diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index e074ce29e..22b07bc17 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -376,7 +376,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ); mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ); #if defined(MBEDTLS_ECP_C) -int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); +int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3d3f3d17f..e4f06864e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1684,7 +1684,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); #if defined(MBEDTLS_ECP_C) - if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) + if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) #else if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || ssl->handshake->ecdh_ctx.grp.nbits > 521 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7a1284aab..9f241576d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4087,7 +4087,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) /* If certificate uses an EC key, make sure the curve is OK */ if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && - ! mbedtls_ssl_curve_is_acceptable( ssl, mbedtls_pk_ec( *pk )->grp.id ) ) + mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); if( ret == 0 ) @@ -6807,17 +6807,20 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) #if defined(MBEDTLS_ECP_C) /* * Check is a curve proposed by the peer is in our list. - * Return 1 if we're willing to use it, 0 otherwise. + * Return 0 if we're willing to use it, -1 otherwise. */ -int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) +int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) { const mbedtls_ecp_group_id *gid; + if( ssl->conf->curve_list == NULL ) + return( -1 ); + for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) if( *gid == grp_id ) - return( 1 ); + return( 0 ); - return( 0 ); + return( -1 ); } #endif /* MBEDTLS_ECP_C */