Add mbedtls_ssl_check_curve_tls_id() (internal)

This can be used to validate the server's choice of group in the PSA
case (this will be done in the next commit).

Note that new function doesn't depend on ECP_C, as it only requires
mbedtls_ssl_get_groups(), which is always available. As a general rule,
functions for defining and enforcing policy in the TLS module should not
depend on low-level modules but work with TLS-level identifiers are much
as possible, and this new function follows that principle.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2022-01-18 13:10:56 +01:00
parent 3caa0edb9b
commit 0d63b84fa4
2 changed files with 12 additions and 3 deletions

View file

@ -1288,6 +1288,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
unsigned char mbedtls_ssl_hash_from_md_alg( int md ); unsigned char mbedtls_ssl_hash_from_md_alg( int md );
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ); int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
#endif #endif

View file

@ -7054,18 +7054,16 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md )
} }
} }
#if defined(MBEDTLS_ECP_C)
/* /*
* Check if a curve proposed by the peer is in our list. * Check if a curve proposed by the peer is in our list.
* Return 0 if we're willing to use it, -1 otherwise. * Return 0 if we're willing to use it, -1 otherwise.
*/ */
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id )
{ {
const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
if( group_list == NULL ) if( group_list == NULL )
return( -1 ); return( -1 );
uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
for( ; *group_list != 0; group_list++ ) for( ; *group_list != 0; group_list++ )
{ {
@ -7075,6 +7073,16 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i
return( -1 ); return( -1 );
} }
#if defined(MBEDTLS_ECP_C)
/*
* Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
*/
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
{
uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
return mbedtls_ssl_check_curve_tls_id( ssl, tls_id );
}
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)