Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
-rw-r--r--src/lib/libssl/ssl_tlsext.c51
1 files changed, 49 insertions, 2 deletions
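diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index dcd9a31205..d879b3304e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.158 2025/12/04 21:03:42 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 static int
 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-	CBB client_shares, key_exchange;
+	CBB client_shares, key_exchange, key_exchange2;
 
 	if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
 		return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 	if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
 		return 0;
 
+	/*
+	 * We wish to include a second key share prediction in a TLS 1.3 client
+	 * hello if we have more than one preferred group. We never wish to do
+	 * this in response to a server selected group (Either from a TLS 1.2
+	 * server, or from a hello retry request after having negotiated TLS
+	 * 1.3).
+	 *
+	 * Therefore we only do this if we have not yet negotiated
+	 * a version, and our max version could negotiate TLS 1.3.
+	 */
+	if (s->s3->hs.negotiated_tls_version == 0 &&
+	    s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+		if (s->s3->hs.tls13.key_share != NULL) {
+			if (!CBB_add_u16(&client_shares,
+			    tls_key_share_group(s->s3->hs.tls13.key_share)))
+				return 0;
+			if (!CBB_add_u16_length_prefixed(&client_shares,
+			    &key_exchange2))
+				return 0;
+			if (!tls_key_share_public(s->s3->hs.tls13.key_share,
+			    &key_exchange2))
+				return 0;
+		}
+	}
+
 	if (!CBB_flush(cbb))
 		return 0;
 
@@ -1687,10 +1712,32 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 		*alert = SSL_AD_INTERNAL_ERROR;
 		return 0;
 	}
+
+	if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
+	    tls_key_share_group(s->s3->hs.key_share) != group &&
+	    s->s3->hs.tls13.key_share != NULL &&
+	    tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
+		/*
+		 * Server chose our second key share prediction, switch to it,
+		 * and discard the first one.
+		 */
+		tls_key_share_free(s->s3->hs.key_share);
+		s->s3->hs.key_share = s->s3->hs.tls13.key_share;
+		s->s3->hs.tls13.key_share = NULL;
+	}
+
 	if (tls_key_share_group(s->s3->hs.key_share) != group) {
 		*alert = SSL_AD_INTERNAL_ERROR;
 		return 0;
 	}
+
+	/*
+	 * Discard our now unused second key share prediction if we had made one
+	 * with our initial 1.3 client hello
+	 */
+	tls_key_share_free(s->s3->hs.tls13.key_share);
+	s->s3->hs.tls13.key_share = NULL;
+
 	if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
 	    &key_exchange, &decode_error, NULL)) {
 		if (!decode_error)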
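Review bot: The switch to the second key share at new lines 1716-1719 is gated on `s->s3->hs.tls13.server_version >= TLS1_3_VERSION`, and nothing in the hunk shows that this value is already set when the ServerHello's key_share extension is processed. If server_version is populated by the supported_versions handler and extensions are processed in wire order, a TLS 1.3 server that places key_share ahead of supported_versions would leave it unset here, the switch would be skipped, and the `!= group` check at 1729 would abort the handshake with an internal error even though the server picked a group we offered; please confirm the parse order guarantees it, or make the gate independent of extension order. The comment at 1720-1723 should state that assumption either way, e.g. `/* server_version is set by the supported_versions handler before this runs. */`. Separately, the client build at 1471-1483 emits the second share without checking that its group differs from the first, and RFC 8446 §4.2.8 forbids two KeyShareEntry values for the same group, so a `tls_key_share_group(s->s3->hs.tls13.key_share) != tls_key_share_group(s->s3->hs.key_share)` guard is worth adding unless the code that creates tls13.key_share already guarantees it. tlsext_keyshare_client_process starts and ends outside the hunk.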