tls: remove dependency from mbedtls_ecp_curve functions

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2025-03-29 22:20:30 +00:00 · 2022-12-30 17:44:24 +01:00 · 2022-12-30 17:44:24 +01:00 · 18c9fed857
commit 18c9fed857
parent b402e4bde1
7 changed files with 238 additions and 80 deletions
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@ -264,22 +264,6 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
 #define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
    PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE( PSA_VENDOR_ECC_MAX_CURVE_BITS )

-/* This function transforms an ECC group identifier from
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
- * into a PSA ECC group identifier. */
-#if defined(MBEDTLS_ECP_C)
-static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
-    uint16_t tls_ecc_grp_reg_id, size_t *bits )
-{
-    const mbedtls_ecp_curve_info *curve_info =
-        mbedtls_ecp_curve_info_from_tls_id( tls_ecc_grp_reg_id );
-    if( curve_info == NULL )
-        return( 0 );
-    return( PSA_KEY_TYPE_ECC_KEY_PAIR(
-                mbedtls_ecc_group_to_psa( curve_info->grp_id, bits ) ) );
-}
-#endif /* MBEDTLS_ECP_C */
-
 /* Expose whatever RNG the PSA subsystem uses to applications using the
 * mbedtls_xxx API. The declarations and definitions here need to be
 * consistent with the implementation in library/psa_crypto_random_impl.h.
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -266,15 +266,17 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
            ( mbedtls_ssl_conf_is_tls12_enabled( ssl->conf ) &&
              mbedtls_ssl_tls12_named_group_is_ecdhe( *group_list ) ) )
        {
-            const mbedtls_ecp_curve_info *curve_info;
-            curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
-            if( curve_info == NULL )
+            if( mbedtls_ssl_get_ecp_group_id_from_tls_id( *group_list ) ==
+                MBEDTLS_ECP_DP_NONE )
+            {
                continue;
+            }
            MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
            MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 );
            p += 2;
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )",
-                                curve_info->name, *group_list ) );
+                        mbedtls_ssl_get_curve_name_from_tls_id( *group_list ),
+                        *group_list ) );
        }
 #endif /* MBEDTLS_ECP_C */
        /* Add DHE groups here */
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -787,7 +787,7 @@ struct mbedtls_ssl_handshake_params

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ||      \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
+    uint16_t *curves_tls_id;      /*!<  List of TLS IDs of supported elliptic curves */
 #endif

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@ -1576,6 +1576,69 @@ MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
 #endif

+/**
+ * \brief Return PSA EC info for the specified TLS ID.
+ *
+ * \param tls_id    The TLS ID to look for
+ * \param family    If the TLD ID is supported, then proper \c psa_ecc_family_t
+ *                  value is returned here. Can be NULL.
+ * \param bits      If the TLD ID is supported, then proper bit size is returned
+ *                  here. Can be NULL.
+ * \return          PSA_SUCCESS if the TLS ID is supported,
+ *                  PSA_ERROR_NOT_SUPPORTED otherwise
+ *
+ * \note            If either \c family or \c bits parameters are NULL, then
+ *                  the corresponding value is not returned.
+ *                  The function can be called with both parameters as NULL
+ *                  simply to check if a specific TLS ID is supported.
+ */
+int mbedtls_ssl_get_psa_curve_info_from_tls_id( uint16_t tls_id,
+                                                psa_ecc_family_t *family,
+                                                size_t* bits );
+
+/**
+ * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
+ *
+ * \param tls_id    The TLS ID to look for
+ * \return          Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
+ *                  or MBEDTLS_ECP_DP_NONE otherwise
+ */
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id( uint16_t tls_id );
+
+/**
+ * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
+ *
+ * \param grp_id    The \c mbedtls_ecp_group_id ID to look for
+ * \return          Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
+ *                  or 0 otherwise
+ */
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id( mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief Return EC's name for the specified TLS ID.
+ *
+ * \param tls_id    The TLS ID to look for
+ * \return          A pointer to a const string with the proper name. If TLS
+ *                  ID is not suppoted, a NULL pointer is returned insted.
+ */
+const char* mbedtls_ssl_get_curve_name_from_tls_id( uint16_t tls_id );
+
+/* This function transforms an ECC group identifier from
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+ * into a PSA ECC group identifier. */
+#if defined(MBEDTLS_ECP_C)
+static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
+    uint16_t tls_ecc_grp_reg_id, size_t *bits )
+{
+    mbedtls_ecp_group_id grp_id =
+            mbedtls_ssl_get_ecp_group_id_from_tls_id( tls_ecc_grp_reg_id );
+    if( grp_id == MBEDTLS_ECP_DP_NONE )
+        return( 0 );
+    return( PSA_KEY_TYPE_ECC_KEY_PAIR(
+                mbedtls_ecc_group_to_psa( grp_id, bits ) ) );
+}
+#endif /* MBEDTLS_ECP_C */
+
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
                                                    ( const uint16_t srtp_profile_value )
@ -2173,9 +2236,8 @@ static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
 #if defined(MBEDTLS_ECDH_C)
    if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
    {
-        const mbedtls_ecp_curve_info *curve_info =
-            mbedtls_ecp_curve_info_from_tls_id( named_group );
-        if( curve_info != NULL )
+        if( mbedtls_ssl_get_ecp_group_id_from_tls_id( named_group ) !=
+                        MBEDTLS_ECP_DP_NONE )
            return( 1 );
    }
 #else
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1064,14 +1064,14 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )

        for( size_t i = 0; i < length; i++ )
        {
-            const mbedtls_ecp_curve_info *info =
-                        mbedtls_ecp_curve_info_from_grp_id( curve_list[i] );
-            if ( info == NULL )
+            uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+                                curve_list[i] );
+            if ( tls_id == 0 )
            {
                mbedtls_free( group_list );
                return( MBEDTLS_ERR_SSL_BAD_CONFIG );
            }
-            group_list[i] = info->tls_id;
+            group_list[i] = tls_id;
        }

        group_list[length] = 0;
@ -4048,7 +4048,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    /* explicit void pointer cast for buggy MS compiler */
-    mbedtls_free( (void *) handshake->curves );
+    mbedtls_free( (void *) handshake->curves_tls_id );
 #endif

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@ -5468,18 +5468,118 @@ int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls
 */
 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
 {
-    const mbedtls_ecp_curve_info *grp_info =
-        mbedtls_ecp_curve_info_from_grp_id( grp_id );
+    uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( grp_id );

-    if ( grp_info == NULL )
+    if ( tls_id == 0 )
        return -1;

-    uint16_t tls_id = grp_info->tls_id;
-
    return mbedtls_ssl_check_curve_tls_id( ssl, tls_id );
 }
 #endif /* MBEDTLS_ECP_C */

+static const struct {
+    uint16_t tls_id;
+    mbedtls_ecp_group_id ecp_group_id;
+    psa_ecc_family_t psa_family;
+    uint16_t bits;
+    const char* name;
+} tls_id_match_table[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
+    { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521, "secp521r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+    { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, "brainpoolP512r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+    { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384, "secp384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
+    { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, "brainpoolP384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+    { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256, "secp256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
+    { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256, "secp256k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
+    { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, "brainpoolP256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
+    { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224, "secp224r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
+    { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224, "secp224k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
+    { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192, "secp192r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
+    { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192, "secp192k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
+    { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 256, "x25519" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
+    { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448, "x448" },
+#endif
+    { 0, MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
+};
+
+int mbedtls_ssl_get_psa_curve_info_from_tls_id( uint16_t tls_id,
+                                                psa_ecc_family_t *family,
+                                                size_t* bits )
+{
+    for( int i = 0; tls_id_match_table[i].tls_id != 0; i++ )
+    {
+        if( tls_id_match_table[i].tls_id == tls_id )
+        {
+            if( family != NULL )
+                *family = tls_id_match_table[i].psa_family;
+            if( bits != NULL )
+                *bits = tls_id_match_table[i].bits;
+            return PSA_SUCCESS;
+        }
+    }
+
+    return PSA_ERROR_NOT_SUPPORTED;
+}
+
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id( uint16_t tls_id )
+{
+    for( int i = 0; tls_id_match_table[i].tls_id != 0; i++ )
+    {
+        if( tls_id_match_table[i].tls_id == tls_id )
+            return tls_id_match_table[i].ecp_group_id;
+    }
+
+    return MBEDTLS_ECP_DP_NONE;
+}
+
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id( mbedtls_ecp_group_id grp_id )
+{
+    for( int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
+            i++ )
+    {
+        if( tls_id_match_table[i].ecp_group_id == grp_id )
+            return tls_id_match_table[i].tls_id;
+    }
+
+    return 0;
+}
+
+const char* mbedtls_ssl_get_curve_name_from_tls_id( uint16_t tls_id )
+{
+    for( int i = 0; tls_id_match_table[i].tls_id != 0; i++ )
+    {
+        if( tls_id_match_table[i].tls_id == tls_id )
+            return tls_id_match_table[i].name;
+    }
+
+    return NULL;
+}
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -1870,7 +1870,7 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
 {
-    const mbedtls_ecp_curve_info *curve_info;
+    uint16_t tls_id;
    mbedtls_ecp_group_id grp_id;
 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
    grp_id = ssl->handshake->ecdh_ctx.grp.id;
@ -1878,14 +1878,15 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
    grp_id = ssl->handshake->ecdh_ctx.grp_id;
 #endif

-    curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
-    if( curve_info == NULL )
+    tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( grp_id );
+    if( tls_id == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s",
+                mbedtls_ssl_get_curve_name_from_tls_id( tls_id ) ) );

    if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
        return( -1 );
@ -2346,16 +2347,16 @@ start_processing:
         * that TLS ID here
         */
        uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 );
-        const mbedtls_ecp_curve_info *curve_info;
+        uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+                                    MBEDTLS_ECP_DP_SECP256R1 );

-        if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id(
-                                MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
+        if( exp_tls_id == 0 )
        {
            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
        }

        if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) ||
-            ( read_tls_id != curve_info->tls_id ) )
+            ( read_tls_id != exp_tls_id ) )
        {
            return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
        }
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -180,7 +180,7 @@ static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
 {
    size_t list_size, our_size;
    const unsigned char *p;
-    const mbedtls_ecp_curve_info *curve_info, **curves;
+    uint16_t *curves_tls_id;

    if ( len < 2 ) {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
@ -199,7 +199,7 @@ static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
    }

    /* Should never happen unless client duplicates the extension */
-    if( ssl->handshake->curves != NULL )
+    if( ssl->handshake->curves_tls_id != NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@ -213,23 +213,25 @@ static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
    if( our_size > MBEDTLS_ECP_DP_MAX )
        our_size = MBEDTLS_ECP_DP_MAX;

-    if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
+    if( ( curves_tls_id = mbedtls_calloc( our_size,
+                                sizeof( *curves_tls_id ) ) ) == NULL )
    {
        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
    }

-    ssl->handshake->curves = curves;
+    ssl->handshake->curves_tls_id = curves_tls_id;

    p = buf + 2;
    while( list_size > 0 && our_size > 1 )
    {
-        curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
+        uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE( p, 0 );

-        if( curve_info != NULL )
+        if( mbedtls_ssl_get_ecp_group_id_from_tls_id( curr_tls_id ) !=
+                                        MBEDTLS_ECP_DP_NONE )
        {
-            *curves++ = curve_info;
+            *curves_tls_id++ = curr_tls_id;
            our_size--;
        }

@ -685,16 +687,18 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_ECDSA_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_key_curve( mbedtls_pk_context *pk,
-                                const mbedtls_ecp_curve_info **curves )
+                                uint16_t *curves_tls_id )
 {
-    const mbedtls_ecp_curve_info **crv = curves;
+    uint16_t *curr_tls_id = curves_tls_id;
    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
+    mbedtls_ecp_group_id curr_grp_id;

-    while( *crv != NULL )
+    while( *curr_tls_id != 0 )
    {
-        if( (*crv)->grp_id == grp_id )
+        curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id( *curr_tls_id );
+        if( curr_grp_id == grp_id )
            return( 0 );
-        crv++;
+        curr_tls_id++;
    }

    return( -1 );
@ -789,7 +793,8 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,

 #if defined(MBEDTLS_ECDSA_C)
        if( pk_alg == MBEDTLS_PK_ECDSA &&
-            ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
+            ssl_check_key_curve( &cur->cert->pk,
+                            ssl->handshake->curves_tls_id ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
            continue;
@ -857,8 +862,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
    if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
-        ( ssl->handshake->curves == NULL ||
-          ssl->handshake->curves[0] == NULL ) )
+        ( ssl->handshake->curves_tls_id == NULL ||
+          ssl->handshake->curves_tls_id[0] == 0 ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
                            "no common elliptic curve" ) );
@ -2849,7 +2854,6 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
                               ssl->out_msglen;
        size_t output_offset = 0;
        size_t output_len = 0;
-        const mbedtls_ecp_curve_info *curve_info;

        /*
         * The first 3 bytes are:
@ -2859,13 +2863,14 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
         * However since we only support secp256r1 for now, we hardcode its
         * TLS ID here
         */
-        if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id(
-                                    MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
+        uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+                                    MBEDTLS_ECP_DP_SECP256R1 );
+        if( tls_id ==0 )
        {
            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
        }
        *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
-        MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 );
+        MBEDTLS_PUT_UINT16_BE( tls_id, out_p, 1 );
        output_offset += 3;

        ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx,
@ -2986,27 +2991,29 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
         *     ECPoint      public;
         * } ServerECDHParams;
         */
-        const mbedtls_ecp_curve_info **curve = NULL;
+        uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
        const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
        size_t len = 0;

        /* Match our preference list against the offered curves */
-        if( group_list == NULL )
+        if( ( group_list == NULL ) || ( curr_tls_id == NULL ) )
            return( MBEDTLS_ERR_SSL_BAD_CONFIG );
        for( ; *group_list != 0; group_list++ )
-            for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
-                if( (*curve)->tls_id == *group_list )
+            for( curr_tls_id = ssl->handshake->curves_tls_id;
+                 *curr_tls_id != 0; curr_tls_id++ )
+                if( *curr_tls_id == *group_list )
                    goto curve_matching_done;

 curve_matching_done:
-        if( curve == NULL || *curve == NULL )
+        if( *curr_tls_id == 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
        }

-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s",
+                    mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id) ) );

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
        psa_status_t status = PSA_ERROR_GENERIC_ERROR;
@ -3022,7 +3029,7 @@ curve_matching_done:

        /* Convert EC group to PSA key type. */
        handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group(
-                    (*curve)->tls_id, &ecdh_bits );
+                    *curr_tls_id, &ecdh_bits );

        if( handshake->ecdh_psa_type == 0 )
        {
@ -3047,7 +3054,7 @@ curve_matching_done:
        /*
         * Next two bytes are the namedcurve value
         */
-        MBEDTLS_PUT_UINT16_BE( (*curve)->tls_id, p, 0 );
+        MBEDTLS_PUT_UINT16_BE( *curr_tls_id, p, 0 );
        p += 2;

        /* Generate ECDH private key. */
@ -3093,8 +3100,11 @@ curve_matching_done:
        /* Determine full message length. */
        len += header_size;
 #else
+        mbedtls_ecp_group_id curr_grp_id =
+                    mbedtls_ssl_get_ecp_group_id_from_tls_id( *curr_tls_id );
+
        if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
-                                        (*curve)->grp_id ) ) != 0 )
+                                        curr_grp_id ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
            return( ret );
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -230,9 +230,8 @@ static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,

    for ( ; *group_list != 0; group_list++ )
    {
-        const mbedtls_ecp_curve_info *curve_info;
-        curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
-        if( curve_info != NULL &&
+        if( ( mbedtls_ssl_get_psa_curve_info_from_tls_id( *group_list,
+                            NULL, NULL ) == PSA_SUCCESS ) &&
            mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
        {
            *group_id = *group_list;
@ -385,7 +384,6 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *end )
 {
 #if defined(MBEDTLS_ECDH_C)
-    const mbedtls_ecp_curve_info *curve_info = NULL;
    const unsigned char *p = buf;
    int selected_group;
    int found = 0;
@ -412,8 +410,9 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
     */
    for( ; *group_list != 0; group_list++ )
    {
-        curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
-        if( curve_info == NULL || curve_info->tls_id != selected_group )
+        if( ( mbedtls_ssl_get_psa_curve_info_from_tls_id( *group_list,
+                NULL, NULL ) == PSA_ERROR_NOT_SUPPORTED ) ||
+                *group_list != selected_group )
            continue;

        /* We found a match */
@ -493,15 +492,15 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_ECDH_C)
    if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
    {
-        const mbedtls_ecp_curve_info *curve_info =
-            mbedtls_ecp_curve_info_from_tls_id( group );
-        if( curve_info == NULL )
+        if( mbedtls_ssl_get_psa_curve_info_from_tls_id( group, NULL, NULL )
+                    == PSA_ERROR_NOT_SUPPORTED )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }

-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s",
+                    mbedtls_ssl_get_curve_name_from_tls_id( group ) ) );

        ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
        if( ret != 0 )