authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-01 10:21:37 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-02 12:39:05 +0200
commite98e682a48d1431246d42352749d42e6ea744e92 (patch)
treec712aa4e10eda4cfca6fe764626f8646b4733ec7
parent394742c4ce82d07304ec0bc94825a1f8007ec8ad (diff)
downloadgnutls-e98e682a48d1431246d42352749d42e6ea744e92.tar.gz
_gnutls_figure_dh_params: do not use have_ffdhe flag
This flag is intended to indicate whether the peer has advertized at least one FFDHE group, and not whether we have negotiated FFDHE. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/dh.c10
-rw-r--r--lib/gnutls_int.h1
2 files changed, 8 insertions, 3 deletions
diff --git a/lib/dh.c b/lib/dh.c
index 3a3c540c5a..2294cb94cd 100644
--- a/lib/dh.c
+++ b/lib/dh.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2000-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -73,13 +74,16 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params,
unsigned free_pg = 0;
int ret;
unsigned q_bits = 0, i;
+ const gnutls_group_entry_st *group;
+
+ group = get_group(session);
params.deinit = 0;
- /* if client advertised RFC7919 */
- if (session->internals.have_ffdhe) {
+ /* if we negotiated RFC7919 FFDHE */
+ if (group && group->pk == GNUTLS_PK_DH) {
for (i=0;i<session->internals.priorities->groups.size;i++) {
- if (session->internals.priorities->groups.entry[i] == get_group(session)) {
+ if (session->internals.priorities->groups.entry[i] == group) {
ret = _gnutls_mpi_init_scan_nz(&p,
session->internals.priorities->groups.entry[i]->prime->data,
session->internals.priorities->groups.entry[i]->prime->size);
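Review bot: The path taken when the loop over `session->internals.priorities->groups.entry[]` ends without matching `group` is not visible in this hunk. After the new test `group && group->pk == GNUTLS_PK_DH`, that path should return an error rather than fall through to the caller-supplied `dh_params`, so the key exchange cannot proceed with parameters other than the negotiated RFC7919 group. The body of `_gnutls_figure_dh_params` continues outside the hunk, so this may already be handled there. As a point of style, the match has just established that `entry[i]` equals `group`, so the `_gnutls_mpi_init_scan_nz` call could read `group->prime->data` and `group->prime->size` instead of repeating the long dereference through `entry[i]`.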
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 84728fc140..86745a9c28 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1117,6 +1117,7 @@ typedef struct {
* receive size */
unsigned max_recv_size;
+ /* whether the peer has advertized at least an FFDHE group */
bool have_ffdhe;
/* candidate groups to be selected for security params groups */