authorPeter Dettman <peter.dettman@bouncycastle.org>2013-09-16 12:20:51 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2013-09-16 12:20:51 +0400
commita48e5f6ed184dfbb2fca49b824ec39b07f49e09d (patch)
treed1427a8bf2c09732aa464ad32196a0a7c17487e2 /core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java
parent52f489640eab7c59f411ad732e7d41fdeb4381d9 (diff)
Tighten up the checks that the server is respecting the client's
Supported Elliptic Curves Extension (if any)
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java27
1 files changed, 18 insertions, 9 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java
index 7378c6b2..281a9898 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java
@@ -433,6 +433,8 @@ public class TlsECCUtils
{
case ECCurveType.explicit_prime:
{
+ checkNamedCurve(namedCurves, NamedCurve.arbitrary_explicit_prime_curves);
+
BigInteger prime_p = readECParameter(input);
BigInteger a = readECFieldElement(prime_p.bitLength(), input);
BigInteger b = readECFieldElement(prime_p.bitLength(), input);
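Review bot: The new `checkNamedCurve(namedCurves, NamedCurve.arbitrary_explicit_prime_curves)` call at the top of the explicit_prime branch has no comment saying that `arbitrary_explicit_prime_curves` is not a curve but the RFC 4492 5.1.1 marker a client places in its Supported Elliptic Curves extension to say it will accept explicit prime-field parameters; a reader can easily mistake it for a curve identifier. I'd add `// RFC 4492 5.1.1: client must have signalled that it accepts arbitrary explicit prime curves` above the call. The gate only establishes that the client opted in: the values read by `readECParameter`/`readECFieldElement` below are still chosen by the server, so any validation of the curve itself (whether prime_p is actually prime, whether the group order is sound) would have to come from the parsing that continues past this hunk, which I cannot see here. The same comment applies to the explicit_char2 branch. The enclosing method starts and ends outside the hunk.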
@@ -444,6 +446,8 @@ public class TlsECCUtils
}
case ECCurveType.explicit_char2:
{
+ checkNamedCurve(namedCurves, NamedCurve.arbitrary_explicit_char2_curves);
+
int m = TlsUtils.readUint16(input);
short basis = TlsUtils.readUint8(input);
ECCurve curve;
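Review bot: The explicit_char2 branch reads the field degree `m` straight from the wire with `TlsUtils.readUint16(input)` right after the new opt-in check, and nothing in this hunk bounds it; if no upper limit is applied in the code that follows, a server could make the client build a very large binary field before any other validation runs, so it is worth confirming where `m` is checked. I'd also mirror the explicit_prime branch with `// RFC 4492 5.1.1: client must have signalled that it accepts arbitrary explicit char2 curves` above the `checkNamedCurve` call, since `arbitrary_explicit_char2_curves` is a marker value, not a curve. The enclosing method starts and ends outside the hunk.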
@@ -487,15 +491,7 @@ public class TlsECCUtils
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
- if (!TlsProtocol.arrayContains(namedCurves, namedCurve))
- {
- /*
- * RFC 4492 4. [...] servers MUST NOT negotiate the use of an ECC cipher suite
- * unless they can complete the handshake while respecting the choice of curves
- * and compression techniques specified by the client.
- */
- throw new TlsFatalAlert(AlertDescription.illegal_parameter);
- }
+ checkNamedCurve(namedCurves, namedCurve);
return TlsECCUtils.getParametersForNamedCurve(namedCurve);
}
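Review bot: Replacing the inline check with `checkNamedCurve(namedCurves, namedCurve)` changes what happens when `namedCurves` is null: the removed block always evaluated `TlsProtocol.arrayContains(namedCurves, namedCurve)`, whereas the helper skips the check entirely for a null array, so a client that sent no Supported Elliptic Curves extension now accepts whichever named curve the server picks. That is consistent with the "(if any)" in the commit message and with RFC 4492 5.1, but it is a behaviour change that deserves a comment at this call site, e.g. `// namedCurves == null: client sent no curves extension, so the server may choose freely`. Minor style point: `TlsECCUtils.getParametersForNamedCurve(namedCurve)` is a static call within `TlsECCUtils` itself and could be left unqualified like the other calls in the method. The enclosing method starts outside the hunk.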
@@ -509,6 +505,19 @@ public class TlsECCUtils
}
}
+ private static void checkNamedCurve(int[] namedCurves, int namedCurve) throws IOException
+ {
+ if (namedCurves != null && !TlsProtocol.arrayContains(namedCurves, namedCurve))
+ {
+ /*
+ * RFC 4492 4. [...] servers MUST NOT negotiate the use of an ECC cipher suite
+ * unless they can complete the handshake while respecting the choice of curves
+ * and compression techniques specified by the client.
+ */
+ throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+ }
+ }
+
public static void writeECExponent(int k, OutputStream output) throws IOException
{
BigInteger K = BigInteger.valueOf(k);
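Review bot: `checkNamedCurve` has the RFC quote but no Javadoc, and its most surprising property — that a null `namedCurves` passes silently — is undocumented. I'd add a Javadoc stating that it checks `namedCurve` against the list the client sent in its Supported Elliptic Curves extension; that `namedCurves` is that list, or null when the extension was not sent, in which case RFC 4492 5.1 lets the server choose any curve and no check is made; that `namedCurve` may also be one of the `NamedCurve.arbitrary_explicit_*` marker values; and `@throws TlsFatalAlert` with `illegal_parameter` when a non-null list does not contain the curve. The existing comment quotes a server obligation, so a short sentence noting that this is the client-side enforcement of that rule would help the next reader. The `throws IOException` clause presumably covers `TlsFatalAlert`; its hierarchy is not visible here. `writeECExponent` runs past the hunk.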