From: Nikos Mavrogiannopoulos Date: Fri, 20 May 2011 19:07:31 +0000 (+0200) Subject: client side ECC fixes. X-Git-Tag: gnutls_2_99_2~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14cdffd508a834f0df1935732455c40432ad36b0;p=thirdparty%2Fgnutls.git client side ECC fixes. --- diff --git a/lib/auth/ecdh_common.c b/lib/auth/ecdh_common.c index 555ab4f9ef..502396d1b0 100644 --- a/lib/auth/ecdh_common.c +++ b/lib/auth/ecdh_common.c @@ -151,6 +151,8 @@ _gnutls_proc_ecdh_common_server_kx (gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); + _gnutls_session_ecc_curve_set(session, curve); + DECR_LEN (data_size, 1); point_size = data[i]; i+=1; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 0e11c2fcd1..759987463d 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -3344,6 +3344,15 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session, if (server) delete = check_server_params (session, kx, alg, alg_size); } + + /* If we have not agreed to a common curve with the peer don't bother + * negotiating ECDH. + */ + if (session->security_parameters.entity == GNUTLS_SERVER && (kx == GNUTLS_KX_ANON_ECDH)) + { + if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID) + delete = 1; + } /* These two SRP kx's are marked to require a CRD_CERTIFICATE, (see cred_mappings in gnutls_algorithms.c), but it also diff --git a/src/common.c b/src/common.c index ef537c36d3..3dfea1bb07 100644 --- a/src/common.c +++ b/src/common.c @@ -410,7 +410,8 @@ print_info (gnutls_session_t session, const char *hostname, int insecure) { #ifdef ENABLE_ANON case GNUTLS_CRD_ANON: - print_dh_info (session, "Anonymous "); + if (kx != GNUTLS_KX_ANON_ECDH) + print_dh_info (session, "Anonymous "); break; #endif #ifdef ENABLE_SRP