From: Kurt Roeckx Date: Sat, 30 May 2015 17:20:12 +0000 (+0200) Subject: Allow all curves when the client doesn't send a supported elliptic curves extension X-Git-Tag: OpenSSL_1_0_2b~28 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ba9d44b28d312138fefcdc5fc0d499d49a4dca41;p=oweals%2Fopenssl.git Allow all curves when the client doesn't send a supported elliptic curves extension At least in the case of SSLv3 we can't send an extension. Reviewed-by: Matt Caswell MR #811 (cherry picked from commit 3c06513f3833d4692f620e2c03d7a840871c08a7) --- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index bf11f93e62..a398501e24 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -593,6 +593,20 @@ int tls1_shared_curve(SSL *s, int nmatch) (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref)) return nmatch == -1 ? 0 : NID_undef; + + /* + * If the client didn't send the elliptic_curves extension all of them + * are allowed. + */ + if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) { + supp = eccurves_all; + num_supp = sizeof(eccurves_all) / 2; + } else if (num_pref == 0 && + (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) { + pref = eccurves_all; + num_pref = sizeof(eccurves_all) / 2; + } + k = 0; for (i = 0; i < num_pref; i++, pref += 2) { const unsigned char *tsupp = supp;
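Review bot: the two new `if` arms in the tls1_shared_curve hunk re-test SSL_OP_CIPHER_SERVER_PREFERENCE to work out whether the client's (possibly empty) list landed in `supp` or in `pref`, duplicating the `!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)` decision made in the tls1_get_curvelist call just above; deciding once (for example a local such as `client_list_is_supp`) and then substituting `eccurves_all` into whichever pointer/count pair holds the empty client list would remove the duplicated option test and keep the two branches from drifting apart. `sizeof(eccurves_all) / 2` also silently encodes the two-bytes-per-curve layout that the loop below depends on via `pref += 2` (and the matching walk of `tsupp`); a one-line comment, or a shared count constant, would make that coupling explicit. Finally, the block comment only says "all of them are allowed"; it should carry the rationale from the commit message (an SSLv3 client cannot send the extension at all) and make clear that the server will then select from every curve in `eccurves_all`, so a client that omitted the extension may be handed a curve it never advertised, which is the security-relevant consequence a reader of this function should see without consulting the commit log.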