Add supported_curves/groups extension

This allows us to use a ciphersuite that will still be supported in 4.0.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>

Author: mpg

tests/suites/test_suite_ssl.data

@@ -3446,31 +3446,45 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3
 TLS 1.3 srv, max early data size, HRR, 98, wsz=49
 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
 
-# 1.2 minimal ClientHello breakdown:
+# (Minimal) ClientHello breakdown:
 # 160303rlrl - record header, 2-byte record contents len
 # 01hlhlhl - handshake header, 3-byte handshake message len
 # 0303 - protocol version: 1.2
 # 0123456789abcdef (repeated, 4 times total) - 32-byte "random"
 # 00 - session ID (empty)
 # 0002cvcv - ciphersuite list: 2-byte len + list of 2-byte values (see below)
 # 0100 - compression methods: 1-byte len then "null" (only legal value now)
-# [then end, or extensions]
+# [then end, or extensions, see notes below]
 # elel - 2-byte extensions length
 # ...
+# 000a - elliptic_curves aka supported_groups
+# 0004 - extension length
+# 0002 - length of named_curve_list / named_group_list
+# 0017 - secp256r1 aka NIST P-256
+# ...
 #
 # Note: currently our TLS "1.3 or 1.2" code requires extension length to be
 # present even it it's 0. This is not strictly compliant but doesn't matter
 # much in practice as these days everyone wants to use signature_algorithms
 # (for hashes better than SHA-1), secure_renego (even if you have renego
 # disabled), and most people want either ECC or PSK related extensions.
+# See https://github.com/Mbed-TLS/mbedtls/issues/9963
+#
+# Also, currently we won't negotiate ECC ciphersuites unless at least the
+# supported_groups extension is present, see
+# https://github.com/Mbed-TLS/mbedtls/issues/7458
 #
 # Note: cccc is currently not assigned, so can be used get a consistent
 # "no matching ciphersuite" behaviour regardless of the configuration.
-# 002f is MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, MTI in 1.2, but removed in 4.0.
+# c02b is MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (1.2)
+
+# See "ClientHello breakdown" above
+# MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with secp256r1
 Inject ClientHello - TLS 1.2 good (for reference)
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_SSL_HAVE_AES:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_HAVE_CBC
-inject_client_content_on_the_wire:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002002f01000000":"<= parse client hello":0
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_SSL_HAVE_AES:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_ECP_HAVE_SECP256R1
+inject_client_content_on_the_wire:MBEDTLS_PK_ECDSA:MBEDTLS_SSL_CLIENT_HELLO:"16030300370100003303030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002c02b01000008000a000400020017":"<= parse client hello":0
 
+# See "ClientHello breakdown" above
 Inject ClientHello - TLS 1.2 unknown ciphersuite (for reference)
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
-inject_client_content_on_the_wire:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002cccc01000000":"got no ciphersuites in common":MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C
+inject_client_content_on_the_wire:MBEDTLS_PK_RSA:MBEDTLS_SSL_CLIENT_HELLO:"160303002f0100002b03030123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef000002cccc01000000":"got no ciphersuites in common":MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE

tests/suites/test_suite_ssl.function

@@ -5039,8 +5039,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void inject_client_content_on_the_wire(int state, data_t *hello, char *log_pattern,
-                                       int expected_ret)
+void inject_client_content_on_the_wire(int pk_alg,
+                                       int state, data_t *data,
+                                       char *log_pattern, int expected_ret)
 {
     /* This function allows us to inject content at a specific state
      * in the handshake, or when it's completed. The content is injected
@@ -5068,7 +5069,9 @@ void inject_client_content_on_the_wire(int state, data_t *hello, char *log_patte
     srv_pattern.pattern = log_pattern;
     options.srv_log_obj = &srv_pattern;
     options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
-    mbedtls_debug_set_threshold(3);
+    mbedtls_debug_set_threshold(5);
+
+    options.pk_alg = pk_alg;
 
     ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                          &options, NULL, NULL, NULL);
@@ -5087,8 +5090,8 @@ void inject_client_content_on_the_wire(int state, data_t *hello, char *log_patte
     TEST_EQUAL(ret, 0);
 
     /* Send the crafted message */
-    ret = mbedtls_test_mock_tcp_send_b(&client.socket, hello->x, hello->len);
-    TEST_ASSERT(ret >= 0 && (size_t) ret == hello->len);
+    ret = mbedtls_test_mock_tcp_send_b(&client.socket, data->x, data->len);
+    TEST_ASSERT(ret >= 0 && (size_t) ret == data->len);
 
     /* Have the server process it.
      * Need the loop because a server that support 1.3 and 1.2