Merge GH #814 Avoid negotiating CECPQ1 if x25519 ECC is disabled

author: Jack Lloyd <[email protected]> 2017-01-06 10:32:09 -0500
committer: Jack Lloyd <[email protected]> 2017-01-06 10:32:09 -0500
commit: 4bf0ef759c87225deb97a39580f25450a87d6cc7 (patch)
tree: 8525cbc3a569393b1812ae02db6aa194bbd86314 /src/lib/tls
parent: 4fd8c78d79492855f131c0d1bc005812a557cbf0 (diff)
parent: 17dd8d9eb0072d94d082b21803a1906141ea7a28 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 1fff936fa..60f8957c0 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -417,12 +417,22 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
             continue;
          }
 
+      /*
+      CECPQ1 always uses x25519 for ECDH, so treat the applications
+      removal of x25519 from the ECC curve list as equivalent to
+      saying they do not trust CECPQ1
+      */
+      if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
+         continue;
+
       // OK, consider it
       ciphersuites.push_back(suite);
       }
 
    if(ciphersuites.empty())
+      {
       throw Exception("Policy does not allow any available cipher suite");
+      }
 
    Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
    std::sort(ciphersuites.begin(), ciphersuites.end(), order);
author	Jack Lloyd <[email protected]>	2017-01-06 10:32:09 -0500
committer	Jack Lloyd <[email protected]>	2017-01-06 10:32:09 -0500
commit	4bf0ef759c87225deb97a39580f25450a87d6cc7 (patch)
tree	8525cbc3a569393b1812ae02db6aa194bbd86314 /src/lib/tls
parent	4fd8c78d79492855f131c0d1bc005812a557cbf0 (diff)
parent	17dd8d9eb0072d94d082b21803a1906141ea7a28 (diff)