From cf5c88d07b44ad7c6b8702e7afb387fd8c13c3d3 Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Thu, 17 Mar 2016 14:45:42 -0400
Subject: Client must verify that the server sent an ECC curve which policy accepts.
Otherwise a MITM who can in real time break any supported ECC curve can downgrade us.
---
 src/lib/tls/msg_client_kex.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/lib/tls/msg_client_kex.cpp')
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp
index 4bec9f3be..d7689df45 100644
--- a/src/lib/tls/msg_client_kex.cpp
+++ b/src/lib/tls/msg_client_kex.cpp
@@ -148,6 +148,12 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
 if(name == "") throw Decoding_Error("Server sent unknown named curve " + std::to_string(curve_id));
+ if(!policy.allowed_ecc_curve(name))
+ {
+ throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
+ "Server sent ECC curve prohibited by policy");
+ }
+
 EC_Group group(name);
 std::vector ecdh_key = reader.get_range(1, 1, 255);
--
cgit v1.2.3
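Review bot: The new `allowed_ecc_curve` check carries no comment explaining why it is needed in addition to the unknown-curve check just above it; the downgrade rationale lives only in the commit message, and a later reader may take the policy check for a redundant lookup. Suggest placing `// A known curve may still be one the policy forbids; rejecting it here stops a MITM from downgrading the handshake to a weaker curve the client would otherwise accept` directly above the added `if`. The enclosing Client_Key_Exchange constructor begins and ends outside this hunk, so I cannot see whether server-chosen parameters in the non-ECC key-exchange branch receive an equivalent policy check; if they do not, the same downgrade concern applies there. The commit also adds no test in which the server names a known but policy-disallowed curve and the client is asserted to raise the HANDSHAKE_FAILURE alert, which would keep this check from regressing silently.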