Add mbedtls_ssl_check_curve_tls_id() (internal)

This can be used to validate the server's choice of group in the PSA case (this will be done in the next commit). Backport of 0d63b84fa49ecb758dbec4fd7a94df59fe8367ab with a very different implementation, as 2.28 still stores the list of allowed groups with their mbedtls_ecp group IDs, not the IANA/TLS group IDs (changed by https://github.com/ARMmbed/mbedtls/pull/4859/ in 3.x). Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-03-04 15:49:52 +00:00 · 2022-02-14 11:34:47 +01:00 · 2022-02-14 11:34:47 +01:00 · 298d6cc397
parent 97f188289d
commit 298d6cc397
2 changed files with 13 additions and 0 deletions
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -1112,6 +1112,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );

 #if defined(MBEDTLS_ECP_C)
 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
+int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7326,6 +7326,18 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i

    return( -1 );
 }
+
+/*
+ * Same as mbedtls_ssl_check_curve() but takes a TLS ID for the curve.
+ */
+int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id )
+{
+    const mbedtls_ecp_curve_info *curve_info =
+        mbedtls_ecp_curve_info_from_tls_id( tls_id );
+    if( curve_info == NULL )
+        return( -1 );
+    return( mbedtls_ssl_check_curve( ssl, curve_info->grp_id ) );
+}
 #endif /* MBEDTLS_ECP_C */

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)