = grp_info->tls_id;
-
return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
}
#endif /* MBEDTLS_ECP_C */
+static const struct {
+ uint16_t tls_id;
+ mbedtls_ecp_group_id ecp_group_id;
+ psa_ecc_family_t psa_family;
+ uint16_t bits;
+ const char *name;
+} tls_id_match_table[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
+ { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521, "secp521r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+ { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, "brainpoolP512r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+ { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384, "secp384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
+ { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, "brainpoolP384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+ { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256, "secp256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
+ { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256, "secp256k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
+ { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, "brainpoolP256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
+ { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224, "secp224r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
+ { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224, "secp224k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
+ { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192, "secp192r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
+ { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192, "secp192k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
+ { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 256, "x25519" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
+ { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448, "x448" },
+#endif
+ { 0, MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
+};
+
+int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
+ psa_ecc_family_t *family,
+ size_t *bits)
+{
+ for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
+ if (tls_id_match_table[i].tls_id == tls_id) {
+ if (family != NULL) {
+ *family = tls_id_match_table[i].psa_family;
+ }
+ if (bits != NULL) {
+ *bits = tls_id_match_table[i].bits;
+ }
+ return PSA_SUCCESS;
+ }
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
+{
+ for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
+ if (tls_id_match_table[i].tls_id == tls_id) {
+ return tls_id_match_table[i].ecp_group_id;
+ }
+ }
+
+ return MBEDTLS_ECP_DP_NONE;
+}
+
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
+{
+ for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
+ i++) {
+ if (tls_id_match_table[i].ecp_group_id == grp_id) {
+ return tls_id_match_table[i].tls_id;
+ }
+ }
+
+ return 0;
+}
+
+const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
+{
+ for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
+ if (tls_id_match_table[i].tls_id == tls_id) {
+ return tls_id_match_table[i].name;
+ }
+ }
+
+ return NULL;
+}
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 840c0a4..41de916 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1778,7 +1778,7 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
{
- const mbedtls_ecp_curve_info *curve_info;
+ uint16_t tls_id;
mbedtls_ecp_group_id grp_id;
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
grp_id = ssl->handshake->ecdh_ctx.grp.id;
@@ -1786,13 +1786,14 @@
grp_id = ssl->handshake->ecdh_ctx.grp_id;
#endif
- curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id);
- if (curve_info == NULL) {
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
+ if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
+ mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
return -1;
@@ -2222,15 +2223,15 @@
* that TLS ID here
*/
uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
- const mbedtls_ecp_curve_info *curve_info;
+ uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ MBEDTLS_ECP_DP_SECP256R1);
- if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(
- MBEDTLS_ECP_DP_SECP256R1)) == NULL) {
+ if (exp_tls_id == 0) {
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
- (read_tls_id != curve_info->tls_id)) {
+ (read_tls_id != exp_tls_id)) {
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 399750b..44ad452 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -182,7 +182,8 @@
{
size_t list_size, our_size;
const unsigned char *p;
- const mbedtls_ecp_curve_info *curve_info, **curves;
+ //const mbedtls_ecp_curve_info *curve_info, **curves;
+ uint16_t *curves_tls_id;
if (len < 2) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
@@ -200,7 +201,7 @@
}
/* Should never happen unless client duplicates the extension */
- if (ssl->handshake->curves != NULL) {
+ if (ssl->handshake->curves_tls_id != NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
@@ -214,20 +215,22 @@
our_size = MBEDTLS_ECP_DP_MAX;
}
- if ((curves = mbedtls_calloc(our_size, sizeof(*curves))) == NULL) {
+ if ((curves_tls_id = mbedtls_calloc(our_size,
+ sizeof(*curves_tls_id))) == NULL) {
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
- ssl->handshake->curves = curves;
+ ssl->handshake->curves_tls_id = curves_tls_id;
p = buf + 2;
while (list_size > 0 && our_size > 1) {
- curve_info = mbedtls_ecp_curve_info_from_tls_id((p[0] << 8) | p[1]);
+ uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
- if (curve_info != NULL) {
- *curves++ = curve_info;
+ if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
+ MBEDTLS_ECP_DP_NONE) {
+ *curves_tls_id++ = curr_tls_id;
our_size--;
}
@@ -657,16 +660,18 @@
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_key_curve(mbedtls_pk_context *pk,
- const mbedtls_ecp_curve_info **curves)
+ uint16_t *curves_tls_id)
{
- const mbedtls_ecp_curve_info **crv = curves;
+ uint16_t *curr_tls_id = curves_tls_id;
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
+ mbedtls_ecp_group_id curr_grp_id;
- while (*crv != NULL) {
- if ((*crv)->grp_id == grp_id) {
+ while (*curr_tls_id != 0) {
+ curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
+ if (curr_grp_id == grp_id) {
return 0;
}
- crv++;
+ curr_tls_id++;
}
return -1;
@@ -758,7 +763,8 @@
#if defined(MBEDTLS_ECDSA_C)
if (pk_alg == MBEDTLS_PK_ECDSA &&
- ssl_check_key_curve(&cur->cert->pk, ssl->handshake->curves) != 0) {
+ ssl_check_key_curve(&cur->cert->pk,
+ ssl->handshake->curves_tls_id) != 0) {
MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
continue;
}
@@ -821,8 +827,8 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
- (ssl->handshake->curves == NULL ||
- ssl->handshake->curves[0] == NULL)) {
+ (ssl->handshake->curves_tls_id == NULL ||
+ ssl->handshake->curves_tls_id[0] == 0)) {
MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
"no common elliptic curve"));
return 0;
@@ -2741,7 +2747,6 @@
ssl->out_msglen;
size_t output_offset = 0;
size_t output_len = 0;
- const mbedtls_ecp_curve_info *curve_info;
/*
* The first 3 bytes are:
@@ -2751,12 +2756,13 @@
* However since we only support secp256r1 for now, we hardcode its
* TLS ID here
*/
- if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(
- MBEDTLS_ECP_DP_SECP256R1)) == NULL) {
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ MBEDTLS_ECP_DP_SECP256R1);
+ if (tls_id == 0) {
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
*out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
- MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, out_p, 1);
+ MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
output_offset += 3;
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
@@ -2869,30 +2875,32 @@
* ECPoint public;
* } ServerECDHParams;
*/
- const mbedtls_ecp_curve_info **curve = NULL;
+ uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
/* Match our preference list against the offered curves */
- if (group_list == NULL) {
+ if ((group_list == NULL) || (curr_tls_id == NULL)) {
return MBEDTLS_ERR_SSL_BAD_CONFIG;
}
for (; *group_list != 0; group_list++) {
- for (curve = ssl->handshake->curves; *curve != NULL; curve++) {
- if ((*curve)->tls_id == *group_list) {
+ for (curr_tls_id = ssl->handshake->curves_tls_id;
+ *curr_tls_id != 0; curr_tls_id++) {
+ if (*curr_tls_id == *group_list) {
goto curve_matching_done;
}
}
}
curve_matching_done:
- if (curve == NULL || *curve == NULL) {
+ if (*curr_tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
- MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", (*curve)->name));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
+ mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
@@ -2908,7 +2916,7 @@
/* Convert EC group to PSA key type. */
handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group(
- (*curve)->tls_id, &ecdh_bits);
+ *curr_tls_id, &ecdh_bits);
if (handshake->ecdh_psa_type == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
@@ -2932,7 +2940,7 @@
/*
* Next two bytes are the namedcurve value
*/
- MBEDTLS_PUT_UINT16_BE((*curve)->tls_id, p, 0);
+ MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
p += 2;
/* Generate ECDH private key. */
@@ -2976,8 +2984,11 @@
/* Determine full message length. */
len += header_size;
#else
+ mbedtls_ecp_group_id curr_grp_id =
+ mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
+
if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
- (*curve)->grp_id)) != 0) {
+ curr_grp_id)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
return ret;
}
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 2bc2715..a2a229b 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -223,9 +223,8 @@
}
for (; *group_list != 0; group_list++) {
- const mbedtls_ecp_curve_info *curve_info;
- curve_info = mbedtls_ecp_curve_info_from_tls_id(*group_list);
- if (curve_info != NULL &&
+ if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list,
+ NULL, NULL) == PSA_SUCCESS) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
*group_id = *group_list;
return 0;
@@ -373,7 +372,6 @@
const unsigned char *end)
{
#if defined(MBEDTLS_ECDH_C)
- const mbedtls_ecp_curve_info *curve_info = NULL;
const unsigned char *p = buf;
int selected_group;
int found = 0;
@@ -400,8 +398,9 @@
* then the client MUST abort the handshake with an "illegal_parameter" alert.
*/
for (; *group_list != 0; group_list++) {
- curve_info = mbedtls_ecp_curve_info_from_tls_id(*group_list);
- if (curve_info == NULL || curve_info->tls_id != selected_group) {
+ if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list,
+ NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
+ *group_list != selected_group) {
continue;
}
@@ -479,14 +478,14 @@
#if defined(MBEDTLS_ECDH_C)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {
- const mbedtls_ecp_curve_info *curve_info =
- mbedtls_ecp_curve_info_from_tls_id(group);
- if (curve_info == NULL) {
+ if (mbedtls_ssl_get_psa_curve_info_from_tls_id(group, NULL, NULL)
+ == PSA_ERROR_NOT_SUPPORTED) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid TLS curve group id"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
+ mbedtls_ssl_get_curve_name_from_tls_id(group)));
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);
if (ret != 0) {