Avoid negotiating CECPQ1 if x25519 ECC is disabled

author: Jack Lloyd <[email protected]> 2017-01-05 16:07:42 -0500
committer: Jack Lloyd <[email protected]> 2017-01-05 16:07:42 -0500
commit: 17dd8d9eb0072d94d082b21803a1906141ea7a28 (patch)
tree: 33183aab15925db65ebd8cdcc9e7340d9cd61873 /src/lib/tls/tls_policy.cpp
parent: 18543d2b27c37f7a4440cdaf55129a0cf2db4cfb (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 1fff936fa..60f8957c0 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -417,12 +417,22 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
             continue;
          }
 
+      /*
+      CECPQ1 always uses x25519 for ECDH, so treat the applications
+      removal of x25519 from the ECC curve list as equivalent to
+      saying they do not trust CECPQ1
+      */
+      if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
+         continue;
+
       // OK, consider it
       ciphersuites.push_back(suite);
       }
 
    if(ciphersuites.empty())
+      {
       throw Exception("Policy does not allow any available cipher suite");
+      }
 
    Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
    std::sort(ciphersuites.begin(), ciphersuites.end(), order);
author	Jack Lloyd <[email protected]>	2017-01-05 16:07:42 -0500
committer	Jack Lloyd <[email protected]>	2017-01-05 16:07:42 -0500
commit	17dd8d9eb0072d94d082b21803a1906141ea7a28 (patch)
tree	33183aab15925db65ebd8cdcc9e7340d9cd61873 /src/lib/tls/tls_policy.cpp
parent	18543d2b27c37f7a4440cdaf55129a0cf2db4cfb (diff)