Enforce our choice of allowed curves.

2025-07-28 00:21:48 +03:00 · 2014-02-04 16:18:07 +01:00
parent 7f38ed0bfa
commit ab24010b54
3 changed files with 52 additions and 6 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -1168,7 +1168,10 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
 *                 list of available certificates instead.
 *
 *                 On client: this affects the list of curves offered for any
- *                 use. The server can override our preferences.
+ *                 use. The server can override our preference order.
+ *
+ *                 Both sides: limits the set of curves used by peer to the
+ *                 listed curves for any use (ECDH(E), certificates).
 *
 * \param ssl      SSL context
 * \param curves   Ordered list of allowed curves,
@ -1589,6 +1592,10 @@ pk_type_t ssl_pk_alg_from_sig( unsigned char sig );

 md_type_t ssl_md_alg_from_hash( unsigned char hash );

+#if defined(POLARSSL_SSL_SET_CURVES)
+int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id );
+#endif
+
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 static inline pk_context *ssl_own_key( ssl_context *ssl )
 {