From 5de2580563109decf0e883f7e7c414b933d35333 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Mon, 3 Feb 2014 15:56:49 +0100
Subject: [PATCH] Make ssl_set_ecdh_curves() a compile-time option

---
 include/polarssl/config.h | 16 ++++++++++++++++
 include/polarssl/ssl.h    | 10 +++++++---
 library/ssl_srv.c         |  9 +++++++--
 library/ssl_tls.c         |  6 ++++--
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 1ed203c73..8c95c426a 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -813,6 +813,22 @@
  */
 #define POLARSSL_SSL_TRUNCATED_HMAC
 
+/**
+ * \def POLARSSL_SSL_SET_ECDH_CURVES
+ *
+ * Enable ssl_set_ecdh_curves().
+ *
+ * This is disabled by default since it breaks binary compatibility with the
+ * 1.3.x line. If you choose to enable it, you will need to rebuild your
+ * application against the new header files, relinking will not be enough.
+ * It will be enabled by default, or no longer an option, in the 1.4 branch.
+ *
+ * TODO: actually disable it when done working on this branch ,)
+ *
+ * Uncomment to make ssl_set_ecdh_curves() available.
+ */
+#define POLARSSL_SSL_SET_ECDH_CURVES
+
 /**
  * \def POLARSSL_THREADING_ALT
  *
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 2b50304aa..2fdc01df4 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -727,7 +727,8 @@ struct _ssl_context
     int disable_renegotiation;          /*!<  enable/disable renegotiation   */
     int allow_legacy_renegotiation;     /*!<  allow legacy renegotiation     */
     const int *ciphersuite_list[4];     /*!<  allowed ciphersuites / version */
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+    defined(POLARSSL_SSL_SET_ECDH_CURVES)
     const ecp_group_id *ecdh_curve_list;/*!<  allowed curves for ECDH */
 #endif
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
@@ -1158,9 +1159,11 @@ int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
 #endif
 
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+    defined(POLARSSL_SSL_SET_ECDH_CURVES)
 /**
  * \brief          Set the allowed ECDH curves.
+ *                 (Default: all defined curves.)
  *
  *                 The sequence of the curves in the list also determines the
  *                 handshake curve preference.
@@ -1168,7 +1171,8 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
  * \param ssl      SSL context
  * \param ecdh_curve_list Zero terminated list of the allowed ECDH curves
  */
-void ssl_set_ecdh_curves( ssl_context *ssl, const ecp_group_id *ecdh_curve_list );
+void ssl_set_ecdh_curves( ssl_context *ssl,
+                          const ecp_group_id *ecdh_curve_list );
 #endif
 
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index dfae8c5a1..ac5f8028f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2105,7 +2105,8 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
          *     ECPoint      public;
          * } ServerECDHParams;
          */
-
+        ecp_group_id grp_id;
+#if defined(POLARSSL_SSL_SET_ECDH_CURVES)
         unsigned int pref_idx, curv_idx, found;
 
         /* Match our preference list against the agreed curves */
@@ -2137,9 +2138,13 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
          * ssl->ecdh_curve_list[pref_idx] will contain POLARSSL_ECP_DP_NONE and
          * ecp_use_known_dp() will fail.
          */
+        grp_id = ssl->ecdh_curve_list[pref_idx];
+#else
+        grp_id = ssl->handshake->curves[0]->grp_id;
+#endif /* POLARSSL_SSL_SET_ECDH_CURVES */
 
         if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
-                                       ssl->ecdh_curve_list[pref_idx] ) ) != 0 )
+                                       grp_id ) ) != 0 )
         {
             SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
             return( ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 02f24a18f..29977d789 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3424,7 +3424,8 @@ int ssl_init( ssl_context *ssl )
     ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
 #endif
 
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+    defined(POLARSSL_SSL_SET_ECDH_CURVES)
     ssl->ecdh_curve_list = ecdh_default_curve_list;
 #endif
 
@@ -4655,7 +4656,8 @@ md_type_t ssl_md_alg_from_hash( unsigned char hash )
 
 #endif
 
-#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
+    defined(POLARSSL_SSL_SET_ECDH_CURVES)
 /*
  * Set the allowed ECDH curves.
  */