From 6e56635a097036362a4d6a4676fa2c848586ef5c Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 4 Mar 2026 10:42:24 -0700
Subject: [PATCH] Fix for setting curve using all caps with wolfSSL_set1_curves_list
---
 src/ssl.c | 2 +-
 tests/api/test_tls.c | 45 ++++++++++++++++++++++++++++++++++++++++++++
 tests/api/test_tls.h | 4 +++-
 3 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index c0d80819674..518ada55e07 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -16957,7 +16957,7 @@ int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names,
 goto leave;
 }
- eccSet = wc_ecc_get_curve_params(ret);
+ eccSet = wc_ecc_get_curve_params(nret);
 if (eccSet == NULL) {
 WOLFSSL_MSG("NULL set returned");
 goto leave;
diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
index f2919672c98..565006171bc 100644
--- a/tests/api/test_tls.c
+++ b/tests/api/test_tls.c
@@ -30,6 +30,7 @@
 #include
 #include
+#include
 int test_utils_memio_move_message(void)
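Review bot: In src/ssl.c, the corrected call `wc_ecc_get_curve_params(nret)` sits beside a variable named `ret`, and that one-letter difference is apparently what let the wrong value reach the curve lookup before. A short comment at the call would make the distinction visible to the next reader, for example `/* nret: curve index from the name lookup; ret holds only the status */`. The test comment added in this commit indicates the old call resolved to ecc_sets[0], so a caller asking for one curve could silently be configured with another. The assignment of nret and the rest of set_curves_list lie outside the hunk, so the comment wording should be checked against the lines above it.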
@@ -723,3 +724,47 @@ int test_tls12_no_null_compression(void)
 return EXPECT_RESULT();
 }
+/* Test that set_curves_list correctly resolves ECC curve names that fall
+ * through the kNistCurves table and reach the wc_ecc_get_curve_idx_from_name
+ * fallback path. The kNistCurves lookup uses a case-sensitive XSTRNCMP, so
+ * uppercase names like "SECP384R1" do not match the lowercase "secp384r1"
+ * entry; they fall through to the wolfCrypt ECC look-up which uses
+ * XSTRCASECMP. */
+int test_tls_set_curves_list_ecc_fallback(void)
+{
+ EXPECT_DECLS;
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECC) && \
+ (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && \
+ !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+ (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
+ ECC_MIN_KEY_SZ <= 384
+#ifndef NO_WOLFSSL_CLIENT
+ WOLFSSL_CTX* ctx = NULL;
+ WOLFSSL* ssl = NULL;
+
+ /* "SECP384R1" (uppercase) is NOT in kNistCurves (case-sensitive table),
+ * so set_curves_list must use the wc_ecc_get_curve_idx_from_name fallback.
+ */
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
+
+ /* CTX-level: set single curve via its wolfCrypt name (uppercase) */
+ ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "SECP384R1"),
+ WOLFSSL_SUCCESS);
+
+ /* Verify the correct curve was stored, not ecc_sets[0] */
+ ExpectIntEQ(ctx->numGroups, 1);
+ ExpectIntEQ(ctx->group[0], WOLFSSL_ECC_SECP384R1);
+
+ /* SSL-level: same check via wolfSSL_set1_curves_list */
+ ExpectNotNull(ssl = wolfSSL_new(ctx));
+ ExpectIntEQ(wolfSSL_set1_curves_list(ssl, "SECP384R1"), WOLFSSL_SUCCESS);
+ ExpectIntEQ(ssl->numGroups, 1);
+ ExpectIntEQ(ssl->group[0], WOLFSSL_ECC_SECP384R1);
+
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+#endif /* NO_WOLFSSL_CLIENT */
+#endif
+ return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_tls.h b/tests/api/test_tls.h
index e295ba05339..46d54043446 100644
--- a/tests/api/test_tls.h
+++ b/tests/api/test_tls.h
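Review bot: In tests/api/test_tls.c, test_tls_set_curves_list_ecc_fallback checks only the success path for a single all-uppercase name, so it would still pass if the fallback started accepting a name it should reject. A negative case after the CTX-level checks would pin that down, for example `ExpectIntNE(wolfSSL_CTX_set1_curves_list(ctx, "SECP384R1X"), WOLFSSL_SUCCESS);`, where the name is a constructed non-curve. A mixed-case spelling of the same curve would also show that the fix is not specific to one exact string. Whether the group list should stay unchanged after a rejected call cannot be told from this hunk, so that expectation should be confirmed against set_curves_list before asserting it.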
@@ -30,6 +30,7 @@ int test_tls13_curve_intersection(void);
 int test_tls_certreq_order(void);
 int test_tls12_bad_cv_sig_alg(void);
 int test_tls12_no_null_compression(void);
+int test_tls_set_curves_list_ecc_fallback(void);
 #define TEST_TLS_DECLS \
 TEST_DECL_GROUP("tls", test_utils_memio_move_message), \
@@ -39,6 +40,7 @@ int test_tls12_no_null_compression(void);
 TEST_DECL_GROUP("tls", test_tls13_curve_intersection), \
 TEST_DECL_GROUP("tls", test_tls_certreq_order), \
 TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg), \
- TEST_DECL_GROUP("tls", test_tls12_no_null_compression)
+ TEST_DECL_GROUP("tls", test_tls12_no_null_compression), \
+ TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback)
 #endif /* TESTS_API_TEST_TLS_H */