diff options
| author | tb <> | 2024-04-16 17:46:30 +0000 |
|---|---|---|
| committer | tb <> | 2024-04-16 17:46:30 +0000 |
| commit | 9f458210467d28817b342e95a6ee616b6ed5b411 (patch) | |
| tree | ec214c3193a7a2dde770fe26928836b23e1bb051 /src/usr.bin/openssl/req.c | |
| parent | 20b733dad0a708b937ef54aa3435a51f6ad6d75c (diff) | |
| download | openbsd-9f458210467d28817b342e95a6ee616b6ed5b411.tar.gz openbsd-9f458210467d28817b342e95a6ee616b6ed5b411.tar.bz2 openbsd-9f458210467d28817b342e95a6ee616b6ed5b411.zip | |
Fix key share negotiation in HRR case
In the ClientHello retrying the handshake after a HelloRetryRequest, the
client must send a single key share matching the group selected by the
server in the HRR. This is not necessarily the mutually preferred group.
Incorrect logic added in ssl_tlsect.c r1.134 would potentially reject
such a key share because of that.
Instead, add logic to ensure on the server side that there is a single
share matching the group we selected in the HRR.
Fixes a regress test in p5-IO-Socket-SSL where server is configured
with P-521:P-384 and the client with P-256:P-384:P-521. Since the
client sends an initial P-256 key share, a HRR is triggered which
the faulty logic rejected because it was not the mutually preferred
P-384 but rather matching the server-selected P-521.
This will need some deduplication in subsequent commits. We may also
want to consider honoring the mutual preference and request a key
accordingly in the HRR.
reported by bluhm, fix suggested by jsing
ok beck jsing
Diffstat (limited to 'src/usr.bin/openssl/req.c')
0 files changed, 0 insertions, 0 deletions