authorJoel Sing <jsing@cvs.openbsd.org>2017-01-24 09:03:22 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-01-24 09:03:22 +0000
commit502620772be44027e941c491198c173fbec80124 (patch)
tree552eefdb23b6f681b9d5eeaa03495165a4e48d1f /lib/libssl/s3_lib.c
parent54d63b68966f5b64d866db582a00ef51619a2c78 (diff)
Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such as brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
Diffstat (limited to 'lib/libssl/s3_lib.c')
-rw-r--r--lib/libssl/s3_lib.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 1b0ddc702fb..9d0217e95f4 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.129 2017/01/24 03:00:54 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.130 2017/01/24 09:03:21 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2154,9 +2154,24 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
default:
break;
}
+
return (ret);
}
+int
+SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
+{
+ return tls1_set_groups(&s->internal->tlsext_supportedgroups,
+ &s->internal->tlsext_supportedgroups_length, groups, groups_len);
+}
+
+int
+SSL_set1_groups_list(SSL *s, const char *groups)
+{
+ return tls1_set_groups_list(&s->internal->tlsext_supportedgroups,
+ &s->internal->tlsext_supportedgroups_length, groups);
+}
+
long
ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
{
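Review bot: The four new public setters (`SSL_set1_groups` and `SSL_set1_groups_list` in this hunk, `SSL_CTX_set1_groups` and `SSL_CTX_set1_groups_list` in the next) carry no comment stating their return convention or what state the group list is left in when the call fails. Each one returns the result of `tls1_set_groups()` or `tls1_set_groups_list()` unchanged, and those helpers are defined outside this file section, so it cannot be confirmed from here whether a rejected list leaves the previous groups in force. If it does, a caller that ignores the return value would keep negotiating with the default curves while believing a stricter policy was applied. I would add a short comment above each function, for example `/* Replaces the supported groups from the caller's list; returns the tls1_set_groups() result, which callers must check. */`, and state there whether the list is copied, as the set1 name suggests. The helpers should be checked for how they handle a NULL or empty list and a zero `groups_len`, since these wrappers pass the arguments through unvalidated.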
@@ -2327,6 +2342,20 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return (1);
}
+int
+SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
+{
+ return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
+ &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
+}
+
+int
+SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
+{
+ return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups,
+ &ctx->internal->tlsext_supportedgroups_length, groups);
+}
+
long
ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
{