aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorRenĂ© Korthaus <[email protected]>2017-10-20 17:59:08 +0200
committerRenĂ© Korthaus <[email protected]>2017-10-20 17:59:08 +0200
commit558b66b0d56879f9b204266d08e661ff90667d20 (patch)
tree9388db19a18b35da59203d90f08993931d982cce /src/lib
parent85c97aa989e93861f1623ac05fc4f8c7610f976d (diff)
Remove check for negotiated DH group in TLS client
The server may not support the supported groups extension and choose an arbitrary group. RFC 7919 permits clients to continue if the group is acceptable under local policy, which we do now.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/tls/msg_client_kex.cpp29
1 files changed, 0 insertions, 29 deletions
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp
index 1c3950a03..3291b6eb5 100644
--- a/src/lib/tls/msg_client_kex.cpp
+++ b/src/lib/tls/msg_client_kex.cpp
@@ -101,35 +101,6 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
throw Decoding_Error("Bad params size for DH key exchange");
/*
- * If we offer ffdhe groups in the client hello,
- * p and g must match one of these groups.
- */
- std::vector<std::string> allowed_groups = policy.allowed_groups();
- bool server_sent_requested_group = false;
-
- if(!allowed_groups.empty())
- {
- for(const auto& allowed_group : allowed_groups)
- {
- if(Supported_Groups::is_dh_group(allowed_group))
- {
- DL_Group client_group(allowed_group);
- if(client_group.get_p() == p && client_group.get_g() == g)
- {
- server_sent_requested_group = true;
- break;
- }
- }
- }
- }
-
- if(!server_sent_requested_group)
- {
- throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
- "Server sent unexpected DH key for DHE exchange");
- }
-
- /*
* A basic check for key validity. As we do not know q here we
* cannot check that Y is in the right subgroup. However since
* our key is ephemeral there does not seem to be any