Merge pull request #9937 from valeriosetti/issue9688-backport
[Backport 3.6] Migrate DHE test cases to ECDHE
diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md
index 63a13ad..42af9db 100644
--- a/docs/3.0-migration-guide.md
+++ b/docs/3.0-migration-guide.md
@@ -748,7 +748,7 @@
The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves.
-If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection.
+If you prefer a different order, call `mbedtls_ssl_conf_groups()` when configuring a TLS connection.
### SSL key export interface change
@@ -1025,7 +1025,7 @@
my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
```
-If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_curves()` with the desired lists.
+If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_groups()` with the desired lists.
### Remove 3DES ciphersuites
diff --git a/library/ecp.c b/library/ecp.c
index 427059b..fdd00a5 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -3056,7 +3056,7 @@
/* see RFC 7748 sec. 5 para. 5 */
if (mbedtls_mpi_get_bit(d, 0) != 0 ||
mbedtls_mpi_get_bit(d, 1) != 0 ||
- mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
+ mbedtls_mpi_bitlen(d) != grp->nbits + 1) { /* mbedtls_mpi_bitlen is one-based! */
return MBEDTLS_ERR_ECP_INVALID_KEY;
}
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 1d65706..10e10ba 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3060,7 +3060,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */
+/* BEGIN_CASE */
void conf_group()
{
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
@@ -3072,8 +3072,9 @@
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
- mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
- mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+ mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_groups(&conf, iana_tls_group_list);