author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-27 15:36:04 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-08-01 09:34:02 +0200 |
commit | 2a552f2eb3c93e2c13c1eb8cd4f64317d8586e5f (patch) | |
tree | 5acdb04170e020d876c3671bff2dad6f013294c9 /lib/algorithms/kx.c | |
parent | dffd5a166e7aa59e5966b3ad27949170bf1d8061 (diff) | |
download | gnutls-2a552f2eb3c93e2c13c1eb8cd4f64317d8586e5f.tar.gz |
TLS: introduced support for RFC7919 groups
This replaces the EC curve extension negotiation with the
negotiated (supported) groups extension, introduces handling
of groups in priority strings, and adds use and verification
of RFC 7919 DH parameters once a group has been negotiated.
Resolves: #37
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/algorithms/kx.c')
-rw-r--r-- | lib/algorithms/kx.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/algorithms/kx.c b/lib/algorithms/kx.c
index 276f56f118..309484054f 100644
--- a/lib/algorithms/kx.c
+++ b/lib/algorithms/kx.c
@@ -252,18 +252,25 @@ bool _gnutls_kx_allows_false_start(gnutls_session_t session)
 	GNUTLS_KX_ALG_LOOP(ret = p->false_start; needs_dh = p->needs_dh_params);
 	if (ret != 0) {
+		const gnutls_group_entry_st *e;
+
+		e = _gnutls_id_to_group(session->security_parameters.group);
+
 #if defined(ENABLE_DHE) || defined(ENABLE_ANON)
 		if (needs_dh != 0) {
 			bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
 			/* check whether sizes are sufficient */
-			if (gnutls_dh_get_prime_bits(session) < bits)
+			if (e && e->prime) {
+				if (e->prime->size*8 < (unsigned)bits)
+					ret = 0;
+			} else if (gnutls_dh_get_prime_bits(session) < bits)
 				ret = 0;
 		} else
 #endif
 		if (algorithm == GNUTLS_KX_ECDHE_RSA || algorithm == GNUTLS_KX_ECDHE_ECDSA) {
 			bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_EC, GNUTLS_SEC_PARAM_HIGH);
-			if (gnutls_ecc_curve_get_size(session->security_parameters.ecc_curve) * 8 < bits)
+			if (e != NULL && gnutls_ecc_curve_get_size(e->curve) * 8 < bits)
 				ret = 0;
 		}
 	}
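Review bot: The ECDHE strength check on the last added line fails open: when `_gnutls_id_to_group()` returns NULL the whole size comparison is skipped and `ret` keeps its non-zero value, so false start stays permitted for a session whose negotiated group could not be resolved, whereas the removed line compared the curve size stored in the session against `bits` unconditionally. The guard should be inverted so an unresolved group disables false start, `if (e == NULL || gnutls_ecc_curve_get_size(e->curve) * 8 < bits) ret = 0;`. The DH branch is already defensive here, falling back to `gnutls_dh_get_prime_bits(session)` when no group entry (or no prime) is found, so the two branches are currently inconsistent in how they treat a missing entry. Whether `gnutls_ecc_curve_get_size()` returns 0 for a non-EC `e->curve` (e.g. a FFDHE entry reaching this branch) is not visible in this hunk and is worth confirming. `_gnutls_kx_allows_false_start` begins before the hunk, so `ret`, `bits`, `needs_dh` and `algorithm` are declared outside the visible lines.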