Added the possibility to define the allowed curves for the ECDHE handshake. The list also defines the order of preference of the curves.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 36378ef..02f24a1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3325,6 +3325,46 @@
*/
int ssl_init( ssl_context *ssl )
{
+
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+ /*
+ * ECDHE allowed curves and preference list
+ *
+ * We start with the most secure curves. From the same size curves, we prefer
+ * the SECP ones because they are much faster.
+ *
+ * TODO: Add the Montgomery curves
+ */
+ static const ecp_group_id ecdh_default_curve_list[] =
+ {
+#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
+ POLARSSL_ECP_DP_SECP521R1,
+#endif
+#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
+ POLARSSL_ECP_DP_BP512R1,
+#endif
+#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
+ POLARSSL_ECP_DP_SECP384R1,
+#endif
+#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
+ POLARSSL_ECP_DP_BP384R1,
+#endif
+#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
+ POLARSSL_ECP_DP_SECP256R1,
+#endif
+#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
+ POLARSSL_ECP_DP_BP256R1,
+#endif
+#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
+ POLARSSL_ECP_DP_SECP224R1,
+#endif
+#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
+ POLARSSL_ECP_DP_SECP192R1,
+#endif
+ POLARSSL_ECP_DP_NONE
+ };
+#endif
+
int ret;
int len = SSL_BUFFER_LEN;
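Review bot: The default list `ecdh_default_curve_list` ends with `POLARSSL_ECP_DP_SECP224R1` and `POLARSSL_ECP_DP_SECP192R1`, which offer roughly 112 and 96 bits of security. A context that never calls the setter would therefore presumably still accept an ECDHE exchange below the 128-bit level when those curves are compiled in; the code that reads the list is not in this diff. Consider leaving these two entries out of the default and letting callers that need them opt in through `ssl_set_ecdh_curves`. The comment above the array should also state the list's contract, e.g. `* The list is ordered by decreasing preference and terminated by POLARSSL_ECP_DP_NONE.` The body of ssl_init continues outside the hunk.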
@@ -3384,6 +3424,10 @@
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
#endif
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+ ssl->ecdh_curve_list = ecdh_default_curve_list;
+#endif
+
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
return( ret );
@@ -4610,3 +4654,13 @@
}
#endif
+
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+/*
+ * Set the allowed ECDH curves.
+ */
+void ssl_set_ecdh_curves( ssl_context *ssl, const ecp_group_id *ecdh_curve_list )
+{
+ ssl->ecdh_curve_list = ecdh_curve_list;
+}
+#endif
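Review bot: `ssl_set_ecdh_curves` stores the caller's pointer as-is, but its comment does not state the contract that readers of `ssl->ecdh_curve_list` depend on. The array is not copied, so it must stay valid for as long as the context is in use, and it must end with `POLARSSL_ECP_DP_NONE` as the default list in ssl_init does. Without the terminator, or with a NULL argument, the code that walks the list would presumably read out of bounds or dereference NULL; that code is not in this diff. Suggested comment: `/* Set the allowed ECDH curves, in decreasing order of preference. The list must be terminated by POLARSSL_ECP_DP_NONE and is not copied: it must remain valid for the lifetime of the context. */`.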