diff --git a/src/internal.c b/src/internal.c index 69e107ad4..2097f3ff1 100644 --- a/src/internal.c +++ b/src/internal.c @@ -23052,6 +23052,88 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif /* NO_WOLFSSL_CLIENT */ +#ifdef HAVE_ECC + /* returns the WOLFSSL_* version of the curve from the OID sum */ + word16 GetCurveByOID(int oidSum) { + switch(oidSum) { + #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP160R1_OID: + return WOLFSSL_ECC_SECP160R1; + #endif /* !NO_ECC_SECP */ + #ifdef HAVE_ECC_SECPR2 + case ECC_SECP160R2_OID: + return WOLFSSL_ECC_SECP160R2; + #endif /* HAVE_ECC_SECPR2 */ + #ifdef HAVE_ECC_KOBLITZ + case ECC_SECP160K1_OID: + return WOLFSSL_ECC_SECP160K1; + #endif /* HAVE_ECC_KOBLITZ */ + #endif + #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP192R1_OID: + return WOLFSSL_ECC_SECP192R1; + #endif /* !NO_ECC_SECP */ + #ifdef HAVE_ECC_KOBLITZ + case ECC_SECP192K1_OID: + return WOLFSSL_ECC_SECP192K1; + #endif /* HAVE_ECC_KOBLITZ */ + #endif + #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP224R1_OID: + return WOLFSSL_ECC_SECP224R1; + #endif /* !NO_ECC_SECP */ + #ifdef HAVE_ECC_KOBLITZ + case ECC_SECP224K1_OID: + return WOLFSSL_ECC_SECP224K1; + #endif /* HAVE_ECC_KOBLITZ */ + #endif + #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP256R1_OID: + return WOLFSSL_ECC_SECP256R1; + #endif /* !NO_ECC_SECP */ + #ifdef HAVE_ECC_KOBLITZ + case ECC_SECP256K1_OID: + return WOLFSSL_ECC_SECP256K1; + #endif /* HAVE_ECC_KOBLITZ */ + #ifdef HAVE_ECC_BRAINPOOL + case ECC_BRAINPOOLP256R1_OID: + return WOLFSSL_ECC_BRAINPOOLP256R1; + #endif /* HAVE_ECC_BRAINPOOL */ + #endif + #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP384R1_OID: + return WOLFSSL_ECC_SECP384R1; + #endif /* !NO_ECC_SECP */ + #ifdef HAVE_ECC_BRAINPOOL + case ECC_BRAINPOOLP384R1_OID: + return WOLFSSL_ECC_BRAINPOOLP384R1; + #endif /* HAVE_ECC_BRAINPOOL */ + #endif + #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) + #ifdef HAVE_ECC_BRAINPOOL + case ECC_BRAINPOOLP512R1_OID: + return WOLFSSL_ECC_BRAINPOOLP512R1; + #endif /* HAVE_ECC_BRAINPOOL */ + #endif + #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) + #ifndef NO_ECC_SECP + case ECC_SECP521R1_OID: + return WOLFSSL_ECC_SECP521R1; + #endif /* !NO_ECC_SECP */ + #endif + default: + WOLFSSL_MSG("Curve OID not compiled in or implemented"); + return 0; + } + } +#endif /* HAVE_ECC */ + + #ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 @@ -23296,80 +23378,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return 0; } - switch(key->dp->oidSum) { - #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP160R1_OID: - return WOLFSSL_ECC_SECP160R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_SECPR2 - case ECC_SECP160R2_OID: - return WOLFSSL_ECC_SECP160R2; - #endif /* HAVE_ECC_SECPR2 */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP160K1_OID: - return WOLFSSL_ECC_SECP160K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP192R1_OID: - return WOLFSSL_ECC_SECP192R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP192K1_OID: - return WOLFSSL_ECC_SECP192K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP224R1_OID: - return WOLFSSL_ECC_SECP224R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP224K1_OID: - return WOLFSSL_ECC_SECP224K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP256R1_OID: - return WOLFSSL_ECC_SECP256R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP256K1_OID: - return WOLFSSL_ECC_SECP256K1; - #endif /* HAVE_ECC_KOBLITZ */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP256R1_OID: - return WOLFSSL_ECC_BRAINPOOLP256R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP384R1_OID: - return WOLFSSL_ECC_SECP384R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP384R1_OID: - return WOLFSSL_ECC_BRAINPOOLP384R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP512R1_OID: - return WOLFSSL_ECC_BRAINPOOLP512R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP521R1_OID: - return WOLFSSL_ECC_SECP521R1; - #endif /* !NO_ECC_SECP */ - #endif - default: - return 0; - } + return (byte)GetCurveByOID(key->dp->oidSum); } #endif /* HAVE_ECC || HAVE_CURVE25519 */ diff --git a/src/ssl.c b/src/ssl.c index 8cf4f63dd..ef7d29bb1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -44403,7 +44403,7 @@ void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char ** int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) { int idx, start = 0, len; - int curve; + word16 curve; char name[MAX_CURVE_NAME_SZ]; /* Disable all curves so that only the ones the user wants are enabled. */ @@ -44432,13 +44432,51 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) (XSTRNCMP(name, "P-521", len) == 0)) { curve = WOLFSSL_ECC_SECP521R1; } - else if (XSTRNCMP(name, "X25519", len) == 0) + else if (XSTRNCMP(name, "X25519", len) == 0) { curve = WOLFSSL_ECC_X25519; - else if ((curve = wc_ecc_get_curve_id_from_name(name)) < 0) + } + else { + #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + int ret; + const ecc_set_type *eccSet; + + ret = wc_ecc_get_curve_idx_from_name(name); + if (ret < 0) { + WOLFSSL_MSG("Could not find name in set"); + return WOLFSSL_FAILURE; + } + + eccSet = wc_ecc_get_curve_params(ret); + if (eccSet == NULL) { + WOLFSSL_MSG("NULL set returned"); + return WOLFSSL_FAILURE; + } + + curve = GetCurveByOID(eccSet->oidSum); + #else + WOLFSSL_MSG("API not present to search farther using name"); return WOLFSSL_FAILURE; + #endif + } + + if (curve > (sizeof(word32) * WOLFSSL_BIT_SIZE)) { + /* shift left more than size of ctx->disabledCurves causes static + * analysis report */ + WOLFSSL_MSG("curve value is too large for upcoming shift"); + return WOLFSSL_FAILURE; + } + + #ifndef NO_WOLFSSL_CLIENT + /* set the supported curve so client TLS extension contains only the + * desired curves */ + if (wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Unable to set supported curve"); + return WOLFSSL_FAILURE; + } + #endif /* Switch the bit to off and therefore is enabled. */ - ctx->disabledCurves &= ~(1 << curve); + ctx->disabledCurves &= ~(1U << curve); start = idx + 1; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0521a7dad..15701bb4a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4466,6 +4466,7 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); #ifdef HAVE_ECC WOLFSSL_LOCAL int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer); + WOLFSSL_LOCAL word16 GetCurveByOID(int oidSum); #endif WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl); diff --git a/wolfssl/test.h b/wolfssl/test.h index 221899a41..d48e30327 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -489,8 +489,8 @@ static WC_INLINE int mygetopt(int argc, char** argv, const char* optstring) if (myoptind == 0) myoptind++; - if (myoptind >= argc || argv[myoptind][0] != '-' || - argv[myoptind][1] == '\0') { + if (myoptind >= argc || argv[myoptind] == NULL || + argv[myoptind][0] != '-' || argv[myoptind][1] == '\0') { myoptarg = NULL; if (myoptind < argc) myoptarg = argv[myoptind];