diff options
| author | tb <> | 2024-04-16 17:46:30 +0000 | 
|---|---|---|
| committer | tb <> | 2024-04-16 17:46:30 +0000 | 
| commit | 478a18f6e1ea66b9cf61074c2771d9c04f4d798f (patch) | |
| tree | ec214c3193a7a2dde770fe26928836b23e1bb051 /src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 | |
| parent | a2d33edef120713fca38edea57eba33f8e3ba217 (diff) | |
| download | openbsd-478a18f6e1ea66b9cf61074c2771d9c04f4d798f.tar.gz openbsd-478a18f6e1ea66b9cf61074c2771d9c04f4d798f.tar.bz2 openbsd-478a18f6e1ea66b9cf61074c2771d9c04f4d798f.zip | |
Fix key share negotiation in HRR case
In the ClientHello retrying the handshake after a HelloRetryRequest, the
client must send a single key share matching the group selected by the
server in the HRR. This is not necessarily the mutually preferred group.
Incorrect logic added in ssl_tlsect.c r1.134 would potentially reject
such a key share because of that.
Instead, add logic to ensure on the server side that there is a single
share matching the group we selected in the HRR.
Fixes a regress test in p5-IO-Socket-SSL where server is configured
with P-521:P-384 and the client with P-256:P-384:P-521. Since the
client sends an initial P-256 key share, a HRR is triggered which
the faulty logic rejected because it was not the mutually preferred
P-384 but rather matching the server-selected P-521.
This will need some deduplication in subsequent commits. We may also
want to consider honoring the mutual preference and request a key
accordingly in the HRR.
reported by bluhm, fix suggested by jsing
ok beck jsing
Diffstat (limited to 'src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3')
0 files changed, 0 insertions, 0 deletions
