From 0d63b84fa49ecb758dbec4fd7a94df59fe8367ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Tue, 18 Jan 2022 13:10:56 +0100
Subject: [PATCH] Add mbedtls_ssl_check_curve_tls_id() (internal)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This can be used to validate the server's choice of group in the PSA
case (this will be done in the next commit).

Note that new function doesn't depend on ECP_C, as it only requires
mbedtls_ssl_get_groups(), which is always available. As a general rule,
functions for defining and enforcing policy in the TLS module should not
depend on low-level modules but work with TLS-level identifiers are much
as possible, and this new function follows that principle.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 library/ssl_misc.h |  1 +
 library/ssl_tls.c  | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ad358b3693..f86e3c6c05 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1288,6 +1288,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
 
+int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
 #if defined(MBEDTLS_ECP_C)
 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f261a6a89a..a4737becc1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7054,18 +7054,16 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md )
     }
 }
 
-#if defined(MBEDTLS_ECP_C)
 /*
  * Check if a curve proposed by the peer is in our list.
  * Return 0 if we're willing to use it, -1 otherwise.
  */
-int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
+int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id )
 {
     const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
 
     if( group_list == NULL )
         return( -1 );
-    uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
 
     for( ; *group_list != 0; group_list++ )
     {
@@ -7075,6 +7073,16 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i
 
     return( -1 );
 }
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
+ */
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
+{
+    uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
+    return mbedtls_ssl_check_curve_tls_id( ssl, tls_id );
+}
 #endif /* MBEDTLS_ECP_C */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)