1 files changed, 15 insertions, 3 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 901b38f860..21d3960796 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.106 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -53,9 +53,21 @@ tls13_client_init(struct tls13_ctx *ctx)
                 return 0;
         if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
+        /*
+         * Generate a second key share prediction if we have another
+         * supported group
+         */
+        if (groups_len > 1) {
+                if ((ctx->hs->tls13.key_share = tls_key_share_new(groups[1])) ==
+                    NULL)
+                        return 0;
+                if (!tls_key_share_client_generate(ctx->hs->tls13.key_share))
+                        return 0;
+        }
+
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
         /*
@@ -450,7 +462,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
         if ((ctx->hs->key_share =
             tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
         if (!tls13_client_hello_build(ctx, cbb))