obey user ecc choices at TLS layer

src/internal.c

@@ -9562,6 +9562,42 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
 #endif /* !NO_CERTS */
 
 
+#ifdef HAVE_ECC
+
+    static int CheckCurveId(int oid)
+    {
+        int ret = 0;
+
+        switch (oid) {
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
+            case WOLFSSL_ECC_SECP160R1:
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
+            case WOLFSSL_ECC_SECP192R1:
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
+            case WOLFSSL_ECC_SECP224R1:
+#endif
+#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
+            case WOLFSSL_ECC_SECP256R1:
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
+            case WOLFSSL_ECC_SECP384R1:
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
+            case WOLFSSL_ECC_SECP521R1:
+#endif
+                break;
+
+            default:
+                ret = -1;
+        }
+
+        return ret;
+    }
+
+#endif /* HAVE_ECC */
+
     static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                    word32* inOutIdx, word32 size)
     {
@@ -9689,9 +9725,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
         *inOutIdx += 1;   /* curve type, eat leading 0 */
         b = input[(*inOutIdx)++];
 
-        if (b != secp256r1 && b != secp384r1 && b != secp521r1 && b !=
+        if (CheckCurveId(b) != 0) {
-                 secp160r1 && b != secp192r1 && b != secp224r1)
             return ECC_CURVE_ERROR;
+        }
 
         length = input[(*inOutIdx)++];
 
@@ -11180,18 +11216,30 @@ int DoSessionTicket(WOLFSSL* ssl,
     static byte SetCurveId(int size)
     {
         switch(size) {
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
             case 20:
-                return secp160r1;
+                return WOLFSSL_ECC_SECP160R1;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
             case 24:
-                return secp192r1;
+                return WOLFSSL_ECC_SECP192R1;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
             case 28:
-                return secp224r1;
+                return WOLFSSL_ECC_SECP224R1;
+#endif
+#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
             case 32:
-                return secp256r1;
+                return WOLFSSL_ECC_SECP256R1;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
             case 48:
-                return secp384r1;
+                return WOLFSSL_ECC_SECP384R1;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
             case 66:
-                return secp521r1;
+                return WOLFSSL_ECC_SECP521R1;
+#endif
             default:
                 return 0;
         }

src/tls.c

@@ -1502,12 +1502,24 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
     for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
 
         switch (curve->name) {
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
             case WOLFSSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
             case WOLFSSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
             case WOLFSSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break;
+#endif
+#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
             case WOLFSSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
             case WOLFSSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break;
+#endif
+#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
             case WOLFSSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break;
+#endif
             default: continue; /* unsupported curve */
         }
 

tests/api.c

@@ -1126,18 +1126,18 @@ static void test_wolfSSL_UseSupportedCurve(void)
 #ifndef NO_WOLFSSL_CLIENT
     /* error cases */
     AssertIntNE(SSL_SUCCESS,
-                      wolfSSL_CTX_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP160R1));
+                      wolfSSL_CTX_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1));
     AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSupportedCurve(ctx,  0));
 
     AssertIntNE(SSL_SUCCESS,
-                          wolfSSL_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP160R1));
+                          wolfSSL_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1));
     AssertIntNE(SSL_SUCCESS, wolfSSL_UseSupportedCurve(ssl,  0));
 
     /* success case */
     AssertIntEQ(SSL_SUCCESS,
-                       wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP160R1));
+                       wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1));
     AssertIntEQ(SSL_SUCCESS,
-                           wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1));
+                           wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1));
 #endif
 
     wolfSSL_free(ssl);

wolfssl/internal.h

@@ -1576,18 +1576,6 @@ enum EccCurves {
 };
 
 
-/* Supprted ECC Named Curves */
-enum EccNamedCurves {
-    secp256r1 = 0x17,         /* default, OpenSSL also calls it prime256v1 */
-    secp384r1 = 0x18,
-    secp521r1 = 0x19,
-
-    secp160r1 = 0x10,
-    secp192r1 = 0x13,        /*           Openssl also call it prime192v1 */
-    secp224r1 = 0x15
-};
-
-
 /* Valid client certificate request types from page 27 */
 enum ClientCertificateType {    
     rsa_sign            = 1, 

wolfssl/ssl.h

@@ -1324,8 +1324,6 @@ WOLFSSL_API int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx);
 #endif
 
 /* Elliptic Curves */
-#ifdef HAVE_SUPPORTED_CURVES
-
 enum {
     WOLFSSL_ECC_SECP160R1 = 0x10,
     WOLFSSL_ECC_SECP192R1 = 0x13,
@@ -1335,6 +1333,7 @@ enum {
     WOLFSSL_ECC_SECP521R1 = 0x19
 };
 
+#ifdef HAVE_SUPPORTED_CURVES
 #ifndef NO_WOLFSSL_CLIENT
 
 WOLFSSL_API int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, unsigned short name);