From: Martin Willi
Date: Fri, 3 Sep 2010 16:24:03 +0000 (+0200)
Subject: Do not propose (EC)DHE suites if we do not support them
X-Git-Tag: 4.5.0~220
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e68c1cfdc31891d74789390c5834b762a705783;p=thirdparty%2Fstrongswan.git

Do not propose (EC)DHE suites if we do not support them
---
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 2fb5a1feb6..49ee88defe 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -625,7 +625,9 @@ static void filter_suite(private_tls_crypto_t *this,
 !current.encr || current.encr == suites[i].encr) &&
 (!current.mac || current.mac == suites[i].mac) &&
 (!current.prf || current.prf == suites[i].prf) &&
- (!current.hash || current.hash == suites[i].hash))
+ (!current.hash || current.hash == suites[i].hash) &&
+ (suites[i].dh == MODP_NONE ||
+ !current.dh || current.dh == suites[i].dh))
 {
 suites[remaining] = suites[i];
 remaining++;
@@ -712,6 +714,8 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
 lib->crypto->create_prf_enumerator);
 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
 lib->crypto->create_hasher_enumerator);
+ filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
+ lib->crypto->create_dh_enumerator);
 free(this->suites);
 this->suite_count = count;
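Review bot: The added `dh` clause has an unconditional escape, `suites[i].dh == MODP_NONE ||`, that the visible `mac`, `prf` and `hash` clauses do not have, and nothing on the line says why. Every suite without a DH group therefore passes whatever the DH enumerator reports. I would put a comment directly above the clause, `/* suites with dh == MODP_NONE do no DH exchange and are kept regardless of the registered groups */`. The `if` and the rest of filter_suite start and end outside this hunk, so the first condition of the expression cannot be checked from here.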
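Review bot: Nothing records that the new `filter_suite(..., offsetof(suite_algs_t, dh), lib->crypto->create_dh_enumerator)` pass has dropped the forward-secret (EC)DHE suites, which is what happens when no DH implementation is registered and only `MODP_NONE` suites remain. A comment above the call, `/* remove (EC)DHE suites whose group has no registered DH implementation */`, would document the intent. A debug message reporting the remaining `count` before `this->suite_count = count;` would let an operator tell a deliberate configuration from a missing crypto backend. The pass only checks that the group is available; whether the rest of the (EC)DHE handshake is supported cannot be seen from this hunk. build_cipher_suite_list begins and ends outside the hunk.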