MFC libssl fix - rev 1.49 (commitid: DLpHk0vyoFEK0Baa)

---
Relax parsing of TLS key share extensions on the server.

The RFC does not require X25519 and it also allows clients to send an empty
key share when the want the server to select a group. The current behaviour
results in handshake failures where the client supports TLS 1.3 and sends a
TLS key share extension that does not contain X25519.
---

(this fixes server side in some cases with TLS 1.3 clients with what
would normally be unusual config - however triggered by recent Firefox
packages on Fedora, https://bugzilla.redhat.com/show_bug.cgi?id=1713777)

1 files changed, 2 insertions, 5 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 00afe1e586..5e9f73536f 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.44.2.1 2019/05/15 19:25:15 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.44.2.2 2019/06/07 15:09:44 sthen Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1269,7 +1269,6 @@ tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
         CBS key_exchange;
         uint16_t group;
         size_t out_len;
-        int ret = 0;
 
         if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
                 goto err;
@@ -1301,11 +1300,9 @@ tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
                 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
                     &out_len))
                         goto err;
-
-                ret = 1;
         }
 
-        return ret;
+        return 1;
 
  err:
         *alert = SSL_AD_DECODE_ERROR;