Fix for setting curve using all caps with wolfSSL_set1_curves_list

JacobBarthelmeh · JacobBarthelmeh · commit 65286e4e2a5e · 2026-03-05T15:40:19.000-07:00
diff --git a/src/ssl.c b/src/ssl.c
@@ -16949,7 +16949,7 @@ int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names,
                 goto leave;
             }
 
-            eccSet = wc_ecc_get_curve_params(ret);
+            eccSet = wc_ecc_get_curve_params(nret);
             if (eccSet == NULL) {
                 WOLFSSL_MSG("NULL set returned");
                 goto leave;
diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
@@ -666,3 +666,47 @@ int test_tls12_bad_cv_sig_alg(void)
     return EXPECT_RESULT();
 }
 
+/* Test that set_curves_list correctly resolves ECC curve names that fall
+ * through the kNistCurves table and reach the wc_ecc_get_curve_idx_from_name
+ * fallback path.  The kNistCurves lookup uses a case-sensitive XSTRNCMP, so
+ * uppercase names like "SECP384R1" do not match the lowercase "secp384r1"
+ * entry; they fall through to the wolfCrypt ECC look-up which uses
+ * XSTRCASECMP. */
+int test_tls_set_curves_list_ecc_fallback(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECC) && \
+    (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && \
+    !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+    (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
+    ECC_MIN_KEY_SZ <= 384
+#ifndef NO_WOLFSSL_CLIENT
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL*     ssl = NULL;
+
+    /* "SECP384R1" (uppercase) is NOT in kNistCurves (case-sensitive table),
+     * so set_curves_list must use the wc_ecc_get_curve_idx_from_name fallback.
+     */
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
+
+    /* CTX-level: set single curve via its wolfCrypt name (uppercase) */
+    ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "SECP384R1"),
+                WOLFSSL_SUCCESS);
+
+    /* Verify the correct curve was stored, not ecc_sets[0] */
+    ExpectIntEQ(ctx->numGroups, 1);
+    ExpectIntEQ(ctx->group[0], WOLFSSL_ECC_SECP384R1);
+
+    /* SSL-level: same check via wolfSSL_set1_curves_list */
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_set1_curves_list(ssl, "SECP384R1"), WOLFSSL_SUCCESS);
+    ExpectIntEQ(ssl->numGroups, 1);
+    ExpectIntEQ(ssl->group[0], WOLFSSL_ECC_SECP384R1);
+
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif /* NO_WOLFSSL_CLIENT */
+#endif
+    return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_tls.h b/tests/api/test_tls.h
@@ -29,6 +29,7 @@ int test_tls12_curve_intersection(void);
 int test_tls13_curve_intersection(void);
 int test_tls_certreq_order(void);
 int test_tls12_bad_cv_sig_alg(void);
+int test_tls_set_curves_list_ecc_fallback(void);
 
 #define TEST_TLS_DECLS                                                         \
         TEST_DECL_GROUP("tls", test_utils_memio_move_message),                 \
@@ -37,6 +38,7 @@ int test_tls12_bad_cv_sig_alg(void);
         TEST_DECL_GROUP("tls", test_tls12_curve_intersection),                 \
         TEST_DECL_GROUP("tls", test_tls13_curve_intersection),                 \
         TEST_DECL_GROUP("tls", test_tls_certreq_order),                        \
-        TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg)
+        TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg),                     \
+        TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback)
 
 #endif /* TESTS_API_TEST_TLS_H */

Original file line number	Diff line number	Diff line change
`@@ -16949,7 +16949,7 @@ int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX ctx, const char names,`
`16949`	`16949`	`goto leave;`
`16950`	`16950`	`}`
`16951`	`16951`
`16952`		`- eccSet = wc_ecc_get_curve_params(ret);`
	`16952`	`+ eccSet = wc_ecc_get_curve_params(nret);`
`16953`	`16953`	`if (eccSet == NULL) {`
`16954`	`16954`	`WOLFSSL_MSG("NULL set returned");`
`16955`	`16955`	`goto leave;`