Allow all curves when the client doesn't send an supported elliptic curves extension

At least in the case of SSLv3 we can't send an extention. Reviewed-by: N Matt Caswell <matt@openssl.org> MR #811

Allow all curves when the client doesn't send an supported elliptic curves extension
At least in the case of SSLv3 we can't send an extention. Reviewed-by: N Matt Caswell <matt@openssl.org> MR #811
3c06513f · Kurt Roeckx · 9c422b5b · 3c06513f
隐藏空白更改
内联并排

Showing with 14 addition and 0 deletion

ssl/t1_lib.c ssl/t1_lib.c +14 -0

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -555,6 +555,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
        (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
         &num_pref))
        return nmatch == -1 ? 0 : NID_undef;
+    /*
+     * If the client didn't send the elliptic_curves extension all of them
+     * are allowed.
+     */
+    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
+        supp = eccurves_all;
+        num_supp = sizeof(eccurves_all) / 2;
+    } else if (num_pref == 0 &&
+        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
+        pref = eccurves_all;
+        num_pref = sizeof(eccurves_all) / 2;
+    }
    k = 0;
    for (i = 0; i < num_pref; i++, pref += 2) {
        const unsigned char *tsupp = supp;