[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon Mar 23 14:08:30 UTC 2015
The branch master has been updated
via b79d24101e3b5904b3770d60e32bdd6edc558337 (commit)
from 4fe67498b0d1c0052fabcc46d6de07d7900aa850 (commit)
- Log -----------------------------------------------------------------
commit b79d24101e3b5904b3770d60e32bdd6edc558337
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 20 15:10:16 2015 +0000
Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).
Reviewed-by: Emilia Käsper <emilia at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/t1_lib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8b75dba..511223e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -706,6 +706,16 @@ static int tls1_check_ec_key(SSL *s,
for (j = 0; j <= 1; j++) {
if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
return 0;
+ if (j == 1 && num_curves == 0) {
+ /*
+ * If we've not received any curves then skip this check.
+ * RFC 4492 does not require the supported elliptic curves extension
+ * so if it is not sent we can just choose any curve.
+ * It is invalid to send an empty list in the elliptic curves
+ * extension, so num_curves == 0 always means no extension.
+ */
+ break;
+ }
for (i = 0; i < num_curves; i++, pcurves += 2) {
if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
break;
More information about the openssl-commits
mailing list