Allow all curves when the client doesn't send an supported elliptic curves extension At least in the case of SSLv3 we can't send an extention. Reviewed-by: Matt Caswell <matt@openssl.org> MR #811

commit: 3c06513f3833d4692f620e2c03d7a840871c08a7 [log] [tgz]
author: Kurt Roeckx <kurt@roeckx.be> Sat May 30 19:20:12 2015 +0200
committer: Kurt Roeckx <kurt@roeckx.be> Thu Jun 04 20:48:52 2015 +0200
tree: 0094a547ae42bd3e8b9a21f71a28a78e7d6a16fd
parent: 9c422b5b1ebc9871a7306f66648aa16c8769082a [diff] [blame]
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a161dcc..0420fe3 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -555,6 +555,20 @@
         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
          &num_pref))
         return nmatch == -1 ? 0 : NID_undef;
+
+    /*
+     * If the client didn't send the elliptic_curves extension all of them
+     * are allowed.
+     */
+    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
+        supp = eccurves_all;
+        num_supp = sizeof(eccurves_all) / 2;
+    } else if (num_pref == 0 &&
+        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
+        pref = eccurves_all;
+        num_pref = sizeof(eccurves_all) / 2;
+    }
+
     k = 0;
     for (i = 0; i < num_pref; i++, pref += 2) {
         const unsigned char *tsupp = supp;
commit	3c06513f3833d4692f620e2c03d7a840871c08a7	[log] [tgz]
author	Kurt Roeckx <kurt@roeckx.be>	Sat May 30 19:20:12 2015 +0200
committer	Kurt Roeckx <kurt@roeckx.be>	Thu Jun 04 20:48:52 2015 +0200
tree	0094a547ae42bd3e8b9a21f71a28a78e7d6a16fd
parent	9c422b5b1ebc9871a7306f66648aa16c8769082a [diff] [blame]