diff options
author | Jack Lloyd <[email protected]> | 2017-01-06 10:32:09 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-01-06 10:32:09 -0500 |
commit | 4bf0ef759c87225deb97a39580f25450a87d6cc7 (patch) | |
tree | 8525cbc3a569393b1812ae02db6aa194bbd86314 | |
parent | 4fd8c78d79492855f131c0d1bc005812a557cbf0 (diff) | |
parent | 17dd8d9eb0072d94d082b21803a1906141ea7a28 (diff) |
Merge GH #814 Avoid negotiating CECPQ1 if x25519 ECC is disabled
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 1fff936fa..60f8957c0 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -417,12 +417,22 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version, continue; } + /* + CECPQ1 always uses x25519 for ECDH, so treat the applications + removal of x25519 from the ECC curve list as equivalent to + saying they do not trust CECPQ1 + */ + if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false) + continue; + // OK, consider it ciphersuites.push_back(suite); } if(ciphersuites.empty()) + { throw Exception("Policy does not allow any available cipher suite"); + } Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs); std::sort(ciphersuites.begin(), ciphersuites.end(), order); |