commit b541da6ef394d1da303a7408821c100a56a27bc2
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jun 17 11:43:30 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jun 17 14:27:38 2015 +0200
tree ac8b003472bc161167adf1da3b7e081ecc6fb2e0
parent 6e3ee3ad43e2a194bdf462fb9ef9a46edad6484c

Fix define for ssl_conf_curves()

This is a security feature, it shouldn't be optional.

include/mbedtls/compat-1.3.h

diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index 8a3ab96..0af0a9e 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -585,9 +585,6 @@
 #if defined MBEDTLS_SSL_SESSION_TICKETS
 #define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
 #endif
-#if defined MBEDTLS_SSL_SET_CURVES
-#define POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
-#endif
 #if defined MBEDTLS_SSL_SRV_C
 #define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
 #endif

include/mbedtls/config.h

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f0d293c..02dd969 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1155,20 +1155,6 @@
 #define MBEDTLS_SSL_TRUNCATED_HMAC
 
 /**
- * \def MBEDTLS_SSL_SET_CURVES
- *
- * Enable mbedtls_ssl_conf_curves().
- *
- * This is disabled by default since it breaks binary compatibility with the
- * 1.3.x line. If you choose to enable it, you will need to rebuild your
- * application against the new header files, relinking will not be enough.
- * It will be enabled by default, or no longer an option, in the 1.4 branch.
- *
- * Uncomment to make mbedtls_ssl_conf_curves() available.
- */
-//#define MBEDTLS_SSL_SET_CURVES
-
-/**
  * \def MBEDTLS_THREADING_ALT
  *
  * Provide your own alternate threading implementation.

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4bca71c..318ca46 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -535,7 +535,7 @@
     mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
     const mbedtls_ecp_group_id *curve_list; /*!< allowed curves             */
 #endif
 
@@ -1504,7 +1504,7 @@
                                       unsigned int bitlen );
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /**
  * \brief          Set the allowed curves in order of preference.
  *                 (Default: all defined curves.)
@@ -1524,7 +1524,7 @@
  *                 terminated by MBEDTLS_ECP_DP_NONE.
  */
 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves );
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**

include/mbedtls/ssl_internal.h

diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 122c1ee..e074ce2 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -375,7 +375,7 @@
 
 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
 #endif
 

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 72ce76f..3d3f3d1 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -255,7 +255,7 @@
     unsigned char *elliptic_curve_list = p + 6;
     size_t elliptic_curve_len = 0;
     const mbedtls_ecp_curve_info *info;
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
     const mbedtls_ecp_group_id *grp_id;
 #else
     ((void) ssl);
@@ -265,7 +265,7 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
     for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
     {
         info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
@@ -1683,7 +1683,7 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
     if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
 #else
     if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7db5a3c..554a552 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2641,7 +2641,7 @@
          * } ServerECDHParams;
          */
         const mbedtls_ecp_curve_info **curve = NULL;
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
         const mbedtls_ecp_group_id *gid;
 
         /* Match our preference list against the offered curves */

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9ce9739..7a1284a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4081,7 +4081,7 @@
          * Secondary checks: always done, but change 'ret' only if it was 0
          */
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
         {
             const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
 
@@ -4094,7 +4094,7 @@
                     ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
             }
         }
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 
         if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
                                   ciphersuite_info,
@@ -5478,7 +5478,7 @@
 }
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /*
  * Set the allowed elliptic curves
  */
@@ -6665,7 +6665,7 @@
     conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
 #endif
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
     conf->curve_list = mbedtls_ecp_grp_id_list( );
 #endif
 
@@ -6804,7 +6804,7 @@
     }
 }
 
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /*
  * Check is a curve proposed by the peer is in our list.
  * Return 1 if we're willing to use it, 0 otherwise.
@@ -6819,7 +6819,7 @@
 
     return( 0 );
 }
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,

library/version_features.c

diff --git a/library/version_features.c b/library/version_features.c
index e534b32..7ad0f02 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -385,9 +385,6 @@
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
     "MBEDTLS_SSL_TRUNCATED_HMAC",
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
-#if defined(MBEDTLS_SSL_SET_CURVES)
-    "MBEDTLS_SSL_SET_CURVES",
-#endif /* MBEDTLS_SSL_SET_CURVES */
 #if defined(MBEDTLS_THREADING_ALT)
     "MBEDTLS_THREADING_ALT",
 #endif /* MBEDTLS_THREADING_ALT */

scripts/data_files/rename-1.3-2.0.txt

diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt
index d395091..bfe2eb2 100644
--- a/scripts/data_files/rename-1.3-2.0.txt
+++ b/scripts/data_files/rename-1.3-2.0.txt
@@ -881,7 +881,6 @@
 POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
 POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
 POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
-POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
 POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
 POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO