[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

[Kurt Roeckx]

The branch OpenSSL_1_0_2-stable has been updated
       via  ba9d44b28d312138fefcdc5fc0d499d49a4dca41 (commit)
      from  da5fab73255c24e0b6ce8717df2441a03f504939 (commit)


- Log -----------------------------------------------------------------
commit ba9d44b28d312138fefcdc5fc0d499d49a4dca41
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Sat May 30 19:20:12 2015 +0200

    Allow all curves when the client doesn't send an supported elliptic curves extension
    
    At least in the case of SSLv3 we can't send an extention.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    MR #811
    
    (cherry picked from commit 3c06513f3833d4692f620e2c03d7a840871c08a7)

-----------------------------------------------------------------------

Summary of changes:
 ssl/t1_lib.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index bf11f93..a398501 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -593,6 +593,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
          &num_pref))
         return nmatch == -1 ? 0 : NID_undef;
+
+    /*
+     * If the client didn't send the elliptic_curves extension all of them
+     * are allowed.
+     */
+    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
+        supp = eccurves_all;
+        num_supp = sizeof(eccurves_all) / 2;
+    } else if (num_pref == 0 &&
+        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
+        pref = eccurves_all;
+        num_pref = sizeof(eccurves_all) / 2;
+    }
+
     k = 0;
     for (i = 0; i < num_pref; i++, pref += 2) {
         const unsigned char *tsupp = supp;