1 files changed, 57 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 57efb75d32..d879b3304e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 static int
 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        CBB client_shares, key_exchange;
+        CBB client_shares, key_exchange, key_exchange2;
        if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
                return 0;
+        /*
+         * We wish to include a second key share prediction in a TLS 1.3 client
+         * hello if we have more than one preferred group. We never wish to do
+         * this in response to a server selected group (Either from a TLS 1.2
+         * server, or from a hello retry request after having negotiated TLS
+         * 1.3).
+         *
+         * Therefore we only do this if we have not yet negotiated
+         * a version, and our max version could negotiate TLS 1.3.
+         */
+        if (s->s3->hs.negotiated_tls_version == 0 &&
+            s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (s->s3->hs.tls13.key_share != NULL) {
+                        if (!CBB_add_u16(&client_shares,
+                            tls_key_share_group(s->s3->hs.tls13.key_share)))
+                                return 0;
+                        if (!CBB_add_u16_length_prefixed(&client_shares,
+                            &key_exchange2))
+                                return 0;
+                        if (!tls_key_share_public(s->s3->hs.tls13.key_share,
+                            &key_exchange2))
+                                return 0;
+                }
+        }
        if (!CBB_flush(cbb))
                return 0;
@@ -1523,7 +1548,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1554,6 +1579,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                for (j = 0; j < server_groups_len; j++) {
                        if (server_groups[j] == client_groups[i]) {
                                client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                preferred_group_found = 1;
                                break;
                        }
@@ -1613,7 +1639,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1686,11 +1712,33 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                *alert = SSL_AD_INTERNAL_ERROR;
                return 0;
        }
+        if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
+            tls_key_share_group(s->s3->hs.key_share) != group &&
+            s->s3->hs.tls13.key_share != NULL &&
+            tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
+                /*
+                 * Server chose our second key share prediction, switch to it,
+                 * and discard the first one.
+                 */
+                tls_key_share_free(s->s3->hs.key_share);
+                s->s3->hs.key_share = s->s3->hs.tls13.key_share;
+                s->s3->hs.tls13.key_share = NULL;
+        }
        if (tls_key_share_group(s->s3->hs.key_share) != group) {
                *alert = SSL_AD_INTERNAL_ERROR;
                return 0;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+        /*
+         * Discard our now unused second key share prediction if we had made one
+         * with our initial 1.3 client hello
+         */
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
            &key_exchange, &decode_error, NULL)) {
                if (!decode_error)
                        *alert = SSL_AD_INTERNAL_ERROR;
@@ -2414,8 +2462,8 @@ tlsext_randomize_build_order(SSL *s)
        free(s->tlsext_build_order);
        s->tlsext_build_order_len = 0;
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
-            N_TLS_EXTENSIONS)) == NULL)
+            sizeof(*s->tlsext_build_order))) == NULL)
                return 0;
        s->tlsext_build_order_len = N_TLS_EXTENSIONS;
@@ -2443,8 +2491,8 @@ tlsext_linearize_build_order(SSL *s)
        free(s->tlsext_build_order);
        s->tlsext_build_order_len = 0;
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
-            N_TLS_EXTENSIONS)) == NULL)
+            sizeof(*s->tlsext_build_order))) == NULL)
                return 0;
        s->tlsext_build_order_len = N_TLS_EXTENSIONS;

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 57efb75d32..d879b3304e 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1445	static int	1445	static int
1446	tlsext_keyshare_client_build(SSL s, uint16_t msg_type, CBB cbb)	1446	tlsext_keyshare_client_build(SSL s, uint16_t msg_type, CBB cbb)
1447	{	1447	{
1448	CBB client_shares, key_exchange;	1448	CBB client_shares, key_exchange, key_exchange2;
1449		1449
1450	if (!CBB_add_u16_length_prefixed(cbb, &client_shares))	1450	if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1451	return 0;	1451	return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL s, uint16_t msg_type, CBB cbb)
1458	if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))	1458	if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1459	return 0;	1459	return 0;
1460		1460
		1461	/*
		1462	* We wish to include a second key share prediction in a TLS 1.3 client
		1463	* hello if we have more than one preferred group. We never wish to do
		1464	* this in response to a server selected group (Either from a TLS 1.2
		1465	* server, or from a hello retry request after having negotiated TLS
		1466	* 1.3).
		1467	*
		1468	* Therefore we only do this if we have not yet negotiated
		1469	* a version, and our max version could negotiate TLS 1.3.
		1470	*/
		1471	if (s->s3->hs.negotiated_tls_version == 0 &&
		1472	s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
		1473	if (s->s3->hs.tls13.key_share != NULL) {
		1474	if (!CBB_add_u16(&client_shares,
		1475	tls_key_share_group(s->s3->hs.tls13.key_share)))
		1476	return 0;
		1477	if (!CBB_add_u16_length_prefixed(&client_shares,
		1478	&key_exchange2))
		1479	return 0;
		1480	if (!tls_key_share_public(s->s3->hs.tls13.key_share,
		1481	&key_exchange2))
		1482	return 0;
		1483	}
		1484	}
		1485
1461	if (!CBB_flush(cbb))	1486	if (!CBB_flush(cbb))
1462	return 0;	1487	return 0;
1463		1488
@@ -1523,7 +1548,7 @@ tlsext_keyshare_server_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1523	*alert = SSL_AD_INTERNAL_ERROR;	1548	*alert = SSL_AD_INTERNAL_ERROR;
1524	return 0;	1549	return 0;
1525	}	1550	}
1526	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1551	if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
1527	&key_exchange, &decode_error, NULL)) {	1552	&key_exchange, &decode_error, NULL)) {
1528	if (!decode_error)	1553	if (!decode_error)
1529	*alert = SSL_AD_INTERNAL_ERROR;	1554	*alert = SSL_AD_INTERNAL_ERROR;
@@ -1554,6 +1579,7 @@ tlsext_keyshare_server_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1554	for (j = 0; j < server_groups_len; j++) {	1579	for (j = 0; j < server_groups_len; j++) {
1555	if (server_groups[j] == client_groups[i]) {	1580	if (server_groups[j] == client_groups[i]) {
1556	client_preferred_group = client_groups[i];	1581	client_preferred_group = client_groups[i];
		1582	s->s3->hs.tls13.server_group = client_preferred_group;
1557	preferred_group_found = 1;	1583	preferred_group_found = 1;
1558	break;	1584	break;
1559	}	1585	}
@@ -1613,7 +1639,7 @@ tlsext_keyshare_server_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1613	*alert = SSL_AD_INTERNAL_ERROR;	1639	*alert = SSL_AD_INTERNAL_ERROR;
1614	return 0;	1640	return 0;
1615	}	1641	}
1616	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1642	if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
1617	&key_exchange, &decode_error, NULL)) {	1643	&key_exchange, &decode_error, NULL)) {
1618	if (!decode_error)	1644	if (!decode_error)
1619	*alert = SSL_AD_INTERNAL_ERROR;	1645	*alert = SSL_AD_INTERNAL_ERROR;
@@ -1686,11 +1712,33 @@ tlsext_keyshare_client_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1686	*alert = SSL_AD_INTERNAL_ERROR;	1712	*alert = SSL_AD_INTERNAL_ERROR;
1687	return 0;	1713	return 0;
1688	}	1714	}
		1715
		1716	if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
		1717	tls_key_share_group(s->s3->hs.key_share) != group &&
		1718	s->s3->hs.tls13.key_share != NULL &&
		1719	tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
		1720	/*
		1721	* Server chose our second key share prediction, switch to it,
		1722	* and discard the first one.
		1723	*/
		1724	tls_key_share_free(s->s3->hs.key_share);
		1725	s->s3->hs.key_share = s->s3->hs.tls13.key_share;
		1726	s->s3->hs.tls13.key_share = NULL;
		1727	}
		1728
1689	if (tls_key_share_group(s->s3->hs.key_share) != group) {	1729	if (tls_key_share_group(s->s3->hs.key_share) != group) {
1690	*alert = SSL_AD_INTERNAL_ERROR;	1730	*alert = SSL_AD_INTERNAL_ERROR;
1691	return 0;	1731	return 0;
1692	}	1732	}
1693	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1733
		1734	/*
		1735	* Discard our now unused second key share prediction if we had made one
		1736	* with our initial 1.3 client hello
		1737	*/
		1738	tls_key_share_free(s->s3->hs.tls13.key_share);
		1739	s->s3->hs.tls13.key_share = NULL;
		1740
		1741	if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
1694	&key_exchange, &decode_error, NULL)) {	1742	&key_exchange, &decode_error, NULL)) {
1695	if (!decode_error)	1743	if (!decode_error)
1696	*alert = SSL_AD_INTERNAL_ERROR;	1744	*alert = SSL_AD_INTERNAL_ERROR;
@@ -2414,8 +2462,8 @@ tlsext_randomize_build_order(SSL *s)
2414	free(s->tlsext_build_order);	2462	free(s->tlsext_build_order);
2415	s->tlsext_build_order_len = 0;	2463	s->tlsext_build_order_len = 0;
2416		2464
2417	if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),	2465	if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
2418	N_TLS_EXTENSIONS)) == NULL)	2466	sizeof(*s->tlsext_build_order))) == NULL)
2419	return 0;	2467	return 0;
2420	s->tlsext_build_order_len = N_TLS_EXTENSIONS;	2468	s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2421		2469
@@ -2443,8 +2491,8 @@ tlsext_linearize_build_order(SSL *s)
2443	free(s->tlsext_build_order);	2491	free(s->tlsext_build_order);
2444	s->tlsext_build_order_len = 0;	2492	s->tlsext_build_order_len = 0;
2445		2493
2446	if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),	2494	if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
2447	N_TLS_EXTENSIONS)) == NULL)	2495	sizeof(*s->tlsext_build_order))) == NULL)
2448	return 0;	2496	return 0;
2449	s->tlsext_build_order_len = N_TLS_EXTENSIONS;	2497	s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2450		2498