diff options
| author | jsing <> | 2025-10-16 14:42:21 +0000 |
|---|---|---|
| committer | jsing <> | 2025-10-16 14:42:21 +0000 |
| commit | 07ac085cccf13625ee0512126e736b8da8ed0dad (patch) | |
| tree | 8cd9f82e2b82fe6cd09d3184bc6a6b3931c35c1d /src/lib/libssl/tls13_server.c | |
| parent | f690640165ccfa300db43b4a8e0d48a2ac660993 (diff) | |
| download | openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.gz openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.tar.bz2 openbsd-07ac085cccf13625ee0512126e736b8da8ed0dad.zip | |
When processing the client supported groups and key shares extensions,
the group selection is currently based on client preference. However,
when building a HRR the preferred group is identified by calling
tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled,
group selection will be based on server instead of client preference. This
in turn can result in the server sending a HRR for a group that the client
has already provided a key share for, violating the RFC.
Avoid this issue by storing the client preferred group when processing
the key share extension, then using this group when creating the HRR.
Thanks to dzwdz for identifying and reporting the issue.
ok beck@ tb@
Diffstat (limited to 'src/lib/libssl/tls13_server.c')
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 63b7d92093..f852e08a52 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.110 2025/10/16 14:42:21 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) | |||
| 437 | int | 437 | int |
| 438 | tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) | 438 | tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) |
| 439 | { | 439 | { |
| 440 | int nid; | ||
| 441 | |||
| 442 | ctx->hs->tls13.hrr = 1; | 440 | ctx->hs->tls13.hrr = 1; |
| 443 | 441 | ||
| 444 | if (!tls13_synthetic_handshake_message(ctx)) | 442 | if (!tls13_synthetic_handshake_message(ctx)) |
| @@ -446,9 +444,7 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 446 | 444 | ||
| 447 | if (ctx->hs->key_share != NULL) | 445 | if (ctx->hs->key_share != NULL) |
| 448 | return 0; | 446 | return 0; |
| 449 | if (!tls1_get_supported_group(ctx->ssl, &nid)) | 447 | if (ctx->hs->tls13.server_group == 0) |
| 450 | return 0; | ||
| 451 | if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) | ||
| 452 | return 0; | 448 | return 0; |
| 453 | 449 | ||
| 454 | if (!tls13_server_hello_build(ctx, cbb, 1)) | 450 | if (!tls13_server_hello_build(ctx, cbb, 1)) |
| @@ -511,8 +507,6 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 511 | if (!tls13_servername_process(ctx)) | 507 | if (!tls13_servername_process(ctx)) |
| 512 | return 0; | 508 | return 0; |
| 513 | 509 | ||
| 514 | ctx->hs->tls13.server_group = 0; | ||
| 515 | |||
| 516 | if (!tls13_server_hello_build(ctx, cbb, 0)) | 510 | if (!tls13_server_hello_build(ctx, cbb, 0)) |
| 517 | return 0; | 511 | return 0; |
| 518 | 512 | ||