author | lloyd <[email protected]> | 2012-01-24 14:54:40 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-24 14:54:40 +0000 |
commit | 92f6a575bca25d8985aa87304e28cd63867310e2 (patch) | |
tree | 772ed25014be71f74482cef8cc55f5dd984ea765 /src/tls/tls_policy.cpp | |
parent | d0d097337d652e2205d88e0037725d4aac05eab3 (diff) |
Get the list of supported ECC curves out of the client hello, and
avoid negotiating an ECDH key exchange if the client didn't send any
curves that we know about.
Diffstat (limited to 'src/tls/tls_policy.cpp')
-rw-r--r-- | src/tls/tls_policy.cpp | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 1ef132ba0..bdcebab71 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -182,9 +182,10 @@ std::vector<byte> Policy::compression() const
 * Choose which ciphersuite to use
 */
 u16bit Policy::choose_suite(const std::vector<u16bit>& client_suites,
- bool have_rsa,
- bool have_dsa,
- bool have_srp) const
+ bool have_shared_ecc_curve,
+ bool have_rsa,
+ bool have_dsa,
+ bool have_srp) const
 {
 for(size_t i = 0; i != client_suites.size(); ++i)
 {
@@ -194,6 +195,9 @@ u16bit Policy::choose_suite(const std::vector<u16bit>& client_suites,
 if(suite.cipher_keylen() == 0)
 continue; // not a ciphersuite we know
+ if(suite.kex_algo() == "ECDH" && !have_shared_ecc_curve)
+ continue;
+
 if(suite.sig_algo() == "RSA" && have_rsa)
 return suite_id; |
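Review bot: The new `have_shared_ecc_curve` flag goes in front of three existing `bool` parameters in the `choose_suite` signature, so a call site that passes the flags in the wrong order still compiles and would pick a suite based on the wrong capability. The header comment above the function still reads only `Choose which ciphersuite to use`; it should document each flag, for example `have_shared_ecc_curve: true only if the client's curve list contains a curve this server can use`. The function body continues outside this hunk.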
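Review bot: The added `ECDH` check relies entirely on how the caller derives `have_shared_ecc_curve`, and nothing here states what is passed when the client hello carries no supported-curves extension at all. Going by the commit message, an absent extension presumably yields false; a comment above the check such as `// skip ECDH unless the client offered a curve we support (no extension counts as none)` would pin that down, to be confirmed against the caller, which is not shown. The test is also an exact match on the string `"ECDH"`, so any other EC-based key exchange name that `kex_algo()` might return would not be filtered; whether such names exist cannot be seen from this hunk. The loop body continues outside the hunk.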