author | Ingela Anderton Andin <[email protected]> | 2014-03-14 15:06:58 +0100 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2014-03-14 15:39:22 +0100 |
commit | ebfd862f47611fa17be72cad1afcd6a13f14bc4d (patch) | |
tree | 84d9bf768b74b16b1fa0b250a0abd391e1b1d1c3 /lib/ssl/src/ssl_handshake.erl | |
parent | 6d2f4bb8fd96049a18cc6b123db4a28bad9ef73a (diff) | |
ssl: Server now ignores client ECC curves that it does not support instead of
crashing.
When TLS client sends Supported Elliptic Curves Client Hello Extension
the server shall select a curve supported by both sides or refuse to
negotiate the use of an ECC cipher suite.
Diffstat (limited to 'lib/ssl/src/ssl_handshake.erl')
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 245cd3e280..74ca7ca699 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1654,7 +1654,16 @@ dec_hello_extensions(<<?UINT16(?SIGNATURE_ALGORITHMS_EXT), ?UINT16(Len),
 dec_hello_extensions(<<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len),
 ExtData:Len/binary, Rest/binary>>, Acc) ->
 <<?UINT16(_), EllipticCurveList/binary>> = ExtData,
- EllipticCurves = [tls_v1:enum_to_oid(X) || <<X:16>> <= EllipticCurveList],
+ %% Ignore unknown curves
+ Pick = fun(Enum) ->
+ case tls_v1:enum_to_oid(Enum) of
+ undefined ->
+ false;
+ Oid ->
+ {true, Oid}
+ end
+ end,
+ EllipticCurves = lists:filtermap(Pick, [ECC || <<ECC:16>> <= EllipticCurveList]),
 dec_hello_extensions(Rest, Acc#hello_extensions{elliptic_curves =
 #elliptic_curves{elliptic_curve_list =
 EllipticCurves}}); |
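Review bot: When a client offers only curves this server does not know, the filter leaves `EllipticCurves` as `[]`, and that empty list is stored in `#elliptic_curves{}` just as a real offer would be. The curve-selection code is outside this hunk, so please confirm that it treats `[]` as "no shared curve, refuse ECC suites" rather than like a missing extension, where the server might pick a curve the client never listed. I would widen the comment to `%% Ignore unknown curves; an empty result means no shared curve, not "extension absent"` and add a test whose ClientHello carries only unsupported curve ids. The `undefined` branch also relies on `tls_v1:enum_to_oid/1` having a catch-all clause, which this file-limited view does not show. Separately, the inner list length is still discarded by `?UINT16(_)` and the `<<ECC:16>>` generator silently drops a trailing odd byte, so a malformed list is accepted rather than rejected; the other clauses of dec_hello_extensions lie outside the hunk.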