From d2f84e5670df96dc2f8e15b7fd5cd7cc32ca7283 Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Sun, 26 Nov 2017 20:54:12 -0500
Subject: Fix errors caught with tlsfuzzer

Don't send EC point format extension in server hello unless an EC suite was negotiated *and* the client sent the extension. Fix server FFDHE logic, this effectively disabled DHE ciphersuites for clients without FFDHE extension. Use unexpected_message alert in case of an unexpected message. (Previously an internal_error alert was sent.)
---
 src/lib/tls/tls_server.cpp | 7 -------
 1 file changed, 7 deletions(-)
(limited to 'src/lib/tls/tls_server.cpp')
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 9f1dfe1d1..f20e363cf 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -168,13 +168,9 @@ uint16_t choose_ciphersuite(
 const bool have_shared_ecc_curve = (policy.choose_curve(client_hello.supported_ecc_curves()) != ""); - const bool have_shared_dh_group = - (policy.choose_dh_group(client_hello.supported_dh_groups()) != ""); - /* Walk down one list in preference order */ - std::vector pref_list = server_suites; std::vector other_list = client_suites;
@@ -196,9 +192,6 @@ uint16_t choose_ciphersuite(
 if(suite.ecc_ciphersuite() && have_shared_ecc_curve == false) continue; - if(suite.kex_algo() == "DH" && have_shared_dh_group == false) - continue; - // For non-anon ciphersuites if(suite.sig_algo() != "") {
--
cgit v1.2.3
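Review bot: With both `have_shared_dh_group` tests gone (the declaration in the first hunk and the `continue` in the second), nothing visible in `choose_ciphersuite` distinguishes a client that sent no FFDHE group list from one that sent a list sharing nothing with the server policy, so a `DH` suite can apparently still be selected for the latter. RFC 7919 asks the server not to pick an FFDHE suite in that case, and whether a later step enforces it cannot be seen from here, because the page is limited to this file and the function body continues outside both hunks. If nothing does, a narrower skip would keep the fix for legacy clients: `const auto dh_groups = client_hello.supported_dh_groups();` before the loop and `if(suite.kex_algo() == "DH" && !dh_groups.empty() && policy.choose_dh_group(dh_groups) == "") continue;` inside it (assuming the accessor returns a container). Either way, a one-line comment at the suite filter stating that DH suites are deliberately not gated on the group extension would keep the old check from being re-added.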