Merge remote-tracking branch 'origin/pr/602' into baremetal
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 09391dd..a88f8ac 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -57,6 +57,10 @@
#define MBEDTLS_ECP_MAX_BITS 256
#define MBEDTLS_MPI_MAX_SIZE 32 // 256 bits is 32 bytes
+#define MBEDTLS_SSL_CONF_SINGLE_EC
+#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID MBEDTLS_ECP_DP_SECP256R1
+#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23
+
/* Key exchanges */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 82e4dad..93831b7 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -87,6 +87,12 @@
#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_CONF_SINGLE_EC) && \
+ ( !defined(MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID) || \
+ !defined(MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID) )
+#error "MBEDTLS_SSL_CONF_SINGLE_EC defined, but not all prerequesites"
+#endif
+
#if defined(MBEDTLS_USE_TINYCRYPT) && defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
#error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION"
#endif
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e18c11b..5b17238 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3658,6 +3658,33 @@
*/
//#define MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+/* Enable support of a single elliptic curve fixed
+ * at compile-time, at the benefit of code-size.
+ *
+ * On highly constrained systems with large control
+ * over the configuration of the connection endpoints,
+ * this option can be used to hardcode the choice of
+ * a single elliptic curve to be used for all elliptic
+ * curve operations during the handshake.
+ *
+ * If this is set, you must also define the following:
+ * - MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID
+ * This must resolve to the Mbed TLS group ID for the elliptic
+ * curve to use (e.g. MBEDTLS_ECP_DP_SECP256R1_ENABLED); see
+ * ::mbedtls_ecp_group_id in mbedtls/ecp.h for a complete list
+ * of curve identifiers.
+ * - MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
+ * This must resolve to the identifier for the elliptic curve
+ * to use according to the IANA NamedCurve registry:
+ * https://tools.ietf.org/html/rfc4492#section-5.1
+ *
+ * If defined, this option overwrites the effect of the
+ * runtime configuration API mbedtls_ssl_conf_curves().
+ */
+//#define MBEDTLS_SSL_CONF_SINGLE_EC
+//#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
+//#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID
+
/* \} SECTION: Compile-time SSL configuration */
/* Target and application specific configurations
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index e00f7b9..0f9ab0e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1082,7 +1082,9 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
#endif
#if defined(MBEDTLS_DHM_C)
@@ -2809,6 +2811,7 @@
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
/**
* \brief Set the allowed curves in order of preference.
* (Default: all defined curves.)
@@ -2832,12 +2835,17 @@
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
+ * \note On highly constrained systems, the support for a single
+ * fixed elliptic curve can be configured at compile time
+ * through the option MBEDTLS_SSL_CONF_SINGLE_EC.
+ *
* \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
*/
void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves );
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 0c812bc..40391d5 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -383,7 +383,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- mbedtls_ecp_curve_info const *curve_info; /*!< Info for EC for ECDHE. */
+ uint16_t curve_tls_id; /*!< TLS ID of EC for ECDHE. */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char *psk; /*!< PSK from the callback */
@@ -1625,4 +1625,55 @@
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( TLS_ID_VAR ) \
+ { \
+ mbedtls_ecp_group_id const *_gid; \
+ mbedtls_ecp_curve_info const *_info; \
+ for( _gid = ssl->conf->curve_list; \
+ *_gid != MBEDTLS_ECP_DP_NONE; _gid++ ) \
+ { \
+ uint16_t TLS_ID_VAR; \
+ _info = mbedtls_ecp_curve_info_from_grp_id( *_gid ) ; \
+ if( _info == NULL ) \
+ continue; \
+ TLS_ID_VAR = _info->tls_id;
+
+#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID \
+ } \
+ }
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( EC_ID_VAR ) \
+ { \
+ mbedtls_ecp_group_id const *_gid; \
+ for( _gid = ssl->conf->curve_list; \
+ *_gid != MBEDTLS_ECP_DP_NONE; _gid++ ) \
+ { \
+ mbedtls_ecp_group_id EC_ID_VAR = *_gid; \
+
+#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID \
+ } \
+ }
+
+#else /* !MBEDTLS_SSL_CONF_SINGLE_EC */
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( TLS_ID_VAR ) \
+ { \
+ uint16_t TLS_ID_VAR = MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID; \
+ ((void) ssl);
+
+#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID \
+ }
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( EC_ID_VAR ) \
+ { \
+ mbedtls_ecp_group_id EC_ID_VAR = MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID; \
+ ((void) ssl);
+
+#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID \
+ }
+
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
+
#endif /* ssl_internal.h */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index c7a18f5..b0c0403 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -254,42 +254,34 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static size_t ssl_get_ec_curve_list_length( mbedtls_ssl_context *ssl )
+{
+ size_t ec_list_len = 0;
+
+ MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id )
+ ((void) tls_id);
+ ec_list_len++;
+ MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID
+
+ return( ec_list_len );
+}
+
static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
{
unsigned char *p = buf;
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
- unsigned char *elliptic_curve_list = p + 6;
size_t elliptic_curve_len = 0;
- const mbedtls_ecp_curve_info *info;
-#if defined(MBEDTLS_ECP_C)
- const mbedtls_ecp_group_id *grp_id;
-#else
- ((void) ssl);
-#endif
*olen = 0;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
-#if defined(MBEDTLS_ECP_C)
- for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
-#else
- for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
-#endif
- {
-#if defined(MBEDTLS_ECP_C)
- info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
-#endif
- if( info == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
- return;
- }
-
- elliptic_curve_len += 2;
- }
+ /* Each elliptic curve is encoded in 2 bytes. */
+ elliptic_curve_len = 2 * ssl_get_ec_curve_list_length( ssl );
+ if( elliptic_curve_len == 0 )
+ return;
if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
{
@@ -297,24 +289,6 @@
return;
}
- elliptic_curve_len = 0;
-
-#if defined(MBEDTLS_ECP_C)
- for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
-#else
- for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
-#endif
- {
-#if defined(MBEDTLS_ECP_C)
- info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
-#endif
- elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
- elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
- }
-
- if( elliptic_curve_len == 0 )
- return;
-
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
@@ -324,6 +298,11 @@
*p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
+ MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id )
+ *p++ = tls_id >> 8;
+ *p++ = tls_id & 0xFF;
+ MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID
+
*olen = 6 + elliptic_curve_len;
}
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 660b30f..3744cf6 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -280,9 +280,9 @@
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len,
- mbedtls_ecp_group_id curve_ids[ MBEDTLS_ECP_DP_MAX ] )
+ unsigned char const **list_start, size_t *list_len )
{
- size_t list_size, our_size;
+ size_t list_size;
const unsigned char *p;
if ( len < 2 ) {
@@ -302,37 +302,26 @@
}
p = buf + 2;
- our_size = MBEDTLS_ECP_DP_MAX;
- /* Leave room for final 0-entry */
- while( list_size > 0 && our_size > 1 )
+ /* Remember list for later. */
+ *list_start = p;
+ *list_len = list_size / 2;
+
+ while( list_size > 0 )
{
- uint16_t const tls_id = ( p[0] << 8 ) | p[1];
- mbedtls_ecp_curve_info const * const info =
- mbedtls_ecp_curve_info_from_tls_id( tls_id );
+ uint16_t const peer_tls_id = ( p[0] << 8 ) | p[1];
- if( info != NULL )
+ MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( own_tls_id )
+ if( own_tls_id == peer_tls_id &&
+ ssl->handshake->curve_tls_id == 0 )
{
- mbedtls_ecp_group_id const *gid;
- /* Remember the first curve that we also support. */
- for( gid = ssl->conf->curve_list;
- *gid != MBEDTLS_ECP_DP_NONE; gid++ )
- {
- if( info->grp_id != *gid )
- continue;
-
- if( ssl->handshake->curve_info == NULL )
- ssl->handshake->curve_info = info;
- }
-
- *curve_ids++ = info->grp_id;
- our_size--;
+ ssl->handshake->curve_tls_id = own_tls_id;
}
+ MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID
list_size -= 2;
p += 2;
}
- *curve_ids = MBEDTLS_ECP_DP_NONE;
return( 0 );
}
@@ -736,18 +725,28 @@
*/
#if defined(MBEDTLS_ECDSA_C)
static int ssl_check_key_curve( mbedtls_pk_context *pk,
- mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
+ unsigned char const *acceptable_ec_tls_ids,
+ size_t ec_tls_ids_len )
{
+ mbedtls_ecp_curve_info const *info;
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
- if( acceptable_ec_grp_ids == NULL )
+ info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
+ if( info == NULL )
return( -1 );
- while( *acceptable_ec_grp_ids != MBEDTLS_ECP_DP_NONE )
+ if( acceptable_ec_tls_ids == NULL )
+ return( -1 );
+
+ while( ec_tls_ids_len-- != 0 )
{
- if( *acceptable_ec_grp_ids == grp_id )
+ uint16_t const cur_tls_id =
+ ( acceptable_ec_tls_ids[0] << 8 ) | acceptable_ec_tls_ids[1];
+
+ if( cur_tls_id == info->tls_id )
return( 0 );
- acceptable_ec_grp_ids++;
+
+ acceptable_ec_tls_ids += 2;
}
return( -1 );
@@ -760,7 +759,8 @@
*/
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info,
- mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
+ unsigned char const *acceptable_ec_tls_ids,
+ size_t ec_tls_ids_len )
{
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
mbedtls_pk_type_t pk_alg =
@@ -825,13 +825,16 @@
#if defined(MBEDTLS_ECDSA_C)
if( pk_alg == MBEDTLS_PK_ECDSA &&
- ssl_check_key_curve( pk, acceptable_ec_grp_ids ) != 0 )
+ ssl_check_key_curve( pk,
+ acceptable_ec_tls_ids,
+ ec_tls_ids_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
match = 0;
}
#else
- ((void) acceptable_ec_grp_ids);
+ ((void) acceptable_ec_tls_ids);
+ ((void) ec_tls_ids_len);
#endif
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@@ -920,7 +923,8 @@
*/
static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
mbedtls_ssl_ciphersuite_handle_t suite_info,
- mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
+ unsigned char const *acceptable_ec_tls_ids,
+ size_t ec_tls_ids_len )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
@@ -970,7 +974,7 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
- ssl->handshake->curve_info == NULL )
+ ssl->handshake->curve_tls_id == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"no common elliptic curve" ) );
@@ -1018,14 +1022,17 @@
* - try the next ciphersuite if we don't
* This must be done last since we modify the key_cert list.
*/
- if( ssl_pick_cert( ssl, suite_info, acceptable_ec_grp_ids ) != 0 )
+ if( ssl_pick_cert( ssl, suite_info,
+ acceptable_ec_tls_ids,
+ ec_tls_ids_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"no suitable certificate" ) );
return( 0 );
}
#else
- ((void) acceptable_ec_grp_ids);
+ ((void) acceptable_ec_tls_ids);
+ ((void) ec_tls_ids_len);
#endif
return( 1 );
@@ -1266,7 +1273,7 @@
got_common_suite = 1;
- if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) )
+ if( ssl_ciphersuite_is_match( ssl, cur_info, NULL, 0 ) )
{
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
ciphersuite_info = cur_info;
@@ -1356,12 +1363,8 @@
#endif
int major, minor;
-#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- mbedtls_ecp_group_id acceptable_ec_grp_ids[ MBEDTLS_ECP_DP_MAX ];
-#else
- mbedtls_ecp_group_id * acceptable_ec_grp_ids = NULL;
-#endif
+ unsigned char const *acceptable_ec_tls_ids = NULL;
+ size_t ec_tls_ids_len = 0;
/* If there is no signature-algorithm extension present,
* we need to fall back to the default values for allowed
@@ -1921,7 +1924,8 @@
ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4,
ext_size,
- acceptable_ec_grp_ids );
+ &acceptable_ec_tls_ids,
+ &ec_tls_ids_len );
if( ret != 0 )
return( ret );
break;
@@ -2203,7 +2207,8 @@
got_common_suite = 1;
if( ssl_ciphersuite_is_match( ssl, cur_info,
- acceptable_ec_grp_ids) )
+ acceptable_ec_tls_ids,
+ ec_tls_ids_len ) != 0 )
{
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
ciphersuite_info = cur_info;
@@ -3357,7 +3362,8 @@
* ECPoint public;
* } ServerECDHParams;
*/
- const mbedtls_ecp_curve_info *curve = ssl->handshake->curve_info;
+ const mbedtls_ecp_curve_info *curve =
+ mbedtls_ecp_curve_info_from_tls_id( ssl->handshake->curve_tls_id );
int ret;
size_t len = 0;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8fb548c..0b1ebdd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8635,6 +8635,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
/*
* Set the allowed elliptic curves
*/
@@ -8643,6 +8644,7 @@
{
conf->curve_list = curve_list;
}
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -10869,7 +10871,7 @@
};
#endif
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_ECP_DP_SECP256R1,
@@ -11020,8 +11022,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
conf->curve_list = ssl_preset_suiteb_curves;
#endif
+#endif
break;
/*
@@ -11068,8 +11072,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
conf->curve_list = mbedtls_ecp_grp_id_list();
#endif
+#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
conf->dhm_min_bitlen = 1024;
@@ -11285,14 +11291,10 @@
*/
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
{
- const mbedtls_ecp_group_id *gid;
-
- if( ssl->conf->curve_list == NULL )
- return( -1 );
-
- for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
- if( *gid == grp_id )
- return( 0 );
+ MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( own_ec_id )
+ if( own_ec_id == grp_id )
+ return( 0 );
+ MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID
return( -1 );
}
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 6a1cb1b..ff30788 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2810,6 +2810,30 @@
}
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
+#if defined(MBEDTLS_SSL_CONF_SINGLE_EC)
+ if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
+
+#if defined(MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID)
+ if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID */
+
+#if defined(MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID)
+ if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID */
+
/* If the symbol is not found, return an error */
return( 1 );
}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 268be15..87454b2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -215,7 +215,7 @@
#define USAGE_ALPN ""
#endif /* MBEDTLS_SSL_ALPN */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
#define USAGE_CURVES \
" curves=a,b,c,d default: \"default\" (library default)\n" \
" example: \"secp521r1,brainpoolP512r1\"\n" \
@@ -777,7 +777,7 @@
#if defined(MBEDTLS_SSL_ALPN)
const char *alpn_list[ALPN_LIST_SIZE];
#endif
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE];
const mbedtls_ecp_curve_info *curve_cur;
#endif
@@ -1115,8 +1115,10 @@
default: goto usage;
}
}
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
else if( strcmp( p, "curves" ) == 0 )
opt.curves = q;
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
else if( strcmp( p, "etm" ) == 0 )
{
switch( atoi( q ) )
@@ -1422,7 +1424,7 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
if( opt.curves != NULL )
{
p = (char *) opt.curves;
@@ -1476,7 +1478,7 @@
curve_list[i] = MBEDTLS_ECP_DP_NONE;
}
}
-#endif /* MBEDTLS_ECP_C */
+#endif /* MBEDTLS_ECP_C && !MBEDTLS_SSL_CONF_SINGLE_EC */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
@@ -1847,12 +1849,14 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
if( opt.curves != NULL &&
strcmp( opt.curves, "default" ) != 0 )
{
mbedtls_ssl_conf_curves( &conf, curve_list );
}
-#endif
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index ab9b950..9cca9c4 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -381,7 +381,7 @@
#define USAGE_ECJPAKE ""
#endif
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
#define USAGE_CURVES \
" curves=a,b,c,d default: \"default\" (library default)\n" \
" example: \"secp521r1,brainpoolP512r1\"\n" \
@@ -1425,7 +1425,7 @@
#if defined(SNI_OPTION)
sni_entry *sni_info = NULL;
#endif
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE];
const mbedtls_ecp_curve_info * curve_cur;
#endif
@@ -1707,8 +1707,10 @@
}
opt.force_ciphersuite[1] = 0;
}
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
else if( strcmp( p, "curves" ) == 0 )
opt.curves = q;
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
else if( strcmp( p, "version_suites" ) == 0 )
opt.version_suites = q;
else if( strcmp( p, "renegotiation" ) == 0 )
@@ -2176,7 +2178,7 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
if( opt.curves != NULL )
{
p = (char *) opt.curves;
@@ -2230,7 +2232,7 @@
curve_list[i] = MBEDTLS_ECP_DP_NONE;
}
}
-#endif /* MBEDTLS_ECP_C */
+#endif /* MBEDTLS_ECP_C && !MBEDTLS_SSL_CONF_SINGLE_EC */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
@@ -2848,12 +2850,14 @@
#endif
#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
if( opt.curves != NULL &&
strcmp( opt.curves, "default" ) != 0 )
{
mbedtls_ssl_conf_curves( &conf, curve_list );
}
-#endif
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )