diff options
author | Matt Caswell <matt@openssl.org> | 2018-03-12 17:15:25 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-03-28 15:08:09 +0100 |
commit | dcf8b01f44c4dc5f76ea72093261b61d8a34601b (patch) | |
tree | ab748a631c3d4c11978653019c6b6dfe9585ef68 /ssl/statem/statem_clnt.c | |
parent | 7814cdf3ebc0bae649cc46f279ac4e4369d309de (diff) |
Tolerate a Certificate using a non-supported group on server side
If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.
Fixes #2033
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5601)
Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r-- | ssl/statem/statem_clnt.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e940fc8e98..29db4bc3f2 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2192,7 +2192,8 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) * Check curve is named curve type and one of our preferences, if not * server has sent an invalid curve. */ - if (curve_type != NAMED_CURVE_TYPE || !tls1_check_group_id(s, curve_id)) { + if (curve_type != NAMED_CURVE_TYPE + || !tls1_check_group_id(s, curve_id, 1)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE); return 0; |