Add a tls_config_set_ecdhecurves() function to libtls, which allows the

names of the elliptic curves that may be used during client and server
key exchange to be specified.

This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.

ok beck@

1 files changed, 5 insertions, 2 deletions

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 6079babccf..9e9443dbaf 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.63 2017/08/09 21:27:24 claudio Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.64 2017/08/10 18:18:30 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -33,6 +33,8 @@ __BEGIN_HIDDEN_DECLS
 #define TLS_CIPHERS_LEGACY      "HIGH:MEDIUM:!aNULL"
 #define TLS_CIPHERS_ALL         "ALL:!aNULL:!eNULL"
 
+#define TLS_ECDHE_CURVES        "X25519,P-256,P-384"
+
 union tls_addr {
         struct in_addr ip4;
         struct in6_addr ip6;
@@ -87,7 +89,8 @@ struct tls_config {
         char *crl_mem;
         size_t crl_len;
         int dheparams;
-        int ecdhecurve;
+        int *ecdhecurves;
+        size_t ecdhecurves_len;
         struct tls_keypair *keypair;
         int ocsp_require_stapling;
         uint32_t protocols;