Allow hardcoding single supported elliptic curve
This commit introduces the option MBEDTLS_SSL_CONF_SINGLE_EC
which can be used to register a single supported elliptic curve
at compile time. It replaces the runtime configuration API
mbedtls_ssl_conf_curves() which allows to register a _list_
of supported elliptic curves.
In contrast to other options used to hardcode configuration options,
MBEDTLS_SSL_CONF_SINGLE_EC isn't a numeric option, but instead it's
only relevant if it's defined or not. To actually set the single
elliptic curve that should be supported, numeric options
MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID
must both be defined and provide the TLS ID and the Mbed TLS internal
ID of the chosen curve, respectively.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 169e054..9937b30 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1070,7 +1070,9 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
#endif
#if defined(MBEDTLS_DHM_C)
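Review bot: The closing comment on the new `#endif` guarding `curve_list` reads `/* MBEDTLS_SSL_CONF_SINGLE_EC */`, but the guard it closes is `#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)` and the matching closer added in the later hunk of this file reads `/* !MBEDTLS_SSL_CONF_SINGLE_EC */`; the two should agree, so change it to `#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */`. Compiling the member out also means every reader of `conf->curve_list` in the library must be under the same guard; those sites are not in this file, so presumably they are handled elsewhere in the commit, but that is worth confirming since a stray reference would only fail in a SINGLE_EC build.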
@@ -2785,6 +2787,7 @@
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
/**
* \brief Set the allowed curves in order of preference.
* (Default: all defined curves.)
@@ -2808,12 +2811,17 @@
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
+ * \note On highly constrained systems, the support for a single
+ * fixed elliptic curve can be configured at compile time
+ * through the option MBEDTLS_SSL_CONF_SINGLE_EC.
+ *
* \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
*/
void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves );
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
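Review bot: The new `\note` on `mbedtls_ssl_conf_curves()` names MBEDTLS_SSL_CONF_SINGLE_EC but leaves out the two facts a user of the public header needs: that MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID and MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID must also be defined (the commit message states this), and that when the option is defined this function is compiled out, so existing callers will fail to build. I would extend the note with a sentence stating that both companion options must be set to the TLS ID and the Mbed TLS group ID of the chosen curve, and a second sentence stating that `mbedtls_ssl_conf_curves()` is not available in that configuration. This diff does not show a check_config-style consistency check for the two companion options; if none is added elsewhere in the commit, defining MBEDTLS_SSL_CONF_SINGLE_EC alone would presumably fail only where the IDs are first consumed, which is harder to diagnose than an explicit `#error`.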