wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow all curves when the client doesn't send an supported elliptic curves extension

Browse source 
At least in the case of SSLv3 we can't send an extention.

Reviewed-by: Matt Caswell <matt@openssl.org>
MR #811
This commit is contained in:
Kurt Roeckx 2015-05-30 19:20:12 +02:00
parent 9c422b5b1e
commit 3c06513f38
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ssl/t1_lib.c
View file

@ -555,6 +555,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
&num_pref))
return nmatch == -1 ? 0 : NID_undef;
/*
* If the client didn't send the elliptic_curves extension all of them
* are allowed.
*/
if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
supp = eccurves_all;
num_supp = sizeof(eccurves_all) / 2;
} else if (num_pref == 0 &&
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
pref = eccurves_all;
num_pref = sizeof(eccurves_all) / 2;
}
k = 0;
for (i = 0; i < num_pref; i++, pref += 2) {
const unsigned char *tsupp = supp;