Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_tlsext.c41
1 files changed, 40 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6d8f51833b..64fa52e20c 100644
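--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.148 2024/04/04 08:02:21 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.149 2024/04/16 17:46:30 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1493,6 +1493,45 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
  return 0;
  }
 
+ if (s->s3->hs.tls13.hrr) {
+ if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
+ return 0;
+
+ /* Unpack client share. */
+ if (!CBS_get_u16(&client_shares, &group))
+ return 0;
+ if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
+ return 0;
+
+ /* There should only be one share. */
+ if (CBS_len(&client_shares) != 0)
+ return 0;
+
+ if (group != s->s3->hs.tls13.server_group) {
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
+ return 0;
+ }
+
+ if (s->s3->hs.key_share != NULL) {
+ *alert = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+
+ /* Decode and store the selected key share. */
+ if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
+ *alert = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ if (!tls_key_share_peer_public(s->s3->hs.key_share,
+ &key_exchange, &decode_error, NULL)) {
+ if (!decode_error)
+ *alert = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+
+ return 1;
+ }
+
  /*
  * XXX similar to tls1_get_supported_group, but client pref
  * only - consider deduping later.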
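Review bot: The single-share check at new lines 1507-1508 (`if (CBS_len(&client_shares) != 0) return 0;`) fails without setting `*alert`, so a retried ClientHello that carries extra key shares gets whatever default alert the caller chose; that default is outside this hunk and is presumably a decode error. Such a message parses correctly but violates RFC 8446 section 4.1.2, which asks for a single KeyShareEntry from the indicated group, so adding `*alert = SSL_AD_ILLEGAL_PARAMETER;` before that `return 0;` would match the group-mismatch branch directly below it. A short comment above `if (s->s3->hs.tls13.hrr)` would also help the next reader, for example `/* After a HelloRetryRequest, accept exactly one share for the selected group. */`. The function begins before this hunk and continues after it.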