[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Mon Mar 23 14:08:24 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via bd891f098bdfcaa285c073ce556d0f5e27ec3a10 (commit)
from c45dfdc68a4d84c5a7c2a346ea335052cb2755a1 (commit)
- Log -----------------------------------------------------------------
commit bd891f098bdfcaa285c073ce556d0f5e27ec3a10
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 20 15:10:16 2015 +0000
Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(cherry picked from commit b79d24101e3b5904b3770d60e32bdd6edc558337)
-----------------------------------------------------------------------
Summary of changes:
ssl/t1_lib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a59fe82..3e01b6a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -763,6 +763,16 @@ static int tls1_check_ec_key(SSL *s,
for (j = 0; j <= 1; j++) {
if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
return 0;
+ if (j == 1 && num_curves == 0) {
+ /*
+ * If we've not received any curves then skip this check.
+ * RFC 4492 does not require the supported elliptic curves extension
+ * so if it is not sent we can just choose any curve.
+ * It is invalid to send an empty list in the elliptic curves
+ * extension, so num_curves == 0 always means no extension.
+ */
+ break;
+ }
for (i = 0; i < num_curves; i++, pcurves += 2) {
if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
break;
More information about the openssl-commits
mailing list