Ensure that we specify the correct group when creating a HelloRetryRequest.HEAD master

When processing the client supported groups and key shares extensions, the group selection is currently based on client preference. However, when building a HRR the preferred group is identified by calling tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled, group selection will be based on server instead of client preference. This in turn can result in the server sending a HRR for a group that the client has already provided a key share for, violating the RFC. Avoid this issue by storing the client preferred group when processing the key share extension, then using this group when creating the HRR. Thanks to dzwdz for identifying and reporting the issue. ok beck@ tb@
author: jsing <> 2025-10-16 14:42:21 +0000
committer: jsing <> 2025-10-16 14:42:21 +0000
commit: 07ac085cccf13625ee0512126e736b8da8ed0dad (patch)
tree: 8cd9f82e2b82fe6cd09d3184bc6a6b3931c35c1d
parent: f690640165ccfa300db43b4a8e0d48a2ac660993 (diff)
download: openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.gz
openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.bz2
openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.zip
2 files changed, 4 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 9209597601..12ede899e8 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.156 2025/06/07 10:23:21 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.157 2025/10/16 14:42:21 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1554,6 +1554,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                for (j = 0; j < server_groups_len; j++) {
                        if (server_groups[j] == client_groups[i]) {
                                client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                preferred_group_found = 1;
                                break;
                        }
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 63b7d92093..f852e08a52 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.110 2025/10/16 14:42:21 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        int nid;
        ctx->hs->tls13.hrr = 1;
        if (!tls13_synthetic_handshake_message(ctx))
@@ -446,9 +444,7 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
        if (ctx->hs->key_share != NULL)
                return 0;
-        if (!tls1_get_supported_group(ctx->ssl, &nid))
+        if (ctx->hs->tls13.server_group == 0)
-                return 0;
-        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
                return 0;
        if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -511,8 +507,6 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!tls13_servername_process(ctx))
                return 0;
-        ctx->hs->tls13.server_group = 0;
        if (!tls13_server_hello_build(ctx, cbb, 0))
                return 0;
author	jsing <>	2025-10-16 14:42:21 +0000
committer	jsing <>	2025-10-16 14:42:21 +0000
commit	07ac085cccf13625ee0512126e736b8da8ed0dad (patch)
tree	8cd9f82e2b82fe6cd09d3184bc6a6b3931c35c1d
parent	f690640165ccfa300db43b4a8e0d48a2ac660993 (diff)
download	openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.gz openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.bz2 openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.zip