wolfssl: Use ECC supported curves extension

https://github.com/wolfSSL/wolfssl/issues/366
2024-12-21 23:58:49 -05:00 · 2016-03-29 19:06:55 -04:00 · 2016-03-29 19:06:55 -04:00 · 7921628714
commit 7921628714
parent 27c99a37ba
3 changed files with 26 additions and 1 deletions
--- a/configure.ac
+++ b/configure.ac
@ -2206,11 +2206,13 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
        dnl Recent WolfSSL versions build without SSLv3 by default
        dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
        AC_CHECK_FUNCS(wolfSSLv3_client_method \
+                       wolfSSL_CTX_UseSupportedCurve \
                       wolfSSL_get_peer_certificate \
                       wolfSSL_UseALPN)
      else
        dnl Cyassl needs configure --enable-opensslextra to have *get_peer*
-        AC_CHECK_FUNCS(CyaSSL_get_peer_certificate)
+        AC_CHECK_FUNCS(CyaSSL_CTX_UseSupportedCurve \
+                       CyaSSL_get_peer_certificate)
      fi

      if test -n "$cyassllib"; then
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@ -112,6 +112,15 @@ and that's a problem since options.h hasn't been included yet. */
 #endif
 #endif

+/* HAVE_SUPPORTED_CURVES is wolfSSL's build time symbol for enabling the ECC
+   supported curve extension in options.h. Note ECC is enabled separately. */
+#ifndef HAVE_SUPPORTED_CURVES
+#if defined(HAVE_CYASSL_CTX_USESUPPORTEDCURVE) || \
+    defined(HAVE_WOLFSSL_CTX_USESUPPORTEDCURVE)
+#define HAVE_SUPPORTED_CURVES
+#endif
+#endif
+
 static Curl_recv cyassl_recv;
 static Curl_send cyassl_send;

@ -313,6 +322,16 @@ cyassl_connect_step1(struct connectdata *conn,
  }
 #endif

+#ifdef HAVE_SUPPORTED_CURVES
+  /* CyaSSL/wolfSSL does not send the supported ECC curves ext automatically:
+     https://github.com/wolfSSL/wolfssl/issues/366
+     The supported curves below are those also supported by OpenSSL 1.0.2 and
+     in the same order. */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x17); /* secp256r1 */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x19); /* secp521r1 */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x18); /* secp384r1 */
+#endif
+
  /* give application a chance to interfere with SSL set up. */
  if(data->set.ssl.fsslctx) {
    CURLcode result = CURLE_OK;
--- a/projects/wolfssl_options.h
+++ b/projects/wolfssl_options.h
@ -30,6 +30,7 @@ C_EXTRA_FLAGS="\
  --enable-sha512 \
  --enable-sni \
  --enable-sslv3 \
+  --enable-supportedcurves \
  --enable-testcert \
  > config.out 2>&1

@ -158,6 +159,9 @@ extern "C" {
 #undef  HAVE_TLS_EXTENSIONS
 #define HAVE_TLS_EXTENSIONS

+#undef  HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
 #undef  WOLFSSL_TEST_CERT
 #define WOLFSSL_TEST_CERT