| author | Jay Satiro <raysatiro@yahoo.com> | 2016-03-29 19:06:55 -0400 | 
|---|---|---|
| committer | Jay Satiro <raysatiro@yahoo.com> | 2016-03-29 19:06:55 -0400 | 
| commit | 79216287148c4ede29cd3a0b4c2dc961908c79d2 (patch) | |
| tree | 2759adadb169efa7c922c3c1ee89045db3ecc7e6 | |
| parent | 27c99a37ba55a78e3227c7058cf7533bb4aa7296 (diff) | |
wolfssl: Use ECC supported curves extension
https://github.com/wolfSSL/wolfssl/issues/366
| -rw-r--r-- | configure.ac | 4 | ||||
| -rw-r--r-- | lib/vtls/cyassl.c | 19 | ||||
| -rw-r--r-- | projects/wolfssl_options.h | 4 | 
3 files changed, 26 insertions, 1 deletions
| diff --git a/configure.ac b/configure.ac
index b3ad5816f..6826b10a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2206,11 +2206,13 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
         dnl Recent WolfSSL versions build without SSLv3 by default
         dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
         AC_CHECK_FUNCS(wolfSSLv3_client_method \
+                       wolfSSL_CTX_UseSupportedCurve \
                        wolfSSL_get_peer_certificate \
                        wolfSSL_UseALPN)
       else
         dnl Cyassl needs configure --enable-opensslextra to have *get_peer*
-        AC_CHECK_FUNCS(CyaSSL_get_peer_certificate)
+        AC_CHECK_FUNCS(CyaSSL_CTX_UseSupportedCurve \
+                       CyaSSL_get_peer_certificate)
       fi
 
       if test -n "$cyassllib"; then
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 7fa853678..0bd318f7c 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -112,6 +112,15 @@ and that's a problem since options.h hasn't been included yet. */
 #endif
 #endif
 
+/* HAVE_SUPPORTED_CURVES is wolfSSL's build time symbol for enabling the ECC
+   supported curve extension in options.h. Note ECC is enabled separately. */
+#ifndef HAVE_SUPPORTED_CURVES
+#if defined(HAVE_CYASSL_CTX_USESUPPORTEDCURVE) || \
+    defined(HAVE_WOLFSSL_CTX_USESUPPORTEDCURVE)
+#define HAVE_SUPPORTED_CURVES
+#endif
+#endif
+
 static Curl_recv cyassl_recv;
 static Curl_send cyassl_send;
 
@@ -313,6 +322,16 @@ cyassl_connect_step1(struct connectdata *conn,
   }
 #endif
 
+#ifdef HAVE_SUPPORTED_CURVES
+  /* CyaSSL/wolfSSL does not send the supported ECC curves ext automatically:
+     https://github.com/wolfSSL/wolfssl/issues/366
+     The supported curves below are those also supported by OpenSSL 1.0.2 and
+     in the same order. */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x17); /* secp256r1 */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x19); /* secp521r1 */
+  CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x18); /* secp384r1 */
+#endif
+
   /* give application a chance to interfere with SSL set up. */
   if(data->set.ssl.fsslctx) {
     CURLcode result = CURLE_OK;
diff --git a/projects/wolfssl_options.h b/projects/wolfssl_options.h
index b668daaf5..04752b811 100644
--- a/projects/wolfssl_options.h
+++ b/projects/wolfssl_options.h
@@ -30,6 +30,7 @@ C_EXTRA_FLAGS="\
   --enable-sha512 \
   --enable-sni \
   --enable-sslv3 \
+  --enable-supportedcurves \
   --enable-testcert \
   > config.out 2>&1
 
@@ -158,6 +159,9 @@ extern "C" {
 #undef  HAVE_TLS_EXTENSIONS
 #define HAVE_TLS_EXTENSIONS
 
+#undef  HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
 #undef  WOLFSSL_TEST_CERT
 #define WOLFSSL_TEST_CERT
 
| 
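Review bot: The three CyaSSL_CTX_UseSupportedCurve() calls in the second cyassl.c hunk discard their return value, so if one of them fails the ClientHello is silently sent without that curve (or without the extension at all) and the handshake fails later, far from the cause. wolfSSL reports success with SSL_SUCCESS; checking that and failing the connection through failf() with CURLE_SSL_CONNECT_ERROR keeps the error local, and a small table loop also removes the three repeated lines. The literals 0x17/0x19/0x18 would read better either with a comment naming them as TLS NamedCurve registry values or, if every wolfSSL version curl supports provides them, as the WOLFSSL_ECC_SECP256R1/WOLFSSL_ECC_SECP521R1/WOLFSSL_ECC_SECP384R1 enum names. cyassl_connect_step1 begins before this hunk; the rewrite below keeps the hunk's own `conssl` and `data` and assumes the function's existing error paths already release the context.
```c
#ifdef HAVE_SUPPORTED_CURVES
  {
    /* … unchanged: comment explaining why the extension is set by hand … */
    /* secp256r1, secp521r1, secp384r1: the set and order OpenSSL 1.0.2 uses */
    static const unsigned short curves[] = { 0x17, 0x19, 0x18 };
    size_t i;
    for(i = 0; i < sizeof(curves) / sizeof(curves[0]); i++) {
      if(CyaSSL_CTX_UseSupportedCurve(conssl->ctx, curves[i]) != SSL_SUCCESS) {
        failf(data, "SSL: couldn't register supported curve 0x%x",
              (unsigned)curves[i]);
        return CURLE_SSL_CONNECT_ERROR;
      }
    }
  }
#endif
```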
