Make ssl_set_ecdh_curves() a compile-time option
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 1ed203c..8c95c42 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -814,6 +814,22 @@
#define POLARSSL_SSL_TRUNCATED_HMAC
/**
+ * \def POLARSSL_SSL_SET_ECDH_CURVES
+ *
+ * Enable ssl_set_ecdh_curves().
+ *
+ * This is disabled by default since it breaks binary compatibility with the
+ * 1.3.x line. If you choose to enable it, you will need to rebuild your
+ * application against the new header files, relinking will not be enough.
+ * It will be enabled by default, or no longer an option, in the 1.4 branch.
+ *
+ * TODO: actually disable it when done working on this branch ,)
+ *
+ * Uncomment to make ssl_set_ecdh_curves() available.
+ */
+#define POLARSSL_SSL_SET_ECDH_CURVES
+
+/**
* \def POLARSSL_THREADING_ALT
*
* Provide your own alternate threading implementation.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 2b50304..2fdc01d 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -727,7 +727,8 @@
int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+ defined(POLARSSL_SSL_SET_ECDH_CURVES)
const ecp_group_id *ecdh_curve_list;/*!< allowed curves for ECDH */
#endif
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
@@ -1158,9 +1159,11 @@
int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
#endif
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+ defined(POLARSSL_SSL_SET_ECDH_CURVES)
/**
* \brief Set the allowed ECDH curves.
+ * (Default: all defined curves.)
*
* The sequence of the curves in the list also determines the
* handshake curve preference.
@@ -1168,7 +1171,8 @@
* \param ssl SSL context
* \param ecdh_curve_list Zero terminated list of the allowed ECDH curves
*/
-void ssl_set_ecdh_curves( ssl_context *ssl, const ecp_group_id *ecdh_curve_list );
+void ssl_set_ecdh_curves( ssl_context *ssl,
+ const ecp_group_id *ecdh_curve_list );
#endif
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index dfae8c5..ac5f802 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2105,7 +2105,8 @@
* ECPoint public;
* } ServerECDHParams;
*/
-
+ ecp_group_id grp_id;
+#if defined(POLARSSL_SSL_SET_ECDH_CURVES)
unsigned int pref_idx, curv_idx, found;
/* Match our preference list against the agreed curves */
@@ -2137,9 +2138,13 @@
* ssl->ecdh_curve_list[pref_idx] will contain POLARSSL_ECP_DP_NONE and
* ecp_use_known_dp() will fail.
*/
+ grp_id = ssl->ecdh_curve_list[pref_idx];
+#else
+ grp_id = ssl->handshake->curves[0]->grp_id;
+#endif /* POLARSSL_SSL_SET_ECDH_CURVES */
if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
- ssl->ecdh_curve_list[pref_idx] ) ) != 0 )
+ grp_id ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
return( ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 02f24a1..29977d7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3424,7 +3424,8 @@
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
#endif
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+ defined(POLARSSL_SSL_SET_ECDH_CURVES)
ssl->ecdh_curve_list = ecdh_default_curve_list;
#endif
@@ -4655,7 +4656,8 @@
#endif
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+ defined(POLARSSL_SSL_SET_ECDH_CURVES)
/*
* Set the allowed ECDH curves.
*/