diff --git a/configs/baremetal.h b/configs/baremetal.h index 09391ddb0..a88f8ac31 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -57,6 +57,10 @@ #define MBEDTLS_ECP_MAX_BITS 256 #define MBEDTLS_MPI_MAX_SIZE 32 // 256 bits is 32 bytes +#define MBEDTLS_SSL_CONF_SINGLE_EC +#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID MBEDTLS_ECP_DP_SECP256R1 +#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23 + /* Key exchanges */ #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 82e4dad59..93831b76a 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -87,6 +87,12 @@ #error "MBEDTLS_CMAC_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_CONF_SINGLE_EC) && \ + ( !defined(MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID) || \ + !defined(MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID) ) +#error "MBEDTLS_SSL_CONF_SINGLE_EC defined, but not all prerequesites" +#endif + #if defined(MBEDTLS_USE_TINYCRYPT) && defined(MBEDTLS_NO_64BIT_MULTIPLICATION) #error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION" #endif diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e18c11bee..5b172387e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3658,6 +3658,33 @@ */ //#define MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 +/* Enable support of a single elliptic curve fixed + * at compile-time, at the benefit of code-size. + * + * On highly constrained systems with large control + * over the configuration of the connection endpoints, + * this option can be used to hardcode the choice of + * a single elliptic curve to be used for all elliptic + * curve operations during the handshake. + * + * If this is set, you must also define the following: + * - MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID + * This must resolve to the Mbed TLS group ID for the elliptic + * curve to use (e.g. MBEDTLS_ECP_DP_SECP256R1_ENABLED); see + * ::mbedtls_ecp_group_id in mbedtls/ecp.h for a complete list + * of curve identifiers. + * - MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID + * This must resolve to the identifier for the elliptic curve + * to use according to the IANA NamedCurve registry: + * https://tools.ietf.org/html/rfc4492#section-5.1 + * + * If defined, this option overwrites the effect of the + * runtime configuration API mbedtls_ssl_conf_curves(). + */ +//#define MBEDTLS_SSL_CONF_SINGLE_EC +//#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID +//#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID + /* \} SECTION: Compile-time SSL configuration */ /* Target and application specific configurations diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e00f7b9e8..0f9ab0ecf 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1082,7 +1082,9 @@ struct mbedtls_ssl_config #endif #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ #endif #if defined(MBEDTLS_DHM_C) @@ -2809,6 +2811,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) /** * \brief Set the allowed curves in order of preference. * (Default: all defined curves.) @@ -2832,12 +2835,17 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, * \note This list should be ordered by decreasing preference * (preferred curve first). * + * \note On highly constrained systems, the support for a single + * fixed elliptic curve can be configured at compile time + * through the option MBEDTLS_SSL_CONF_SINGLE_EC. + * * \param conf SSL configuration * \param curves Ordered list of allowed curves, * terminated by MBEDTLS_ECP_DP_NONE. */ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); +#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 0c812bc56..40391d581 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -383,7 +383,7 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - mbedtls_ecp_curve_info const *curve_info; /*!< Info for EC for ECDHE. */ + uint16_t curve_tls_id; /*!< TLS ID of EC for ECDHE. */ #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char *psk; /*!< PSK from the callback */ @@ -1625,4 +1625,55 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced( #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */ +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) + +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( TLS_ID_VAR ) \ + { \ + mbedtls_ecp_group_id const *_gid; \ + mbedtls_ecp_curve_info const *_info; \ + for( _gid = ssl->conf->curve_list; \ + *_gid != MBEDTLS_ECP_DP_NONE; _gid++ ) \ + { \ + uint16_t TLS_ID_VAR; \ + _info = mbedtls_ecp_curve_info_from_grp_id( *_gid ) ; \ + if( _info == NULL ) \ + continue; \ + TLS_ID_VAR = _info->tls_id; + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID \ + } \ + } + +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( EC_ID_VAR ) \ + { \ + mbedtls_ecp_group_id const *_gid; \ + for( _gid = ssl->conf->curve_list; \ + *_gid != MBEDTLS_ECP_DP_NONE; _gid++ ) \ + { \ + mbedtls_ecp_group_id EC_ID_VAR = *_gid; \ + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID \ + } \ + } + +#else /* !MBEDTLS_SSL_CONF_SINGLE_EC */ + +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( TLS_ID_VAR ) \ + { \ + uint16_t TLS_ID_VAR = MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID; \ + ((void) ssl); + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID \ + } + +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( EC_ID_VAR ) \ + { \ + mbedtls_ecp_group_id EC_ID_VAR = MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID; \ + ((void) ssl); + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID \ + } + +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ + #endif /* ssl_internal.h */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c7a18f58b..b0c0403fd 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -254,42 +254,34 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +static size_t ssl_get_ec_curve_list_length( mbedtls_ssl_context *ssl ) +{ + size_t ec_list_len = 0; + + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id ) + ((void) tls_id); + ec_list_len++; + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID + + return( ec_list_len ); +} + static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { unsigned char *p = buf; const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; - unsigned char *elliptic_curve_list = p + 6; size_t elliptic_curve_len = 0; - const mbedtls_ecp_curve_info *info; -#if defined(MBEDTLS_ECP_C) - const mbedtls_ecp_group_id *grp_id; -#else - ((void) ssl); -#endif *olen = 0; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); -#if defined(MBEDTLS_ECP_C) - for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) -#else - for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) -#endif - { -#if defined(MBEDTLS_ECP_C) - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); -#endif - if( info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); - return; - } - - elliptic_curve_len += 2; - } + /* Each elliptic curve is encoded in 2 bytes. */ + elliptic_curve_len = 2 * ssl_get_ec_curve_list_length( ssl ); + if( elliptic_curve_len == 0 ) + return; if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) { @@ -297,24 +289,6 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, return; } - elliptic_curve_len = 0; - -#if defined(MBEDTLS_ECP_C) - for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) -#else - for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) -#endif - { -#if defined(MBEDTLS_ECP_C) - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); -#endif - elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; - elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; - } - - if( elliptic_curve_len == 0 ) - return; - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); @@ -324,6 +298,11 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id ) + *p++ = tls_id >> 8; + *p++ = tls_id & 0xFF; + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID + *olen = 6 + elliptic_curve_len; } diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 660b30f2e..3744cf6bc 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -280,9 +280,9 @@ static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len, - mbedtls_ecp_group_id curve_ids[ MBEDTLS_ECP_DP_MAX ] ) + unsigned char const **list_start, size_t *list_len ) { - size_t list_size, our_size; + size_t list_size; const unsigned char *p; if ( len < 2 ) { @@ -302,37 +302,26 @@ static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, } p = buf + 2; - our_size = MBEDTLS_ECP_DP_MAX; - /* Leave room for final 0-entry */ - while( list_size > 0 && our_size > 1 ) + /* Remember list for later. */ + *list_start = p; + *list_len = list_size / 2; + + while( list_size > 0 ) { - uint16_t const tls_id = ( p[0] << 8 ) | p[1]; - mbedtls_ecp_curve_info const * const info = - mbedtls_ecp_curve_info_from_tls_id( tls_id ); + uint16_t const peer_tls_id = ( p[0] << 8 ) | p[1]; - if( info != NULL ) + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( own_tls_id ) + if( own_tls_id == peer_tls_id && + ssl->handshake->curve_tls_id == 0 ) { - mbedtls_ecp_group_id const *gid; - /* Remember the first curve that we also support. */ - for( gid = ssl->conf->curve_list; - *gid != MBEDTLS_ECP_DP_NONE; gid++ ) - { - if( info->grp_id != *gid ) - continue; - - if( ssl->handshake->curve_info == NULL ) - ssl->handshake->curve_info = info; - } - - *curve_ids++ = info->grp_id; - our_size--; + ssl->handshake->curve_tls_id = own_tls_id; } + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID list_size -= 2; p += 2; } - *curve_ids = MBEDTLS_ECP_DP_NONE; return( 0 ); } @@ -736,18 +725,28 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, */ #if defined(MBEDTLS_ECDSA_C) static int ssl_check_key_curve( mbedtls_pk_context *pk, - mbedtls_ecp_group_id const *acceptable_ec_grp_ids ) + unsigned char const *acceptable_ec_tls_ids, + size_t ec_tls_ids_len ) { + mbedtls_ecp_curve_info const *info; mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id; - if( acceptable_ec_grp_ids == NULL ) + info = mbedtls_ecp_curve_info_from_grp_id( grp_id ); + if( info == NULL ) return( -1 ); - while( *acceptable_ec_grp_ids != MBEDTLS_ECP_DP_NONE ) + if( acceptable_ec_tls_ids == NULL ) + return( -1 ); + + while( ec_tls_ids_len-- != 0 ) { - if( *acceptable_ec_grp_ids == grp_id ) + uint16_t const cur_tls_id = + ( acceptable_ec_tls_ids[0] << 8 ) | acceptable_ec_tls_ids[1]; + + if( cur_tls_id == info->tls_id ) return( 0 ); - acceptable_ec_grp_ids++; + + acceptable_ec_tls_ids += 2; } return( -1 ); @@ -760,7 +759,8 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk, */ static int ssl_pick_cert( mbedtls_ssl_context *ssl, mbedtls_ssl_ciphersuite_handle_t ciphersuite_info, - mbedtls_ecp_group_id const *acceptable_ec_grp_ids ) + unsigned char const *acceptable_ec_tls_ids, + size_t ec_tls_ids_len ) { mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; mbedtls_pk_type_t pk_alg = @@ -825,13 +825,16 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDSA_C) if( pk_alg == MBEDTLS_PK_ECDSA && - ssl_check_key_curve( pk, acceptable_ec_grp_ids ) != 0 ) + ssl_check_key_curve( pk, + acceptable_ec_tls_ids, + ec_tls_ids_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); match = 0; } #else - ((void) acceptable_ec_grp_ids); + ((void) acceptable_ec_tls_ids); + ((void) ec_tls_ids_len); #endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -920,7 +923,8 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, */ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl, mbedtls_ssl_ciphersuite_handle_t suite_info, - mbedtls_ecp_group_id const *acceptable_ec_grp_ids ) + unsigned char const *acceptable_ec_tls_ids, + size_t ec_tls_ids_len ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) @@ -970,7 +974,7 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && - ssl->handshake->curve_info == NULL ) + ssl->handshake->curve_tls_id == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " "no common elliptic curve" ) ); @@ -1018,14 +1022,17 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl, * - try the next ciphersuite if we don't * This must be done last since we modify the key_cert list. */ - if( ssl_pick_cert( ssl, suite_info, acceptable_ec_grp_ids ) != 0 ) + if( ssl_pick_cert( ssl, suite_info, + acceptable_ec_tls_ids, + ec_tls_ids_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " "no suitable certificate" ) ); return( 0 ); } #else - ((void) acceptable_ec_grp_ids); + ((void) acceptable_ec_tls_ids); + ((void) ec_tls_ids_len); #endif return( 1 ); @@ -1266,7 +1273,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) got_common_suite = 1; - if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) ) + if( ssl_ciphersuite_is_match( ssl, cur_info, NULL, 0 ) ) { #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) ciphersuite_info = cur_info; @@ -1356,12 +1363,8 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) #endif int major, minor; -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - mbedtls_ecp_group_id acceptable_ec_grp_ids[ MBEDTLS_ECP_DP_MAX ]; -#else - mbedtls_ecp_group_id * acceptable_ec_grp_ids = NULL; -#endif + unsigned char const *acceptable_ec_tls_ids = NULL; + size_t ec_tls_ids_len = 0; /* If there is no signature-algorithm extension present, * we need to fall back to the default values for allowed @@ -1921,7 +1924,8 @@ read_record_header: ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size, - acceptable_ec_grp_ids ); + &acceptable_ec_tls_ids, + &ec_tls_ids_len ); if( ret != 0 ) return( ret ); break; @@ -2203,7 +2207,8 @@ read_record_header: got_common_suite = 1; if( ssl_ciphersuite_is_match( ssl, cur_info, - acceptable_ec_grp_ids) ) + acceptable_ec_tls_ids, + ec_tls_ids_len ) != 0 ) { #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) ciphersuite_info = cur_info; @@ -3357,7 +3362,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, * ECPoint public; * } ServerECDHParams; */ - const mbedtls_ecp_curve_info *curve = ssl->handshake->curve_info; + const mbedtls_ecp_curve_info *curve = + mbedtls_ecp_curve_info_from_tls_id( ssl->handshake->curve_tls_id ); int ret; size_t len = 0; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8fb548c46..0b1ebddcf 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8635,6 +8635,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) /* * Set the allowed elliptic curves */ @@ -8643,6 +8644,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, { conf->curve_list = curve_list; } +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -10869,7 +10871,7 @@ static int ssl_preset_suiteb_hashes[] = { }; #endif -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) MBEDTLS_ECP_DP_SECP256R1, @@ -11020,7 +11022,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) conf->curve_list = ssl_preset_suiteb_curves; +#endif #endif break; @@ -11068,8 +11072,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) conf->curve_list = mbedtls_ecp_grp_id_list(); #endif +#endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) conf->dhm_min_bitlen = 1024; @@ -11285,14 +11291,10 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) */ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) { - const mbedtls_ecp_group_id *gid; - - if( ssl->conf->curve_list == NULL ) - return( -1 ); - - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) - if( *gid == grp_id ) - return( 0 ); + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( own_ec_id ) + if( own_ec_id == grp_id ) + return( 0 ); + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID return( -1 ); } diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 6a1cb1bb7..ff3078826 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -2810,6 +2810,30 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */ +#if defined(MBEDTLS_SSL_CONF_SINGLE_EC) + if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ + +#if defined(MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID) + if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID */ + +#if defined(MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID) + if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID */ + /* If the symbol is not found, return an error */ return( 1 ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 268be15c8..87454b2fb 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -215,7 +215,7 @@ int main( void ) #define USAGE_ALPN "" #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) #define USAGE_CURVES \ " curves=a,b,c,d default: \"default\" (library default)\n" \ " example: \"secp521r1,brainpoolP512r1\"\n" \ @@ -777,7 +777,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ALPN) const char *alpn_list[ALPN_LIST_SIZE]; #endif -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE]; const mbedtls_ecp_curve_info *curve_cur; #endif @@ -1115,8 +1115,10 @@ int main( int argc, char *argv[] ) default: goto usage; } } +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; +#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ else if( strcmp( p, "etm" ) == 0 ) { switch( atoi( q ) ) @@ -1422,7 +1424,7 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) if( opt.curves != NULL ) { p = (char *) opt.curves; @@ -1476,7 +1478,7 @@ int main( int argc, char *argv[] ) curve_list[i] = MBEDTLS_ECP_DP_NONE; } } -#endif /* MBEDTLS_ECP_C */ +#endif /* MBEDTLS_ECP_C && !MBEDTLS_SSL_CONF_SINGLE_EC */ #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) @@ -1847,12 +1849,14 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { mbedtls_ssl_conf_curves( &conf, curve_list ); } -#endif +#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ +#endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len, diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ab9b9500d..9cca9c4d7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -381,7 +381,7 @@ int main( void ) #define USAGE_ECJPAKE "" #endif -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) #define USAGE_CURVES \ " curves=a,b,c,d default: \"default\" (library default)\n" \ " example: \"secp521r1,brainpoolP512r1\"\n" \ @@ -1425,7 +1425,7 @@ int main( int argc, char *argv[] ) #if defined(SNI_OPTION) sni_entry *sni_info = NULL; #endif -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE]; const mbedtls_ecp_curve_info * curve_cur; #endif @@ -1707,8 +1707,10 @@ int main( int argc, char *argv[] ) } opt.force_ciphersuite[1] = 0; } +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; +#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ else if( strcmp( p, "version_suites" ) == 0 ) opt.version_suites = q; else if( strcmp( p, "renegotiation" ) == 0 ) @@ -2176,7 +2178,7 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC) if( opt.curves != NULL ) { p = (char *) opt.curves; @@ -2230,7 +2232,7 @@ int main( int argc, char *argv[] ) curve_list[i] = MBEDTLS_ECP_DP_NONE; } } -#endif /* MBEDTLS_ECP_C */ +#endif /* MBEDTLS_ECP_C && !MBEDTLS_SSL_CONF_SINGLE_EC */ #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) @@ -2848,12 +2850,14 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_SSL_CONF_SINGLE_EC) if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { mbedtls_ssl_conf_curves( &conf, curve_list ); } -#endif +#endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ +#endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )