-rw-r--r-- | src/lib/tls/msg_client_kex.cpp | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 5 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 2 |
3 files changed, 13 insertions, 0 deletions
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp
index 4bec9f3be..d7689df45 100644
--- a/src/lib/tls/msg_client_kex.cpp
+++ b/src/lib/tls/msg_client_kex.cpp
@@ -148,6 +148,12 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
 if(name == "")
 throw Decoding_Error("Server sent unknown named curve " + std::to_string(curve_id));
+ if(!policy.allowed_ecc_curve(name))
+ {
+ throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
+ "Server sent ECC curve prohibited by policy");
+ }
+
 EC_Group group(name);
 std::vector<byte> ecdh_key = reader.get_range<byte>(1, 1, 255);
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index be4c61b16..f88860a71 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -109,6 +109,11 @@ std::vector<std::string> Policy::allowed_ecc_curves() const
 };
 }
+bool Policy::allowed_ecc_curve(const std::string& curve) const
+ {
+ return value_exists(allowed_ecc_curves(), curve);
+ }
+
 /*
 * Choose an ECC curve to use
 */
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 769bb8eeb..f8262cdee 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -64,6 +64,8 @@ class BOTAN_DLL Policy
 */
 virtual std::vector<std::string> allowed_ecc_curves() const;
+ bool allowed_ecc_curve(const std::string& curve) const;
+
 /**
 * Returns a list of compression algorithms we are willing to use,
 * in order of preference. Allowed values any value of |
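Review bot: The new guard before `EC_Group group(name)` tests the server's curve against `policy.allowed_ecc_curves()` as evaluated at this point in the handshake, not against the list the client actually sent in its hello. The two agree only if the hello was built from the same policy and the policy returns a stable list, neither of which is visible in this hunk. A comment would record the intent, e.g. `// The server must pick a curve we offered; reject any known curve the policy does not allow`. None of the three changed files is a test, so a handshake test in which the server selects a curve outside the client policy would pin the new failure path. The constructor starts and ends outside the hunk.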
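Review bot: `Policy::allowed_ecc_curve` has no comment saying that membership is decided by comparing the name with the strings returned by `allowed_ecc_curves()`. That matters for applications that override the list: a curve spelled differently from the name the curve-id lookup produces would now fail the handshake instead of being silently accepted. I would add above the definition `// Membership test against allowed_ecc_curves(); names must match the TLS named-curve strings exactly`. `value_exists` is defined outside this hunk, so the exact-match behaviour is assumed and should be confirmed.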
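Review bot: The new declaration `bool allowed_ecc_curve(const std::string& curve) const;` is the only member visible here without a doc comment, and unlike `allowed_ecc_curves()` it is not virtual. Keeping the predicate tied to the list is reasonable for a security check, but it should be stated so that policy authors override the list rather than expect to override this function. Proposed: `/** Return true if curve is in allowed_ecc_curves(); not virtual, override the list to change the result */`. The class body continues outside the hunk.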