
Commit d089b9c

tls_wolfssl: properly enforce the configured ec_curve
TLS outgoing connections would not properly use the configured curve, but instead whatever curve the server selected.
1 parent 4caa2a6 commit d089b9c


1 file changed

+35
-17
lines changed


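--- a/modules/tls_wolfssl/wolfssl_config.c
+++ b/modules/tls_wolfssl/wolfssl_config.c
@@ -255,28 +255,45 @@ static int set_dh_params_db(WOLFSSL_CTX * ctx, str *blob)
 	return 0;
 }
 
-static int set_ec_params(WOLFSSL_CTX * ctx, const char* curve_name)
+static int set_ec_params(WOLFSSL_CTX * ctx, enum tls_method method,
+	int is_server, char *curve_name)
 {
 	int curve = 0;
-	if (curve_name) {
-		curve = wolfSSL_OBJ_txt2nid(curve_name);
-	}
-	if (curve > 0) {
-		WOLFSSL_EC_KEY *ecdh = wolfSSL_EC_KEY_new_by_curve_name(curve);
-		if (! ecdh) {
-			LM_ERR("unable to create EC curve\n");
+
+	if (is_server) {
+		if (curve_name)
+			curve = wolfSSL_OBJ_txt2nid(curve_name);
+		if (curve > 0) {
+			WOLFSSL_EC_KEY *ecdh = wolfSSL_EC_KEY_new_by_curve_name(curve);
+			if (!ecdh) {
+				LM_ERR("unable to create EC curve\n");
+				return -1;
+			}
+			if (1 != wolfSSL_SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+				LM_ERR("unable to set tmp_ecdh\n");
+				return -1;
+			}
+			wolfSSL_EC_KEY_free(ecdh);
+		} else {
+			LM_ERR("unable to find the EC curve\n");
 			return -1;
 		}
-		if (1 != wolfSSL_SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
-			LM_ERR("unable to set tmp_ecdh\n");
-			return -1;
+	} else {
+		if (method == TLS_USE_TLSv1_3) {
+			if (wolfSSL_CTX_set1_groups_list(ctx, curve_name) ==
+					WOLFSSL_FAILURE) {
+				LM_ERR("Failed to set EC curve\n");
+				return -1;
+			}
+		} else {
+			if (wolfSSL_CTX_set1_curves_list(ctx, curve_name) ==
+					WOLFSSL_FAILURE) {
+				LM_ERR("Failed to set EC curve\n");
+				return -1;
+			}
 		}
-		wolfSSL_EC_KEY_free(ecdh);
-	}
-	else {
-		LM_ERR("unable to find the EC curve\n");
-		return -1;
 	}
+
 	return 0;
 }
 
@@ -503,7 +520,8 @@ int _wolfssl_init_tls_dom(struct tls_domain *d, int init_flags)
 
 	if (!d->tls_ec_curve)
 		LM_NOTICE("No EC curve defined\n");
-	else if (set_ec_params(d->ctx, d->tls_ec_curve) < 0)
+	else if (set_ec_params(d->ctx, d->method, d->flags & DOM_FLAG_SRV,
+		d->tls_ec_curve) < 0)
 		goto end;
 
 	if (d->ciphers_list != 0 &&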
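Review bot: The server branch of set_ec_params leaks the EC key on one error path: `ecdh` is created at new line 267, but when `wolfSSL_SSL_CTX_set_tmp_ecdh` fails at lines 272–274 the function returns -1 without releasing it (the create-failure arm just above has nothing to free, so only this arm is affected). Change that arm to `wolfSSL_EC_KEY_free(ecdh);` followed by `return -1;`. Separately, the new client branch hands `curve_name` straight to `wolfSSL_CTX_set1_groups_list` / `wolfSSL_CTX_set1_curves_list` without the NULL guard the server branch keeps; the one visible caller in `_wolfssl_init_tls_dom` already skips the call when `d->tls_ec_curve` is unset, so this is safe for that caller, but the changed contract should be stated on the function, e.g. `/* curve_name must be non-NULL for client (non-server) domains */`.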
