Commit 3c06513f authored by Kurt Roeckx

Allow all curves when the client doesn't send a supported elliptic curves extension



At least in the case of SSLv3 we can't send an extension.

Reviewed-by: Matt Caswell <matt@openssl.org>
MR #811
parent 9c422b5b
+14 −0
@@ -555,6 +555,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
        (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
         &num_pref))
        return nmatch == -1 ? 0 : NID_undef;

    /*
     * If the client didn't send the elliptic_curves extension all of them
     * are allowed.
     */
    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
        supp = eccurves_all;
        num_supp = sizeof(eccurves_all) / 2;
    } else if (num_pref == 0 &&
        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
        pref = eccurves_all;
        num_pref = sizeof(eccurves_all) / 2;
    }

    k = 0;
    for (i = 0; i < num_pref; i++, pref += 2) {
        const unsigned char *tsupp = supp;
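Review bot: In the `else if` branch (SSL_OP_CIPHER_SERVER_PREFERENCE unset), substituting `eccurves_all` for the empty client list makes the fixed ordering of `eccurves_all` decide the negotiated curve, because the loop `for (i = 0; i < num_pref; i++, pref += 2)` walks `pref` and takes the first entry also present in `supp` (here the server's own list). A client that sent no extension has expressed no preference, so the server's configured order would be the better tie-break; consider iterating the server list in that case (or treating "client sent nothing" as "server preference applies") rather than relying on the static order of `eccurves_all`. Two smaller points: the new comment says the extension's absence allows all curves unconditionally, while the commit message motivates the change only for SSLv3 clients, so the comment should state that the fallback applies to any client that omits the extension, with SSLv3 as the case that cannot send one; and `sizeof(eccurves_all) / 2` is repeated with a bare `2` for the two-byte curve id pairs, which a named macro or shared helper for the entry count would make self-describing.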