diff options
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 20 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 4 |
2 files changed, 15 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 8949dc3a26..f5343c81ab 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.70 2020/05/19 02:16:16 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.71 2020/05/23 08:47:19 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -222,13 +222,15 @@ tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) | |||
| 222 | uint16_t *groups; | 222 | uint16_t *groups; |
| 223 | int i; | 223 | int i; |
| 224 | 224 | ||
| 225 | if (SSI(s)->tlsext_supportedgroups != NULL) { | 225 | if (S3I(s)->hs_tls13.hrr) { |
| 226 | if (SSI(s)->tlsext_supportedgroups == NULL) { | ||
| 227 | *alert = SSL_AD_HANDSHAKE_FAILURE; | ||
| 228 | return 0; | ||
| 229 | } | ||
| 226 | /* | 230 | /* |
| 227 | * We should only end up here in the case of a TLSv1.3 | 231 | * In the case of TLSv1.3 the client cannot change |
| 228 | * HelloRetryRequest... and the client cannot change | 232 | * the supported groups. |
| 229 | * supported groups. | ||
| 230 | */ | 233 | */ |
| 231 | /* XXX - we should know this is a HRR. */ | ||
| 232 | if (groups_len != SSI(s)->tlsext_supportedgroups_length) { | 234 | if (groups_len != SSI(s)->tlsext_supportedgroups_length) { |
| 233 | *alert = SSL_AD_ILLEGAL_PARAMETER; | 235 | *alert = SSL_AD_ILLEGAL_PARAMETER; |
| 234 | return 0; | 236 | return 0; |
| @@ -1410,9 +1412,11 @@ int | |||
| 1410 | tlsext_keyshare_server_build(SSL *s, CBB *cbb) | 1412 | tlsext_keyshare_server_build(SSL *s, CBB *cbb) |
| 1411 | { | 1413 | { |
| 1412 | /* In the case of a HRR, we only send the server selected group. */ | 1414 | /* In the case of a HRR, we only send the server selected group. */ |
| 1413 | /* XXX - we should know this is a HRR. */ | 1415 | if (S3I(s)->hs_tls13.hrr) { |
| 1414 | if (S3I(s)->hs_tls13.server_group != 0) | 1416 | if (S3I(s)->hs_tls13.server_group == 0) |
| 1417 | return 0; | ||
| 1415 | return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); | 1418 | return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); |
| 1419 | } | ||
| 1416 | 1420 | ||
| 1417 | if (S3I(s)->hs_tls13.key_share == NULL) | 1421 | if (S3I(s)->hs_tls13.key_share == NULL) |
| 1418 | return 0; | 1422 | return 0; |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index e0ea6b564d..e605ccd90f 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.51 2020/05/22 02:37:27 beck Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.52 2020/05/23 08:47:19 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -365,6 +365,8 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 365 | if (s->method->internal->version < TLS1_3_VERSION) | 365 | if (s->method->internal->version < TLS1_3_VERSION) |
| 366 | return 0; | 366 | return 0; |
| 367 | 367 | ||
| 368 | ctx->hs->hrr = 0; | ||
| 369 | |||
| 368 | return 1; | 370 | return 1; |
| 369 | } | 371 | } |
| 370 | 372 | ||