aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac4
-rw-r--r--lib/vtls/cyassl.c19
-rw-r--r--projects/wolfssl_options.h4
3 files changed, 26 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index b3ad5816f..6826b10a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2206,11 +2206,13 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
dnl Recent WolfSSL versions build without SSLv3 by default
dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
AC_CHECK_FUNCS(wolfSSLv3_client_method \
+ wolfSSL_CTX_UseSupportedCurve \
wolfSSL_get_peer_certificate \
wolfSSL_UseALPN)
else
dnl Cyassl needs configure --enable-opensslextra to have *get_peer*
- AC_CHECK_FUNCS(CyaSSL_get_peer_certificate)
+ AC_CHECK_FUNCS(CyaSSL_CTX_UseSupportedCurve \
+ CyaSSL_get_peer_certificate)
fi
if test -n "$cyassllib"; then
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 7fa853678..0bd318f7c 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -112,6 +112,15 @@ and that's a problem since options.h hasn't been included yet. */
#endif
#endif
+/* HAVE_SUPPORTED_CURVES is wolfSSL's build time symbol for enabling the ECC
+ supported curve extension in options.h. Note ECC is enabled separately. */
+#ifndef HAVE_SUPPORTED_CURVES
+#if defined(HAVE_CYASSL_CTX_USESUPPORTEDCURVE) || \
+ defined(HAVE_WOLFSSL_CTX_USESUPPORTEDCURVE)
+#define HAVE_SUPPORTED_CURVES
+#endif
+#endif
+
static Curl_recv cyassl_recv;
static Curl_send cyassl_send;
@@ -313,6 +322,16 @@ cyassl_connect_step1(struct connectdata *conn,
}
#endif
+#ifdef HAVE_SUPPORTED_CURVES
+ /* CyaSSL/wolfSSL does not send the supported ECC curves ext automatically:
+ https://github.com/wolfSSL/wolfssl/issues/366
+ The supported curves below are those also supported by OpenSSL 1.0.2 and
+ in the same order. */
+ CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x17); /* secp256r1 */
+ CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x19); /* secp521r1 */
+ CyaSSL_CTX_UseSupportedCurve(conssl->ctx, 0x18); /* secp384r1 */
+#endif
+
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
CURLcode result = CURLE_OK;
diff --git a/projects/wolfssl_options.h b/projects/wolfssl_options.h
index b668daaf5..04752b811 100644
--- a/projects/wolfssl_options.h
+++ b/projects/wolfssl_options.h
@@ -30,6 +30,7 @@ C_EXTRA_FLAGS="\
--enable-sha512 \
--enable-sni \
--enable-sslv3 \
+ --enable-supportedcurves \
--enable-testcert \
> config.out 2>&1
@@ -158,6 +159,9 @@ extern "C" {
#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS
+#undef HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
#undef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT