X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=06cb57d9eaa760cc53ec187ec8517601867657b3;hp=69c0d42b1acd43d69c3d3a7b8a3bc8e3fc337a56;hb=a4974de937c185cf91e31558f037f6d5a089c28c;hpb=22f41c9b99ff41a9aa08cd5421c02e876f58702f
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 69c0d42b1a..06cb57d9ea 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -223,7 +223,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 if ((lenmax = limit - p - 6) < 0) return NULL;
 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
- if (s->tlsext_ellipticcurvelist_length > 255)
+ if (s->tlsext_ellipticcurvelist_length > 65532)
 {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
@@ -231,6 +231,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 s2n(TLSEXT_TYPE_elliptic_curves,ret);
 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
+
+ /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
+ * elliptic_curve_list, but the examples use two bytes.
+ * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
+ * resolves this to two bytes.
+ */
 s2n(s->tlsext_ellipticcurvelist_length, ret);
 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
 ret+=s->tlsext_ellipticcurvelist_length;
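Review bot: With the cap raised from 255 to 65532 in the first hunk, the `lenmax` test on the context line just above it becomes the only check that keeps the `memcpy(ret, ...)` shown in the second hunk inside the output buffer, and that test measures the remaining space from `p` while every write goes through `ret`. If `ret` has already advanced past `p` when this branch runs (the start of the function is outside the hunk, so this is an inference), the available room is overstated by that distance; computing it from the write cursor, `if ((lenmax = limit - ret - 6) < 0) return NULL;`, would make the bound match the writes. The constant 65532 is also unexplained; it looks like the largest even value for which `length + 2` still fits the 16-bit field written by `s2n`, and a one-line comment saying so, e.g. `/* largest even length such that length + 2 fits in 16 bits */`, would help the next reader. The function body starts before and continues after both hunks.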