library: extend mbedtls_ssl_iana_tls_group_info_t structure

Add new field that tells if the corresponding group is supported or not in the current build. Test function "test_mbedtls_ssl_get_supported_group_list" is extended to verify this new feature. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-20 11:11:08 +01:00 · 2026-01-27 23:37:50 +01:00
parent 9b49d5dbde
commit 476a2edea7
2 changed files with 109 additions and 23 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3661,18 +3661,93 @@ void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */

 /**
- * This structure defines the correpondence between IANA's TLS-ID and its
- * corresponding group name.
- * This is used in macro #MBEDTLS_SSL_IANA_TLS_GROUPS_INFO to define the list
- * of known TLS IDs and corresponding group names.
+ * This structure defines each entry of the macro #MBEDTLS_SSL_IANA_TLS_GROUPS_INFO.
 *
- * Future versions of the library might add new fields to this structure.
+ * \note Future versions of the library might add new fields to this structure.
 */
 typedef struct {
+    /** TLS-ID */
    uint16_t tls_id;
+
+    /** Group name */
    const char *group_name;
+
+    /** 1 if the group is supported; 0 otherwise */
+    uint8_t is_supported;
 } mbedtls_ssl_iana_tls_group_info_t;

+/* Helpers to check which PSA_WANT_xxx symbols are defined for groups. */
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define MBEDTLS_SSL_HAVE_GROUP_X25519 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_X25519 0
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+#define MBEDTLS_SSL_HAVE_GROUP_SECP256R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_SECP256R1 0
+#endif
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+#define MBEDTLS_SSL_HAVE_GROUP_SECP256K1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_SECP256K1 0
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+#define MBEDTLS_SSL_HAVE_GROUP_SECP384R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_SECP384R1 0
+#endif
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define MBEDTLS_SSL_HAVE_GROUP_X448 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_X448 0
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+#define MBEDTLS_SSL_HAVE_GROUP_SECP521R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_SECP521R1 0
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define MBEDTLS_SSL_HAVE_GROUP_BP256R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_BP256R1 0
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define MBEDTLS_SSL_HAVE_GROUP_BP384R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_BP384R1 0
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define MBEDTLS_SSL_HAVE_GROUP_BP512R1 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_BP512R1 0
+#endif
+#if defined(PSA_WANT_DH_RFC7919_2048)
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 0
+#endif
+#if defined(PSA_WANT_DH_RFC7919_3072)
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 0
+#endif
+#if defined(PSA_WANT_DH_RFC7919_4096)
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 0
+#endif
+#if defined(PSA_WANT_DH_RFC7919_6144)
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 0
+#endif
+#if defined(PSA_WANT_DH_RFC7919_8192)
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 1
+#else
+#define MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 0
+#endif
+
 /**
 * Initializer for a list of known TLS 1.2 named elliptic curves and
 * TLS 1.3 groups, with their names.
@@ -3680,23 +3755,23 @@ typedef struct {
 * Each entry is a structure of type #mbedtls_ssl_iana_tls_group_info_t.
 * The last entry has `tls_id = 0` and `group_name = NULL`.
 */
-#define MBEDTLS_SSL_IANA_TLS_GROUPS_INFO                            \
-    {                                                               \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },            \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },                \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },  \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },  \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },  \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192" },      \
-        { MBEDTLS_SSL_IANA_TLS_GROUP_NONE, NULL }                   \
+#define MBEDTLS_SSL_IANA_TLS_GROUPS_INFO                                                           \
+    {                                                                                              \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", MBEDTLS_SSL_HAVE_GROUP_X25519 },            \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", MBEDTLS_SSL_HAVE_GROUP_SECP256R1 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", MBEDTLS_SSL_HAVE_GROUP_SECP256K1 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", MBEDTLS_SSL_HAVE_GROUP_SECP384R1 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", MBEDTLS_SSL_HAVE_GROUP_X448 },                  \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", MBEDTLS_SSL_HAVE_GROUP_SECP521R1 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", MBEDTLS_SSL_HAVE_GROUP_BP256R1 }, \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", MBEDTLS_SSL_HAVE_GROUP_BP384R1 }, \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", MBEDTLS_SSL_HAVE_GROUP_BP512R1 }, \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", MBEDTLS_SSL_HAVE_GROUP_FFDHE2048 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", MBEDTLS_SSL_HAVE_GROUP_FFDHE3072 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", MBEDTLS_SSL_HAVE_GROUP_FFDHE4096 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", MBEDTLS_SSL_HAVE_GROUP_FFDHE6144 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", MBEDTLS_SSL_HAVE_GROUP_FFDHE8192 },   \
+        { MBEDTLS_SSL_IANA_TLS_GROUP_NONE, NULL, 1 }                                               \
    }

 #if defined(MBEDTLS_DEBUG_C)
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3580,15 +3580,26 @@ void test_mbedtls_ssl_get_supported_group_list(int iana_group_id, int is_availab
    const uint16_t *list = mbedtls_ssl_get_supported_group_list();
    int found = 0;

+    /* First: go through the list returned by mbedtls_ssl_get_supported_group_list() and
+     * check that the specified group ID is supported/unsupported as expected. */
    for (int i = 0; list[i] != MBEDTLS_SSL_IANA_TLS_GROUP_NONE; i++) {
        if (list[i] == iana_group_id) {
            found = 1;
            break;
        }
    }
-
    TEST_EQUAL(found, is_available);

+    /* Second: check that supported/unsupported property for the specified group is also
+     * correctly set in the array initialized by MBEDTLS_SSL_IANA_TLS_GROUP_NONE. */
+    mbedtls_ssl_iana_tls_group_info_t group_info_table[] = MBEDTLS_SSL_IANA_TLS_GROUPS_INFO;
+    mbedtls_ssl_iana_tls_group_info_t *ptr;
+    for (ptr = &group_info_table[0]; ptr->tls_id != MBEDTLS_SSL_IANA_TLS_GROUP_NONE; ptr++) {
+        if (ptr->tls_id == iana_group_id) {
+            TEST_EQUAL(ptr->is_supported, is_available);
+        }
+    }
+
 exit:;
 }
 /* END_CASE */