Commit ba9d44b2 authored by Kurt Roeckx

Allow all curves when the client doesn't send a supported elliptic curves extension



At least in the case of SSLv3 we can't send an extension.

Reviewed-by: Matt Caswell <matt@openssl.org>
MR #811

(cherry picked from commit 3c06513f)
parent da5fab73
+14 −0
@@ -593,6 +593,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
        (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
         &num_pref))
        return nmatch == -1 ? 0 : NID_undef;

    /*
     * If the client didn't send the elliptic_curves extension all of them
     * are allowed.
     */
    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
        supp = eccurves_all;
        num_supp = sizeof(eccurves_all) / 2;
    } else if (num_pref == 0 &&
        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
        pref = eccurves_all;
        num_pref = sizeof(eccurves_all) / 2;
    }

    k = 0;
    for (i = 0; i < num_pref; i++, pref += 2) {
        const unsigned char *tsupp = supp;
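Review bot: the new block uses an empty list (`num_supp == 0` / `num_pref == 0`) as the signal that the client sent no elliptic_curves extension, so a client that did send the extension with zero entries would also be granted every curve in `eccurves_all`; either confirm that an empty extension is rejected at parse time or say so in the comment, which currently only states "didn't send the elliptic_curves extension" and omits the SSLv3 rationale from the commit message. Two smaller points on the same lines: `sizeof(eccurves_all) / 2` hard-codes the two-byte entry size of the table (a named count or a `sizeof(eccurves_all[0])`-style expression would not silently break if the entry layout changes), and the two branches duplicate the same substitution with the `SSL_OP_CIPHER_SERVER_PREFERENCE` test inverted, which could be folded into the single point above where `pref`/`supp` are assigned; the continuation line `(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {` is also indented one level short of the surrounding style.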