-rw-r--r-- | lib/auth/ecdh_common.c | 2 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 9 | ||||
-rw-r--r-- | src/common.c | 3 |
3 files changed, 13 insertions, 1 deletions
diff --git a/lib/auth/ecdh_common.c b/lib/auth/ecdh_common.c
index 555ab4f9ef..502396d1b0 100644
--- a/lib/auth/ecdh_common.c
+++ b/lib/auth/ecdh_common.c
@@ -151,6 +151,8 @@ _gnutls_proc_ecdh_common_server_kx (gnutls_session_t session,
 if (ret < 0)
 return gnutls_assert_val(ret);
+ _gnutls_session_ecc_curve_set(session, curve);
+
 DECR_LEN (data_size, 1);
 point_size = data[i];
 i+=1;
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 0e11c2fcd1..759987463d 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -3344,6 +3344,15 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
 if (server)
 delete = check_server_params (session, kx, alg, alg_size);
 }
+
+ /* If we have not agreed to a common curve with the peer don't bother
+ * negotiating ECDH.
+ */
+ if (session->security_parameters.entity == GNUTLS_SERVER && (kx == GNUTLS_KX_ANON_ECDH))
+ {
+ if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID)
+ delete = 1;
+ }
 /* These two SRP kx's are marked to require a CRD_CERTIFICATE, (see cred_mappings in gnutls_algorithms.c), but it also
diff --git a/src/common.c b/src/common.c
index ef537c36d3..3dfea1bb07 100644
--- a/src/common.c
+++ b/src/common.c
@@ -410,7 +410,8 @@ print_info (gnutls_session_t session, const char *hostname, int insecure)
 {
 #ifdef ENABLE_ANON
 case GNUTLS_CRD_ANON:
- print_dh_info (session, "Anonymous ");
+ if (kx != GNUTLS_KX_ANON_ECDH)
+ print_dh_info (session, "Anonymous ");
 break;
 #endif
 #ifdef ENABLE_SRP |
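Review bot: The added `_gnutls_session_ecc_curve_set(session, curve);` in `_gnutls_proc_ecdh_common_server_kx` stores a curve in session state with no comment saying what validated it. The function name and the `data[i]` reads suggest `curve` is parsed from the peer's key-exchange message. The only guard visible is `if (ret < 0) return gnutls_assert_val(ret);` just above, and the call that sets `ret` is outside the hunk, so confirm it is the supported-curve check and say so, e.g. `/* curve passed the check above; record it as the session's negotiated curve */`. The value is also recorded before the point length and point that follow are parsed, so a handshake that fails on those fields still leaves it set; that is presumably harmless because the handshake is abandoned, but it should be a deliberate choice.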
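Review bot: The new guard in `_gnutls_remove_unwanted_ciphersuites` drops only `GNUTLS_KX_ANON_ECDH` when no curve was agreed, although its comment speaks of ECDH in general. `GNUTLS_KX_ECDHE_RSA` and `GNUTLS_KX_ECDHE_ECDSA` need a common curve just as much, so unless `check_server_params` (body not shown) already rejects them, a server could still select one of those suites and fail later in the key exchange. Consider widening the test to `(kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA)`. The lines just above test a `server` flag; if it has the same meaning, the condition could reuse it instead of re-reading `session->security_parameters.entity`, and the nested `if` can be folded into a single condition. The function begins and ends outside the hunk.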
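Review bot: With `GNUTLS_KX_ANON_ECDH` the `GNUTLS_CRD_ANON` case in `print_info` now prints nothing about the key exchange, so the tool's user cannot see which curve an unauthenticated anonymous session ended up on. An `else` branch could report it, for example `else printf ("- Anonymous ECDH using curve %s\n", gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session)));` (the message text is only a suggestion). `kx` is declared outside the hunk, so check that it is assigned before this `switch` on every path. A one-line comment such as `/* ANON_ECDH has no DH group or prime to print */` would also explain the exclusion.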