The default ECDH curve list will be dynamically built in the ecp module based on ecp_supported_curves[].
diff --git a/library/ecp.c b/library/ecp.c
index a27d30e..992c436 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -114,27 +114,33 @@
* - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
* - size in bits
* - readable name
+ *
+ * The sequence of elements in this list also determines the default preference
+ * of the curves used by an ECHDE handshake.
+ * We start with the most secure curves. From the same sized curves, we prefer
+ * the SECP ones because they are much faster.
+ *
*/
static const ecp_curve_info ecp_supported_curves[] =
{
-#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
- { POLARSSL_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
-#endif
-#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
- { POLARSSL_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
-#endif
-#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
- { POLARSSL_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
-#endif
#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
{ POLARSSL_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
#endif
+#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
+ { POLARSSL_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
+#endif
#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
{ POLARSSL_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
#endif
+#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
+ { POLARSSL_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
+#endif
#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
{ POLARSSL_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
#endif
+#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
+ { POLARSSL_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
+#endif
#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
{ POLARSSL_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
#endif
@@ -152,6 +158,8 @@
#endif
{ POLARSSL_ECP_DP_NONE, 0, 0, NULL },
};
+#define ECP_NUM_SUPPORTED_CURVES ( sizeof( ecp_supported_curves ) / \
+ sizeof( ecp_curve_info ) )
/*
* List of supported curves and associated info
@@ -216,6 +224,23 @@
}
/*
+ * Get the default ECDH curve list
+ */
+ecp_group_id *ecp_get_default_echd_curve_list( void )
+{
+ static ecp_group_id ecdh_default_curve_list[ECP_NUM_SUPPORTED_CURVES];
+ int i;
+
+ /* Build the list of default curves based on ecp_supported_curves[] */
+ for( i = 0; i < ECP_NUM_SUPPORTED_CURVES; i++)
+ {
+ ecdh_default_curve_list[i] = ecp_supported_curves[i].grp_id;
+ }
+
+ return ecdh_default_curve_list;
+}
+
+/*
* Get the type of a curve
*/
static inline ecp_curve_type ecp_get_type( const ecp_group *grp )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 79b4bb7..dd84daa 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3325,46 +3325,6 @@
*/
int ssl_init( ssl_context *ssl )
{
-
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
- /*
- * ECDHE allowed curves and preference list
- *
- * We start with the most secure curves. From the same size curves, we prefer
- * the SECP ones because they are much faster.
- *
- * TODO: Add the Montgomery curves
- */
- static const ecp_group_id default_curve_list[] =
- {
-#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
- POLARSSL_ECP_DP_SECP521R1,
-#endif
-#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
- POLARSSL_ECP_DP_BP512R1,
-#endif
-#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
- POLARSSL_ECP_DP_SECP384R1,
-#endif
-#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
- POLARSSL_ECP_DP_BP384R1,
-#endif
-#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
- POLARSSL_ECP_DP_SECP256R1,
-#endif
-#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
- POLARSSL_ECP_DP_BP256R1,
-#endif
-#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
- POLARSSL_ECP_DP_SECP224R1,
-#endif
-#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
- POLARSSL_ECP_DP_SECP192R1,
-#endif
- POLARSSL_ECP_DP_NONE
- };
-#endif
-
int ret;
int len = SSL_BUFFER_LEN;
@@ -3426,7 +3386,7 @@
#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
defined(POLARSSL_SSL_SET_CURVES)
- ssl->curve_list = default_curve_list;
+ ssl->curve_list = ecp_get_default_echd_curve_list( );
#endif
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )