author | 2017-08-10 18:18:30 +0000 | |
---|---|---|
committer | 2017-08-10 18:18:30 +0000 | |
commit | 4896de1e4badc3cc28e3046a4145c94570c197d2 (patch) | |
tree | 675db9eb2fb44065f6c47ba2145fdc64cd07fb85 /lib/libtls/tls_client.c | |
parent | Prevent an unlikely resource leak (diff) | |
Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.
This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.
ok beck@
Diffstat (limited to 'lib/libtls/tls_client.c')
-rw-r--r-- | lib/libtls/tls_client.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index b92490f25d1..c79f462a3a5 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.42 2017/05/07 03:27:06 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -198,6 +198,14 @@ tls_connect_common(struct tls *ctx, const char *servername)
 	if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
 		goto err;
 
+	if (ctx->config->ecdhecurves != NULL) {
+		if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves,
+		    ctx->config->ecdhecurves_len) != 1) {
+			tls_set_errorx(ctx, "failed to set ecdhe curves");
+			goto err;
+		}
+	}
+
 	if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
 		tls_set_errorx(ctx, "ssl OCSP verification setup failure");
 		goto err; |
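Review bot: The new group-configuration block in the second hunk carries no comment explaining what happens when `ctx->config->ecdhecurves` is NULL, which is the case every caller that never used the new setter hits; a one-line comment such as `/* A NULL curve list leaves the SSL_CTX's default group list in effect. */` above the outer `if` would make the fallback explicit (the default-list behaviour is presumably what SSL_CTX_set1_groups not being called implies; confirm against the libssl side). As a point of style, the two nested `if`s could be collapsed into one guard, `if (ctx->config->ecdhecurves != NULL && SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves, ctx->config->ecdhecurves_len) != 1) {`, which keeps the error path at the same depth as the surrounding `tls_configure_ssl_verify` and `SSL_CTX_set_tlsext_status_cb` checks. The enclosing function `tls_connect_common` begins before and continues past this hunk.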