From db92768497b09d1216c161f6cb819914e9133f4d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 5 Aug 2025 11:22:13 +0200 Subject: [PATCH 1/7] framework: update reference Signed-off-by: Valerio Setti --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 87dbfb290f..3f2ef1ecf6 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd +Subproject commit 3f2ef1ecf6d70b1e6bb7ad587f9a5bd6eaf65a2a From 70a4a31cb566407a7c308f473472c967c070064a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 5 Aug 2025 11:22:29 +0200 Subject: [PATCH 2/7] remove secp224[k|r]1 curves Signed-off-by: Valerio Setti --- include/mbedtls/ssl.h | 2 -- library/ssl_misc.h | 2 -- library/ssl_tls.c | 5 ----- programs/ssl/ssl_test_lib.c | 5 ----- tests/scripts/depends.py | 5 +---- tests/scripts/set_psa_test_dependencies.py | 2 -- tests/ssl-opt.sh | 2 -- tests/suites/test_suite_ssl.function | 6 ------ 8 files changed, 1 insertion(+), 28 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7ea0174612..aa1590f41d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -231,8 +231,6 @@ #define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018 diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 72dc9418f2..66e348c780 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2245,8 +2245,6 @@ static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) /* Below deprecated curves should be removed with notice to users */ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || diff --git a/library/ssl_tls.c b/library/ssl_tls.c index dee80292e2..5709ab7c3c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5893,9 +5893,6 @@ static const struct { #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, #endif -#if defined(PSA_WANT_ECC_SECP_R1_224) - { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, -#endif #if defined(PSA_WANT_ECC_SECP_R1_192) { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, #endif @@ -5966,8 +5963,6 @@ static const struct { { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index ad3feb65b8..d14ff660bd 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c 
@@ -505,11 +505,6 @@ static const struct { #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 }, -#endif #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 }, #else diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 679f05af1b..940c661f12 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -263,7 +263,6 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE', 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], @@ -482,9 +481,7 @@ class DomainData: if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)} # Find elliptic curve enabling macros by name. - # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves - curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|' - r'MBEDTLS_ECP_DP_SECP224K1_ENABLED') + curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index 2267311e44..411cf0c2a0 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py 
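Review bot: The new pattern in the `DomainData` hunk of tests/scripts/depends.py, `r'PSA_WANT_ECC_\w+\Z|'`, keeps the `|` that joined the removed `MBEDTLS_ECP_DP_SECP224K1_ENABLED` alternative, so the regex now ends in an empty alternative that matches any string. How `config_symbols_matching` applies the pattern is not visible here, but `curve_symbols` would likely pick up every config symbol rather than only the curve ones, and the curve domain of this test script would then toggle unrelated options. The line should read `curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z')`. Patch 4/7 makes exactly that edit without mentioning it, so it is better folded into this commit to keep each step of the series bisectable.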
@@ -28,12 +28,10 @@ CLASSIC_DEPENDENCIES = frozenset([ 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN', 'MBEDTLS_CIPHER_PADDING_ZEROS', #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED', diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 60b970aefb..8d26cec242 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2659,8 +2659,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256 run_test_psa_force_curve "secp256k1" requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256 run_test_psa_force_curve "brainpoolP256r1" -requires_config_enabled PSA_WANT_ECC_SECP_R1_224 -run_test_psa_force_curve "secp224r1" requires_config_enabled PSA_WANT_ECC_SECP_R1_192 run_test_psa_force_curve "secp192r1" requires_config_enabled PSA_WANT_ECC_SECP_K1_192 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c70080317c..ad274daec3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3538,7 +3538,6 @@ exit: void conf_group() { uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 
@@ -4050,11 +4049,6 @@ void elliptic_curve_get_properties() #else TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); #endif -#if defined(PSA_WANT_ECC_SECP_R1_224) - TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); -#else - TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); -#endif #if defined(PSA_WANT_ECC_SECP_R1_192) TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); #else From d0d0791aed6a1aac8ff685fd7916e4133408cda4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 5 Aug 2025 11:29:04 +0200 Subject: [PATCH 3/7] remove usage of secp192[k|r]1 curves Signed-off-by: Valerio Setti --- include/mbedtls/ssl.h | 2 -- library/ssl_misc.h | 2 -- library/ssl_tls.c | 8 -------- programs/ssl/ssl_test_lib.c | 10 ---------- tests/scripts/depends.py | 2 -- tests/scripts/set_psa_test_dependencies.py | 2 -- tests/ssl-opt.sh | 4 ---- tests/suites/test_suite_ssl.function | 13 +------------ 8 files changed, 1 insertion(+), 42 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index aa1590f41d..55d832c354 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -229,8 +229,6 @@ /* Elliptic Curve Groups (ECDHE) */ #define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018 diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 66e348c780..b635fd9d0c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2243,8 +2243,6 @@ static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || /* Below deprecated curves should be removed with notice to users */ - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5709ab7c3c..a997e41f32 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5893,12 +5893,6 @@ static const struct { #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, #endif -#if defined(PSA_WANT_ECC_SECP_R1_192) - { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, -#endif -#if defined(PSA_WANT_ECC_SECP_K1_192) - { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, -#endif #if defined(PSA_WANT_ECC_MONTGOMERY_255) { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, #endif @@ -5963,8 +5957,6 @@ static const struct { { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, { 0, NULL }, diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index d14ff660bd..79d3059306 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c 
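Review bot: The comment `/* Below deprecated curves should be removed with notice to users */`, kept as context in the library/ssl_misc.h hunk, now sits directly above `MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1`, `MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1` and `MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1`. The 192-bit entries it introduced are removed here, and the 224-bit ones went in patch 2/7. Read literally, it marks the remaining groups as slated for removal, which misleads anyone auditing which groups TLS 1.2 accepts. Drop the comment in this commit, or narrow it to what it is still meant for, e.g. `/* secp256k1 is deprecated and should be removed with notice to users */` if that is the intent. The body of `mbedtls_ssl_tls12_named_group_is_ecdhe` extends beyond the hunk.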
@@ -505,16 +505,6 @@ static const struct { #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 0 }, -#endif -#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 0 }, -#endif #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255) { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 }, #else diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 940c661f12..b3fbea4b4f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -262,12 +262,10 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE', 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index 411cf0c2a0..0be8ac5e4e 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py 
@@ -27,11 +27,9 @@ CLASSIC_DEPENDENCIES = frozenset([ 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS', 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN', 'MBEDTLS_CIPHER_PADDING_ZEROS', - #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED', diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8d26cec242..d0278b123c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2659,10 +2659,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256 run_test_psa_force_curve "secp256k1" requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256 run_test_psa_force_curve "brainpoolP256r1" -requires_config_enabled PSA_WANT_ECC_SECP_R1_192 -run_test_psa_force_curve "secp192r1" -requires_config_enabled PSA_WANT_ECC_SECP_K1_192 -run_test_psa_force_curve "secp192k1" # Test current time in ServerHello requires_config_enabled MBEDTLS_HAVE_TIME diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ad274daec3..8b192ed97c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3537,8 +3537,7 @@ exit: /* BEGIN_CASE */ void conf_group() { - uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; mbedtls_ssl_config conf; 
@@ -4049,16 +4048,6 @@ void elliptic_curve_get_properties() #else TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); #endif -#if defined(PSA_WANT_ECC_SECP_R1_192) - TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); -#else - TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); -#endif -#if defined(PSA_WANT_ECC_SECP_K1_192) - TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); -#else - TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); -#endif #if defined(PSA_WANT_ECC_MONTGOMERY_255) TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); #else From fa648bacb2bd47471ac7988ad522e0d51ba97f16 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Aug 2025 11:02:25 +0200 Subject: [PATCH 4/7] depends.py: keep reverse dependencies for p192 and p224 curves These reverse dependencies will be removed once tf-psa-crypto will remove the corresponding build symbols. Signed-off-by: Valerio Setti --- tests/scripts/depends.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index b3fbea4b4f..513c6413a5 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -257,6 +257,8 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], + # These reverse dependencies can be removed as part of issue + # tf-psa-crypto#364. 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], 
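Review bot: With both the `TEST_AVAILABLE_ECC` and `TEST_UNAVAILABLE_ECC` branches for TLS IDs 19 and 18 deleted from `elliptic_curve_get_properties()`, nothing in this test pins that the removed groups are rejected; the same holds for ID 21, removed in patch 2/7. Since the series stops TLS from negotiating curves below the 128-bit security level, a negative check would guard against a table entry being reintroduced later, e.g. an unconditional `TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);` and the equivalents for 18 and 21. This assumes the `MBEDTLS_ECP_DP_*` identifiers for those curves still compile after the framework and tf-psa-crypto update; if not, the check would have to go by TLS ID alone. The function starts and ends outside the hunk.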
@@ -268,6 +270,14 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], + # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while + # secp192[k|r]1 were kept only for internal testing (hidden to the end + # user). We need to keep these reverse dependencies here until + # symbols are hidden/removed from crypto_config.h. + 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], + 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', @@ -479,7 +489,7 @@ class DomainData: if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)} # Find elliptic curve enabling macros by name. - curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|') + curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') From 80a623089d8bbbda72e630c72de47495ffe89188 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Aug 2025 11:38:45 +0200 Subject: [PATCH 5/7] tests: ssl: allow more groups in conf_group() Previously 3 different groups were allowed, but since the removal of secp192r1 and secp224r1 only secp256r1 was left. This commit adds other 2 options. Signed-off-by: Valerio Setti --- tests/suites/test_suite_ssl.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8b192ed97c..3335e5c84e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -3538,6 +3538,8 @@ exit: void conf_group() { uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; mbedtls_ssl_config conf; From a2a1c084ef867a9d122b529d7c5d59f9fc0dad6f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Aug 2025 14:02:47 +0200 Subject: [PATCH 6/7] mbedtls_check_config: remove reference to MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224 Signed-off-by: Valerio Setti --- library/mbedtls_check_config.h | 1 - 1 file changed, 1 deletion(-) diff --git a/library/mbedtls_check_config.h b/library/mbedtls_check_config.h index 5e5a5b31db..cf5e981da0 100644 --- a/library/mbedtls_check_config.h +++ b/library/mbedtls_check_config.h @@ -45,7 +45,6 @@ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \ - defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) From 602fa5dd99435a637b162fbe598eab958e7f02b0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 7 Aug 2025 10:18:40 +0200 Subject: [PATCH 7/7] changelog: add note about EC curves support removal in TLS Signed-off-by: Valerio Setti --- ChangeLog.d/secp256k1-removal.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/secp256k1-removal.txt diff --git a/ChangeLog.d/secp256k1-removal.txt b/ChangeLog.d/secp256k1-removal.txt new file mode 100644 index 0000000000..9933b8e7a9 --- /dev/null +++ b/ChangeLog.d/secp256k1-removal.txt @@ -0,0 +1,3 @@ +Removals + * Support for secp192k1, secp192r1, secp224k1 and secp224r1 EC curves is + removed from TLS.