Add supported_curves/groups extension

This allows us to use a ciphersuite that will still be supported in 4.0. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-06-26 15:07:59 +08:00 · 2025-02-12 12:36:28 +01:00 · 2025-02-12 12:36:28 +01:00 · e916652390
commit e916652390
parent 6637ef798f
2 changed files with 30 additions and 13 deletions
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@ -3330,7 +3330,7 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3
 TLS 1.3 srv, max early data size, HRR, 98, wsz=49
 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0

-# 1.2 minimal ClientHello breakdown:
+# (Minimal) ClientHello breakdown:
 # 160303rlrl - record header, 2-byte record contents len
 # 01hlhlhl - handshake header, 3-byte handshake message len
 # 0303 - protocol version: 1.2
@ -3338,23 +3338,37 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
 # 00 - session ID (empty)
 # 0002cvcv - ciphersuite list: 2-byte len + list of 2-byte values (see below)
 # 0100 - compression methods: 1-byte len then "null" (only legal value now)
-# [then end, or extensions]
+# [then end, or extensions, see notes below]
 # elel - 2-byte extensions length
 # ...
+# 000a - elliptic_curves aka supported_groups
+# 0004 - extension length
+# 0002 - length of named_curve_list / named_group_list
+# 0017 - secp256r1 aka NIST P-256
+# ...
 #
 # Note: currently our TLS "1.3 or 1.2" code requires extension length to be
 # present even it it's 0. This is not strictly compliant but doesn't matter
 # much in practice as these days everyone wants to use signature_algorithms
 # (for hashes better than SHA-1), secure_renego (even if you have renego
 # disabled), and most people want either ECC or PSK related extensions.
+# See https://github.com/Mbed-TLS/mbedtls/issues/9963
+#
+# Also, currently we won't negotiate ECC ciphersuites unless at least the
+# supported_groups extension is present, see
+# https://github.com/Mbed-TLS/mbedtls/issues/7458
 #
 # Note: cccc is currently not assigned, so can be used get a consistent
 # "no matching ciphersuite" behaviour regardless of the configuration.
-# 002f is MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, MTI in 1.2, but removed in 4.0.
-Inject ClientHello - TLS 1.2 good (for reference)
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_SSL_HAVE_AES:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_HAVE_CBC
-inject_client_content_on_the_wire:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002002f01000000":"<= parse client hello":0
+# c02b is MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (1.2)

+# See "ClientHello breakdown" above
+# MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with secp256r1
+Inject ClientHello - TLS 1.2 good (for reference)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_SSL_HAVE_AES:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_ECP_HAVE_SECP256R1
+inject_client_content_on_the_wire:MBEDTLS_PK_ECDSA:MBEDTLS_SSL_CLIENT_HELLO:"16030300370100003303030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002c02b01000008000a000400020017":"<= parse client hello":0
+
+# See "ClientHello breakdown" above
 Inject ClientHello - TLS 1.2 unknown ciphersuite (for reference)
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
-inject_client_content_on_the_wire:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002cccc01000000":"got no ciphersuites in common":MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C
+inject_client_content_on_the_wire:MBEDTLS_PK_RSA:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002cccc01000000":"got no ciphersuites in common":MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -5015,8 +5015,9 @@ exit:
 /* END_CASE */

 /* BEGIN_CASE */
-void inject_client_content_on_the_wire(int state, data_t *hello, char *log_pattern,
-                                       int expected_ret)
+void inject_client_content_on_the_wire(int pk_alg,
+                                       int state, data_t *data,
+                                       char *log_pattern, int expected_ret)
 {
    /* This function allows us to inject content at a specific state
     * in the handshake, or when it's completed. The content is injected
@ -5045,7 +5046,9 @@ void inject_client_content_on_the_wire(int state, data_t *hello, char *log_patte
    srv_pattern.pattern = log_pattern;
    options.srv_log_obj = &srv_pattern;
    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
-    mbedtls_debug_set_threshold(3);
+    mbedtls_debug_set_threshold(5);
+
+    options.pk_alg = pk_alg;

    ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                         &options, NULL, NULL, NULL);
@ -5064,8 +5067,8 @@ void inject_client_content_on_the_wire(int state, data_t *hello, char *log_patte
    TEST_EQUAL(ret, 0);

    /* Send the crafted message */
-    ret = mbedtls_test_mock_tcp_send_b(&client.socket, hello->x, hello->len);
-    TEST_ASSERT(ret >= 0 && (size_t) ret == hello->len);
+    ret = mbedtls_test_mock_tcp_send_b(&client.socket, data->x, data->len);
+    TEST_ASSERT(ret >= 0 && (size_t) ret == data->len);

    /* Have the server process it.
     * Need the loop because a server that support 1.3 and 1.2