From 61f9174d6855a3f59617e02b5a01006cabe3d534 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Mon, 29 Jul 2019 23:13:50 -0400
Subject: s_client: Use supported curves

---
diff --git a/src/s_client.c b/src/s_client.c
index 3559728..20ef929 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -29,6 +29,7 @@
 #include <sys/socket.h>
 #include <unistd.h>
 
+#include <wolfssl/options.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfcrypt/settings.h>
 
@@ -37,7 +38,9 @@
 #define CA_CERTS "/etc/ssl/certs"
 
 #define ARRAY_SIZE(a)  (sizeof(a) / sizeof((a)[0]))
+#undef MAX
 #define MAX(a, b)      (((a) > (b)) ? (a) : (b))
+#undef MIN
 #define MIN(a, b)      (((a) < (b)) ? (a) : (b))
 
 static _Bool
@@ -57,6 +60,99 @@ parse_host_port(char *hostport, char **host, char **port)
 	return true;
 }
 
+#ifdef HAVE_SUPPORTED_CURVES
+static _Bool
+use_curves(WOLFSSL_CTX *ctx)
+{
+	static word16 curves[] = {
+#ifdef HAVE_CURVE25519
+		WOLFSSL_ECC_X25519,
+#endif
+#ifdef HAVE_ECC
+#  if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
+#    ifdef HAVE_ECC_KOBLITZ
+		WOLFSSL_ECC_SECP160K1,
+#    endif
+#    ifndef NO_ECC_SECP  /* Ugh double negative */
+		WOLFSSL_ECC_SECP160R1,
+#    endif
+#    ifdef HAVE_ECC_SECPR2
+		WOLFSSL_ECC_SECP160R2,
+#    endif
+#  endif
+#  if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
+#    ifdef HAVE_ECC_KOBLITZ
+		WOLFSSL_ECC_SECP192K1,
+#    endif
+#    ifndef NO_ECC_SECP
+		WOLFSSL_ECC_SECP192R1,
+#    endif
+#  endif
+#  if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+#    ifdef HAVE_ECC_KOBLITZ
+		WOLFSSL_ECC_SECP224K1,
+#    endif
+#    ifndef NO_ECC_SECP
+		WOLFSSL_ECC_SECP224R1,
+#    endif
+#  endif
+#  if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+#    ifdef HAVE_ECC_KOBLITZ
+		WOLFSSL_ECC_SECP256K1,
+#    endif
+#    ifndef NO_ECC_SECP
+		WOLFSSL_ECC_SECP256R1,
+#    endif
+#    ifdef HAVE_ECC_BRAINPOOL
+		WOLFSSL_ECC_BRAINPOOLP256R1,
+#    endif
+#  endif
+#  if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
+#    ifndef NO_ECC_SECP
+		WOLFSSL_ECC_SECP384R1,
+#    endif
+#    ifdef HAVE_ECC_BRAINPOOL
+		WOLFSSL_ECC_BRAINPOOLP384R1,
+#    endif
+#  endif
+#  if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
+#    ifndef NO_ECC_SECP
+		WOLFSSL_ECC_SECP521R1,
+#    endif
+#    ifdef HAVE_ECC_BRAINPOOL
+		WOLFSSL_ECC_BRAINPOOLP512R1,
+#    endif
+#  endif
+#endif  /* HAVE_ECC */
+#ifdef HAVE_FFDHE_2048
+		WOLFSSL_FFDHE_2048,
+#endif
+#ifdef HAVE_FFDHE_3072
+		WOLFSSL_FFDHE_3072,
+#endif
+#ifdef HAVE_FFDHE_4096
+		WOLFSSL_FFDHE_4096,
+#endif
+#ifdef HAVE_FFDHE_6144
+		WOLFSSL_FFDHE_6144,
+#endif
+#ifdef HAVE_FFDHE_8192
+		WOLFSSL_FFDHE_8192,
+#endif
+	};
+	size_t i;
+
+	for (i = 0; i < ARRAY_SIZE(curves); ++i) {
+		if (wolfSSL_CTX_UseSupportedCurve(ctx, curves[i]) !=
+				WOLFSSL_SUCCESS) {
+			return false;
+		}
+	}
+
+	return true;
+}
+#endif  /* HAVE_SUPPORTED_CURVES */
+
 static int
 connect_socket(const char *host, const char *port)
 {
@@ -247,6 +343,13 @@ s_client(int argc, char **argv)
 #else
 	(void) servername;
 #endif
+#ifdef HAVE_SUPPORTED_CURVES
+	if (use_curves(ctx) == false) {
+		fputs("Out of memory\n", stderr);
+		ret = EXIT_FAILURE;
+		goto ctx_free;
+	}
+#endif
 
 	ssl = wolfSSL_new(ctx);
 	if (ssl == NULL) {
--
cgit v0.9.1