diff --git a/ChangeLog.d/issue10349.txt b/ChangeLog.d/issue10349.txt new file mode 100644 index 0000000000..ab47659ed8 --- /dev/null +++ b/ChangeLog.d/issue10349.txt @@ -0,0 +1,8 @@ +Features + * Function mbedtls_ssl_get_supported_group_list() is added to return the list + of supported groups IDs (curves and finite fields). + * MBEDTLS_SSL_IANA_TLS_GROUPS_INFO is added to allow defining the list of + mbedtls_ssl_iana_tls_group_info_t items which represent known TLS groups + with corresponding informations. + If MBEDTLS_DEBUG_C is also enabled then mbedtls_ssl_iana_tls_group_info is + also available as implementation of such list. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6b98ad4584..1425896976 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3667,6 +3667,146 @@ void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +/** + * This structure defines each entry of the macro #MBEDTLS_SSL_IANA_TLS_GROUPS_INFO. + * + * \note Future versions of the library might add new fields to this structure. + */ +typedef struct { + /** TLS-ID */ + uint16_t tls_id; + + /** Group name */ + const char *group_name; + + /** 1 if the group is supported; 0 otherwise */ + uint8_t is_supported; +} mbedtls_ssl_iana_tls_group_info_t; + +/* Helpers to check which PSA_WANT_xxx symbols are defined for groups. */ +#if defined(PSA_WANT_ECC_MONTGOMERY_255) +#define MBEDTLS_SSL_HAVE_GROUP_X25519 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_X25519 0 +#endif +#if defined(PSA_WANT_ECC_SECP_R1_256) +#define MBEDTLS_SSL_HAVE_GROUP_SECP256R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_SECP256R1 0 +#endif +#if defined(PSA_WANT_ECC_SECP_K1_256) +#define MBEDTLS_SSL_HAVE_GROUP_SECP256K1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_SECP256K1 0 +#endif +#if defined(PSA_WANT_ECC_SECP_R1_384) +#define MBEDTLS_SSL_HAVE_GROUP_SECP384R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_SECP384R1 0 +#endif +#if defined(PSA_WANT_ECC_MONTGOMERY_448) +#define MBEDTLS_SSL_HAVE_GROUP_X448 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_X448 0 +#endif +#if defined(PSA_WANT_ECC_SECP_R1_521) +#define MBEDTLS_SSL_HAVE_GROUP_SECP521R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_SECP521R1 0 +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) +#define MBEDTLS_SSL_HAVE_GROUP_BP256R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_BP256R1 0 +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) +#define MBEDTLS_SSL_HAVE_GROUP_BP384R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_BP384R1 0 +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) +#define MBEDTLS_SSL_HAVE_GROUP_BP512R1 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_BP512R1 0 +#endif +#if defined(PSA_WANT_DH_RFC7919_2048) +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 0 +#endif +#if defined(PSA_WANT_DH_RFC7919_3072) +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 0 +#endif +#if defined(PSA_WANT_DH_RFC7919_4096) +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 0 +#endif +#if defined(PSA_WANT_DH_RFC7919_6144) +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 0 +#endif +#if defined(PSA_WANT_DH_RFC7919_8192) +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 1 +#else +#define MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 0 +#endif + +/** + * Initializer for a list of known TLS 1.2 named elliptic curves and + * TLS 1.3 groups, with their names. + * + * Each entry is a structure of type #mbedtls_ssl_iana_tls_group_info_t. + * The last entry has `tls_id = 0` and `group_name = NULL`. + */ +#define MBEDTLS_SSL_IANA_TLS_GROUPS_INFO \ + { \ + { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", MBEDTLS_SSL_HAVE_GROUP_X25519 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", MBEDTLS_SSL_HAVE_GROUP_SECP256R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", MBEDTLS_SSL_HAVE_GROUP_SECP256K1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", MBEDTLS_SSL_HAVE_GROUP_SECP384R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", MBEDTLS_SSL_HAVE_GROUP_X448 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", MBEDTLS_SSL_HAVE_GROUP_SECP521R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", MBEDTLS_SSL_HAVE_GROUP_BP256R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", MBEDTLS_SSL_HAVE_GROUP_BP384R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", MBEDTLS_SSL_HAVE_GROUP_BP512R1 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 }, \ + { MBEDTLS_SSL_IANA_TLS_GROUP_NONE, NULL, 1 } \ + } + +#if defined(MBEDTLS_DEBUG_C) +/** + * List of known "TLS ID" <-> "group name". + * #MBEDTLS_SSL_IANA_TLS_GROUPS_INFO is used to initialized the list. + */ +extern mbedtls_ssl_iana_tls_group_info_t mbedtls_ssl_iana_tls_group_info[]; +#endif /* MBEDTLS_DEBUG_C */ + +/** + * \brief Return the list of supported groups (curves and finite fields). + * + * \note The returned list is ordered in ascending order of resource + * usage. This follows the same pattern of the default list being + * used when mbedtls_ssl_conf_groups() is not called. + * + * \note The returned list represents supported groups in the current build + * configuration, not the one set by mbedtls_ssl_conf_groups(). + * + * \note The returned list is static so the user doesn't need to worry + * about it being freed. + * + * \return The list made of IANA NamedGroups IDs (MBEDTLS_SSL_IANA_TLS_GROUP_xxx) + * and is terminated by #MBEDTLS_SSL_IANA_TLS_GROUP_NONE. + */ +const uint16_t *mbedtls_ssl_get_supported_group_list(void); + /** * \brief Set the allowed groups in order of preference. * @@ -3692,6 +3832,10 @@ void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, * keeping with the general principle of favoring the lowest * resource usage. * + * \note The list is not copied internally, only the reference to it + * is saved in \p conf. Do not free \p groups memory for the time + * in which \p conf is being used. + * * \param conf SSL configuration * \param groups List of allowed groups ordered by preference, terminated by 0. * Must contain valid IANA NamedGroup IDs (provided via either an integer diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bc65b0e1d7..54129891a7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2362,6 +2362,60 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +/* The selection should be the same as mbedtls_x509_crt_profile_default in + * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: + * curves with a lower resource usage come first. + * See the documentation of mbedtls_ssl_conf_groups() for what we promise + * about this list. + */ +static const uint16_t ssl_preset_default_groups[] = { +#if defined(PSA_WANT_ECC_MONTGOMERY_255) + MBEDTLS_SSL_IANA_TLS_GROUP_X25519, +#endif +#if defined(PSA_WANT_ECC_SECP_R1_256) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, +#endif +#if defined(PSA_WANT_ECC_SECP_R1_384) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, +#endif +#if defined(PSA_WANT_ECC_MONTGOMERY_448) + MBEDTLS_SSL_IANA_TLS_GROUP_X448, +#endif +#if defined(PSA_WANT_ECC_SECP_R1_521) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) + MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) + MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, +#endif +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) + MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, +#endif +#if defined(PSA_WANT_DH_RFC7919_2048) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, +#endif +#if defined(PSA_WANT_DH_RFC7919_3072) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, +#endif +#if defined(PSA_WANT_DH_RFC7919_4096) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, +#endif +#if defined(PSA_WANT_DH_RFC7919_6144) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, +#endif +#if defined(PSA_WANT_DH_RFC7919_8192) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, +#endif + MBEDTLS_SSL_IANA_TLS_GROUP_NONE +}; + +const uint16_t *mbedtls_ssl_get_supported_group_list(void) +{ + return ssl_preset_default_groups; +} + /* * Set the allowed groups */ @@ -5165,47 +5219,6 @@ void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) memset(conf, 0, sizeof(mbedtls_ssl_config)); } -/* The selection should be the same as mbedtls_x509_crt_profile_default in - * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: - * curves with a lower resource usage come first. - * See the documentation of mbedtls_ssl_conf_groups() for what we promise - * about this list. - */ -static const uint16_t ssl_preset_default_groups[] = { -#if defined(PSA_WANT_ECC_MONTGOMERY_255) - MBEDTLS_SSL_IANA_TLS_GROUP_X25519, -#endif -#if defined(PSA_WANT_ECC_SECP_R1_256) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, -#endif -#if defined(PSA_WANT_ECC_SECP_R1_384) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, -#endif -#if defined(PSA_WANT_ECC_MONTGOMERY_448) - MBEDTLS_SSL_IANA_TLS_GROUP_X448, -#endif -#if defined(PSA_WANT_ECC_SECP_R1_521) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, -#endif -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) - MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, -#endif -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) - MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, -#endif -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) - MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, -#endif -#if defined(PSA_WANT_ALG_FFDH) - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, -#endif - MBEDTLS_SSL_IANA_TLS_GROUP_NONE -}; - static const int ssl_preset_suiteb_ciphersuites[] = { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, @@ -5839,28 +5852,14 @@ uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) } #if defined(MBEDTLS_DEBUG_C) -static const struct { - uint16_t tls_id; - const char *name; -} tls_id_curve_name_table[] = -{ - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, - { 0, NULL }, -}; +mbedtls_ssl_iana_tls_group_info_t mbedtls_ssl_iana_tls_group_info[] = + MBEDTLS_SSL_IANA_TLS_GROUPS_INFO; const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) { - for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { - if (tls_id_curve_name_table[i].tls_id == tls_id) { - return tls_id_curve_name_table[i].name; + for (int i = 0; mbedtls_ssl_iana_tls_group_info[i].tls_id != 0; i++) { + if (mbedtls_ssl_iana_tls_group_info[i].tls_id == tls_id) { + return mbedtls_ssl_iana_tls_group_info[i].group_name; } } diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index b05de38509..6b9c73f11e 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3031,6 +3031,166 @@ ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSI Test configuration of EC groups through mbedtls_ssl_conf_groups() conf_group: +Get supported group list: x25519, positive +depends_on:PSA_WANT_ECC_MONTGOMERY_255 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_X25519:1 + +Get supported group list: x25519, negative +depends_on:!PSA_WANT_ECC_MONTGOMERY_255 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_X25519:0 + +Get supported group list: secp256r1, positive +depends_on:PSA_WANT_ECC_SECP_R1_256 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1:1 + +Get supported group list: secp256r1, negative +depends_on:!PSA_WANT_ECC_SECP_R1_256 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1:0 + +Get supported group list: secp384r1, positive +depends_on:PSA_WANT_ECC_SECP_R1_384 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1:1 + +Get supported group list: secp384r1, negative +depends_on:!PSA_WANT_ECC_SECP_R1_384 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1:0 + +Get supported group list: x448, positive +depends_on:PSA_WANT_ECC_MONTGOMERY_448 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_X448:1 + +Get supported group list: x448, negative +depends_on:!PSA_WANT_ECC_MONTGOMERY_448 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_X448:0 + +Get supported group list: secp521r1, positive +depends_on:PSA_WANT_ECC_SECP_R1_521 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1:1 + +Get supported group list: secp521r1, negative +depends_on:!PSA_WANT_ECC_SECP_R1_521 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1:0 + +Get supported group list: brainpool256r1, positive +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1:1 + +Get supported group list: brainpool256r1, negative +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_256 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1:0 + +Get supported group list: brainpool384r1, positive +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1:1 + +Get supported group list: brainpool384r1, negative +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_384 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1:0 + +Get supported group list: brainpool512r1, positive +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1:1 + +Get supported group list: brainpool512r1, negative +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_512 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1:0 + +Get supported group list: ffdhe2048, positive +depends_on:PSA_WANT_DH_RFC7919_2048 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:1 + +Get supported group list: ffdhe2048, negative +depends_on:!PSA_WANT_DH_RFC7919_2048 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:0 + +Get supported group list: ffdhe3072, positive +depends_on:PSA_WANT_DH_RFC7919_3072 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:1 + +Get supported group list: ffdhe3072, negative +depends_on:!PSA_WANT_DH_RFC7919_3072 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:0 + +Get supported group list: ffdhe4096, positive +depends_on:PSA_WANT_DH_RFC7919_4096 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:1 + +Get supported group list: ffdhe4096, negative +depends_on:!PSA_WANT_DH_RFC7919_4096 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:0 + +Get supported group list: ffdhe6144, positive +depends_on:PSA_WANT_DH_RFC7919_6144 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:1 + +Get supported group list: ffdhe6144, negative +depends_on:!PSA_WANT_DH_RFC7919_6144 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:0 + +Get supported group list: ffdhe8192, positive +depends_on:PSA_WANT_DH_RFC7919_8192 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:1 + +Get supported group list: ffdhe8192, negative +depends_on:!PSA_WANT_DH_RFC7919_8192 +test_mbedtls_ssl_get_supported_group_list:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:0 + +TLS ID <-> group name: x25519 +depends_on:PSA_WANT_ECC_MONTGOMERY_255 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_X25519:"x25519" + +TLS ID <-> group name: secp256r1 +depends_on:PSA_WANT_ECC_SECP_R1_256 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1:"secp256r1" + +TLS ID <-> group name: secp256k1 +depends_on:PSA_WANT_ECC_SECP_K1_256 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1:"secp256k1" + +TLS ID <-> group name: secp384r1 +depends_on:PSA_WANT_ECC_SECP_R1_384 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1:"secp384r1" + +TLS ID <-> group name: x448 +depends_on:PSA_WANT_ECC_MONTGOMERY_448 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_X448:"x448" + +TLS ID <-> group name: secp521r1 +depends_on:PSA_WANT_ECC_SECP_R1_521 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1:"secp521r1" + +TLS ID <-> group name: brainpoolP256r1 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1:"brainpoolP256r1" + +TLS ID <-> group name: brainpoolP384r1 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1:"brainpoolP384r1" + +TLS ID <-> group name: brainpoolP512r1 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1:"brainpoolP512r1" + +TLS ID <-> group name: ffdhe2048 +depends_on:PSA_WANT_DH_RFC7919_2048 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:"ffdhe2048" + +TLS ID <-> group name: ffdhe3072 +depends_on:PSA_WANT_DH_RFC7919_3072 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:"ffdhe3072" + +TLS ID <-> group name: ffdhe4096 +depends_on:PSA_WANT_DH_RFC7919_4096 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:"ffdhe4096" + +TLS ID <-> group name: ffdhe6144 +depends_on:PSA_WANT_DH_RFC7919_6144 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:"ffdhe6144" + +TLS ID <-> group name: ffdhe8192 +depends_on:PSA_WANT_DH_RFC7919_8192 +test_mbedtls_tls_id_group_name_table:MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:"ffdhe8192" + Version config: valid client TLS 1.2 only depends_on:MBEDTLS_SSL_PROTO_TLS1_2 conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:0 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 628a183853..d27d959232 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3574,6 +3574,65 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void test_mbedtls_ssl_get_supported_group_list(int iana_group_id, int is_available) +{ + const uint16_t *list = mbedtls_ssl_get_supported_group_list(); + int found = 0; + + /* First: go through the list returned by mbedtls_ssl_get_supported_group_list() and + * check that the specified group ID is supported/unsupported as expected. */ + for (int i = 0; list[i] != MBEDTLS_SSL_IANA_TLS_GROUP_NONE; i++) { + if (list[i] == iana_group_id) { + found = 1; + break; + } + } + TEST_EQUAL(found, is_available); + + /* Second: check that supported/unsupported property for the specified group is also + * correctly set in the array initialized by MBEDTLS_SSL_IANA_TLS_GROUP_INFO. */ + mbedtls_ssl_iana_tls_group_info_t group_info_table[] = MBEDTLS_SSL_IANA_TLS_GROUPS_INFO; + mbedtls_ssl_iana_tls_group_info_t *ptr; + for (ptr = &group_info_table[0]; ptr->tls_id != MBEDTLS_SSL_IANA_TLS_GROUP_NONE; ptr++) { + if (ptr->tls_id == iana_group_id) { + TEST_EQUAL(ptr->is_supported, is_available); + } + } + +exit:; +} +/* END_CASE */ + +/* BEGIN_CASE */ +void test_mbedtls_tls_id_group_name_table(int group_id, char *group_name) +{ + mbedtls_ssl_iana_tls_group_info_t test_table[] = MBEDTLS_SSL_IANA_TLS_GROUPS_INFO; + mbedtls_ssl_iana_tls_group_info_t *item; + const char *table_name = NULL; + + /* Ensure that the list includes at least 1 valid entry. */ + TEST_ASSERT(test_table[0].tls_id != MBEDTLS_SSL_IANA_TLS_GROUP_NONE); + + for (item = &test_table[0]; item->tls_id != MBEDTLS_SSL_IANA_TLS_GROUP_NONE; item++) { + if (item->tls_id == group_id) { + table_name = item->group_name; + } + } + + TEST_ASSERT(table_name != NULL); + TEST_MEMORY_COMPARE(table_name, strlen(table_name), group_name, strlen(group_name)); + +#if defined(MBEDTLS_DEBUG_C) + const char *builtin_table_name = mbedtls_ssl_get_curve_name_from_tls_id(group_id); + TEST_MEMORY_COMPARE(builtin_table_name, strlen(builtin_table_name), group_name, + strlen(group_name)); +#endif /* MBEDTLS_DEBUG_C */ + +exit:; +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_256 */ void force_bad_session_id_len() {