generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Allow all curves when the client doesn't send an supported elliptic curves extension

Browse Source 
At least in the case of SSLv3 we can't send an extention.

Reviewed-by: Matt Caswell <matt@openssl.org>
MR #811

(cherry picked from commit 3c06513f38)
This commit is contained in:
Kurt Roeckx
2015-05-30 19:20:12 +02:00
parent da5fab7325
commit ba9d44b28d
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
ssl/t1_lib.c
View File

@@ -593,6 +593,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
&num_pref)) &num_pref))
return nmatch == -1 ? 0 : NID_undef; return nmatch == -1 ? 0 : NID_undef;
/*
* If the client didn't send the elliptic_curves extension all of them
* are allowed.
*/
if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
supp = eccurves_all;
num_supp = sizeof(eccurves_all) / 2;
} else if (num_pref == 0 &&
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
pref = eccurves_all;
num_pref = sizeof(eccurves_all) / 2;
}
k = 0; k = 0;
for (i = 0; i < num_pref; i++, pref += 2) { for (i = 0; i < num_pref; i++, pref += 2) {
const unsigned char *tsupp = supp; const unsigned char *tsupp = supp;