From ea7945a4f52d0c331e9f1ca4d6fcf86caaa5d69b Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 4 Jan 2021 15:24:54 +0100
Subject: [PATCH] wolfssl: Disable ECC curves based on minimum ECC key size

wolfSSL 4.6.0 provides a new option to configure the minimum ECC key size (--with-eccminsz), which currently defaults to 224 bits.
---
 .../plugins/wolfssl/wolfssl_plugin.c | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
index 8c0cbdcac8..6602730613 100644
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
@@ -194,32 +194,41 @@ METHOD(plugin_t, get_features, int,
 #ifdef HAVE_ECC_DHE
 /* EC DH groups */
 PLUGIN_REGISTER(DH, wolfssl_ec_diffie_hellman_create),
- #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+ #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 256)
 PLUGIN_PROVIDE(DH, ECP_256_BIT),
 #endif
- #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 384)
 PLUGIN_PROVIDE(DH, ECP_384_BIT),
 #endif
- #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 521)
 PLUGIN_PROVIDE(DH, ECP_521_BIT),
 #endif
- #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 224)
 PLUGIN_PROVIDE(DH, ECP_224_BIT),
 #endif
- #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 192)
 PLUGIN_PROVIDE(DH, ECP_192_BIT),
 #endif
 #ifdef HAVE_ECC_BRAINPOOL
- #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+ #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 256)
 PLUGIN_PROVIDE(DH, ECP_256_BP),
 #endif
- #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 384)
 PLUGIN_PROVIDE(DH, ECP_384_BP),
 #endif
- #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 512)
 PLUGIN_PROVIDE(DH, ECP_512_BP),
 #endif
- #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+ #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \
+ (!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= 224)
 PLUGIN_PROVIDE(DH, ECP_224_BP),
 #endif
 #endif

-- 
2.47.2
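Review bot: The `!defined(ECC_MIN_KEY_SZ)` half of each new guard makes the gate degrade silently: if wolfSSL's options/settings header is not included before `get_features` (the includes sit above the hunk, outside it), or a pre-4.6.0 wolfSSL is in use, every curve is advertised again with no build-time signal, so the first guard deserves a comment stating that dependency, e.g. `/* ECC_MIN_KEY_SZ is set by wolfSSL's build (--with-eccminsz, default 224 since 4.6.0); groups below it are not advertised because wolfSSL would reject the keys and the exchange would only fail at negotiation time */`. The nine-fold repetition of `(!defined(ECC_MIN_KEY_SZ) || ECC_MIN_KEY_SZ <= N)` with a `\` continuation could instead be a single locally defined fallback value so each guard reads as one comparison and the "undefined means no minimum" choice is written once. If this function also registers EC key generation or ECDSA signature features for the same curves (presumably further down, not visible in the hunk), they are not gated the same way and would still be offered for curves wolfSSL refuses. `get_features` continues outside the hunk on both sides.
```c
/* ECC_MIN_KEY_SZ is set by wolfSSL's build (--with-eccminsz, default 224
 * since 4.6.0); treat "not defined" as "no minimum" exactly once here. */
#ifdef ECC_MIN_KEY_SZ
#define WOLFSSL_PLUGIN_ECC_MIN_SZ ECC_MIN_KEY_SZ
#else
#define WOLFSSL_PLUGIN_ECC_MIN_SZ 0
#endif
/* … unchanged: PLUGIN_REGISTER(DH, ...) … */
	#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && WOLFSSL_PLUGIN_ECC_MIN_SZ <= 256
				PLUGIN_PROVIDE(DH, ECP_256_BIT),
	#endif
/* … unchanged: the remaining curve guards follow the same single-line pattern … */
```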