Make support for SpecifiedECDomain optional
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index c070df2..decfc73 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -588,6 +588,20 @@
#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
/**
+ * \def POLARSSL_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define POLARSSL_PK_PARSE_EC_EXTENDED
+
+/**
* \def POLARSSL_ERROR_STRERROR_BC
*
* Make available the backward compatible error_strerror() next to the
diff --git a/library/pkparse.c b/library/pkparse.c
index aed50d1..4e9e400 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -163,8 +163,11 @@
/* Tag may be either OID or SEQUENCE */
params->tag = **p;
- if( params->tag != ASN1_OID &&
- params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
+ if( params->tag != ASN1_OID
+#if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
+ && params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE )
+#endif
+ )
{
return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
@@ -185,6 +188,7 @@
return( 0 );
}
+#if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
/*
* Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
* WARNING: the resulting group should only be used with
@@ -411,6 +415,7 @@
return( ret );
}
+#endif /* POLARSSL_PK_PARSE_EC_EXTENDED */
/*
* Use EC parameters to initialise an EC group
@@ -432,8 +437,12 @@
}
else
{
+#if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
return( ret );
+#else
+ return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
+#endif
}
/*