aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-01-06 10:32:09 -0500
committerJack Lloyd <[email protected]>2017-01-06 10:32:09 -0500
commit4bf0ef759c87225deb97a39580f25450a87d6cc7 (patch)
tree8525cbc3a569393b1812ae02db6aa194bbd86314
parent4fd8c78d79492855f131c0d1bc005812a557cbf0 (diff)
parent17dd8d9eb0072d94d082b21803a1906141ea7a28 (diff)
Merge GH #814 Avoid negotiating CECPQ1 if x25519 ECC is disabled
-rw-r--r--src/lib/tls/tls_policy.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 1fff936fa..60f8957c0 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -417,12 +417,22 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
continue;
}
+ /*
+ CECPQ1 always uses x25519 for ECDH, so treat the applications
+ removal of x25519 from the ECC curve list as equivalent to
+ saying they do not trust CECPQ1
+ */
+ if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
+ continue;
+
// OK, consider it
ciphersuites.push_back(suite);
}
if(ciphersuites.empty())
+ {
throw Exception("Policy does not allow any available cipher suite");
+ }
Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
std::sort(ciphersuites.begin(), ciphersuites.end(), order);