LibreSSL 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
  instead of only RSA certificates.

* Do not error out if a TLSv1.3 server requests an OCSP response as
  part of a certificate request.

* Fix SSL_shutdown behavior to match the legacy stack.  The previous
  behaviour could cause a hang.

* Fix a memory leak and add a missing error check in the handling of
  the key update message.

* Fix a memory leak in tls13_record_layer_set_traffic_key.

* Avoid calling freezero with a negative size if a server sends a
  malformed plaintext of all zeroes.

* Ensure that only PSS may be used with RSA in TLSv1.3 in order
  to avoid using PKCS1-based signatures.

* Add the P-521 curve to the list of curves supported by default
  in the client.

This is errata/6.7/019_libssl.patch.sig

10 files changed, 221 insertions, 96 deletions

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0212166678..8ebdab279f 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.272 2020/04/18 14:07:56 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.272.4.1 2020/08/10 18:59:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -433,6 +433,12 @@ typedef struct ssl_handshake_st {
         uint8_t *sigalgs;
 } SSL_HANDSHAKE;
 
+typedef struct cert_pkey_st {
+        X509 *x509;
+        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
+} CERT_PKEY;
+
 typedef struct ssl_handshake_tls13_st {
         uint16_t min_version;
         uint16_t max_version;
@@ -441,6 +447,10 @@ typedef struct ssl_handshake_tls13_st {
         int use_legacy;
         int hrr;
 
+        /* Certificate and sigalg selected for use (static pointers) */
+        const CERT_PKEY *cpk;
+        const struct ssl_sigalg *sigalg;
+
         /* Version proposed by peer server. */
         uint16_t server_version;
 
@@ -988,12 +998,6 @@ typedef struct dtls1_state_internal_st {
 } DTLS1_STATE_INTERNAL;
 #define D1I(s) (s->d1->internal)
 
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        STACK_OF(X509) *chain;
-} CERT_PKEY;
-
 typedef struct cert_st {
         /* Current active set */
         CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 37fdcfa73f..374ba3cef2 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.20.8.1 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -322,6 +322,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
                     tls_sigalgs_len)) == NULL)
                         continue;
 
+                /* RSA cannot be used without PSS in TLSv1.3. */
+                if (TLS1_get_version(s) >= TLS1_3_VERSION &&
+                    sigalg->key_type == EVP_PKEY_RSA &&
+                    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
+                        continue;
+
                 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
                         return sigalg;
         }
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index a0e2f7320b..302211c5e7 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.63.4.1 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -896,12 +896,49 @@ tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 int
 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert)
 {
-        if (s->tlsext_status_type == -1) {
-                *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
-                return 0;
+        CBS response;
+        size_t resp_len;
+        uint16_t version = TLS1_get_client_version(s);
+        uint8_t status_type;
+
+        if (version >= TLS1_3_VERSION) {
+                /*
+                 * RFC 8446, 4.4.2.1 - the server may request an OCSP
+                 * response with an empty status_request.
+                 */
+                if (CBS_len(cbs) == 0)
+                        return 1;
+
+                if (!CBS_get_u8(cbs, &status_type)) {
+                        SSLerror(s, SSL_R_LENGTH_MISMATCH);
+                        return 0;
+                }
+                if (status_type != TLSEXT_STATUSTYPE_ocsp) {
+                        SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
+                        return 0;
+                }
+                if (!CBS_get_u24_length_prefixed(cbs, &response)) {
+                        SSLerror(s, SSL_R_LENGTH_MISMATCH);
+                        return 0;
+                }
+                if (CBS_len(&response) > 65536) {
+                        SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
+                        return 0;
+                }
+                if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
+                    &resp_len)) {
+                        *alert = SSL_AD_INTERNAL_ERROR;
+                        return 0;
+                }
+                s->internal->tlsext_ocsp_resplen = (int)resp_len;
+        } else {
+                if (s->tlsext_status_type == -1) {
+                        *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+                        return 0;
+                }
+                /* Set flag to expect CertificateStatus message */
+                s->internal->tlsext_status_expected = 1;
         }
-        /* Set flag to expect CertificateStatus message */
-        s->internal->tlsext_status_expected = 1;
         return 1;
 }
 
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b265ea089f..9536b0a078 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.165 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.165.4.1 2020/08/10 18:59:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -250,7 +250,14 @@ static const uint16_t eccurves_list[] = {
 };
 #endif
 
-static const uint16_t eccurves_default[] = {
+static const uint16_t eccurves_client_default[] = {
+        29,                     /* X25519 (29) */
+        23,                     /* secp256r1 (23) */
+        24,                     /* secp384r1 (24) */
+        25,                     /* secp521r1 (25) */
+};
+
+static const uint16_t eccurves_server_default[] = {
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
@@ -374,9 +381,15 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
 
         *pgroups = s->internal->tlsext_supportedgroups;
         *pgroupslen = s->internal->tlsext_supportedgroups_length;
-        if (*pgroups == NULL) {
-                *pgroups = eccurves_default;
-                *pgroupslen = sizeof(eccurves_default) / 2;
+        if (*pgroups != NULL)
+                return;
+
+        if (!s->server) {
+                *pgroups = eccurves_client_default;
+                *pgroupslen = sizeof(eccurves_client_default) / 2;
+        } else {
+                *pgroups = eccurves_server_default;
+                *pgroupslen = sizeof(eccurves_server_default) / 2;
         }
 }
 
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 24286569b1..67d663c326 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.54.4.2 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -811,30 +811,92 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
         return ret;
 }
 
+static int
+tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
+    int *ok, const struct ssl_sigalg **out_sigalg)
+{
+        const struct ssl_sigalg *sigalg;
+        SSL *s = ctx->ssl;
+
+        *ok = 0;
+        *out_sigalg = NULL;
+
+        if (cpk->x509 == NULL || cpk->privatekey == NULL)
+                goto done;
+
+        if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
+                goto done;
+
+        *ok = 1;
+        *out_sigalg = sigalg;
+
+ done:
+        return 1;
+}
+
+static int
+tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
+    const struct ssl_sigalg **out_sigalg)
+{
+        SSL *s = ctx->ssl;
+        const struct ssl_sigalg *sigalg;
+        CERT_PKEY *cpk;
+        int cert_ok;
+
+        *out_cpk = NULL;
+        *out_sigalg = NULL;
+
+        cpk = &s->cert->pkeys[SSL_PKEY_ECC];
+        if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
+                return 0;
+        if (cert_ok)
+                goto done;
+
+        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
+        if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
+                return 0;
+        if (cert_ok)
+                goto done;
+
+        cpk = NULL;
+        sigalg = NULL;
+
+ done:
+        *out_cpk = cpk;
+        *out_sigalg = sigalg;
+
+        return 1;
+}
+
 int
 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         SSL *s = ctx->ssl;
         CBB cert_request_context, cert_list;
+        const struct ssl_sigalg *sigalg;
         STACK_OF(X509) *chain;
         CERT_PKEY *cpk;
         X509 *cert;
         int i, ret = 0;
 
-        /* XXX - Need to revisit certificate selection. */
-        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
+        if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
+                goto err;
 
-        if ((chain = cpk->chain) == NULL)
-                chain = s->ctx->extra_certs;
+        ctx->hs->cpk = cpk;
+        ctx->hs->sigalg = sigalg;
 
         if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
                 goto err;
         if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
                 goto err;
 
-        if (cpk->x509 == NULL)
+        /* No certificate selected. */
+        if (cpk == NULL)
                 goto done;
 
+        if ((chain = cpk->chain) == NULL)
+                chain = s->ctx->extra_certs;
+
         if (!tls13_cert_add(&cert_list, cpk->x509))
                 goto err;
 
@@ -858,27 +920,23 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        SSL *s = ctx->ssl;
-        const struct ssl_sigalg *sigalg = NULL;
+        const struct ssl_sigalg *sigalg;
         uint8_t *sig = NULL, *sig_content = NULL;
         size_t sig_len, sig_content_len;
         EVP_MD_CTX *mdctx = NULL;
         EVP_PKEY_CTX *pctx;
         EVP_PKEY *pkey;
-        CERT_PKEY *cpk;
+        const CERT_PKEY *cpk;
         CBB sig_cbb;
         int ret = 0;
 
         memset(&sig_cbb, 0, sizeof(sig_cbb));
 
-        /* XXX - Need to revisit certificate selection. */
-        cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
-        pkey = cpk->privatekey;
-
-        if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
-                /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */
+        if ((cpk = ctx->hs->cpk) == NULL)
                 goto err;
-        }
+        if ((sigalg = ctx->hs->sigalg) == NULL)
+                goto err;
+        pkey = cpk->privatekey;
 
         if (!CBB_init(&sig_cbb, 0))
                 goto err;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index d25674d93b..95e9032634 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.3.4.1 2020/05/19 20:22:33 tb Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.3.4.2 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -486,29 +486,30 @@ tls13_legacy_shutdown(SSL *ssl)
                 return 1;
         }
 
-        /* Send close notify. */
         if (!ctx->close_notify_sent) {
-                ctx->close_notify_sent = 1;
-                if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0)
+                /* Enqueue and send close notify. */
+                if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
+                        ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
+                        if ((ret = tls13_send_alert(ctx->rl,
+                            SSL_AD_CLOSE_NOTIFY)) < 0)
+                                return tls13_legacy_return_code(ssl, ret);
+                }
+                if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
+                    TLS13_IO_SUCCESS)
                         return tls13_legacy_return_code(ssl, ret);
-        }
-
-        /* Ensure close notify has been sent. */
-        if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
-                return tls13_legacy_return_code(ssl, ret);
-
-        /* Receive close notify. */
-        if (!ctx->close_notify_recv) {
+        } else if (!ctx->close_notify_recv) {
                 /*
-                 * If there is still application data pending then we have no
-                 * option but to discard it here. The application should have
-                 * continued to call SSL_read() instead of SSL_shutdown().
+                 * If there is no application data pending, attempt to read more
+                 * data in order to receive a close notify. This should trigger
+                 * a record to be read from the wire, which may be application
+                 * handshake or alert data. Only one attempt is made to match
+                 * previous semantics.
                  */
-                /* XXX - tls13_drain_application_data()? */
-                if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0)
-                        ret = TLS13_IO_WANT_POLLIN;
-                if (ret != TLS13_IO_EOF)
-                        return tls13_legacy_return_code(ssl, ret);
+                if (tls13_pending_application_data(ctx->rl) == 0) {
+                        if ((ret = tls13_read_application_data(ctx->rl, buf,
+                            sizeof(buf))) < 0)
+                                return tls13_legacy_return_code(ssl, ret);
+                }
         }
 
         if (ctx->close_notify_recv)
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 199f43ca16..4373e769dc 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.36 2020/04/28 20:30:41 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.36.4.1 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -227,8 +227,9 @@ tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
                 CBB cbb;
                 CBS cbs; /* XXX */
 
-                free(ctx->hs_msg);
-                ctx->hs_msg = tls13_handshake_msg_new();
+                tls13_handshake_msg_free(ctx->hs_msg);
+                if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
+                        goto err;
                 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE))
                         goto err;
                 if (!CBB_add_u8(&cbb, 0))
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 5c2c2116c0..bf605012b3 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.33 2020/05/03 15:57:25 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.33.4.1 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -435,6 +435,8 @@ tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx,
         struct tls13_secret key = { .data = NULL, .len = 0 };
         int ret = 0;
 
+        EVP_AEAD_CTX_cleanup(aead_ctx);
+
         freezero(iv->data, iv->len);
         iv->data = NULL;
         iv->len = 0;
@@ -523,8 +525,9 @@ static int
 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
 {
         CBS header, enc_record;
+        ssize_t inner_len;
         uint8_t *content = NULL;
-        ssize_t content_len = 0;
+        size_t content_len = 0;
         uint8_t content_type;
         size_t out_len;
 
@@ -560,18 +563,18 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
          * Time to hunt for that elusive content type!
          */
         /* XXX - CBS from end? CBS_get_end_u8()? */
-        content_len = out_len - 1;
-        while (content_len >= 0 && content[content_len] == 0)
-                content_len--;
-        if (content_len < 0)
+        inner_len = out_len - 1;
+        while (inner_len >= 0 && content[inner_len] == 0)
+                inner_len--;
+        if (inner_len < 0)
                 goto err;
-        content_type = content[content_len];
+        content_type = content[inner_len];
 
         tls13_record_layer_rbuf_free(rl);
 
         rl->rbuf_content_type = content_type;
         rl->rbuf = content;
-        rl->rbuf_len = content_len;
+        rl->rbuf_len = inner_len;
 
         CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
 
diff --git a/src/regress/lib/libssl/client/clienttest.c b/src/regress/lib/libssl/client/clienttest.c
index e81b83c45e..e8e20c2f8d 100644
--- a/src/regress/lib/libssl/client/clienttest.c
+++ b/src/regress/lib/libssl/client/clienttest.c
@@ -66,21 +66,21 @@ static unsigned char cipher_list_tls10[] = {
 };
 
 static unsigned char client_hello_tls10[] = {
-        0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
-        0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x16, 0x03, 0x01, 0x00, 0x73, 0x01, 0x00, 0x00,
+        0x6f, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0xc0, 0x14,
-        0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88,
+        0x00, 0x00, 0x00, 0x00, 0xff, 0x85, 0x00, 0x88,
         0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13,
         0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
         0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
         0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
-        0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x16,
+        0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x18,
         0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a,
-        0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17,
-        0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
+        0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17,
+        0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
 };
 
 static unsigned char cipher_list_tls11[] = {
@@ -93,8 +93,8 @@ static unsigned char cipher_list_tls11[] = {
 };
 
 static unsigned char client_hello_tls11[] = {
-        0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
-        0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x16, 0x03, 0x01, 0x00, 0x73, 0x01, 0x00, 0x00,
+        0x6f, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -104,10 +104,10 @@ static unsigned char client_hello_tls11[] = {
         0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
         0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
         0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
-        0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x16,
+        0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x18,
         0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a,
-        0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17,
-        0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
+        0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17,
+        0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
 };
 
 static unsigned char cipher_list_tls12_aes[] = {
@@ -141,8 +141,8 @@ static unsigned char cipher_list_tls12_chacha[] = {
 };
 
 static unsigned char client_hello_tls12[] = {
-        0x16, 0x03, 0x01, 0x00, 0xbb, 0x01, 0x00, 0x00,
-        0xb7, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x16, 0x03, 0x01, 0x00, 0xbd, 0x01, 0x00, 0x00,
+        0xb9, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -158,13 +158,14 @@ static unsigned char client_hello_tls12[] = {
         0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41,
         0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04,
         0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
-        0x00, 0xff, 0x01, 0x00, 0x00, 0x32, 0x00, 0x0b,
-        0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08,
-        0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
-        0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18,
-        0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
-        0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
-        0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
+        0x00, 0xff, 0x01, 0x00, 0x00, 0x34, 0x00, 0x0b,
+        0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a,
+        0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
+        0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d,
+        0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01,
+        0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
+        0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0x02, 0x01,
+        0x02, 0x03,
 };
 
 struct client_hello_test {
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index eb8cef7ef5..bfda66fe32 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.35 2020/04/17 17:24:03 jsing Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.35.2.1 2020/08/10 18:59:47 tb Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -470,10 +470,11 @@ test_tlsext_alpn_server(void)
  */
 
 static uint8_t tlsext_supportedgroups_client_default[] = {
-        0x00, 0x06,
+        0x00, 0x08,
         0x00, 0x1d,  /* X25519 (29) */
         0x00, 0x17,  /* secp256r1 (23) */
-        0x00, 0x18   /* secp384r1 (24) */
+        0x00, 0x18,  /* secp384r1 (24) */
+        0x00, 0x19,  /* secp521r1 (25) */
 };
 
 static uint16_t tlsext_supportedgroups_client_secp384r1_val[] = {
@@ -2712,13 +2713,13 @@ test_tlsext_srtp_server(void)
 #endif /* OPENSSL_NO_SRTP */
 
 unsigned char tlsext_clienthello_default[] = {
-        0x00, 0x32, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
-        0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
-        0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
-        0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06,
-        0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01,
-        0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03,
-        0x02, 0x01, 0x02, 0x03,
+        0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
+        0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
+        0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23,
+        0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16,
+        0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05,
+        0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
+        0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
 };
 
 unsigned char tlsext_clienthello_disabled[] = {};